
Buffer Overflows, by Tim Peterson, Joel Miller, Dan Block.


Presentation transcript:

1 Buffer Overflows
By Tim Peterson, Joel Miller, Dan Block

2 Overview
What is a Buffer Overflow?
Demo of a Stack Overflow
Prevention Techniques
Resources

3 Definition (via Wikipedia)
“A buffer overflow, or buffer overrun, is an anomalous condition where a process attempts to store data beyond the boundaries of a buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data.”

4 Why does this matter?
You can overwrite the return address!
Why does that matter?
Because you can overwrite the return address, you can jump to an arbitrary code segment (in particular, your own).

5 How does it work
[Diagram: stack frame layout, from high addresses to low: Arg, Return Addr, Local vars, Local vars (buffer). The Stack sits at the high end of memory, the Heap at the low end.]
Does it matter which way the stack grows?
What about size of variables and alignment?
Once the return address is overwritten, you ideally want to have it jump back into the buffer you overwrote.

6 How does it work….

    #include <stdio.h>

    int main(void)
    {
        char buf[16];
        gets(buf);   /* reads until newline with no bound: more than 15 bytes overruns buf
                        (gets was removed from the language in C11 for exactly this reason) */
        return 0;
    }

Functions like gets and strcpy don’t check the bounds of the buffer and therefore are susceptible to attack.

7 How to execute arbitrary code
Assume at this point you know there exists a buffer which is exploitable.
Step 1: Using GDB, determine the absolute address of the buffer.
Step 2: Create a well-crafted string which includes the code you would like to execute and the address of the buffer: “code|buffer address”
Step 3: Pass this string into the buffer.

8 Well-crafted String??
is your friend
If it is going to be handcrafted, watch out for null bytes.
For the return address you really have 2 options:
Find the exact offset to the return address and pad the string.
Write the return address multiple times on the end of the string and cross your fingers.

9 Reality
In theory this all makes sense, but how could I find an exploitable buffer?
Guess and check
Disassemble and check for calls to exploitable functions (strcpy, gets…)
Source code?

10 Prevention
From a developer perspective:
Don’t write exploitable code
Use fgets, strncpy…
Pay attention to compiler and linker warnings
From a sysadmin perspective:
On POSIX: patch gcc to have the Stack Smashing Protector
AMD64: Data Execution Prevention (Windows, Linux?)
PaX: software-emulated Data Execution Prevention (Linux)
Windows Update
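The developer-side advice above (fgets, strncpy) worked through as an added example that is not part of the slides: the 16-byte buffer from slide 6 read with a bounded reader that also reports when a line did not fit, beside a strncpy wrapper that always NUL-terminates. The function names are this example's own, and fmemopen (POSIX) stands in for stdin so it runs offline on constructed input.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

/* Result codes shared by both bounded helpers. */
enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };
/* Reads one line into dst (capacity cap >= 2) with fgets, which stops
   at cap-1 bytes and always NUL-terminates, unlike gets(). The newline
   is stripped. If the line did not fit, the rest of it is discarded so
   the next read starts on a fresh line, and LINE_TRUNCATED is returned. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap < 2 || fgets(dst, (int)cap, in) == NULL) {
        if (cap > 0) dst[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline: either EOF ended the line (fine) or the line was
       longer than the buffer. Peek one byte to tell them apart. */
    int c = getc(in);
    if (c == EOF) return LINE_OK;
    while (c != EOF && c != '\n') c = getc(in); /* drain the excess */
    return LINE_TRUNCATED;
}
/* strncpy() leaves dst unterminated when src fills it; this wrapper
   always terminates and reports whether src was cut short. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    if (cap == 0) return LINE_TRUNCATED;
    strncpy(dst, src, cap - 1);
    dst[cap - 1] = '\0';
    return strlen(src) < cap ? LINE_OK : LINE_TRUNCATED;
}
int main(void)
{
    /* Constructed input: slide 6's 16-byte buffer fed a 32-byte line. */
    const char *sample = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nshort\n";
    FILE *in = fmemopen((void *)sample, strlen(sample), "r");
    if (in == NULL) return 1;
    char buf[16];
    int r1 = read_line_bounded(buf, sizeof buf, in); /* LINE_TRUNCATED */
    int r2 = read_line_bounded(buf, sizeof buf, in); /* LINE_OK, "short" */
    printf("%d %d %s\n", r1, r2, buf);                /* prints "1 0 short" */
    fclose(in);
    return 0;
}
```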

11 Resources
Wikipedia
Metasploit Project
Stack Smashing for Fun and Profit
Stack Smashing Protector
PaX
