Presentation is loading. Please wait.

Presentation is loading. Please wait.

Refs: rootshell, antionline, your favorite hacker site…

Published byArchibald Miles Modified over 6 years ago

Similar presentations

Presentation on theme: "Refs: rootshell, antionline, your favorite hacker site…"— Presentation transcript:

1 Refs: rootshell, antionline, your favorite hacker site…
Buffer Overflow Refs: rootshell, antionline, your favorite hacker site… Netprog: Buffer Overflow

2 Internet Break-In Statistics*
40% of compromised accounts/hosts are due to bad passwords. 35% are due to buffer overflow exploits. 10% are due to pancake mothballs. 8% are due to black helicopters. 2.600% are due to IP spoofing. * I made all these numbers up! Netprog: Buffer Overflow

3 Netprog: Buffer Overflow
Serious Note Try a web search for “buffer overflow exploit”. Check alt.2600, rootshell.com, antionline.com – you can find long lists of exploits based on buffer overflow. Even the original version of ssh had a problem! (after they made a big deal that there were no buffer overflow problems in their code). Netprog: Buffer Overflow

4 Netprog: Buffer Overflow
The Problem void foo(char *s) { char buf[10]; strcpy(buf,s); printf(“buf is %s\n”,s); } foo(“thisstringistolongforfoo”); Netprog: Buffer Overflow

5 Netprog: Buffer Overflow
Exploitation The general idea is to give servers very large strings that will overflow a buffer. For a server with sloppy code – it’s easy to crash the server by overflowing a buffer (SEGV typically). It’s sometimes possible to actually make the server do whatever you want (instead of crashing). Netprog: Buffer Overflow

6 Netprog: Buffer Overflow
Background Necessary C functions and the stack. A little knowledge of assembly/machine language. How system calls are made (at the machine code level). exec() system calls How to “guess” some key parameters. Netprog: Buffer Overflow

7 Netprog: Buffer Overflow
CPU/OS dependency Building an exploit requires knowledge of the specific CPU and operating system of the target. I’ll just talk about x86 and Linux, but the methods work for other CPUs and OSs. Some details are very different, but the concepts are the same. Netprog: Buffer Overflow

8 Netprog: Buffer Overflow
C Call Stack When a function call is made, the return address is put on the stack. Often the values of parameters are put on the stack. Usually the function saves the stack frame pointer (on the stack). Local variables are on the stack. Netprog: Buffer Overflow

9 Netprog: Buffer Overflow
Stack Direction On Linux (x86) the stack grows from high addresses to low. Pushing something on the stack moves the Top Of Stack towards the address 0. Netprog: Buffer Overflow

10 Netprog: Buffer Overflow
A Stack Frame Parameters Return Address Calling Stack Pointer Local Variables SP+offset SP Addresses Netprog: Buffer Overflow

11 Netprog: Buffer Overflow
18 addressof(y=3) return address saved stack pointer y x buf Sample Stack void foo(int j) { int x,y; char buf[100]; x=j; } x=2; foo(18); y=3; Netprog: Buffer Overflow

12 Netprog: Buffer Overflow
“Smashing the Stack”* The general idea is to overflow a buffer so that it overwrites the return address. When the function is done it will jump to whatever address is on the stack. We put some code in the buffer and set the return address to point to it! *taken from the title of an article in Phrack 49-7 Netprog: Buffer Overflow

13 Netprog: Buffer Overflow
void foo(char *s) { char buf[100]; strcpy(buf,s); Before and After address of s address of s return-address pointer to pgm Small Program saved sp buf Netprog: Buffer Overflow

14 Netprog: Buffer Overflow
Issues How do we know what value the pointer should have (the new “return address”). It’s the address of the buffer, but how do we know what address this is? How do we build the “small program” and put it in a string? Netprog: Buffer Overflow

15 Netprog: Buffer Overflow
Guessing Addresses Typically you need the source code so you can estimate the address of both the buffer and the return-address. An estimate is often good enough! (more on this in a bit). Netprog: Buffer Overflow

16 Building the small program
Typically, the small program stuffed in to the buffer does an exec(). Sometimes it changes the password db or other files… Netprog: Buffer Overflow

17 Netprog: Buffer Overflow
exec() example #include <stdio.h> char *args[] = {"/bin/ls", NULL}; void execls(void) { execv("/bin/ls",args); printf(“I’m not printed\n"); } Netprog: Buffer Overflow

18 Netprog: Buffer Overflow
Generating a String You can take code like the previous slide, and generate machine language. Copy down the individual byte values and build a string. To do a simple exec requires less than 100 bytes. Netprog: Buffer Overflow

19 A Sample Program/String
Does an exec() of /bin/ls: unsigned char cde[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0” “\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c” “\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/ls"; Netprog: Buffer Overflow

20 Netprog: Buffer Overflow
Some important issues The small program should be position-independent – able to run at any memory location. It can’t be too large, or we can’t fit the program and the new return-address on the stack! Netprog: Buffer Overflow

21 Sample Overflow Program
unsigned char cde[] = "\xeb\x1f\… void tst(void) { int *ret; ret = (int *)&ret+2; // pointer arith! (*ret) = (int) cde; //change ret addr } int main(void) { printf("Running tst\n"); tst(); printf("tst has returned\n"); Netprog: Buffer Overflow

22 Attacking a real program
Recall that the idea is to feed a server a string that is too big for a buffer. This string overflows the buffer and overwrites the return address on the stack. Assuming we put our small program in the string, we need to know it’s address. Netprog: Buffer Overflow

23 Netprog: Buffer Overflow
NOPs Most CPUs have a No-Operation instruction – it does nothing but advance the instruction pointer. Usually we can put a bunch of these ahead of our program (in the string). As long as the new return-address points to a NOP we are OK. Netprog: Buffer Overflow

24 Netprog: Buffer Overflow
Using NOPs new return address Real program (exec /bin/ls or whatever) Can point anywhere in here nop instructions Netprog: Buffer Overflow

25 Estimating the stack size
We can also guess at the location of the return address relative to the overflowed buffer. Put in a bunch of new return addresses! Netprog: Buffer Overflow

26 Estimating the Location
new return address new return address new return address new return address new return address new return address Real program nop instructions Netprog: Buffer Overflow

27 Netprog: Buffer Overflow
vulnerable.c void foo( char *s ) { char name[200]; strcpy(name,s); printf("Name is %s\n",name); } int main(void) { char buf[2000]; read(0,buf,2000); foo(buf); Netprog: Buffer Overflow

28 Netprog: Buffer Overflow
genpgm.c genpgm.c was constructed to exploit the buffer overflow in vulnerable.c It allows he user to add an offset to a fixed “guess” of the address of the return-address on the stack. It writes (to stdout) a string that contains a bunch of return-addresses and a program that does: exec /bin/ls. Netprog: Buffer Overflow

29 Netprog: Buffer Overflow
Testing ./genpgm 32 | ./vulnerable Get ambitious! Change the program output by genpgm to exec /bin/sh! (./genpgm 32; cat) | ./vulnerable Netprog: Buffer Overflow

30 Other Potential Problems
Buffer overflow is just the most common programming problem exploited. Integer arithmetic can also be a problem! foo = malloc(num * sizeof(struct blah)); what if num is 2^32-1? what if num is -1? Netprog: Buffer Overflow

31 Netprog: Buffer Overflow
Summary Don't use strcpy. Check the return value on all calls to library functions like malloc (as well as all system calls). Don't use multiplication (or addition). Might as well not use subtraction or division either. It's probably best to avoid writing programs at all… Netprog: Buffer Overflow

Download ppt "Refs: rootshell, antionline, your favorite hacker site…"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
INSTRUCTION SET ARCHITECTURES

INSTRUCTION SET ARCHITECTURES
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.

1 Homework Turn in HW2 at start of next class. Starting Chapter 2 K&R. Read ahead. HW3 is on line. –Due: class 9, but a lot to do! –You may want to get.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow I: Attack Introduction Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow I: Attack Introduction Cliff Zou Spring 2012.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Buffer overflows.

Buffer overflows.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Netprog: Java Intro1 Crash Course in Java. Netprog: Java Intro2 Why Java? Network Programming in Java is very different than in C/C++ –much more language.

Netprog: Java Intro1 Crash Course in Java. Netprog: Java Intro2 Why Java? Network Programming in Java is very different than in C/C++ –much more language.
CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks.

CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks.

Similar presentations

Ads by Google