buffer overflow – smashing the stack
TRANSCRIPT
Buffer Overflow – Smashing The Stack
Tomer Zait - Application Security Engineer
root@kali:~# whoamiironSource\Tomer Zait• Application Security Engineer at• Practical Software Engineer (Ort Singalovsky)• Offensive Security Certified Professional (OSCP)• OpenSource Projects:
o PyMultitoro HackMe Credito AutoBrowser o SubDomain Analyzero Proxist
• 1st Place at The Israel Cyber Challenge, 2014
Today we will focus on:
• Past Events• What Is Stack• Assembly – Registers• Stack Overflow• Shell Code• Exploit Development
Past Events
• Exploits a buffer overflow vulnerability in Microsoft DCOM RPC interface.
• Worm downloads a copy of mblast.exe to compromised host from infecting host via TFTP and runs commands to execute it.
• mblast.exe attempts to carry out SYN flood attack on windowsupdate.com as well as scanning/infecting other hosts.
BLASTER WORM
Hex dump of the Blaster worm
• DOS attack on windowsupdate.com failed - the regular domain name is windowsupdate.microsoft.com.
• Windowsupdate.com was just a pointer to the windowsupdate.microsoft.com - so Microsoft just decomissioned it.
BLASTER WORM - EFFECTS
• August 11, 2003: Original version of the worm appears on the internet.
• August 12, 2003: The number of infected systems is reported at 30,000.
• August 15, 2003:The number of infected systems is reported at 423,000.
• August 16, 2003: DDoS attack against windowsupdate.com starts. (Largely unsuccessful because that url is merely a redirect to the real site, windowsupdate.microsoft.com)
• January 28, 2005: The creator of the "B" variant of MSBlaster is sentenced to 18 months in jail.
BLASTER WORM - TIMELINE
• Exploits a buffer overflow vulnerability in Microsoft NET BIOS interface (MS08-067).
• Dictionary attack on ADMIN$ shares.
• Creates DLL-based AutoRun trojan on attached removable drives.
• Downloads daily from any of 250 pseudorandom domains over 5 TLDs (Top-level domains).
• Updates self to Conficker B, C or D.
CONFICKER WORM
• Account lockout policies being reset automatically.
• Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled.
• Domain controllers responding slowly to client requests.
• Congestion on local area networks (ARP flood as consequence of network scan).
• Web sites related to antivirus software or the Windows Update service becoming inaccessible
CONFICKER WORM - EFFECTS
• Discovered in early November 2008.
• The French Navy computer network, was infected with Conficker on 15 January 2009.
• An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009.
• The estimated number of infected computers ranged from almost 9 million to 15 million.
• Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid-2011.
CONFICKER WORM - TIMELINE
What Is Stack
It's a special region of your computer's memory that stores temporary variables created by each function (including the main() function),The stack is a “LIFO” (last in , first out) data structure.
Principal operations: • push adds an element to the collection.• pop removes the last element that was added.
• Stack Real Life example is weapon's magazine
STACK - EXPLANATION
Assembly – Registers
On today’s average WinTel CPU you have 9 32bit registers (w/o flag registers).
Their names are:EAX: Extended Accumulator RegisterEBX: Extended Base RegisterECX: Extended Counter RegisterEDX: Extended Data RegisterESI: Extended Source IndexEDI: Extended Destination IndexEBP: Extended Base PointerESP: Extended Stack PointerEIP: Extended Instruction Pointer
CPU REGISTERS
The ESP register serves as an indirect memory operand pointing to the top of the stack at any time.WORD takes 2 bytes In memory.
• When a word value is pushed onto the stack, the assembler decreases the ESP (Stack Pointer) register by 2.
• When a word value is popped off the stack, the assembler increases the ESP register by 2.
ESP REGISTER
The instruction pointer register points to the memory address which the processor will next attempt to execute.
it cannot be directly accessed in 16-bit or 32-bit mode, but a sequence like the following can be written to put the address of next_line into eax:
call next_linenext_line: pop eax
This sequence of instructions generates position-independent code because call takes an instruction-pointer-relative immediate operand describing the offset in bytes of the target instruction from the next instruction (in this case 0).
EIP REGISTER
Stack Overflow
A stack overflow is an undesirable condition in which a particular computer program tries to use more memory space than the call stack has available.In programming, the call stack is a buffer that stores requests that need to be handled.
The size of a call stack depends on various factors. It is usually defined at the start of a program. Its size can depend on the architecture of the computer on which the program runs, the language in which the program is written, and the total amount of available memory in the system. When a stack overflow occurs as a result of a program's excessive demand for memory space, that program (and sometimes the entire computer) may crash.
STACK OVERFLOW - EXPLANATION
Shell Code
# Metasploit generated – write.exe – x86 – Windows XP Pro SP2shellcode="\x68\x97\x4C\x80\x7C\xB8\x4D\x11\x86\x7C\xFF\xD0”;
Let’s disassemble these bytes into instructions :
You don’t need to run this code to figure out what it will do.
SHELLCODE - WINDOWS XP PRO SP2 32BIT (1)
C:\shellcode>"c:\program files\nasm\ndisasm.exe" -b 32 c:\tmp\shellcode.bin00000000 68974C807C push dword 0x7c804c9700000005 B84D11867C mov eax,0x7c86114d0000000A FFD0 call eax
If the exploit is indeed written for Windows XP Pro SP2 then this will happen :at 0x7c804c97 on XP SP2, we find (windbg output) :
So push dword 0x7c804c97 will push “Write” onto the stack.
SHELLCODE - WINDOWS XP PRO SP2 32BIT (2)
0:001> d 0x7c804c977c804c97 57 72 69 74 65 00 42 61-73 65 43 68 65 63 6b 41 Write.BaseCheckA7c804ca7 70 70 63 6f 6d 70 61 74-43 61 63 68 65 00 42 61 ppcompatCache.Ba7c804cb7 73 65 43 6c 65 61 6e 75-70 41 70 70 63 6f 6d 70 seCleanupAppcomp7c804cc7 61 74 43 61 63 68 65 00-42 61 73 65 43 6c 65 61 atCache.BaseClea7c804cd7 6e 75 70 41 70 70 63 6f-6d 70 61 74 43 61 63 68 nupAppcompatCach7c804ce7 65 53 75 70 70 6f 72 74-00 42 61 73 65 44 75 6d eSupport.BaseDum7c804cf7 70 41 70 70 63 6f 6d 70-61 74 43 61 63 68 65 00 pAppcompatCache.7c804d07 42 61 73 65 46 6c 75 73-68 41 70 70 63 6f 6d 70 BaseFlushAppcomp
Next, 0x7c86114d is moved into eax and a call eax is made. At 0x7c86114d, we find :
Conclusion : this code will execute “write” (=wordpad).
SHELLCODE - WINDOWS XP PRO SP2 32BIT (3)
0:001> ln 0x7c86114d(7c86114d) kernel32!WinExec | (7c86123c) kernel32!`string'Exact matches:kernel32!WinExec =
SHELLCODE TEST - WINDOWS XP PRO SP2 32BIT
char code[] = "\x68\x97\x4C\x80\x7C\xB8\x4D\x11\x86\x7C\xFF\xD0";
int main(int argc, char **argv) {
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}
Exploit Development
VULNERABLE CODE - EXAMPLE
#include <string.h>
void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking}
int main (int argc, char **argv) { foo(argv[1]);}
VULNERABLE CODE - EXPLOTION
This code takes an argument from the command line and copies it to a local stack variable c.
This works fine for command line arguments smaller than 12 characters (as you can see in figure B below).
Any arguments larger than 11 characters long will result in corruption of the stack.(The maximum number of characters that is safe is one less than the size of the buffer here because in the C programming language strings are terminated by a zero byte character.
A twelve-character input thus requires thirteen bytes to store, the input followed by the sentinel zero byte. The zero byte then ends up overwriting a memory location that's one byte beyond the end of the buffer.)
THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (1)
A. - Before data is copied.
THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (2)
B. - "hello" is the first command line argument.
THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (3)
A. - Before data is copied.
VULNERABLE CODE - SUMMARY
Notice in figure C above, when an argument larger than 11 bytes is supplied on the command line foo() overwrites local stack data, the saved frame pointer, and most importantly,
the return address. When foo() returns it pops the return address off the stack and jumps to that address (i.e. starts executing instructions from that address).
Thus, the attacker has overwritten the return address with a pointer to the stack buffer char c[12], which now contains attacker-supplied data. In an actual stack buffer overflow exploit the string of "A"'s would instead be shellcode suitable to the platform and desired function.
If this program had special privileges (e.g. the SUID bit set to run as the superuser), then the attacker could use this vulnerability to gain superuser privileges on the affected machine.
{ THANK YOU
1. Wikipedia - http://www.wikipedia.org/2. Corelan Team- https://www.corelan.be/3. Natashenka - http://natashenka.ca/
BIBLIOGRAPHY