buffer overflows 101: some assembly required
TRANSCRIPT
![Page 1: Buffer Overflows 101: Some Assembly Required](https://reader030.vdocuments.mx/reader030/viewer/2022012909/5a6d7ad17f8b9aec418b57cf/html5/thumbnails/1.jpg)
BUFFER OVERFLOWS 101: SOME ASSEMBLY REQUIRED
KORY KYZAR
This talk is…
Very high level
Restricted to stack buffer overflows
Restricted to x86 architecture
What’s a buffer?
A buffer can be thought of as an allocated space in memory intended to hold a certain amount of data.
char A[10];
Allocate 10 bytes for the variable A
Ok, and overflow?
Storing more data in the buffer than it is designed to hold.
strcpy(A, “toomuchdata”);
[Diagram: the bytes of “toomuchdata” spill past the end of A.]
Data is written to memory outside the region allocated to A. We’ve overflowed the buffer.
So What Happens?
Crash
Score
So how do we score?
Slow down there Romeo.
CPU REGISTERS
General Purpose Registers
Small storage areas on the CPU that allow for very fast access.
x86 CPUs have 8 general purpose registers.
Basically, data from memory is loaded into a register, some form of processing is done, then the data is saved back to memory.
Main ones we are concerned with are EBP and ESP.
EIP is not considered a general purpose register, but we are interested in it as well.
EBP - The Base Pointer
Used to track the base of the current frame (function).
Can be used for other purposes
ESP - The Stack Pointer
Used to track the top of the stack.
As data is pushed onto (PUSH) or popped off (POP) the stack, the ESP register is decremented or incremented accordingly; on x86 the stack grows toward lower addresses.
EIP - Instruction Pointer
Always points to the memory address of the next instruction to be executed by the CPU
THE STACK
What is the stack?
Data structure that stores values contiguously in memory
Last In First Out structure
ESP register marks the top of the stack
Assume the below program

```c
#include <string.h>

void foo(char *bar)
{
    char A[10];
    strcpy(A, bar); // no bounds checking
}

int main(int argc, char **argv)
{
    foo(argv[1]);
}
```

The program simply takes an argument on the command line and copies it into a variable that is allocated 10 bytes (A).
https://en.wikipedia.org/wiki/Stack_buffer_overflow
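Added example, not from the talk: the vulnerable foo() next to a bounds-checked version, plus a helper that reports how far a given argument would run past A. Note that strcpy also copies the terminating NUL, so even a 10-character argument writes 11 bytes into the 10-byte A.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define A_SIZE 10   /* the same 10-byte buffer as the talk's foo() */

/* The talk's vulnerable function, kept for contrast: strcpy copies until
 * it finds a NUL in bar, however large A is. Not called below. */
void foo(char *bar)
{
    char A[A_SIZE];
    strcpy(A, bar);          /* no bounds checking */
}

/* Number of bytes strcpy(A, bar) would write past the end of A.
 * strlen(bar) + 1 counts the terminating NUL that strcpy writes too. */
size_t overflow_bytes(const char *bar)
{
    size_t needed = strlen(bar) + 1;
    return needed > A_SIZE ? needed - A_SIZE : 0;
}

/* Hardened version: measure first, refuse anything that does not fit
 * (NUL included), and copy exactly as many bytes as were checked.
 * Returns false when the argument was rejected. */
bool foo_safe(const char *bar)
{
    char A[A_SIZE];
    size_t n = strlen(bar);
    if (n >= A_SIZE)         /* n characters plus the NUL must fit */
        return false;
    memcpy(A, bar, n + 1);
    return A[n] == '\0';     /* the copy is always terminated */
}
```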
Stack - Program Initializes
[Diagram: only main’s frame is on the stack, at the high end of memory. EBP marks the base of main’s frame and ESP its top; the stack grows toward lower addresses.]
Stack - Foo Function Called
[Diagram, built up over several slides: the call pushes the return address below main’s frame. foo’s prologue then pushes the saved EBP and sets EBP to the new frame base, so EBP and ESP momentarily point at the same place. Finally 10 bytes are reserved for A below the saved EBP, and ESP moves down to the new top of the stack.]
Stack - strcpy()
Assume we executed our program with an argument of “AAAAAAAAAA”
[Diagram: the ten A’s occupy the 10 bytes reserved for A; the saved EBP, the return address and main’s frame above them are untouched.]
Stack - strcpy()
Now let’s put our attacker hat on and execute our program with the argument “AAAAAAAAAAAAAAAAAA”
[Diagram, shown over several slides: the eighteen A’s run past the 10 bytes of A and over the saved EBP and the return address; only main’s frame above them remains as it was.]
We just overwrote the RET address, meaning we can tell the CPU which instruction to execute next.
CONGRATULATIONS! YOU CRASHED.
Buffer Overflow Shopping List
We need…
The offset in the buffer at which EIP is overwritten.
Code to perform the exploit.
A way to direct EIP to the code we want to run.
What if the buffer you were trying to overflow was larger than 10 bytes? Let’s say we have a large buffer of unknown size.
We could write a fuzzer that submits an increasing number of “A”s and note the length that causes the crash.
But how do we know which of the “A”s overwrote EIP?
What if…?
Finding the offset
pattern_create.rb is a ruby script that creates a non-repeating sequence of characters of a given length.
Finding the offset
Using the string generated by pattern_create.rb as your input, you would look in a debugger at where the program crashed (e.g. “Access violation when executing 30614239”).
Then you would check where that series of characters sits in the string with pattern_offset.rb.
Now you have the exact position in the buffer to place your return address.
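Added example, not from the talk: a C reimplementation of the idea behind pattern_create.rb and pattern_offset.rb, as used when triaging the crash. It builds a pattern with the same Upper/lower/digit scheme and, given the EIP value the debugger reported (the talk’s 30614239), recovers the offset in the input; the 2000-byte pattern length is a constructed choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build a non-repeating pattern using the same scheme as pattern_create.rb:
 * each 3-byte group is Upper, lower, digit, with the digit advancing
 * fastest ("Aa0Aa1Aa2..."). Writes len bytes plus a NUL; returns len. */
size_t pattern_create(char *out, size_t len)
{
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < len; u++)
        for (char l = 'a'; l <= 'z' && i < len; l++)
            for (char d = '0'; d <= '9' && i < len; d++) {
                char group[3] = { u, l, d };
                for (int k = 0; k < 3 && i < len; k++)
                    out[i++] = group[k];
            }
    out[i] = '\0';
    return i;
}

/* Given the EIP value the debugger reported at the crash, find where those
 * four bytes sat in the pattern. x86 is little-endian, so the byte at the
 * lowest address is the least significant byte of EIP. Returns -1 if the
 * value is not from the pattern (the crash is then something else). */
long pattern_offset(const char *pattern, uint32_t eip)
{
    char needle[5] = {
        (char)(eip & 0xff), (char)((eip >> 8) & 0xff),
        (char)((eip >> 16) & 0xff), (char)((eip >> 24) & 0xff), '\0'
    };
    for (int k = 0; k < 4; k++)
        if (needle[k] == '\0') return -1;   /* the pattern never holds a NUL */
    const char *hit = strstr(pattern, needle);
    return hit ? (long)(hit - pattern) : -1;
}

/* Convenience: offset of eip within a 2000-byte pattern (constructed size). */
long offset_from_eip(uint32_t eip)
{
    static char buf[2048];
    pattern_create(buf, 2000);
    return pattern_offset(buf, eip);
}

int main(void)
{
    /* The talk's example: "Access violation when executing 30614239" */
    printf("EIP 0x30614239 -> offset %ld\n", offset_from_eip(0x30614239u));
    return 0;
}
```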
Shellcode
Assembly code generated to execute the payload of the attacker’s choice
Shellcode must be carefully crafted by hand…RIGHT?
MSFVENOM
MSFPAYLOAD AND MSFENCODE HAVE BEEN DEPRECATED IN FAVOR OF MSFVENOM
So where do we point EIP?
We need to get the CPU to execute our shellcode
“So just set EIP to the address at the beginning of your shellcode!?”
Setting the RET address
You can’t hardcode the address of your shellcode into EIP, since the program will be loaded into different places in memory at each execution.
JMP ESP - one of the most common methods of getting back to your shellcode is to point EIP at a JMP ESP instruction. This works because the jump is relative to the run-time value of ESP rather than a fixed address.
This causes EIP to go to the address in the ESP register, which you should be able to use to reach your shellcode.
Putting it all together
[Diagram of our crafted buffer overflow, made up of: padding, NOP sled, shellcode, EIP = JMP ESP, padding]
DEMO? THIS WILL PROBABLY END IN FLAMES