Part II Let’s make it real Memory Layout of a Process.

Slides:



Advertisements
Similar presentations
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Advertisements

Smashing the Stack for Fun and Profit
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
ITEC 352 Lecture 27 Memory(4). Review Questions? Cache control –L1/L2  Main memory example –Formulas for hits.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Programming Project # 1 cs155 Due: Thursday, April 21 st, 11:59pm Shayan Guha Elizabeth Stinson.
Buffer Overflow. Process Memory Organization.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Computer Security Buffer Overflow lab Eu-Jin Goh.
Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.
UBC104 Embedded Systems Functions & Pointers.
C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Attacks Using Stack Buffer Overflow Boxuan Gu
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
University of Washington Today Memory layout Buffer overflow, worms, and viruses 1.
CrackChat #2 Stack Overflows and Format Strings Part 2: Baking the Egg
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Recitation 4: The Stack & Lab3 Andrew Faulring Section A 30 September 2002.
1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }
Recitation 6 – 2/26/01 Outline Linking Exam Review –Topics Covered –Your Questions Shaheen Gandhi Office Hours: Wednesday.
University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.
Smashing the Stack Overview The Stack Region Buffer Overflow
Procedures – Generating the Code Lecture 21 Mon, Apr 4, 2005.
Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
CNIT 127: Exploit Development Ch 1: Before you begin.
Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
Exploits Buffer Overflows and Format String Attacks David Brumley Carnegie Mellon University.
Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.
1 Understanding Pointers Buffer Overflow. 2 Outline Understanding Pointers Buffer Overflow Suggested reading –Chap 3.10, 3.12.
Bits and Bytes September 1, F’05 class02.ppt “The Class That Gives CMU Its Zip!”
CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.
International Summer School on Information and System Security Stack Based Buffer Overflows Alberto Ornaghi Lorenzo Cavallaro.
Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.
Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)
Improvements to the Compiler Lecture 27 Mon, Apr 26, 2004.
Buffer Overflow Attacks 1 Basic Idea Sample Attacks Protection , Computer & Network Security.
Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.
OUTLINE 2 Pre-requisite Bomb! Pre-requisite Bomb! 3.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Introduction to Information Security
Shellcode COSC 480 Presentation Alison Buben.
Mitigation against Buffer Overflow Attacks
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Buffer Overflow Walk-Through
Return Oriented Programming
Introduction to Information Security
The Hardware/Software Interface CSE351 Winter 2013
Performance Optimizations in Dyninst
Introduction to Information Security
Exploiting & Defense Day 2 Recap
Recitation: Attack Lab
CMSC 414 Computer and Network Security Lecture 21
Y86 Processor State Program Registers
Defeating Instruction Set Randomization Nora Sovarel
C Prog. To Object Code text text binary binary Code in files p1.c p2.c
Assembly Language Programming II: C Compiler Calling Sequences
The Runtime Environment
Machine Level Representation of Programs (IV)
Week 2: Buffer Overflow Part 2.
Instructors: Majd Sakr and Khaled Harras
System and Cyber Security
Return-to-libc Attacks
Presentation transcript:

Part II Let’s make it real

Memory Layout of a Process

In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x :push %ebp 0x :mov %esp,%ebp 0x b :call 0x x :pop %ebp 0x :ret

In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x :push %ebp 0x :mov %esp,%ebp 0x b :call 0x x :pop %ebp 0x :ret

In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x :push %ebp 0x :mov %esp,%ebp 0x b :call 0x x :pop %ebp 0x :ret

In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x :push %ebp 0x :mov %esp,%ebp 0x b :call 0x x :pop %ebp 0x :ret

Similarly The assembly code for getURL(): 0x :push %ebp 0x :mov %esp,%ebp 0x :sub $0x18,%esp 0x a :mov 0x804a014,%eax 0x f :movl $0x40,0x8(%esp) 0x :lea -0xc(%ebp),%edx 0x a :mov %edx,0x4(%esp) 0x e :mov %eax,(%esp) 0x :call 0x x :leave 0x :ret

Similarly The assembly code for getURL(): 0x :push %ebp 0x :mov %esp,%ebp 0x :sub $0x18,%esp 0x a :mov 0x804a014,%eax 0x f :movl $0x40,0x8(%esp) 0x :lea -0xc(%ebp),%edx 0x a :mov %edx,0x4(%esp) 0x e :mov %eax,(%esp) 0x :call 0x x :leave 0x :ret

So we have: ret pop %ebp call 0x mov %esp,%ebp push %ebp IE stack old FP (buf) fd (code for read) read 0x x ret leave call 0x mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp mov %esp,%ebp push %ebp getURL 0x x getURL () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { getURL (); }

So we have: ret pop %ebp call 0x mov %esp,%ebp push %ebp IE stack old FP (buf) fd (code for read) read 0x x ret leave call 0x mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp mov %esp,%ebp push %ebp getURL 0x x getURL () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { getURL (); }

stack old FP (buf) fd What about the stack? getURL () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { getURL (); } ret pop %ebp call 0x mov %esp,%ebp push %ebp IE (code for read) read 0x x ret leave call 0x mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp mov %esp,%ebp push %ebp getURL 0x x

0xbfffeedc 0x getURL () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { getURL (); } old FP 64 (buf) fd What about the stack? 0xbfffeeb0 0xbfffeeb4 0xbfffeeb8 0xbfffeebc 0xbfffeec0 0xbfffeec4 0xbfffeec8 0xbfffeecc 0xbfffeed0 0xbfffeed4 0xbfffeed8 0xbfffee98 0xbfffee9c 0xbfffeea0 0xbfffeea4 0xbfffeea8 0xbfffeeac ret pop %ebp call 0x mov %esp,%ebp push %ebp IE (code for read) read 0x x ret leave call 0x mov %eax,(%esp) mov %edx,0x4(%esp) lea -0xc(%ebp),%edx movl $0x40,0x8(%esp) mov 0x804a014,%eax sub $0x18,%esp mov %esp,%ebp push %ebp getURL 0x x When getURL is about to call ‘read’ 4 bytes

And now the exploit

Exploit 0x buf getURL () { char buf[10]; read(fd, buf, 64); get_webpage (buf); } IE () { getURL (); } 0xbfffeeb0 0xbfffeedc 0xbfffeeb0 0xbfffeeb4 0xbfffeeb8 0xbfffeebc 0xbfffeec0 0xbfffeec4 0xbfffeec8 0xbfffeecc 0xbfffeed0 0xbfffeed4 0xbfffeed8 0xbfffee98 0xbfffeea4 0xbfffeea8 0xbfffeeac

That is it, really all we need to do is stick our program in the buffer Easy to do: attacker controls what goes in the buffer! – and that program simply consists of a few instructions (not unlike what we saw before)

But sometimes We don’t even need to change the return address Or execute any of our code Let’s have a look at an example, where the buffer overflow changes only data…

get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“sorry, not allowed”); } Exploit against non control data

get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“sorry, not allowed”); }

name authorized=T get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“sorry, not allowed”); } Exploit against non-control data

Other return targets also possible! This is what we did before

But other locations also possible If we start the program ourselves, we control the env

So all the attacker needs to do…... is stick a program in the buffer or environment! – Easy: attacker controls what goes in the buffer! – What does such code look like?  “shellcode”

Typical injection vector Shellcode address: – the address of the memory region that contains the shellcode Shellcode: – a sequence of machine instructions to be executed (e.g. execve("/bin/sh")) NOP sled: – a sequence of do-nothing instructions (nop). It is used to ease the exploitation: attacker can jump anywhere inside, and will eventually reach the shellcode (optional) NOP sled shellcode address of shellcode

How do you create the vector? 1.Create the shellcode 2.Prepend the NOP sled: perl -e 'print "\x90"' | ndisasm -b 32 – nop 3.Add the address 0xbfffeeb0 setreuid execve why this? C0 B DB 31 C9 1..F CD 80 EB 16 5B 31 C [ B C C..[..C B0 0B 8D 4B 08 8D 53 0C...K..S CD 80 E8 E5 FF FF FF 2F / E 2F E 41 bin/shNA AAABBBB.

In reality, things are more complicated why do you think encoding is so frequently used? – think strcpy(), etc. unpacker encoded shellcode

In reality, things are more complicated why do you think encoding is so frequently used? – think strcpy(), etc. unpacker encoded shellcode A: if strcpy() is used to overflow the buffer, it will stop when it encounters the null byte. So if the shellcode contains a null byte, the attacker has a problem. So the attacker may have to encode the shellcode to remove null bytes and then generate them dynamically

get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); if (authorized) show_medical_info (name); else printf (“sorry, not allowed”); } authorized = F name Exploit against non control data

That is, fundamentally, it. Let us see whether we understood this.

Can you exploit this?

w without comments

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.