13 July 2012

Windows Buffer Overflow Explained - Part 2

Welcome back, in part 1 we talked about the definition of the buffer overflows and how they can occur, also we talked about memory and its relations to buffer overflow. In this part we are continuing our series talking about Registers and Shellcodes.

Processors contain memory known as registers. These registers are very small and are used for very fast processing. Registers can be thought of as variables for assembly. Registers are classified according to the functions they perform. High level registers can be categorised in four sections
  • General purpose 
  • Segment 
  • Control 
  • Other 

Registers EAX, EBX, ECX, EDX, ESI and EDI are used for general purpose variables such as mathematical operations and hold  data for an operation. These are 32 bit registers on a 32 bit processor. The 16 bit registers for EAX, EBX, ECX and EDX are known as AX, BX, CX and DX. Finally 8 bit registers are known as AL, BL, CL and DL which are the low order bits. High order bits are known as AH, BH, CH and DH. These 16 and 8 bit  registers exist for backwards compatibility and are very useful when producing smaller shellcode. The "E" means extended to address the full 32-bit registers.

Windows Buffer Overflow Explained - Part 1

Buffer Overflows 
We begin our part by discussing the basics of an overflow, followed by the next sections in the next parts: memory, registers and shellcode  giving us an adequate understanding on these areas and how they later help us better understand buffer overflows and ways to exploit them. Types of buffer overflows are then described in detail, followed by controlling our overflow to our chosen code.

What is a buffer overflow?
Buffer overflows are a common vulnerability on all platforms, but are by far the most commonly exploited bug on the Linux/Unix Operating systems. Buffer over flow occurs when something is filled beyond  its capacity. Imagine pouring water into a container with more than it can store, the water will spill over and create a mess. A similar situation applies to computer programs where a certain amount of space is allocated to store data for the program during execution. If too much data is inputted into the fixed amount of space, then this space known as the buffer will overflow. Hence the overflow is known as a buffer overflow.

Buffer overflow or buffer overrun occurs when a program allows input to be written beyond the end of an allocated buffer. When a memory block is allocated to store data only data up to that limit is allowed and no more. Any more data inputted would produce unwanted results.  These results would overwrite critical areas of memory which would give an attacker the ability to alter the execution flow of the program. Having the ability to control the flow of execution gives the attacker the ability to execute anything he wishes to.