Imagine a van with four passengers and a driver. The driver controls the direction of the van. She drops off and picks up passengers along the way. This is how a buffer operates in a computer. A buffer contains both code and data variables that a user inputs. A buffer has pointers, like the van driver, that direct what to do when you get to the end of the buffer.

Now imagine that five passengers get into the van. The van has room for only four passengers and a driver. If five new passengers get in to replace the existing passengers, then all four passenger seats plus the driver's seat are taken by the new passengers. The van now has a new driver. In effect, the van filled up with more passengers than it was intended for and is now under the control of a new driver.

This is what happens with a buffer overflow exploit. A buffer is filled with more information than was anticipated, and the pointer is replaced with a new pointer directing the program to execute new code of the malicious hacker's choosing. Buffer overflows are caused by the lack of bounds checking in programs.

This chapter explores the memory architecture of an 80x86 32-bit Intel computer, sample buffer overflow code, and methods for detecting and securing your network against buffer overflow attacks. This chapter covers sample code, so having programming knowledge is helpful.
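The van analogy can be written down as a small C model. This is an added example, not code from the chapter: the `struct van` layout, the function names and the `'A'` fill bytes are all hypothetical and constructed for illustration. It compares a copy with no bounds check against a bounds-checked one and reports whether the "driver" pointer survived; the overflow case fills the whole struct because a compiler may place padding between the seats and the pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEATS 4

/* Hypothetical layout for the analogy: four seats, then the "driver",
   a pointer that decides what code runs next. */
struct van {
    char seats[SEATS];
    void (*driver)(void);
};
static void original_route(void) { }

/* No bounds check. Modelled as a copy into the struct's own bytes so the
   overwrite is observable without leaving the object (n <= sizeof *v). */
static void board_unchecked(struct van *v, const void *in, size_t n) {
    memcpy((unsigned char *)v + offsetof(struct van, seats), in, n);
}

/* Bounds-checked: input that does not fit the seats is rejected. */
static int board_checked(struct van *v, const void *in, size_t n) {
    if (n > sizeof v->seats) return -1;
    memcpy(v->seats, in, n);
    return 0;
}

/* Board n constructed bytes; return 1 if the driver pointer is unchanged. */
static int driver_survives(size_t n, int checked) {
    unsigned char input[sizeof(struct van)];
    void (*expected)(void) = original_route;
    struct van v;
    memset(input, 'A', sizeof input);   /* constructed sample input */
    memset(&v, 0, sizeof v);
    v.driver = original_route;
    if (n > sizeof input) n = sizeof input;   /* keep the model in bounds */
    if (checked)
        (void)board_checked(&v, input, n);
    else
        board_unchecked(&v, input, n);
    return memcmp(&v.driver, &expected, sizeof expected) == 0;
}

int main(void) {
    printf("fits=%d overflow=%d checked=%d\n", driver_survives(SEATS, 0),
           driver_survives(sizeof(struct van), 0),
           driver_survives(sizeof(struct van), 1));
    return 0;
}
```

The pointer is only compared byte for byte, never called, so the model shows the overwrite itself and how the length check prevents it.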