Download - Stack layout when calling functions
![Page 1: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/1.jpg)
Stack layout when calling functions
• What do we do when we call a function? • What data need to be stored? • Where do they go?
• How do we return from a function? • What data need to be restored? • Where do they come from?
Code examples(see ~/UMD/examples/ in the VM)
![Page 2: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/2.jpg)
Function call and returnvoid func(char *arg1, int arg2, int arg3) {
char loc1[4];int loc2;...
}
int main() {...func("Hey", 10, -3);...
}
![Page 3: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/3.jpg)
Function call and return
• Caller• push args (in reverse)• push return addr (%eip + ...)• jmp to func address
• pop args
void func(char *arg1, int arg2, int arg3) {char loc1[4];int loc2;...
}
int main() {...func("Hey", 10, -3);...
}
• Callee• push old frame ptr (%ebp)• set %ebp to stack top (%esp)• push local variables• . . .• restore old stack frame
%esp = %ebp; pop ebp• jmp return addr: pop %eip
![Page 4: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/4.jpg)
Function call and return
• Caller• push args (in reverse)• push return addr (%eip + ...)• jmp to func address
• pop args
void func(char *arg1, int arg2, int arg3) {char loc1[4];int loc2;...
}
int main() {...func("Hey", 10, -3);...
}
• Callee• push old frame ptr (%ebp)• set %ebp to stack top (%esp)• push local variables• . . .• restore old stack frame
%esp = %ebp; pop ebp• jmp return addr: pop %eip
• Why point %ebp to stack top at start of callee body?• Allows the compiled callee code to easily access args and local
variables (via offsets from %ebp)• Requires saving old %ebp
![Page 5: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/5.jpg)
Function call and return
• Caller• push args (in reverse)• push return addr (%eip + ...)• jmp to func address
• pop args
void func(char *arg1, int arg2, int arg3) {char loc1[4];int loc2;...
}
int main() {...func("Hey", 10, -3);...
}
• Callee• push old frame ptr (%ebp)• set %ebp to stack top (%esp)• push local variables• . . .• restore old stack frame
%esp = %ebp; pop ebp• jmp return addr: pop %eip
![Page 6: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/6.jpg)
Stack and functions: SummaryCalling function:1.Push arguments onto the stack (in reverse) 2.Push the return address, i.e., the address of the instruction you want run after control returns to you: %eip+something
3.Jump to the function’s address
Called function:4.Push the old frame pointer onto the stack: %ebp 5.Set frame pointer %ebp to where the end of the stack is right now: %esp 6.Push local variables onto the stack; access them as offsets from %ebp
Returning function:7.Reset the previous stack frame: %ebp = (%ebp) /* copy it off first */ 8.Jump back to return address: %eip = 4(%ebp) /* use the copy */
![Page 7: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/7.jpg)
Buffer overflows
![Page 8: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/8.jpg)
Buffer overflows from 10,000 ft• Buffer =
• Contiguous set of a given data type • Common in C
- All strings are buffers of char’s
• Overflow = • Put more into the buffer than it can hold
• Where does the extra data go?
• Well now that you’re experts in memory layouts…
![Page 9: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/9.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
![Page 10: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/10.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
![Page 11: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/11.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1
![Page 12: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/12.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1%eip
![Page 13: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/13.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1%ebp %eip
![Page 14: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/14.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg100 00 00 00
buffer
%ebp %eip
![Page 15: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/15.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg100 00 00 00
buffer
A u t h %ebp %eip
![Page 16: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/16.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg100 00 00 00
buffer
A u t h
M e ! \0
%ebp4d 65 21 00 %eip
![Page 17: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/17.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg100 00 00 00
buffer
A u t h
Upon return, sets %ebp to 0x0021654dM e ! \0
%ebp4d 65 21 00 %eip
![Page 18: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/18.jpg)
A buffer overflow examplevoid func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg100 00 00 00
buffer
A u t h
Upon return, sets %ebp to 0x0021654dM e ! \0
%ebp4d 65 21 00 %eip
SEGFAULT (0x00216551)
![Page 19: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/19.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
![Page 20: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/20.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
![Page 21: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/21.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1
![Page 22: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/22.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1%eip
![Page 23: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/23.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1%eip%ebp
![Page 24: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/24.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1%eip%ebp00 00 00 00
authenticated
![Page 25: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/25.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1%eip%ebp00 00 00 0000 00 00 00
authenticatedbuffer
![Page 26: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/26.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1%eip%ebp00 00 00 0000 00 00 00
authenticatedbuffer
A u t h
![Page 27: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/27.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1%eip%ebp00 00 00 0000 00 00 00
authenticatedbuffer
M e ! \0
4d 65 21 00A u t h
![Page 28: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/28.jpg)
A buffer overflow examplevoid func(char *arg1){ int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { ...}
int main(){ char *mystr = “AuthMe!”; func(mystr); ...}
&arg1%eip%ebp00 00 00 0000 00 00 00
authenticatedbuffer
M e ! \0
4d 65 21 00A u t h
Code still runs; user now ‘authenticated’
![Page 29: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/29.jpg)
void vulnerable(){ char buf[80]; gets(buf);}
![Page 30: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/30.jpg)
void vulnerable(){ char buf[80]; gets(buf);}
void still_vulnerable(){ char *buf = malloc(80); gets(buf);}
![Page 31: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/31.jpg)
void safe(){ char buf[80]; fgets(buf, 64, stdin);}
![Page 32: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/32.jpg)
void safe(){ char buf[80]; fgets(buf, 64, stdin);}
void safer(){ char buf[80]; fgets(buf, sizeof(buf), stdin);}
![Page 33: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/33.jpg)
![Page 34: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/34.jpg)
User-supplied strings• In these examples, we were providing our own
strings
• But they come from users in myriad aways • Text input • Network packets • Environment variables • File input…
![Page 35: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/35.jpg)
What’s the worst that could happen?
void func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
&mystr%eip%ebp00 00 00 00
buffer
![Page 36: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/36.jpg)
What’s the worst that could happen?
void func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
&mystr%eip%ebp00 00 00 00
buffer
strcpy will let you write as much as you want (til a ‘\0’)
![Page 37: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/37.jpg)
What’s the worst that could happen?
void func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
&mystr%eip%ebp00 00 00 00
buffer
strcpy will let you write as much as you want (til a ‘\0’)
All ours!
![Page 38: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/38.jpg)
What’s the worst that could happen?
void func(char *arg1){ char buffer[4]; strcpy(buffer, arg1); ...}
&mystr%eip%ebp00 00 00 00
buffer
strcpy will let you write as much as you want (til a ‘\0’)
All ours!
What could you write to memory to wreak havoc?
![Page 39: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/39.jpg)
Code injection
![Page 40: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/40.jpg)
High-level ideavoid func(char *arg1){ char buffer[4]; sprintf(buffer, arg1); ...}
&arg1%eip%ebp00 00 00 00
buffer
... …
![Page 41: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/41.jpg)
High-level ideavoid func(char *arg1){ char buffer[4]; sprintf(buffer, arg1); ...}
&arg1%eip%ebp00 00 00 00
buffer
(1) Load our own code into memory
Haxx0r c0d3... …
![Page 42: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/42.jpg)
High-level ideavoid func(char *arg1){ char buffer[4]; sprintf(buffer, arg1); ...}
&arg1%eip%ebp00 00 00 00
buffer
(1) Load our own code into memory
Haxx0r c0d3Text
%eip
(2) Somehow get %eip to point to it
... …
![Page 43: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/43.jpg)
High-level ideavoid func(char *arg1){ char buffer[4]; sprintf(buffer, arg1); ...}
&arg1%eip%ebp00 00 00 00
buffer
(1) Load our own code into memory
Haxx0r c0d3Text
%eip
(2) Somehow get %eip to point to it
... …
![Page 44: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/44.jpg)
High-level ideavoid func(char *arg1){ char buffer[4]; sprintf(buffer, arg1); ...}
&arg1%eip%ebp00 00 00 00
buffer
(1) Load our own code into memory
Haxx0r c0d3Text
%eip
(2) Somehow get %eip to point to it
... …
![Page 45: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/45.jpg)
This is nontrivial• Pulling off this attack requires getting a
few things really right (and some things sorta right)
• Think about what is tricky about the attack • The key to defending it will be to make
the hard parts really hard
![Page 46: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/46.jpg)
Challenge 1
• It must be the machine code instructions (i.e., already compiled and ready to run)
• We have to be careful in how we construct it: • It can’t contain any all-zero bytes
- Otherwise, sprintf / gets / scanf / … will stop copying - How to write assembly to never contain a full zero byte?
• It can’t use the loader (we’re injecting) - How to find addresses we need?
Loading code into memory
![Page 47: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/47.jpg)
What code to run?
• One goal: general-purpose shell• Command-line prompt that gives attacker general
access to the system
• The code to launch a shell is called shellcode
• Other stuff you could do?
![Page 48: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/48.jpg)
Shellcode#include <stdio.h>int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL);}
![Page 49: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/49.jpg)
Shellcode#include <stdio.h>int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL);}
xorl %eax, %eaxpushl %eaxpushl $0x68732f2fpushl $0x6e69622fmovl %esp,%ebxpushl %eax...
Ass
embl
y
![Page 50: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/50.jpg)
Shellcode#include <stdio.h>int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL);}
xorl %eax, %eaxpushl %eaxpushl $0x68732f2fpushl $0x6e69622fmovl %esp,%ebxpushl %eax...
Ass
embl
y
![Page 51: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/51.jpg)
Shellcode#include <stdio.h>int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL);}
xorl %eax, %eaxpushl %eaxpushl $0x68732f2fpushl $0x6e69622fmovl %esp,%ebxpushl %eax...
Ass
embl
y
“\x31\xc0”“\x50”“\x68””//sh”“\x68””/bin”“\x89\xe3”“\x50”...
Machine code
![Page 52: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/52.jpg)
Shellcode#include <stdio.h>int main( ) { char *name[2]; name[0] = “/bin/sh”; name[1] = NULL; execve(name[0], name, NULL);}
xorl %eax, %eaxpushl %eaxpushl $0x68732f2fpushl $0x6e69622fmovl %esp,%ebxpushl %eax...
Ass
embl
y
“\x31\xc0”“\x50”“\x68””//sh”“\x68””/bin”“\x89\xe3”“\x50”...
Machine code
(Part of) your input
![Page 53: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/53.jpg)
Challenge 2
• All we can do is write to memory from buffer onward• With this alone we want to get it to jump to our code • We have to use whatever code is already running
Thoughts?
&arg1%eip%ebp00 00 00 00
buffer
... …
Getting our injected code to run
![Page 54: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/54.jpg)
Challenge 2
• All we can do is write to memory from buffer onward• With this alone we want to get it to jump to our code • We have to use whatever code is already running
Thoughts?
&arg1%eip%ebp00 00 00 00
buffer
... …
Getting our injected code to run
![Page 55: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/55.jpg)
Challenge 2
• All we can do is write to memory from buffer onward• With this alone we want to get it to jump to our code • We have to use whatever code is already running
Thoughts?
&arg1%eip%ebp00 00 00 00
buffer
... … \x0f \x3c \x2f ...
Getting our injected code to run
![Page 56: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/56.jpg)
Challenge 2
• All we can do is write to memory from buffer onward• With this alone we want to get it to jump to our code • We have to use whatever code is already running
Thoughts?
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... … \x0f \x3c \x2f ...
Getting our injected code to run
![Page 57: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/57.jpg)
Challenge 2
• All we can do is write to memory from buffer onward• With this alone we want to get it to jump to our code • We have to use whatever code is already running
Thoughts?
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... … \x0f \x3c \x2f ...
Getting our injected code to run
![Page 58: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/58.jpg)
Challenge 2
• All we can do is write to memory from buffer onward• With this alone we want to get it to jump to our code • We have to use whatever code is already running
Thoughts?
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... … \x0f \x3c \x2f ...
Getting our injected code to run
![Page 59: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/59.jpg)
Stack and functions: SummaryCalling function:1.Push arguments onto the stack (in reverse) 2.Push the return address, i.e., the address of the instruction you want run after control returns to you: %eip+something
3.Jump to the function’s address
Called function:4.Push the old frame pointer onto the stack: %ebp 5.Set frame pointer %ebp to where the end of the stack is right now: %esp 6.Push local variables onto the stack; access them as offsets from %ebp
Returning function:7.Reset the previous stack frame: %ebp = (%ebp) 8.Jump back to return address: %eip = 4(%ebp)
![Page 60: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/60.jpg)
Hijacking the saved %eip
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
%ebp
… \x0f \x3c \x2f ...
![Page 61: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/61.jpg)
Hijacking the saved %eip
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
%ebp
… \x0f \x3c \x2f ...
![Page 62: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/62.jpg)
Hijacking the saved %eip
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
%ebp
… \x0f \x3c \x2f ...
![Page 63: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/63.jpg)
Hijacking the saved %eip
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
But how do we know the address?
%ebp
… \x0f \x3c \x2f ...
![Page 64: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/64.jpg)
Hijacking the saved %eip
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
%ebp
…
What if we are wrong?
\x0f \x3c \x2f ...
![Page 65: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/65.jpg)
Hijacking the saved %eip
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
%ebp
…
What if we are wrong?
0xbdf \x0f \x3c \x2f ...
![Page 66: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/66.jpg)
Hijacking the saved %eip
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
%ebp
…
What if we are wrong?
0xbdf \x0f \x3c \x2f ...
![Page 67: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/67.jpg)
Hijacking the saved %eip
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
%ebp
…
What if we are wrong?
0xbdf
This is most likely data,so the CPU will panic(Invalid Instruction)
\x0f \x3c \x2f ...
![Page 68: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/68.jpg)
Challenge 3Finding the return address
![Page 69: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/69.jpg)
Challenge 3• If we don’t have access to the code, we don’t know
how far the buffer is from the saved %ebp
Finding the return address
![Page 70: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/70.jpg)
Challenge 3• If we don’t have access to the code, we don’t know
how far the buffer is from the saved %ebp
• One approach: just try a lot of different values!
Finding the return address
![Page 71: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/71.jpg)
Challenge 3• If we don’t have access to the code, we don’t know
how far the buffer is from the saved %ebp
• One approach: just try a lot of different values!
• Worst case scenario: it’s a 32 (or 64) bit memory space, which means 232 (264) possible answers
Finding the return address
![Page 72: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/72.jpg)
Challenge 3• If we don’t have access to the code, we don’t know
how far the buffer is from the saved %ebp
• One approach: just try a lot of different values!
• Worst case scenario: it’s a 32 (or 64) bit memory space, which means 232 (264) possible answers
• But without address randomization: • The stack always starts from the same, fixed address • The stack will grow, but usually it doesn’t grow very
deeply (unless the code is heavily recursive)
Finding the return address
![Page 73: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/73.jpg)
Improving our chances: nop sleds
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
%ebp
…0xbdf
nop is a single-byte instruction (just moves to the next instruction)
\x0f \x3c \x2f ...
![Page 74: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/74.jpg)
Improving our chances: nop sleds
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
%ebp
…0xbdf nop nop nop …
nop is a single-byte instruction (just moves to the next instruction)
\x0f \x3c \x2f ...
![Page 75: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/75.jpg)
Improving our chances: nop sleds
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
...
0xbff
0xbff
%ebp
…0xbdf nop nop nop …
nop is a single-byte instruction (just moves to the next instruction)
Jumping anywhere here will work
\x0f \x3c \x2f ...
![Page 76: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/76.jpg)
Improving our chances: nop sleds
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... 0xbff
%ebp
…0xbdf nop nop nop …
nop is a single-byte instruction (just moves to the next instruction)
Jumping anywhere here will work
\x0f \x3c \x2f ...
![Page 77: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/77.jpg)
Improving our chances: nop sleds
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... 0xbff
%ebp
…0xbdf nop nop nop …
nop is a single-byte instruction (just moves to the next instruction)
Now we improve our chances of guessing by a factor of #nops
Jumping anywhere here will work
\x0f \x3c \x2f ...
![Page 78: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/78.jpg)
Putting it all together
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... …
![Page 79: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/79.jpg)
Putting it all together
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... …
padding
![Page 80: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/80.jpg)
Putting it all together
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... …
padding
But it has to be something; we have to start writing wherever
the input to gets/etc. begins.
![Page 81: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/81.jpg)
Putting it all together
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... …0xbdf
goodguesspadding
But it has to be something; we have to start writing wherever
the input to gets/etc. begins.
![Page 82: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/82.jpg)
Putting it all together
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... …nop nop nop …
nop sled
0xbdf
goodguesspadding
But it has to be something; we have to start writing wherever
the input to gets/etc. begins.
![Page 83: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/83.jpg)
Putting it all together
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... …nop nop nop …
nop sled
0xbdf
goodguesspadding
\x0f \x3c \x2f ...
malicious code
But it has to be something; we have to start writing wherever
the input to gets/etc. begins.
![Page 84: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/84.jpg)
Putting it all together
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... …nop nop nop …
nop sled
0xbdf
goodguesspadding
\x0f \x3c \x2f ...
malicious code
But it has to be something; we have to start writing wherever
the input to gets/etc. begins.
![Page 85: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/85.jpg)
Putting it all together
&arg1%eip%ebp00 00 00 00
buffer
Text
%eip
... …nop nop nop …
nop sled
0xbdf
goodguesspadding
\x0f \x3c \x2f ...
malicious code
But it has to be something; we have to start writing wherever
the input to gets/etc. begins.
![Page 86: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/86.jpg)
Setuid-root vulnerable code
• Let C be the vulnerable code (being attacked)
• Let P be the process executing C (when attacked)
• The attack, if successful, results in the attacker getting a shell that executes with the same privileges that P had in C
• Ideally the attacker wants a root-level shell• This happens if P is a root process
• It also happens if P is a non-root process but C is a “setuid-root” executable.Why? Read on.
![Page 87: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/87.jpg)
Privilege escalation
• An execution platform invariably has shared resources• cpus, memory, io devices, page maps, password files, etc
• Ordinary users need to access these resources,but only via special functions• cpu schedulers, device drivers, executable loaders, etc
• Ordinary-user code should be stopped at runtimefrom accessing these resources in any other way• eg, directly calling instructions that access the resources
• This is achieved by privilege-escalation mechanisms
![Page 88: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/88.jpg)
Privilege escalation in hardware
• Cpu has different modes: kernel, user, ...
• Instructions (and addresses) are partitioned intoprivileged and nonprivileged
• Kernel code is executed with cpu in kernel mode
• User code is executed with cpu in user mode
• To use kernel-level resources, user code calls kernel functions via so-called system calls (aka syscalls)• syscall n: sets cpu mode to kernel; target address is fixed
• Return from system-call sets cpu to user mode
![Page 89: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/89.jpg)
Permissions in Unix
• Each user has a userid (uid)• root user usually has uid 0
• Each process has a uid• set by the login process, and inherited after that
• Each file has:• owner: uid of the process that created the file• rwx (read/write/execute) attributes for owner• " " " " " for group• " " " " " for others
• Adequate to protect a user’s files from other users
• Not adequate for accessing shared resources
![Page 90: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/90.jpg)
Privilege escalation in Unix
• Each process has an effective userid (euid)• in addition to the previous uid (aka real userid (ruid))• euid initially equals ruid, but it can change temporarily
• Each executable file has a setuid bit• in addition to the previous owner uid and rwx attributes• if setuid is set: when a non-owner process executes the file,
its euid is set to the owner id during execution of the file• euid is set to owner id when entering the executable• euid is set back to ruid when returning from the executable
• setuid-root: short for owned by root, setuid bit set
• So a setuid-root executable file can be executed withroot permissions by a non-root user• Note analogy to a system call (at hardware level)
![Page 91: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/91.jpg)
Privilege escalation example
• Let pwds be the file of [userid, password] entries• root is the owner of pwds and has rwx access to it• other users have no access
• Let passwd be an executable file that manages pwds • passwd’s owner is root• all users have x-access• setuid bit is set
• passwd executed by root can access pwds because the executing process has ruid of root
• passwd executed by a non-root user u can access pwds because the executing process has euid of root
![Page 92: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/92.jpg)
gdb: your new best friendi f
i r
x/<n> <addr>
b <function> s
Set a breakpoint at <function> step through execution (into calls)
Examine <n> bytes of memory starting at address <addr>
Show info about registers(%ebp, %eip, %esp, etc.)
Show info about the current frame(prev. frame, locals/args, %ebp/%eip)
![Page 93: Stack layout when calling functions](https://reader030.vdocuments.mx/reader030/viewer/2022012419/6173c28b3cde531aa36bf582/html5/thumbnails/93.jpg)
• run, breakpoint, step, next, continue
• stepi, nexti
• print, x
• backtrace, info [frame, registers, args, locals]
• list, disas