Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Published byAlicia Owen Modified over 9 years ago

Similar presentations

Presentation on theme: "Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011."— Presentation transcript:

1 Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011

2 Intro to Exploitation Only an intro to stack overflow Basic theory and application One of many types of exploitation

3 Outline What is a buffer overflow? Tools Vulnerable C Functions Remember the memory Learn to love assembly Stack overflow Protection Mechanisms ret2libc in Linux

4 Buffer Overflow “In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety.” - Wikipedia

5 Buffer Overflow In our examples.. Give the program too much input, hijack the instruction pointer (EIP) Control EIP Execute arbitrary code locally or remotely Achieve what we want as elevated user

6 Tools Linux  GDB, gcc, vi, perl/python/ruby, readelf, objdump, ltrace, strace, ropeme Windows  WinDBG, OllyDBG, ImmunityDBG, IDA, Python, Mona (ImmunityDBG plugin)

7 Vulnerable C Code strcpy(), strncpy() strcat(), strncat() sprintf(), snprintf() gets() sscanf() Many others...

8 Vulnerable C Code strcpy() doesn't check size If we have char buf[128]; strcpy(buf, userSuppliedString); This makes it too easy...

9 Vulnerable C Code char *strncpy(char *dest, const char *src, size_t n); We have a size, but what if.. strncpy(somebuffer, str, strlen(str)); or.. strncpy(somebuffer, str, sizeof(somebuffer)); Where str is supplied by user

10 Vulnerable C Code Common bug, proper fix: strncpy(somebuffer, str, sizeof(somebuffer)-1);

11 Vulnerable C Code char *strncat(char *dest, const char *src, size_t n); Ex: int vulnerable(char *str1, char *str2) { char buf[256]; strncpy(buf, str1, 100); strncat(buf, str2, sizeof(buf)-1); return; }

12 Vulnerable C Code Fix: strncat(buf, str2, sizeof(buf) - strlen(buf) -1);

13 Remember the Memory Text Data BSS Heap Stack Initialized global and static variables Uninitialized global and static variables Program scratch space. Local variables, pass arguments, etc.. Code segment, machine instr. Dynamic space. malloc(...) / free(...) new(...) / ~ Low High * Taken from Mitchell Adair's “Stack Overflows”

14 Remember the Memory: The Stack ESP EBP RET arguments... previous stack frame local variables... High Low EBP EBP - x EBP + x * Taken from Mitchell Adair's “Stack Overflows”

15 Love the Assembly EIP – Extended Instruction Pointer ESP – Extended Stack Pointer EBP – Extended Base Pointer EAX ECX EDX ESI EDI Next Instruction executed Data register Source index Destination Index Counter register Accumulator register EBX Base register Top of stack Base Pointer * Taken from Mitchell Adair's “Stack Overflows”

16 Stack Overflow ESP EBP RET argc *argv[] EBP char buf[100] 100 bytes 4 bytes * Taken from Mitchell Adair's “Stack Overflows”

17 Stack Overflow ESP EBP RET argc *argv[] EBP 100 bytes 4 bytes RET overwritten RET 108 bytes ( 0x41 * 108) Ret will pop the instruction pointer off of the stack EIP will now point to 0x41414141 Ex: $./program $(python -c 'print "A" * 108 ') * Taken from Mitchell Adair's “Stack Overflows”

18 Stack Overflow ESP EBP RET argc *argv[] EBP 100 bytes 4 bytes 0xdeadbeef RET 104 bytes ( 0x41 * 104 EIP will now point to 0xdeadbeef We can now point EIP where we want Ex: $./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ') * Taken from Mitchell Adair's “Stack Overflows”

19 Stack Overflow $./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ') We have 104 bytes for a payload  Payload can be anything, but for our purpose we would spawn a shell  The payload will be fixed size, so when we insert it, we must reduce the # of A's by the size of the payload

20 Stack Overflow $./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ') If we had a 32 byte payload.. (real payload will not be a bunch of \xff) $./program $(python -c 'print "A" * 72 + “\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\ xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff” + “\xef\xbe\xad\xde” ') We have adjusted the buffer so the payload will fit We will then have to point EIP (\xef\xbe\xad\xde) to our payload on the stack

21 Stack Overflow $./program $(python -c 'print "A" * 72 + “\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\ xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff” + “\xef\xbe\xad\xde” ') “\xef\xbe\xad\xde” would be replaced with the address of our payload EIP will now point to the address of our payload, which will spawn a shell NOPs help create a bigger “landing area” This technique is not very effective anymore... why?

22 Protection Mechanisms (Windows) DEP – Data execution Prevention  Can't execute on the stack /GS Flag – cookie / canary  detects if stack has been altered SafeSEH – Structured Exception Handler  Try / except, catches exceptions ASLR - Address Space Layout Randomization  Randomizes addresses in memory

23 Protection Mechanisms (Linux) NX – Stack Execute Invalidation  Processor feature  Like DEP, can't execute on the stack Stack Smashing Protection – cookie / canary  Generally enabled by default ASLR - Address Space Layout Randomization Many other compiler protections...

24 ret2libc Bypasses NX Point EIP to a function in libc  system(), exec() etc... system(“/bin/sh”);  We will get a shell by using the system() function in libc

25 ret2libc $./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ') We don't need the payload where the A's are anymore We now will point EIP to the address of system(), then the next 4 bytes will be a return address, followed by system() arguments (which will be /bin/sh) $./program $(python -c 'print "A" * 104 + address_of_system + return_address + payload ')

26 Demo! How to use GDB for exploitation  Exploring the stack  Finding important memory addresses (ret2libc)  Breakpoints  Using Perl/Python/Ruby for arguments in GDB Basic Stack Overflow Ret2libc

27 Additional Resources https://www.corelan.be/index.php/articles/ http://beej.us/guide/bggdb/ http://en.wikibooks.org/wiki/X86_Assembly http://www.alexonlinux.com/how-debugger- works http://www.alexonlinux.com/how-debugger- works http://smashthestack.org/ http://intruded.net/

28 Sources “Source Code Auditing” - Jared Demott “Smashing the stack in 2010” - Andrea Cugliari + Mariano Graziano “Stack Overflows” - Mitchell Adair http://en.wikipedia.org/wiki/Buffer_overflow http://en.wikipedia.org/wiki/Return-to- libc_attack http://en.wikipedia.org/wiki/Return-to- libc_attack

Download ppt "Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
The art of exploitation

The art of exploitation
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Introduction to exploitation

Introduction to exploitation
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Similar presentations

Ads by Google