1
00:00:00,970 --> 00:00:03,090
<v ->The next type of exploit that were going to cover</v>

2
00:00:03,090 --> 00:00:05,250
is called a buffer overflow.

3
00:00:05,250 --> 00:00:07,510
A buffer overflow occurs when a process

4
00:00:07,510 --> 00:00:11,260
in a program stores data outside the memory range allocated

5
00:00:11,260 --> 00:00:12,530
by the developer.

6
00:00:12,530 --> 00:00:15,730
Now, this begs the question, what exactly is a buffer?

7
00:00:15,730 --> 00:00:18,550
Well, a buffer is simply a temporary storage area

8
00:00:18,550 --> 00:00:21,140
that a program uses to store its data.

9
00:00:21,140 --> 00:00:23,620
Let's pretend that you have a glass sitting on a table.

10
00:00:23,620 --> 00:00:26,010
It can hold a certain amount of water, right?

11
00:00:26,010 --> 00:00:28,360
If it's designed to hold 16 ounces of liquid,

12
00:00:28,360 --> 00:00:30,440
but you pour 20 ounces in, well,

13
00:00:30,440 --> 00:00:32,240
the cup is going to overflow with water

14
00:00:32,240 --> 00:00:34,050
and the table is going to get wet.

15
00:00:34,050 --> 00:00:36,320
In this example, the glass is our buffer,

16
00:00:36,320 --> 00:00:39,380
and when we overflow it with our data, in our case water,

17
00:00:39,380 --> 00:00:41,200
the extra is going to spill out onto the table

18
00:00:41,200 --> 00:00:42,490
and make a huge mess.

19
00:00:42,490 --> 00:00:45,260
Buffer overflows in the IT world can also create

20
00:00:45,260 --> 00:00:46,490
a big mess for us.

21
00:00:46,490 --> 00:00:49,700
In fact, 85% of the data breaches were caused by

22
00:00:49,700 --> 00:00:51,590
a buffer overflow attack being used

23
00:00:51,590 --> 00:00:53,360
as the initial attack vector.

24
00:00:53,360 --> 00:00:55,220
So, let's take a closer look at how

25
00:00:55,220 --> 00:00:57,870
a buffer overflow attack really works.

26
00:00:57,870 --> 00:00:59,950
Let's pretend you wanted to store my phone number into

27
00:00:59,950 --> 00:01:01,320
your contacts list.

28
00:01:01,320 --> 00:01:03,440
Here in the United States, our phone numbers consist

29
00:01:03,440 --> 00:01:04,610
of 10 digits.

30
00:01:04,610 --> 00:01:06,880
The first three digits are for our area code,

31
00:01:06,880 --> 00:01:08,520
which represents the city we live in.

32
00:01:08,520 --> 00:01:10,180
And the last seven digits represent

33
00:01:10,180 --> 00:01:11,720
the person's unique phone number.

34
00:01:11,720 --> 00:01:13,920
Before we had cell phones, you would simply pick up

35
00:01:13,920 --> 00:01:16,280
the phone and dial seven digits of your phone number

36
00:01:16,280 --> 00:01:18,240
because the telephone company assumed you wanted

37
00:01:18,240 --> 00:01:21,980
to place a local call within your own city or area code.

38
00:01:21,980 --> 00:01:23,910
So, let's pretend that the person who designed

39
00:01:23,910 --> 00:01:26,310
the contact list application on your phone decided

40
00:01:26,310 --> 00:01:27,860
they wanted to save some memory space

41
00:01:27,860 --> 00:01:30,250
and they wanted to use the smallest buffer possible,

42
00:01:30,250 --> 00:01:33,220
so they decided to use an eight-digit buffer because

43
00:01:33,220 --> 00:01:35,070
they are going to assume that you don't need to store

44
00:01:35,070 --> 00:01:37,980
an area code because you're going to make local calls.

45
00:01:37,980 --> 00:01:42,270
So, let's store my made-up phone number, 555-1234,

46
00:01:42,270 --> 00:01:44,820
into an eight-digit buffer called A.

47
00:01:44,820 --> 00:01:46,810
When I do this, you'll see that it takes up

48
00:01:46,810 --> 00:01:49,830
the first seven boxes labeled zero through six,

49
00:01:49,830 --> 00:01:52,270
because computers always start counting with zero,

50
00:01:52,270 --> 00:01:54,130
like you learned back in A+.

51
00:01:54,130 --> 00:01:56,040
What happens, though, if we try to enter a number

52
00:01:56,040 --> 00:01:57,150
that's too long?

53
00:01:57,150 --> 00:01:59,580
Well, Buffer A isn't the only memory buffer

54
00:01:59,580 --> 00:02:01,880
that your contact list application can use.

55
00:02:01,880 --> 00:02:03,950
Right after Buffer A is Buffer B

56
00:02:03,950 --> 00:02:05,920
and then Buffer C and so on.

57
00:02:05,920 --> 00:02:09,010
So, let's consider how we store a longer phone number.

58
00:02:09,010 --> 00:02:11,140
For example, let's say you're out on vacation

59
00:02:11,140 --> 00:02:13,780
and you meet somebody but they don't live in your city.

60
00:02:13,780 --> 00:02:16,240
Well, in this case, you need to store the area code

61
00:02:16,240 --> 00:02:21,240
and the phone number, like 410-555-1234.

62
00:02:21,270 --> 00:02:22,860
Since this now includes the area code

63
00:02:22,860 --> 00:02:25,280
for Annapolis, Maryland, we now have ten digits

64
00:02:25,280 --> 00:02:28,900
we need to store, but each buffer is only eight digits long

65
00:02:28,900 --> 00:02:31,450
because our programmer didn't quite think through all

66
00:02:31,450 --> 00:02:33,800
of the different types of phone numbers that one might need

67
00:02:33,800 --> 00:02:35,280
to store in their list.

68
00:02:35,280 --> 00:02:38,160
So, our contact list application tries to store

69
00:02:38,160 --> 00:02:40,920
this ten-digit number in an eight-digit buffer.

70
00:02:40,920 --> 00:02:43,550
But the last two digits overflow Buffer A

71
00:02:43,550 --> 00:02:45,310
and go into Buffer B.

72
00:02:45,310 --> 00:02:48,340
This is exactly what happens with a buffer overflow.

73
00:02:48,340 --> 00:02:50,330
Now, why is this a bad thing?

74
00:02:50,330 --> 00:02:52,230
Well, to explain that, we have to get

75
00:02:52,230 --> 00:02:55,040
a little bit technical, so bear with me.

76
00:02:55,040 --> 00:02:57,440
Each program reserves a chunk of system memory

77
00:02:57,440 --> 00:02:58,400
when it's run.

78
00:02:58,400 --> 00:03:00,390
This allows it to have a place to store data

79
00:03:00,390 --> 00:03:02,090
that it needs during processing.

80
00:03:02,090 --> 00:03:04,090
This area is known as a stack.

81
00:03:04,090 --> 00:03:06,310
A stack is a reserved area of memory

82
00:03:06,310 --> 00:03:08,350
where the program saves the return address

83
00:03:08,350 --> 00:03:10,660
when a function call instruction is received.

84
00:03:10,660 --> 00:03:12,950
Here is an example of a stack that's organized

85
00:03:12,950 --> 00:03:15,260
as first in, last out.

86
00:03:15,260 --> 00:03:17,060
Basically, this means that the first thing

87
00:03:17,060 --> 00:03:19,830
that's placed in the stack is the last thing to be removed

88
00:03:19,830 --> 00:03:22,270
and data is filled from the bottom of the memory,

89
00:03:22,270 --> 00:03:24,180
which is shown as the top of our screen,

90
00:03:24,180 --> 00:03:27,270
to the top of the memory, shown at the bottom of our screen.

91
00:03:27,270 --> 00:03:29,630
Now, I apologize for this being what looks like

92
00:03:29,630 --> 00:03:31,330
it's upside-down, but this is actually

93
00:03:31,330 --> 00:03:33,580
the standard convention used in the IT world.

94
00:03:33,580 --> 00:03:35,110
I wanted to introduce it to you now

95
00:03:35,110 --> 00:03:37,870
so you won't get confused in your later studies.

96
00:03:37,870 --> 00:03:40,660
Now, if an attacker places too much information into

97
00:03:40,660 --> 00:03:43,720
the stack or changes the value of that return pointer,

98
00:03:43,720 --> 00:03:45,460
they can carry out an attack.

99
00:03:45,460 --> 00:03:46,810
This is what they're attempting to do with

100
00:03:46,810 --> 00:03:49,110
a buffer overflow, they're attempting to overwrite

101
00:03:49,110 --> 00:03:51,750
the return address of the pointer so that it will point

102
00:03:51,750 --> 00:03:54,200
to a different place in the stack where they've placed

103
00:03:54,200 --> 00:03:55,600
their malicious code.

104
00:03:55,600 --> 00:03:58,070
That way, when the non-malicious code is run

105
00:03:58,070 --> 00:04:00,350
and hits that return pointer, it's going to return

106
00:04:00,350 --> 00:04:02,070
to the attacker's malicious code,

107
00:04:02,070 --> 00:04:05,520
such as the /bin/shell code shown here,

108
00:04:05,520 --> 00:04:08,110
and this is going to give them a shell or a command prompt

109
00:04:08,110 --> 00:04:10,470
on the victim system where they can then perform

110
00:04:10,470 --> 00:04:13,300
a remote code execution using that shell.

111
00:04:13,300 --> 00:04:14,820
When an attacker is able to do this,

112
00:04:14,820 --> 00:04:17,010
it's known as smashing the stack.

113
00:04:17,010 --> 00:04:19,980
This occurs when an attacker fills up the buffer with a NOP,

114
00:04:19,980 --> 00:04:22,180
or a non-operation instruction,

115
00:04:22,180 --> 00:04:24,700
so that the return address may hit one of these NOPs

116
00:04:24,700 --> 00:04:27,220
and continue on until it finds the attacker's code

117
00:04:27,220 --> 00:04:28,360
and runs it.

118
00:04:28,360 --> 00:04:31,730
When this series of NOPs is hit by a non-malicious program,

119
00:04:31,730 --> 00:04:33,340
because the attacker's filled up the buffer

120
00:04:33,340 --> 00:04:35,970
with NOPs and a return address to his malicious code,

121
00:04:35,970 --> 00:04:38,000
this is known as a NOP slide.

122
00:04:38,000 --> 00:04:39,930
The NOP instruction, essentially, is an instruction

123
00:04:39,930 --> 00:04:41,990
that tells it to do nothing and simply go

124
00:04:41,990 --> 00:04:44,540
to the next instruction and it will continue to do this

125
00:04:44,540 --> 00:04:48,000
and slide down until it hits that final return pointer

126
00:04:48,000 --> 00:04:50,030
and that causes the program to branch over

127
00:04:50,030 --> 00:04:51,940
to that memory address.

128
00:04:51,940 --> 00:04:54,440
One of the mitigations against a buffer overflow attack

129
00:04:54,440 --> 00:04:57,470
is the use of address space layout randomization,

130
00:04:57,470 --> 00:04:59,950
also known as ASLR.

131
00:04:59,950 --> 00:05:02,330
This is a programming technique that helps prevent

132
00:05:02,330 --> 00:05:05,130
an attacker's ability to guess where the return pointer

133
00:05:05,130 --> 00:05:08,270
for a non-malicious program has been set to call back

134
00:05:08,270 --> 00:05:10,540
by randomizing the memory addresses used

135
00:05:10,540 --> 00:05:12,700
by well-known programs, such as parts

136
00:05:12,700 --> 00:05:14,330
of the operating system.

137
00:05:14,330 --> 00:05:17,510
ASLR was first introduced back in Windows Vista

138
00:05:17,510 --> 00:05:20,010
as a way to prevent buffer overflow attacks,

139
00:05:20,010 --> 00:05:23,860
but there are methods used by attackers to help bypass ASLR

140
00:05:23,860 --> 00:05:25,690
like side-channel attacks, too.

141
00:05:25,690 --> 00:05:28,530
Like I said, this is a very technical concept,

142
00:05:28,530 --> 00:05:30,830
and it's not one that you need to understand in-depth

143
00:05:30,830 --> 00:05:32,470
for the Security+ exam.

144
00:05:32,470 --> 00:05:34,910
When you move on to the PenTest+ exam later,

145
00:05:34,910 --> 00:05:36,900
you'll come back and look at buffer overflows

146
00:05:36,900 --> 00:05:38,790
in much more technical depth.

147
00:05:38,790 --> 00:05:41,700
But for the Security+ exam, you just need to remember

148
00:05:41,700 --> 00:05:44,540
that a buffer overflow is used to put more data

149
00:05:44,540 --> 00:05:46,810
into memory than it's designed to hold.

150
00:05:46,810 --> 00:05:49,170
The intent here is to overflow the buffer

151
00:05:49,170 --> 00:05:52,120
for the non-malicious program in an effort for the attacker

152
00:05:52,120 --> 00:05:54,740
to be able to get their malicious program into memory

153
00:05:54,740 --> 00:05:56,290
and allow it to be run.

154
00:05:56,290 --> 00:05:57,850
In the next lesson, I'm going to show you

155
00:05:57,850 --> 00:06:00,790
how a buffer overflow attack works in a lab environment

156
00:06:00,790 --> 00:06:02,280
and I'm going to walk you through how

157
00:06:02,280 --> 00:06:03,970
an attacker might perform one.

158
00:06:03,970 --> 00:06:07,460
This demonstration is not required to fully be understood

159
00:06:07,460 --> 00:06:10,210
for the Security+ exam, but I think it'll help you better

160
00:06:10,210 --> 00:06:13,290
solidify how a buffer overflow attack actually works

161
00:06:13,290 --> 00:06:14,250
in the real world.

162
00:06:14,250 --> 00:06:17,833
And that's why I'm going to show it to you.