HACKED! How a Buffer Overflow Exploit works, plus Code Red!

00:00

[Music]

00:05

the infection was released into the wild

00:07

just two months before the 9 11 attacks

00:10

on a friday the 13th

00:12

initially just a handful were infected

00:14

but the virus proved so contagious that

00:16

within 10 minutes more than 75 000 were

00:19

infected within hours the police would

00:21

stop responding to 9-1-1 calls in the

00:24

seattle area and shortly after that atms

00:26

scattered around the nation and then

00:28

around the globe would soon stop

00:30

dispensing cash

00:32

airline reservation systems were

00:33

overwhelmed that in some quarters panic

00:36

began to erupt

00:37

once infected each new machine would

00:39

join a zombie army silently striving to

00:41

infect as many others as possible

00:44

once the worm had successfully spawned

00:46

itself the host would become useless

00:48

effectively rolling over and going to

00:50

sleep

00:51

the only symptom of infection was a

00:52

cryptic message claiming chinese

00:54

responsibility but the silent countdown

00:57

had already begun

00:58

the virus had been programmed to enter a

01:01

cycle of infection attack and waiting

01:04

when the clock expired the attack would

01:06

begin

01:07

it would be a massive attack initiated

01:09

by hundreds of thousands of the world's

01:10

most powerful servers hijacked from all

01:13

corners of the globe

01:14

each bot in the army would use all of

01:16

its available network computing

01:17

resources in a coordinated distributed

01:19

denial of service attack aimed squarely

01:21

at one family's home

01:23

a home located at 1600 pennsylvania

01:26

avenue the american white house

01:28

in the meantime the virus will continue

01:30

to mutate and a week later a new variant

01:33

appeared that spread much more rapidly

01:35

the white house took cyber security more

01:37

seriously than most and an astute

01:39

administrator noticed suspicious

01:41

activity early on

01:43

in the web server logs he found

01:44

thousands upon thousands of requests

01:46

from random servers all around the world

01:48

all looking for a file that simply did

01:50

not exist

01:52

more about the ghost file later he

01:54

quickly brought it to the attention of

01:55

two high-level security researchers at a

01:57

company known as ei digital security who

02:00

knew immediately that something serious

02:02

was happening

02:03

but what they could not yet tell

02:05

the research went late into the night

02:07

fueled by a caffeinated energy drink

02:09

known as mountain dew code red

02:12

and that is why one of the most

02:14

destructive computer viruses of all time

02:16

responsible for more than a billion

02:18

dollars in damages will be forever known

02:20

as code red it's but a single example of

02:23

perhaps the most common security exploit

02:25

in computer software the buffer overrun

02:29

today in dave's garage i'll not only

02:31

tell you the story of code red i'll

02:33

explain in detail how a buffer overflow

02:35

works down to actually writing one and

02:37

walking the code with you in the

02:38

debugger so that you can watch the

02:40

hijack in action and see it with your

02:42

own eyes

02:45

[Music]

02:52

hey i'm dave welcome to my shop i'm dave

02:54

plummer a retired operating systems

02:56

engineer for microsoft going back to the

02:57

ms-dos and windows 95 days i've been

03:00

coding in cnc plus plus for more than 30

03:03

years and the buffer overrun bug that

03:05

made code red possible is a classic

03:07

problem for code written in either of

03:08

those languages coming up we'll drop

03:11

into the code editor and i'll even show

03:12

you how to write a buffer exploit in c

03:14

hack the stack inject your own code and

03:17

watch it run live in the debugger just

03:19

promise to use your powers for good

03:21

[Laughter]

03:24

to appreciate it though we first have to

03:26

revisit some of the details of the

03:27

buffer overrun attack itself and so back

03:30

to the story of code red

03:32

within a week on the 20th of july those

03:34

initial 75 000 servers had spread to in

03:37

fact a total of an estimated 360 000

03:40

servers

03:41

because codered targeted an exploit in

03:43

the server product known as internet

03:44

information services or iis his victims

03:47

were almost exclusively the web servers

03:49

in large data centers or corporate

03:51

offices running a company's public

03:53

presence on the internet

03:55

that meant two things it meant that bit

03:58

by bit some of the internet itself

03:59

started to disappear as hundreds of

04:01

thousands of the world's web server

04:02

simply stopped responding

04:04

but it also meant that the machines

04:06

infected were often the biggest and most

04:08

powerful systems of the day the big iron

04:10

of the web if you will in fact client

04:13

machines like windows 95 were generally

04:15

immune as they simply lacked the iis

04:17

server software that contained the

04:19

vulnerability being exploited

04:21

as a windows nt guy however i was

04:24

personally running on working on nt and

04:26

win2k systems all of which contained iis

04:28

out of the box

04:29

but if there's anybody who's up to date

04:30

with the latest fixes and patches it's

04:32

usually the developers working on the

04:33

actual product where you often define

04:35

up-to-date as have you installed this

04:38

morning's build yet

04:39

among the updates that i already had for

04:41

example was an update named ms01-33

04:44

it was boldly labeled by microsoft as

04:46

critical the fix had been made available

04:48

publicly by microsoft about a month

04:50

before code red hit the streets the

04:53

title of the update was sobering uncheck

04:55

the buffer in an index server extension

04:57

could enable web server compromise

05:00

this was in the days before the

05:01

automatic system updates however and the

05:04

onus of performing regular updates

05:05

therefore fell to the system

05:07

administrators but when combined with a

05:09

fairly casual approach to security in

05:11

the halcyon days before code red and

05:12

slammer and so on very few systems were

05:15

properly updated on a rigorous schedule

05:18

but how many machines would that leave

05:20

without updates unpatched and vulnerable

05:22

to infection there's a federal

05:23

government agency known as the national

05:25

infrastructure protection center whose

05:27

job it is to worry about such things

05:29

the nipc as it's known was formerly a

05:32

division of the fbi and by the end of

05:34

the summer they estimated that more than

05:36

650 000 unique server ips had been

05:38

infected

05:40

codered was interesting in that each

05:41

server kept track of any others that had

05:43

already infected and would go back

05:45

periodically to refresh or re-infect

05:47

those same machines

05:48

that meant that even if code red were

05:50

removed from a machine but the

05:52

underlying exploit were not promptly

05:53

patched and fixed the server was likely

05:56

to be reinfected again in short order

05:58

code red was very aggressive spawning

06:00

300 threats per server to go about its

06:02

nasty business of infecting others

06:04

that's unless the machine were shut to

06:06

chinese in which case it would use 600

06:08

threads

06:09

even though code red randomly searched

06:11

for ip addresses to infect it turns out

06:14

not to have been very random at all as

06:16

it used the same seed for the random

06:18

number generator each time

06:20

that means the simulate random sequence

06:22

was in fact always the same and while

06:24

this had the side effect of dutifully

06:26

reinfecting some servers the second or

06:27

third time as i mentioned it also wasted

06:30

a lot of time and resources attacking

06:32

servers that were already infected but

06:34

soon after the initial code rate hit it

06:36

was followed by a new variant that chose

06:38

a different seed each time in so doing

06:40

the random ip zip probe were different

06:42

each time and all the resources could be

06:44

invested towards new infections as a

06:46

result the new variant spread even

06:49

faster it was given the identifier crv2

06:52

to distinguish it from the original crv

06:53

one

06:54

regardless of the variant though the

06:56

code red worm operated in three distinct

06:58

phases based on what calendar day of the

07:00

month it was on the 1st through the 19th

07:03

of the month it would spend its time

07:04

randomly searching for new hosts to

07:06

infect

07:07

on the 20th through the 27th it would

07:09

launch its denial of service attacks on

07:12

days 28 and higher it would rest

07:14

while trying to find new machines to

07:16

infect it did not discriminate and it

07:17

searched for iis in order to try to

07:19

confirm the vulnerability was even

07:21

present or check a version number or

07:23

anything

07:24

that's because it simply looked for a

07:25

file called default.ida and it didn't

07:28

even matter that the file didn't exist

07:30

the mere act of asking the server about

07:32

the file was enough to trigger the

07:34

worm's attack vector on a vulnerable

07:36

system by exploiting a buffer overrun in

07:38

the iis web server extension code

07:41

all of this begs the question of just

07:42

what a buffer overrun is and how it can

07:44

be used to inject malicious code

07:47

well put most simply imagine you have a

07:49

web page that accepts a username and a

07:50

password as a visitor you type your

07:52

answers into text boxes and the server

07:54

reads them and copies them into buffers

07:56

in its own memory

07:57

now let's say those buffers are reached

07:59

some reasonable length like 64

08:00

characters each that seems plenty long

08:02

for a typical username or password but

08:04

what if due to a bug in the webpage it

08:06

allows much longer ones to be entered

08:09

what if some joker comes along and types

08:10

a hundred letters into the username box

08:12

what happens to the extra characters

08:14

beyond 64th where do they go

08:17

that is the key

08:18

once you run out of buffer those extra

08:20

characters the payload if you will runs

08:22

straight into whatever is in memory next

08:24

in many cases that memory will be on

08:27

stack and a carefully constructed attack

08:29

can even include code that is then

08:30

executed heap attacks are also possible

08:33

as well but they're more complicated to

08:35

execute

08:36

it's important to note that when i say

08:38

the malicious payload code that gets

08:40

stomped into memory will be executed it

08:42

is executed by the server in the context

08:44

of the server process

08:46

your code has made the leap from web

08:48

browser straight into executing memory

08:49

of the web server you're visiting just

08:51

like a true viral infection might leap

08:53

between species but how can that even

08:55

happen

08:56

to understand it we must have an idea of

08:58

how memory is laid out for a process

09:00

with the lowest addresses at the bottom

09:02

and the highest at the top let's look at

09:04

a map of how a process is laid out in

09:06

memory

09:07

typically it starts out with the program

09:09

code down at the bottom in a secure

09:11

system this area can't be modified once

09:14

running

09:15

above that in memory we have

09:16

pre-initialized data like built-in

09:18

graphics images cursors global tables

09:20

you might have defined that kind of

09:22

thing

09:23

above that we have uninitialized data

09:25

area reserved for variables that will

09:27

not be created until runtime

09:29

above that is the program heap where

09:31

your mallocs and calyx and new objects

09:33

come from

09:34

everything else in a little memory is

09:35

fixed in size but the heap expands

09:37

upward as you need more of it

09:39

now up at the top of memory is the stack

09:41

it's an area of memory that goes down as

09:43

you add things to it

09:45

the fact that it goes downward in memory

09:46

is a little counter-intuitive but it's

09:48

done that way because the heap is

09:49

growing up from the other end it simply

09:51

puts them the furthest apart

09:53

the address spaces are big enough with

09:55

the x86 and especially with the ia-64

09:57

that you'd likely run out of memory long

10:00

before the heap actually reaches a stack

10:02

the traditional metaphor for the stack

10:04

is the good old stack of food trades in

10:06

a cafeteria

10:07

it's a last in first out affair where

10:09

when you add a new trade to the stack it

10:11

becomes the first one that will be

10:12

popped off next

10:14

with a computer stack data can be pushed

10:16

onto the stack and much like the trays

10:18

they get popped off in reverse order as

10:20

a really simplified example imagine the

10:22

only thing the stack were used for were

10:24

the return addresses of functions let's

10:26

say that a called b we push the return

10:29

address in a onto the stack and we jump

10:31

to b

10:33

now b calls c

10:34

we push the return address for b onto

10:36

the stack and jump to c perhaps

10:38

similarly c calls d

10:40

now when d returns it pops the first

10:42

thing off the stack that it finds and

10:43

that's the return address back in c when

10:46

c returns it pops off the address in b

10:49

when b is complete it pops off the

10:50

original point back in a

10:52

given how a stack works it lends itself

10:54

very naturally to nested function calls

10:57

in reality it's slightly more

10:58

complicated than that for a couple of

11:00

reasons first the function arguments are

11:02

also pushed onto the stack by the caller

11:04

before the return address is pushed on

11:06

second following the return address a

11:08

pointer to the previous frame is pushed

11:10

onto the stack

11:12

and third this is followed by space

11:14

that's reserved for local variables

11:16

finally the function itself can make use

11:18

of the stack as long as it cleans up

11:19

anything it pushes on by popping it off

11:21

before returning

11:23

note that to create local variables the

11:25

system merely reserves space on the

11:27

stack by adjusting the stack pointer

11:28

down it doesn't really push them onto

11:30

the stack and instead it just subtracts

11:32

however many bytes it needs from the

11:34

system stack pointer

11:36

the little patch of stack belonging to a

11:37

function that contains its return

11:39

address and local variables is known as

11:41

its stack frame

11:42

now you can access any part of your own

11:44

frame but no random access to stack

11:46

memory outside of your own frame is

11:48

typically allowed the hardware doesn't

11:50

prevent it it's just kind of a

11:51

convention so we however are going to

11:53

break that rule we're actually going to

11:55

break a lot of rules but that's what

11:57

real hackers do they're fast talking

11:58

rebels that play by nobody's rules not

12:00

even their own

12:02

but first we'll look at what happens

12:03

when you call a function first any

12:05

arguments that need to be passed to the

12:06

function are pushed onto the stack in

12:08

right to left order finally the

12:11

instruction pointer which indicates

12:12

where execution should pick up when the

12:14

function returns is pushed onto the

12:15

stack and that's key because we're going

12:17

to cause our own code to execute by

12:19

replacing the real return address of the

12:21

current function with our own address

12:24

that way when the function returns the

12:26

cpu will do what it always does pop the

12:28

address we came from off the stack and

12:30

jump back to it

12:31

little will it know that like folger's

12:33

crystals we've secretly replaced the

12:35

real address with our own causing our

12:37

malicious payload to be executed as soon

12:38

as the function even tries to return

12:41

to see this in action let's write a

12:42

simple c program that simply calls a

12:44

function that's all it does

12:46

and then i'll use a string buffer

12:48

overrun inside that function to show you

12:49

how to mess with the stack and inject

12:51

our code but first let's get the basic

12:53

demo program running

12:55

if you'll give me a moment i'll crank

12:57

out a little program to do exactly what

12:58

it is that we want

13:16

here we have a basic c program with

13:17

three functions the entry point main is

13:20

down at the bottom

13:22

it simply prints a message to let us

13:23

know that it's running and then it calls

13:25

function one

13:27

function one just copies a string to a

13:29

buffer and then prints a message

13:30

confirming that it ran and then it

13:31

returns the program exits and that's it

13:34

that's all it does

13:36

but notice there's another function

13:37

called function2 it's defined in the

13:39

file as well

13:40

it will represent our malicious payload

13:42

but nobody calls function2 and hence it

13:44

should never run or execute our exploit

13:47

will change all that but for now when

13:48

things are working properly unmodified

13:51

if we run the program we get a console

13:52

window and then the messages in the

13:54

expected order

13:55

first the main function runs and then

13:57

the message from function one is

13:58

displayed and then it exits

14:01

now comes the exploit i'm going to

14:03

overrun the buffer by giving stir end

14:05

copy too much source data to work with

14:07

because of the way local variables are

14:09

laid out on the stack i know that right

14:11

after the foo buffer of eight characters

14:13

i'll be able to find the frame pointer

14:15

or ebp

14:16

because pushing evp is the first thing

14:18

that the function does

14:20

above that is the return address that we

14:22

came from which is what we're really

14:23

after

14:24

now as soon as we overrun the foo buffer

14:26

by even four bytes we will overwrite the

14:28

copy of ebp on the stack

14:30

the next four bytes will overrun the

14:32

return address on the stack

14:34

but what do i provide is the new

14:35

hijacked value for the return address i

14:37

need to know the address of function too

14:39

because that's where i want it to go

14:41

to figure that out let's run the program

14:43

under the debugger and see where

14:44

function 2 lives

14:46

when we run it under the debugger i can

14:48

pause execution right before the string

14:50

copy call and inspect the address of

14:52

function 2 which turns out to be 1 0 0 1

14:55

1 5 e 0.

14:57

thus in little envy and reverse order

14:59

the bytes we want to stuff in our memory

15:01

are e0 1 5 0 1 1 0.

15:04

let's update the code to pass those

15:06

until string copy we now have 16 bytes

15:08

to work with

15:11

let's run the program and stop it again

15:13

at the break point on the string copy

15:14

call

15:16

i can use the debugger to see that the

15:17

foo buffer is now located at 1 9 fe 88

15:21

with the memory window open in the

15:22

debugger i'll select those bytes with

15:24

the cursor so you can see where the

15:25

string is that's going to get copied to

15:27

the first eight bytes worth the ones

15:29

i've selected are completely legal it's

15:31

okay to write there but the next four

15:33

bytes comprise the 0 0 1 9 f e4 value of

15:36

the ebp frame pointer that was pushed at

15:39

function entry

15:40

the next four bytes the one zero zero

15:43

one one six one c

15:45

they form the return address we're gonna

15:47

use our string copy to fill out the

15:49

eight legal bytes and then overrun into

15:51

ebp with the number one two three four

15:53

and then the magic part the address of

15:56

function two will be poked into the next

15:57

four bytes which we know are the return

15:59

address

16:00

we can sanity check that by seeing what

16:02

now lives at one zero zero one one six

16:05

one c the address that was currently on

16:07

the stack and sure enough you can see

16:09

that it's immediately after the call to

16:10

function one just as we'd expect

16:12

if we didn't change anything it would

16:14

return and then happily execute that xor

16:16

instruction

16:18

let's see what happens when we do change

16:20

things

16:20

as soon as the code calls string copy

16:22

note how the bytes in the memory window

16:24

turn red to indicate that they've

16:25

changed two more bytes than colored red

16:27

were actually written out but because

16:29

the values 0 1 and 1 0 stay the same

16:31

before and after the call they don't get

16:33

highlighted by the debugger but they all

16:35

changed

16:36

let's see what happens when we continue

16:38

on to return out of the function we

16:40

normally would have been going back to

16:41

main but if our hackery has worked

16:43

execution will wind up in the payload

16:45

code we proceed step by step and as soon

16:48

as the ret instruction is executed boom

16:50

there it is we're at the top of function

16:52

2. if i run the code sure enough the

16:55

output confirms that the sinister

16:56

payload code that should never run just

16:58

ran to keep things simpler you'll notice

17:01

i didn't preserve evp but that only

17:03

matters if i return back out of function

17:05

2. when i try that it winds up in a loop

17:07

of main function 1 and function 2

17:09

sinister payload code executing an order

17:12

forever

17:16

hopefully you now have a sense for how

17:18

these can work and you're no doubt

17:20

surprised at how little code it took

17:21

particularly with the sample exploit

17:23

being a single string copy line can't be

17:26

that easy can it there must be some

17:28

defense and indeed with a modern system

17:30

there are several layers of defense

17:32

the first is for programmers to follow

17:34

the practice of banning these unsafe

17:35

string functions like i just used from

17:37

their coding lives the ones that don't

17:39

accept the buffer length that have

17:41

undesirable or unsafe behavior otherwise

17:44

microsoft has a list of these and

17:45

depending on the project settings the

17:47

compiler will even warn you or generate

17:49

an error if you try to use any of the

17:50

old unsaved functions it's not just some

17:53

weird paternalistic or idealistic notion

17:55

you really should upgrade to the modern

17:57

alternatives just to avoid common

17:59

frustrating bugs even aside from the

18:00

security implications of the old

18:02

functions i'll be looking at that whole

18:04

issue in detail in a future episode of

18:06

my stupid c plus plus tricks series so

18:08

please make sure that you're subscribed

18:10

to the channel in order to see that as

18:11

well as other cool and interesting

18:12

technical and historical material the

18:15

next level of protection comes from

18:16

microsoft's depth for data execution

18:18

prevention on windows but simply

18:20

prevents running as code anything that's

18:22

actually in a data segment let's say you

18:25

managed to get your payload into a heat

18:26

buffer and wanted to modify the return

18:28

value of some function using a string

18:30

exploit just as we did earlier to then

18:31

jump to your code with depon you'd be

18:34

protected because your cpu would not be

18:36

allowed to run code from a page on the

18:37

heap like that

18:39

similarly and perhaps more important you

18:41

can prohibit the execution of code on

18:42

the stack

18:43

back in the olden days of coal mining

18:45

which is to say up until about 1986 the

18:48

workers would be accompanied by a bird

18:49

such as a canary

18:51

carried in a little cage and exposed to

18:53

the same gases and vapors as the workers

18:55

in the mine tunnels if the air became

18:57

toxic with carbon monoxide or other

18:58

gases the bird would become ill first

19:00

and act as an advanced signal that the

19:02

air had become unsafe

19:04

this would allow the workers to be

19:06

safely evacuated

19:07

that's the origin of the phrase canary

19:09

in the coal mine and that's the reason

19:11

why when the compiler places guard

19:13

blocks of bytes before and after your

19:15

buffers those blocks are known as stack

19:17

canaries

19:18

if their value becomes disturbed by

19:20

anyone or anything the system knows that

19:22

something has corrupted them and the

19:23

application has become unstable

19:26

stack canaries are great except that the

19:28

corruption isn't usually detected until

19:30

the function tries to return when

19:31

they're inspected the health of the

19:33

canary is then verified but the damage

19:35

could have been done long ago somewhere

19:37

earlier in the same function in order to

19:39

catch buffer overruns live as soon as

19:41

they happen the compiler can enlist the

19:43

processor's memory management unit or

19:45

mmu in the fight

19:47

for each buffer an entire page of memory

19:49

is allocated before and after it the

19:51

hardware mmu is then instructed to deny

19:54

rights to those pages and any attempts

19:56

to do so are caught right as the

19:58

offending instruction is executing it's

20:00

nearly foolproof but it consumes extra

20:02

memory pages for each buffer

20:04

i'm no cpu talking smart guy but if i

20:07

were i'd assume that there are limits to

20:09

the number of entries you can have in

20:10

the mmu's page table

20:12

even if there were no practical limits

20:14

i've got to imagine that there's a

20:15

performance impact of some kind involved

20:17

with massively growing the mmu's

20:18

translation look aside buffer

20:20

now i've never used guard pages in a

20:22

shipping product but i have turned them

20:24

on briefly for the heap rather than the

20:26

stack in order to chase an elusive heap

20:28

corruption bug once long ago

20:31

it was very slow in operation but it

20:33

found the problem on i think like the

20:34

first run that i tried it with

20:36

the two questions we'd like to know the

20:38

answer to next though are how

20:39

specifically did codered exploit a

20:41

buffer overrun and how did it get its

20:43

payload onto the machine

20:45

apparently codered exploited a bug in an

20:48

iis extension where a component that

20:50

wound up inspecting get requests had a

20:52

buffer overrun bug

20:54

specifically there was a completely

20:56

unchecked buffer in idq.dll which is an

20:58

is api extension related to the indexing

21:01

portion of the iis web server

21:04

when presented with a really long string

21:05

for get requests such as the one shown

21:07

on the screen here the buffer is big

21:09

enough to accommodate everything through

21:10

about the last capital n after that it's

21:13

all carefully constructed binary payload

21:16

much as i demonstrated in the debugger

21:17

the program counter was hijacked to

21:19

cause the payload to execute as

21:21

instructions

21:22

that would serve to begin the infection

21:24

and the propagation of the worm

21:26

meanwhile back at the white house the

21:28

iit staff had to contend with a new

21:30

onslaught of denial of service attacks

21:32

that would begin like clockwork on the

21:34

20th of every month

21:35

they would last a week before they'd go

21:37

dormant again and each month's attack

21:39

was larger than the month before it the

21:41

infection would continue to spread

21:42

unchecked like fire in a dry field until

21:44

a fellow named kenneth eichman

21:46

discovered that just like the dinosaurs

21:48

of jurassic park the virus's creators

21:50

had engineered a lysine deficiency of

21:52

sorts into the worm except this one was

21:54

sort of backwards in the movie the giant

21:57

tyrant lizards would die out if not

21:58

periodically fed a special nutrient

22:00

thereby hopefully preventing them from

22:02

running amok without their creator's

22:04

consent

22:05

without the lysine supplement being

22:06

intentionally fed to them they would die

22:08

out

22:09

eichmann discovered that code red worked

22:11

in a similar fashion but with a twist

22:13

one of the first things it did upon

22:14

starting up was to look for a file on a

22:16

c drive called wait for it no worm

22:19

if a file named no worm was present and

22:22

it didn't matter what it contained as

22:23

long as the file was just there at all

22:25

the infection would go dormant

22:27

once good old kant discovered this

22:28

backdoor method of shutting down the

22:30

attacks it became widely known that

22:32

protecting a machine was as simple as

22:33

creating a file by that name

22:35

that gave system administrators the

22:37

breathing room needed to remove the

22:38

malware and update their servers with

22:40

the latest security patches

22:42

this discovery of how to shut down code

22:44

red earned eichmann a trip to the white

22:45

house

22:46

of course they would still need to

22:47

contend with the slammer worm just two

22:49

years later and with any number of

22:51

would-be exploits over the decades but

22:53

the important thing is that security

22:54

efforts became more proactive rather

22:56

than responding to attacks after they

22:58

happened administrators began keeping

23:00

machines up to date as part of regular

23:02

maintenance

23:03

modern programming practices combined

23:04

with updated operating systems and

23:06

server components written with security

23:08

in mind from the beginning rather than

23:09

tacked on as an afterthought have

23:11

combined to make the buffer overrun much

23:13

less frequent than in years past

23:15

zero day exploits are becoming

23:17

increasingly rare and perhaps further

23:18

and further apart but they can never be

23:20

eradicated entirely and it only takes

23:22

one

23:23

as the wannacry ransomware attack of

23:25

2017 demonstrated there really are no

23:27

links to which a malicious actor will

23:29

not go up to including encrypting all

23:31

the data present on the machine holding

23:33

it for ransom and even completely

23:35

deleting it

23:36

if you found this story entertaining or

23:38

if you learned anything from the buffer

23:39

overrun explanation please drop me a

23:41

like on the video to let me know it was

23:42

worthwhile

23:43

as you can see my channel is still

23:45

fairly small so if you can share with a

23:46

friend please shoot them a link

23:49

if you're interested in this kind of

23:50

content yourself please make sure to

23:51

subscribe to the channel these days a

23:53

subscription doesn't do much on youtube

23:55

in terms of content but it does serve as

23:57

a vote of confidence in the channel and

23:59

it makes me personally happy since i'm

24:01

really only in this for the subs and

24:02

likes anyway so please consider it

24:05

thanks for joining me out here in the

24:06

shop today in the meantime and in

24:07

between time i hope to see you next time

24:09

right here in dave's garage

24:14

let's go back and redo this part

24:16

a new variant appeared that would spreed

24:19

spreed

24:20

it would spreed

24:21

damn it

24:22

they simply lacked the iss

24:26

that meant that even if code red were

24:28

removed from

24:31

just read the words that you wrote when

24:33

you were thinking at the speed that you

24:35

can type and think

24:37

as a result the new variant spread even

24:39

faster it was given the identifier

24:43

identifier

24:45

the first eight bytes worth the ones

24:47

i've selected are completely legal we're

24:48

allowed to write there the next four

24:50

break ah dan

24:56

boom there it is

24:59

[Music]

25:01

that's good enough

25:02

boom there it is two sinister payload

25:05

pages

25:06

in main function one and function twos

25:08

says payload uh

25:11

payload no payload for me

25:14

black door

25:16

i see a black door and i want to paint

25:19

it red

25:20

that's the origin of the phrase canary

25:22

in the coal mine and that's the reason

25:24

when the compiler places

25:28

i can't win man too many leaf blowers

25:30

the server was likely to be re-affected

25:32

again in

25:34

re-effected it's gonna be a re-affected

25:38

don't know what that

25:39

[Music]

25:40

gotta get up in the means

25:42

because i have to

25:44

do it anyway