CS38, Security and Privacy, Spring 2005

The following is a list of short tutorials, HOWTOs and articles about exploiting buffer oveflow vulnerabilities. Most of these are non-scholarly in nature, and instead of taking a broad view of the problem, dive directly into the details of exploiting a particular architecture. A point of interest about them is that they, to an extent, represent the attackers' view and attitude.

Note: Urls on this page do not necessarily point to the author's page -- in cases when it moved or disappeared, I am merely pointing to an available copy mirrored by someone else.

Note: Shellcoding normally requires some command of the assembly language of the target platform, and some debugger experience. Luckily, you can learn as you read/go along -- see x86 and GDB links below.

Buffer overflows & shellcoding tutorials

• Buffer overflows demystified, Murat Balaban
  http://www.shellcode.com.ar/docz/bof/buf-eng.htm  [local bof-eng.txt]
  

• Designing shellcode demystified, Murat Balaban
  http://www.enderunix.org/docs/en/sc-en.txt  [local sc-en.txt]
  Also covered by the intro chapter of Shellcoder's Handbook

• Smashing the stack for fun and profit, aleph1
  http://www.phrack.org/show.php?p=49&a=14
  This is the classic reference, one HAS to quote it :-)

• Shellcoding for Linux and Windows Tutorial, steve hanna
  http://www.acm.uiuc.edu/sigmil/talks/shellcode/shellcode.html  [local shellcode.html]
  Gives a primer on syscalls and Nasm, my assembler of choice.

• Writing shellcode, zillion (safemode.org)
  http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html  [local Writing_shellcode.html]
  Another tutorial, more Nasm and x86 assembly examples

• shellcode.org,
  http://shellcode.org/
  A small neat collection of shellcodes and tutorials. Also has a Debian alert newsfeed.

• Shellcode Assembly: Smashing the Mac for Fun and Profit, B-r00t
  http://www.cs.dartmouth.edu/~cs38/2004/resources/local/broot.pdf
  This is for PowerPC/OS X (Darwin).

Format string vulns

• Format string attacks, Tim Newsham
  http://lava.net/~newsham/format-string-attacks.pdf  [local format-string-attacks.pdf]
  Excellent intro ("what they didn't teach you about printf can kill your system").

• Exploiting format string Vulnerabilities, scut / team teso
  http://www.cs.ucsb.edu/~jzhou/security/formats-teso.html  [local formats-teso.html]
  Format string vulnerabilities were publicized comparatively recently, but, apparently, were known in the underground for much longer, judging by the consternation caused of the "black hat" community, caused by their disclosure. They are an easy programming mistake to make, and very powerful (for the exploiter).

Integer overflows

• Basic integer overflows,
  http://www.phrack.org/phrack/60/p60-0x0a.txt
  If-branching based on comparison of signed and unsigned integers gives rise to a class of vulnerabilities often left in the code by novice or even experienced C programmers. This Phrack paper has elementary examples and useful discussion.

Return to libc

This technique is used when the stack memory pages are marked non-executable (e.g., ExecShield, used by Fedora Core). The idea is that all the code that the attacker wants executed is likely already contained in the process address space (e.g., in loaded lobraries) or, as an advanced technique, can be loaded into it by the OS dynamic loader, on demand! All that is needed is to skillfully construct the stack frames to point to the desired code.

This technique can be thwarted by randomizing the addresses at which the libraries load in each process, but this only complicates the attack, but does not preclude it. The PaX Linux kernel patch provides both the non-executable stack protection and and address space randomization. The article below deals with overcoming them.

• The advanced return-into-lib(c) exploits: PaX case study., Nergal
  http://www.phrack.org/show.php?p=58&a=4
  Useful recap of return-to-libc exploits. The dynamic loading part is a bit dense; Levin's book will help to understand it.

Using GDB and other UNIX tools

There are plenty of GDB tutorials on the web. Please let me know if you find a good one.

• A local C and GDB tutorial,
  http://www.cs.dartmouth.edu/~dwagn/cs58/tutorial/
  

• Linux software debugging with GDB, David Seager
  http://www-106.ibm.com/developerworks/library/l-gdb/
  A very good tutorial from the IBM Linux group. Have a look around on their site, their stuff is usually clear, concise and to the point.

• How to write Buffer Overflows, Mudge
  http://www.cs.ucsb.edu/~jzhou/security/bufero.html  [local bufero.html]
  Use this a summary of useful gdb commands

• "Debugging with GDB", the official GDB manual,
  http://www.gnu.org/manual/gdb/gdb.html
  Free software, free documentation, good reading :-)

Exploiting vulnerabilities, next level

• Insecure Programming by example, gera
  http://community.core-sdi.com/~gera/InsecureProgramming/
  Short examples of exploitable C code: simple unchecked buffers to overflow, format string vulnerabilities, and more. Good example of a "hacker homework".

• badc0ded collection of documents on exploits,
  http://community.corest.com/~juliano/
  Many bits of technical info, in no particular order.

• Metasploit.org,
  http://www.metasploit.org/
  The free framework for developing shellcodes. A number of packaged exploits ready to run and yield shell. Professional tools like this (CoreImpact, Canvas) cost >10000+ .

x86 Assembly language

• A Tiny Guide to Programming in 32-bit x86 Assembly Language, Adam Ferrari
  http://www.cs.virginia.edu/~cs216/notes/x86-doc.pdf  [local x86-doc.pdf]
  Very useful intro to x86 assembly, exactly the kind needed for shellcode. Also details the function call convention (the layout of the structures created by a function call on the stack -- this layout is the target of "stack smashing"). Recommended reading for shellcode intro.

• PC Assembly Language,
  http://www.drpaulcarter.com/pcasm/index.php  [local pcasm-book.pdf]
  This is a free textbook created by the author for teaching x86 assembly. It complements Bob Neveln's book (see Books), which spends most of its energy demystifying the PC hardware. Use this as a reference. Has a Nasm tutorial and examples.

• www.linuxassembly.org tutorials,
  http://www.linuxassembly.org/resources.html#tutorials
  Look the the "nasm" links. There are a better start than the full Nasm manual below.

• Nasm examples,
  http://www.technocage.com/~ray/notespage.jsp?pageName=nasmexamples&pageTitle=NASM+Examples
  Useful examples, lovely design.

• The Netwide Assembler: NASM,
  http://nasm.sourceforge.net/doc/html/nasmdoc0.html
  Nasm is my recommended assembler for shellcoding work. This is the Nasm manual. Skim the examples, you will not need the full power of Nasm (it can do pretty elaborate macro substitutions etc, at times resembling a real compiler).

• Appendix B of the above, the x86 instructions reference,
  http://nasm.sourceforge.net/doc/html/nasmdocb.html
  Intel's x86 assembly instructions are many and varied. They are also very confusing, because every instruction has special forms for all the backwards compatibility modes that an x86 processor supports. Luckily, you don't need many instructions to write meaningful shellcode, and you can always look up others that you encounter on the web (just googling for them works).

• Startup state of Linux/i386 ELF binary, Konstantin Boldyshev (of http://linuxassembly.org/)
  http://community.corest.com/~juliano/misc/elf.html
  Details on how programs are launched on Linux, particularly what the memory layout looks like.

• Calling conventions on the x86 platform, Andreas Jönsson
  http://www.angelcode.com/dev/callconv/callconv.html
  A short summary of various x86 calling conventions

Back to Dartmouth CS Home Page