Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 495/583 Topics of Software Security Format String Bug (2) & Heap

Published byΣίβύλ Ζερβός Modified over 6 years ago

Similar presentations

Presentation on theme: "CSC 495/583 Topics of Software Security Format String Bug (2) & Heap"— Presentation transcript:

1 CSC 495/583 Topics of Software Security Format String Bug (2) & Heap
Class19 CSC 495/583 Topics of Software Security Format String Bug (2) & Heap Dr. Si Chen

2 StackGuard turn off stack guard
Insert Canary before the function being called. Check this value to see if it been tweaked Cowan, Crispan, et al. "Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks." USENIX Security Symposium. Vol

3 StackGuard: Stack Reading
Overflow one more byte and try every possible value If no crash  success Crash  wrong guess

4 Format String Bug

5 Format String Bug What is a Format String? A Format String is an ASCII string that contains text and format parameters printf("%s %d\n", str, a); fprintf(stderr, "%s %d\n", str, a); sprintf(buffer, "%s %d\n", str, a); E.g. My name is Chen

6 Format String Bug

7 Advanced Usage: Format String Direct Access

8 fmt_write.c In C printf(), %n is a special format specifier which instead of printing something causes printf() to load the variable pointed by the corresponding argument with a value equal to the number of characters that have been printed by printf() before the occurrence of %n.

9 Write data in any memory address:
%n  DWORD %hn  WORD %hhn  BYTE

10 What is this BUG used for?
Read data in any memory address: %s to read data in an arbitrary memory address Write data in any memory address: printf not only allows you to read but also write %n

11 Read data in any memory address:
Exercise: fmt_test.c Read data in any memory address: %s to read data in an arbitrary memory address Dump the whole program!

12 Find offset Offset is 11

13 Data stored in that Memory Address
Leak Data MemoryAddress%11$x Data stored in that Memory Address 0xFFFFFFFF%11$x  0xDEADBEEF Address Data 0xFFFFFFFF 0xDEADBEEF

14 Another Issue printf use \x00 to judge the end of the string
Solution: add some dummy characters to avoid truncate:

15 Dump the whole program!

16 What is this BUG used for?
Disclose sensitive information: Variable(s) EBP value The correct location for putting Shellcode

17 What is this BUG used for?
Disclose StackGuard Canary: By pass stack checking

18 What is this BUG used for?
Disclose Library Address When enable ASLR, the library address will change each time It’s impossible to call these functions in your shellcode (e.g. system()) Use this bug to disclose one function’s address in a given library. you can use it to deduce other function’s address

19 What is this BUG used for?
Disclose Library Address When enable ASLR, the library address will change each time It’s impossible to call these functions in your shellcode (e.g. system()) Use this bug to disclose one function’s address in a given library. you can use it to deduce other function’s address

20 GOT Overwrite Attack with Format String Bug

21 The Heap

22 It’s just another segment in runtime memory
The Heap 0x Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack It’s just another segment in runtime memory 0xFFFFFFFF

23 Basics of Dynamic Memory
int main() { char * buffer = NULL; /* allocate a 0x100 byte buffer */ buffer = malloc(0x100); /* read input and print it */ fgets(stdin, buffer, 0x100); printf(“Hello %s!\n”, buffer); /* destroy our dynamically allocated buffer */ free(buffer); return 0; }

24 Heap vs Stack Heap Dynamic memory allocations at runtime
Objects, big buffers, structs, persistence, larger things Slower, Manual Done by the programmer malloc/calloc/recalloc/free new/delete Stack Fixed memory allocations known at compile time Local variables, return addresses, function args Fast, Automatic Done by the compiler Abstracts away any concept of allocating/de-allocating

25 malloc in glibc ptmalloc

26 unsigned int * buffer = NULL; buffer = ptmalloc(0x100);
Heap Chunks unsigned int * buffer = NULL; buffer = ptmalloc(0x100); //Out comes a heap chunk Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

27 Pseudo Memory Map Runtime Memory Runtime Memory MBE - 04/07/2015 2727
0x – Start of memory 0x – Start of memory Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack 0x – Start of .text Segment 0x – Start of .text Segment 0xb7ff0000 – Top of heap 0xbfff0000 – Top of stack 0xFFFFFFFF – End of memory MBE - 04/07/2015 Heap Exploitation 2727

28 Heap Allocations Runtime Memory Heap Segment Previous Chunk Size
0x Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

29 Heap Allocations Runtime Memory Heap Segment Previous Chunk Size
0x Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

30 Heap Allocations Runtime Memory Heap Segment Previous Chunk Size
0x Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

31 Heap chunks exist in two states
Heap Chunks – In Use Heap chunks exist in two states in use (malloc’d) free’d Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

32 free(buffer); Heap Chunk (freed) Forward Pointer Backwards Pointer
Heap Chunks – Freed free(buffer); Forward Pointer A pointer to the next freed chunk Backwards Pointer A pointer to the previous freed chunk Heap Chunk (freed) Previous Chunk Size (4 bytes) Chunk Size (4 bytes) FD (4 bytes) BK (4 bytes) Flags *(buffer-2) *(buffer-1) *buffer *(buffer+1)

33 Heap Overflows Runtime Memory Heap Segment Previous Chunk Size
0x Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

34 Heap Overflows Buffer overflows are basically the same on the heap as they are on the stack 0x Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment > Grows towards higher memory Previous Chunk Size Chunk Size AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA heap overflow Data Previous Chunk Size Chunk Size Data 0xFFFFFFFF

35 Heap Overflows In the real world, lots of cool and complex things like objects/structs end up on the heap Anything that handles the data you just corrupted is now viable attack surface in the application It’s common to put function pointers in structs which generally are malloc’d on the heap Overwrite a function pointer on the heap, and force a codepath to call that object’s function!

36 Q & A

Download ppt "CSC 495/583 Topics of Software Security Format String Bug (2) & Heap"

Similar presentations

Dynamic Memory Management

Dynamic Memory Management
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.

1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Outline Midterm results Static variables Memory model

Outline Midterm results Static variables Memory model
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
1 C - Memory Simple Types Arrays Pointers Pointer to Pointer Multi-dimensional Arrays Dynamic Memory Allocation.

1 C - Memory Simple Types Arrays Pointers Pointer to Pointer Multi-dimensional Arrays Dynamic Memory Allocation.
Pointers and Arrays Beyond Chapter 16. 16-2 Pointers and Arrays What are the real differences? Pointer Holds the address of a variable Can be pointed.

Pointers and Arrays Beyond Chapter Pointers and Arrays What are the real differences? Pointer Holds the address of a variable Can be pointed.
Stack and Heap Memory Stack resident variables include:

Stack and Heap Memory Stack resident variables include:
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.

Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Programming for Beginners Martin Nelson Elizabeth FitzGerald Lecture 15: More-Advanced Concepts.

Programming for Beginners Martin Nelson Elizabeth FitzGerald Lecture 15: More-Advanced Concepts.

Similar presentations

Ads by Google