Buffer Overflows in Microsoft Windows Environment

Parvez Anwar

(2009)

Abstract

Security in this day and age is a necessity for everyone. No one can afford to be negligent any more. Personal or corporate information can very easily be acquired if the infrastructure is not secure, and the days when up-to-date antivirus software was enough are long gone. There are various types of vulnerabilities, offering a number of attack vectors that are constantly being exploited by attackers. Multiple layers of security are required to deter unwanted guests. This paper attempts to explain one type of vulnerability known as buffer overflows. Various articles, papers, books, etc. have been released over the years on what buffer overflows are and how to deal with them. The four main chapters of this paper explain buffer overflows in the Microsoft Windows™ environment in depth. We start out with the basic foundations for understanding buffer overflows, then move on to how vulnerable software is exploited and how to prevent such attacks from being successful. Finally we mention ways to bypass the prevention mechanisms already in place.

Information about this Version

This is a Published version
This version's date is: 16/02/2009
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/2e37d289-7926-1146-1596-42a057dc3d88/1/

Item Type: Monograph (Technical Report)
Title: Buffer Overflows in Microsoft Windows Environment
Authors: Anwar, Parvez
Departments: Faculty of Science\Mathematics

Deposited by () on 24-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.
