buffer overflows

Hamid Reza Hasani, Buffer OverFlow

Upload: faith-levine

Post on 13-Mar-2016


Category: Documents



DESCRIPTION

Buffer OverFlow: exploiting programmer errors to reach parts of memory that, under normal conditions, the person running the program is not permitted to access. Buffer Overflows. An overview of the buffer-overflow phenomenon; a real-world example, SQL Slammer; detection and prevention mechanisms. Overview. - PowerPoint PPT Presentation

TRANSCRIPT

Buffer Overflows
Hamid Reza Hasani

“Smashing the Stack”
Buffer Overflow and CERT advisories, by year (chart data recovered from the slide):

Year   Share
1988     0%
1989    20%
1990     0%
1991    10%
1992     7%
1993     0%
1994    15%
1995    23%
1996    11%
1997    54%
1998    54%
1999    45%
Stack (Intel, Motorola, SPARC, MIPS)

Diagram of the process layout: the executable code; the stack holding the local buffers (char buffer1[5]; char buffer2[10]), the function parameters and the return address.
Buffer overflow

    void function(char *str) {
        char buffer[16];
        strcpy(buffer, str);   /* unbounded copy: runs past buffer when str is longer than 16 bytes */
    }
    /* caller: large_string[i] = 'A' for every i, then function(large_string) */

Stack frame of function(), lowest address first:

    buffer (16) | sfp (4) | ret (4) | *str (4)

The copy fills buffer and continues into sfp and ret, so ret becomes ‘AAAA’ (0x41414141). When function() returns, execution jumps to 0x41414141 and the program crashes.
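Added example in C, not code from the slides: it spells out the copy the slide's function() performs and puts a bounded version beside it, plus a check on the strncpy replacement people reach for first. BUF_SIZE, bounded_copy, function_unsafe, function_safe, try_large_string and strncpy_terminates are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides. It spells out the copy the
 * slide's function() performs and puts a bounded version beside it.
 * BUF_SIZE, bounded_copy, function_unsafe, function_safe,
 * try_large_string and strncpy_terminates are names chosen here. */

#define BUF_SIZE 16

/* Deliberately unbounded, as on the slide: strcpy stops only at the source
 * NUL, so a longer str runs past buffer into sfp and the return address.
 * Kept for comparison; nothing below calls it. */
void function_unsafe(const char *str) {
    char buffer[BUF_SIZE];
    strcpy(buffer, str);
}

/* Bounded copy that refuses input that would not fit with its terminator.
 * Returns the number of bytes copied, or -1 when src is too long. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src);
    if (dstsz == 0 || len >= dstsz)
        return -1;
    memcpy(dst, src, len + 1);        /* includes the NUL */
    return (int)len;
}

/* The hardened counterpart of function(): same 16-byte buffer, but the
 * length is checked before anything is written. Returns 0 or -1. */
int function_safe(const char *str) {
    char buffer[BUF_SIZE];
    return bounded_copy(buffer, sizeof buffer, str) < 0 ? -1 : 0;
}

/* Builds the slide's large_string (n bytes of 'A') and runs the safe path. */
int try_large_string(size_t n) {
    char large_string[256];
    if (n >= sizeof large_string)
        n = sizeof large_string - 1;
    memset(large_string, 'A', n);
    large_string[n] = '\0';
    return function_safe(large_string);
}

/* A pitfall with the "bounded" replacement people reach for first:
 * strncpy writes no NUL when src fills dst completely. Returns 1 if the
 * 16-byte buffer still contains a NUL after copying n 'A' bytes. */
int strncpy_terminates(size_t n) {
    char src[64];
    char buffer[BUF_SIZE];
    if (n >= sizeof src)
        n = sizeof src - 1;
    memset(src, 'A', n);
    src[n] = '\0';
    strncpy(buffer, src, sizeof buffer);
    return memchr(buffer, '\0', sizeof buffer) != NULL;
}

int main(void) {
    printf("15 'A's: %d (0 = copied)\n", try_large_string(15));
    printf("16 'A's: %d (-1 = rejected)\n", try_large_string(16));
    printf("strncpy with 10 bytes terminated: %d\n", strncpy_terminates(10));
    printf("strncpy with 16 bytes terminated: %d\n", strncpy_terminates(16));
    return 0;
}
```

The point of bounded_copy is that the decision is made on the length before a single byte is written, and an oversized input is rejected rather than silently truncated; strncpy_terminates shows why swapping strcpy for strncpy alone is not enough, since a 16-byte source leaves the 16-byte buffer without a terminator.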
    void function(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
        int *ret = (int *)(buffer1 + 12);   /* points at the saved return address */
    }

Stack frame of function(), lowest address first (buffer1 occupies 8 bytes and buffer2 12, each rounded up to a multiple of the 4-byte word):

    buffer2 (12) | buffer1 (8) | sfp (4) | ret (4) | a (4) | b (4) | c (4)

So buffer1 + 12 (8 bytes of buffer1 plus 4 of sfp) is the address of ret. The slide's example involves the variable x (x = 1, x = 0).
jmp 0x1F
popl %esi
inc %eax
int $0x80
call -0x24
.string “/bin/sh”
char shellcode[] =
“\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89”
“\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c”
“\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff”
“\xff\xff/bin/sh”;

Diagram: the injected payload (S = shellcode bytes) laid out in memory. A return address that lands inside the shellcode gives a shell; one that lands anywhere else gives a crash.

Diagram: NOP (0x90) bytes (N) placed in front of the shellcode (S).
UNIX - search through source code for vulnerable library calls (strcpy, gets, etc.) and buffer operations that don’t check bounds. (grep is your friend)
Windows - wait for Microsoft to release a patch. Then you have about 6 - 8 months to write your exploit…

Slammer: 75000 hosts within 30 minutes, 90% of them within 10 minutes; the target was MS SQL Server.

Slammer picked IP addresses at random and spread with a single UDP packet (375 ...), doubling every 8.5 seconds.

SQL Server listens on UDP port 1434; when the first byte of a packet is 0x04, the rest of the data is copied into a stack buffer.
When SQL Server receives a packet on UDP port 1434 with the first byte set to 0x04, the SQL Monitor thread takes the remaining data in the packet and attempts to open a registry key using this user supplied information. For example, by sending \x04\x41\x41\x41\x41 (0x04 followed by 4 upper case 'A's) SQL Server attempts to open HKLM\Software\Microsoft\Microsoft SQL Server\AAAA\MSSQLServer\CurrentVersion By appending a large number of bytes to the end of this packet, whilst preparing the string for the registry key to open, a stack based buffer is overflowed and the saved return address is overwritten. This allows an attacker to gain complete control of the SQL Server process and its path of execution. By overwriting the saved return address on the stack with an address that contains a "jmp esp" or "call esp" instruction, when the vulnerable procedure returns the processor will start executing code of the attacker's choice. At no stage does the attacker need to authenticate.
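A defender-side check for the packet the advisory describes, as an added example in C (not code from the slides, the advisory or Microsoft): classify_ssrp flags a UDP/1434 request whose 0x04 type byte is followed by an instance name longer than any legitimate one, and format_instance_key builds the key path quoted in the advisory with the length checked before anything is copied. MAX_INSTANCE_NAME = 16 is an assumption (the documented maximum length of a SQL Server instance name); all function, constant and enum names are ours, and the sample packets are constructed, not captured.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not code from the slides, the advisory or Microsoft.
 * MAX_INSTANCE_NAME = 16 is an assumption (documented maximum length of a
 * SQL Server instance name); all names here are ours. */

#define SSRP_PORT           1434
#define REQ_INSTANCE_LOOKUP 0x04   /* first byte of the request the advisory describes */
#define MAX_INSTANCE_NAME   16

enum verdict { V_IGNORE = 0, V_OK = 1, V_OVERLONG = 2 };

/* Length of the instance-name field: everything after the type byte,
 * minus trailing NUL padding. payload[n] is the n-th name byte. */
static size_t instance_name_len(const unsigned char *payload, size_t len) {
    size_t n = len - 1;
    while (n > 0 && payload[n] == 0)
        n--;
    return n;
}

/* Classify a UDP payload by destination port and type byte. A 0x04 request
 * whose name exceeds MAX_INSTANCE_NAME has the shape of the oversized packet
 * in the advisory and is reported as V_OVERLONG. */
enum verdict classify_ssrp(const unsigned char *payload, size_t len, unsigned short dport) {
    if (dport != SSRP_PORT || len == 0 || payload[0] != REQ_INSTANCE_LOOKUP)
        return V_IGNORE;
    return instance_name_len(payload, len) > MAX_INSTANCE_NAME ? V_OVERLONG : V_OK;
}

/* Bounded construction of the key path quoted in the advisory: the name
 * length is checked first and snprintf bounds the output, so an oversized
 * name is refused (-1) instead of written past the buffer. Returns the
 * length of the key on success. */
int format_instance_key(const unsigned char *payload, size_t len, char *out, size_t outsz) {
    if (len == 0 || payload[0] != REQ_INSTANCE_LOOKUP)
        return -1;
    size_t n = instance_name_len(payload, len);
    if (n == 0 || n > MAX_INSTANCE_NAME)
        return -1;
    int need = snprintf(out, outsz,
        "HKLM\\Software\\Microsoft\\Microsoft SQL Server\\%.*s\\MSSQLServer\\CurrentVersion",
        (int)n, (const char *)payload + 1);   /* precision bounds the read; no NUL needed */
    if (need < 0 || (size_t)need >= outsz)
        return -1;                             /* would have been truncated */
    return need;
}

/* Constructed sample: the advisory's \x04AAAA request. */
static const unsigned char sample_aaaa[] = { 0x04, 'A', 'A', 'A', 'A' };

/* Constructed sample builder: 0x04 followed by (total_len - 1) 'A' bytes,
 * used only to exercise the checks above. */
enum verdict classify_padded(size_t total_len) {
    unsigned char pkt[512];
    if (total_len == 0 || total_len > sizeof pkt)
        return V_IGNORE;
    pkt[0] = REQ_INSTANCE_LOOKUP;
    memset(pkt + 1, 'A', total_len - 1);
    return classify_ssrp(pkt, total_len, SSRP_PORT);
}

/* Returns 1 when the sample request formats to exactly the key the advisory names. */
int sample_key_matches(void) {
    char key[256];
    int need = format_instance_key(sample_aaaa, sizeof sample_aaaa, key, sizeof key);
    return need > 0 && strcmp(key,
        "HKLM\\Software\\Microsoft\\Microsoft SQL Server\\AAAA\\MSSQLServer\\CurrentVersion") == 0;
}

/* Returns 1 when a 375-byte padded request is refused by the bounded builder. */
int overlong_key_rejected(void) {
    unsigned char pkt[375];
    char key[256];
    pkt[0] = REQ_INSTANCE_LOOKUP;
    memset(pkt + 1, 'A', sizeof pkt - 1);
    return format_instance_key(pkt, sizeof pkt, key, sizeof key) == -1;
}

int main(void) {
    printf("sample key ok: %d\n", sample_key_matches());
    printf("375-byte payload verdict: %d (2 = overlong)\n", classify_padded(375));
    printf("overlong key rejected: %d\n", overlong_key_rejected());
    return 0;
}
```

The classifier is the kind of rule a UDP/1434 filter or IDS signature encodes (type byte plus an upper bound on the name field); format_instance_key is the shape of the server-side fix, where the bound on the user-supplied field is enforced before the key string is assembled rather than discovered by the stack.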

Slammer: a DoS on the network.

Overflow (Windows 5)

MS Slammer