Presentation is loading. Please wait.

Presentation is loading. Please wait.

SEED Workshop Buffer Overflow Lab

Published bySugiarto Tedja Modified over 6 years ago

Similar presentations

Presentation on theme: "SEED Workshop Buffer Overflow Lab"— Presentation transcript:

1 SEED Workshop Buffer Overflow Lab

2 Outline Principle High Level Picture Program Memory Layout
Function Stack Layout Function Call Chain Practice Vulnerable Program Task Breakdown Environment Setup Run Tasks Run the Exploit

3 High Level Picture

4 High Level Picture

5 High Level Picture

6 High Level Picture

7 High Level Picture

8 High Level Picture

9 High Level Picture

10 High Level Picture

11 High Level Picture

12 Principle Program Memory Layout

13 Function Stack Layout void func(int a, int b) { int x,y ; }

14 Function Call Chain void f(int a, int b) { int x; } void main()
printf("hello world");

15 Practice Vulnerable Program (stack.c)
int main(int argc, char **argv) { char str[517]; FILE *badfile; // 1. Opens badfile badfile = fopen("badfile", "r"); // 2. Reads upto 517 bytes from badfile fread(str, sizeof(char), 517, badfile); // 3. Call vulnerable function bof(str); printf("Returned Properly\n"); return 1; }

16 Buffer Overflow in stack.c

17 Program Behavior Show program behavior for badfile of length:
< 24 bytes > 24 bytes

18 Goal

19 Use of NOP’s

20 Task Breakdown - Prepare “badfile”

21 Environment Setup for Tasks
Turn off address randomization (countermeasure) % sudo sysctl -w kernel.randomize_va_space=0 Compile set-uid root version of stack.c % gcc -o stack -z execstack -fno-stack-protector stack.c % sudo chown root stack % sudo chmod 4755 stack

22 Goal - Task A

23 Goal - Task A

24 Goal - Task A Need for debugging
Buffer size may exceed 24 bytes at run time Need accurate buffer size

25 Goal - Task A Need for debugging
Buffer size may exceed 24 bytes at run time Need accurate buffer size Compile debug version of stack.c % gcc -z execstack -fno-stack-protector g -o stack_dbg stack.c

26 Task A Start debugging using gdb Set breakpoint Print buffer address
Print frame pointer address Calculate distance

27 Task Breakdown - Prepare “badfile”

28 Goal - Task B

29 Task B

30 Task B Calculate lowest address for shellcode Add offset

31 Task Breakdown - Prepare “badfile”

32 Construct the badfile - exploit.c
void main(int argc, char **argv) { // Initialize buffer with 0x90 (NOP instruction) memset(&buffer, 0x90, 517); // From tasks A and B *((long *) (buffer + <distance - task A>)) = <address - task B>; // Place the shellcode towards the end of buffer memcpy(buffer + sizeof(buffer) - sizeof(shellcode), shellcode, sizeof(shellcode)); }

33 Run the exploit Compile and run exploit.c to generate badfile
Run set-uid root compiled stack.c

34 Countermeasures ASLR StackGuard Non-Executable (NX) Stack
For each of these, refer to lab description or research.

Download ppt "SEED Workshop Buffer Overflow Lab"

Similar presentations

Buffer Overflow Prabhaker Mateti Wright State University.

Buffer Overflow Prabhaker Mateti Wright State University.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow.

Stack buffer overflow.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Buffer Overflow Maddikayala, jagadish. CSCI 5931 Web Security Prof. T. Andrew Yang Monday Feb. 23.

Buffer Overflow Maddikayala, jagadish. CSCI 5931 Web Security Prof. T. Andrew Yang Monday Feb. 23.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

Similar presentations

Ads by Google