Overflows Mark Shtern
Overflows
• Try a web search for "buffer overflow exploit".
• Check alt.2600, rootshell.com, antionline.com – you can find long lists of exploits based on buffer overflow and integer overflow
• Overflows are very popular security bugs
• The Metasploit framework has a large number of buffer overflow exploits
The Problem

    #include <stdio.h>
    #include <string.h>

    void foo(char *s) {
        char buf[10];
        strcpy(buf, s);               /* no bound check: writes past the end of buf when s is longer than 9 characters */
        printf("buf is %s\n", buf);
    }

    foo("thisstringistoolongforfoo");  /* 25 characters (plus NUL) into a 10-byte buffer */
Buffer Overflow
• Intent
  • Arbitrary code execution
  • Spawn a remote shell or infect with a worm/virus
• Steps
  • Inject attack code into the buffer
  • Redirect control flow to the attack code
  • Execute the attack code
Vulnerable Code Example

    #include <string.h>

    #define MAX_BUF 256

    void BadCode(char* input) {
        short len;                /* 16-bit: a length of 65536 + n is stored as n */
        char buf[MAX_BUF];
        len = strlen(input);      /* implicit size_t -> short truncation */
        // Is the following safe?
        if (len < MAX_BUF)
            strcpy(buf, input);   /* the check saw the truncated value; the real input may be far longer */
    }
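The answer to the slide's question is no, and the following added example (not part of the slides) shows why: the same length check is isolated into truncated_check_passes() so it can be evaluated without performing the copy, and safe_copy() is the hardened replacement that keeps the length in size_t and refuses inputs that do not fit. The assumption is a 16-bit short; the helper make_input() and the test lengths are constructed here for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BUF 256

/* Same length check as the slide's BadCode, isolated so it can be
 * evaluated without doing the copy: returns 1 when the check would
 * let an input of input_len bytes through. Assumes a 16-bit short. */
int truncated_check_passes(size_t input_len)
{
    short len = (short)input_len;   /* high bits are discarded: 65546 becomes 10 */
    return len < MAX_BUF;
}

/* Hardened form: keep the length in size_t, compare against the real
 * destination size (including the terminating NUL) and refuse the copy
 * instead of letting strcpy run past the end of dst. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;                  /* does not fit, nothing written */
    memcpy(dst, src, len + 1);      /* len + 1 <= dst_size, so the NUL is copied too */
    return 0;
}

/* Constructed test input: a string of 'A's of the requested length. */
char *make_input(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    size_t lens[] = { 10, 300, 65546 };
    char buf[MAX_BUF];

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        char *in = make_input(lens[i]);
        if (in == NULL)
            return 1;
        printf("len=%zu  slide check passes: %d  safe_copy: %d\n",
               lens[i], truncated_check_passes(lens[i]),
               safe_copy(buf, sizeof buf, in));
        free(in);
    }
    return 0;
}
```

For a 65546-byte input the slide's check passes (the short holds 10) while safe_copy() refuses it; with the original code the strcpy would then write 65546 bytes into a 256-byte stack buffer. Compiler mitigations such as gcc's -fstack-protector-strong and -ftrapv can catch some of the consequences at runtime, but the fix is the explicit, non-truncating bound check.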
Redemption steps
• Enable stack protection (compiler flag)
• Enable catching of signed overflow (compiler flag)
• Enable OS protection mechanisms (randomized stack, non-executable stack and heap)
• Use analysis tools (Archer, BOON, Splint, Uno, OllyDbg, Spike, Brute Force Binary Tester)
Redemption steps
• Replace dangerous string functions
• Audit memory allocations
• Check loops and array accesses
• Avoid low-level data manipulation
• Do not use tricks (if (a ^ b ^ c < 0) ....)
• Write out casts
• Use high-level libraries (STL, SafeInt)
Metasploit
• Start metasploit ()
• Identify the exploit
• Select the target
• Select the payload to execute
• Complete target identification and set options
• Exploit the target
Overflow Simulation
• Find the application vulnerability by reviewing the code
• Smash the application stack
• The program counter register must be modified with a value of your choice
• Use gdb to view the values of the registers
• Use: info registers