Buffer Overflows. Ian Kayne, for School of Computer Science, University of Birmingham, 16th February 2009.

Slide 2 (02/20/09): Welcome
- Introduction
- Topics to be covered
- Useful areas of existing knowledge

Slide 3: Security Flaws
- User input? Buffer overflow!
- One of the most common coding flaws

    #include <stdio.h>

    int main() {
        char szName[10];                 /* fixed-size buffer on the stack */
        printf("Please enter your name: ");
        scanf("%s", szName);             /* no length limit: a name longer than 9 characters overflows szName */
        printf("Hello, %s!", szName);
        return 0;
    }
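The program on this slide is vulnerable because scanf("%s", ...) never learns how big szName is. The following is an added example, not code from the slides: a hypothetical helper read_name() that does the same job with fgets(), so at most bufsz-1 characters ever land in the buffer, and that reports truncation instead of silently corrupting the stack. stream_from() is a small test helper (also hypothetical) that turns a constructed string into a FILE* so the reader can be exercised without typing input.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for scanf("%s", szName). Reads one line from 'in'
 * into buf (at most bufsz-1 characters, always NUL-terminated).
 * Returns  1 if the whole line fit,
 *          0 if the line was longer than bufsz-1 and had to be truncated
 *            (the remainder of the line is consumed and discarded),
 *         -1 on EOF or read error (buf is set to ""). */
int read_name(FILE *in, char *buf, size_t bufsz)
{
    if (bufsz == 0)
        return -1;
    if (fgets(buf, (int)bufsz, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';             /* the line fit: drop the newline */
        return 1;
    }
    /* No newline seen: either the line was exactly bufsz-1 characters long
     * (next char is '\n' or EOF) or it was longer and must be drained. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                                /* discard the overflowing tail */
    return 0;
}

/* Test helper: a FILE* that yields the constructed text 'text'. */
FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void)
{
    char szName[10];                     /* same 10-byte buffer as the slide */
    printf("Please enter your name: ");
    int rc = read_name(stdin, szName, sizeof szName);
    if (rc < 0)
        return 1;
    printf("Hello, %s!%s\n", szName, rc ? "" : " (name truncated)");
    return 0;
}
```

The width is taken from sizeof szName at the call site, so changing the buffer size cannot desynchronise the check; the same effect can be had with scanf("%9s", szName), but the width literal then has to be kept in step with the array by hand.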

Slide 4: Buffer Overflows
- What is a buffer overflow?
- How does it work?
- "The stack"
- Last In First Out "buffer"/area of memory
- Stack addressing: largest first
- Stores data, parameters and return addresses

Slide 5: The Stack
- Section of the stack (representative)
[Stack diagram: a representative slice of the stack from 0x00004BF0 to 0x00004C5F, drawn 16 bytes per row. Free space sits below 0x00004C00; above it the rows hold data cells, the buffer, further data cells, the previous (saved) ebp and the return address, with "ebp points here" marking the saved frame pointer slot.]

Slide 6: The Stack
- How does this relate to code?
[Stack diagram: the same rows (data cells, buffer, data, ebp, return addr.) drawn beside the program; szName is the buffer cell.]

    int main() {
        char szName[10];
        printf("Please enter your name: ");
        scanf("%s", szName);
        printf("Hello, %s!", szName);
        return 0;
    }

Slide 7: Buffer Overflow
- Short names work: they fit in the buffer
[Diagram: the buffer holding "Ian Kayne\0" between the surrounding data cells]
- Long names will break the code
[Diagram: a run of "AAAAAAAAAAAA" filling the buffer and spilling over the data cells into the return address]

Slide 8: Buffer Overflow
- Interesting error, look closely!
- Big security warning!

Slide 9: Buffer Overflow
- Look at our stack representation again
[Diagram: buffer, data cells, frame pointer and return address, each cell now containing "A"]
- First we filled the buffer… then we overflowed to the return address

Slide 10: Buffer Overflow
- 0x41414141 is "AAAA" in memory: 0x41 is the ASCII code for "A"

Slide 11: Buffer Overflow
- Why do we want a buffer overflow?
- Code execution
- Victim process's security context
- How do we get from crash to code?

Slide 12: Buffer Overflow - Review
- Recap:
- "Grow downwards": largest address first
- Stack stores data
- Every function call has a return address pushed to the stack (next to the saved frame pointer that x86 ebp points to)
- Unchecked data lengths can overflow buffers
- Overflow and overwrite the return address
- So how do we get from crash to code?

Slide 13: Buffer Overflow
- Executable stack
- Provide shellcode/payload as buffer input
- Overwrite return address with buffer addr.
- What is shellcode?
- Difference between asm, machine code, shellcode
- NULLs, high ASCII etc…

Slide 14: Buffer Overflow
- First, write our shellcode:
  Pseudocode: GetUsername(); ElevatePrivilege();
  Pseudo-shellcode: \x6a\x35\x59\xe8\xff\xc1\x5e\x30\x4c\x0e
- Metasploit and other tools make this easy!
- Append address pointing to start of buffer
  Pseudo-shellcode: \x6a\x35\x59\xe8\xff\xc1\x5e\x30\x4c\x0e\x2C\x4C\x00\x00

Slide 15: Buffer Overflow
- Our shellcode maps to the stack layout:
[Diagram: the 14 bytes \x6a\x35\x59\xe8\xff\xc1\x5e\x30\x4c\x0e\x2C\x4C\x00\x00 laid over the buffer and data cells, with the last four bytes landing on the return address]

    int main() {
        char szName[10];
        printf("Please enter your name: ");
        scanf("%s", szName);
        printf("Hello, %s!", szName);
        return 0;
    }

Slide 16: Buffer Overflow
- One mystery left!
- What is \x2C\x4C\x00\x00 ?
[Stack diagram: the rows 0x00004C10-0x00004C1F, 0x00004C20-0x00004C2F and 0x00004C30-0x00004C3F, data cells with the buffer cell highlighted]
- Endian-ness: 0x00004c2c
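Slides 10 and 16 both turn on byte order: the same four bytes are "AAAA" when read as text and 0x41414141 when read as a 32-bit word, and the address 0x00004c2c is stored on an x86 machine as the byte sequence 2c 4c 00 00 because the least significant byte comes first. The following is an added example, not code from the slides, that carries out both conversions explicitly; the function names are hypothetical and the \xNN formatter reproduces the notation the slides use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Split a 32-bit value into the four bytes an x86 (little-endian) CPU
 * stores: least significant byte at the lowest address. */
void store_le32(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Inverse: read four bytes of memory as one little-endian 32-bit value.
 * Applied to "AAAA" this yields 0x41414141, the value from slide 10. */
uint32_t load_le32(const unsigned char in[4])
{
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Render bytes in the \xNN notation used on the slides.
 * out must hold at least 4*n+1 characters; returns characters written. */
size_t bytes_to_escaped(const unsigned char *b, size_t n, char *out, size_t outsz)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(out + pos, outsz - pos, "\\x%02x", b[i]);
        if (w < 0 || (size_t)w >= outsz - pos)
            break;                       /* out of room: stop cleanly */
        pos += (size_t)w;
    }
    return pos;
}

/* 1 if the machine running this code is little-endian (as x86 is). */
int host_is_little_endian(void)
{
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

int main(void)
{
    unsigned char bytes[4];
    char text[32];
    store_le32(0x00004c2cu, bytes);      /* the address from slide 16 */
    bytes_to_escaped(bytes, 4, text, sizeof text);
    printf("0x00004c2c in memory: %s\n", text);
    const unsigned char as[4] = {'A', 'A', 'A', 'A'};
    printf("\"AAAA\" as a word:     0x%08x\n", load_le32(as));
    printf("this host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```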

Slide 17: Buffer Overflow
- Buffer Overflow Demonstration

Slide 18: Metasploit

Slide 19: Metasploit

Slide 20: Metasploit

Slide 21: Buffer Overflow
- Direct jump is unreliable
- Rebasing (especially DLLs)
- "NOP sleds"
- NOP sled, then…
- Shellcode, then…
- Relative jump to shellcode somewhere in NOP sled
- Better method is jump using register

Slide 22: Buffer Overflow
- Jump using register
- Any register can point at the start of the buffer
- Inject shellcode to buffer as normal
- Overwrite return address with address of instructions that jump using the register
- Near-guaranteed success!
[Diagram: data, shellcode and return address cells; EAX points at the shellcode, and the return address points at an existing code fragment "test ecx, ecx / jmp eax / push"]

Slide 23: Prevention
- Non-executable stack ("NX bit")
- Address randomisation
- Canary bytes
[Diagram: data cells and the return address]
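Of the three defences on this slide, canary bytes are the one that can be shown in a few lines: the compiler places a secret value between the local buffers and the saved frame pointer/return address, and the function epilogue refuses to return if that value has changed. The following is an added example, not code from the slides, that simulates this with the slide's main() frame modelled as a plain byte array (hypothetical layout: 10-byte szName, 4-byte canary, 4-byte saved ebp, 4-byte return address). The canary constant and the two addresses are constructed for reproducibility; a real compiler (gcc -fstack-protector) draws a random canary per process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout, lowest address first. */
#define BUF_SIZE   10
#define CANARY_OFF BUF_SIZE
#define EBP_OFF    (CANARY_OFF + 4)
#define RET_OFF    (EBP_OFF + 4)
#define FRAME_SIZE (RET_OFF + 4)

static const uint32_t CANARY = 0xDEADBEEFu;   /* constructed; random in real life */

struct frame {
    unsigned char bytes[FRAME_SIZE];
};

/* Build the frame as the function prologue would: zeroed buffer, canary,
 * saved ebp and return address in their slots. */
void frame_init(struct frame *f, uint32_t saved_ebp, uint32_t ret_addr)
{
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + CANARY_OFF, &CANARY, 4);
    memcpy(f->bytes + EBP_OFF, &saved_ebp, 4);
    memcpy(f->bytes + RET_OFF, &ret_addr, 4);
}

/* Model of scanf("%s", szName): copies the whole input plus its NUL into the
 * buffer with no length check. The copy is clipped at the frame end only so
 * that this simulation itself never writes out of bounds. */
void unchecked_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(f->bytes, input, n);
}

/* The check a stack-protector epilogue performs before 'ret'. */
int canary_intact(const struct frame *f)
{
    return memcmp(f->bytes + CANARY_OFF, &CANARY, 4) == 0;
}

uint32_t return_address(const struct frame *f)
{
    uint32_t v;
    memcpy(&v, f->bytes + RET_OFF, 4);
    return v;
}

/* Runs one "call" with the given input. Returns 1 if the function would
 * return normally, 0 if the canary check would abort the process first
 * (glibc prints "*** stack smashing detected ***"). *ret_out receives
 * whatever the return-address slot holds afterwards. */
int simulate_call(const char *input, uint32_t *ret_out)
{
    struct frame f;
    frame_init(&f, 0x00004C50u, 0x08048500u); /* constructed addresses */
    unchecked_copy(&f, input);
    *ret_out = return_address(&f);
    return canary_intact(&f);
}

int main(void)
{
    const char *inputs[] = {
        "Ian Kayne",                      /* 9 chars + NUL: fits exactly */
        "AAAAAAAAAA",                     /* 10 chars: the NUL clobbers the canary */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  /* 30 chars: reaches the return address */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t ret;
        int ok = simulate_call(inputs[i], &ret);
        printf("%-32s canary %s, return address 0x%08x\n",
               inputs[i], ok ? "intact " : "SMASHED", ret);
    }
    return 0;
}
```

The second input is the instructive one: a single stray NUL byte past the buffer never reaches the return address, yet the canary still catches it, which is why the check is placed directly above the local buffers. On a real build, confirm the protection is present with gcc -fstack-protector-strong, and check the other two defences from this slide with readelf -l (the GNU_STACK segment should not be executable) and by building as a position-independent executable so address randomisation applies to the program image as well as the stack.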

Slide 24: Buffer Overflow
- Recap and review
- There is a lot more to buffer overflows; some detail has been cut out for clarity.
- Stack diagrams are representation only and are not technically accurate
- Metasploit
- "Smashing the stack for fun and profit"

Slide 25: Buffer Overflows
- Basic principles
- Flaw possible with any buffer operations
- User input
- Data load from disk
- Data from network

Slide 26: Review
- Thank you!
- Questions
- Comments
- Items to review
- Further study