
Finding stack buffer overflows

I have read 5 papers/articles and watched 2 videos on stack buffer overflows and heap overflows. I have written a program that was vulnerable, overflowed and exploited it, and ran a server on port 7777 that was vulnerable, then overflowed and exploited that. But what I don't understand is how to find vulnerabilities in Windows (or other operating systems) or software. I was using gcc and gdb to do debugging to find everything I needed to write the exploit. How do I find stack buffer overflow vulnerabilities in other programs/software, and how do I debug the vulnerable program, or can I use gdb?

Noah_DuV asked Apr 24 '15 13:04



1 Answer

There are two main approaches for finding stack buffer overflows:

Black box testing: The key to testing an application for stack overflow vulnerabilities is supplying overly large input data as compared to what is expected. However, subjecting the application to arbitrarily large data is not sufficient. It becomes necessary to inspect the application's execution flow and responses to ascertain whether an overflow has actually been triggered or not. Therefore, the steps required to locate and validate stack overflows would be to attach a debugger to the target application or process, generate malformed input for the application, subject the application to the malformed input, and inspect the responses in the debugger. The debugger allows the tester to view the execution flow and the state of the registers when the vulnerability gets triggered.

Gray box testing: Manually review the code (disassemble it). When reviewing code for stack overflows, it is advisable to search for calls to insecure library functions like gets(), strcpy(), strcat() etc. which do not validate the length of source strings and blindly copy data into fixed-size buffers. Apart from manually reviewing code for stack overflows, static code analysis tools can also be of great assistance. Although they tend to generate a lot of false positives and would barely be able to locate a small portion of defects, they certainly help in reducing the overhead associated with finding low-hanging fruit, like strcpy() and sprintf() bugs. A variety of tools like RATS, Flawfinder and ITS4 are available for analyzing C-style languages.

The best tools for this kind of testing are OllyDbg and IDA Pro (for static and dynamic debugging).

Slava Bronfman answered Oct 12 '22 02:10
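The following C program is an added example illustrating both halves of the answer above; it is not code from the question, the answer, or any of the tools named there. The gray-box half is `vulnerable_handler()`, the strcpy()-into-a-fixed-buffer shape that a manual review or Flawfinder-style scanner flags, placed beside a hardened form that bounds the copy by the destination. The black-box half goes one step beyond the answer's "send oversized input and watch the debugger": instead of a run of 'A's it builds the cyclic "Aa0Aa1Aa2..." pattern (the scheme Metasploit's pattern_create uses), so the bytes that land in the saved return address identify their own offset. The 64-byte buffer, the function names and the register value 0x41336141 are assumptions chosen for the illustration; the crash is constructed, not observed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed buffer size for the illustration */

/* Gray-box target: the pattern a code review (or RATS/Flawfinder) flags.
 * strcpy() copies until the NUL with no idea how big buf is.
 * Deliberately vulnerable; never call it with BUF_SIZE or more bytes. */
int vulnerable_handler(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                 /* overruns buf, then the saved frame */
    return (int)strlen(buf);
}

/* Hardened form: bound the copy by the destination, not the source. */
int hardened_handler(const char *input)
{
    char buf[BUF_SIZE];
    size_t len = strlen(input);
    if (len >= sizeof buf)              /* leave room for the terminating NUL */
        return -1;                      /* refuse oversized input */
    memcpy(buf, input, len + 1);
    return (int)len;
}

/* Black-box side: instead of 500 'A's, send a cyclic pattern (Aa0Aa1Aa2...)
 * so the bytes landing in the saved return address identify their offset.
 * out must have room for len + 1 bytes. Returns the number of bytes written. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char triple[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = triple[i];
            }
    out[n] = '\0';
    return n;
}

/* Where does a fragment of the pattern sit in a pattern of pattern_len
 * bytes? Returns the offset, or -1 if the fragment is not in the pattern. */
long pattern_offset(const char *fragment, size_t pattern_len)
{
    char *pat = malloc(pattern_len + 1);
    if (pat == NULL)
        return -1;
    pattern_create(pat, pattern_len);
    const char *hit = strstr(pat, fragment);
    long off = (hit != NULL) ? (long)(hit - pat) : -1;
    free(pat);
    return off;
}

/* The value gdb shows in EIP after the crash is the four pattern bytes that
 * overwrote the saved return address, read little-endian: the byte at the
 * lowest stack address is the least significant byte. Convert back and look
 * it up. (On x86-64 a non-canonical value never reaches RIP; read the bytes
 * at $rsp when the faulting ret is hit and look those up instead.) */
long offset_from_register(uint32_t eip, size_t pattern_len)
{
    char seen[5];
    for (int i = 0; i < 4; i++)
        seen[i] = (char)((eip >> (8 * i)) & 0xffu);
    seen[4] = '\0';
    return pattern_offset(seen, pattern_len);
}

/* Feed a pattern of the given length to the hardened handler and report what
 * it returned, to confirm the length check holds at the boundary. */
int feed_pattern(size_t len)
{
    char *pat = malloc(len + 1);
    if (pat == NULL)
        return -1;
    pattern_create(pat, len);
    int rc = hardened_handler(pat);
    free(pat);
    return rc;
}

int main(void)
{
    /* Constructed crash: suppose gdb reported EIP = 0x41336141 after a
     * 200-byte pattern was sent to a build using vulnerable_handler(). */
    printf("offset of saved return address: %ld\n",
           offset_from_register(0x41336141u, 200));              /* 9 */
    printf("hardened handler, 63 bytes: %d\n", feed_pattern(63));   /* 63 */
    printf("hardened handler, 200 bytes: %d\n", feed_pattern(200)); /* -1 */
    return 0;
}
```

In practice the pattern is what you send to the port-7777 style server while it runs under gdb (`run`, then `info registers` after the SIGSEGV); the offset returned by `offset_from_register()` is how many bytes of padding precede the saved return address, which is the number the rest of the exploit is built around. The hardened handler shows what a correct fix looks like: the check is against `sizeof buf`, the destination, and it rejects the input rather than truncating it silently.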