Exploits / Buffer Overflows
This article is aimed at trying to explain some of the most common exploits usually seen and why they work. Go to any ulnerability publising site (e.g. CVE) and you will see many exploits in seemingly unreadable code that look like the examples below:
push eax
These are a combination of Assembly / shell code that are usually executed in a low level language such as C. The aim of this article is to explain why they work. Lets start with assembly code.
Whatever programming languages you already know, when you compile this language is translated into machine code. Machine code is the lowest-level programming language and is read and executed by the computer's central processing unit. One step above machine code is assembly code, this is also complex but more human readable, push and mov for example are codes telling the processing Disassembling a program using a tool such as OllyDbg will normally result in decompiled assembly commands.
Next, there's shellcode. This is commonly written in machine code and is used to exploit software vulnerabilities. The name comes from the exploit usually starting a command shell allowing the attacker full control. Shellcode is not executed directly and so is normally contained within another language and executed such as in C as a byte buffer (buffers are regions in memory storing temporary data.) Although what happens if the allowed boundaries of the buffer are exceeded? This is where buffer / stack overflows come in.
What Are Buffer Overflows?
In very simple terms a buffer overflow is when writing data to a memory location (buffer) exceeds the allowed limit and starts writing to adjacent memory. For example say a program has allowed 8 bytes to store a value. Now this value is being stored in "1st" below if you enter 12345678 it is stored as below:
1st | 1st | 1st | 1st | 1st | 1st | 1st | 1st | 2nd | 2nd |
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
This is working as expected. But say you were to exceed the allowed limit and start entering exploit code. This could function as shown below:
1st | 1st | 1st | 1st | 1st | 1st | 1st | 1st | 2nd | 2nd |
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | push aex | mov.. |
By exceeding the allowed limit you can cause a program to behave in an unexpected way and possibly overwrite into an area of memory that is storing executable code. This is how the exploit works. By replacing a point in memory via an overflow with stored shellcode malicious code can be executed and a system can be compromised. This is again common in low level languages such as C due to limited protection from overwriting allocated areas of memory.
For further information research the different types of buffer overflows and shellcode encoding.