Chapter 8: Searching for Overflowing Buffers


Overview

Searching for overflowing buffers, in terms of nerve strain and romance, can be compared only to treasure hunting. The comparison is apt because both searches rest on the same principles: success depends not only on your experience but also on your luck. Sometimes even the mouse brings misfortune: at the crucial moment the cursor lands in a slightly wrong place, and an overflowing buffer remains unnoticed. Overflowing buffers are so absorbing that a hacker might, without hesitation, devote an entire life to them. Don't despair if you run into problems and difficulties. The first success may come only after several years of painstaking work, reading documentation, and endless experimenting with compilers, disassemblers, and debuggers. To understand what goes on inside an overflowing buffer, it is not enough to know how to crack programs; you must also be a programmer. I wonder who first said that hacking is the same thing as vandalism. It is an intellectual game demanding total concentration and painstaking work, one that rewards only those who have done something useful for cyberspace.

How does a search for overflowing buffers proceed, and how is shellcode designed? First, the hacker chooses the target of the attack, a role played by some vulnerable application. If you need to check your own security or to attack a strictly defined host, you must investigate a specific version of a specific software product installed on a specific computer. If your goal is to become famous, or to design shellcode that would let you control tens of thousands of machines, the choice is less clear-cut.

On one hand, you must choose a widely used but insufficiently studied program that runs with the highest level of privileges and listens on ports that are not easy to close. The more popular the vulnerable application (or operating system), the more power an overflowing buffer provides. From the firewall's point of view all ports are equivalent: it makes no difference to the firewall which one is closed. The difference is on the administrator's side. Port 135, used by the Love San worm, could be disabled painlessly (I did exactly this). By contrast, nobody can do without services such as the Web, so their ports stay open.

It is tempting to find a new security hole in Windows. However, there is one problem: Windows and the other popular systems are the focus of attention of thousands of security specialists and hackers. In other words, this area is too crowded. By contrast, some little-known UNIX clone or mail server may never have been tested at all. There are tens of thousands of such programs, far more than there are specialists. Thus there is plenty of room here to hack.

The more sophisticated the application, the higher the probability of finding a critical error in it. It is also necessary to pay attention to the format in which the processed data is represented. Most often, overflowing buffers are found in syntax analyzers that parse text strings: a field is copied into a fixed-size buffer and nobody checks whether it fits. However, most such errors were detected and eliminated long ago, so it is much better to search for overflowing buffers where no one has searched yet. If you want to hide something, put it in plain view. The sensational epidemics of Love San and Slapper confirm this: it seems impossible and unbelievable that such obvious overflow errors remained undetected for so long.
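The text-string parser is the classic place to look, so here is the shape of the bug side by side with its bounded rewrite. This is an added example, not code from the book: the "Key: value" line format, the 16-byte value buffer, and the function names are assumptions chosen for illustration. The helper `bytes_unsafe_copy_writes` shows what a hunter computes from the input alone, before ever triggering the overflow in a debugger.

```c
/* Added example (not from the book): a fixed-buffer text-field parser in its
 * vulnerable and hardened forms. The "Key: value" format and the 16-byte
 * buffer size are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 16   /* assumed fixed size of the parser's value buffer */

/* Returns a pointer to the value part of "Key: value", past the colon and
 * any following blanks, or NULL when the line has no colon at all. */
static const char *find_value(const char *line)
{
    const char *p = strchr(line, ':');
    if (p == NULL)
        return NULL;
    p++;
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Vulnerable form: the value is copied with strcpy into a 16-byte buffer.
 * Any value of 16 or more characters (15 plus the terminator is the limit)
 * writes past the end of `out`. Returns 0 on success, -1 if no colon. */
int parse_value_unsafe(const char *line, char out[VALUE_MAX])
{
    const char *v = find_value(line);
    if (v == NULL)
        return -1;
    strcpy(out, v);          /* no length check: this is the overflow */
    return 0;
}

/* What the hunter measures from the input alone: how many bytes the unsafe
 * copy would write (value plus terminator). Returns 0 if the line does not
 * parse, so the caller can compare the result against VALUE_MAX. */
size_t bytes_unsafe_copy_writes(const char *line)
{
    const char *v = find_value(line);
    return v == NULL ? 0 : strlen(v) + 1;
}

/* Hardened form: the value length is checked against the buffer before a
 * single byte is copied. Returns 0 on success, -1 if no colon, -2 if the
 * value (with its terminator) does not fit. */
int parse_value_safe(const char *line, char out[VALUE_MAX])
{
    const char *v = find_value(line);
    if (v == NULL)
        return -1;
    size_t n = strlen(v);
    if (n >= VALUE_MAX)
        return -2;
    memcpy(out, v, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample lines: one that fits, one long enough to overflow. */
    const char *benign  = "Host: example";
    const char *hostile = "Host: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 A's */
    char buf[VALUE_MAX];

    parse_value_safe(benign, buf);
    printf("benign value \"%s\": unsafe copy writes %zu of %d bytes\n",
           buf, bytes_unsafe_copy_writes(benign), VALUE_MAX);
    printf("hostile value: unsafe copy would write %zu bytes into %d; "
           "safe parser returns %d\n",
           bytes_unsafe_copy_writes(hostile), VALUE_MAX,
           parse_value_safe(hostile, buf));
    /* parse_value_unsafe(hostile, buf) is deliberately not called here:
     * it would overwrite whatever follows buf on the stack. */
    return 0;
}
```

The lesson for the search itself: once you have located the fixed buffer and the copy, you do not need to crash the process to know it is vulnerable. Counting the bytes the copy would write for a given input, as `bytes_unsafe_copy_writes` does, tells you whether the field length is attacker-controlled and by how much it exceeds the buffer; the debugger comes afterwards, to see what lies beyond it.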



Shellcoder's Programming Uncovered (Uncovered series)
ISBN: 193176946X
Year: 2003
Pages: 164