A Buffer Overflow Example. João Paulo Magalhães (jpm@estgf.ipp.pt), April 2009
Buffer Overflow
Buffer Overflow – A simple program
Buffer Overflow – A simple program
• Our goal is to execute the hack() function, which the program never calls directly.
It could be worse: hack() is harmless here, but the same overwrite can send execution anywhere.
Buffer Overflow – Internal aspects of the program
Stack before the scanf call
Stack after the scanf call
Addresses of the print_it() and hack() functions
Buffer Overflow – Running the program
The ASCII code of 'A' is 0x41, so a buffer flooded with 'A's shows up as 0x41414141 in the registers and on the stack!
Buffer Overflow – The x86 stack
Figure (stack layout, highest address first):
• Call parameters
• Return address
• Saved %EBP register
• Preserved original register values
• Space for the subroutine's local variables
%ESP, the 32-bit stack pointer, marks the end (top) of the stack. The lower region is the current stack frame; above it lies the stack frame of whoever called the subroutine.
Buffer Overflow – The attack
Figure (same stack layout, highest address first):
• Call parameters
• Return address
• Saved %EBP register
• Preserved original register values
• Space for the subroutine's local variables: the buffer s lives here
The current stack frame sits at the end of the stack, below the caller's frame. The attack writes characters from the start of s upward until they reach and change the return address.
Buffer Overflow – Running once more
The address of hack() is the value we want to place in the return-address slot.
Buffer Overflow – The attack
A string longer than the s buffer expects is supplied, and its tail lands on the saved return address.
The return address was changed.
Malicious code
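The overwrite the slides walk through (stack before and after the scanf call, the 0x41 filler, the return address replaced by the address of hack()), as an added example that is not part of the original presentation. The frame around s[] is modelled as a C struct so the bytes land in the same order as on the x86 stack, and the unbounded scanf("%s") is replaced by a memcpy of the whole input so the program runs the same under any compiler or mitigation. The 16-byte buffer, the saved %ebp value, the original return address and the hack() address 0x080484b0 are assumptions chosen for illustration; the real values depend on the compiled binary.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original slides. Assumed values: a 16-byte s[]
 * buffer, a hypothetical address for hack() and hypothetical saved values.
 * Real values come from the compiled binary. */
#define BUF_SIZE   16
#define HACK_ADDR  0x080484b0u   /* hypothetical address of hack() */
#define ORIG_RET   0x08048501u   /* hypothetical return address into main() */
#define SAVED_EBP  0xbffff5e8u   /* hypothetical saved %ebp of the caller */

/* Model of the frame around s[], lowest address first, as on the x86 stack:
 * the buffer, then the saved %ebp, then the return address. Writing past
 * the end of s[] walks into the next two fields. */
struct frame {
    char     s[BUF_SIZE];
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

static void init_frame(struct frame *f) {
    memset(f->s, 0, sizeof f->s);
    f->saved_ebp = SAVED_EBP;
    f->ret_addr  = ORIG_RET;
}

/* Stand-in for scanf("%s", s): copies every input byte with no bounds check.
 * Copying through the struct pointer keeps this defined C while reproducing
 * what the real call does to the stack (clamped to the model object, so the
 * demo itself cannot corrupt anything else). */
static void unbounded_read(struct frame *f, const unsigned char *input, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, input, len);
}

/* Distance from the start of s[] to the return-address slot: the number of
 * filler bytes the payload needs ("write chars until the return address changes"). */
size_t offset_to_return_address(void) {
    return offsetof(struct frame, ret_addr);
}

/* Payload: 'A' (0x41) up to the return-address slot, then the target address
 * in little-endian byte order, as x86 stores it. */
static size_t build_payload(unsigned char *out, size_t cap, uint32_t target) {
    size_t off = offset_to_return_address();
    if (cap < off + 4) return 0;
    memset(out, 'A', off);
    for (int i = 0; i < 4; i++)
        out[off + i] = (unsigned char)(target >> (8 * i));
    return off + 4;
}

/* The "running the program" slide replayed: feed n bytes of 'A' and report
 * what the return-address slot holds afterwards. */
uint32_t ret_after_as(size_t n) {
    struct frame f;
    unsigned char buf[sizeof f];
    init_frame(&f);
    memset(buf, 'A', sizeof buf);
    unbounded_read(&f, buf, n);
    return f.ret_addr;
}

/* The attack: after the crafted input, the return-address slot names hack(). */
uint32_t ret_after_attack(void) {
    struct frame f;
    unsigned char payload[sizeof f];
    init_frame(&f);
    size_t len = build_payload(payload, sizeof payload, HACK_ADDR);
    unbounded_read(&f, payload, len);
    return f.ret_addr;
}

int main(void) {
    printf("offset to return address : %zu bytes\n", offset_to_return_address());
    printf("ret after %2d 'A's        : 0x%08" PRIx32 " (intact)\n",
           BUF_SIZE, ret_after_as(BUF_SIZE));
    printf("ret after %2zu 'A's        : 0x%08" PRIx32 " (0x41414141)\n",
           sizeof(struct frame), ret_after_as(sizeof(struct frame)));
    printf("ret after crafted payload: 0x%08" PRIx32 " (hack)\n", ret_after_attack());
    return 0;
}
```

Sixteen 'A's fill s[] and leave the return address intact; twenty clobber only the saved %ebp; twenty-four reach the return address and it reads 0x41414141, which is what the crashed register dump on the slide shows. The crafted payload puts the assumed hack() address there instead. On a real 32-bit binary the only things that change are the offset and the address, both of which are read from the program itself.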
Buffer Overflow – But where does the hack() function come from?
Usually buffers do not have enough space to hold all the code that is going to be executed (i.e. the s[] buffer does not have enough room for the binary code of hack()), so we only need to make the program read data from somewhere and store it in a way that lets us locate it later. In this case it is then just necessary to make the return address point to that location (e.g., an image!).
Buffer Overflow – But...
• Attackers may not have access to the source code to discover the buffer sizes...
It is very easy to incrementally enlarge the input until a crash occurs. This way the buffer size is discovered (more precisely, the distance from the start of s to the return address, since the saved %EBP between them is overwritten on the way).
Buffer Overflow – The correct code
Don't use "insecure functions", or, when it is absolutely necessary to use them, take special care. E.g.:
gets() (no bound at all; use fgets() with the buffer size instead), scanf()/fscanf() with an unbounded %s (give it a field width), strcat()/strcpy() (use a bounded form such as strncat()/snprintf() and check for truncation) ...
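The insecure calls from the slide beside their bounded forms, as an added example that is not part of the original presentation. Input comes from a constructed string instead of stdin so each reader can be exercised; the 8-byte name[] buffer and the guard field next to it are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original slides. NAME_LEN is an assumed size. */
#define NAME_LEN 8

/* A small stand-in for the stack: name[] with a neighbour that must survive. */
struct slot {
    char name[NAME_LEN];
    char guard[4];
};

/* VULNERABLE (what the slides' program does): "%s" carries no width, so any
 * token of NAME_LEN or more characters runs past name[] into guard and beyond.
 * Kept only for contrast; never call it with untrusted input. */
static int read_name_unbounded(const char *input, struct slot *sl) {
    return sscanf(input, "%s", sl->name);
}

/* Bounded scanf: the field width is derived from the destination size so the
 * two cannot drift apart. With cap == 8 the format becomes "%7s", which reads
 * at most 7 characters and always NUL-terminates. */
int read_name_bounded(const char *input, char *dst, size_t cap) {
    char fmt[16];
    if (cap < 2) return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", cap - 1);
    return sscanf(input, fmt, dst);   /* 1 on success, 0 or EOF otherwise */
}

/* Bounded copy in place of strcpy()/strcat(): snprintf() always writes the
 * terminator and reports whether the source was cut. Returns 1 if truncated. */
int copy_name_checked(char *dst, size_t cap, const char *src) {
    int n = snprintf(dst, cap, "%s", src);
    return n < 0 || (size_t)n >= cap;
}

/* fgets() is the bounded replacement for gets(). Its size argument must be
 * the real buffer size (sizeof on the array, never on a pointer), and the
 * newline, if it fit, is left in the buffer and should be stripped.
 * Returns 1 if a complete line was read, 0 if no newline fit (the line was
 * cut and its remainder is still in the stream) or on end of input. */
int read_line_bounded(FILE *in, char *dst, size_t cap) {
    if (cap == 0 || !fgets(dst, (int)cap, in)) {
        if (cap) dst[0] = '\0';
        return 0;
    }
    size_t len = strcspn(dst, "\n");
    int complete = dst[len] == '\n';
    dst[len] = '\0';
    return complete;
}

/* Run both bounded readers on an over-long constructed input and confirm the
 * neighbouring bytes were never touched. */
int guard_intact_after_bounded_reads(void) {
    struct slot sl;
    const char *input = "AAAAAAAAAAAAAAAAAAAA";   /* constructed: 20 'A's, longer than name[] */
    memcpy(sl.guard, "GRD", 4);
    read_name_bounded(input, sl.name, sizeof sl.name);
    int ok = strcmp(sl.name, "AAAAAAA") == 0 && memcmp(sl.guard, "GRD", 4) == 0;
    copy_name_checked(sl.name, sizeof sl.name, input);
    ok = ok && strcmp(sl.name, "AAAAAAA") == 0 && memcmp(sl.guard, "GRD", 4) == 0;
    return ok;
}

int main(void) {
    struct slot sl = { "", "GRD" };
    read_name_unbounded("short", &sl);   /* fits; the same call with 20 'A's smashes guard */
    printf("unbounded read of a short token : %s\n", sl.name);
    printf("bounded readers keep guard intact: %s\n",
           guard_intact_after_bounded_reads() ? "yes" : "no");
    return 0;
}
```

The two details that keep the bounded versions honest are passing the destination size alongside the pointer (so the width or limit is never typed by hand) and checking the truncation result, since a silently cut string is a different bug from a smashed stack but still a bug.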
Credits...
Paulo Marques, Departamento de Eng. Informática, Universidade de Coimbra ([email protected])
The original (Portuguese) version of this presentation belongs to Professor Paulo Marques.