Buffer overflows and various code injection methods
Buffer overflows and various code injection methods. Raghunathan Srinivasan, CSE 539, 2/2/2011. What is the deal with overflows? Why does it exist? Can we get rid of it? Why can't we get rid of it? Since 80% of the general population uses a Microsoft OS, let's google "Microsoft buffer overflow".

Presentation Transcript
Buffer overflows and various code injection methods

Raghunathan Srinivasan, CSE 539, 2/2/2011


What is the deal with overflows?

  • Why does it exist?

  • Can we get rid of it?

  • Why can't we get rid of it?



Bounds checking?

#include <stdio.h>

/* Deliberately unchecked: n comes straight from the user and is used to index a[4]. */
int main(void)
{
    int a[4];
    int n;

    scanf("%d", &n);
    while (n > 0) {
        scanf("%d", &a[n]);   /* any n >= 4 writes past the end of a, onto whatever sits above it on the stack */
        n--;
    }
    return 0;
}


#include <stdio.h>

/* Same program with the index clamped before it is used. */
int main(void)
{
    int a[4];
    int n;

    scanf("%d", &n);
    if (n > 3) n = 3;         /* clamp to the last valid index (or return an error instead) */
    while (n > 0) {
        scanf("%d", &a[n]);
        n--;
    }
    return 0;
}
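The slide's fix silently clamps a bad count; a practitioner usually wants the count rejected so the caller learns the input was bad, and the scanf return values checked as well. The following is an added example, not from the slides: it parses the same "n followed by n values" format from a string (so it can be exercised without stdin), rejects negative or over-capacity counts, and fills a[0..n-1] rather than a[n..1] as the slide does. The function name read_values and the constant CAPACITY are this example's own.

```c
#include <stdio.h>
#include <stddef.h>

#define CAPACITY 4   /* size of the destination array, as in the slide's int a[4] */

/* Parse "n v1 v2 ... vn" from text into out[0..n-1].
 * Returns the number of values stored, or -1 when the count is negative,
 * exceeds CAPACITY, or the text is malformed. Rejecting (instead of clamping)
 * means a malicious or broken input is reported rather than quietly truncated. */
int read_values(const char *text, int out[CAPACITY])
{
    int n, consumed;

    /* %n records how many characters were consumed so we can advance. */
    if (sscanf(text, "%d%n", &n, &consumed) != 1)
        return -1;
    if (n < 0 || n > CAPACITY)           /* the bounds check the first slide lacks */
        return -1;
    text += consumed;

    for (int i = 0; i < n; i++) {
        if (sscanf(text, "%d%n", &out[i], &consumed) != 1)
            return -1;                   /* fewer values than promised */
        text += consumed;
    }
    return n;
}

int main(void)
{
    int a[CAPACITY];
    /* Constructed inputs for this example. */
    printf("valid:   %d\n", read_values("3 10 20 30", a));
    printf("too big: %d\n", read_values("7 1 2 3 4 5 6 7", a));
    printf("negative: %d\n", read_values("-1", a));
    return 0;
}
```

The check is on the count before it is ever used as an index; every later write to out[i] is therefore inside the array by construction.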


Why buffer overflow is possible

  • Are our machines different?

  • What does the stack look like?


Takeaways?

  • How secure is any code?

  • What would happen if we all used different architecture, custom compiled OS?


Benefits of custom compilation

  • Randomize application memory

  • Modify the relative distance between Return address and locals on stack for every binary

    • Attacker needs to determine correct input values on every binary

    • Return on investment is lower for the attacker


  • Randomize the stack frame of every routine

    • Add padding between local variables and return address

    • Makes buffer overflow exploits difficult

  • So how to randomize the code

    • Source code?

    • Executable?


Binary rewriting

  • No net instructions added (or subtracted)

  • Change arguments for adding space on stack

  • Every instruction that uses locations on the stack (local variables) has to be fixed


void foo() {
    char buffer[1024];
    gets(buffer);        /* gets() has no length limit, so input longer than 1024 bytes runs past buffer */
}

Compiled to 32-bit x86, foo() becomes:

push %ebp
mov %esp,%ebp
sub $0x408,%esp         # reserve 0x408 (1032) bytes below the saved %ebp for locals and the call argument
lea -0x400(%ebp),%eax   # buffer starts 0x400 (1024) bytes below the saved %ebp, 0x404 bytes below the return address
mov %eax,(%esp)         # pass buffer as the argument to gets()
call 80482c8 <gets@plt>
leave
ret


So what instructions need to be modified?

  • A)

  • B)

  • C)


Was this done?

  • Yes

  • Use objdump to parse out the .text section

  • Identify instructions

  • Determine max pad for each function

  • Go and re write instructions
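What the rewriter changes is the number of bytes between a local buffer and the saved return address (0x404 bytes in the foo() listing above); an exploit payload has to contain exactly that many bytes of filler before its fake return address. The program below is an added example, not part of the slides, that measures this distance at runtime on a 64-bit build. It assumes GCC or Clang (for __builtin_return_address and the noinline attribute) and a conventional downward-growing stack with the return address stored above the locals, as on x86-64 and AArch64 Linux; it finds the slot by scanning the pointer-sized words above the buffer for the value of the return address rather than assuming a fixed frame layout, so it also works when the frame pointer is omitted. The function names frame_distance_plain, frame_distance_padded and find_return_slot are this example's own.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE   64
#define SCAN_LIMIT 1024   /* how far above the buffer to look for the return address */

/* Scan pointer-sized words starting `start` bytes above `base` until one equals
 * `ret`. Returns that word's byte offset from `base`, or -1 if none is found
 * within SCAN_LIMIT. `base` is passed as an integer so the out-of-bounds
 * arithmetic is explicit and not "optimised" as an array access. */
static long find_return_slot(uintptr_t base, long start, const void *ret)
{
    for (long off = start; off < start + SCAN_LIMIT; off += (long)sizeof(void *)) {
        void *word;
        memcpy(&word, (const void *)(base + (uintptr_t)off), sizeof word);  /* read one stack word */
        if (word == ret)
            return off;
    }
    return -1;
}

/* Plain frame: one local buffer, no deliberate padding. The result is the number
 * of bytes an overflow of `buffer` must write before it reaches the return address. */
__attribute__((noinline))
long frame_distance_plain(void)
{
    _Alignas(sizeof(void *)) volatile char buffer[BUF_SIZE];
    for (size_t i = 0; i < sizeof buffer; i++)
        buffer[i] = 0;   /* make sure no stray copy of the return address sits inside the buffer */
    return find_return_slot((uintptr_t)buffer, (long)sizeof buffer, __builtin_return_address(0));
}

/* Same buffer with 256 bytes of padding declared alongside it, as the per-binary
 * padding idea proposes. C does not specify whether `pad` lands above or below
 * `buffer`, so compare the two printed distances rather than assuming. */
__attribute__((noinline))
long frame_distance_padded(void)
{
    volatile char pad[256];
    _Alignas(sizeof(void *)) volatile char buffer[BUF_SIZE];
    for (size_t i = 0; i < sizeof pad; i++)
        pad[i] = 0;
    for (size_t i = 0; i < sizeof buffer; i++)
        buffer[i] = 0;
    return find_return_slot((uintptr_t)buffer, (long)sizeof buffer, __builtin_return_address(0));
}

int main(void)
{
    printf("buffer -> return address, plain:  %ld bytes\n", frame_distance_plain());
    printf("buffer -> return address, padded: %ld bytes\n", frame_distance_padded());
    return 0;
}
```

The distance printed for the plain frame is the same on every run and every machine with the same binary, which is exactly why one payload works everywhere: only a different binary (a different compile, or a rewritten one) changes it. The scan stops at the first word matching the return address, so a stack-protector canary or saved frame pointer between the buffer and the slot is simply counted as part of the distance.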


Code injection

mprotect

ptrace

Let's take a look at the man pages of these system calls.


Let's write code

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>

int test(void);

int main(void)
{
    unsigned char *location = (unsigned char *)test;   /* first byte of test()'s machine code */
    unsigned char *d = location;
    long pagesize = sysconf(_SC_PAGESIZE);

    test();
    printf("\nAttempting not possible stuff");
    fflush(NULL);

    /* mprotect needs a page-aligned start, so round test()'s address down to its page. */
    d = (unsigned char *)((uintptr_t)d & ~((uintptr_t)pagesize - 1));
    if (mprotect(d, 1024, PROT_READ | PROT_WRITE | PROT_EXEC)) {
        perror("Couldn't mprotect");
        exit(errno);
    }
    /* Overwrite the second byte of test() with 0xc3 (ret). With the prologue shown
     * earlier (push %ebp; mov %esp,%ebp) that makes test() execute push %ebp; ret,
     * so it "returns" to whatever the saved frame pointer holds. */
    location[1] = 0xc3;
    test();

    printf("\nShould not be here");
    fflush(NULL);
    return 0;
}

int test(void)
{
    printf("\n hello from test");
    return 0;
}


What does this show?

  • If an application wants to, it can cause havoc on itself.

  • Is this useful?

  • But this is a system call

  • All system calls are available to every binary

  • Can you make the execution jump to mprotect with correct stack arguments?


ptrace

  • Parent process may observe and control a child process

  • Essentially a debugger


fork

  • Creates a child process

  • fork returns twice, once in each process, at the same point in the code

  • If the return value is 0 this is the child; otherwise this is the parent and the value is the child's PID

  • Code example 1


Example 2

  • PTRACE_TRACEME

    • The process asks to be traced by its parent. From then on the child stops each time a signal is delivered to it (and, if the parent resumes it with PTRACE_SYSCALL, at each system call entry and exit); control passes to the parent, which is waiting in wait(), and the parent can inspect or modify the stopped child.

  • PTRACE_CONT

    • Parent resumes the stopped child


Example 3

  • PTRACE_PEEKUSER: reads a word at offset addr in the child's USER area (struct user), which holds the registers and other information about the process


Example 6

  • PTRACE_ATTACH

    • Attaches to the process specified in pid, making it a traced "child" of the calling process; the behavior of the child is as if it had done a PTRACE_TRACEME. Attaching to an arbitrary process is subject to the kernel's permission checks (same uid or CAP_SYS_PTRACE, and on Linux the Yama ptrace_scope setting).

  • PTRACE_GETREGS

    • Copies the child's general-purpose registers to the location data in the parent (PTRACE_GETFPREGS does the same for the floating-point registers).

  • PTRACE_PEEKTEXT

    • Reads a word at the location addr in the child's memory, returning the word as the result of the ptrace() call.


Example 7

  • PTRACE_SETREGS

    • Copies the child's general-purpose registers from the location data in the parent (PTRACE_SETFPREGS does the same for the floating-point registers), so the parent can redirect the child's execution, for example by changing its instruction pointer.


Example 8

  • Do it yourself at home
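The numbered examples above are not reproduced on this page, so here is an added example, written for this page and not taken from the course, that puts the TRACEME, wait, PEEK, POKE and CONT steps together into one runnable program. The parent forks a child that requests tracing and stops itself; the parent reads a variable out of the child's memory, overwrites it, resumes the child, and receives the value the child actually observed back through its exit status. Because there is no exec between fork and the poke, the variable has the same address in both processes. It assumes Linux and glibc's ptrace() wrapper; the names inject_into_child and shared_secret are this example's own. PTRACE_PEEKDATA/POKEDATA are used rather than GETREGS/SETREGS so the same code builds on any architecture (the register-struct layout differs per CPU).

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* The child starts with this value; the tracer rewrites it while the child is stopped. */
static volatile long shared_secret = 1;

/* Fork a traced child, replace shared_secret in its address space with new_value,
 * resume it, and return the value the child saw (its exit status, so keep new_value
 * in 0..255). Returns -1 if any ptrace step fails, 101 if TRACEME itself failed. */
long inject_into_child(long new_value)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: ask to be traced, then stop so the parent has a known point to work at. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(101);
        raise(SIGSTOP);
        /* Resumed by PTRACE_CONT: report whatever the variable holds now. */
        _exit((int)(shared_secret & 0xff));
    }

    /* Parent: wait until the child is in its signal-delivery stop. */
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;

    void *addr = (void *)&shared_secret;   /* same address in the child: no exec happened */

    /* PEEKDATA returns the word itself, so -1 is ambiguous; clear errno to tell them apart. */
    errno = 0;
    long before = ptrace(PTRACE_PEEKDATA, pid, addr, NULL);
    if (before == -1 && errno != 0)
        return -1;
    if (before != 1)                        /* sanity check: we read the child's copy */
        return -1;

    /* Write the new value into the child's memory. */
    if (ptrace(PTRACE_POKEDATA, pid, addr, (void *)new_value) == -1)
        return -1;

    /* Resume the child without delivering the SIGSTOP (data = 0). */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
        return -1;

    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("child observed %ld\n", inject_into_child(42));
    return 0;
}
```

Pointing addr at code instead of data (PTRACE_POKETEXT, one word at a time) and then setting the instruction pointer with PTRACE_SETREGS is the same mechanism turned into code injection; the kernel performs the writes, so the target's own page protections do not stop it. What does stop it is permission to trace in the first place: TRACEME from one's own child is always allowed, but PTRACE_ATTACH to an unrelated process is governed by the uid/capability checks and Yama's ptrace_scope.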

