intro to exploitation stack overflows
DESCRIPTION
Intro to Exploitation Stack Overflows. James McFadyen UTD Computer Security Group 10/20/2011. Intro to Exploitation. Only an intro to stack overflow Basic theory and application One of many types of exploitation. Outline. What is a buffer overflow? Tools Vulnerable C Functions - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/1.jpg)
Intro to Exploitation Stack Overflows
James McFadyen UTD Computer Security Group
10/20/2011
![Page 2: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/2.jpg)
Intro to Exploitation
Only an intro to stack overflow Basic theory and application One of many types of exploitation
![Page 3: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/3.jpg)
Outline
What is a buffer overflow? Tools Vulnerable C Functions Remember the memory Learn to love assembly Stack overflow Protection Mechanisms ret2libc in Linux
![Page 4: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/4.jpg)
Buffer Overflow
“In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety.” - Wikipedia
![Page 5: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/5.jpg)
Buffer Overflow
In our examples.. Give the program too much input, hijack the
instruction pointer (EIP) Control EIP Execute arbitrary code locally or remotely Achieve what we want as elevated user
![Page 6: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/6.jpg)
Tools
Linux GDB, gcc, vi, perl/python/ruby, readelf,
objdump, ltrace, strace, ropeme Windows
WinDBG, OllyDBG, ImmunityDBG, IDA, Python, Mona (ImmunityDBG plugin)
![Page 7: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/7.jpg)
Vulnerable C Code
strcpy(), strncpy() strcat(), strncat() sprintf(), snprintf() gets() sscanf() Many others...
![Page 8: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/8.jpg)
Vulnerable C Code
strcpy() doesn't check size If we have
char buf[128];
strcpy(buf, userSuppliedString);
This makes it too easy...
![Page 9: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/9.jpg)
Vulnerable C Code
char *strncpy(char *dest, const char *src, size_t n);
We have a size, but what if..
strncpy(somebuffer, str, strlen(str)); or..
strncpy(somebuffer, str, sizeof(somebuffer)); Where str is supplied by user
![Page 10: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/10.jpg)
Vulnerable C Code
Common bug, proper fix:
strncpy(somebuffer, str, sizeof(somebuffer)-1);
![Page 11: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/11.jpg)
Vulnerable C Code
char *strncat(char *dest, const char *src, size_t n); Ex:
int vulnerable(char *str1, char *str2)
{
char buf[256];
strncpy(buf, str1, 100);
strncat(buf, str2, sizeof(buf)-1);
return;
}
![Page 12: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/12.jpg)
Vulnerable C Code
Fix: strncat(buf, str2, sizeof(buf) - strlen(buf) -1);
![Page 13: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/13.jpg)
Remember the Memory
Text
Data
BSS
Heap
Stack
Initialized global and static variables
Uninitialized global and static variables
Program scratch space. Local variables, pass arguments, etc..
Code segment, machine instr.
Dynamic space.malloc(...) / free(...)new(...) / ~
Low
High * Taken from Mitchell Adair's “Stack Overflows”
![Page 14: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/14.jpg)
Remember the Memory: The Stack
ESP
EBP
RET
arguments...previous stack frame
local variables ...
High
Low
EBP
EBP - x
EBP + x
* Taken from Mitchell Adair's “Stack Overflows”
![Page 15: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/15.jpg)
Love the Assembly
EIP – Extended Instruction Pointer
ESP – Extended Stack Pointer
EBP – Extended Base Pointer
EAX
ECX
EDX
ESI
EDI
Next Instruction executed
Data register
Source index
Destination Index
Counter register
Accumulator register
EBX Base register
Top of stack
Base Pointer
* Taken from Mitchell Adair's “Stack Overflows”
![Page 16: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/16.jpg)
Stack Overflow
ESP
EBP
RET
argc
*argv[]
EBP
char buf[100]
100 bytes
4 bytes
4 bytes
* Taken from Mitchell Adair's “Stack Overflows”
![Page 17: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/17.jpg)
Stack Overflow
ESP
EBP
RET
argc
*argv[]
EBP
100 bytes
4 bytes
4 bytesRET overwrittenRET
108 bytes( 0x41 * 108)
Ret will pop the instruction pointeroff of the stack
EIP will now point to 0x41414141
Ex: $ ./program $(python -c 'print "A" * 108 ')
* Taken from Mitchell Adair's “Stack Overflows”
![Page 18: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/18.jpg)
Stack Overflow
ESP
EBP
RET
argc
*argv[]
EBP
100 bytes
4 bytes
4 bytes0xdeadbeefRET
104 bytes( 0x41 * 104
EIP will now point to 0xdeadbeef
We can now point EIP where we want
Ex: $ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ')
* Taken from Mitchell Adair's “Stack Overflows”
![Page 19: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/19.jpg)
Stack Overflow
$ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ')
We have 104 bytes for a payload
Payload can be anything, but for our purpose we would spawn a shell
The payload will be fixed size, so when we insert it, we must reduce the # of A's by the size of the payload
![Page 20: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/20.jpg)
Stack Overflow
$ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ')
If we had a 32 byte payload .. (real payload will not be a bunch of \xff)
$ ./program $(python -c 'print "A" * 72 + “\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff” + “\xef\xbe\xad\xde” ')
We have adjusted the buffer so the payload will fit We will then have to point EIP (\xef\xbe\xad\xde) to our
payload on the stack
![Page 21: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/21.jpg)
Stack Overflow
$ ./program $(python -c 'print "A" * 72 + “\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff” + “\xef\xbe\xad\xde” ')
“\xef\xbe\xad\xde” would be replaced with the address of our payload
EIP will now point to the address of our payload, which will spawn a shell
NOPs help create a bigger “landing area” This technique is not very effective anymore...
why?
![Page 22: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/22.jpg)
Protection Mechanisms (Windows)
DEP – Data execution Prevention Can't execute on the stack
/GS Flag – cookie / canary detects if stack has been altered
SafeSEH – Structured Exception Handler Try / except, catches exceptions
ASLR - Address Space Layout Randomization
Randomizes addresses in memory
![Page 23: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/23.jpg)
Protection Mechanisms (Linux)
NX – Stack Execute Invalidation Processor feature Like DEP, can't execute on the stack
Stack Smashing Protection – cookie / canary Generally enabled by default
ASLR - Address Space Layout Randomization
Many other compiler protections...
![Page 24: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/24.jpg)
ret2libc
Bypasses NX Point EIP to a function in libc
system(), exec() etc... system(“/bin/sh”);
We will get a shell by using the system() function in libc
![Page 25: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/25.jpg)
ret2libc
$ ./program $(python -c 'print "A" * 104 + “\xef\xbe\xad\xde” ')
We don't need the payload where the A's are anymore
We now will point EIP to the address of system(), then the next 4 bytes will be a return address, followed by system() arguments (which will be /bin/sh)
$ ./program $(python -c 'print "A" * 104 + address_of_system + return_address + payload ')
![Page 26: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/26.jpg)
Demo!
How to use GDB for exploitation Exploring the stack Finding important memory addresses
(ret2libc) Breakpoints Using Perl/Python/Ruby for arguments in GDB
Basic Stack Overflow Ret2libc
![Page 27: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/27.jpg)
Additional Resources
https://www.corelan.be/index.php/articles/ http://beej.us/guide/bggdb/ http://en.wikibooks.org/wiki/X86_Assembly http://www.alexonlinux.com/how-debugger-w
orks http://smashthestack.org/ http://intruded.net/
![Page 28: Intro to Exploitation Stack Overflows](https://reader035.vdocuments.mx/reader035/viewer/2022062217/56815a0c550346895dc75867/html5/thumbnails/28.jpg)
Sources
“Source Code Auditing” - Jared Demott “Smashing the stack in 2010” - Andrea
Cugliari + Mariano Graziano “Stack Overflows” - Mitchell Adair http://en.wikipedia.org/wiki/Buffer_overflow http://en.wikipedia.org/wiki/Return-to-libc_atta
ck