Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\-

Published byGarey Potter Modified over 8 years ago

Similar presentations

Presentation on theme: "Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\-"— Presentation transcript:

1 Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\- /lucky 13\ / \ / `-(' ')-' \ / \ /lucky 13\ \ / `-' (U) `-' \ / `-' `-' CS3695 – Network Vulnerability Assessment & Risk Mitigation –

2 Buffer Overflows Buffer Overflows have been “all the rage” lately... THE definitive resources for this topic – XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Smashing The Stack For Fun And Profit XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX by Aleph On –The Tao of Windows Buffer Overflow as taught by DilDog Essence Throughout these ages our operating systems infested by bugs The ignorant world turns to Windows for safety Safety from themselves It is now the time for the world to realize that we all feel pain Essence Throughout these ages our operating systems infested by bugs The ignorant world turns to Windows for safety Safety from themselves It is now the time for the world to realize that we all feel pain

3 In it’s simplest terms, a buffer overflow attack places an oversized input into a variable... overflowing its boundaries and writing over some other code. If properly placed, this will point the program to perform our code (now residing inside that variable’s memory location) In Simple Terms...

4 Poor programmers don’t check for a valid size input, and some languages (C/C++ for example; used to write most of our modern day programs and OS’) will over-write other locations in memory when an input is larger then it’s variable... Why Does This Happen?

5

6 Processes and the OS... –When a process (in simple terms a program) starts, the OS allots a certain amount of memory to manage that process –It is broken down into three parts: TEXT: the main code DATA: static data SEGMENT: scratch pad area for functions... HEAP: for malloc() calls for memory allocation –Lets see how this works... Background

7 Program starts and allocates memory... filling the text and data portions... Memory Allotment Low Memory 0x0000 High Memory 0xFFFF TEXT: Main Code DATA: Static Variables Grows Up

8 Once the program starts to run, it sets up the STACK as functions are called... The stack’s end point is tracked in a register called Stack Point (SP) Memory Allotment Low Memory 0x0000 High Memory 0xFFFF TEXT: Main Code DATA: Static Variables STACK: Function “Scratch Pad” Free Memory Grows Down HEAP: Malloc() HEAP: Malloc()

9 Each function called will be set up with its own frame... Pushing on to the stack that function’s arguments, parameters, and more... Stack Frames Low Memory 0x0000 High Memory 0xFFFF TEXT: Main Code DATA: Static Variables STACK: Grows Down HEAP: Malloc() HEAP: Malloc()

10 As the functions are called, and the frames created, some registers that track locations change... FP (or EBP) shows where the frame started... SP (or ESP) tracks the new end of the stack EI (EIP) tracks the next instruction Stack Frames (cont) STACK: 0xFFFF Arguments Return Address (previous EBP) some address in main (back in the TEXT section) Variables (buffers) 0xFF12 Previous FP (EBP) Grows Down Stack Pointer (SP) or ESP {shows the “end” of the stack} Frame Pointer (FP) or EBP {shows the “end” of the last frame} 0xFF120xFFFF 0xFF48 Extended Inst (EI) or EIP {shows where to execute next instruction} 0xFF48

11 As a new, second function is called by the first function, the second function’s frame causes some more register changes... Stack Frames (cont) STACK: 0xFFFF Arguments Return Address (previous EBP) inst in main Variables (buffers) 0xFF12 Arguments Return Address (previous EBP) inst in function 1 Variables (buffers) First Functions Frame Second Functions Frame 0xDD45 Previous FP (EBP) FFFF Previous FP (EBP) FFFF Grows Down Stack Pointer (SP) or ESP {shows the “end” of the stack} 0xDD45 Frame Pointer (FP) or EBP {shows the “end” of the last frame} 0xFF12 Extended Inst (EI) or EIP {shows where to execute next instruction} 0xFF00

12 So where does the buffer overflow really come in? We can overwrite the Return Address to point to some code we want to execute... by overflowing our code and the address of our code in a variable in the buffers... Stack Frames (cont) STACK: 0xFFFF Arguments Return Address (previous EBP) inst in main Variables (buffers) 0xFF12 Arguments Return Address (previous EBP) inst in function 1 Variables (buffers) First Functions Frame Second Functions Frame 0xDD45 Previous FP (EBP) FFFF Previous FP (EBP) FFFF Address of our code... NOP Our exploit code Grows Down 0xFF00 Extended Inst (EI) or EIP {shows where to execute next instruction} 0xFF00

13 A list from Eric Cole’s “Hacker Beware” –Netmeeting –Outlook –Linuxconf –Tooltalk –IMPAD –AOL IM –IIS 4/5 –SQL –Our latest... RPC Some Example Exploits

14 The Threat Programs that run as [SUID] to root. –In general, a program executable (the binary) has a “context” that determines privileges –The context is based on, or is a subset of, the user’s (the owner) privileges. –For example, if Bob rights a program, the executable will have the same privileges as Bob

15 The Threat (2) Sometimes a program requires extended privileges to work properly –We discussed the passwd program in class The passwd command runs as a [SUID] program such that the executable is associated with the file owner and NOT the user –In this case root owns passwd binary. The program runs with root privileges against the passwd and shadow files.

16 The Threat (3) Some programs start at boot and run in the background… –Unix daemons –Windows services Many times they will run with extended privileges as open ports to the world and they are always on. –These are possible targets for buffer overflows

17 DCOM Buffer Overflow First reported in July 2003 It is a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface which allows an attacker to gain full access (system level) and execute any code on a target machine, leaving it compromised. DCOM is a protocol that enables programs to communicate over the network, while RPC is a protocol used by a program to request services from another program on a remote machine The following platforms are affected by this vulnerability: ・ –Windows NT 4.0 ・ Windows 2000 Professional & Server ・ Windows 2000 Advance Server ・ Windows XP Home ・ Windows XP Professional –The following RPC-related ports can be attacked to exploit this vulnerability: ・ 135 ・ 139 ・ 445 ・ 593

18 Metasploit It’s a framework for penetration testing that allows you to choose an exploit and payload combination against a remote host –It has a very clean version of dcom, so we will use it in the lab…

19 Hardware Level Prevention Of Buffer Overflow Intel Q965 Express Chipset prevent certain classes of viruses or worms that exploit buffer overflow vulnerabilities AMD's Athlon 64 processors can detect buffer overflows and trigger an overflow exception that crashes an application or operating system Copyright © by EC-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Page 2605

20 How to Detect Buffer Overflows in a Program One way is to look at the source code In this case, the attacker can look for strings declared as local variables in functions or methods and verify the presence of boundary checks It is also necessary to check for improper use of standard functions, especially those related to strings and input/output Another way is to feed the application with huge amounts of data and check for the abnormal behavior Copyright © by EC-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

21 Defense Against Buffer Overflows ManualDisablingSafer C Compiler auditing ofstacklibrary techniques the codeexecutionsupport Copyright © by EC-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Also include: 1.Address space layout randomization (ASLR) is a computer security technique which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space 2.PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. Also include: 1.Address space layout randomization (ASLR) is a computer security technique which involves randomly arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, in a process's address space 2.PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. Page 2363

Download ppt "Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/-------\-------/-----\-----/---\--\ /--/---\-----/-----\-------/-------\-"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
CS252: Systems Programming Ninghui Li Final Exam Review.

CS252: Systems Programming Ninghui Li Final Exam Review.
Security in the industry H/W & S/W What is AMD’s ”enhanced virus protection” all about? What’s coming next? Presented by: Micha Moffie.

Security in the industry H/W & S/W What is AMD’s ”enhanced virus protection” all about? What’s coming next? Presented by: Micha Moffie.
System Calls 1.

System Calls 1.
Address Space Layout Permutation

Address Space Layout Permutation
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google