Buffer Overflows
By Tim Peterson, Joel Miller, Dan Block
Overview
• What is a Buffer Overflow?
• Demo of a Stack Overflow
• Prevention Techniques
• Resources
Definition
Via Wikipedia: “a buffer overflow, or buffer overrun, is an anomalous condition where a process attempts to store data beyond the boundaries of a buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data.”
Why does this matter?
You can overwrite the return address! Why does that matter? Because once you control the return address, you can redirect execution to an arbitrary code segment (in particular, code you supplied yourself).
How does it work?
[Figure: stack frame layout, high addresses to low: Arg, Arg, Return Addr, Local vars, Local vars (buffer); Stack and Heap regions labelled High and Low]
• Does it matter which way the Stack grows?
• What about size of variables and alignment?
• Once the return address is overwritten you ideally want to have it jump back into the buffer you overwrote
How does it work….
    #include <stdio.h>

    int main(void) {
        char buf[16];   /* 16-byte buffer on the stack */
        gets(buf);      /* no length limit: any input longer than 15 bytes overflows buf
                           (gets was removed from the C standard in C11 for this reason) */
        return 0;
    }
Functions like gets and strcpy don’t check the bounds of the destination buffer and are therefore susceptible to an attack.
How to execute arbitrary code
Assume at this point you know there exists a buffer which is exploitable.
Step 1: Using GDB determine the absolute address of the buffer.
Step 2: Create a well-crafted string which includes the code you would like to execute and the address of the buffer: “code|buffer address”
Step 3: Pass this string into the buffer
Well-crafted String??
• Metasploit.com is your friend
• If it is going to be handcrafted watch out for null bytes
• For the return address you really have 2 options:
  • Find the exact offset to the return address and pad the string
  • Write the return address multiple times on the end of the string and cross your fingers.
Reality
In theory this all makes sense, but how could I find an exploitable buffer?
• Guess and check
• Disassemble and check for calls to exploitable functions (strcpy, gets…)
• Source code?
Prevention
From a developer perspective
• Don’t write exploitable code
• Use fgets, strncpy…
• Pay attention to compiler and linker warnings
From a Sys admin perspective
• On POSIX: patch gcc to have the stack smashing protector
• AMD64: Data Execution Prevention (Windows, Linux?)
• PaX: software-emulated Data Execution Prevention (Linux)
• Windows update
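As an added example (not code from the slides), this is the hardened counterpart of the gets(buf) snippet above and of the “use fgets, strncpy” advice: a bounded line reader built on fgets that also drains an over-long line so it cannot spill into the next read, plus a bounded copy that avoids the strncpy caveat of an unterminated destination. The 40-byte input line is constructed inline, and fmemopen (POSIX) is assumed to be available.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 16

/* Hardened replacement for the slide's gets(buf): store at most size-1
 * bytes, strip the newline, and drain the rest of an over-long line so it
 * cannot bleed into the next read. Returns bytes stored or -1 on EOF. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {                    /* input exceeded the buffer: discard the tail */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* strncpy caveat: given a source of size or more bytes it leaves dst without
 * a terminator. This bounded copy always writes one. Returns bytes copied. */
size_t copy_bounded(char *dst, size_t size, const char *src)
{
    if (size == 0) return 0;
    size_t n = strlen(src);
    if (n >= size) n = size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Constructed stdin: a 40-byte line (which would overflow the slide's 16-byte
 * buffer under gets) followed by a second line. Returns the length stored
 * for line one, or -2 if line two did not come back intact afterwards. */
int demo_oversized_input(char *out, size_t size)
{
    const char *constructed = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n";
    FILE *in = fmemopen((void *)constructed, strlen(constructed), "r");
    if (in == NULL) return -1;
    int stored = read_line_bounded(in, out, size);
    char next[BUF_SIZE];
    int n2 = read_line_bounded(in, next, sizeof next);
    fclose(in);
    return (n2 == 4 && strcmp(next, "next") == 0) ? stored : -2;
}
```

With the 16-byte buffer, only 15 bytes of the 40-byte line are stored and the remaining 25 are discarded instead of landing on the stack, while the following line is still read correctly.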
Resources
• Wikipedia - en.wikipedia.com
• Metasploit Project - metasploit.com
• Stack Smashing for Fun and Profit - http://www.phrack.org/phrack/49/P49-14
• Stack Smashing Protector - http://www.research.ibm.com/trl/projects/security/ssp/
• PaX - pax.grsecurity.net