Buffer Overflows

By Tim Peterson, Joel Miller, Dan Block
Overview

• What is a buffer overflow?
• Demo of a stack overflow
• Prevention techniques
• Resources

Definition

Via Wikipedia: “a buffer overflow, or buffer overrun, is an anomalous condition where a process attempts to store data beyond the boundaries of a buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data.”

Why does this matter?

You can overwrite the return address! Why does that matter? Because once you control the return address, the function "returns" to wherever you choose: you can jump to an arbitrary code segment (in particular, to code you supplied yourself as part of the input).

How does it work

Stack frame layout (addresses increase upward):

    High addresses
      Arg
      Arg
      Return Addr
      Local vars
      Local vars (buffer)   <- buffer is filled from its low end upward
    Low addresses           <- the stack grows down, toward the heap
      ...
      Heap

• Does it matter which way the stack grows? Yes. On x86 the stack grows toward lower addresses, but a buffer is written from its lowest address upward, so writing past the end of a local buffer runs over whatever the frame keeps above it: other locals, the saved frame pointer and then the return address.
• What about size of variables and alignment? The compiler may pad, align and reorder locals, so the distance from the start of the buffer to the return address cannot be read off the source; it has to be measured (for example with a debugger, or by trying increasing input lengths).
• Once the return address is overwritten you ideally want it to jump back into the buffer you overwrote, because that is where your own code now sits.

How does it work….

    /* Deliberately vulnerable: gets() has no way to know that buf holds
     * only 16 bytes, so a longer line is written straight past its end. */
    #include <stdio.h>

    int main(void)
    {
        char buf[16];
        gets(buf);      /* reads until newline, however long the line is */
        return 0;
    }

Functions like gets and strcpy don't check the bounds of the destination buffer: gets reads until it sees a newline and strcpy copies until it sees a NUL, regardless of how much room the destination has. Any program that calls them on attacker-controlled input is therefore susceptible to this attack.

How to execute arbitrary code

Assume at this point you know there exists a buffer which is exploitable.

Step 1: Using GDB, determine the absolute address of the buffer (for example, break inside the function and print &buf). Two caveats: the environment GDB sets up can shift the stack slightly compared with a normal run, and on a system with address-space layout randomisation the address changes on every run.

Step 2: Create a well-crafted string which includes the code you would like to execute and the address of the buffer: "code|buffer address".

Step 3: Pass this string into the buffer.

Well-crafted string??

• Metasploit.com is your friend: it can generate the shellcode for you.
• If it is going to be handcrafted, watch out for null bytes: strcpy stops copying at the first NUL, so a NUL anywhere in the code or in the address cuts the payload short. (For gets the byte to avoid is the newline.)
• For the return address you really have two options:
  • Find the exact offset to the return address and pad the string so the address lands exactly on it.
  • Write the return address multiple times on the end of the string and cross your fingers: one of the copies will hit the slot.

Reality

In theory this all makes sense, but how could I find an exploitable buffer?

• Guess and check: feed over-long input to every field and watch for a crash.
• Disassemble and check for calls to exploitable functions (strcpy, gets, ...), e.g. run objdump -d on the binary and look at what is passed to them.
• Source code, if you have it.

Prevention

From a developer perspective:
• Don't write exploitable code: never call gets; prefer bounded calls such as fgets, snprintf or strncpy (remembering that strncpy does not NUL-terminate the destination when the source fills it).
• Pay attention to compiler and linker warnings: glibc's linker, for example, warns that gets is dangerous and should not be used.

From a sys admin perspective:
• On POSIX systems, patch gcc with the Stack-Smashing Protector (IBM's SSP/ProPolice patch; later gcc versions ship it as -fstack-protector). It places a canary between the locals and the return address and aborts the program if the canary is overwritten.
• AMD64: hardware Data Execution Prevention through the NX bit (Windows DEP; Linux uses it on x86-64 and PAE kernels), so a return address pointed into a non-executable stack buffer faults instead of running the payload.
• PaX: software-emulated Data Execution Prevention for Linux, which also randomises the address-space layout so the buffer address found in step 1 differs on every run.
• Windows Update: keep the system patched.
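As an added example of the developer-side advice (this is not code from the slides), the 16-byte buffer from the vulnerable program is read again, this time with fgets, together with a bounded copy that always NUL-terminates and reports truncation, and a small check that shows why strncpy on its own is not enough. The function names and the 32-byte scratch buffer inside strncpy_terminated are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy that always NUL-terminates and reports truncation.
 * strncpy() does neither: when src has >= dstsz chars it writes no
 * terminator at all.  Returns 0 if src fit, -1 if it was cut short. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                  /* includes the NUL */
    return 0;
}

/* Shows the strncpy() trap: returns 1 if strncpy(tmp, src, n) left a NUL
 * somewhere in the first n bytes, 0 if it did not (n must be <= 32). */
int strncpy_terminated(const char *src, size_t n)
{
    char tmp[32];
    if (n > sizeof tmp)
        return -1;
    memset(tmp, 'X', sizeof tmp);             /* no terminator anywhere */
    strncpy(tmp, src, n);
    for (size_t i = 0; i < n; i++)
        if (tmp[i] == '\0')
            return 1;
    return 0;
}

/* Drop-in for gets(buf): reads one line into buf (at most sz-1 chars) and
 * strips the newline.  If the line was longer than that, the rest is
 * discarded and *truncated is set, so the tail can neither overflow buf
 * nor be mistaken for the next line.  Returns the stored length, or -1
 * at end of input. */
int read_line(FILE *in, char *buf, size_t sz, int *truncated)
{
    *truncated = 0;
    if (sz == 0 || fgets(buf, (int)sz, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        /* no newline stored: drain the remainder of this line, if any */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return (int)len;
}

int main(void)
{
    /* Same 16-byte buffer as the vulnerable program, now read safely. */
    char buf[16];
    int truncated, len;
    while ((len = read_line(stdin, buf, sizeof buf, &truncated)) >= 0)
        printf("%d bytes%s: %s\n", len,
               truncated ? " (line truncated)" : "", buf);
    return 0;
}
```

Feed it a line of 40 characters and it stores 15, reports the truncation and moves on to the next line, instead of writing the remaining bytes over the frame. Draining the rest of an over-long line matters: a plain fgets leaves the excess in the stream, where the next read picks it up as a new "line", which is a different bug but still attacker-controlled.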

Resources

• Wikipedia - en.wikipedia.org
• Metasploit Project - metasploit.com
• Smashing the Stack for Fun and Profit - http://www.phrack.org/phrack/49/P49-14
• Stack Smashing Protector - http://www.research.ibm.com/trl/projects/security/ssp/
• PaX - pax.grsecurity.net