Stack-based buffer overflows, part 2
Yves Younan
DistriNet, Department of Computer Science
Katholieke Universiteit Leuven
Belgium
Yves.Younan@cs.kuleuven.ac.be
Overview
• Code injection
Yves Younan - Methodology for Designing Countermeasures against Code injection Attacks
Code injection
• Finding the inserted code is sometimes a problem
• Often an attacker will fill a buffer with nops and place the shellcode at the end
• If the attacker misses the exact address, execution may still land somewhere in the nops
Gdb intro
• Compile the code with -g for debugging information
• gdb program -> start the debugger on the program
• break main -> tells the debugger to stop when main is reached
• run -> run the program
• x buffer -> prints the contents of buffer (and its address)
• If the shellcode is stored in the buffer, that address is what the return address gets overwritten with
Execve
• execve allows execution of a program
• int execve(const char *filename, char *const argv[], char *const envp[]);
• Must pass an array of arguments, terminated with NULL; note that the program name is argument 0
• Must also pass an array of environment variables, terminated with NULL
Execve
  #include <unistd.h>
  #include <stdio.h>

  int main(int argc, char **argv)
  {
      /* arguments for the new program: argument 0 is the program name, list ends with NULL */
      char *execargv[3] = { "/bin/ls", "--color=always", NULL };
      /* environment for the new program, also NULL-terminated */
      char *env[2] = { "TEST=1", NULL };

      execve(execargv[0], execargv, env);
      perror("execve"); /* execve only returns on failure */
      return 1;
  }
Finding inserted code
• Generally (on kernels < 2.6) the stack will start at a static address
• To find the shellcode, run the program with a fixed set of arguments and a fixed environment
• This will result in the same address each time
• Not very precise: a small change can result in a different location of the code
• It is not mandatory to put the shellcode in the buffer used to overflow
• It can be passed as an environment variable instead
Controlling the environment
Passing shellcode as environment variable (stack start: 0xBFFFFFFF)

  High addr  0xBFFFFFFF   0,0,0,0 (4 null bytes)
                          Program name
                          Env var n
                          Env var n-1
                          …
                          Env var 0
                          Arg n
                          Arg n-1
                          …
                          Arg 0
  Low addr

• Address of env var n = stack start - 4 null bytes - strlen(program name) - null byte (program name) - strlen(shellcode)
• = 0xBFFFFFFF - 4 - strlen(program name) - 1 - strlen(shellcode)
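The two slides above rest on two separate claims: the stack ends at a fixed address, and the strings below that end are laid out in a fixed order. The following C program is an added example, not code from Yves Younan's slides: it reads the end of the [stack] mapping from /proc/self/maps, applies the slide's formula generalized from 4 null bytes to one machine word and from the fixed 0xBFFFFFFF top to whatever top the kernel actually chose, and compares the prediction with the real address of the last environment string. It assumes Linux with glibc (getauxval, /proc/self/maps); AT_EXECFN is the filename passed to execve, which is the "program name" the kernel copies just below the null bytes (argv[0] may differ). The names parse_stack_end and predicted_last_env are the example's own.

```c
/* Added example, not from the slides: check the slide's layout formula on a
 * live Linux process and show whether the stack top is the fixed address the
 * slides assume. Assumes Linux and glibc (getauxval, /proc/self/maps). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/auxv.h>

extern char **environ;

/* Find the "[stack]" line in /proc/self/maps text and return the mapping's
 * end address (first byte past the stack). Returns 0 if there is none. */
uintptr_t parse_stack_end(const char *maps)
{
    const char *line = maps;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        const char *tag = strstr(line, "[stack]");
        if (tag && (nl == NULL || tag < nl)) {
            unsigned long lo, hi;
            if (sscanf(line, "%lx-%lx", &lo, &hi) == 2)
                return (uintptr_t)hi;
        }
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* The slide's formula, generalized: `word` null bytes sit at the very top
 * (4 on the 32-bit kernels the slides describe, sizeof(void *) in general),
 * below them the program name with its terminator, and below that the last
 * environment string with its terminator. `stack_end` is the first byte past
 * the stack, so the slide's 0xBFFFFFFF corresponds to stack_end 0xC0000000. */
uintptr_t predicted_last_env(uintptr_t stack_end, size_t word,
                             const char *progname, const char *last_env)
{
    return stack_end - word - (strlen(progname) + 1) - (strlen(last_env) + 1);
}

int main(void)
{
    static char maps[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL) {
        perror("/proc/self/maps");
        return 1;
    }
    size_t n = fread(maps, 1, sizeof maps - 1, f);
    fclose(f);
    maps[n] = '\0';

    uintptr_t end = parse_stack_end(maps);
    if (end == 0) {
        fputs("no [stack] mapping found\n", stderr);
        return 1;
    }

    /* AT_EXECFN is the filename passed to execve: the "program name" the
     * kernel copies just below the null bytes (not necessarily argv[0]). */
    const char *progname = (const char *)getauxval(AT_EXECFN);
    size_t envc = 0;
    while (environ[envc] != NULL)
        envc++;
    if (progname == NULL || envc == 0) {
        fputs("need AT_EXECFN and a non-empty environment\n", stderr);
        return 1;
    }
    const char *last_env = environ[envc - 1];
    uintptr_t predicted = predicted_last_env(end, sizeof(void *),
                                             progname, last_env);

    printf("highest stack byte : 0x%lx (%s)\n", (unsigned long)(end - 1),
           end - 1 == 0xBFFFFFFFUL ? "the fixed top the slides assume"
                                   : "not the fixed top the slides assume");
    printf("program name       : %p  \"%s\"\n", (const void *)progname, progname);
    printf("last env string    : %p  predicted %p  -> %s\n",
           (const void *)last_env, (void *)predicted,
           (uintptr_t)last_env == predicted ? "layout formula holds"
                                            : "layout formula does not hold");
    return 0;
}
```

Run it twice on a kernel with /proc/sys/kernel/randomize_va_space set to 2: the highest stack byte changes between runs while the last line still reports that the relative layout holds. That separation is the point of the slide's "not very precise" remark taken to its conclusion: address-space randomization defeats the fixed-address computation, not the ordering of program name, environment and arguments.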
Conclusion
• Follow “Gera’s Insecure Programming by example”:
• http://community.corest.com/~gera/InsecureProgramming/
• Login/pass for the computers: cstudy/distrinet