280 likes | 423 Views
Intro to Exploitation Stack Overflows. James McFadyen UTD Computer Security Group 10/20/2011. Intro to Exploitation. Only an intro to stack overflow Basic theory and application One of many types of exploitation. Outline. What is a buffer overflow? Tools Vulnerable C Functions
E N D
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011
Intro to Exploitation • Only an intro to stack overflow • Basic theory and application • One of many types of exploitation
Outline • What is a buffer overflow? • Tools • Vulnerable C Functions • Remember the memory • Learn to love assembly • Stack overflow • Protection Mechanisms • ret2libc in Linux
Buffer Overflow • “In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety.” - Wikipedia
Buffer Overflow • In our examples.. • Give the program too much input, hijack the instruction pointer (EIP) • Control EIP • Execute arbitrary code locally or remotely • Achieve what we want as elevated user
Tools • Linux • GDB, gcc, vi, perl/python/ruby, readelf, objdump, ltrace, strace, ropeme • Windows • WinDBG, OllyDBG, ImmunityDBG, IDA, Python, Mona (ImmunityDBG plugin)
Vulnerable C Code • strcpy(), strncpy() • strcat(), strncat() • sprintf(), snprintf() • gets() • sscanf() • Many others...
Vulnerable C Code • strcpy() doesn't check size • If we have char buf[128]; strcpy(buf, userSuppliedString); • This makes it too easy...
Vulnerable C Code • char *strncpy(char *dest, const char *src, size_t n); • We have a size, but what if.. strncpy(somebuffer, str, strlen(str)); • or.. strncpy(somebuffer, str, sizeof(somebuffer)); • Where str is supplied by user
Vulnerable C Code • Common bug, proper fix: strncpy(somebuffer, str, sizeof(somebuffer)-1);
Vulnerable C Code • char *strncat(char *dest, const char *src, size_t n); • Ex: int vulnerable(char *str1, char *str2) { char buf[256]; strncpy(buf, str1, 100); strncat(buf, str2, sizeof(buf)-1); return; }
Vulnerable C Code • Fix: strncat(buf, str2, sizeof(buf) - strlen(buf) -1);
Remember the Memory Low Text Code segment, machine instr. Initialized global and static variables Data Uninitialized global and static variables BSS Heap Dynamic space. malloc(...) / free(...) new(...) / ~ Program scratch space. Local variables, pass arguments, etc.. Stack High * Taken from Mitchell Adair's “Stack Overflows”
Remember the Memory: The Stack Low ESP local variables ... EBP - x EBP EBP RET EBP + x arguments... previous stack frame High * Taken from Mitchell Adair's “Stack Overflows”
Love the Assembly EIP – Extended Instruction Pointer Next Instruction executed ESP – Extended Stack Pointer Top of stack EBP – Extended Base Pointer Base Pointer EAX Accumulatorregister EBX Base register ECX Counter register EDX Data register ESI Source index EDI Destination Index * Taken from Mitchell Adair's “Stack Overflows”
Stack Overflow ESP char buf[100] 100 bytes EBP EBP 4 bytes RET 4 bytes argc *argv[] * Taken from Mitchell Adair's “Stack Overflows”
Stack Overflow Ex: $ ./program $(python -c 'print "A" * 108 ') ESP RET overwritten Ret will pop the instruction pointer off of the stack EIP will now point to 0x41414141 108 bytes ( 0x41 * 108) 100 bytes EBP EBP 4 bytes RET RET 4 bytes argc *argv[] * Taken from Mitchell Adair's “Stack Overflows”
Stack Overflow Ex: $ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ') ESP 0xdeadbeef EIP will now point to 0xdeadbeef We can now point EIP where we want 104 bytes ( 0x41 * 104 100 bytes EBP EBP 4 bytes RET RET 4 bytes argc *argv[] * Taken from Mitchell Adair's “Stack Overflows”
Stack Overflow • $ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ') • We have 104 bytes for a payload • Payload can be anything, but for our purpose we would spawn a shell • The payload will be fixed size, so when we insert it, we must reduce the # of A's by the size of the payload
Stack Overflow • $ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ') • If we had a 32 byte payload .. (real payload will not be a bunch of \xff) $ ./program $(python -c 'print "A" * 72 + “\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff” + “\xef\xbe\xad\xde” ') • We have adjusted the buffer so the payload will fit • We will then have to point EIP (\xef\xbe\xad\xde) to our payload on the stack
Stack Overflow • $ ./program $(python -c 'print "A" * 72 + “\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff” + “\xef\xbe\xad\xde” ') • “\xef\xbe\xad\xde” would be replaced with the address of our payload • EIP will now point to the address of our payload, which will spawn a shell • NOPs help create a bigger “landing area” • This technique is not very effective anymore... why?
Protection Mechanisms (Windows) • DEP – Data execution Prevention • Can't execute on the stack • /GS Flag – cookie / canary • detects if stack has been altered • SafeSEH – Structured Exception Handler • Try / except, catches exceptions • ASLR - Address Space Layout Randomization • Randomizes addresses in memory
Protection Mechanisms (Linux) • NX – Stack Execute Invalidation • Processor feature • Like DEP, can't execute on the stack • Stack Smashing Protection – cookie / canary • Generally enabled by default • ASLR - Address Space Layout Randomization • Many other compiler protections...
ret2libc • Bypasses NX • Point EIP to a function in libc • system(), exec() etc... • system(“/bin/sh”); • We will get a shell by using the system() function in libc
ret2libc $ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ') • We don't need the payload where the A's are anymore • We now will point EIP to the address of system(), then the next 4 bytes will be a return address, followed by system() arguments (which will be /bin/sh) $ ./program $(python -c 'print "A" * 104 + address_of_system + return_address + payload ')
Demo! • How to use GDB for exploitation • Exploring the stack • Finding important memory addresses (ret2libc) • Breakpoints • Using Perl/Python/Ruby for arguments in GDB • Basic Stack Overflow • Ret2libc
Additional Resources • https://www.corelan.be/index.php/articles/ • http://beej.us/guide/bggdb/ • http://en.wikibooks.org/wiki/X86_Assembly • http://www.alexonlinux.com/how-debugger-works • http://smashthestack.org/ • http://intruded.net/
Sources • “Source Code Auditing” - Jared Demott • “Smashing the stack in 2010” - Andrea Cugliari + Mariano Graziano • “Stack Overflows” - Mitchell Adair • http://en.wikipedia.org/wiki/Buffer_overflow • http://en.wikipedia.org/wiki/Return-to-libc_attack