1. CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011

2. A Stack Frame Parameters Return Address Calling Stack Pointer
Local Variables BP
SP+offset SP
Addresses
SP: stack pointer BP: base/frame pointer
Calling stack pointer: previous function’s SP

3. Using GDB to Check Stack
GDB tutorial:
When compile the c code, use “gcc –g …..” so that Gdb can match source code line number with code
Some knowledge:
Register eip: instruction pointer, the current position of next executable instruction
Register ebp: stack pointer, the top of the current stack, used for addressing local variable

4. Related Gdb Commands:
List: list the source code and each execution’s corresponding line number
Break linenumber: set breakpoint at the linenumber
Run argv: run the execution code with the parameter argv
Next: execute the next line of code
Backtrace: show trace of all function calls in stack
Info frame: List address, language, address of arguments/local variables and which registers were saved in frame.
This will show where the return address is saved
Return address is in Register EIP
Calling stack pointer is in Register EBP
x &variable: show the address and value of a local variable (in hex format)
x address: print binary representation of 4 bytes of memory pointed to by address.

5. Example of Using GDB #include <stdio.h> void foo(char * input){
int a1=11;
int a2=22;
char buf[7];
strcpy(buf, input); }
void main(int argc, char **argv){
foo(argv[1]);
Question: What does the stack look like before strcpy()?

6. Remove address randomization used in Unix (will talk in next lecture)
setarch i686 –R gdb ./gdb-example (gdb) list 1 #include <stdio.h> 2 void foo(char * input){ 3 int a1=11; 4 int a2=22; 5 char buf[7]; 6 strcpy(buf, input); 7 } 8 void main(int argc, char **argv){ 9 foo(argv[1]); 10 } (gdb) break 6 Breakpoint 1 at 0x : file gdb-example.c, line 6. (gdb) run “whatever” Starting program: /home/czou/buffer-code/gdb-example "whatever" Breakpoint 1, foo (input=0xbffff92e "whatever") at gdb-example.c: 6 strcpy(buf, input);
Remove address randomization
used in Unix (will talk in next lecture)

7. (gdb) info frame Stack level 0, frame at 0xbffff750: eip = 0x in foo (gdb-example.c:6); saved eip 0x80483bd called by frame at 0xbffff760 source language c. Arglist at 0xbffff748, args: input=0xbffff92e "whatever" Locals at 0xbffff748, Previous frame's sp is 0xbffff750 Saved registers: ebp at 0xbffff748, eip at 0xbffff74c (gdb) x &a1 0xbffff744: 0x b (gdb) x &a2 0xbffff740: 0x (gdb) x buf 0xbffff739: 0xa4bffff7 (gdb) x 0xbffff740

8. Two Techniques for Generating Stack Overflow Codes

9. NOPs
Most CPUs have a No-Operation instruction – it does nothing but advance the instruction pointer.
Usually we can put a bunch of these ahead of our program (in the string).
As long as the new return-address points to a NOP we are OK.

10. (exec /bin/ls or whatever)
Using NOPs
new return address
Real program
(exec /bin/ls or whatever)
Can point
anywhere
in here
nop instructions

11. Estimating the stack size
We can also guess at the location of the return address relative to the overflowed buffer.
Put in a bunch of new return addresses!

12. Estimating the Location
new return address
new return address
new return address
new return address
new return address
new return address
Real program
nop instructions

13. Explanation of Project 1
Target.c code vulnerability:
int foo(char* arg, short arglen) {
char buf[100];
int i, maxlen = 100;
int len;
if (arglen < maxlen)
len = strlen(arg);
strncpy(buf, arg, len);
If input to foo(*arg, Big_Value) where Big_Value overflows ‘short’, then arglen could be negative value and passes the if() security check.

14. Explanation of Project 1
In the exploit.c code:
#define TARGET "/home/jobert/cap6135/1/proj1-fa08/targets/target
Need to be changed to point to your own target code
Change args[1] = "hi there";
args[1] needs to point to a large buffer that can cause overflow to target code
You can define such a large buffer here and make args[1] points to it.
Your main task is to:
Find out the where in stack stores the return address
Find out where is the starting point of ‘buf’ in foo() in target code
Fill the shellcode[] into the large buffer in your exploit code (which will fill the ‘buf’ variable in target code)
Assign the starting address of buf to the right place in the large buffer in your exploit code in order to overwrite the return address, then CPU will run the shellcode you put at the start of buf variable.

15. Several Tips on Project 1
Be sure to use the Makefile to generate executable of both exploit program and target program
Be sure to use “setarch i686 -R” in front of every execution, including both Gdb and ./exploit
You can use “break foo” to set breakpoint upon entering foo() function.
Fill the shell executable code (in the string array shellcode[]) byte-by-byte into the buffer for your modified return address to execute, do not use strcpy() because shellcode[] is not an ASCII string.

16. Several Tips on Project 1
Given that:
We know the address of ‘buf’ in target.c is: 0xbfff0000
We know the address of the function’s return address (eip) is 0xbfff0100
We put the shellcode[] at the beginning of ‘buf’.
How to Overwrite the return address to execute shellcode?
0xbfff0100 – 0xbfff0000 = 0x100 = 256 in decimal
Since address in 32-bit machine is 4 bytes and Eustis is a little-endian machine:
buf[256] = 0x00; buf[257] = 0x00;
buf[258] = 0xff; buf[259] = 0xbf;
In this way, we have changed the flow to the beginning of shellcode!