CEHv8 module 18 buffer overflow



Ethical Hacking and Countermeasures v8, Module 18: Buffer Overflow. Exam 312-50 Certified Ethical Hacker. Engineered by Hackers. Presented by Professionals.
Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module 18 Page 2692

Security News
October 19, 2012
Steam Gaming Platform Vulnerable to Remote Exploits; 50 Million at Risk
Source: http://threatpost.com

More than 50 million users of the Steam gaming and media distribution platform are at risk for remote compromise because of weaknesses in the platform's URL protocol handler, a pair of researchers at ReVuln wrote in a paper released this week. Luigi Auriemma and Donato Ferrante discovered a number of memory corruption issues, including buffer and heap overflows that would allow an attacker to abuse the way the Steam client handles browser requests. Steam runs on Windows, Linux and Mac OSX. The steam:// URL protocol is used to connect to game servers, load and uninstall games, backup files, run games and interact with news, profiles and download pages offered by Valve, the company that operates the platform.

Attackers, Auriemma and Ferrante said, can abuse specific Steam commands via steam:// URLs to inject attacks and run other malicious code on victim machines. "We proved that the current implementation of the Steam Browser Protocol handling mechanism is an excellent attack vector, which enables attackers to exploit local issues in a remote fashion," Auriemma and Ferrante wrote. "Because of the big audience, the support for several different platforms and the amount of effort required to exploit bug via the Steam Browser Protocol commands, Steam can be considered a high-impact attack vector."

A large part of the problem rests in the fact that most browsers don't ask for user permission before interacting with the Steam client, and those that do don't explain there could be a security issue. As a result, users could be tricked into clicking on a malicious steam:// URL or redirect browsers via JavaScript to a malicious site, the paper said. The paper details five new remotely exploitable vulnerabilities in not only Steam, but also in the Source and Unreal game engines.

Some of the games running on the affected platforms include Half-Life 2, Counter-Strike, Team Fortress 2, Left 4 Dead, Nuclear Dawn, Smashball and many others. One of the more dangerous vulnerabilities discovered involves the retailinstall command that allows Steam to install or restore backups from a local directory. An attacker can abuse the directory path to point to a remote network folder and then attack the function that processes a .tga splash image, which is vulnerable to an integer overflow attack. A heap-based overflow results and an attacker could remotely execute code. To exploit the Source game engine, Auriemma and Ferrante used a malicious .bat file placed in the startup folder of the user's account that executes upon the gamer's next login. The pair also found several integer overflow flaws in the Unreal gaming engine by taking advantage of a condition where Unreal supports the loading of content from remote machines via Windows WebDAV or a SMB share. Malicious content could be remotely injected in this way. Auto-update function vulnerabilities in a pair of games, All Points Bulletin and MicroVolts, were also discovered and exploited. The researchers were able to exploit a directory traversal to overwrite or create any malicious file.

Users reduce the impact of these issues by disabling the steam:// URL handler or using a browser that doesn't allow direct execution of the Steam Browser Protocol. Steam could also deny the passing of command-line arguments to remote software.

Copyright © 2012 threatpost.com. By Michael Mimoso.
http://threatpost.com/en_us/blogs/steam-gaming-platform-vulnerable-remote-exploits-50-million-risk-101912

Module Objectives

Various security concerns, attack methods, and countermeasures have been discussed in the previous modules. Buffer overflow attacks have been a source of worry from time to time.
This module looks at different aspects of buffer overflow exploits that include:
- How to Mutate a Buffer Overflow Exploit
- Identifying Buffer Overflows
- How to Detect Buffer Overflows in a Program
- BoF Detection Tools
- Defense Against Buffer Overflows
- Buffer Overflow Security Tools
- Buffer Overflow Penetration Testing
- Heap-Based Buffer Overflow
- Why Are Programs and Applications Vulnerable to Buffer Overflows?
- Knowledge Required to Program Buffer Overflow Exploits
- Buffer Overflow Steps
- Overflow Using Format String
- Buffer Overflow Examples

Module Flow

Buffer Overflow Concepts; Buffer Overflow Methodology; Buffer Overflow Examples; Buffer Overflow Detection; Buffer Overflow Countermeasures; Buffer Overflow Security Tools; Buffer Overflow Pen Testing.

Many applications and programs are vulnerable to buffer overflow attacks. This is often overlooked by application developers or programmers. Though it seems to be simple, it may lead to severe consequences. To avoid the complexity of the buffer overflow vulnerability subject, we have divided it into various sections. Before going technically deep into the subject, first we will discuss buffer overflow concepts.

Buffer Overflow Concepts

This section describes buffer overflows, various kinds of buffer overflows (stack-based and heap-based), stack operations, shellcode, and NOPs.

Buffer Overflows

Buffers have data storage capacity. If the data count exceeds the original, a buffer overflow occurs. Buffers are developed to maintain finite data; additional information can be directed wherever it is needed. The extra information may overflow into neighboring buffers, destroying or overwriting the legal data. For example, the following C program illustrates how a buffer overflow attack works, where an attacker easily manipulates the code:

    #include <stdio.h>
    #include <string.h>   /* strcpy */

    int main(int argc, char **argv)
    {
        char target[5] = "TTTT";             /* 4 Ts plus the terminating \0 */
        char attacker[11] = "AAAAAAAAAA";    /* 10 As plus the terminating \0 */
        strcpy(attacker, "DDDDDDDDDDDDD");   /* 13 Ds plus \0 do not fit in 11 bytes: overflow */
        printf("%s\n", target);
        return 0;
    }
FIGURE 18.1: Buffer Overflows (memory layout of the 13-character strcpy string, the 11-byte attacker buffer, and the resulting overflow)

The program seems to be just another normal program written by a programmer. However, the crux of this code lies in a small manipulation by the attacker, if examined closely. The actual problem is explained step-by-step as follows:

1. During compilation of the program, the following lines of code are executed:

    char target[5] = "TTTT";
    char attacker[11] = "AAAAAAAAAA";

- At this point, a buffer called "target," that can hold up to 5 characters, is created
- Then, the program places 4 Ts into the "target" buffer
- The program then creates a buffer called "attacker" that can hold up to 11 characters
- Then, the program places 10 As into the "attacker" buffer
- The program compiles these two lines of code

The following is a snapshot of the memory in the system. The contents of the target and attacker buffers are placed in the memory along with null characters, \0:

    \0 T T T T \0 A A A A A A A A A A     (stack memory initially)

2. After compiling the previously mentioned two lines of code, the compiler compiles the following lines of code:

    strcpy(attacker, "DDDDDDDDDDDDD");
    printf("%s\n", target);

- Here, in this line of code, the string copy function is used, which copies the 13 characters of the letter D into the attacker buffer
- After this, the program prints the content of the target buffer

3. The strcpy function of the C program copies the 13 D characters into the attacker buffer, whose memory space is only 11 characters. Because there is no space for the remaining "D" characters, it eats up the memory of the "target" buffer, destroying the contents of the "target" buffer. Here is the snapshot of the system memory after the strcpy function is executed:

    \0 \0 D D D D D D D D D D D D D

This is how buffer overflow occurs: a program, which seemed to be less problematic, created a buffer overflow attack just by manipulating one command.

In the current scenario, the focus is primarily on the Application Programming Interface (API), which is a set of programming conventions facilitating direct communication with another piece of code, and the protocol, which is a set of data and commands to be passed between programs. It is a fact that many programs use a standard code set provided by the operating system when they want to use a protocol. The APIs associated with a program and the concerned protocol determine the nature of information that can be exchanged by the program. For instance, consider a simple login form.
The login program can define the length of the input that can be accepted as the user name. However, if the program does not check for length, it is possible that the storage space allotted for the data may be used up, causing other areas in the memory to be used. If an attacker is able to detect this vulnerability, he or she can execute arbitrary code by causing the web application to act erroneously.

[Preview snippets from later pages of the module; the surrounding text is not on this page]

... user); (Module 18 Page 2725)

    sprintf( outbuf, errmsg );

If user = "%500d", this will bypass the "%400s" limitation and overflow outbuf. Thus, the stack smashing buffer overflow attack is carried out. (Module 18 Page 2726)

... signatures of NOP sleds ... the instruction pointer ... ADMmutate (by http://www.ktwo.ca) accepts a buffer overflow exploit as input and randomly creates a functionally equivalent version. Note: It is the NOP sled that ADMmutate mutates (not the shellcode). Attacker pads the beginning of the intended buffer overflow with a long run of NOP instructions (a NOP slide or sled) so the CPU will ...
... Last-In-First-Out (LIFO) ... SP points here ... the mechanism to pass arguments to memory functions and refer the local variables ... Buffer 2 (Local Variable 2), fill direction, Buffer 1 (Local Variable 1), BP ... It acts like a buffer, holding all of the information that the function needs ... anywhere within the stack ... (stack frame figure residue)

Module Flow: So far, we have discussed the basic buffer overflow concepts. Now we will discuss the buffer overflow methodology. (Buffer Overflow Concepts; Buffer Overflow Methodology; Buffer Overflow Examples; Buffer Overflow Detection; Buffer Overflow Countermeasures; Buffer Overflow Security Tools ...)

... and debugging tools such as gdb ... exec() system calls ... How to guess some key parameters (Module 18 Page 2718)

... (Module 18 Page 2723) Correct form is:

    int func(char *user)
    {
        fprintf(stdout, "%s", user);   /* user text is an argument, never the format */
        return 0;
    }
... End of Stack, SP ... Stack when attacker calls a function: Data, Malicious code, execve(/bin/sh) ... End of Stack ... Stack when function smashes a stack. FIGURE 18.3: Stack-based Buffer Overflow (Module 18 Page 2705)

... Pointer (EBP), is used (Module 18 Page 2711)

Shellcode: Buffers are soft targets for attackers as ...

... output = malloc(20); ... fnord fnord fnord fnord f fnord fnord fnord \0 ... Heap: After Overflow. FIGURE 18.5: Heap-based Buffer Overflow (Module 18 Page 2709)
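The module's strcpy example copies 13 bytes of D into an 11-byte buffer, and the login-form paragraph and the sprintf(outbuf, errmsg) / "%400s" snippets describe the same missing length check from the defender's side. The following C program is an added example, not code from the CEH module: it keeps the module's buffer sizes (target[5], attacker[11]) and input (13 Ds), computes how many bytes an unchecked strcpy would spill, and shows the two bounded replacements a reviewer would ask for: a length-checked copy that refuses oversized input, and a fixed "%s" format passed to snprintf so that user text such as "%500d" is never interpreted as a format string. The function names overflow_bytes, copy_bounded, format_user_message and target_survives are hypothetical helpers written for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Bytes that strcpy(dst, src) would write past a dst of bufsz bytes
 * (strlen(src) + 1 for the terminating '\0', minus the room available),
 * or 0 when the string fits. Hypothetical helper, not from the module. */
size_t overflow_bytes(size_t bufsz, const char *src)
{
    size_t needed = strlen(src) + 1;
    return needed > bufsz ? needed - bufsz : 0;
}

/* Length-checked replacement for the module's strcpy(attacker, "DDD...").
 * Copies src into dst only if it fits, terminator included; otherwise leaves
 * dst as an empty string and returns -1. Returns 0 on success. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    size_t needed = strlen(src) + 1;
    if (needed > dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, needed);
    return 0;
}

/* Counterpart to the module's sprintf(outbuf, errmsg) pattern: user text is
 * always an argument to a fixed "%s" format, never the format itself, and
 * snprintf bounds the write. Returns the length the full message needs, as
 * snprintf does, so a caller can detect truncation (result >= outsz). */
int format_user_message(char *outbuf, size_t outsz, const char *user)
{
    return snprintf(outbuf, outsz, "Unknown user: %s", user);
}

/* Replays the module's scenario with the bounded copy: target[5] = "TTTT" and
 * attacker[11] = "AAAAAAAAAA" as in the module, then an attempt to copy
 * input into attacker. Returns 1 when target still reads "TTTT". */
int target_survives(const char *input)
{
    char target[5] = "TTTT";
    char attacker[11] = "AAAAAAAAAA";
    copy_bounded(attacker, sizeof attacker, input);   /* refuses, does not spill */
    return strcmp(target, "TTTT") == 0;
}

int main(void)
{
    const char *thirteen_ds = "DDDDDDDDDDDDD";   /* the module's 13-character input */
    char out[32];

    printf("strcpy would spill %zu byte(s) past attacker[11]\n",
           overflow_bytes(11, thirteen_ds));
    printf("target intact after bounded copy: %d\n", target_survives(thirteen_ds));

    /* A caller-controlled "%500d" is plain text here, not a conversion. */
    int n = format_user_message(out, sizeof out, "%500d");
    printf("%s (%d chars needed, %s)\n", out, n,
           (size_t)n >= sizeof out ? "truncated" : "complete");
    return 0;
}
```

The spill count for the module's input is 3 bytes (13 Ds plus the terminator against 11 bytes of room), which is exactly what reaches the neighbouring target buffer in the module's second memory snapshot; with copy_bounded the copy is refused and target is untouched.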

Posted: 24/12/2014, 15:12
