
CEH: Official Certified Ethical Hacker Review Guide: Exam 312-50 - Kimberly Graves [74]

can be found on the Internet and are exchanged between hacker groups.

Overview of Buffer Overflow Mutation Techniques

As you can see, a hacker can graduate from a standard buffer overflow to overwriting the saved return pointer so that it points at code of the hacker's choosing. Doing that precisely requires knowing the exact memory address at which the injected code will land and the layout of the stack. Because that address is rarely known exactly, the hacker prepends a run of No Operation (NOP) instructions to the malicious code. A NOP is an instruction that does nothing except advance the instruction pointer, so if the overwritten return pointer lands anywhere inside the run (the NOP sled), execution slides down through the NOPs until it reaches the malicious code.

If an intrusion detection system (IDS) is present on the network, it can thwart the attack by looking for a long series of NOPs in traffic (on x86, a run of 0x90 bytes). To bypass such a signature, the hacker can randomly replace some of the NOPs with equivalent pieces of code that have no net effect, such as the pair x++, x-- (an increment followed by a decrement of the same register), which does the same job as NOP NOP. This mutated buffer overflow attack can bypass detection by a signature-based IDS; an IDS that also recognizes these NOP-equivalent instructions can still catch it.
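The following C program is an added example, not code from the book, that makes the two paragraphs above concrete. It builds a plain 32-bit x86 NOP sled and a mutated one in which every third pair of 0x90 bytes is swapped for an inc/dec pair (the book's x++, x--), then runs two constructed IDS rules over each: a naive rule that counts only literal 0x90 bytes, and an improved rule that also counts the single-byte inc/dec instructions 0x40 to 0x4F. SLED_LEN, RUN_THRESHOLD and the function names are assumptions made for the demonstration; the shellcode that would follow the sled in a real exploit is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define SLED_LEN 64            /* length of the demo sled (assumption) */
#define NOP 0x90               /* single-byte x86 NOP */
#define RUN_THRESHOLD 16       /* naive IDS rule: alert on this many consecutive NOPs (assumption) */

/* 32-bit x86 instruction pairs with no net effect, the book's "x++, x--":
 * 0x40..0x43 = inc eax/ecx/edx/ebx, 0x48..0x4B = dec eax/ecx/edx/ebx.
 * (In 64-bit mode these bytes are REX prefixes, so this is a 32-bit example.) */
static const uint8_t nop_pairs[4][2] = {
    {0x40, 0x48}, {0x41, 0x49}, {0x42, 0x4A}, {0x43, 0x4B}
};

/* Fill out[0..len) with a NOP sled. With mutate != 0, every third pair of
 * NOPs is swapped for an inc/dec pair, so no long run of 0x90 survives. */
void build_sled(uint8_t *out, size_t len, int mutate)
{
    for (size_t i = 0; i + 1 < len; i += 2) {
        size_t pair = i / 2;
        if (mutate && pair % 3 == 0) {
            const uint8_t *p = nop_pairs[(pair / 3) % 4];
            out[i] = p[0];
            out[i + 1] = p[1];
        } else {
            out[i] = NOP;
            out[i + 1] = NOP;
        }
    }
    if (len % 2)
        out[len - 1] = NOP;
}

/* Longest run of consecutive bytes accepted by match(). */
static size_t longest_run(const uint8_t *buf, size_t len, int (*match)(uint8_t))
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = match(buf[i]) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

static int is_nop(uint8_t b) { return b == NOP; }

/* Improved signature: 0x90 or any single-byte inc/dec (0x40..0x4F),
 * the usual NOP substitutes. */
static int is_nop_equivalent(uint8_t b) { return b == NOP || (b >= 0x40 && b <= 0x4F); }

/* Naive IDS rule: alert only on a long run of literal NOPs. */
int naive_ids_alert(const uint8_t *buf, size_t len)
{
    return longest_run(buf, len, is_nop) >= RUN_THRESHOLD;
}

/* Improved IDS rule: alert on a long run of NOP-equivalent instructions. */
int better_ids_alert(const uint8_t *buf, size_t len)
{
    return longest_run(buf, len, is_nop_equivalent) >= RUN_THRESHOLD;
}

/* Helpers that build a sled and report on it, so results are easy to check. */
size_t sled_longest_nop_run(int mutate)
{
    uint8_t sled[SLED_LEN];
    build_sled(sled, SLED_LEN, mutate);
    return longest_run(sled, SLED_LEN, is_nop);
}

int sled_naive_alert(int mutate)
{
    uint8_t sled[SLED_LEN];
    build_sled(sled, SLED_LEN, mutate);
    return naive_ids_alert(sled, SLED_LEN);
}

int sled_better_alert(int mutate)
{
    uint8_t sled[SLED_LEN];
    build_sled(sled, SLED_LEN, mutate);
    return better_ids_alert(sled, SLED_LEN);
}

int main(void)
{
    for (int mutate = 0; mutate <= 1; mutate++)
        printf("%s sled: longest 0x90 run %zu, naive IDS %s, improved IDS %s\n",
               mutate ? "mutated" : "plain", sled_longest_nop_run(mutate),
               sled_naive_alert(mutate) ? "ALERT" : "quiet",
               sled_better_alert(mutate) ? "ALERT" : "quiet");
    return 0;
}
```

The plain sled is 64 consecutive 0x90 bytes and trips both rules. In the mutated sled the longest run of literal NOPs is 4, so the naive rule stays quiet, while the improved rule still sees 64 consecutive sled-like bytes and alerts: the mutation defeats a signature on the NOP byte, not a signature on NOP-equivalent behaviour.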

Programmers should not use the built-in strcpy(), strcat(), and streadd() C/C++ functions, as these copy until they reach the end of the source string without checking the size of the destination buffer and are therefore susceptible to buffer overflows. Alternatively, Java can be used as the programming language: the Java runtime bounds-checks every array access, so Java code is not susceptible to classic buffer overflows (native code called through JNI remains exposed).
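As an added example, not code from the book, the C program below puts the strcpy() pattern the paragraph warns about next to a bounded replacement for strcpy() and strcat(). It also shows why the reflex fix, strncpy(), is a trap of its own: when the source fills the buffer exactly, strncpy() leaves no NUL terminator. NAME_MAX, the inputs and the function names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* destination buffer size used throughout the demo (assumption) */

/* The pattern the book warns about: strcpy() copies until the source NUL and
 * never looks at the destination size. With input of NAME_MAX bytes or more it
 * writes past buf, towards the saved return pointer. Shown for comparison only;
 * the demo never calls it with attacker-sized input. */
void vulnerable_copy(const char *input)
{
    char buf[NAME_MAX];
    strcpy(buf, input);            /* overflow when strlen(input) >= NAME_MAX */
    printf("copied: %s\n", buf);
}

/* Length of s, never reading more than max bytes of it. */
static size_t bounded_strlen(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* strncpy() is the usual "fix" and is itself a trap: when src fills the buffer
 * it leaves no NUL terminator, and the next strlen()/printf() runs off the end.
 * Returns 1 if dst came out terminated, 0 if not. */
int strncpy_leaves_terminator(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

/* Hardened copy: explicit bounds check, and input that will not fit is
 * rejected rather than silently truncated. Returns 0 on success, -1 on reject. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = bounded_strlen(src, dstsz);
    if (dstsz == 0 || n >= dstsz)   /* need room for n bytes plus the NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened replacement for strcat() with the same contract. */
int bounded_concat(char *dst, size_t dstsz, const char *src)
{
    size_t used = bounded_strlen(dst, dstsz);
    if (used >= dstsz)               /* dst is not a terminated string */
        return -1;
    return bounded_copy(dst + used, dstsz - used, src);
}

/* Wrappers over a NAME_MAX buffer so the results can be checked directly. */
int accept_name(const char *input)
{
    char buf[NAME_MAX];
    return bounded_copy(buf, sizeof buf, input);
}

int strncpy_terminated(const char *input)
{
    char buf[NAME_MAX];
    return strncpy_leaves_terminator(buf, sizeof buf, input);
}

int accept_full_name(const char *first, const char *rest)
{
    char buf[NAME_MAX];
    if (bounded_copy(buf, sizeof buf, first) != 0)
        return -1;
    return bounded_concat(buf, sizeof buf, rest);
}

int main(void)
{
    /* Constructed inputs: one that fits, one exactly NAME_MAX bytes long. */
    const char *ok = "alice";
    const char *too_long = "0123456789abcdef";

    vulnerable_copy(ok);  /* safe only because this input is short */
    printf("bounded_copy(\"%s\") -> %d\n", ok, accept_name(ok));
    printf("bounded_copy(\"%s\") -> %d (rejected)\n", too_long, accept_name(too_long));
    printf("strncpy terminated? \"%s\" -> %d, \"%s\" -> %d\n",
           ok, strncpy_terminated(ok), too_long, strncpy_terminated(too_long));
    printf("concat \"alice\" + \"_smithsonian\" -> %d (rejected)\n",
           accept_full_name("alice", "_smithsonian"));
    return 0;
}
```

The bounds check is done once, against the destination size, before any byte is written; a 15-character name fits in the 16-byte buffer, a 16-character one is refused. Rejecting oversized input, rather than truncating it, also avoids the silent data corruption that strncpy()-style fixes introduce.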

Exam Essentials

Understand how SQL injection and buffer overflow attacks are similar. SQL injection and buffer overflows are similar in that both attacks are delivered through user input, typically a web form field, that the program accepts without proper validation.

Understand SQL injection countermeasures. Writing correct code that does not pass user-supplied single quotes (or other SQL metacharacters) into queries, and performing bounds-checking and input validation, are SQL injection countermeasures. The most reliable form of this is a parameterized (prepared) query, which keeps user input out of the SQL statement text altogether.

Know the difference between a stack-based and a heap-based buffer overflow. The stack is a fixed region of memory that holds local variables, function arguments and saved return addresses in last-in, first-out order, whereas the heap holds memory allocated dynamically at run time (for example with malloc() or new). A stack-based overflow overwrites neighbouring local variables and the saved return pointer; a heap-based overflow overwrites neighbouring heap data or the allocator's bookkeeping metadata.

Understand how to bypass an IDS using a buffer overflow attack. A signature-based IDS looks for a series of NOPs. By replacing some of the NOPs with other code segments that have no net effect, a hacker can effectively bypass the IDS.

Know which register ends up holding the overwritten return address. The saved return address on the stack is what the overflow overwrites; when the function returns it is loaded into the instruction pointer register, known as EIP on 32-bit x86 (RIP on x86-64), so execution jumps to the exploit code.

Understand buffer overflow and SQL injection countermeasures. Bounds-checking and sanitizing the input from a web form can prevent both buffer overflow and SQL injection vulnerabilities.

Review Questions

1. Entering Password: blah' or 1=1-- into a web form in order to get a password is an example of what type of attack?

A. Buffer overflow

B. Heap-based overflow

C. Stack-based overflow

D. SQL injection

2. Replacing NOPs with other code in a buffer-overflow mutation serves what purpose?

A. Bypassing an IDS

B. Overwriting the return pointer

C. Advancing the return pointer

D. Bypassing a firewall

3. Which of the following is used to store dynamically allocated variables?

A. Heap overflow

B. Stack overflow

C. Heap

D. Stack

4. What is the first step in a SQL injection attack?

A. Enter arbitrary commands at a user prompt.

B. Locate a user input field on a web page.

C. Locate the return pointer.

D. Enter a series of NOPs.

5. What command is used to retrieve information from a SQL database?

A. INSERT

B. GET

C. SET

D. SELECT

6. Which of the following is a countermeasure for buffer overflows?

A. Not using single quotes

B. Securing all login pages with SSL

C. Bounds checking

D. User validation

7. What does NOP stand for?

A. No Operation

B. Network Operation Protocol

C. No Once Prompt

D. Network Operation

8. A hacker needs to be familiar with the memory address space and techniques of buffer overflows in order to launch a buffer overflow attack.

A. True

B. False

9. Why are many programs vulnerable to SQL injection and buffer overflow attacks?

A. The programs are written quickly and use poor programming techniques.

B. These are inherent flaws in any program.

C. The users have not applied the correct service packs.

D. The programmers are using the wrong programming language.

10. Which command would a hacker enter in a web form field to obtain a directory listing?

A. Blah';exec master..xp_cmdshell "dir

B. Blah';exec_cmdshell "dir c:\*.* /s >c:\directory.txt"--

C. Blah';exec master..xp_cmdshell
