[ Certified Ethical Hacker v10 ] :: [ Chapter 10 cont’d] :: Buffer Overflow

Buffer Overflow

Know these four C functions, which perform no bounds checking on the destination buffer and are therefore the classic sources of buffer overflows:

gets()
scanf()
strcpy()
strcat()
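An added example, not from the CEH notes themselves, showing the unchecked strcpy() call the list warns about next to bounded replacements for each of the four functions. Every wrapper either fits the data into the buffer it is told about or reports that it could not, so the caller can reject oversized input instead of silently corrupting the stack. The buffer sizes and input strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* What the page warns about: strcpy() copies until it hits the source's
 * NUL byte and has no idea how large dst is. Shown for contrast only. */
void unsafe_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Bounded replacement for strcpy(): never writes past dstsz bytes and
 * always leaves dst NUL-terminated. Returns 1 if src fit, 0 if it was
 * truncated. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 0;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Bounded replacement for strcat(): appends as much of src as still fits
 * in the dstsz-byte buffer holding dst. Same return convention. */
int bounded_concat(char *dst, size_t dstsz, const char *src)
{
    size_t used = 0;
    while (used < dstsz && dst[used] != '\0')
        used++;
    if (used == dstsz)      /* dst is not terminated inside its own buffer */
        return 0;
    return bounded_copy(dst + used, dstsz - used, src);
}

/* Bounded replacement for scanf("%s"): a field width on %s caps how many
 * characters may be stored (dstsz - 1, leaving room for the NUL).
 * Returns 1 if a word was read, 0 otherwise. */
int bounded_scan_word(const char *input, char *dst, size_t dstsz)
{
    char fmt[32];
    if (dstsz < 2)
        return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", dstsz - 1); /* e.g. "%15s" for 16 bytes */
    return sscanf(input, fmt, dst) == 1;
}

/* Bounded replacement for gets(): fgets() takes the buffer size and stops
 * there; a trailing newline is stripped. Returns the length read or -1. */
int bounded_read_line(char *dst, size_t dstsz, FILE *in)
{
    size_t n;
    if (dstsz == 0 || fgets(dst, (int)dstsz, in) == NULL)
        return -1;
    n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n')
        dst[--n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[16];   /* constructed: a deliberately small destination */
    const char *long_input = "this input is far longer than sixteen bytes";
    int fit = bounded_copy(buf, sizeof buf, long_input);
    printf("fit=%d buf=\"%s\"\n", fit, buf);
    return 0;
}
```

gets() was removed from the C standard entirely in C11 precisely because there is no way to call it safely; fgets() with the buffer size is the drop-in replacement.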

The Heap

This is a loosely organized region used for dynamic storage. Memory here is allocated and reclaimed at run time, in whatever order the program requests it, rather than in a fixed pattern.

The Stack

This is much more organized, or constrained. It is literally a “stack” of information, each piece “on top of” the piece before it. Each running process gets its own stack (and heap).

You put information onto the stack with the push instruction (you are always pushing onto the top). You take information off the stack with the pop instruction, which removes the top item from the stack and hands it back to you as the result.
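An added example, not part of the original notes, of the push/pop behaviour described above as a small fixed-capacity LIFO in C. The point worth noticing is the bounds check: a push that would run past the end of the array is refused rather than written, which is exactly the check the unchecked C functions on this page lack. The capacity and the values pushed are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LIFO_CAPACITY 8     /* constructed: tiny so the limit is easy to hit */

typedef struct {
    uint32_t slots[LIFO_CAPACITY];
    size_t top;             /* number of items currently held */
} lifo_t;

void lifo_init(lifo_t *s)
{
    s->top = 0;
}

/* push: stores value on top, or refuses when slots[] is full instead of
 * writing past its end. Returns 1 on success, 0 if full. */
int lifo_push(lifo_t *s, uint32_t value)
{
    if (s->top >= LIFO_CAPACITY)
        return 0;
    s->slots[s->top++] = value;
    return 1;
}

/* pop: removes the most recently pushed item and hands it back via *out.
 * Returns 1 on success, 0 if the stack is empty. */
int lifo_pop(lifo_t *s, uint32_t *out)
{
    if (s->top == 0)
        return 0;
    *out = s->slots[--s->top];
    return 1;
}

size_t lifo_depth(const lifo_t *s)
{
    return s->top;
}

int main(void)
{
    lifo_t s;
    uint32_t v;
    lifo_init(&s);
    for (uint32_t i = 1; i <= 10; i++)          /* two of these pushes are refused */
        printf("push %u -> %d\n", i, lifo_push(&s, i));
    while (lifo_pop(&s, &v))                    /* comes back 8, 7, ..., 1 */
        printf("pop -> %u\n", v);
    return 0;
}
```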

Smashing the Stack

The critical acronym (from the standpoint of the CEH exam) is the Extended Instruction Pointer (EIP), the x86 register that holds the address of the next instruction to execute. When a function is called, the address to return to once it finishes is saved on the stack; normally that is the instruction just after the call, but not always. "Smashing the stack" means overflowing a local buffer far enough to overwrite that saved return address, so that when the function returns, EIP is loaded with a value the input controlled.

A buffer is really just a region of memory, but one defined with a specific size. To overflow it, the input has to be padded out with filler, and that filler is usually a run of "no-operation" instructions, or NOPs. A run of NOPs packed together is a NOP sled: execution that lands anywhere inside the sled simply slides through to whatever comes after it, which is why it is used when the exact landing address is not known.

On x86 the single-byte NOP instruction is 0x90, which means that when you see a long run of 0x90 bytes, you're probably looking at an evil NOP sled.
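An added example, written for this page rather than taken from it, of the detection side of that observation: a scanner that finds the longest run of 0x90 bytes in a buffer and flags it when the run meets a threshold. The caveat a practitioner needs is that a few 0x90s in a row are ordinary in compiled code (alignment padding between functions), so the threshold and the context matter; dozens in a row inside user-supplied input are another matter. Both sample buffers below are constructed for the demonstration, not captured traffic, and the threshold of 16 is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NOP 0x90u           /* x86 single-byte NOP */

/* Finds the longest run of consecutive 0x90 bytes in buf. Writes the run's
 * starting offset to *start (0 if there is no NOP at all) and returns its
 * length in bytes. */
size_t longest_nop_run(const uint8_t *buf, size_t len, size_t *start)
{
    size_t best_len = 0, best_start = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == NOP) {
            run++;
            if (run > best_len) {
                best_len = run;
                best_start = i + 1 - run;
            }
        } else {
            run = 0;
        }
    }
    *start = best_start;
    return best_len;
}

/* Flags buf as a suspected NOP sled when its longest run reaches
 * threshold bytes. Returns 1 if flagged, 0 otherwise. */
int looks_like_nop_sled(const uint8_t *buf, size_t len, size_t threshold)
{
    size_t start;
    return longest_nop_run(buf, len, &start) >= threshold;
}

/* Constructed sample: a ret followed by three alignment NOPs and the start
 * of the next function (push ebp; mov ebp, esp). Normal compiler output. */
static const uint8_t benign_sample[] = {
    0xC3, 0x90, 0x90, 0x90, 0x55, 0x89, 0xE5
};

/* Constructed sample: filler bytes, a 24-byte NOP sled, then placeholder
 * bytes standing in for whatever followed the sled (not a payload). */
static const uint8_t sled_sample[] = {
    'A', 'A', 'A',
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0xCC, 0xCC
};

int main(void)
{
    size_t start, n;
    n = longest_nop_run(sled_sample, sizeof sled_sample, &start);
    printf("longest NOP run: %zu bytes at offset %zu, flagged=%d\n",
           n, start, looks_like_nop_sled(sled_sample, sizeof sled_sample, 16));
    n = longest_nop_run(benign_sample, sizeof benign_sample, &start);
    printf("benign sample: %zu-byte run at offset %zu, flagged=%d\n",
           n, start, looks_like_nop_sled(benign_sample, sizeof benign_sample, 16));
    return 0;
}
```

The same scan is only a first-pass heuristic: sleds can be built from other single-byte instructions that have no effect on the payload, so a production detector would look at what follows the run rather than stop at counting 0x90s.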