Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced Buffer Overflow: Pointer subterfuge

Published byMarcus Kruse Modified over 6 years ago

Similar presentations

Presentation on theme: "Advanced Buffer Overflow: Pointer subterfuge"— Presentation transcript:

1 Advanced Buffer Overflow: Pointer subterfuge
Software attacks Advanced Buffer Overflow: Pointer subterfuge

2 The problem What is a pointer subterfuge?
It is essentially a buffer overflow + pointer manipulation The pointer could be a function pointer (a pointer to a code section) or even a data pointer This technique can help bypassing stack checks

3 Function-pointer clobbering
Recall code from the last lesson void func(void* arg, size_t len) { char buffer[100]; void (*f)() = ...; memcpy(buff, arg, len); //buffer overflow f(); } 0x AAAAAAAAAAA 004119A2 Return address a b 0012FE90 EBP saved unitiliazed f buffer StackCanary locals params The function pointer could be set to a value of our own choice! And without being caught by stack checks

4 Data pointer modification (1)
It requires a particular stack configuration BUT a modified version of this attack is also used in heap smashing exploits The basic idea: modify a pointer to a memory region AND the value assigned to perform an arbitrary memory write It is often used as a building block for other attacks

5 Data pointer modification (2)
void func(void* arg, size_t len) { char buffer[100]; int val; int* ptr; memcpy(buff, arg, len); //overflow *ptr = val; return; } My Memory AAAAAAAAAAA My value 004119A2 Return address 0012FE90 EBP saved unitiliazed ptr buffer StackCanary locals params val Even in this case, we don’t have canary or ret overwriting

6 Data pointer modification (2)
void func(void* arg, size_t len) { char buffer[100]; int val; int* ptr; memcpy(buff, arg, len); //overflow *ptr = val; return; } AAAAAAAAAAA 004119A2 Return address 0012FE90 EBP saved unitiliazed ptr buffer StackCanary locals params val My value My Memory My value My Memory Old value

7 Litchfield exploit (1) The double cookie overwrite exploit uses a data pointer modification to defeat canary based protection in VC++ 7.0 Stores shellcode in buffer as usual Modifies the pointer to point to the global cookie Overwrites stack cookie and global cookie with the same value

8 Litchfield exploit (2) Random value computed at process startup and stored in .data section extern int global_cookie; void vulnerable_func(void* arg, size_t len) { char buffer[100]; int i; int* ptr; int stack_cookie; memcpy(buff, arg, len); //overflow *ptr = i; if (stack_cookie != global_cookie) //buffer overflow occurred! exit(); return; } Inserted by compiler at stack frame bottom Check inserted by compiler just before ret instruction

9 Litchfield exploit (2) locals params 0x1234568
extern int global_cookie; void vulnerable_func(void* arg, size_t len) { char buffer[100]; int i; int* ptr; int stack_cookie; memcpy(buff, arg, len); //overflow *ptr = i; if (stack_cookie != global_cookie) //buffer overflow occurred! exit(); return; } 0x 0x AAAAAAAAAAA 0x0BADF00D 004119A2 Return address 0012FE90 EBP saved unitiliazed ptr buffer 0x locals params i stack_cookie

10 Litchfield exploit (2) locals params 0x0BADF00D
extern int global_cookie; void vulnerable_func(void* arg, size_t len) { char buffer[100]; int i; int* ptr; int stack_cookie; memcpy(buff, arg, len); //overflow *ptr = i; if (stack_cookie != global_cookie) //buffer overflow occurred! exit(); return; } 0x AAAAAAAAAAA 004119A2 Return address 0012FE90 EBP saved unitiliazed ptr buffer 0x locals params i 0x0BADF00D 0x 0x0BADF00D stack_cookie

11 Litchfield exploit (2) CHECK PASS!! locals params 0x0BADF00D
extern int global_cookie; void vulnerable_func(void* arg, size_t len) { char buffer[100]; int i; int* ptr; int stack_cookie; memcpy(buff, arg, len); //overflow *ptr = i; if (stack_cookie != global_cookie) //buffer overflow occurred! exit(); return; } 0x CHECK PASS!! AAAAAAAAAAA 004119A2 Return address 0012FE90 EBP saved unitiliazed ptr buffer 0x locals params i 0x0BADF00D 0x 0x0BADF00D stack_cookie

12 Data pointer modification (3)
An arbitrary memory overwrite can be used to set a function pointer that is everywhere in our address space The problem is… find it! =) (more on this later, maybe…) extern void (* f)(); void func(void* arg, size_t len) { char buffer[100]; int val; int* ptr; memcpy(buff, arg, len); //overflow *ptr = val; return; } Set ptr to &f, and val to the code we want to execute

13 Virtual pointer smashing
Virtual pointer (VPTR): what is this? C++ programming: virtual functions Inheritance without polymorphism class B { public: int i; void f() { printf(“Base”); } }; int main() { D d; d.f(); } call D::f() class D: public B { public: int i; void f() { printf(“Derived”); } }; > Derived

14 Virtual pointer smashing
Inheritance with polymorphism class B { public: int i; virtual void f() { printf(“Base”); } }; int main() { B* b = new D(); b.f(); b = new B(); b.f(); } class D: public B { public: int i; void f() { printf(“Derived”); } }; > Derived > Base How can the compiler distinguish?

15 Virtual pointer smashing
class B { public: int i; virtual void f() { printf(“Base”); } }; i (4 bytes) vptr (4 bytes) vtable void (*f)() i (4 bytes) vptr (4 bytes) int main() { B* b = new D(); b.f();

16 Virtual pointer smashing
class B { public: int i; virtual void f() { printf(“Base”); } }; i (4 bytes) vptr (4 bytes) vtable void (*f)() int main() { B* b = new D(); b.f(); mov edx, DWORD PTR b mov eax, DWORD PTR [edx] call DWORD PTR [eax]

17 Virtual pointer smashing
class B { public: int i; virtual void f() { printf(“Base”); } }; i (4 bytes) vtable void (*f)() vptr (4 bytes) 0xDDDDDDDD 0x 0x0012FF6C 0x buffer void foo() { printf("Foo!!\n"); } AAAAAAAA int main() { B* b = new D1(); char buffer[20]; memcpy(buffer, msg, 24); b->f(); return 0; } f

18 Virtual pointer smashing
class B { public: int i; virtual void f() { printf(“Base”); } }; i (4 bytes) vtable void (*f)() vptr (4 bytes) 0x0012FF6C 0xDDDDDDDD 0x 0x0012FF68 0x buffer void foo() { printf("Foo!!\n"); } AAAAAAAA int main() { B* b = new D1(); char buffer[20]; memcpy(buffer, msg, 24); b->f(); return 0; } f

19 Virtual pointer smashing
Demo?

20 Virtual pointer smashing
This attack relies on the method adopted by C++ compilers to have dynamic binding It’s compiler specific: where to place the vptr/vtable is up to the implementation data vptr (4 bytes) VC++ (COM-aware compilers) data vptr (4 bytes) GCC This memory layout leaves space for another exploit (anyone interested?)

Download ppt "Advanced Buffer Overflow: Pointer subterfuge"

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Buffer Overflow Prabhaker Mateti Wright State University.

Buffer Overflow Prabhaker Mateti Wright State University.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Similar presentations

Ads by Google