Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Programming

Stack Overflow

advertisement 
Intro to Exploitation
Stack Overflows
James McFadyen
UTD Computer Security Group
10/20/2011
Intro to Exploitation

Only an intro to stack overflow

Basic theory and application

One of many types of exploitation
Outline

What is a buffer overflow?

Tools

Vulnerable C Functions

Remember the memory

Learn to love assembly

Stack overflow

Protection Mechanisms

ret2libc in Linux
Buffer Overflow

“In computer security and programming, a
buffer overflow, or buffer overrun, is an
anomaly where a program, while writing data
to a buffer, overruns the buffer's boundary
and overwrites adjacent memory. This is a
special case of violation of memory safety.” Wikipedia
Buffer Overflow


In our examples..
Give the program too much input, hijack the
instruction pointer (EIP)

Control EIP

Execute arbitrary code locally or remotely

Achieve what we want as elevated user
Tools

Linux


GDB, gcc, vi, perl/python/ruby, readelf,
objdump, ltrace, strace, ropeme
Windows

WinDBG, OllyDBG, ImmunityDBG, IDA,
Python, Mona (ImmunityDBG plugin)
Vulnerable C Code

strcpy(), strncpy()

strcat(), strncat()

sprintf(), snprintf()

gets()

sscanf()

Many others...
Vulnerable C Code

strcpy() doesn't check size

If we have
char buf[128];
strcpy(buf, userSuppliedString);

This makes it too easy...
Vulnerable C Code

char *strncpy(char *dest, const char *src, size_t n);

We have a size, but what if..
strncpy(somebuffer, str, strlen(str));

or..
strncpy(somebuffer, str, sizeof(somebuffer));

Where str is supplied by user
Vulnerable C Code

Common bug, proper fix:
strncpy(somebuffer, str, sizeof(somebuffer)-1);
Vulnerable C Code

char *strncat(char *dest, const char *src, size_t n);

Ex:
int vulnerable(char *str1, char *str2)
{
char buf[256];
strncpy(buf, str1, 100);
strncat(buf, str2, sizeof(buf)-1);
return;
}
Vulnerable C Code

Fix: strncat(buf, str2, sizeof(buf) - strlen(buf) -1);
Remember the Memory
Low
Text
Data
BSS
Heap
Stack
High
Code segment, machine instr.
Initialized global and static
variables
Uninitialized global and static
variables
Dynamic space.
malloc(...) / free(...)
new(...) / ~
Program scratch space.
Local variables, pass
arguments, etc..
* Taken from Mitchell Adair's “Stack Overflows”
Remember the Memory:
The Stack
Low
ESP
local variables
...
EBP
EBP - x
EBP
RET
arguments...
previous stack frame
EBP + x
High
* Taken from Mitchell Adair's “Stack Overflows”
Love the Assembly
EIP – Extended Instruction
Pointer
ESP – Extended Stack Pointer
EBP – Extended Base Pointer
Next Instruction executed
Top of stack
Base Pointer
EAX
Accumulator register
EBX
Base register
ECX
Counter register
EDX
Data register
ESI
Source index
EDI
Destination Index
* Taken from Mitchell Adair's “Stack Overflows”
Stack Overflow
ESP
char buf[100]
100 bytes
EBP
EBP
RET
4 bytes
4 bytes
argc
*argv[]
* Taken from Mitchell Adair's “Stack Overflows”
Stack Overflow
ESP
Ex: $ ./program $(python -c 'print "A" * 108 ')
108 bytes
( 0x41 * 108)
Ret will pop the instruction pointer
off of the stack
EIP will now point to 0x41414141
100 bytes
EBP
RET
EBP
RET overwritten
RET
argc
*argv[]
4 bytes
4 bytes
* Taken from Mitchell Adair's “Stack Overflows”
Stack Overflow
Ex: $ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ')
ESP
104 bytes
( 0x41 * 104
EIP will now point to 0xdeadbeef
We can now point EIP where we want
100 bytes
EBP
RET
EBP
0xdeadbeef
RET
4 bytes
4 bytes
argc
*argv[]
* Taken from Mitchell Adair's “Stack Overflows”
Stack Overflow
$ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde”
')

We have 104 bytes for a payload

Payload can be anything, but for our purpose
we would spawn a shell

The payload will be fixed size, so when we
insert it, we must reduce the # of A's by the
size of the payload
Stack Overflow
$ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde”
')

If we had a 32 byte payload .. (real payload will not
be a bunch of \xff)
$ ./program $(python -c 'print "A" * 72 +
“\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x
ff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff” +
“\xef\xbe\xad\xde” ')


We have adjusted the buffer so the payload will fit
We will then have to point EIP (\xef\xbe\xad\xde) to our
payload on the stack
Stack Overflow
$ ./program $(python -c 'print "A" * 72 +
“\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x
ff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff” +
“\xef\xbe\xad\xde” ')




“\xef\xbe\xad\xde” would be replaced with the address
of our payload
EIP will now point to the address of our payload,
which will spawn a shell
NOPs help create a bigger “landing area”
This technique is not very effective anymore...
why?
Protection Mechanisms
(Windows)

DEP – Data execution Prevention


/GS Flag – cookie / canary


detects if stack has been altered
SafeSEH – Structured Exception Handler


Can't execute on the stack
Try / except, catches exceptions
ASLR - Address Space Layout
Randomization

Randomizes addresses in memory
Protection Mechanisms (Linux)


NX – Stack Execute Invalidation

Processor feature

Like DEP, can't execute on the stack
Stack Smashing Protection – cookie / canary



Generally enabled by default
ASLR - Address Space Layout
Randomization
Many other compiler protections...
ret2libc

Bypasses NX

Point EIP to a function in libc


system(), exec() etc...
system(“/bin/sh”);

We will get a shell by using the system()
function in libc
ret2libc
$ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde”
')


We don't need the payload where the A's are
anymore
We now will point EIP to the address of
system(), then the next 4 bytes will be a
return address, followed by system()
arguments (which will be /bin/sh)
$ ./program $(python -c 'print "A" * 104 +
address_of_system + return_address + payload ')
Demo!

How to use GDB for exploitation

Exploring the stack

Finding important memory addresses
(ret2libc)

Breakpoints

Using Perl/Python/Ruby for arguments in GDB

Basic Stack Overflow

Ret2libc
Additional Resources

https://www.corelan.be/index.php/articles/

http://beej.us/guide/bggdb/

http://en.wikibooks.org/wiki/X86_Assembly

http://www.alexonlinux.com/how-debuggerworks

http://smashthestack.org/

http://intruded.net/
Sources


“Source Code Auditing” - Jared Demott
“Smashing the stack in 2010” - Andrea
Cugliari + Mariano Graziano

“Stack Overflows” - Mitchell Adair

http://en.wikipedia.org/wiki/Buffer_overflow

http://en.wikipedia.org/wiki/Return-tolibc_attack
Related documents
Exploit Development slides
Exploit Development slides
An open source QA stack
An open source QA stack
Slides for lecture 22
Slides for lecture 22
Slides for lecture 20
Slides for lecture 20
File
File
Automated Analysis and Signature Generation for Script
Automated Analysis and Signature Generation for Script
Combining proportions
Combining proportions
NodeJS
NodeJS
Document
Document
The Internet- A Boon or A Curse - Joy
The Internet- A Boon or A Curse - Joy
hTut_0134
hTut_0134
Download
advertisement