A buffer is a temporary area for data storage. When a program or system process places more data more than the originally allocated, the extra data overflows. It causes some of that data to leak out into other buffers, which can corrupt or overwrite whatever data they were holding.
In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions intended by a hacker or malicious user, for example, the data could trigger a response that damages files, changes data or unveils private information.
Attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on a user’s input.
There are two types of buffer overflows: Stack-based and Heap-based.
Heap-based, which are difficult to execute and the least common of the two, attack an application by flooding the memory space reserved for a program.
Stack-based buffer overflows, which are more common among attackers, exploit applications and programs by using what is known as a stack: memory space used to store user input.
Stack has 5 registers:-
- EBP:- Extended Base Pointer
This denotes the address of the location where the first data has to be entered into stack (StackBase). It is always fixed.
- ESP :- Extended Stack pointer
This denotes the address where the next data has to be entered into the stack.
- EIP :- Extended Instruction Pointer
This denotes the address of next instruction has to be operated/ executed into the stack.
- ESI :- Extended Source index
It is used as source index for string operations.
- EDI :- Extended destination Index
It is used as destination index for string operations.
For stack based buffer overflow we will focus only on EBP, EIP and ESP. EBP points to higher memory address at the bottom of the stack, ESP points to the top of the stack at lower memory location.
EIP holds the address of next instruction to be executed. Our prime focus is on EIP register since we need to hijack execution flow. EIP read only register, so we cannot assign the memory address of the instruction to be executed to it.
When a function is executed, a stack frame for its information is pushed onto the stack. Once the function finishes execution, related stack frame is popped from the stack and execution resumes in the caller function where it left-off.CPU must know from where it has to continue execution, it obtains this information from return address pushed onto the stack when a function is called.
For example in programming language like C/C++ there is a main() which a calls a another function func(). So when the execution starts main() will be called and a stack frame will be created for main() hen main() calls func(), so before allocation in stack frame, main() notes return address from where the execution will start after func() is over.
After func() is executed it returns, its stack frame is popped and the stored return address is loaded into the EIP register to continue execution to main(). So to do buffer overflow we can take control of that return address i.e we can control which instruction are executed when func() returns.
So in the next tutorial see Stack based Buffer Overflow PCMan FTP.