Intro to Exploitation: Stack Overflows

Intro to Exploitation: Stack Overflows. James McFadyen, UTD Computer Security Group, 10/20/2011

Author: phiala

Post on 04-Feb-2016








  • Intro to Exploitation: Stack Overflows
    James McFadyen, UTD Computer Security Group, 10/20/2011

  • Intro to Exploitation
    Only an intro to stack overflows
    Basic theory and application
    One of many types of exploitation

  • Outline
    What is a buffer overflow?
    Tools
    Vulnerable C functions
    Remember the memory
    Learn to love assembly
    Stack overflow
    Protection mechanisms
    ret2libc in Linux

  • Buffer Overflow
    "In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety." - Wikipedia

  • Buffer Overflow
    In our examples:
    Give the program too much input and hijack the instruction pointer (EIP)
    Control EIP
    Execute arbitrary code locally or remotely
    Achieve what we want as an elevated user

  • Tools
    Linux: GDB, gcc, vi, perl/python/ruby, readelf, objdump, ltrace, strace, ropeme
    Windows: WinDBG, OllyDBG, ImmunityDBG, IDA, Python, Mona (ImmunityDBG plugin)

  • Vulnerable C Code
    strcpy(), strncpy()
    strcat(), strncat()
    sprintf(), snprintf()
    gets()
    sscanf()
    Many others...

  • Vulnerable C Code
    strcpy() doesn't check size. If we have

    char buf[128];
    strcpy(buf, userSuppliedString);

    this makes it too easy...

  • Vulnerable C Code
    char *strncpy(char *dest, const char *src, size_t n);
    We have a size, but what if..

    strncpy(somebuffer, str, strlen(str));

    or..

    strncpy(somebuffer, str, sizeof(somebuffer));

    where str is supplied by the user. The first bound comes from the source rather than the destination, so a long str still overflows; the second fills the whole buffer, and strncpy writes no NUL terminator when str is at least as long as the buffer.

  • Vulnerable C Code
    Common bug, proper fix:

    strncpy(somebuffer, str, sizeof(somebuffer)-1);
    somebuffer[sizeof(somebuffer)-1] = '\0';   /* strncpy does not terminate when str fills the buffer */

  • Vulnerable C Code
    char *strncat(char *dest, const char *src, size_t n);
    Ex:

    int vulnerable(char *str1, char *str2)
    {
        char buf[256];
        strncpy(buf, str1, 100);
        strncat(buf, str2, sizeof(buf)-1);   /* bound ignores what buf already holds */
        return 0;
    }

  • Vulnerable C Code
    Fix:

    strncat(buf, str2, sizeof(buf) - strlen(buf) - 1);
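The strncpy and strncat slides above share one root cause: a bound computed from the wrong quantity. As an added example (not from the slides), this C program computes how many bytes each strncat bound would write for inputs like the ones in vulnerable() and shows a hardened join; strncat_footprint, footprint_buggy, footprint_fixed and join_fixed are names chosen here, and the 100- and 200-character inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 256

/* Worst-case bytes strncat(buf, src, n) occupies when buf already holds
 * cur_len chars and src is src_len chars long: it appends min(src_len, n)
 * bytes after the existing contents and then always writes a NUL. */
size_t strncat_footprint(size_t cur_len, size_t src_len, size_t n)
{
    size_t copied = src_len < n ? src_len : n;
    return cur_len + copied + 1;
}

/* The slide's bug: strncat(buf, str2, sizeof(buf) - 1) bounds only the
 * appended part and ignores what buf already holds. */
size_t footprint_buggy(size_t bufsize, size_t cur_len, size_t src_len)
{
    return strncat_footprint(cur_len, src_len, bufsize - 1);
}

/* The slide's fix: strncat(buf, str2, sizeof(buf) - strlen(buf) - 1). */
size_t footprint_fixed(size_t bufsize, size_t cur_len, size_t src_len)
{
    return strncat_footprint(cur_len, src_len, bufsize - cur_len - 1);
}

/* Hardened rewrite of the slide's vulnerable(): strncpy bound tied to the
 * destination, explicit terminator (strncpy may omit it), strncat bound that
 * accounts for existing contents. Returns the joined length (<= bufsize-1). */
size_t join_fixed(char *buf, size_t bufsize, const char *s1, const char *s2)
{
    strncpy(buf, s1, bufsize - 1);
    buf[bufsize - 1] = '\0';
    strncat(buf, s2, bufsize - strlen(buf) - 1);
    return strlen(buf);
}

int main(void)
{
    char s1[101], s2[201], buf[BUF_SIZE];   /* constructed inputs: 100 X's, 200 Y's */
    memset(s1, 'X', 100); s1[100] = '\0';
    memset(s2, 'Y', 200); s2[200] = '\0';
    printf("buggy bound: %zu bytes into a %d-byte buffer\n",
           footprint_buggy(BUF_SIZE, strlen(s1), strlen(s2)), BUF_SIZE);
    printf("fixed bound: %zu bytes into a %d-byte buffer\n",
           footprint_fixed(BUF_SIZE, strlen(s1), strlen(s2)), BUF_SIZE);
    printf("join_fixed length: %zu\n", join_fixed(buf, BUF_SIZE, s1, s2));
    return 0;
}
```

With a 100-character first string and a 200-character second one, the buggy bound would write 301 bytes into the 256-byte buffer, while the fixed bound stops at exactly 256 including the terminator.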

  • Remember the Memory
    From low addresses to high:
    Text: code segment, machine instructions
    Data: initialized global and static variables
    BSS: uninitialized global and static variables
    Heap: dynamic space, malloc(...) / free(...), new(...) / ~
    Stack: program scratch space; local variables, passed arguments, etc.
    * Taken from Mitchell Adair's Stack Overflows

  • Remember the Memory: The Stack
    A stack frame, from high addresses to low:
    arguments (EBP + x)
    RET
    saved EBP (points to the previous stack frame)
    local variables (EBP - x)
    ESP marks the top of the stack (the lowest address)
    * Taken from Mitchell Adair's Stack Overflows

  • Love the Assembly
    EIP - Extended Instruction Pointer: next instruction executed
    ESP - Extended Stack Pointer: top of stack
    EBP - Extended Base Pointer: base pointer of the current frame
    EAX - Accumulator register
    EBX - Base register
    ECX - Counter register
    EDX - Data register
    ESI - Source index
    EDI - Destination index
    * Taken from Mitchell Adair's Stack Overflows

  • Stack Overflow
    Frame of the vulnerable program, from high addresses to low:
    argc, *argv[]
    RET (4 bytes)
    EBP (4 bytes)
    char buf[100] (100 bytes)
    ESP
    * Taken from Mitchell Adair's Stack Overflows

  • Stack Overflow
    The same frame after 108 bytes of input (0x41 * 108): buf, the saved EBP and RET are all overwritten.
    ret will pop the instruction pointer off of the stack, so EIP will now point to 0x41414141.

    Ex: $ ./program $(python -c 'print "A" * 108')
    * Taken from Mitchell Adair's Stack Overflows

  • Stack Overflow
    Now 104 bytes of 0x41 fill buf and the saved EBP, and the next 4 bytes land on RET.
    RET is overwritten with 0xdeadbeef, so EIP will now point to 0xdeadbeef. We can now point EIP where we want.

    Ex: $ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')
    * Taken from Mitchell Adair's Stack Overflows

  • Stack Overflow
    $ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')
    We have 104 bytes for a payload.
    The payload can be anything, but for our purpose we would spawn a shell.
    The payload will be a fixed size, so when we insert it we must reduce the number of A's by the size of the payload.

  • Stack Overflow
    $ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')
    If we had a 32 byte payload (a real payload will not be a bunch of \xff):
    $ ./program $(python -c 'print "A" * 72 + "\xff" * 32 + "\xef\xbe\xad\xde"')
    We have adjusted the buffer so the payload will fit (72 + 32 = 104).
    We will then have to point EIP (\xef\xbe\xad\xde) to our payload on the stack.

  • Stack Overflow
    $ ./program $(python -c 'print "A" * 72 + "\xff" * 32 + "\xef\xbe\xad\xde"')
    \xef\xbe\xad\xde would be replaced with the address of our payload.
    EIP will now point to the address of our payload, which will spawn a shell.
    NOPs help create a bigger landing area.
    This technique is not very effective anymore... why?

  • Protection Mechanisms (Windows)
    DEP - Data Execution Prevention: can't execute on the stack
    /GS flag - cookie / canary: detects if the stack has been altered
    SafeSEH - Structured Exception Handler: try / except, catches exceptions
    ASLR - Address Space Layout Randomization: randomizes addresses in memory

  • Protection Mechanisms (Linux)
    NX - Stack Execute Invalidation: processor feature; like DEP, can't execute on the stack
    Stack Smashing Protection - cookie / canary: generally enabled by default
    ASLR - Address Space Layout Randomization
    Many other compiler protections...

  • ret2libc
    Bypasses NX
    Point EIP to a function in libc: system(), exec(), etc...
    system("/bin/sh");
    We will get a shell by using the system() function in libc

  • ret2libc
    $ ./program $(python -c 'print "A" * 104 + "\xef\xbe\xad\xde"')
    We don't need the payload where the A's are anymore.
    We now will point EIP to the address of system(); the next 4 bytes will be a return address, followed by the system() argument (which will be /bin/sh):
    $ ./program $(python -c 'print "A" * 104 + address_of_system + return_address + payload')

  • Demo!
    How to use GDB for exploitation
    Exploring the stack
    Finding important memory addresses (ret2libc)
    Breakpoints
    Using Perl/Python/Ruby for arguments in GDB
    Basic stack overflow
    ret2libc

  • Additional Resources

  • Sources
    Source Code Auditing - Jared Demott
    Smashing the Stack in 2010 - Andrea Cugliari and Mariano Graziano
    Stack Overflows - Mitchell Adair