5.6. The Human Buffer Overflow

A glass can only hold so much liquid. If you have an 8-ounce glass and you try to pour 10 ounces of liquid into it, what will happen? It will overflow and spill all over the place. If you try to force the container to hold more liquid than it is meant to, you can eventually break the glass due to the pressure.

Computer programs work in a similar manner. Imagine you have a small program that has only one purpose and two fields: User Name and Password.

When the program opens you see a little screen where you type in admin in the User Name field and password in the Password field. A little box appears that says "OK," signifying all is good.

The developer allocated a certain amount of memory space for the User Name field, enough to hold the word admin a couple times. What happens if you put 20 A's in that field and click OK?

The program crashes and gives you an error message. Why? The input is longer than the space set aside for it, so the extra bytes spill over into whatever the developer placed next to that buffer in memory: other variables, the saved frame pointer, the address the function returns to when it finishes. Nothing stops the copy at the end of the buffer, so the program later reads that corrupted data back as if it were valid, tries to return to or follow an address that is now made of A's, and crashes.

The goal of software hackers is to control that spillover precisely: to work out which bytes of the input land on the saved return address (or on another pointer the program will follow) and to put there the address of code the hacker chose, often the very bytes he just injected. By controlling the execution flow the hacker can tell the program to "execute" any code he desires. He can inject commands of any type into the memory space of that program because he now controls it. As a penetration tester few things are more exciting than seeing a program execute commands you tell it to. ...
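To make the mechanism concrete, the following is an added example, not code from the book, that models the login routine's stack frame as an explicit byte array so that the overflow is ordinary, well-defined C rather than real memory corruption. The 32-bit frame layout, the 12-byte User Name buffer, and the addresses 0x08049abc and 0xdeadbeef are assumptions chosen for illustration. The unchecked copy stands in for strcpy(), gets() or a read() into a fixed buffer; the checked copy is the fix.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a 32-bit stack frame (assumed layout, not a compiler guarantee):
 *   bytes  0..11  username[12]          the User Name field, room for "admin" twice
 *   bytes 12..15  saved frame pointer
 *   bytes 16..19  saved return address   where the CPU jumps when the function returns */
#define BUF_SIZE   12
#define RET_OFF    16
#define FRAME_SIZE 20

#define CLEAN_RET 0x08049abcu   /* hypothetical legitimate return address */

/* The 20 A's from the text, written as 10 + 10 so the count is easy to verify. */
static const char TWENTY_AS[] = "AAAAAAAAAA" "AAAAAAAAAA";

static void init_frame(uint8_t frame[FRAME_SIZE])
{
    uint32_t ret = CLEAN_RET;
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + RET_OFF, &ret, sizeof ret);
}

static uint32_t saved_return(const uint8_t frame[FRAME_SIZE])
{
    uint32_t ret;
    memcpy(&ret, frame + RET_OFF, sizeof ret);
    return ret;
}

/* Vulnerable copy: trusts the caller's length. The clamp only keeps this model
 * in bounds; a real strcpy() keeps writing past the end of the frame. */
static void copy_username_unchecked(uint8_t frame[FRAME_SIZE], const uint8_t *in, size_t len)
{
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(frame, in, len);
}

/* Fixed copy: refuses input that does not fit, terminator included. 0 = ok, -1 = rejected. */
static int copy_username_checked(uint8_t frame[FRAME_SIZE], const uint8_t *in, size_t len)
{
    if (len >= BUF_SIZE)
        return -1;
    memcpy(frame, in, len);
    frame[len] = '\0';
    return 0;
}

/* Saved return address left behind by the vulnerable copy of `in`. */
uint32_t ret_after_unchecked(const uint8_t *in, size_t len)
{
    uint8_t frame[FRAME_SIZE];
    init_frame(frame);
    copy_username_unchecked(frame, in, len);
    return saved_return(frame);
}

/* Saved return address after the checked copy (unchanged when input is rejected). */
uint32_t ret_after_checked(const uint8_t *in, size_t len)
{
    uint8_t frame[FRAME_SIZE];
    init_frame(frame);
    copy_username_checked(frame, in, len);
    return saved_return(frame);
}

/* 1 if the checked copy rejects `in`, 0 if it accepts it. */
int checked_copy_rejects(const uint8_t *in, size_t len)
{
    uint8_t frame[FRAME_SIZE];
    init_frame(frame);
    return copy_username_checked(frame, in, len) != 0;
}

/* What the attacker sends instead of A's: 16 bytes of filler to reach the saved
 * return address, then the address he wants the CPU to jump to, in host byte order. */
uint32_t ret_after_payload(uint32_t target)
{
    uint8_t payload[FRAME_SIZE];
    memset(payload, 'A', RET_OFF);
    memcpy(payload + RET_OFF, &target, sizeof target);
    return ret_after_unchecked(payload, sizeof payload);
}

int main(void)
{
    const uint8_t *admin = (const uint8_t *)"admin";
    const uint8_t *as    = (const uint8_t *)TWENTY_AS;

    printf("admin   -> return 0x%08" PRIx32 "\n", ret_after_unchecked(admin, 5));
    printf("20 A's  -> return 0x%08" PRIx32 " (0x41414141 is not code: crash)\n",
           ret_after_unchecked(as, 20));
    printf("payload -> return 0x%08" PRIx32 " (attacker-chosen)\n", ret_after_payload(0xdeadbeefu));
    printf("checked copy rejects 20 A's: %s\n", checked_copy_rejects(as, 20) ? "yes" : "no");
    return 0;
}
```

With "admin" the saved return address survives; with 20 A's it becomes 0x41414141, the classic value in a crash dump, and the payload variant shows why that crash matters: whoever controls the bytes at offset 16 controls where the function returns. The checked copy rejects the over-long input before anything past the buffer is touched.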

Get Social Engineering: The Art of Human Hacking now with the O’Reilly learning platform.
