EH-Net

I am interested in learning understanding about the basics of buffer over flow ,how it works?
etc,can any one suggest me a good e-book or link or paper to understand the basic operation and functions of buffer overflow?


Hope i will get some help here...

Well, I (and many others) began here:

http://insecure.org/stf/smashstack.html
(Smashing the Stack for Fun and Profit)

There are plenty of other books / tutorials, and a fast Google search will turn up a lot.

If you have $32 to spend, jump over to amazon and buy "Hacking: the art of exploitation."  Then read some papers and realize that your money was well spent from all the time you saved reading a book that gives you a good grounding to digest everything else.  Search the site for some book reviews on this.  It is widely read and universally recommended.

BTW, I'm pathologically cheap, but I do invest money freely in two things:
1.  Good hardware
2.  Good documentation

Both actually save me money over the long haul.  The book falls into the later category.

A user actually requested similar information recently on the forum I host, so I thought I'd share the same links here  ;)

------------ Link Start ------------

Writing Windows Exploits:
http://forum.intern0t.net/cinema/video-21/ (or: http://guides.intern0t.net/msf2.php )
http://www.offensive-security.com/videos/pwb-v3.0-demo/pwb-v3.0-demo_controller.swf
http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit

Egghunters:
http://www.offensive-security.com/videos/defcon-presentation-2008-video/defcon-presentation-2008_controller.swf

SEH Overflow:
http://www.offensive-security.com/videos/cracking-the-perimeter-demo/cracking-the-perimeter-demo_controller.swf

Smashing the Stack 2010: (paper)
http://5d4a.wordpress.com/2010/08/02/smashing-the-stack-in-2010/
http://mariano-graziano.llab.it/docs/report.pdf

Metasploit Unleashed: (chapter 07)
http://www.offensive-security.com/metasploit-unleashed/


There's also a couple of books, I would probably read these:
http://www.amazon.com/Buffer-Overflow-Attacks-Exploit-Prevent/dp/1932266674/
http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/
http://www.amazon.com/Writing-Security-Tools-Exploits-Foster/dp/1597499978/

I haven't read any of these books yet though I intend to

There's also a couple of interesting articles I would read:
http://www.phrack.com/issues.html?issue=62&id=7
http://www.phrack.com/issues.html?issue=55&id=15
http://www.phrack.com/issues.html?issue=49&id=14
http://www.phrack.org/issues.html?id=14&issue=49

Smashing the Stack: (original)
http://insecure.org/stf/smashstack.html
http://www-inst.eecs.berkeley.edu/%7Ecs161/fa08/papers/stack_smashing.pdf

The Tao of Windows Buffer Overflow:
http://www.cultdeadcow.com/cDc_files/cDc-351/

And of course lets not forget the tutorials from Corelan:
http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/page/3/

------------ Link End ------------

There's some resources to get you started  ;)

Reference:
http://forum.intern0t.net/general-hacking-discussions/3049-windows-exploitation.html

Do you have basic understanding of C/C++, specifically arrays,strings and pointers? If not then it'll be useful to firstly get some programming experience. I suggest reading "C programming language" http://www.amazon.com/Programming-Language-2nd-Brian-Kernighan/dp/0131103628/ref=sr_1_1?ie=UTF8&s=books&qid=1284897188&sr=8-1

You can then move to assembly language tutorials from securitytube especially videos 1,2,3,4 and 11. (I suggest watching all the videos, but if you can't then don't miss at least these five)
http://www.securitytube.net/Assembly-Primer-for-Hackers-%28Part-1%29-System-Organization-video.aspx

Armed with this knowledge it should be easy for you to understand bufferoverflows.
Again, securitytube has free buffer overflow primer videos. I found these very useful.
http://www.securitytube.net/Buffer-Overflow-Primer-Part-1-%28Smashing-the-Stack%29-video.aspx

Just a quick note (and sorry for bringing up an old topic) as far as I am aware C does not support strings so that should only refer to C++. From how I learned it C only supports array's of characters.

Next to that all a great book that should be mentioned for learning C, some assembly and how it is used to write exploits would be "hacking, the art of exploitation".

http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=pd_sim_b_2

A nice video tutorial set from securitytube.net,
http://www.securitytube.net/groups?operation=view&groupId=4 (http://www.securitytube.net/groups?operation=view&groupId=4)

I'm quite sure you might like it  8).

this is absolutely untrue, C is the father of C++/Java..

there's a pleny ways to define string in C:
char *string=""
char string[]=""

and define your own struct to use only the keyword string  ;)

As others have already pointed out, securitytube is where I start for all such questions. With over 2,000 videos there's almost always something of interest on whatever subject you're interested in. And the videos are getting much better as people like Vivek have upgraded their editing software.

His wireless security megaprimer is *awesome* (as he would say). :D

If you want a book, you should read Hacking: The Art Of Exploitation. Even if you cant program in C or Assembly it should get you into writing exploits. If you can do that well, you should read The Shellcoders Handbook, which goes a little bit further than The Art Of Exploitation but both will teach you how to write exploits, and how exploits work.

I think H4TT1fn4TT meant that C does not have a built-in "Strings" type, and he's right. Of course you can define your own types and data structures and call them whatever you want, but in C you don't have that native type as other languages do.

Hey forumer33t i was wondering does the book cover the ability to hack or just defend a website? I want to know to see if i shoupd get it.

I found this training session from Dino Dai Zovi to be very useful.

http://pentest.cryptocity.net/exploitation/