Buffer overflows and various code injection methods
Buffer overflows and various code injection methods. Raghunathan Srinivasan, CSE 539, 2/2/2011. What is the deal with overflows? Why does it exist? Can we get rid of it? Why can't we get rid of it? Since 80% of the general population uses a Microsoft OS, let's Google "Microsoft buffer overflow".

Raghunathan Srinivasan, CSE 539, 2/2/2011


What is the deal with overflows

  • Why does it exist?

  • Can we get rid of it?

  • Why can't we get rid of it?


  • Since 80% of the general population uses a Microsoft OS, let's Google "Microsoft buffer overflow"


Bounds checking?

    #include <stdio.h>

    int main()
    {
        int a[4]; int n;
        scanf("%d", &n);         /* n comes straight from the input */
        while (n > 0) {
            scanf("%d", &a[n]);  /* no check: any n > 3 writes past the end of a */
            n--;
        }
    }


    #include <stdio.h>

    int main()
    {
        int a[4]; int n;
        if (scanf("%d", &n) != 1) return 1;  /* nothing read: do not loop on an uninitialised n */
        if (n > 3) n = 3;   /* clamp to the last valid index; rejecting the input with a return is the other option */
        while (n > 0) {
            scanf("%d", &a[n]);
            n--;
        }
    }


Why buffer overflow is possible

  • Are our machines different?

  • What does the stack look like?
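The question above is answered by the layout of a frame: the local buffer sits at the lowest address, with the saved frame pointer and the return address directly above it, so a copy that trusts the input length walks straight into them. The following is an added example, not code from the slides: it models one x86 frame as a struct (the 16-byte buffer, the two placeholder addresses and the 0x41414141 target are constructed values for the demo) so the overwrite is shown with well-defined C rather than a real smash, and puts the gets()-style copy next to the bounds-checked one from the previous slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame, laid out as the compiler lays it out on x86:
 * the local buffer at the lowest address, then the saved frame pointer,
 * then the return address. The sizes and the two addresses below are
 * illustrative assumptions for the demo, not values from a real binary. */
struct frame {
    char      buf[16];   /* local variable filled from untrusted input */
    uintptr_t saved_fp;  /* pushed %ebp / %rbp */
    uintptr_t ret;       /* where the caller resumes */
};

#define ORIGINAL_FP  ((uintptr_t)0xbffff000u)  /* assumed saved frame pointer */
#define ORIGINAL_RET ((uintptr_t)0x08048500u)  /* assumed legitimate return address */

/* Distance from the start of buf to the return-address slot: the number the
 * attacker has to get right, and the number a padded frame would change. */
size_t buf_to_ret(void) {
    return offsetof(struct frame, ret);
}

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->saved_fp = ORIGINAL_FP;
    f->ret = ORIGINAL_RET;
}

/* Classic payload: filler up to the return-address slot, then the target
 * address. Returns the payload length, or 0 if the output buffer is too small. */
size_t build_payload(unsigned char *out, size_t cap, uintptr_t target) {
    size_t off = buf_to_ret();
    if (cap < off + sizeof target) return 0;
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* gets()-style copy: trusts the input length. Copying through a char pointer
 * over the whole struct is well-defined C, which is what lets the demo show
 * the overwrite without relying on undefined behaviour. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t len) {
    memcpy((unsigned char *)f, in, len);   /* no comparison against sizeof f->buf */
}

/* Bounds-checked copy: reject input that does not fit rather than clamping it. */
static int copy_checked(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof f->buf) return -1;
    memcpy(f->buf, in, len);
    return 0;
}

/* Return address left in the frame after an unchecked copy of a payload aimed at target. */
uintptr_t ret_after_unchecked(uintptr_t target) {
    struct frame f;
    unsigned char payload[64];
    frame_init(&f);
    size_t n = build_payload(payload, sizeof payload, target);
    copy_unchecked(&f, payload, n);
    return f.ret;
}

/* Same payload through the checked copy; *rejected reports whether it was refused. */
uintptr_t ret_after_checked(uintptr_t target, int *rejected) {
    struct frame f;
    unsigned char payload[64];
    frame_init(&f);
    size_t n = build_payload(payload, sizeof payload, target);
    *rejected = copy_checked(&f, payload, n) != 0;
    return f.ret;
}

int main(void) {
    int rejected;
    uintptr_t target = (uintptr_t)0x41414141u;
    printf("buf -> ret distance: %zu bytes\n", buf_to_ret());
    printf("unchecked copy: ret = %#lx\n", (unsigned long)ret_after_unchecked(target));
    printf("checked copy:   ret = %#lx (rejected=%d)\n",
           (unsigned long)ret_after_checked(target, &rejected), rejected);
    return 0;
}
```

The payload length equals the distance from buf to the end of the frame, so the unchecked copy lands the target exactly in the return-address slot, while the checked copy never touches anything past buf.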


Takeaways?

  • How secure is any code?

  • What would happen if we all used a different architecture, or a custom-compiled OS?


Benefits of custom compilation

  • Randomize application memory

  • Modify the relative distance between the return address and the locals on the stack for every binary

    • The attacker needs to determine the correct input values for every binary

    • Return on investment is lower


  • Randomize the stack frame of every routine

    • Add padding between local variables and return address

    • Makes buffer overflow exploits difficult

  • So how do we randomize the code?

    • Source code?

    • Executable?


Binary re writing

  • No net instructions added (or subtracted)

  • Change the arguments that add space on the stack

  • Every instruction that uses a location on the stack (local variables) has to be fixed


    void foo() {
        char buffer[1024];
        gets(buffer);
    }

Disassembly of foo (32-bit x86, AT&T syntax):

    push %ebp
    mov %esp,%ebp
    sub $0x408,%esp
    lea -0x400(%ebp),%eax
    mov %eax,(%esp)
    call 80482c8 <gets@plt>
    leave
    ret


So what instructions need to be modified?

  • A)

  • B)

  • C)


Was this done

  • Yes

  • Use objdump to parse out the text

  • Identify instructions

  • Determine max pad for each function

  • Go and rewrite the instructions
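The steps above, worked through on the listing of foo from the earlier slide. This is an added example, not the author's tool: it takes objdump-style text lines as input, treats the prologue's sub $imm,%esp as the frame allocation and every negative %ebp displacement as a local (positive displacements are incoming arguments and %esp-relative slots such as (%esp) are untouched), computes the largest pad that keeps each displacement in its original disp8 or disp32 encoding, and rewrites the text for a chosen pad. The pad of 0x100 and the 96-character line limit are assumptions for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_LEN 96

/* Locate a "disp(%ebp)" operand in one AT&T-syntax line. Returns 1 and fills
 * *disp, *tok (start of the displacement text) and *paren (the "(%ebp)" after it),
 * or 0 if the line has no such operand. */
static int find_ebp_disp(char *line, long *disp, char **tok, char **paren) {
    char *p = strstr(line, "(%ebp)");
    if (!p) return 0;
    char *t = p;
    while (t > line && (isxdigit((unsigned char)t[-1]) || t[-1] == 'x' || t[-1] == '-'))
        t--;
    if (t == p) return 0;                 /* "(%ebp)" with no displacement */
    *disp = strtol(t, NULL, 16);          /* accepts "-0x400" */
    *tok = t;
    *paren = p;
    return 1;
}

/* Rewrite one instruction for a pad of 'pad' bytes inserted between the locals
 * and the saved %ebp. Returns 1 if the text changed, 0 if it needed no change,
 * -1 if a disp8 local would need a disp32 encoding, i.e. the instruction would
 * have to grow, which an in-place rewrite that adds no bytes cannot do. */
int rewrite_insn(char *line, size_t cap, long pad) {
    char mn[8];
    unsigned long imm;
    long disp;
    char *tok, *paren;

    /* Frame allocation/release: the immediate grows by the pad. */
    if (sscanf(line, "%7s $0x%lx,%%esp", mn, &imm) == 2 &&
        (strcmp(mn, "sub") == 0 || strcmp(mn, "add") == 0)) {
        snprintf(line, cap, "%s $0x%lx,%%esp", mn, imm + (unsigned long)pad);
        return 1;
    }
    /* A negative %ebp displacement names a local and moves down by the pad.
     * Positive displacements (incoming arguments above the return address) and
     * %esp-relative outgoing-argument slots such as (%esp) are unaffected. */
    if (!find_ebp_disp(line, &disp, &tok, &paren) || disp >= 0)
        return 0;
    long ndisp = disp - pad;
    if (disp >= -128 && ndisp < -128)
        return -1;
    char buf[LINE_MAX_LEN];
    int len = snprintf(buf, sizeof buf, "%.*s-0x%lx%s", (int)(tok - line), line, -ndisp, paren);
    if (len < 0 || (size_t)len >= cap) return -1;
    memcpy(line, buf, (size_t)len + 1);
    return 1;
}

/* Apply rewrite_insn to a whole function. Returns the number of lines changed,
 * or -1 if any line cannot be rewritten in place. */
int rewrite_listing(char lines[][LINE_MAX_LEN], int n, long pad) {
    int changed = 0;
    for (int i = 0; i < n; i++) {
        int r = rewrite_insn(lines[i], LINE_MAX_LEN, pad);
        if (r < 0) return -1;
        changed += r;
    }
    return changed;
}

/* Largest pad that keeps every local in its original encoding: the
 * "max pad for each function" that has to be determined before rewriting. */
long long max_pad(char lines[][LINE_MAX_LEN], int n) {
    long long limit = 1LL << 31;          /* disp32 bound when nothing tighter applies */
    for (int i = 0; i < n; i++) {
        long disp; char *tok, *paren;
        if (!find_ebp_disp(lines[i], &disp, &tok, &paren) || disp >= 0) continue;
        long long room = (disp >= -128) ? 128 + disp : (1LL << 31) + disp;
        if (room < limit) limit = room;
    }
    return limit;
}

/* The listing of foo() from the slides, standing in for the text objdump -d would produce. */
int page_listing(char out[][LINE_MAX_LEN]) {
    static const char *src[] = {
        "push %ebp", "mov %esp,%ebp", "sub $0x408,%esp", "lea -0x400(%ebp),%eax",
        "mov %eax,(%esp)", "call 80482c8 <gets@plt>", "leave", "ret",
    };
    int n = (int)(sizeof src / sizeof src[0]);
    for (int i = 0; i < n; i++) snprintf(out[i], LINE_MAX_LEN, "%s", src[i]);
    return n;
}

int main(void) {
    char lines[8][LINE_MAX_LEN];
    int n = page_listing(lines);
    printf("max pad for foo(): %lld bytes\n", max_pad(lines, n));
    int changed = rewrite_listing(lines, n, 0x100);
    printf("rewritten with pad 0x100 (%d lines changed):\n", changed);
    for (int i = 0; i < n; i++) printf("  %s\n", lines[i]);
    return 0;
}
```

For foo only two lines change: the sub becomes sub $0x508,%esp and the lea becomes lea -0x500(%ebp),%eax; mov %eax,(%esp) stays, because the outgoing argument slot is addressed from %esp, which the larger sub already moved. A function whose locals use disp8 offsets (for example -0x4(%ebp)) limits the pad to 124 bytes, which is why the max pad has to be computed per function before rewriting.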


Code injection

mprotect

ptrace

Let's take a look at the man pages of these system calls


Lets write code

    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <stdint.h>
    #include <sys/mman.h>
    #include <limits.h>    /* for PAGESIZE */
    #ifndef PAGESIZE
    #define PAGESIZE 4096
    #endif

    int test();

    int main()
    {
        char *location = (char *)test;   /* first byte of test()'s code */
        char *d = (char *)test;

        test();
        printf("\nAttempting not possible stuff");
        fflush(NULL);

        /* mprotect wants a page-aligned start: round down to the page holding test().
           Use the whole page as the length so test() is covered wherever it sits in it. */
        d = (char *)(((uintptr_t)d) & ~((uintptr_t)PAGESIZE - 1));
        if (mprotect(d, PAGESIZE, PROT_READ | PROT_WRITE | PROT_EXEC)) {
            perror("Couldn't mprotect");
            exit(errno);
        }
        /* Overwrite the second byte of test() with 0xc3 (ret). On 32-bit x86 that is the
           byte right after "push %ebp", so the ret pops the saved %ebp as a return address
           and the process crashes; on other builds the byte lands mid-instruction instead. */
        location[1] = 0xc3;
        test();

        printf("\nShould not be here");
        fflush(NULL);
        return 0;
    }

    int test()
    {
        int i;
        printf("\n hello from test");
        return 0;
    }


What does this show

  • If an application wants to, it can cause havoc on itself.

  • Is this useful?

  • But mprotect is a system call

  • All system calls are available to every binary

  • Can you make the execution jump to mprotect with the correct arguments on the stack?
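The same system call used the way an injector uses it: bytes that arrived as data are placed in a writable page, mprotect() turns the page executable, and the process jumps into them. This is an added example, not code from the slides. The six-byte payload is a constructed stand-in for shellcode (on x86 and x86-64 it decodes as mov $0x2a,%eax; ret, a function returning 42); it assumes Linux or another system with mmap/mprotect, and it flips the page from writable to executable rather than leaving it both, so a W^X policy that only forbids pages being writable and executable at once does not stop it.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed payload: on x86 and x86-64 these six bytes decode as
 *     mov $0x2a,%eax
 *     ret
 * i.e. a function that returns 42. Other architectures are not handled. */
static const unsigned char payload[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

int injection_supported(void) {
#if defined(__x86_64__) || defined(__i386__)
    return 1;
#else
    return 0;
#endif
}

/* Copy the bytes into a fresh writable page, then ask the kernel via
 * mprotect() to make that page executable (and no longer writable, so the
 * mapping is never W+X), and call it. Returns what the injected code returns,
 * or -1 if the platform is not x86 or the kernel refused. */
int run_injected(void) {
    if (!injection_supported()) return -1;
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -1;
    size_t len = (size_t)page;

    /* mmap hands back a page-aligned region, which mprotect requires */
    unsigned char *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, payload, sizeof payload);

    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);   /* e.g. a policy that forbids exec on anonymous memory */
        return -1;
    }
    /* turn the data pointer into a function pointer without a pedantic cast */
    int (*fn)(void);
    memcpy(&fn, &mem, sizeof fn);
    int result = fn();

    munmap(mem, len);
    return result;
}

int main(void) {
    printf("injected code returned %d\n", run_injected());
    return 0;
}
```

Without the mprotect() call the function pointer would point into a non-executable page and the call would fault; that single call is what an attacker who controls the stack wants to reach, with the page address, length and PROT_EXEC as its arguments.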


ptrace

  • Parent process may observe and control a child process

  • Essentially what a debugger does


fork

  • Creates a child process

  • fork() returns twice, once in each process, at the same point in the code

  • If the return value is 0 it is the child, otherwise the parent (the value is the child's pid)

  • Code example 1


Example 2

  • PTRACE_TRACEME

    • The process asks to be traced by its parent. From then on any signal delivered to the child (except SIGKILL) stops it instead of running its handler, and the stop is reported to the parent waiting in wait(); the child also stops with SIGTRAP after each exec. Stopping at every system call is a separate request, PTRACE_SYSCALL, not a side effect of PTRACE_TRACEME.

  • PTRACE_CONT

    • Parent resumes the stopped child


Example 3

  • PTRACE_PEEKUSER

    • Reads a word at offset addr in the child's USER area (struct user), which holds the registers and other information about the process


Example 6

  • PTRACE_ATTACH

    • Attaches to the process specified in pid, making it a traced "child" of the current process; the behavior of the child is as if it had done a PTRACE_TRACEME. The target is sent a SIGSTOP and the tracer has to wait() for that stop before issuing other requests. On Linux with Yama, kernel.yama.ptrace_scope can restrict attaching to anything other than a descendant.

  • PTRACE_GETREGS

    • Copies the child's general-purpose registers to location data in the parent (PTRACE_GETFPREGS does the same for the floating-point registers)

  • PTRACE_PEEKTEXT

    • Reads a word at the location addr in the child's memory, returning the word as the result of the ptrace() call.


Example 7

  • PTRACE_SETREGS

    • Copies the child's general-purpose registers from location data in the parent (PTRACE_SETFPREGS for the floating-point registers)
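The requests from the examples above put together into one traced session. This is an added example, not one of the numbered examples from the course: the parent forks a child (no exec, so a global variable has the same address in both processes), the child does PTRACE_TRACEME and stops itself with SIGSTOP, and the parent then reads that variable with PTRACE_PEEKTEXT, dumps the stopped registers with PTRACE_GETREGS, rewrites the word with PTRACE_POKETEXT and resumes the child with PTRACE_CONT. The child reports the injected value as its exit status. It assumes Linux; the register dump is only compiled on x86/x86-64, and the variable name marker and the values 0x1234 and 0x2a are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <sys/user.h>
#endif

/* A word in the child's memory that the tracer reads and then overwrites.
 * The child is created by fork() without exec(), so this variable sits at the
 * same virtual address in both processes; volatile makes the child re-read it. */
static volatile long marker = 0x1234;

static int fail(pid_t pid) { kill(pid, SIGKILL); return -1; }

/* Trace a child: read 'marker' with PTRACE_PEEKTEXT into *seen, show the
 * stopped registers with PTRACE_GETREGS, overwrite the word with
 * PTRACE_POKETEXT, resume with PTRACE_CONT. Returns the child's exit status,
 * which the child derives from whatever the tracer left in 'marker', or -1. */
int trace_and_inject(long new_value, long *seen) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* child: allow the parent to trace it, then stop so it can take over */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        raise(SIGSTOP);
        _exit((int)(marker & 0xff));   /* runs once the parent does PTRACE_CONT */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;

    /* PTRACE_PEEKTEXT returns the word itself, so -1 is only an error if errno is set */
    errno = 0;
    *seen = ptrace(PTRACE_PEEKTEXT, pid, (void *)&marker, NULL);
    if (*seen == -1 && errno != 0) return fail(pid);

#if defined(__x86_64__) || defined(__i386__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0) {
#if defined(__x86_64__)
        printf("child stopped at rip=%#llx, marker=%#lx\n", (unsigned long long)regs.rip, *seen);
#else
        printf("child stopped at eip=%#lx, marker=%#lx\n", (unsigned long)regs.eip, *seen);
#endif
    }
#endif

    if (ptrace(PTRACE_POKETEXT, pid, (void *)&marker, (void *)new_value) == -1)
        return fail(pid);
    /* data = 0: resume without delivering the SIGSTOP that caused the stop */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1) return fail(pid);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    long seen = 0;
    int rc = trace_and_inject(0x2a, &seen);
    printf("tracer saw marker=%#lx, child exited with %d, parent's marker still %#lx\n",
           seen, rc, (long)marker);
    return 0;
}
```

The parent's own copy of marker is untouched afterwards: POKETEXT writes into the child's address space only, which is the whole point of the request. Attaching to an unrelated process instead of a forked child is the same sequence with PTRACE_ATTACH in place of the child's PTRACE_TRACEME, subject to the ptrace_scope caveat above.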


Example 8

  • Do it yourself at home
