Smashing the Stack for Fun and Profit

Slides:



Advertisements
Similar presentations
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Advertisements

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Buffer Overflow By: John Quach and Napoleon N. Valdez.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Buffer Overflow. Process Memory Organization.
Buffer Overflows Ian Kayne For School of Computer Science, University of Birmingham 16 th February 2009.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Computer Security and Penetration Testing
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
Host and Application Security Lesson 10: Code Injection.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Mitigation of Buffer Overflow Attacks
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.
1 Application Security: Electronic Commerce and Chapter 9 Copyright 2003 Prentice-Hall.
CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks.
Smashing the Stack Overview The Stack Region Buffer Overflow
Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
Introduction to Information Security ROP – Recitation 5.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.
ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Let’s look at an example
Shellcode COSC 480 Presentation Alison Buben.
Refs: rootshell, antionline, your favorite hacker site…
Buffer Overflow By Collin Donaldson.
Mitigation against Buffer Overflow Attacks
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Protecting Memory What is there to protect in memory?
Introduction to Information Security
The Hardware/Software Interface CSE351 Winter 2013
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
CSC 495/583 Topics of Software Security Stack Overflows (2)
CMSC 414 Computer and Network Security Lecture 21
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Software Security Lesson Introduction
Lecture 9: Buffer Overflow*
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
Week 2: Buffer Overflow Part 2.
Buffer Overflows.
Anatomy of the Buffer Overflow
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
System and Cyber Security
FIGURE Illustration of Stack Buffer Overflow
Several Tips on Project 1
Return-to-libc Attacks
Presentation transcript:

Smashing the Stack for Fun and Profit -by aleph1 circa 1996 Presented by Dan Frohlich

Overview Memory and Stack basics. The buffer overflow vulnerability. Take control. Spawn a shell. Issues. Guesswork and Increasing your chance of success. Questions?

Memory Basics. The Code or Text section is usually read only, preventing self-modifying code.

A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function returns and it’s stack frame is POP’d.

The buffer overflow vulnerability. The user injected data writes beyond the unchecked buffer length, overwriting the stack frame return address!

Take control. The last byte of the buffer is the return address. To run arbitrary code of the users choice, set to the address of the buffer.

Spawn a shell. Write code such that a shell if spawned. provides platform independent code to spawn a shell. Shell command is executed in the program’s security context . Allows user impersonation If program is running as root, the user now has total control of the host!

Issues. What to exploit? What is the return address? grep is your friend grep the source for strcpy, strcat, etc. What is the return address? Can not be known at runtime. Must be guessed. Dealing with small buffers. Place shell code in an environment variable.

Guesswork and Increasing your chance of success. Stack sizes are application dependant but 100 to 1000 bytes are good guesses. Prolog your exploit with NOOPs!

Questions? aleph1 uses a combination of JMP and CALL in his buffer. Why is this necessary? Can’t you just right buffer of NOOPs followed by the return address of the shell command environment variable?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.