1 / 21

Andrew T. Phillips Jack S. E. Tan Department of Computer Science

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA. Andrew T. Phillips Jack S. E. Tan Department of Computer Science University of Wisconsin – Eau Claire. Smashing the stack. Limitations of C permit security exploits

oro
Download Presentation

Andrew T. Phillips Jack S. E. Tan Department of Computer Science

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University of Wisconsin – Eau Claire

  2. Smashing the stack • Limitations of C permit security exploits • Library routines: • strcpy, strcat, sprintf, etc. • no automatic bounds checking. • Shortcomings: • allow writing past end of array. • Major source of security exploits

  3. The Original Exploit • The trade magazine "Phrack" published: • "Smashing the Stack for Fun and Profit" by Aleph One • http://www.phrack.com/phrack/49/P49-14 • Original exploit done on the Intel architecture

  4. Overall Strategy • Write a small program that starts a shell window: use something like system("/bin/sh") • Translate the program into HEX, modifying individual bytes as needed (explained later) • Put the HEX code into a buffer, followed by the address of the start of that buffer, repeated many times • Will overwrite the return address (on the stack) of the servers buffer handler routine

  5. Basic Steps • Get a copy of the OS to be attacked • Analyze the system stack layout for that OS • Put the "shell window" HEX code into a buffer • Send your buffer to a program on the target OS (maybe one that runs as "root") that takes a buffer as input, makes a copy of that buffer, and doesn't check its bounds

  6. Typical MIPS Memory Layout

  7. Stack Frame • On a function call: • Preserve state of calling function • Allocate additional memory for calling function • Stack frame (activation record) created • Pushed onto execution stack

  8. Stack Frame – cont’d • Stack frame (activation record) contains: • Function arguments • Local variables • Return address ($ra) • Global pointer ($gp) Note: Not all local variables may be stacked: Optimizing compiler may put them in registers.

  9. Typical Procedure Call Memory Layout New SP Local Variables Saved Registers (preserved across calls) Arguments (if > 4 args; $4-$7 holds 1st four) Global pointer (to static data segment for fast access using offset) Return address (if any) Old SP Subsequent examples will exclude saved registers & argument details for brevity. Note:

  10. Mechanics of Function Calls Simple C program where: main( )  foo( )  bar( ) main( ) foo(x) bar(y) foo(8) foo_p = x +2 bar_q = y bar(foo_p)

  11. Mechanics of Function Calls – cont’d void bar(int y) { int bar_q; /* will be allocated on the stack */ bar_q = y;}void foo(int x) { int foo_p; /* will be allocated on the stack */ foo_p = x + 2; bar(foo_p); /* return address points to here */}void main( ) { foo(8); /* return address points to here */}

  12. Memory Layout for foo( )

  13. Overview of an Overflow void foo(char *buf) { char local_buf[10]; strcpy(local_buf,buf);}void main() { char *large_buf = “a……a”; // lots of a’s foo(large_buf); /* location of return from foo() */}

  14. Overflowing foo( )’s Buffer local_buf $ra (a) Stack before strcpy( ) in foo( ) …… ‘a’…. ‘a’ (b) Stack after strcpy( ) in foo( )

  15. Implementing Overflow in the MIPS ISA void foo(char *buf) { char local_buf[10]; int i = 0; while (buf[i] != 0) { local_buf[i] = buf[i]; i++; } bar(); /* code for bar() not shown */ /* bar( )’s RA in $31 reg.; foo( )’s RA on stack */ }void main() { char *large_buf = “a……a”; // lots of a’s foo(large_buf); /* location of return from foo() */}

  16. 32-bit MIPS stack during call to foo( )

  17. 32 bit MIPS translation using “gcc –S –O2” .L4: jal bar lw $ra,24($sp) lw $gp,20($sp) jr $ra addu $sp, $sp, 28.end foo.LC0: # lots of a’s .byte 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61 .byte 0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61 .byte 0x61,0x61,0x61,0x61,0x00main: subu $sp,$sp,16 sw $ra,12($sp) sw $gp,8($sp) la $a0,.LC0 jal foo….end main foo: subu $sp,$sp,28 sw $ra,24($sp) sw $gp,20($sp) lbu $v0,0($a0) beq $v0,$zero,.L4 addi $a1,$zero,0 addu $a2,$sp,8 # addr local_buf[0] .L5 lbu $v0,0($a0) addu $a0, $a0, 1 addu $v1,$a2,$a1 sb $v0,0($v1) # write onto stack lbu $v0,0($a0) bne $v0,$zero,.L5 addu $a1,$a1,1

  18. Buffer Overflow With Code Exploit • To cause the exploit, when foo is called: • Pass a buffer of length greater than foo( )’s local buffer • Ensure none of values copied into foo( )’s buffer prior to $ra contain value of 0 (terminates buffer copy prematurely) • Ensure bytes in buffer contain MIPS (exploit) code • Overwrite $ra with address that points back into buffer containing MIPS exploit code • Ensure buffer copy is terminated by a 0 value after $ra

  19. Buffer Overflow With Code Exploit void foo(char *buf) { char local_buf[256]; strcpy(local_buf,buf);}void main() { char *large_buf = “\x01\x20\x48\x20” /* add $t1, $t1, $zero */ “\x01\x20\x48\x20” … “\x20\x84\xFF\xFF” /* addi $a0, $a0, -1 */ “\x12\x34\x56\x78” /* guess address of exploit */ “\x12\x34\x56\x78” /* guess address of exploit */ “\x12\x34\x56\x78” /* guess address of exploit */ “\x00”; foo(large_buf); /* location of return from foo() */}

  20. Example of an Exploit

  21. Detailed Paper Explaining the Exploit http://www.cs.uwec.edu/~phillips/papers/bufferOverflow.pdf

More Related