1 / 67

Buffer Overflow Attacks

Buffer Overflow Attacks. 6.857, Computer & Network Security. Basic Idea Sample Attacks Protection. 1. 6.857. History. 6.857, Computer & Network Security. Basic Idea Sample Attacks Protection. 1960s. 1970s. 1980s. 1990s. Today.

petra
Download Presentation

Buffer Overflow Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Buffer Overflow Attacks 6.857, Computer & Network Security Basic Idea Sample Attacks Protection 1 6.857

  2. History 6.857, Computer & Network Security Basic Idea Sample Attacks Protection 1960s 1970s 1980s 1990s Today The problem persists(e.g., IE VML advisory fromtwo months ago). Vulnerability exploited on time-share machines Morris Worm usesbuffer overflow intaking down significantportion of the Internet Attacks on early networkedmachines Buffer overflow attacks become(arguably) the most pressingsecurity concerns facing the web(e..g., in 1998, 2/3 of CERT advisorieswere buffer overflow related) 2 6.857

  3. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text Data Heap Stack High Addresses 3 6.857

  4. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap Stack High Addresses 4 6.857

  5. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text pushl $2pushl $1call func…pushl%ebpmovl %esp, %ebpsubl $24, %esp void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap Stack High Addresses 5 6.857

  6. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text pushl $2pushl $1call func…pushl%ebpmovl %esp, %ebpsubl $24, %esp void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap sp Stack fp High Addresses 6 6.857

  7. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text pushl $2pushl $1call func…pushl%ebpmovl %esp, %ebpsubl $24, %esp void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap sp 2 Stack fp High Addresses 7 6.857

  8. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text pushl $2pushl $1call func…pushl%ebpmovl %esp, %ebpsubl $24, %esp void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap 1 sp 2 Stack fp High Addresses 8 6.857

  9. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text pushl $2pushl $1call func…pushl%ebpmovl %esp, %ebpsubl $24, %esp void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap ret 1 sp 2 Stack fp High Addresses 9 6.857

  10. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap sfp ret 1 sp 2 Stack fp High Addresses 10 6.857

  11. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap sfp ret 1 sp 2 Stack fp High Addresses 11 6.857

  12. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text pushl $2pushl $1call func…pushl%ebpmovl %esp, %ebpsubl $24, %esp void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap sfp ret 1 sp 2 Stack fp High Addresses 12 6.857

  13. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text pushl $2pushl $1call func…pushl%ebpmovl %esp, %ebpsubl $24, %esp void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } Data Heap buffer sfp ret 1 sp 2 Stack fp High Addresses 13 6.857

  14. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } Data Heap buffer sfp ret 1 sp 2 Stack fp High Addresses 14 6.857

  15. Memory Layout 6.857, Computer & Network Security Basic Idea Sample Attacks Protection Low Addresses Text void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } Data Heap bigstr sfp ret 1 sp 2 Stack fp High Addresses 15 6.857

  16. Sample Attacks 6.857, Computer & Network Security Basic Idea Sample Attacks Protection • Modify local variables • Modify return address to skip/repeat code • Modify return address to run evil code 16 6.857

  17. Modify Local Variables 6.857, Computer & Network Security Basic Idea Sample Attacks Protection • Modify local variables • Modify return address to skip/repeat code • Modify return address to run evil code 17 6.857

  18. Modify Local Variables 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } 18 6.857

  19. Modify Local Variables 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } query recp[] subject[] sfp ret 19 6.857

  20. Modify Local Variables 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } query recp[] subject[] sfp ret 20 6.857

  21. Modify Local Variables 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } query recp[] subject[] sfp ret 21 6.857

  22. Modify Local Variables 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "admin@nsa.gov"; char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret e-mail to recp … } query recp[] subject[] Demo… sfp ret 22 6.857

  23. Repeat Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection • Modify local variables • Modify return address to skip/repeat code • Modify return address to run evil code 23 6.857

  24. Repeat Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } buffer sfp ret a b 24 6.857

  25. Repeat Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } buffer sfp ret a b 25 6.857

  26. Repeat Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } sfp ret addr a b 26 6.857

  27. Repeat Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } buffer sfp ret a b 27 6.857

  28. Repeat Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } sfp ret addr a b 28 6.857

  29. Repeat Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } sfp ret addr a b Demo… 29 6.857

  30. Sample Attacks 6.857, Computer & Network Security Basic Idea Sample Attacks Protection • Modify local variables • Modify return address to skip/repeat code • Modify return address to run evil code 30 6.857

  31. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection buffer void func(int a, int b) { char buffer[32]; gets(buffer); … } sfp ret 1 2 31 6.857

  32. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection evil codeevil codeevil codeevil code nopnopnopnopnopnopnopnopnopnopnop0x80483eb void func(int a, int b) { char buffer[32]; gets(buffer); … } 1 2 32 6.857

  33. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection evil codeevil codeevil codeevil code nopnopnopnopnopnopnopnopnopnopnop0x80483eb void func(int a, int b) { char buffer[32]; gets(buffer); … } 1 2 33 6.857

  34. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection evil codeevil codeevil codeevil code nopnopnopnopnopnopnopnopnopnopnop0x80483eb void func(int a, int b) { char buffer[32]; gets(buffer); … } 1 2 34 6.857

  35. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection evil codeevil codeevil codeevil code nopnopnopnopnopnopnopnopnopnopnop0x80483eb void func(int a, int b) { char buffer[32]; gets(buffer); … } 1 2 35 6.857

  36. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection evil codeevil codeevil codeevil code nopnopnopnopnopnopnopnopnopnopnop0x80483eb void func(int a, int b) { char buffer[32]; gets(buffer); … } ???? 1 2 36 6.857

  37. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } 37 6.857

  38. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve> 38 6.857

  39. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve> 0xffffffff 39 6.857

  40. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve> 0xfffffff8 0x80884a8 0xffffffff 40 6.857 “/bin/sh”

  41. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve> 0xfffffff8 0x80884a8 0xfffffffc NULL 0xffffffff 41 6.857

  42. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve> 0xfffffff8 0x80884a8 0xfffffffc NULL 0xffffffff 42 6.857 name

  43. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } 0x80884a8 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve> 0xfffffff8 NULL 0xfffffff8 0x80884a8 0xfffffffc NULL 0xffffffff 43 6.857

  44. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } fp (ebp) sfp ret 0x80884a8 0xfffffff8 NULL 0xfffffff8 0x80884a8 0xfffffffc NULL 0xffffffff 44 6.857

  45. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } fp (ebp) sfp ret ebx 0x80884a8 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 0xfffffff8 NULL 0xfffffff8 0x80884a8 0xfffffffc NULL 0xffffffff 45 6.857

  46. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } fp (ebp) sfp ret ebx 0x80884a8 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ecx 0xfffffff8 NULL 0xfffffff8 0x80884a8 0xfffffffc NULL 0xffffffff 46 6.857

  47. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } fp (ebp) sfp ret ebx 0x80884a8 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ecx 0xfffffff8 edx NULL 0xfffffff8 0x80884a8 0xfffffffc NULL 0xffffffff 47 6.857

  48. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } fp (ebp) sfp ret ebx 0x80884a8 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ecx 0xfffffff8 edx NULL 0xfffffff8 0x80884a8 0xfffffffc NULL 0xffffffff 48 6.857

  49. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } fp (ebp) sfp ret ebx 0x80884a8 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ecx 0xfffffff8 edx NULL 0xfffffff8 0x80884a8 0xfffffffc NULL 0xffffffff 49 6.857

  50. Running Evil Code… 6.857, Computer & Network Security Basic Idea Sample Attacks Protection movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 fp (ebp) sfp ret 50 6.857

More Related