#header-inner {background-position: right !important; width: 100% !important;}

8/30/15

'Heap Overflow' Hacking Attack.

Processes & Memory Allocation.

'process' is a running computer program.

for this to happen, a certain amount of computer's memory must be reserved (allocated) for the process. both for code as well as for data.

memory reserved for process is split into 'segments'.

in x86 processor machines, there are following segments:
- 'text segment' is also called 'code segment'. in this segment all of instructions written by programmer are stored in a 'machine language form'. nothing can be written there, segment's size cannot be changed after loading program into memory.
- 'data segment' contains both global variables, as well as declared constants, for example: 'character strings'.
- 'bss segment' contains static variables, as well as uninitialized global variables.
- 'heap segment' has dynamic size - can be resized during program's run; it's used for storing dynamic variables that are created & destroyed by user as programmer allowed.
- 'stack segment' is automatically used by local variables of called functions, storing for example call's arguments. it's similar to 'heap segment' in that it can be resized.


Heap Overflow.

let's look at a following screenshot with code.



Heap Overflow.



to overwrite buf2 we need 16 bytes ... we can see that a 'malloc' function allocates additional 8 bytes, beside what we requested for our variable.

putting 16 'B' characters inside argument passed to a program passess in fact 17 characters - 16 'B' characters & one 'NULL' character, a string's terminator.

next we passed 20 bytes to program ... 19 'B' characters & one 'NULL' byte, a string's terminator.

we can see that we can overwrite a heap variable that way.

if we read this after a 'Buffer Overflow' Hacking Attack article, we can also notice that heap's addressing rises in opposite direction to stack's.


Function Pointer Overwrite.

let's look at a following screenshot with code.



Code with a static function pointer variable.


this code uses static variables, they are put on a .bss segment, just beyond heap segment.

we can see that 'atoi' function converts character strings to a '0' value,

we can also see that too many of 'a' symbols (done using a perl one-liner script) causes memory protection error (Segmentation fault), with a core dump.

let's look at that dump file using gnu debugger gdb.




Code debugged ... yet attack failure happened.


we passed memory address of a 'dv' function to jump to in a little-endian notation, using a perl one-liner.

we got result of '10', while we expected 8 / 2 = '4'.

it seems attack failed, more of debugging neccessary.




Code debugged for an attack ...


it seems that due to hardware-software configuration of my machine, variables are stored in reverse order when compared to looking at source code only.

it seems not much we can do here other than reversing order of the two first 'main' function's lines (with variables declaration) & adjusting attack accordingly.




Succesful attack on modified code.

Function Pointer Overwrite Buffer Overflow Attack.


we did put '000' before '8', to enforce proper length of passed parameter - this way perl one liner that passess memory address to jump to won't be mistaken for a part of '8' number, a parameter to 'dv' function we jump to.


see also if You wish or need ... : Heap Overflow type Attacks, 'Buffer Overflow' Hacking Attack, 'Format String' Hacking Attack.

No comments:

Post a Comment