Presentation is loading. Please wait.

Presentation is loading. Please wait.

CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.

Published byPierce Cook Modified over 8 years ago

Similar presentations

Presentation on theme: "CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1."— Presentation transcript:

1 CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1

2 Topics Thread Environment Block and Process Environment Block Stack-Based Buffer Overflows SEH Protections Defenses in Server 2008 (not in textbook) Frame-Based Exception Handlers

3 Thread Environment Block and Process Environment Block

4 Thread Environment Block (TEB) Stores information about the currently executing thread Also called the Thread Information Block Starts with the address of the SEH (Structured Exception Handler) Microsoft tells us nothing about it except not to use it Win32 programs use it often anyway

5 Thread Environment Block (TEB) SEH pointer Info about the stack – Much more (Link Ch 8a)

6 FS: and GS: Segment Registers Left over from very early operating systems Not used much anymore for their original purpose On Windows, FS: is used to point to the TIB – Link Ch 8e

7 Process Environment Block (PEB) Parameters about a process

8 Stack-Based Buffer Overflows

9 Classic Technique Overwrite the saved return address – With a value that points back into the stack When the function returns, it copies the return address into EIP Return address points to NOP Sled

10

11 SEH Technique Overwrite the SEH – With a value that points back into the stack Trigger an exception Modified exception handler points to NOP Sled

12

13 Defeating ASLR (Address Space Layout Randomization)

14

15 Using Return Value We're inside the function ESP points to the stack Find a JMP ESP and insert its address into the return value

16 Using SEH Old Windows versions left the address of the SEH in EBX Newer versions clear all registers But SEH address is at ESP+8 Find POP, POP, RET and put its address in SEH

17 Frame-Based Exception Handlers

18 Exception Handler Code that deals with problems from within a running process – Such as access violation or divide by zero Frame-Based Exception Handler – Associated with a particular procedure – Each procedure sets up a new stack frame Every thread in a Win32 process has at least one frame-based exception handler

19 EXCEPTION_REGISTRATION Each thread's TEB has the address of the first EXCEPTION_REGISTRATION structure at fs:[0] When an exception occurs, the OS walks through the list until a suitable handler is found

20 SEH Example Code

21 SEH Chain in Immunity View, SEH Chain This is Notepad's SEH Chain

22 Follow Address in Stack

23 Exceptions in Stack Overflows Suppose we overflow the stack to overwrite the stored return address Unfortunately, we also overwrite other variables by accident (collateral damage) Those may lead to exceptions, as other instructions become invalid, before the function returns

24 Overwriting EXCEPTION_REGISTRATION To gain control of exception handling On Windows 2000 and Win XP (before SP1) – EBX points to the current EXCEPTION_REGISTRATION structure On later Windows versions, all the registers are zeroed when the SEH is called – In order to make exploitation more difficult

25 Old Windows Process At crash, EBX points to EXCEPTION_REGISTRATION structure Overwrite With "JMP EBX"

26 Modern Windows Process Stack at crash 3 rd value points to EXCEPTION _REGISTRATION structure Use POP, POP, RET

27 SEH Protections

28 Win 2003 Server Attempts to ensure that handler is valid before using it, with these steps 1.If handler is on the stack -- INVALID – According to the TEB's entries FS:[4] and FS:{8] 2.If handler is in any loaded EXE or DLL – MAYBE – Otherwise VALID

29 Win 2003 Server 3.If the module is marked as "not allowed – INVALID 4.If a module has no "Load Configuration Directory", or one with a small size: VALID

30 Three Ways to Exploit SEH on Windows Server 2003 1.Abuse an existing handler 2.Use code in an address outside all modules 3.Use code in a module without a "Load Configuration Directory"

31 Defenses in Win Server 2008 Not in Book

32 Microsoft's Defenses Normal SEH attack (link Ch 8f)

33 SAFESEH Microsoft added this compiler switch to Visual Studio 2003 It creates a whitelist of exception handler addresses BUT this depends on the developer using the switch – All legacy code must be recompiled

34 SEHOP Verifies that the exception handler is intact before using it The pointer to the next handler comes before the pointer to the registration record So an exploit will usually damage the *Next pointer

35 EXCEPTION_REGISTRATION_RECORD

36 How SEHOP Works Adds an extra registration record at the end of the list Walks the exception handler list to ensure that the added record can be reached Will detect corruption of *Next pointers

37 SEHOP

38 Windows Versions SEHOP is enabled by default in Windows Server 2008 Disabled by default in Windows Vista – Because it breaks some legacy code Also disabled by default on Windows 7 – But it can be enabled in the Registry – Link Ch 8k

39

40

Download ppt "CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1."

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.

Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
PC hardware and x86 3/3/08 Frans Kaashoek MIT

PC hardware and x86 3/3/08 Frans Kaashoek MIT
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
80386DX.

80386DX.

Similar presentations

Ads by Google