CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.

Slides:



Advertisements
Similar presentations
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Advertisements

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow
1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Computer Security Buffer Overflow lab Eu-Jin Goh.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow I: Attack Introduction Cliff Zou Spring 2012.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Buffer overflows.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Buffer Overflow Computer Organization II 1 © McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint.
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Practical Session 4. Labels Definition - advanced label: (pseudo) instruction operands ; comment valid characters in labels are: letters, numbers, _,
Mitigation of Buffer Overflow Attacks
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.
CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks.
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
Smashing the Stack Overview The Stack Region Buffer Overflow
Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Section 3.4: Buffer Overflow Attack: Attack Techniques 1.
Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
Introduction to Information Security ROP – Recitation 5.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow I: Attack Introduction Cliff Zou Spring 2015.
JMU GenCyber Boot Camp Summer, Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations.
CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.
Objective Explain basic fuzzing with concrete coding example
Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)
CS426Fall 2010/Lecture 141 Computer Security CS 426 Lecture 14 Software Vulnerabilities: Format String and Integer Overflow Vulnerabilities.
ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.
Gnu Debugger (GDB) Topics Overview Quick Reference Card Readings: Quick Reference Card February 4, 2010 CSCE 212Honors Computer Organization.
Heap Overflows. What is a Heap? malloc(), free(), realloc() Stores global variables Automatic memory allocation/deallocation Allocated at runtime Implemented.
Refs: rootshell, antionline, your favorite hacker site…
Mitigation against Buffer Overflow Attacks
Instructions for test_function
CSCE 212Honors Computer Organization
Introduction to Information Security
Homework Reading Machine Projects Labs PAL, pp ,
CSC 495/583 Topics of Software Security Stack Overflows (2)
Recitation: Attack Lab
CMSC 414 Computer and Network Security Lecture 21
Objective Explain basic fuzzing with concrete coding example
SEED Workshop Buffer Overflow Lab
Advanced Buffer Overflow: Pointer subterfuge
Assembly Language Programming I: Introduction
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
CNT4704: Analysis of Computer Communication Network Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Fall 2011.
Week 2: Buffer Overflow Part 2.
Software vulnerabilities
Malware and Software Vulnerability Analysis Fuzzing Test Example Cliff Zou University of Central Florida.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
CSCE 212Honors Computer Organization
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
Several Tips on Project 1
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2010.
Format String Vulnerability
Return-to-libc Attacks
Presentation transcript:

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014

2 A Stack Frame Parameters Return Address Calling Stack Pointer Added Protection Local Variables Addresses SP SP+offset SP: stack pointer BP: base/frame pointer Calling stack pointer: previous function’s SP BP

Using GDB to Check Stack  GDB tutorial:    When compile the c code, use “gcc –g …..” so that Gdb can match source code line number with code  Some knowledge:  Register eip: instruction pointer, the current position of next executable instruction  Register ebp: stack pointer, the top of the current stack, used for addressing local variable 3

 Related Gdb Commands:  List: list the source code and each execution’s corresponding line number  Break linenumber: set breakpoint at the linenumber  Break test.c:foo break when program run in the foo() function in test.c file.  Run argv: run the execution code with the parameter argv  Next: execute the next line of code  Backtrace: show trace of all function calls in stack  Info frame: List address, language, address of arguments/local variables and which registers were saved in frame.  This will show where the return address is saved  Return address is in Register EIP  Calling stack pointer is in Register EBP  x &variable: show the address and value of a local variable (in hex format)  x address: print binary representation of 4 bytes of memory pointed to by address. 4

Example of Using GDB #include void foo(char * input){ int a1=11; int a2=22; char buf[7]; strcpy(buf, input); } void main(int argc, char **argv){ foo(argv[1]); } Question: What does the stack look like before strcpy()? 5

7 setarch i686 –R gdb./gdb-example (gdb) list 1 #include 2 void foo(char * input){ 3 int a1=11; 4 int a2=22; 5 char buf[7]; 6 strcpy(buf, input); 7 } 8 void main(int argc, char **argv){ 9 foo(argv[1]); 10 } (gdb) break 6 Breakpoint 1 at 0x : file gdb-example.c, line 6. (gdb) run “what is this? a book” Starting program: /home/czou/buffer-code/gdb-example “what is this? a book" Breakpoint 1, foo (input=0xbffff838 " ") at gdb-example.c: 6 strcpy(buf, input); 6 Remove address randomization used in Unix (will talk in next lecture)

(gdb) info frame Stack level 0, frame at 0xbffff620: eip = 0x in foo (gdb-example.c:6); saved eip 0x called by frame at 0xbffff640 source language c. Arglist at 0xbffff618, args: input=0xbffff82d "what is this? a book" Locals at 0xbffff618, Previous frame's sp is 0xbffff620 Saved registers: ebp at 0xbffff618, eip at 0xbffff61c (gdb) x &a1 0xbffff5fc: 0x b (gdb) x &a2 0xbffff600: 0x (gdb) x buf 0xbffff605: 0xf

Two Techniques for Generating Stack Overflow Codes

NOPs  Most CPUs have a No-Operation instruction – it does nothing but advance the instruction pointer.  Usually we can put a bunch of these ahead of our program (in the string).  As long as the new return-address points to a NOP we are OK.

Using NOPs Real program (exec /bin/ls or whatever) new return address nop instructions Can point anywhere in here

Estimating the stack size  We can also guess at the location of the return address relative to the overflowed buffer.  Put in a bunch of new return addresses!

Estimating the Location Real program new return address nop instructions new return address

Explanation of Project 1 13 Target.c code vulnerability: int foo(char* arg, short arglen) { char buf[100]; int i, maxlen = 100; int len; if (arglen < maxlen) { len = strlen(arg); strncpy(buf, arg, len); If input to foo(*arg, Big_Value) where Big_Value overflows ‘short’, then arglen could be negative value and passes the if() security check.

Explanation of Project 1 14 In the exploit.c code: #define TARGET “/home/czou/cap6135-project1/targets/target” Need to be changed to point to your own target executable code Change args[1] = “…….."; args[1] needs to point to a large buffer that can cause overflow to target code You can define such a large buffer in exploit.c and make args[1] points to it. Your main task is to: Find out where in stack stores the return address Find out where is the starting address of ‘buf’ in foo() in target code Fill the shellcode[] into the large buffer in your exploit code (which will fill the ‘buf’ variable in target code) Assign the starting address of buf to the right place in the large buffer in your exploit code in order to overwrite the return address, then CPU will run the shellcode you put at the start of buf variable.

Several Tips on Project 1 1.Be sure to use the Makefile to generate executable of both exploit program and target program At both./exploit and./target directory, run “make” 2.Be sure to use “setarch i686 -R” in front of every execution, including both Gdb and./exploit 3.You can use “break target.c:foo” to set breakpoint upon entering foo() function. 4.Fill the shell executable code (in the string array shellcode[]) byte-by-byte into the buffer for your modified return address to execute, do not use strcpy() because shellcode[] is not an ASCII string. 5.Make sure the long string you create has no NULL byte except the last byte

Several Tips on Project 1 16 As an example, suppose we know that: 1.The address of ‘buf’ in target.c is: 0xbfff The address of the function’s return address (eip) is 0xbfff We put the shellcode[] at the beginning of ‘buf’. How to Overwrite the return address to execute shellcode? 1.0xbfff0100 – 0xbfff0000 = 0x100 = 256 in decimal 2.Since address in 32-bit machine is 4 bytes and Eustis is a little- endian machine: buf[256] = 0x00; buf[257] = 0x00; buf[258] = 0xff; buf[259] = 0xbf; In this way, we have changed the flow to the beginning of shellcode!