Intro to Exploitation: Stack Overflows
-
Intro to Exploitation: Stack Overflows
  James McFadyen
  UTD Computer Security Group
  10/20/2011
-
Intro to Exploitation
  Only an intro to stack overflows
  Basic theory and application
  One of many types of exploitation
-
Outline
  What is a buffer overflow?
  Tools
  Vulnerable C functions
  Remember the memory
  Learn to love assembly
  Stack overflow
  Protection mechanisms
  ret2libc in Linux
-
Buffer Overflow
  "In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety." - Wikipedia
-
Buffer Overflow
  In our examples:
  Give the program too much input and hijack the instruction pointer (EIP)
  Control EIP
  Execute arbitrary code locally or remotely
  Achieve what we want as an elevated user
-
Tools
  Linux: GDB, gcc, vi, perl/python/ruby, readelf, objdump, ltrace, strace, ropeme
  Windows: WinDBG, OllyDBG, ImmunityDBG, IDA, Python, Mona (ImmunityDBG plugin)
-
Vulnerable C Code
  strcpy(), strncpy()
  strcat(), strncat()
  sprintf(), snprintf()
  gets()
  sscanf()
  Many others...
-
Vulnerable C Code
  strcpy() doesn't check the size of the destination. If we have

    char buf[128];
    strcpy(buf, userSuppliedString);

  this makes it too easy...
-
Vulnerable C Code
  char *strncpy(char *dest, const char *src, size_t n);
  We have a size, but what if..

    strncpy(somebuffer, str, strlen(str));

  or..

    strncpy(somebuffer, str, sizeof(somebuffer));

  where str is supplied by the user
-
Vulnerable C Code
  Common bug, proper fix:

    strncpy(somebuffer, str, sizeof(somebuffer) - 1);
-
Vulnerable C Code
  char *strncat(char *dest, const char *src, size_t n);
  Ex:

    #include <string.h>

    int vulnerable(char *str1, char *str2)
    {
        char buf[256];
        strncpy(buf, str1, 100);              /* buf is not NUL-terminated if str1 is 100 bytes or longer */
        strncat(buf, str2, sizeof(buf) - 1);  /* bound ignores what is already in buf: up to 255 more bytes */
        return 0;
    }
-
Vulnerable C Code
  Fix:

    strncat(buf, str2, sizeof(buf) - strlen(buf) - 1);
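An added example, not from the slides, that puts the strncpy/strncat bug and its fix side by side: buggy_bytes_written() models the arithmetic of the slide's unchecked calls without performing the overflow, and join_safe() is a hardened version that also terminates the buffer explicitly, since strncpy alone does not guarantee a NUL (the function names, buffer size and sample strings are constructed for this example).

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 256  /* same size as buf[256] on the slide */

/* Bytes the slide's buggy pattern can write into a BUF_SZ buffer:
 *   strncpy(buf, str1, 100);             up to 100 bytes, no NUL if str1 >= 100
 *   strncat(buf, str2, sizeof(buf) - 1); up to 255 more bytes, then a NUL
 * The strncat bound ignores what strncpy already placed in buf.
 * This only models the arithmetic; it does not perform the overflow. */
size_t buggy_bytes_written(size_t len1, size_t len2)
{
    size_t prefix = len1 < 100 ? len1 : 100;
    size_t appended = len2 < BUF_SZ - 1 ? len2 : BUF_SZ - 1;
    return prefix + appended + 1;
}

/* Hardened form: both bounds come from the space actually left, and the
 * buffer is explicitly terminated because strncpy does not guarantee it.
 * Returns the final length, or -1 when the result had to be truncated. */
int join_safe(char *buf, size_t bufsz, const char *str1, const char *str2)
{
    if (bufsz == 0)
        return -1;
    strncpy(buf, str1, bufsz - 1);
    buf[bufsz - 1] = '\0';
    size_t used = strlen(buf);
    strncat(buf, str2, bufsz - used - 1);      /* the slide's fix */
    if (strlen(str1) + strlen(str2) > bufsz - 1)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    char buf[BUF_SZ];
    printf("buggy pattern: up to %zu bytes into a %d-byte buffer\n",
           buggy_bytes_written(100, 255), BUF_SZ);   /* 356 into 256 */
    int n = join_safe(buf, sizeof buf, "user: ", "alice");
    printf("join_safe -> %d \"%s\"\n", n, buf);
    return 0;
}
```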
-
Remember the Memory
  Low addresses
  Text   Code segment, machine instructions
  Data   Initialized global and static variables
  BSS    Uninitialized global and static variables
  Heap   Dynamic space: malloc(...) / free(...), new(...) / ~
  Stack  Program scratch space: local variables, passed arguments, etc.
  High addresses
  * Taken from Mitchell Adair's Stack Overflows
-
Remember the Memory: The Stack
  Low addresses
  ESP ->  local variables ...       (EBP - x)
  EBP ->  saved EBP
          RET
          arguments ...             (EBP + x)
          previous stack frame
  High addresses
  * Taken from Mitchell Adair's Stack Overflows
-
Love the Assembly
  EIP  Extended Instruction Pointer   Next instruction executed
  ESP  Extended Stack Pointer         Top of stack
  EBP  Extended Base Pointer          Base pointer
  EAX  Accumulator register
  EBX  Base register
  ECX  Counter register
  EDX  Data register
  ESI  Source index
  EDI  Destination index
  * Taken from Mitchell Adair's Stack Overflows
-
Stack Overflow
  ESP ->  char buf[100]    100 bytes
  EBP ->  saved EBP        4 bytes
          RET              4 bytes
          argc, *argv[]
  * Taken from Mitchell Adair's Stack Overflows
-
Stack Overflow: RET overwritten
  ESP ->  char buf[100]    100 bytes   <- 108 bytes of 0x41 (0x41 * 108) fill buf, saved EBP and RET
  EBP ->  saved EBP        4 bytes
          RET              4 bytes     <- overwritten
          argc, *argv[]
  ret pops the overwritten return address off the stack into the instruction pointer
  EIP will now point to 0x41414141
  Ex: $ ./program $(python -c 'print "A" * 108')
  * Taken from Mitchell Adair's Stack Overflows
-
Stack Overflow: controlling RET
  ESP ->  char buf[100]    100 bytes   <- 104 bytes of 0x41 (0x41 * 104) fill buf and saved EBP
  EBP ->  saved EBP        4 bytes
          RET              4 bytes     <- 0xdeadbeef
          argc, *argv[]
  EIP will now point to 0xdeadbeef
  We can now point EIP where we want
  Ex: $ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')
  * Taken from Mitchell Adair's Stack Overflows
-
Stack Overflow
  $ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')
  We have 104 bytes for a payload
  The payload can be anything, but for our purpose we would spawn a shell
  The payload is a fixed size, so when we insert it we must reduce the number of A's by the size of the payload
-
Stack Overflow
  $ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')
  If we had a 32-byte payload (a real payload will not be a bunch of \xff):
  $ ./program $(python -c 'print "A" * 72 + "\xff" * 32 + "\xef\xbe\xad\xde"')
  We have adjusted the buffer so the payload will fit
  We will then have to point EIP (\xef\xbe\xad\xde) to our payload on the stack
-
Stack Overflow
  $ ./program $(python -c 'print "A" * 72 + "\xff" * 32 + "\xef\xbe\xad\xde"')
  \xef\xbe\xad\xde would be replaced with the address of our payload
  EIP will now point to the address of our payload, which will spawn a shell
  NOPs help create a bigger landing area
  This technique is not very effective anymore... why?
-
Protection Mechanisms (Windows)
  DEP - Data Execution Prevention: can't execute on the stack
  /GS flag - cookie / canary: detects if the stack has been altered
  SafeSEH - Structured Exception Handler: try / except, catches exceptions
  ASLR - Address Space Layout Randomization: randomizes addresses in memory
-
Protection Mechanisms (Linux)
  NX - Stack Execute Invalidation: processor feature; like DEP, can't execute on the stack
  Stack Smashing Protection - cookie / canary: generally enabled by default
  ASLR - Address Space Layout Randomization
  Many other compiler protections...
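An added example, not from the deck, that models the cookie / canary named on both protection slides (/GS on Windows, Stack Smashing Protection on Linux) on top of the buf / saved EBP / RET layout from the Stack Overflow slides: the frame is an ordinary struct, the "overflow" is a clamped memcpy into it, and the struct name, 16-byte buffer, cookie and sample values are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the deck's diagram (buf, saved EBP, RET), with the
 * cookie inserted between the locals and the saved registers. The
 * whole thing is a struct, so the "overflow" below is a bounded memcpy
 * into it, not a real stack smash. */
struct frame {
    char     buf[16];      /* the local buffer, hypothetical 16 bytes */
    uint32_t canary;       /* cookie written in the prologue */
    uint32_t saved_ebp;
    uint32_t ret;
};

enum { CHECK_OK = 0, STACK_SMASHED = 1 };

/* Offset from the start of buf to RET: 16 + 4 + 4 here, the same
 * arithmetic as the slide's 100 + 4 + 4 = 108. */
size_t bytes_to_ret(void)
{
    return offsetof(struct frame, ret);
}

/* Models an unbounded copy of `len` input bytes into buf, then the
 * epilogue check the compiler emits: compare the cookie before `ret`.
 * Real code calls __stack_chk_fail() and aborts instead of returning. */
int run_frame(const unsigned char *input, size_t len, uint32_t cookie)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = cookie;
    f.saved_ebp = 0xbffff000u;   /* constructed sample values */
    f.ret = 0x08048400u;

    size_t n = len < sizeof f ? len : sizeof f;  /* clamp: keep the model safe */
    memcpy(&f, input, n);        /* the bug: writes past buf when len > 16 */

    return f.canary == cookie ? CHECK_OK : STACK_SMASHED;
}

int main(void)
{
    unsigned char in[24];
    memset(in, 'A', sizeof in);  /* constructed input: 24 x 0x41 */
    printf("16 bytes: %d, 24 bytes: %d (1 = smashed)\n",
           run_frame(in, 16, 0xdeadbeefu), run_frame(in, 24, 0xdeadbeefu));
    return 0;
}
```

Once the copy reaches the cookie the epilogue check fails before the corrupted RET is ever used, which is the whole point of the mechanism; an input that stays within buf passes.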
-
ret2libc
  Bypasses NX
  Point EIP to a function in libc: system(), exec(), etc...
  system("/bin/sh");
  We will get a shell by using the system() function in libc
-
ret2libc
  $ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')
  We don't need the payload where the A's are anymore
  We now point EIP to the address of system(); the next 4 bytes will be a return address, followed by the system() argument (which will be /bin/sh)
  $ ./program $(python -c 'print "A" * 104 + address_of_system + return_address + payload')
-
Demo!
  How to use GDB for exploitation
  Exploring the stack
  Finding important memory addresses (ret2libc)
  Breakpoints
  Using Perl/Python/Ruby for arguments in GDB
  Basic stack overflow
  ret2libc
-
Additional Resources
  https://www.corelan.be/index.php/articles/
  http://beej.us/guide/bggdb/
  http://en.wikibooks.org/wiki/X86_Assembly
  http://www.alexonlinux.com/how-debugger-works
  http://smashthestack.org/
  http://intruded.net/
-
Sources
  Source Code Auditing - Jared DeMott
  Smashing the Stack in 2010 - Andrea Cugliari and Mariano Graziano
  Stack Overflows - Mitchell Adair
  http://en.wikipedia.org/wiki/Buffer_overflow
  http://en.wikipedia.org/wiki/Return-to-libc_attack