CNIT 127: Exploit Development, Ch 2: Stack Overflows in Linux (slide transcript, 2019/08/28)
CNIT 127: Exploit Development
Ch 2: Stack Overflows in Linux
Updated 8-28-19
Topics
• Buffers in C
• Information Disclosure
• gdb: GNU Debugger
• Segmentation Fault
• The Stack
• Functions and the Stack
• Stack Buffer Overflow
Stack-Based Buffer Overflows
• Most popular and best understood exploitation method
• Aleph One's "Smashing the Stack for Fun and Profit" (1996) – Link Ch 2a
• Buffer
 – A limited, contiguously allocated set of memory
 – In C, usually an array
Exploit A: Information Disclosure
C and C++ Lack Bounds-Checking
• It is the programmer's responsibility to ensure that array indices remain in the valid range (0 to length-1); the compiler emits no check

#include <stdio.h>

int main(void)
{
    int array[5] = {1, 2, 3, 4, 5};
    printf("%d\n", array[5]);   /* valid indices are 0..4: index 5 is one past the end,
                                   undefined behaviour, and in practice reads the next
                                   word on the stack */
    return 0;
}
Reading Past End of Array
• We can read data that we shouldn't be seeing: array[5] returns whatever word the compiler placed after the array on the stack
• Information disclosure vulnerability
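The bug above next to its fix, as an added example that is not from the slides. The slide's int array[5] is carved out of a six-word backing store so that the read at index 5 is defined behaviour and lands on a word we control (the constructed marker 0x5ec7e7 stands in for whatever neighbour the compiler would have placed there: another local, the canary, saved EBP). The checked lookup goes one step beyond the slide: a user-supplied index arrives as a signed value, so it rejects negative indices as well as indices at or past the length. The function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed marker that plays the role of the word lying after the array. */
#define SECRET_MARKER 0x5ec7e7

/* Unchecked lookup, the slide's bug: any idx is trusted. */
static int lookup_unchecked(const int *array, long idx)
{
    return array[idx];
}

/* Checked lookup: idx comes from the user as a signed value, so negative
 * indices must be rejected too, not only idx >= len. Returns 0 and stores
 * the element, or -1 without touching *out when idx is out of range. */
static int lookup_checked(const int *array, size_t len, long idx, int *out)
{
    if (array == NULL || out == NULL)
        return -1;
    if (idx < 0 || (size_t)idx >= len)
        return -1;
    *out = array[idx];
    return 0;
}

/* Reproduces the slide: reads one past a 5-element view and gets the
 * neighbouring word back instead of an error. */
int leak_past_array(void)
{
    int backing[6] = {1, 2, 3, 4, 5, SECRET_MARKER};
    const int *array = backing;          /* the 5-element "int array[5]" view */
    return lookup_unchecked(array, 5);   /* one past the end of that view */
}

/* The same request through the checked path. */
int checked_read_at(long idx, int *out)
{
    int backing[6] = {1, 2, 3, 4, 5, SECRET_MARKER};
    return lookup_checked(backing, 5, idx, out);
}

int main(void)
{
    int v = 0;
    printf("array[5] unchecked: %#x\n", leak_past_array());
    printf("array[5] checked:  %s\n", checked_read_at(5, &v) == 0 ? "ok" : "rejected");
    printf("array[-1] checked: %s\n", checked_read_at(-1, &v) == 0 ? "ok" : "rejected");
    printf("array[4] checked:  %s (%d)\n", checked_read_at(4, &v) == 0 ? "ok" : "rejected", v);
    return 0;
}
```

The comparison `(size_t)idx >= len` after the `idx < 0` test is the usual idiom: casting a negative long to size_t would otherwise turn -1 into a huge index that still fails the upper check, but keeping the explicit sign test makes the intent obvious to a reviewer.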
Using gdb (GNU Debugger)
• Source-level debugging: gdb can show the C source lines because we compiled with gcc -g (debug symbols)
Using gdb (GNU Debugger)
• gdb commands
    list     show source code
    run      execute program
    break    insert breakpoint
    x        examine memory
Exploit B: Denial of Service
Writing Past End of Array
• The program has crashed: the out-of-bounds store hit memory the process may not write
• Denial of service
Print Out More Information
• printf uses a format string
• %x means print in hexadecimal
Segmentation Fault
• Cannot write to address 0xffffe188: the process has no mapping there, so the kernel delivers SIGSEGV and the program dies
Debug
Insert breakpoint and run
Memory Map
• The stack mapping ends at 0xffffe000
• Trying to write past this address caused the segmentation fault
The Stack
LIFO (Last-In, First-Out)
• ESP (Extended Stack Pointer) register points to the top of the stack, which on x86 is the lowest address in use: the stack grows toward lower addresses
• PUSH puts items on the stack: ESP is decremented by 4 and the value is stored there
 – push 1
 – push addr var
Stack
• POP takes items off the stack
 – pop eax
 – pop ebx
EBP (Extended Base Pointer)
• EBP is typically used for calculated addresses on the stack
 – mov eax, [ebp+10h]
• Copies the 4-byte word located 16 bytes above EBP (a higher address, toward the caller's frame, where the function's arguments live) into the EAX register
Functions and the Stack
Purpose
• The stack's primary purpose is to make the use of functions more efficient
• When a function is called, these things occur:
 – Calling routine stops processing its instructions
 – Saves its current state
 – Transfers control to the function
 – Function processes its instructions
 – Function exits
 – State of the calling function is restored
 – Calling routine's execution resumes
Functions and the Stack
• Primary purpose of the stack
 – To make functions more efficient
• When a function is called
 – Push the function's arguments onto the stack
 – CALL the function; CALL pushes the return address (labelled RET in the diagrams) onto the stack. It is the address of the instruction following the CALL, i.e. the EIP value the calling routine resumes at
Functions and the Stack
 – Before the function body starts, a prolog executes: it pushes EBP onto the stack (saving the caller's frame pointer)
 – It then copies ESP into EBP, so EBP marks the base of the new frame
 – Calculates the size of the local variables
 – Reserves that space on the stack by subtracting the size from ESP
 – Local variables live in that reserved space, below EBP; nothing is pushed for them, they are simply addressed relative to EBP
Functions and the Stack

#include <stdio.h>

void function(int a, int b)
{
    int array[5];            /* local buffer: lives in function()'s stack frame */
}

int main(void)
{
    function(1, 2);          /* arguments are pushed, then CALL pushes the return address */
    printf("This is where the return address points\n");
    return 0;
}
Example of a Function
Debug and Set Breakpoints
In main()
Stack frame goes from ebp to esp
In function()
Stack frame goes from ebp to esp
Examine the Stack Frame
• Highlighted region is the stack frame of function()
• Below it (at higher addresses, since gdb prints memory from low to high) is the stack frame of main()
Disassemble Main
• To call a function:
 – push arguments onto the stack
 – call the function
Disassemble Function
• Prolog:
 – push ebp onto the stack
 – mov esp into ebp, starting a new stack frame
 – sub from esp, reserving room for local variables
Saved Return Address
• The next word after the stack frame: it sits just above the saved EBP, at [ebp+4]
• Address of the next instruction to be executed in main() once function() returns
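The layout the last few slides read off gdb, measured from inside the program. This is an added example, not code from the slides; it uses the GCC/Clang builtins __builtin_frame_address(0) (the EBP/RBP value of the current frame, i.e. the address of the saved caller frame pointer) and __builtin_return_address(0) (the return address the CPU will pop), and assumes an x86 or x86-64 Linux build with a frame pointer, where the return address slot is one word above the saved frame pointer: [ebp+4] on 32-bit, [rbp+8] on 64-bit. Struct and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Snapshot of where things sit in one function's stack frame. */
struct frame_layout {
    uintptr_t array_start;    /* address of array[0]                          */
    uintptr_t saved_fp_slot;  /* address of the saved EBP/RBP                 */
    uintptr_t ret_slot;       /* address of the saved return address          */
    uintptr_t ret_value;      /* what that slot holds                         */
    uintptr_t ret_builtin;    /* what the compiler says the return address is */
};

/* noinline keeps this a real CALL with its own frame, as in the slide. */
__attribute__((noinline))
static struct frame_layout inspect_frame(int a, int b)
{
    volatile int array[5] = {a, b, 3, 4, 5};     /* the slide's local buffer */
    struct frame_layout fl;
    char *fp = (char *)__builtin_frame_address(0); /* assumption: EBP/RBP of this frame */

    fl.array_start   = (uintptr_t)&array[0];
    fl.saved_fp_slot = (uintptr_t)fp;
    fl.ret_slot      = (uintptr_t)(fp + sizeof(void *));
    memcpy(&fl.ret_value, fp + sizeof(void *), sizeof fl.ret_value);
    fl.ret_builtin   = (uintptr_t)__builtin_return_address(0);
    return fl;
}

/* Bytes from array[0] to the start of the saved return address. Input that
 * fills this many bytes and then one more word replaces the return address,
 * which is exactly what the AAAA... input does later in the chapter. With
 * -fstack-protector a canary sits between the array and saved EBP, so this
 * is larger than sizeof(array) + sizeof(saved EBP). */
size_t bytes_to_return_address(void)
{
    struct frame_layout fl = inspect_frame(1, 2);
    return (size_t)(fl.ret_slot - fl.array_start);
}

/* 1 if the word at fp + sizeof(void *) really is the return address. */
int saved_return_address_is_real(void)
{
    struct frame_layout fl = inspect_frame(1, 2);
    return fl.ret_value == fl.ret_builtin;
}

/* 1 if the local array lies below the saved frame pointer: the stack grows
 * toward lower addresses, so a write that runs off the end of the array
 * moves up toward saved EBP and then the return address. */
int array_is_below_saved_fp(void)
{
    struct frame_layout fl = inspect_frame(1, 2);
    return fl.array_start < fl.saved_fp_slot;
}

int main(void)
{
    struct frame_layout fl = inspect_frame(1, 2);
    printf("array[0]       at %#lx\n", (unsigned long)fl.array_start);
    printf("saved EBP/RBP  at %#lx\n", (unsigned long)fl.saved_fp_slot);
    printf("return address at %#lx, value %#lx\n",
           (unsigned long)fl.ret_slot, (unsigned long)fl.ret_value);
    printf("bytes from array[0] to return address: %zu\n",
           bytes_to_return_address());
    return 0;
}
```

Run it under gdb with a breakpoint in inspect_frame and compare its output with x/16wx $esp (or $rsp): the printed addresses are the red and green words of the later slides, and the byte count is the padding length an overflow payload needs before the new return address.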
Stack Buffer Overflow Exploit
Stack Buffer Overflow Vulnerability
• gets() reads a line of user input into the buffer
• It does not limit the length of what it writes, so a line longer than the buffer overwrites whatever lies after it on the stack (saved EBP, then the return address); this is why gets() was removed from the C standard in C11
Compile and Run
• A segmentation fault indicates an illegal memory operation: the process touched an address it may not access and the kernel killed it with SIGSEGV
Debug and Set Breakpoint
Break after gets()
Stack After HELLO
• ASCII values for HELLO appear in the words outlined in red
• The saved return address is outlined in green
ASCII
• Google "ASCII"
• 0x41 is A
• 0x42 is B
• etc.
Stack After AAAAA...
• Stack frame is filled with many A characters (0x41)
• The saved return address is overwritten with 0x41414141
Examining the Crash
• eip value is 0x41414141
• When function() returned, RET popped the overwritten word into EIP; nothing is mapped at 0x41414141, so the instruction fetch faults
• Controlled by user input!
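The unbounded read and its bounded replacement side by side, as an added example that is not the program from the slides. read_line_unbounded has the shape of gets(): it stops only at a newline or end of file, so the size of the caller's buffer never enters the picture, and a long line runs into saved EBP and the return address exactly as shown above. read_line_bounded is the fgets-based replacement: it stores at most n-1 bytes, always NUL-terminates, and reports truncation instead of hiding it. gets() itself is not called because it was removed from C11 and current glibc no longer declares it. The helper that turns a constructed string into a FILE* (via tmpfile) exists only so the functions can be exercised offline; all names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* gets()-style: writes until newline/EOF regardless of how big buf is.
 * The caller must guarantee the line fits, which it cannot do for input
 * it does not control. */
char *read_line_unbounded(char *buf, FILE *in)
{
    char *p = buf;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *p++ = (char)c;             /* no bound: keeps writing past the end of buf */
    *p = '\0';
    return buf;
}

/* Bounded: at most n-1 bytes are stored and buf is always NUL-terminated.
 * Returns 1 for a complete line, 0 if the line was longer than n-1 bytes
 * (the excess is discarded so the next call starts on a fresh line),
 * -1 when nothing could be read. */
int read_line_bounded(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';        /* strip the newline fgets keeps */
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')      /* line fit exactly, or file ended without newline */
        return 1;
    while (c != EOF && c != '\n')   /* drain what did not fit */
        c = fgetc(in);
    return 0;
}

/* Test scaffolding: a FILE* over a constructed string. */
static FILE *file_from_string(const char *input)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs(input, f);
        rewind(f);
    }
    return f;
}

int bounded_read_from_string(const char *input, char *buf, size_t n)
{
    FILE *in = file_from_string(input);
    if (in == NULL)
        return -1;
    int rc = read_line_bounded(buf, n, in);
    fclose(in);
    return rc;
}

/* Only safe when the caller already knows the line fits in buf. */
size_t unbounded_read_from_string(const char *input, char *buf)
{
    FILE *in = file_from_string(input);
    if (in == NULL)
        return 0;
    read_line_unbounded(buf, in);
    fclose(in);
    return strlen(buf);
}

int main(void)
{
    char buf[16];                   /* 15 characters + NUL */
    int rc = read_line_bounded(buf, sizeof buf, stdin);
    if (rc < 0) {
        fputs("no input\n", stderr);
        return 1;
    }
    printf("got \"%s\"%s\n", buf, rc == 0 ? " (truncated)" : "");
    return 0;
}
```

Feeding the 40-character AAAA... line into the bounded version yields fifteen A's and a truncation flag where the slide's program yielded EIP = 0x41414141; the caller decides whether truncation is an error, but the return address is never in play.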
gdb Commands
    list                show source code
    run                 execute program
    break               insert breakpoint
    x                   examine memory
    disassemble         show assembly code
    continue            resume execution
    info registers      see registers
    info proc mappings  see memory map