Secure Programming: Buffer Overflows



  1. Secure Programming: Buffer Overflows

  2. Contents
  • Buffer overflow basics (the standard stack overflow)
  • Summary & questions
  • A closer look at buffer overflows
  • Summary & questions
  • Secure programming to prevent buffer overflows (some examples)
  • Extension: buffer overflows on non-x86 platforms
  • Summary & questions

  3. History

      pushl $68732f       'sh\0'
      pushl $6e69622f     '/bin'
      movl sp, r10
      pushl $0
      pushl $0
      pushl r10
      pushl $3
      movl sp, ap
      chmk $3b

  • 1988: Robert Morris Internet Worm
    • BSD fingerd buffer overflow vulnerability
    • http://www.securityfocus.com/bid/2/
  • 1996: Smashing The Stack for Fun and Profit
    • Aleph One
  • 1999: w00w00 on heap/bss overflow
  • 2001: free()
  • 2002: Integer overflow
  • Kernel buffer overflow, misc shellcode, worms, ……

  4. Why we learn it?
  • Black Hat & White Hat
  • Inform the vendor before exposing the vulnerability
  • No exploit in the advisory
  • Concept code always
  • Write the exploit yourself in your hacking
  • Security base knowledge
  • Deep into your world
  • Secure programming

  5. A simple sample

      #include <stdio.h>
      #include <string.h>

      /* 10-byte stack buffer filled by an unbounded strcpy: the classic overflow */
      void foo(const char *input)
      {
          char stack[10];
          strcpy(stack, input);
      }

      /* never called by the program: the function the overflow is meant to reach */
      void bar(void)
      {
          printf("\nAh, I've been hacked!\n");
      }

      int main(int argc, char *argv[])
      {
          foo(argv[1]);
          return 0;
      }

  The same program as compiled by gcc (32-bit x86):

      foo:
          pushl %ebp
          movl %esp, %ebp
          subl $24, %esp
          addl $-8, %esp
          movl 8(%ebp), %eax
          pushl %eax
          leal -12(%ebp), %eax
          pushl %eax
          call strcpy
          addl $16, %esp
      .L2:
          leave
          ret
      main:
          pushl %ebp
          movl %esp, %ebp
          subl $8, %esp
          addl $-12, %esp
          movl 12(%ebp), %eax
          addl $4, %eax
          movl (%eax), %edx
          pushl %edx
          call foo
          addl $16, %esp
      .L4:
          leave
          ret

  6. How the program works
  • call: pushes the Instruction Pointer (and the Code Segment for far calls) onto the stack and loads the Instruction Pointer with the address of proc-name. Execution continues at CS:IP.
  • ret: transfers control from a procedure back to the instruction address saved on the stack. "n bytes" is an optional number of bytes to release. Far returns pop the IP followed by the CS, while near returns pop only the IP register.
  • strcpy: copies a string without any boundary check
  • Activation record (stack based)
    • Frame pointer
    • Stack pointer
    • Return address
    • Grows downwards
  • Buffer
    • Grows upwards

  7. How to exploit it
  • Overwrite the return address with the address of your shellcode.
  • When foo returns, it will execute your shellcode.
  • Shellcode?? Here it may simply be the bar function, which prints "I've been hacked" on the screen.
  • OK, let's continue

  8. Shellcode
  • Binary code (machine code)
  • The CPU can execute it directly.
  • Generally it returns a shell such as bash$, or binds a shell to a specific TCP/UDP port ……
  • Please refer to "Smashing the Stack for Fun and Profit" for details

  9. Summary
  • The buffer grows upwards while the stack grows downwards (so the buffer may overwrite the activation record).
    • Protect the activation record.
  • String functions in the C library do not check array boundaries.
    • Use safe string functions such as strncpy
  • The shellcode executes on the stack.
    • Non-executable stack

  10. Question & Answers
  Next: Inside the buffer overflow

  11. Inside the process's address space (Linux on x86)
  • 0x00000000 - 0x08000000
    • NULL pointer
  • 0x08000000 - 0x40000000
    • Data segment
    • Text segment
  • 0x40000000 - …
    • Library code
  • … - 0xc0000000
    • Heap
    • Stack

  12. Where is the buffer
  • Stack (the sample above: local variables)
    • from 0xbfffffff downwards
  • Heap
    • char *buf = malloc(BUF_LEN);
    • char *buf = new char[BUF_LEN];
    • 0x4xxxxxxx upwards
  • BSS (uninitialized data)
    • static char buf[BUF_LEN];
    • static char *buf; buf = "/etc/passwd";
    • 0x08xxxxxx upwards
  • Initialized data
    • char buf[BUF_LEN] = {1};
    • 0x08xxxxxx upwards

  13. Data we will overwrite
  • Stack
    • Data on the stack
    • Activation record
  • Heap
    • Data on the heap
    • The management block of malloc or new
  • BSS & initialized data
    • Function pointers

  14. GCC implementation (sections in the ELF binary)
  Section flags: A (alloc), X (execute), W (write). The addresses shown above may differ from one binary to another.

  15. GOT & DTORS
  • GOT (Global Offset Table)
    • Relocation
  • DTORS
    • Supports destructor functions in C++

  16. Buffer overflows in real life
  • General stack overflow
  • Heap/BSS overflow
  • Double free (2001 - 1)
  • Re-entered signal handlers ("Delivering Signals for Fun and Profit")
  • Off-by-one errors
  • Integer overflow (2002 - 1)
  • Misuse of pointers (usually in loops)

  17. Off-by-one problems
  • middleman-1.2 and prior: off-by-one bug
  • Code:

      /* strncpy which always NULL terminates */
      char *s_strncpy(char *d, char *s, size_t len)
      {
          char *dest = d;
          for (; len && (*dest = *s); s++, dest++, len--)
              ;
          *dest = '\0';   /* when len runs out, dest == d + len: one byte past the buffer */
          return d;
      }

  • The user-supplied buffer may overwrite the frame pointer (ebp).
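The fix for the middleman bug is to reserve the last slot for the terminator. The following is an added example, not the slide's or middleman's code: the slide's routine placed beside a corrected one, plus a canary check that shows which of the two writes past the buffer (copy_stays_in_bounds is an assumed helper name).

```c
#include <stddef.h>
#include <string.h>

/* The slide's version: when src fills all len bytes, the loop exits with
 * dest == d + len and the terminator is written one byte past the buffer. */
char *s_strncpy_slide(char *d, const char *s, size_t len)
{
    char *dest = d;
    for (; len && (*dest = *s); s++, dest++, len--)
        ;
    *dest = '\0';
    return d;
}

/* Fixed version: copy at most len-1 characters, so the NUL always lands
 * at index len-1 or earlier. */
char *s_strncpy_fixed(char *d, const char *s, size_t len)
{
    char *dest = d;
    if (len == 0)
        return d;                         /* no room even for the NUL */
    for (; len > 1 && (*dest = *s); s++, dest++, len--)
        ;
    *dest = '\0';                         /* index <= len-1 */
    return d;
}

typedef char *(*copy_fn)(char *, const char *, size_t);

/* Self-check: copy src into a len-byte slot followed by a canary byte and
 * report 1 if the canary survived and the result is NUL-terminated,
 * 0 if the copy wrote past the slot, -1 on unusable arguments. */
int copy_stays_in_bounds(copy_fn fn, const char *src, size_t len)
{
    char guarded[64];
    if (len == 0 || len >= sizeof guarded)
        return -1;
    memset(guarded, 'X', sizeof guarded); /* 'X' is the canary pattern */
    fn(guarded, src, len);
    if (guarded[len] != 'X')
        return 0;                         /* off-by-one write detected */
    return memchr(guarded, '\0', len) != NULL;
}
```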

  18. Integer Overflow
  • Integer overflow
    • 0xfffffff + 1 = ???
    • 0x9000000 * 2 = ???
    • 0x0 – 1 = ???
  • Signedness problems
    • unsigned vs signed
    • 0xfffffffc = -4
    • %d vs %u

  19. Integer Overflow

      int num, i;
      object_t *objs;
      …
      num = get_user_num();
      /* num * sizeof(object_t) can wrap around, so a huge num buys a tiny block */
      if (!(objs = (object_t *)malloc(num * sizeof(object_t)))) {
          perror("malloc");
          exit(errno);
      }
      /* the loop then stores num elements into that block */
      for (i = 0; i < num; i++) {
          objs[i] = get_user_object();
      }

  20. Signed and unsigned

      int http_init()
      {
          char *buf, buf2[1024], *t2, *t3;
          int n;
      #ifndef SILENCE
          printf("Content-type: text/html; charset=%s\n\n\n", CHARSET);
          printf("<html>\n");
          printf("<meta http-equiv='Content-Type' content='text/html; charset=%s'>\n", CHARSET);
      #endif
          n = atoi(getsenv("CONTENT_LENGTH"));   /* a negative value passes the check below */
          if (n > 5000000)
              n = 5000000;
          buf = calloc(n + 1, 1);                /* n == -1 allocates 0 bytes */
          if (buf == 0)
              http_fatal("memory overflow");
          fread(buf, 1, n, stdin);               /* negative n becomes a huge size_t */
          …
      }
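What the two slides above call for is a length parser that rejects negative and malformed input, and an allocation that checks the multiplication before trusting it. The following is an added example, not code from the slides; parse_content_length and alloc_objects are assumed names, and MAX_BODY mirrors the 5000000 cap of the slide's http_init().

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_BODY 5000000L   /* the same cap the slide's http_init() applies */

/* Parse a CONTENT_LENGTH string the way atoi() cannot: rejects negative
 * numbers (atoi() returns them happily, so calloc(n+1, 1) gets 0 and
 * fread() gets a huge size_t), trailing junk, out-of-range values and
 * anything above MAX_BODY. Returns the length, or -1 on rejection. */
long parse_content_length(const char *text)
{
    char *end;
    long n;
    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    n = strtol(text, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* overflow, or junk like "12abc" */
        return -1;
    if (n < 0 || n > MAX_BODY)
        return -1;
    return n;
}

/* Array allocation that refuses to let count * elem_size wrap around (the
 * slide's num * sizeof(object_t)): a huge or negative user-supplied count
 * would otherwise buy a tiny block that the fill loop then overruns.
 * Returns NULL on a negative count, on overflow, or when malloc() fails. */
void *alloc_objects(long count, size_t elem_size)
{
    if (count < 0 || elem_size == 0)
        return NULL;
    if ((size_t)count > SIZE_MAX / elem_size)   /* product would overflow */
        return NULL;
    return malloc((size_t)count * elem_size);
}
```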

  21. Errors in looping

      while (cp < reqend && isspace(*cp))
          cp++;
      if (cp == reqend || *cp == ',') {
          buf[0] = '\0';
          *data = buf;
          if (cp < reqend)
              cp++;
          reqpt = cp;
          return v;
      }
      if (*cp == '=') {
          cp++;
          tp = buf;
          while (cp < reqend && isspace(*cp))
              cp++;
          while (cp < reqend && *cp != ',')
              *tp++ = *cp++;      // here is the problem: tp is never checked against the end of buf
          if (cp < reqend)
              cp++;
          *tp = '\0';
          while (isspace(*(tp-1)))
              *(--tp) = '\0';
          reqpt = cp;
          *data = buf;
          return v;
      }
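A bounded rewrite of the value-copying loop above, added here as an example rather than taken from the original program: copy_value (an assumed name) checks the destination on every byte, refuses a value that does not fit, and also bounds the trailing-whitespace trim, which in the slide's code reads before buf when the value is empty.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Copy one comma-delimited value from [cp, reqend) into buf, writing at most
 * bufsize-1 characters plus the NUL and trimming surrounding whitespace
 * without ever stepping before buf. Returns the number of characters
 * stored, or -1 when the value does not fit (reject the request rather
 * than silently truncating). *next receives the first unconsumed byte. */
int copy_value(const char *cp, const char *reqend, char *buf, size_t bufsize,
               const char **next)
{
    char *tp = buf, *end;
    if (bufsize == 0)
        return -1;
    end = buf + bufsize - 1;                 /* last slot is reserved for NUL */
    while (cp < reqend && isspace((unsigned char)*cp))
        cp++;                                /* leading whitespace */
    while (cp < reqend && *cp != ',') {
        if (tp == end) {                     /* the check the slide lacks */
            *tp = '\0';
            return -1;
        }
        *tp++ = *cp++;
    }
    if (cp < reqend)
        cp++;                                /* consume the ',' */
    *tp = '\0';
    /* the slide's while (isspace(*(tp-1))) reads before buf on an empty
     * value; bound the trim loop by buf itself */
    while (tp > buf && isspace((unsigned char)tp[-1]))
        *--tp = '\0';
    if (next)
        *next = cp;
    return (int)(tp - buf);
}

/* Self-check on a NUL-terminated request fragment: copies the first value
 * into a bufsize-byte slot and returns 1 if it equals `expected`, 0 if the
 * value was rejected or differs. */
int first_value_is(const char *req, size_t bufsize, const char *expected)
{
    char slot[32];
    const char *next;
    if (bufsize > sizeof slot)
        return 0;
    if (copy_value(req, req + strlen(req), slot, bufsize, &next) < 0)
        return 0;
    return strcmp(slot, expected) == 0;
}
```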

  22. Summary
  • Where is the buffer
    • Stack
    • Heap/BSS
    • ……
  • What we can overwrite (data that can change eip)
    • Activation record (ret, ebp, …)
    • Any data that is used for a jump
  • Implementation in GCC and glibc
  • Defending against buffer overflows
    • Non-executable stack, data, heap/BSS (optimize online)
    • Return into libc (Solar Designer, http://www.openwall.com)
    • Safe compilers
    • Secure programming

  23. Question & Answer
  Next topic: Secure Programming

  24. Unsafe functions
  • String functions
    • strcpy, strcat, sprintf, vsprintf, gets
  • scanf family
    • scanf, fscanf, sscanf, vscanf, vsscanf, vfscanf
  • Other
    • realpath, getopt, getpass, streadd, strecpy, strtrns, getwd
    • select (FD_SET …)
  • The common problem: the buffer receiving the data is not large enough to hold what the user supplies.

  25. Secure Programming
  • Functions without boundary checks
    • strcpy, strcat, …
    • memcpy
  • Functions with boundary checks
    • strncpy, strncat, …
  • But misuse of these functions leads to new exploits…

  26. General misuse
  • strncpy(dst, src, strlen(src));        /* bound taken from the source, not the destination */
  • strncpy(dst, src, strlen(dst));        /* strlen(dst) is the current content, not the size */
  • strncat(dst, src, strlen(dst));        /* the remaining room is sizeof(dst) - strlen(dst) - 1 */
  • strncat(dst, src, strlen(dst) - 1);

  27. strncpy NULL termination problem

      /*
       * strncpy() NULL termination problems
       * kk_qq@263.net
       * ./a.out `perl -e 'print "A" x49'`
       */
      #include <stdio.h>
      #include <string.h>

      int main(int argc, char **argv)
      {
          char buf1[50];
          char buf2[50];
          strcpy(buf1, "This is buf2");
          /* 49 chars fill the copy exactly and strncpy adds no NUL: buf2 is unterminated */
          strncpy(buf2, argv[1], sizeof(buf2) - 1);
          printf("%s\n", buf2);   /* reads past buf2 into whatever follows it on the stack */
          return 0;
      }

  28. strncat off-by-one problem

      /*
       * strncat() off-by-one problem
       * kk_qq@263.net
       */
      #include <stdio.h>
      #include <string.h>

      int main(int argc, char **argv)
      {
          char buf[50];
          strcpy(buf, "This is buf2");
          /* strncat copies up to n chars AND then writes a NUL: n must leave room for it */
          strncat(buf, argv[1], sizeof(buf) - strlen(buf));
          printf("length: %zu content:%s\n", strlen(buf), buf);
          return 0;
      }

  29. Underflow problem

      /* underflow problem
       * strncpy() NULL termination problem
       * kk_qq@263.net
       */
      #include <stdio.h>
      #include <string.h>

      int main(int argc, char **argv)
      {
          char buf[50];
          //buf[49] = '\0';
          strncpy(buf, argv[1], sizeof(buf) - 1);   /* no NUL if argv[1] has 49 or more chars */
          /* with buf unterminated, strlen(buf) exceeds 49 and the subtraction wraps around */
          printf("size:%zx, strlen:%zx remain:%zx\n", sizeof(buf), strlen(buf),
                 sizeof(buf) - strlen(buf) - 1);
          strncat(buf, argv[2], sizeof(buf) - strlen(buf) - 1);
          printf("length:%zu content:%s\n", strlen(buf), buf);
          return 0;
      }

  30. Misuse of the return value of snprintf()

      /* misuse of return value in snprintf()
       * kk_qq@263.net
       * ./a.out `perl -e 'print "A" x51'` `perl -e 'print "B" x20'`
       */
      #include <stdio.h>

      int main(int argc, char **argv)
      {
          char buf[50];
          char *ptr;
          ptr = buf;
          //buf[49-1] = '\0';
          /* snprintf returns the length it WOULD have written (51), not what fit (49) */
          ptr += snprintf(ptr, sizeof(buf), "%s", argv[1]);
          /* ptr now points past the end of buf and sizeof(buf) - (ptr - buf) wraps around */
          ptr += snprintf(ptr, sizeof(buf) - (ptr - buf), "%s", argv[2]);
          printf("%s\n", buf);
          return 0;
      }

  31. strncpy & strncat
  • strncpy
      strncpy(dst, src, sizeof(dst) - 1);
      dst[sizeof(dst) - 1] = '\0';
  • strncat
      strncat(dst, src, sizeof(dst) - strlen(dst) - 1);
      dst[sizeof(dst) - 1] = '\0';
  • Or avoid these functions altogether, as qmail does
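Slides 28 to 31 each turn on the same two mistakes: computing the remaining room from an unterminated destination, and advancing a cursor by snprintf()'s return value. The following is an added example, not the slides' code: bounded_append and bounded_printf_append (assumed names) handle both cases, and join_two is a safe rewrite of slide 30's two-snprintf() program on a 50-byte buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bounded append. The destination length is measured with memchr() so a dst
 * that has lost its terminator (the "underflow" slide) cannot wrap the
 * subtraction, and the NUL always lands inside the buffer (no off-by-one).
 * Returns the length the joined string would have; > size-1 means truncated. */
size_t bounded_append(char *dst, const char *src, size_t size)
{
    const char *nul = memchr(dst, '\0', size);      /* bounded strlen(dst) */
    size_t dlen = nul ? (size_t)(nul - dst) : size;
    size_t slen = strlen(src), n = slen;
    if (!nul)                            /* unterminated dst: leave it alone */
        return dlen + slen;
    if (n > size - dlen - 1)             /* cannot wrap: dlen <= size-1 here */
        n = size - dlen - 1;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Formatted append that honours snprintf()'s contract: the return value is
 * the length that WOULD have been written, so the cursor is clamped to the
 * buffer instead of advanced blindly (the slide's ptr += snprintf() bug).
 * `used` is the current cursor; the updated cursor is returned. */
size_t bounded_printf_append(char *dst, size_t size, size_t used,
                             const char *fmt, ...)
{
    va_list ap;
    int n;
    if (used >= size)
        return used;                     /* buffer full: write nothing */
    va_start(ap, fmt);
    n = vsnprintf(dst + used, size - used, fmt, ap);
    va_end(ap);
    if (n < 0)
        return used;                     /* encoding error: cursor unchanged */
    if ((size_t)n >= size - used)
        return size - 1;                 /* truncated: park on the NUL slot */
    return used + (size_t)n;
}

/* Safe rewrite of the slide's two-snprintf() program on a 50-byte buffer;
 * returns the length of the string that was actually stored. */
size_t join_two(const char *a, const char *b)
{
    char buf[50];
    size_t used = bounded_printf_append(buf, sizeof buf, 0, "%s", a);
    used = bounded_printf_append(buf, sizeof buf, used, "%s", b);
    return strlen(buf);
}
```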

  32. Question & Answer
  Next topic: non-x86 & (the Eight Diagrams)

  33. Buffer overflow on non-x86 architectures
  • SPARC/Solaris
    • The return address of the current function is saved in a register.
    • Computer architecture: register windows
    • Leaf functions and non-leaf functions
  • PA-RISC/HP-UX
    • Buffer grows upwards
    • Stack grows upwards
    • Leaf functions and non-leaf functions
  • MIPS/VxWorks (Cisco IOS hacking)
  • PowerPC/AIX
  • MIPS/IRIX

  34. What's ideal hacking??
  • Not intruding
  • Not blackhat && whitehat
  • Not inside details
  • "exploring the limits of what is possible, in a spirit of playful cleverness"
    • Richard Stallman
  • Hacking: how the world works.
  • Hacking: finding the way to a free world.

  35. Wonderful hacking world
  • http://lsd-pl.net
    • The poor and great hacking in Argus System.
  • http://team-teso.net
  • http://www.wiretrip.net/rfp/
  • http://www.big.net.au/~silvio/

  36. References
  • http://www.immunix.org/StackGuard/discex00.pdf
  • http://www.phrack-dont-give-a-shit-about-dmca.org/phrack/49/P49-14
  • http://www.phrack-dont-give-a-shit-about-dmca.org/phrack/60/p60-0x0a.txt
  • http://www.phrack-dont-give-a-shit-about-dmca.org/phrack/58/p58-0x0b
  • http://www.phrack-dont-give-a-shit-about-dmca.org/phrack/57/p57-0x08
  • http://www.blackhat.com//presentations/bh-usa-02/bh-us-02-iss-sourceaudit.ppt

  37. Thanks. Question & Answer