What are attackers trying to achieve when doing attacks on local programs such as buffer overflows?

Question

In attacks on programs, such as stack buffer overflows, what is the objective of the attacker? I’m having trouble learning the technical details of the attack (such as overwriting the function’s return address) because it’s not clear what such attacks are intended to achieve. For example, in SQL injection, it’s usually done to get confidential information or make the server run code. It seems like the prerequisite for a buffer overflow attack is for the attacker to already have the ability to run code on the machine, so what more do they want?

Is it usually a program on a remote computer that is being attacked in these situations? By the way I'm more familiar with C++ than C.

Answer 1

An aspect which hasn't been mentioned yet very clearly: suppose you have a multi-user system (as all modern PC OSes like Windows, Linux, Unix and so on are), and suppose you are a normal (non-privileged) user who can run "normal" application programs. Now you want to do something malicious to your PC (like installing a keylogger to get all passwords which the other users of the PC are typing, or reading other users' emails). But you can't do that because you are just a normal user, do not have administrative rights, can't install software and can't view other users' data.

So your goal is to become a user with administrative rights (administrator in Windows, root in Linux / Unix, etc.). Besides tricking the administrator into giving you his password, another way to achieve that is to attack a vulnerable program which already is running with administrative rights. If you could make such a program run your code (for example, by abusing a buffer overflow), then this code would run with administrative privileges as well, and -bang- you could do anything what you like with the machine.

This is called privilege escalation. Please note that (due to technical reasons which can't be explained here in detail) practically every system has lots of (server) processes with root privileges running in the background, so this is a real scenario (actually, I am estimating that most of the attacks against local programs are done for privilege escalation).

So the key factor is: when you (a normal user) run a program, this program runs with your own privileges and access restrictions, but when you can make a program which is already running with administrative privileges run your own code by abusing buffer overflows and similar techniques, your code runs with administrative privileges as well.

Please note that this explanation is heavily simplified (for example, in Linux / Unix there are SUID programs and so on), but hopefully expresses the underlying idea.

One last thing: privilege escalation is often the goal whether or not the attack is done locally or remotely. Often enough, attacks work in two steps:

1. First, the attacker gets a naive user's password (for example, because it is too weak, is the birthday of his wife or the name of his dog) and then uses these credentials to get onto the respective machine remotely.

2. Then, as the second step, being that user, the attacker scans the respective machine for vulnerable, privileged software and, for example by abusing buffer overflows in that software, lets that software run his malicious code which in turn is executed with the same privileges as the vulnerable software, effectively making the attacker an administrator.

Of course, there are also many cases where an attacker directly abuses privileged software running on a remote system (for example, web server processes running on Linux under root). But since you have primarily asked for the sense of local attacks, we'll leave that away for now.

Answer 2

Most of the exploits which takes advantage of Buffer Overflow vulnerability does Code Execution on the victim's machine, and this is the main intention of the attacker, to take control of others computer remotely or locally.

Answer 3

Bugs which cause buffer overflows often manifest when a program operates on malformed data, which it either receives from a network message or from a file it tries to open.

The exploit potential of the first is obvious: It allows the attacker to execute code on a remote system.

The second can be exploited by sending a malfomed file to the user and tricking them into opening it with the vulnerable software. While most users are aware that running programs from an untrusted source is a very bad idea, many users are far less careful about opening files from untrusted sources.

Answer 4

In attacks on programs, such as stack buffer overflows, what is the objective of the attacker? I’m having trouble learning the technical details of the attack (such as overwriting the function’s return address) because it’s not clear what such attacks are intended to achieve.

They're intended to achieve remote code execution. This means they want to execute code in your program by overflowing the expected input. You always want to check that your input corresponds to the correct length.

Let's look at it from a different perspective: mind-control. What if you could control someone's mind to do whatever you want them to do?

Let's say there's an exploit in someone's brain where they can only take 8-character commands. Anything outside of that gets executed because it isn't checked for.

You: Hi there. Please respond with "Hello..." ["Hello..." is 8 characters]

Victim: Uhm, okay. Hello... [brain is only capable of processing 8 characters]

You: Please respond with "Cake."

Victim: Uh, "Cake."?

You: How about "Hello...<shellcode to make them say "Buffalo!", beyond the original 8 character limit>"

Victim: Hello...Buffalo!

Victim: Wait, What did you just do to me?

You: How are you gentlemen! All your buffalos are belong to us.

Now what if "Buffalo!" was shellcode designed to execute any kind of code you want, such as the downloading of a RAT?

For example, in SQL injection, it’s usually done to get confidential information or make the server run code. It seems like the prerequisite for a buffer overflow attack is for the attacker to already have the ability to run code on the machine, so what more do they want?

Because buffer overflows, like any kind of exploit that allows for remote code execution, are usually the result of a flaw in someone else's code. Like SQL injection, you are trying to get the remote machine to execute code.

This could be something as simple as sending a malformed command to a normal program. You could also implement intentional vulnerabilities your own programs. Some less-than-scrupulous individuals may do that.

There are lots of RCE vulnerabilities in various languages. The trick is to find something - anything - that allows you to run code/commands on the target in question that open up further opportunities to gain additional access.

Answer 5

The overall goal of a buffer overflow is to get hold of the program flow and execute your (mallicious) code.

What you want to control in first place is the so called 'return address' of a function. Before a function is called, the current address is pushed on the stack, so after the function has finished, the program knows where it was before and continue execution. So if we consider a very basic example:

void test() {
  char array[4];
  gets(array);
  printf("%s\n", array);
}

then the stack would probably look something like this:

0000000n:  array[0]
00000n+1:  array[1]
00000n+2:  array[2]
00000n+3:  array[3]
00000n+4:  address where *test* was called

So since gets doesn't check if your input actually fits into the buffer you provided, it wil write and write and write onto the stack, even if it's larger than your buffer. Therefore an attacker can manipulate the return address and make the program jump to wherever he wants after test has finished (additionally he would insert some machinecode after the return address and jumpt to that area somewhere).

Please note, this example is very abstract and only here to get the basic idea of this attack. For more details please visit sites like this, or this easier explanation