Harrison: Today we are going to talk about Buffer over flow Attacks. Now Buffer over flow Attacks the almost popular method for attackers to perform Arbitrary code execution. Now Arbitrary code execution in case you do not know is where like okay here is a script or you know some code lots of code which is in my code his and this would like make sure it happens. So before we time all of that though I am going to go ahead—well, let us break it down and make it simple and start of by explaining what exactly a buffer is.
Jonathan: All right, a buffer is basically I will locate the memory that a programmer creates and uses so that he can store and manipulate this data.
Harrison: Oh! Yes, well let us talk about this from hacker’s point of view, basically we got this buffer. Now we are going to fill it up and continue to pass data to it until it overflows and that data that overflows has to go somewhere so it goes to an adjacent or you know the next memory slot.
Jonathan: And when the memory slot now we have accessed to run and run around code possibly passing some over you know some assembly or some seed and also function.
Harrison: That assuming that the next memory slot contains a function call or executable code.
Jonathan: Yes, what I just have said.
Harrison: Yes, well it is. But you want to make sure that you really you know have a good idea of where your code is going maybe it is not as simple thing in the world to do. But let us take a real world example so we have four example a firewall and it is firmware, okay. So the firmware has to take accept the password and make sure that is valid so we are going to write a piece of code or some software that since the password those that buffer up then continues passing data to the buffer and after the password is filled up. Assuming that the developer pertinent make write a program to check the size of the password we can write or inject our own machine or assembly code to manipulate what the program does from there so we can get root access or you know change users modify users change of the settings that sort of thing.
Jonathan: I bring a great example of what language do you actually use to do this stuff of Buffer over flow Attacks and I guess we are going to lower level languages which you know probably the best way to do with assembling and see.
Harrison: Keep in mind that is because see and assembly C++ lower level languages require that the programs are managed the size of the buffers and it does not necessarily make them bad languages because they are very powerful and very useful. It just means that they have to be very careful to manage the size of their buffers.
Jonathan: Right.
Harrison: But this language is like you know WISP.
Jonathan: And Java and Pearl.
Harrison: Okay.
Jonathan: Great examples of programmable language that actually allocate the memory through a file.
Harrison: And that it is like a run time checking and then static analysis.
Jonathan: Exactly. So I guess we are going through a lot of example of how they actually do this.
Harrison: This is an example of we can all relate to because it has to lose beer so let us assume that this glass right here is a buffer and this is a buffer as well now John is the malicious user your Mallery the malicious user.
Jonathan: Mallery, the malicious hacker
Harrison: I will going to eat Bob.
Jonathan: Bob the ugly function.
Harrison: Now, hey common do not be too hard here. [Voice Overlap] I am the function that is to get calling this memory—so what the data that it is in the memory slot.
Jonathan: However, this is the actual buffer that we use for the actual log in for example.
Harrison: This is the log in and this is the buffer that takes the password, all right
Jonathan: So we are going to go ahead and put some—answer our username and log in password and then eventually we are going to go ahead.
Harrison: Oh!
Jonathan: Pass some extra variable or extra input and then give them over all that information.
Harrison: The thing is not only he is spilled beer on my fingers but he also passed data into
Transcription by:
Scribe4you Transcription Services