Buffer Overflow Exploit POC

Discussion in 'other security issues & news' started by StevieO, Jul 20, 2005.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

  2. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi StevieO,

    Based upon the discussions in earlier discussions, the key issue for desktop users is whether a buffer overflow exploit can find a "target" on a typical home user platform. The article alluded to this:

    "A hacker I know created a program to automatically find a char array and overflow it to see if it was vulnerable, although I cannot give you this, according to our black hat lore Wink "

    Does such a program exist that can scan a desktop PC and:

    a) Locate a process that has a buffer overflow vulnerability and then ...
    b) Somehow exploit it

    Known targets for buffer overflows seem to exist on servers, e.g. SQL Server. What's more, SQL Server DBMSs are designed to listen for incoming messages and respond to them. This makes them a good target for such an attack. (I do not know whether this particular vulnerability still exists - but it was an example given in the previous discussion thread).

    As of today, I am not aware of any similar target program on the average desktop PC. However, if there was one, it would still be necessary for a program to get through the primary desktop security protection in order to exploit it. (I use KAV+ProcessGuard+WormGuard to try to stop such a process from ever getting started).

    So, bottom line, my understanding is that there is a very low probability of such a threat actually occurring on a desktop PC, but probably a higher probability on a server.

    This is my current understanding, and I await further comments.

    Rich
     
  3. Jack Harper

    Jack Harper Guest

    JPG buffer overflow.

    ZoneAlarm buffer overflow

    Firefox buffer overflow
     
  4. richrf

    richrf Registered Member

    It is my understanding that these buffer overflows have been fixed with vendor patches. Please correct me if I am wrong.

    Rich
     
  5. Jack Harper

    Jack Harper Guest

    Those that are known to the unwitting public, yes.

    Just giving you examples of real-world examples affecting non-server setups that aren't 'designed to listen for incoming messages and responding to them'. You can bet many exist that aren't publicised. The more programs you run, the higher the possibility of this happening.

    Ah 'layering', the ultimate one-word answer that allows everybody to sleep like a baby at night. A voodoo chant that can counter any conceivable threat. :)

    It goes without saying that everyone here already understands the importance of this, but it doesn't prevent us from looking for direct and better solutions.

    Your setup, for instance, doesn't handle buffer overflows directly; at best they can (perhaps) catch the secondary effects.
     
  6. richrf

    richrf Registered Member

    What I am primarily trying to achieve is to detect and stop the initial causes - i.e. catch the processes before they can begin to do their damage. Hence ZoneAlarm, KAV, WormGuard, and ProcessGuard (this is at the point that the process is requesting services to run), and possibly Ewido (if it is fast enough in its process scanning). RegDefend would be an example of trying to catch a secondary effect. I am hopeful that future releases of KAV and ZoneAlarm will be even stronger in this respect. I am always looking for stronger ways to achieve this goal.

    Products such as Prevx are more designed to catch secondary effects - e.g. buffer overflows, file system changes, etc., since at this point the process is already running.
     
  7. Jack Harper

    Jack Harper Guest

    Which look up the meaning of buffer overflows again.
     
  8. StevieO

    StevieO Guest
