IAP Practical Computer Security Buffer Overflow Attacksweb.mit.edu/iap-security/www/BO.pdf ·...
Transcript of IAP Practical Computer Security Buffer Overflow Attacksweb.mit.edu/iap-security/www/BO.pdf ·...
Buffer Overflow Attacks
1
IAP Practical Computer Security
History
2
IAP Practical Computer Security
1960s 1970s 1990s Today 1980s
Vulnerability exploited on time-share machines
Attacks on early networked machines
Morris Worm uses buffer overflow in
taking down significant portion of the Internet
Buffer overflow attacks become (arguably) the most pressing
security concerns facing the web (e..g., in 1998, 2/3 of CERT advisories
were buffer overflow related)
The problem persists (e.g., IE VML advisory from
two months ago).
Memory Layout
3
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses
Memory Layout
4
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
Memory Layout
5
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
Memory Layout
6
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
sp
fp
Memory Layout
7
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
sp
fp 2
Memory Layout
8
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
sp
fp 2
1
Memory Layout
9
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
sp
fp 2
1
ret
Memory Layout
10
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
sp
fp 2
1
ret
sfp
Memory Layout
11
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
sp
fp 2
1
ret
sfp
Memory Layout
12
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
sp
fp 2
1
ret
sfp
Memory Layout
13
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; } void main() {
func(1,2); }
pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $24, %esp
sp
fp 2
1
ret
sfp
buffer
Memory Layout
14
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; strcpy(buffer, bigstr); }
sp
fp 2
1
ret
sfp
buffer
Memory Layout
15
IAP Practical Computer Security
Text
Data
Heap
Stack High Addresses
Low Addresses void func(int a, int b) {
char buffer[10]; strcpy(buffer, bigstr); }
sp
fp 2
1
ret
sfp bigstr
Sample Attacks
16
IAP Practical Computer Security
Modify local variables
Modify return address to skip/repeat code
Modify return address to run evil code
Modify Local Variables
17
IAP Practical Computer Security
Modify local variables
Modify return address to skip/repeat code
Modify return address to run evil code
Modify Local Variables
18
IAP Practical Computer Security
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8];
strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp … }
Modify Local Variables
19
IAP Practical Computer Security
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8];
strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp … }
ret
sfp
query
subject[]
recp[]
Modify Local Variables
20
IAP Practical Computer Security
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8];
strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp … }
ret
sfp
query
subject[]
recp[]
Modify Local Variables
21
IAP Practical Computer Security
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8];
strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp … }
ret
sfp
subject[]
recp[]
query
Repeat Code…
22
IAP Practical Computer Security
Modify local variables
Modify return address to skip/repeat code
Modify return address to run evil code
Repeat Code…
23
IAP Practical Computer Security
b
a
ret
sfp
buffer
void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); }
main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }
Repeat Code…
24
IAP Practical Computer Security
b
a
ret
sfp
buffer
void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); }
main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }
Repeat Code…
25
IAP Practical Computer Security
b
a
ret
sfp
void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); }
main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }
addr
Repeat Code…
26
IAP Practical Computer Security
b
a
ret
sfp
void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); }
main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }
buffer
Repeat Code…
27
IAP Practical Computer Security
b
a
ret
sfp
void func(int a, int b) { printf("Inside func loop.\n"); char buffer[4]; gets(buffer); }
main() { printf("about to call func.\n"); func(5,6); printf("done.\n"); }
addr
Sample Attacks
28
IAP Practical Computer Security
Modify local variables
Modify return address to skip/repeat code
Modify return address to run evil code
Running Evil Code…
29
IAP Practical Computer Security
2
1
ret
sfp
buffer
void func(int a, int b) { char buffer[32];
gets(buffer); … }
Running Evil Code…
30
IAP Practical Computer Security
2
1
void func(int a, int b) { char buffer[32];
gets(buffer); … }
evil code evil code evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
Running Evil Code…
31
IAP Practical Computer Security
2
1
void func(int a, int b) { char buffer[32];
gets(buffer); … }
evil code evil code evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
Running Evil Code…
32
IAP Practical Computer Security
2
1
void func(int a, int b) { char buffer[32];
gets(buffer); … }
evil code evil code evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
Running Evil Code…
33
IAP Practical Computer Security
2
1
void func(int a, int b) { char buffer[32];
gets(buffer); … }
evil code evil code evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
Running Evil Code…
34
IAP Practical Computer Security
2
1
void func(int a, int b) { char buffer[32];
gets(buffer); … }
evil code evil code evil code evil code nop nop nop nop nop nop nop nop nop nop nop 0x80483eb
????
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
35
IAP Practical Computer Security
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
36
IAP Practical Computer Security
movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve>
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
37
IAP Practical Computer Security
movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve>
0xffffffff
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
38
IAP Practical Computer Security
movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve>
0xffffffff
0x80884a8 0xfffffff8
“/bin/sh”
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
39
IAP Practical Computer Security
movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve>
0xffffffff
0x80884a8 0xfffffff8
NULL 0xfffffffc
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
40
IAP Practical Computer Security
movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve>
0xffffffff
0x80884a8 0xfffffff8
NULL 0xfffffffc
name
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
41
IAP Practical Computer Security
movl $0x80884a8,0xfffffff8(%ebp) movl $0x0,0xfffffffc(%ebp) push $0x0 lea 0xfffffff8(%ebp),%eax push %eax pushl 0xfffffff8(%ebp) call 0x804d880 <execve>
0xffffffff
0x80884a8 0xfffffff8
NULL 0xfffffffc
NULL
0xfffffff8
0x80884a8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
42
IAP Practical Computer Security
0xffffffff
0x80884a8 0xfffffff8
NULL 0xfffffffc
NULL
0x80884a8
0xfffffff8
ret
sfp fp (ebp)
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
43
IAP Practical Computer Security
0xffffffff
0x80884a8 0xfffffff8
NULL 0xfffffffc
NULL
ret
sfp fp (ebp)
mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80
ebx 0x80884a8
0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
44
IAP Practical Computer Security
0xffffffff
0x80884a8 0xfffffff8
NULL 0xfffffffc
NULL
ret
sfp fp (ebp)
mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80
ebx ecx
0x80884a8
0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
45
IAP Practical Computer Security
0xffffffff
0x80884a8 0xfffffff8
NULL 0xfffffffc
NULL
ret
sfp fp (ebp)
mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80
ebx ecx edx
0x80884a8
0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
46
IAP Practical Computer Security
0xffffffff
0x80884a8 0xfffffff8
NULL 0xfffffffc
NULL
ret
sfp fp (ebp)
mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80
ebx ecx edx
0x80884a8
0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
Running Evil Code…
47
IAP Practical Computer Security
0xffffffff
0x80884a8 0xfffffff8
NULL 0xfffffffc
NULL
ret
sfp fp (ebp)
mov 0x8(%ebp),%ebx mov 0xc(%ebp),%ecx mov 0x10(%ebp),%edx mov $0xb,%eax int $0x80
ebx ecx edx
0x80884a8
0xfffffff8
Running Evil Code…
48
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
“bin/sh”
code
Running Evil Code…
49
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #1: Zero Bytes
Running Evil Code…
50
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #1: Zero Bytes Solution: Generate on the fly (e.g., push $0x0 = xor %eax, %eax push %eax )
Running Evil Code…
51
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address
code
ret’ ret’ ret’ ret’ ret’ ret’
Running Evil Code…
52
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address
code
ret’ ret’ ret’ ret’ ret’ ret’
Running Evil Code…
53
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address
code
ret’ ret’ ret’ ret’ ret’ ret’
Running Evil Code…
54
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right.
code ret’ ret’ ret’ ret’ ret’ ret’
nop nop nop
Running Evil Code…
55
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right.
code ret’ ret’ ret’ ret’ ret’ ret’
nop nop nop
Running Evil Code…
56
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right.
code ret’ ret’ ret’ ret’ ret’ ret’
nop nop nop
Running Evil Code…
57
IAP Practical Computer Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address Solution: Add a NOP landing pad to increase the chance that your guess is right.
code ret’ ret’ ret’ ret’ ret’ ret’
nop nop nop
Running Evil Code…
58
IAP Practical Computer Security
Part of your challenge!