
Windows What is buffer overflow?

Discussion in 'Software' started by friskies, 17 Aug 2004.

  1. friskies

    friskies What's a Dremel?

    Joined:
    17 Nov 2003
    Posts:
    407
    Likes Received:
    1
    Can someone please explain this to me? I understand it is a programming error which lets someone execute code on your pc, but how? How can someone access your computer after a cache-thing on your CPU is overwritten?
     
  2. Hargle

    Hargle What's a Dremel?

    Joined:
    13 Oct 2001
    Posts:
    404
    Likes Received:
    1
    I don't know how much you know about programming or the layout of code in memory but I'll have a quick go at describing the basic 'theory' behind it.

    You have code and data sections in memory for a process. The data section is a constant size (to get more memory at runtime you allocate memory from the heap, which is referenced by a pointer variable on the stack, in your data section of the process). If you have code which copies, say, a string of input characters to an array in the data section and it doesn't check that the string will fit in the space allocated by the compiler, then it will just overwrite whatever comes next in memory, be it data or code. So in this example a string could be passed into the program (although it is intended to be a string of characters it can of course be any numerical values 'disguised' as a string) that would replace code and data with arbitrary values. So you could basically just dump a load of hostile code in there or modify data you shouldn't have access to.

    Protected mode stops you trashing absolutely everything directly, but you've still got access to the entire system through the current process. There is a new technology I read about a few months ago that should put a stop to this but I don't know a lot about it. A quick google turned up this.

    There are actually legitimate cases of wanting to modify code at runtime (self modifying code has become quite a popular technique in game programming I know). There's a more in depth article here if you're interested in learning more. There's loads of information around of course so just search.
     
  3. TheAnimus

    TheAnimus Banned

    Joined:
    25 Dec 2003
    Posts:
    3,214
    Likes Received:
    8
    A buffer overflow only comes from a poor programmer.
    Ring 3 (protected mode), as good as it is, still doesn't stop the problem because often it's a legitimate task for the code to perform that you need to trick it into doing.

    There are a few main ways of going about this, but it's always about accessing memory outside of what the programmer was thinking you would use.

    because of the
    .DATA
    .DATA?
    .CODE
    structure used by many compilers, there might be 16 bytes reserved for a string, say (in the .DATA? because it's a variable).
    Now say the coder used strcpy (string copy, copies all the data from the memory specified by the first operand to the memory specified by the second operand until a null is found).

    In pseudo code this might look like:
    Code:
    function strcpy (pointer target, pointer destination) {
       i = 0
       while (target[i] != NULL) {    // memory specified by (target+i) is not null
          destination[i] = target[i]; // copy one byte; nothing checks how big destination is
          i++;                        // increment i
       }
    }
    
    Now the problem here is the code doesn't check if it can write to the memory at destination, i.e. it doesn't make sure enough has been reserved.
    Also, it has no escape: say you're expecting a string in your game server code, this would be a string sent by the client; what happens if they just send foo without a null at the end? The code would keep on running.

    This shows how most buffer overflows, are normally a form of DoS attack.

    But let's say you have a known binary (what's your assembly like? If it's not up to scratch, hit www.masm32.org, download + read the tutorials).

    Now because we have this pattern used by most C compilers, of .DATA .DATA? .CODE, we can extend this idea a bit further.

    If you had function foo and function foobar adjacent in memory (how the compiler placed them), then with a buffer overflow in foo you could not only re-write foo, but also change constants in foobar (this is SO much easier than making new machine code).

    Let's have a look at this.
    Code:
    function foo ( void ) {
       CHAR  string[20];
       POINTER bar = getuser_input(); // function that returns a pointer to the user input, let's say it's a password
       strncpy (bar, &string[0]);     // same (source, destination) order as the strcpy above; no length check
       invoke foobar (&string[0]);
    }

    function foobar (pointer string) {
       CHAR  passwd = "secret";       // sits right after foo's data, so an overflow of string can reach it
       if (!strncmp(string, passwd)) {
           do_login();
       } else {
           do_un_authed();
       }
    }
    
    Hope that bullsh!t code makes some sense, but say you buffer overflowed your input on string, you could very easily change the data that's in passwd.

    An interesting thought would be how you could cause another type of buffer overflow (well, it's in a different place) on this code if we changed foobar so it took a string of 20 rather than a pointer (there are cases where you would want a copy of it passed this way so you could modify it, I've seen this done).

    My understanding of the AMD 64bit (the b is for bollocks) CPU is that it would do ANYTHING to stop this type of attack, and well, why should it? You can't exactly put a protected mode layer around a function!?

    What it will do however is stop fun and games with the Stack Pointer.
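The adjacent-data overwrite that Hargle and TheAnimus describe (an unchecked copy into a 20-byte buffer running straight into the password stored after it), as an added example that is not code from the thread: a constructed C model in which the buffer and the "secret" password sit in one flat array, with the unchecked copy beside a length-checked one and an integrity check on the stored password that shows a defender the corruption. All names (attempt, unchecked_copy, checked_copy, passwd_clobbered) and the layout are my own assumptions.

```c
#include <string.h>

/* Constructed model of the layout from the post: foo's 20-byte input buffer
 * immediately followed by foobar's "secret" password, both in one flat array
 * so every write stays inside defined memory (no real undefined behaviour). */
#define BUF_LEN  20
#define PASS_LEN 8
#define MEM_LEN  (BUF_LEN + PASS_LEN)

struct process_data { char mem[MEM_LEN]; };

static void init_data(struct process_data *d) {
    memset(d->mem, 0, sizeof d->mem);
    memcpy(d->mem + BUF_LEN, "secret", 7);  /* passwd sits right after the buffer */
}

/* The strcpy pattern from the post: copy until a NUL, never asking how much
 * room the destination has. The MEM_LEN guard only marks the model's edge. */
static int unchecked_copy(struct process_data *d, const char *input) {
    for (size_t i = 0; i < MEM_LEN && input[i] != '\0'; i++)
        d->mem[i] = input[i];
    return 0;
}

/* Hardened version: refuse anything that does not fit together with its NUL. */
static int checked_copy(struct process_data *d, const char *input) {
    size_t n = strlen(input);
    if (n >= BUF_LEN) return -1;            /* would spill into passwd */
    memcpy(d->mem, input, n + 1);
    return 0;
}

/* One login attempt (foo, then foobar). Returns 1 = granted, 0 = denied,
 * -1 = input rejected. passwd_intact (may be NULL) reports whether the
 * stored password survived, a check a defender can use to spot corruption. */
int attempt(const char *input, int hardened, int *passwd_intact) {
    struct process_data d;
    init_data(&d);
    if ((hardened ? checked_copy : unchecked_copy)(&d, input) != 0) return -1;
    if (passwd_intact) *passwd_intact = memcmp(d.mem + BUF_LEN, "secret", 7) == 0;
    /* foobar's comparison: does the buffer match the stored password? */
    return strncmp(d.mem, d.mem + BUF_LEN, PASS_LEN) == 0;
}

/* Did an accepted input clobber the stored password? 1 = yes. */
int passwd_clobbered(const char *input, int hardened) {
    int intact = 1;
    return attempt(input, hardened, &intact) != -1 && !intact;
}
```

With the unchecked copy, an over-long input both destroys the stored password and, when it runs past the 20-byte mark, gets compared against its own tail; the checked copy rejects the same input before anything is written.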
     
  4. friskies

    friskies What's a Dremel?

    Joined:
    17 Nov 2003
    Posts:
    407
    Likes Received:
    1
    Ok. So what it does is to crash programs? So an evil hacker could send some packet or something to cause a buffer overflow on my firewall, and gain complete access to my computer?
     