0x3 Buffer overflow Example 1: the Morris worm

I plan to give several real-world examples of buffer overflows. The first one is the Morris worm. This worm was born in the same year as me, 1988. It was created by a fellow named Robert Tappan Morris, who is now a professor at MIT. Because of the worm outbreak (according to Wikipedia), he was convicted and sentenced to three years of probation, 400 hours of community service, a fine of $10,050 and the cost of his supervision.

The exploit itself was quite simple. The worm attacked a call to gets() in fingerd, the daemon that serves the finger protocol on TCP port 79. fingerd read the request line with gets() into a 512-byte buffer, and gets() performs no bounds checking at all: it keeps copying until it sees a newline, so a longer line simply runs off the end of the buffer and onto whatever follows it on the stack. To make the attack even easier, the buffer was the first local variable declared in main(), so it sat right next to main's saved return address.

The exploit data consisted of 400 bytes of NOP (no-operation) instructions, usually called a NOP sled. At byte 400 of the buffer came the machine code for the execve("/bin/sh", 0, 0) system call, usually called the shellcode. This launches a shell that inherits the open network connection as its standard input and output, so the attacker can feed it commands remotely. All the attacker had to do was keep writing past the end of the buffer until the saved return address of main was overwritten with an address somewhere inside the NOP sled; when main returned, execution slid down the sled into the shellcode. The sled exists because the attacker has to guess where the buffer sits on the stack, and the guess only has to land anywhere in those 400 bytes. The guess was specific to one platform: the fingerd attack worked against VAX BSD systems, while the same bytes sent to a Sun merely crashed fingerd. The fix was equally simple: read the request with a bounded call such as fgets() instead of gets(), and reject any line that does not fit.
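As an added example, not the post's own code and not the worm's, the following C program models the layout just described: a 512-byte buffer read with a gets()-style copy, a 400-byte NOP sled, shellcode at offset 400, and the saved return address of main sitting right after the buffer. The two sizes come from the post; the rest is constructed for illustration and labelled as such in the comments: the frame layout (buffer directly followed by a 4-byte return address slot) is a simplification, the stack address and legitimate return address are made up, the VAX NOP opcode is shown only as a one-byte NOP, and the "shellcode" is a placeholder string, not real machine code. The program then runs the same payload through a bounded fgets()-style reader to show why the fix works.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE  512   /* fingerd's gets() buffer, per the post */
#define SLED_SIZE 400   /* NOP sled length, per the post */
#define RET_SIZE  4     /* assumption: a 4-byte saved return address */

/* Assumed, simplified frame layout: the buffer followed directly by the slot
 * holding main's saved return address. A real frame holds more (saved
 * registers, other locals), but this is all the overwrite needs. */
typedef struct {
    unsigned char buf[BUF_SIZE];
    unsigned char ret[RET_SIZE];
} sim_frame;

#define FRAME_SIZE (BUF_SIZE + RET_SIZE)

#define BUF_ADDR   0x7fff0000u   /* constructed: pretend stack address of buf */
#define VAX_NOP    0x01          /* VAX NOP opcode; any 1-byte NOP works here */
#define ORIG_RET   0x0000beefu   /* constructed: the legitimate return address */

/* Placeholder for the execve("/bin/sh",0,0) machine code; not real shellcode. */
static const unsigned char SHELLCODE_STUB[] = "<execve(\"/bin/sh\",0,0)>";

static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Payload in the shape the post describes: NOP sled, shellcode at offset 400,
 * NOP padding to the end of the buffer, then the new return address. It aims
 * at the middle of the sled so an inexact guess of BUF_ADDR still lands on a
 * NOP. Returns the payload length (FRAME_SIZE), or 0 if `out` is too small. */
size_t build_payload(unsigned char *out, size_t cap) {
    size_t stub_len = sizeof SHELLCODE_STUB - 1;
    if (cap < FRAME_SIZE) return 0;
    memset(out, VAX_NOP, BUF_SIZE);
    memcpy(out + SLED_SIZE, SHELLCODE_STUB, stub_len);
    put_le32(out + BUF_SIZE, BUF_ADDR + SLED_SIZE / 2);
    return FRAME_SIZE;
}

/* gets()-style copy: no bound tied to buf, it only stops at a newline. The
 * FRAME_SIZE check exists solely to keep this simulation inside the struct;
 * the real gets() has no such stop and would keep going up the stack. */
size_t unsafe_read(sim_frame *frame, const unsigned char *in, size_t len) {
    unsigned char *dst = (unsigned char *)frame;
    size_t i = 0;
    while (i < len && in[i] != '\n' && i < FRAME_SIZE) { dst[i] = in[i]; i++; }
    return i;
}

/* fgets()-style copy: at most BUF_SIZE-1 bytes plus a NUL terminator. Returns
 * -1 when the line did not fit, which the daemon should treat as a bad
 * request rather than a finger query. */
int safe_read(sim_frame *frame, const unsigned char *in, size_t len) {
    size_t i = 0;
    while (i < len && in[i] != '\n' && i < BUF_SIZE - 1) { frame->buf[i] = in[i]; i++; }
    frame->buf[i] = '\0';
    return (i < len && in[i] != '\n') ? -1 : 0;
}

/* Does the saved return address now point somewhere inside the NOP sled? */
int lands_in_sled(const sim_frame *frame) {
    uint32_t r = get_le32(frame->ret);
    return r >= BUF_ADDR && r < BUF_ADDR + SLED_SIZE;
}

/* Run one finger request through either reader. Returns 1 if main's return
 * would now jump into the sled (attack works), 0 if the return address is
 * untouched. */
int simulate(int use_safe_read) {
    unsigned char payload[FRAME_SIZE];
    sim_frame frame;
    size_t n = build_payload(payload, sizeof payload);
    memset(&frame, 0, sizeof frame);
    put_le32(frame.ret, ORIG_RET);
    if (use_safe_read) safe_read(&frame, payload, n);
    else unsafe_read(&frame, payload, n);
    return lands_in_sled(&frame);
}

int main(void) {
    printf("gets()-style read:  return address hijacked = %d\n", simulate(0));
    printf("fgets()-style read: return address hijacked = %d\n", simulate(1));
    return 0;
}
```

With the unbounded reader the 516-byte line overwrites the return slot with an address 200 bytes into the sled; with the bounded reader the copy stops at 511 bytes, the return address keeps its original value, and the caller learns from the -1 that the request was oversized. The payload deliberately contains no newline byte, which is exactly the property the worm relied on: gets() had no other reason to stop.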
