Example buffer overflow



  • I have to give a short (well, three hour) presentation on computer security issues to non-tech-guru people. I thought it'd be fun for me to have a VM on the machine where I do the presentation and demonstrate some of the things I'm discussing. I don't want to do actual hacks like, "here's something I downloaded, now I'm running it, and it's over" because I don't think that'd be interesting.

     

    What I would like to do is to show some C code (or any language I guess) and point to it and say, "see this? this is an unchecked buffer" then I'd compile it, then overflow it. Ideally, I'd love to run this compiled program as nobody and then when I exploit it, it would dump me to a shell and when I run whois it'd say I'm nobody.

     

    One problem here is that modern operating systems don't allow execution on the stack, right? So what do you guys think? Is this just a pipe dream? Is it more trouble than it's worth and I should just forget it? Can you recommend anything else I can do that'd be cool?

     

    Thanks.



  • Install Windows 95 on a VM and send it the good old Ping o'Death. It's a classic buffer overflow. 8=]



  • So let me get this right. Your problem is that you want to demonstrate how some kinds of flaws can allow some kind of exploit but cannot actually manage to do so. Doesn't that kind of disprove the whole point you are trying to make?
    Surely the way to approach this is to first actually exploit a system then document & present how you did it. You'll come across as way more knowledgeable and convincing doing this than telling scary bogeyman stories that you are unable to substantiate.
    Maybe you need to refocus on real threats or things you understand.



  • @LoztInSpace said:

    Surely the way to approach this is to first actually exploit a system then document & present how you did it.
     

    I don't think so. There are two ways that I could do that:

    1. OK everyone, here's a VM running a LAMP stack. And here's a script that I didn't write. I'm now running the script... wow! Do you see that? I have root access! See, what happened is that the script exploited a vulnerability in MySQL's zlib compression library and used it to upload a PHP file. Then we execute that file and it does some other stuff, and (snip) step 10 is where we drop to a root shell. Any questions?

    Option 2. OK everyone, here's some real live code!

        void *ptr;
        if (sl) ptr = kzalloc_node(nr * sizeof(*desc->kstat_irqs),GFP_ATOMIC, node);
        else ptr = alloc_bootmem_node(NODE_DATA(node),nr * sizeof(*desc->kstat_irqs));
        if (ptr) { desc->kstat_irqs = ptr;}


    (snip about 500 more lines)

    Now, none of you are programmers. You're taking this class because you might manage programmers and you only have that one programming class you took in college. So we're going to have to spend the next two hours stepping through this code in order to set up the exploit. Hey! Where did everybody go??

    Neither of those options work. What works is for me to show less than five lines of C. All it has to do is strcpy into an array.



  • You can have fun with printf(). Just make sure the fmt param is given via the CLI and not hard-coded. If done right you can actually get printf to write to variables of your choosing.
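An added example of the printf() idea above (not code from the thread): the only difference between the vulnerable and the fixed function is whether the user's text is passed as the format or as a %s argument. It shows the read side of the bug, the conversions consuming whatever sits in the argument area the caller never filled; the write side the post refers to is %n, and where a %n write lands depends on the stack layout of the specific build, so it is not shown here. The function names and the "%p %p %p %p" input are constructed for this demo.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable: the user's text is used *as* the format string. Every
 * %-directive in it is interpreted, and each conversion pulls an argument
 * from the variadic area that this call never supplied (undefined behaviour
 * in the standard; on a typical build it reads registers and stack). */
int vulnerable_echo(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, user_text);        /* the bug */
}

/* Fixed: the format is a constant, the user's text is just a %s argument
 * and is copied literally, '%' characters and all. */
int safe_echo(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, "%s", user_text);
}

/* Returns 1 if vulnerable_echo() consumed the user's %p directives, i.e.
 * the output no longer contains the literal text "%p". */
int format_directives_interpreted(const char *user_text)
{
    char out[256];
    vulnerable_echo(out, sizeof out, user_text);
    return strstr(out, "%p") == NULL;
}

/* Returns 1 if safe_echo() reproduced the user's text exactly. */
int format_directives_preserved(const char *user_text)
{
    char out[256];
    safe_echo(out, sizeof out, user_text);
    return strcmp(out, user_text) == 0;
}

int main(void)
{
    /* Constructed attacker input: %p is used because it only reads the
     * argument slots; %s would dereference garbage and crash the demo. */
    const char *probe = "%p %p %p %p";
    char out[256];

    vulnerable_echo(out, sizeof out, probe);
    printf("vulnerable: %s\n", out);     /* prints four leaked values */
    safe_echo(out, sizeof out, probe);
    printf("safe:       %s\n", out);     /* prints the literal "%p %p %p %p" */
    return 0;
}
```

Compile it without -Werror=format-security; the warning GCC and Clang emit for vulnerable_echo ("format not a string literal and no format arguments") is itself a good thing to point at during the talk.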



  • What about having an array (fixed length name or something) and an int containing something important (money?) and then just overwrite too much so that it overwrites the int value.
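The two suggestions above, tofu's "fewer than five lines of C that strcpy into an array" and the array-next-to-an-important-int idea, fit in one program. This is an added example, not code from the thread; the struct, its field names, the inputs and the 100-penny starting balance are constructed for the demo. The copy is written out as a loop rather than calling strcpy() so the missing length check is visible on the slide and so a fortified libc cannot abort the run before the overwrite happens; its behaviour is exactly strcpy()'s.

```c
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Constructed demo record. C lays out struct members in declaration order,
 * so name[] occupies bytes 0-15 and balance bytes 16-19: the int sits
 * immediately after the unchecked buffer. */
struct account {
    char name[16];
    int  balance;          /* the "something important" */
    int  overdraft_limit;  /* keeps the copied NUL terminator inside the struct */
};

/* The unchecked buffer: copies until the NUL terminator and never asks how
 * big dst is. Same semantics as strcpy(dst, src). */
static NOINLINE void unchecked_copy(char *dst, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];   /* no "i < 16" anywhere */
        i++;
    }
    dst[i] = '\0';
}

/* Open an account with 100 in it, set the name from untrusted input,
 * report the balance afterwards. */
int balance_after_set_name(const char *untrusted_name)
{
    struct account acct;
    memset(&acct, 0, sizeof acct);
    acct.balance = 100;
    unchecked_copy(acct.name, untrusted_name);     /* the bug */
    return acct.balance;
}

/* The fix: bound the copy to the buffer and always NUL-terminate. */
int balance_after_set_name_fixed(const char *untrusted_name)
{
    struct account acct;
    memset(&acct, 0, sizeof acct);
    acct.balance = 100;
    snprintf(acct.name, sizeof acct.name, "%s", untrusted_name);
    return acct.balance;
}

int main(void)
{
    /* Constructed inputs: a normal name, and a 20-byte one whose bytes
     * 16-19 ("BBBB" = 0x42 0x42 0x42 0x42) land exactly on balance. The
     * same byte four times gives 0x42424242 on any endianness. */
    const char *normal = "alice";
    const char *attack = "AAAAAAAAAAAAAAAABBBB";

    printf("name %-22s balance = %d\n", normal, balance_after_set_name(normal));
    printf("name %-22s balance = %d (0x%x)\n", attack,
           balance_after_set_name(attack), (unsigned)balance_after_set_name(attack));
    printf("name %-22s balance = %d (fixed copy)\n", attack,
           balance_after_set_name_fixed(attack));
    return 0;
}
```

For the audience the interesting part is that nothing crashes: the program runs to completion and simply reports a balance of 1111638594, which is the "overwrite the int" outcome the post describes. Overwriting a saved return address instead, to get the shell the original question asked about, needs the same bug but a longer input and a target the protections on a modern system are built to block.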



  • Good idea! I was making it needlessly complex. Thanks.



  • @tofu said:

    Good idea! I was making it needlessly complex. Thanks.

    I think the problem with your original idea is that to open up a shell from a buffer overflow, you'd need, well, shellcode. And if your audience hasn't much of an understanding of C, I think chances are even worse that you can explain assembly to them, regardless of how simple the actual code may be.

