Buffer overflow null

Upload: nullowaspmumbai

Post on 08-Jan-2017

Category: Software

TRANSCRIPT

Page 1: Buffer overflow null

Anatomy of Stack Overflow attack, 13 August 2016

Buffer Overflow – a Demo

Bhaskar K. Divecha +91 – 98193 36001

Page 2: Buffer overflow null


This session:

• Explains Buffer overflow in simple manner
• Demos Exploitation of vulnerable program
  – Works on the Vulnerable C Program
  – Tweaks the stack (by sending data to program)
  – Modifies the return address in stack
  – Calls some other instruction

Page 3: Buffer overflow null


What is Buffer overflow?

Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.

Page 4: Buffer overflow null


What is Buffer overflow? ...contd.

A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold.

It can corrupt data, crash the program, or cause the execution of malicious code.

Page 5: Buffer overflow null


The Exploit

Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon.

We will exploit such a vulnerable C program.

Page 6: Buffer overflow null


The Exploit

We will exploit such a vulnerable C program by:

– Tweaking the stack (by sending data to program)
– Modifying the return address in stack
– Calling some other instruction

Page 7: Buffer overflow null


The Vulnerable Program

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void bbFunction1();

    int main(int bbArgc, char *bbArgv[])
    {
        int bbVbl = 12;

        printf("\nValue of bbENV variable before calling bbFunction1 is : %d\n", bbVbl);

        bbFunction1();

        bbVbl = 100;

        printf("\nValue of bbENV variable after calling bbFunction1 is : %d\n", bbVbl);

        return 0;
    }

    void bbFunction1()
    {
        char *bbENV, bbBuff[3] = "BB";   /* room for two characters plus the NUL */

        bbENV = getenv("bbENV");         /* NULL if the variable is unset; the demo always sets it */

        strcpy(bbBuff, bbENV);           /* unbounded copy into a 3-byte array: the overflow */

        printf("\nThe value of Env Vbl \"bbENV\" is -%s-\n", bbBuff);

        __asm { int 3 }                  /* MSVC inline breakpoint, so the debugger stops here */
    }

This program looks quite safe to the usual programmer.

Page 8: Buffer overflow null


The Result of Normal run of the program

D:\>set bbENV=ABC

D:\>bbEnvVariable.exe

Value of bbENV variable before calling bbFunction1 is : 12

The value of Env Vbl "bbENV" is -ABC-

Value of bbENV variable after calling bbFunction1 is : 100

D:\>

Page 9: Buffer overflow null


The Vulnerable Program

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void bbFunction1();

    int main(int bbArgc, char *bbArgv[])
    {
        int bbVbl = 12;

        printf("\nValue of bbENV variable before calling bbFunction1 is : %d\n", bbVbl);

        bbFunction1();

    00401021    bbVbl = 100;                                  ▬► This instruction is bypassed
    0040102C    printf("\nValue of bbENV variable after calling bbFunction1 is : %d\n", bbVbl);

        return 0;
    }

    void bbFunction1()
    {
        char *bbENV, bbBuff[3] = "BB";   /* room for two characters plus the NUL */

        bbENV = getenv("bbENV");

        strcpy(bbBuff, bbENV);           /* unbounded copy into a 3-byte array: the overflow */

        printf("\nThe value of Env Vbl \"bbENV\" is -%s-\n", bbBuff);

        __asm { int 3 }                  /* MSVC inline breakpoint, so the debugger stops here */
    }

This program looks quite safe to the usual programmer. But in fact we can bypass certain instructions and call an altogether different instruction by crafting the Environment Variable.
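The root cause in both listings above is the unbounded strcpy into a 3-byte array. The example below is added here and is not code from the slides: it places a bounded replacement for that copy beside a small helper that reports how many bytes a given input would spill past bbBuff. The function names (spill_bytes, copy_env_checked, bbFunction1_checked) and the constructed inputs are my own; the inputs are the values typed in the two demo runs plus one that fits.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BB_BUFF_SIZE 3   /* same size as bbBuff[3] in the demo program */

/* How many bytes a strcpy of `src` would write past a buffer of `bufsize`
 * bytes (0 if it fits). The terminating NUL is counted, which is why even
 * the "normal" value ABC already writes one byte past a 3-byte array. */
size_t spill_bytes(size_t bufsize, const char *src)
{
    size_t needed = strlen(src) + 1;
    return needed > bufsize ? needed - bufsize : 0;
}

/* Bounded replacement for strcpy(bbBuff, bbENV): copies only if the whole
 * string (NUL included) fits, otherwise leaves dst empty and reports failure.
 * Returns 0 on success, -1 when the input is missing or too long. */
int copy_env_checked(char *dst, size_t dstsize, const char *src)
{
    size_t needed;
    if (dstsize == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)                 /* getenv() returns NULL when the variable is unset */
        return -1;
    needed = strlen(src) + 1;
    if (needed > dstsize)
        return -1;
    memcpy(dst, src, needed);
    return 0;
}

/* Hardened counterpart of bbFunction1(): same observable behaviour for
 * inputs that fit, a refusal instead of memory corruption for those that don't. */
int bbFunction1_checked(const char *env_value)
{
    char bbBuff[BB_BUFF_SIZE] = "BB";
    if (copy_env_checked(bbBuff, sizeof bbBuff, env_value) != 0) {
        printf("\nEnv Vbl \"bbENV\" is unset or longer than %zu chars; refusing\n",
               sizeof bbBuff - 1);
        return -1;
    }
    printf("\nThe value of Env Vbl \"bbENV\" is -%s-\n", bbBuff);
    return 0;
}

int main(void)
{
    /* Constructed inputs: the two values from the demo runs, and one that fits. */
    const char *inputs[] = { "AB", "ABC", "ABCD1234," };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("\"%s\" would spill %zu byte(s) past bbBuff\n",
               inputs[i], spill_bytes(BB_BUFF_SIZE, inputs[i]));
    bbFunction1_checked(getenv("bbENV"));   /* reads the real variable, like the demo */
    return 0;
}
```

Note that the length check counts the NUL terminator: the value ABC used in the "normal" run already overruns the array by one byte and only looks harmless because that byte lands in alignment padding.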

Page 10: Buffer overflow null


The Result of the program after the Exploit

D:\>set bbENV=ABCD1234,

D:\>bbEnvVariable

Value of bbENV variable before calling bbFunction1 is : 12

The value of Env Vbl "bbENV" is -ABCD1234,-

Value of bbENV variable after calling bbFunction1 is : 12

D:\>

Page 11: Buffer overflow null


Know the Concepts to Exploit this Program

1. Stack, its contents and its working during function calls and returns.

Stack - a LIFO memory structure where all the function parameters (incl. command-line arguments), return addresses and the local variables of the function are stored. It grows downward in memory (from higher address space to lower address space).

Page 12: Buffer overflow null


Know the Concepts to Exploit this Program... contd.

2. Registers

Registers are 4 bytes or 32 bits as the binary is compiled for a 32 bit system.

Page 13: Buffer overflow null


Know the Concepts to Exploit this Program... contd.

2. Registers

%eip: The Instruction pointer register stores the address of the next instruction to be executed. After every instruction executes, its value is incremented by the size of that instruction.

Page 14: Buffer overflow null


Know the Concepts to Exploit this Program... contd.

2. Registers

%esp: The Stack pointer register stores the address of the top of the stack. This is the address of the last element on the stack. It points to the value in stack at the lowest memory address.

Page 15: Buffer overflow null

Know the Concepts to Exploit this Program... contd.

2. Registers

%ebp: The Base pointer register is usually set to %esp at the start of the function. This is done to keep track of function parameters & local variables. Local variables are accessed by subtracting offsets from %ebp & function parameters are accessed by adding offsets to it.

Page 16: Buffer overflow null

Disassembly of a Vulnerable Program ...

        int bbVbl = 12;

        printf("\nValue of bbENV variable before calling bbFunction1 is : %d\n", bbVbl);

        bbFunction1();

    00401021    bbVbl = 100;                                  ▬► This instruction is bypassed by crafting Environment Variable
    0040102C    printf("\nValue of bbENV variable after calling bbFunction1 is : %d\n", bbVbl);

    }

    00401004 C7 45 FC 0C 00 00 00  mov dword ptr [ebp-4],0Ch   ▬► int bbVbl = 12;
    0040100B 8B 45 FC              mov eax,dword ptr [ebp-4]
    0040100E 50                    push eax
    0040100F 68 00 D0 40 00        push 40D000h
    00401014 E8 76 00 00 00        call 0040108F               ▬► printf “BEFORE” calling bbFunction1()
    00401019 83 C4 08              add esp,8
    0040101C E8 1F 00 00 00        call 00401040
    00401021 C7 45 FC 64 00 00 00  mov dword ptr [ebp-4],64h   ▬► bbVbl = 100; (BYPASSED)
    00401028 8B 4D FC              mov ecx,dword ptr [ebp-4]
    0040102B 51                    push ecx
    0040102C 68 3C D0 40 00        push 40D03Ch
    00401031 E8 59 00 00 00        call 0040108F               ▬► printf “AFTER” calling bbFunction1()
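A check worth doing on the listing above, added here as an example and not part of the slides: every E8 byte is a near call whose 32-bit operand is relative to the address of the following instruction, and that following address is exactly what call pushes on the stack as the return address. The helper below parses the three E8 lines and the first C7 45 line as transcribed from the slide (the byte arrays are constructed from the listing) and recomputes the call targets, the pushed return addresses and the ebp-relative offset of bbVbl; the struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* One line of the slide's listing: address, encoded bytes, encoded length. */
struct insn {
    uint32_t addr;
    uint8_t  bytes[8];
    int      len;
};

/* Address of the next instruction. For a call this is the value pushed on
 * the stack as the return address, which is why 0x00401021 is the address
 * the crafted environment variable has to change. */
uint32_t return_address(const struct insn *in)
{
    return in->addr + (uint32_t)in->len;
}

/* Target of an E8 rel32 near call: next-instruction address plus the
 * little-endian signed 32-bit displacement. Returns 0 for a non-call. */
uint32_t call_target(const struct insn *in)
{
    int32_t rel;
    if (in->len != 5 || in->bytes[0] != 0xE8)
        return 0;
    rel = (int32_t)((uint32_t)in->bytes[1]       | (uint32_t)in->bytes[2] << 8 |
                    (uint32_t)in->bytes[3] << 16 | (uint32_t)in->bytes[4] << 24);
    return return_address(in) + (uint32_t)rel;
}

/* Signed displacement of a `mov dword ptr [ebp+disp8], imm32` (C7 45 disp8 imm32).
 * A negative result confirms the local lives below ebp, as page 15 describes.
 * Returns 0 for any other encoding. */
int ebp_disp8(const struct insn *in)
{
    if (in->len != 7 || in->bytes[0] != 0xC7 || in->bytes[1] != 0x45)
        return 0;
    return (int8_t)in->bytes[2];
}

/* Lines transcribed from the slide's disassembly (constructed sample input). */
const struct insn call_printf_before = { 0x00401014, { 0xE8, 0x76, 0x00, 0x00, 0x00 }, 5 };
const struct insn call_bbFunction1   = { 0x0040101C, { 0xE8, 0x1F, 0x00, 0x00, 0x00 }, 5 };
const struct insn call_printf_after  = { 0x00401031, { 0xE8, 0x59, 0x00, 0x00, 0x00 }, 5 };
const struct insn mov_bbVbl_12       = { 0x00401004, { 0xC7, 0x45, 0xFC, 0x0C, 0x00, 0x00, 0x00 }, 7 };

int main(void)
{
    const struct insn *calls[] = { &call_printf_before, &call_bbFunction1, &call_printf_after };
    size_t i;
    for (i = 0; i < sizeof calls / sizeof calls[0]; i++)
        printf("%08X: call -> %08X, returns to %08X\n",
               (unsigned)calls[i]->addr, (unsigned)call_target(calls[i]),
               (unsigned)return_address(calls[i]));
    printf("bbVbl is stored at [ebp%+d]\n", ebp_disp8(&mov_bbVbl_12));
    return 0;
}
```

Both printf calls resolve to 0040108F and the call at 0040101C resolves to 00401040, matching the listing; its return address comes out as 00401021, the mov that the demo shows being skipped, and bbVbl sits at ebp-4, which is the "subtract an offset from %ebp" access to a local described on page 15.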

Page 17: Buffer overflow null


Page 18: Buffer overflow null


Page 19: Buffer overflow null


References

While there are tons of information available on the Internet, I glanced through the following 2 sites:

https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/

https://www.owasp.org/index.php/Buffer_Overflow

Page 20: Buffer overflow null


Thank You

Bhaskar K. Divecha +91 – 98193 36001