
Buffer overflow overview

Presentation Transcript


  1. Buffer overflow overview Speaker: Nickle@NSC

  2. Agenda • Introduction • Buffer overflow • Stack overflow • Heap overflow • bss overflow • Demo • Conclusion • Reference

  3. Introduction • Some major CPU registers • EIP – extended instruction pointer • EBP – extended base pointer • ESP – extended stack pointer • Byte order of 4-byte words on x86 • Ordering is known as little-endian • E.g. 0x12345678 is stored, from low address to high address, as the bytes 78 56 34 12
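As an added example (not part of the slides), the byte order from slide 3 written out in code: a portable little-endian store/load pair for 4-byte words, plus a check of what this CPU does natively, so the 78 56 34 12 layout can be verified rather than taken on faith.

```c
/* Added example, not from the slides: little-endian layout of 4-byte words. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write v into out[0..3], least significant byte at the lowest address,
 * which is exactly how x86 lays a 32-bit word out in memory. */
void le32_store(uint32_t v, unsigned char out[4]) {
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Inverse of le32_store: rebuild the word from its four bytes. */
uint32_t le32_load(const unsigned char in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Byte at position idx (0 = lowest address) of v's little-endian encoding. */
unsigned char le32_byte(uint32_t v, int idx) {
    unsigned char b[4];
    le32_store(v, b);
    return b[idx & 3];
}

/* Store then load; must return v unchanged on any host byte order. */
uint32_t le32_roundtrip(uint32_t v) {
    unsigned char b[4];
    le32_store(v, b);
    return le32_load(b);
}

/* 1 if this CPU stores words little-endian (as x86 does), else 0. */
int native_is_little_endian(void) {
    uint32_t v = 0x12345678u;
    unsigned char raw[4];
    memcpy(raw, &v, sizeof raw);        /* copy the in-memory bytes as they are */
    return raw[0] == 0x78 && raw[3] == 0x12;
}

int main(void) {
    printf("0x12345678 from low to high address:");
    for (int i = 0; i < 4; i++) printf(" %02x", le32_byte(0x12345678u, i));
    printf("\nnative byte order is %s-endian\n",
           native_is_little_endian() ? "little" : "big");
    return 0;
}
```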

  4. Introduction cont. • Memory segmentation, from low address to high address: text segment, data segment, bss segment, heap segment, stack segment; text, data and bss are fixed size, heap and stack are variable size • text - stores code • data - global variables • bss - static variables • heap - other variables • stack • Function call parameters • Function call context • Local variables

  5. Introduction cont. • Function stack layout for the program function.c below, from low address (top of stack, where ESP points) to high address: buffer, flag, saved EBP (stack frame pointer), return address, then the arguments a, b, c, d

    /* function.c */
    void function(int a, int b, int c, int d)
    {
        char flag;        /* sits above buffer, below the saved EBP */
        char buffer[10];  /* lowest address in the frame */
    }

    int main(void)
    {
        function(1, 2, 3, 4);
        return 0;
    }

  6. Buffer overflow • Buffer overflow introduction • Demo code vuln.c • Category of buffer overflow • Stack-based overflows • Heap • bss-based overflows

  7. Buffer overflow cont. • Stack-based overflow • The input is much bigger than the buffer size declared in the function • Overwrite the return address field • The return address is replaced with the address where the code we want to run is located • Diagram, from low address to high address: buffer filled with AAAAAAAA …, then the stack frame pointer and the return address, both overwritten (shown as 0x00fedc and ?)
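Added example (not from the slides or the speaker's vuln.c): the unchecked copy the slide describes, beside a checked version that measures the input against the declared buffer size and rejects anything that does not fit with its terminating NUL. BUF_SIZE, copy_checked and accept_input are names chosen here, not from the presentation.

```c
/* Added example, not from the slides: unchecked vs. bounds-checked copy. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10   /* same size as the buffer declared in slide 5 */

/* The pattern from the slide: the copy trusts the input length, so any
 * byte past BUF_SIZE-1 spills into the saved frame pointer and return
 * address that sit above the buffer in the frame. Undefined behaviour
 * for long input; only ever called here with input that fits. */
void copy_unchecked(const char *input) {
    char buffer[BUF_SIZE];
    strcpy(buffer, input);            /* no bound on the copy */
    printf("copied: %s\n", buffer);
}

/* Hardened form: find the NUL within out_size bytes before writing
 * anything. Returns 0 on success, -1 if the input does not fit. */
int copy_checked(const char *input, char *out, size_t out_size) {
    size_t len = 0;
    while (len < out_size && input[len] != '\0')
        len++;
    if (len == out_size)              /* no NUL within out_size: too long */
        return -1;
    memcpy(out, input, len + 1);      /* len + 1 <= out_size, includes the NUL */
    return 0;
}

/* The slide's fixed-size local buffer, guarded by copy_checked. */
int accept_input(const char *input) {
    char buffer[BUF_SIZE];
    int rc = copy_checked(input, buffer, sizeof buffer);
    if (rc == 0)
        printf("accepted: %s\n", buffer);
    return rc;
}

int main(void) {
    const char *fits = "123456789";                   /* 9 chars + NUL = 10 */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* 24 chars, constructed */
    copy_unchecked(fits);                             /* safe only because it fits */
    printf("%s -> %d\n", fits, accept_input(fits));           /* 0  */
    printf("%s -> %d\n", too_long, accept_input(too_long));   /* -1 */
    return 0;
}
```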

  8. Buffer overflow cont. • Two techniques • NOP instruction (does nothing) • Flooding the end of the buffer with RET • Hybrid result • Diagram: NOP sled - NOP NOP NOP NOP NOP NOP SHELL CODE in the buffer, followed by SFP and RET ADDR; RET flooding - SHELL CODE RET RET RET RET; hybrid - NOP NOP NOP NOP SHELL CODE RET RET RET RET

  9. Buffer overflow cont. • Heap overflow • Diagram (heap memory space): an input buffer stores the content for writing (myroot::0:0:me:/root:/bin/sh), and an adjacent output buffer stores the name of the written file (/etc/passwd); overflowing the input buffer reaches the output buffer before the write into the file

  10. Buffer overflow cont. • bss-based overflow • static buffer • $ nm PROGRAM • Overflow the address of function1 or function2 • Symbols list in the bss field:

    08049670 A _edata
    08049690 A _end
    080484f8 T _fini
    0804830c T _init
             U _init_tls
    08048360 T _start
             U atexit
    08049670 b completed.1
    0804968c B environ
             U exit
    08048440 t frame_dummy
    0804848c T function1
    08048498 T function2
    080484a4 T main
    08049674 b object.2
    080495a4 d p.0

  11. Demo • vuln.c • Target program for exploiting • Change owner to root • Set UID program • exploit.c • Shellcode → get shell with root privilege • Exploit buffer layout (600 bytes): 200 bytes of NOP, 68 bytes of SHELL CODE, then RET RET RET RET

  12. Stack memory layout • Diagram, from low address to high address (the stack grows toward low addresses): vuln.c frame - ESP (0xbfbfe720), Buffer (500), SFP (4), RET (4), ARG (?); … ; exploit.c frame - ESP (0xbfbfeb68), SFP (4), RET (4), ARG (?) • The two ESP values are 1096 bytes apart

  13. Stack memory layout cont. • Diagram, from low address to high address (the stack grows toward low addresses): vuln.c frame - ESP (0xbfbfe720), Buffer (500), SFP (4), RET (4), ARG (?); … ; exploit.c frame - ESP (0xbfbfeb68), SFP (4), RET (4), ARG (?), Argv[1] holding the Shell code (600) • The 600-byte Overflow covers vuln.c's Buffer, SFP and RET; the distance from there to the shellcode in Argv[1] is the unknown "? byte" offset • The two ESP values are 1096 bytes apart

  14. Demo cont. • Some suggestions • The exploit buffer should be 100 bytes larger than the target buffer • The offset is often within ±1000 • Any null byte in the shellcode will be treated as the end of the string, so null bytes should be removed • Shellcode generator - libshellcode • Shellcode can be placed in an environment variable:

    [csie0][nickle][~]> setenv SHELLCODE `cat SHELLCODE`
    [csie0][nickle][~]> ./getenvaddr SHELLCODE
    SHELLCODE is located at 0xbfbfee94
    [csie0][nickle][~]>

  15. Conclusion • A powerful technique for exploiting • Creative!! • Every bound of every buffer you declare must be checked carefully • Next topic may be format strings

  16. Reference • Hacking: The Art of Exploitation, Jon Erickson • Shell code - http://freeworld.thc.org/papers/OVERFLOW.TXT • http://www.unixwiz.net/techtips/win32-callconv-asm.html