Buffer Overflows with Content

  • Published on
    14-Feb-2017

  • View
    217

  • Download
    0

Embed Size (px)

Transcript

  • 1

    Buffer Overflows with Content

  • 2

    A Process Stack

  • 3

    Buffer Overflow

    Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the

    INETD daemon The addition of new users to a system Establishing a trust relationship between the

    victim machine and the attackers machine

  • 4

    Example - AMD Buffer Overflow

    Port 2222 is a rootshell left by the AMD exploit

  • 5

    Detecting Buffer Overflows by Protocol Signatures

    Protocol Signature Look for anomalous traffic, such as remote traffic

    targeted at facilities that should not be accessible to a remote user.

    e.g. a remote user trying to connect to the Portmapperprocess

    Payload Signature No-OP instructions to pad the exploit code Script signatures Abnormal user data and responses

  • 6

    IMAP Buffer Overflow

  • 7

    IMAP Buffer Overflow Cont

  • 8

    IMAP Buffer Overflow Cont

  • 9

    IMAP Buffer Overflow Cont

    ls aecho + + > /.rhosts

  • 10

    NO-OP Hex Code Based on Processor Type

  • 11

    Script Signatures NO-OP Overflow

  • 12

    Script Signatures NO-OP Overflow Cont

  • 13

    Script Signatures NO-OP Overflow Cont

    This frame shows a large number of hex 90s followed by some machine code, some ASCII strings, and a literal command /bin/sh -c

  • 14

    Abnormal ResponsesFTP Authentication Buffer Overflow FTPD exploit

    The password supplied in response to the FTPD prompt is suspiciously large

  • 15

    Defending Against Buffer Overflows

    strcpy and strncpy Introduce bounds checking into C programs Stack-based buffer overflow - CPU executes

    code that is resident on the stack Only code in the code space can be executed

  • 16

    Fragmentation

  • 17

    Fragmentation

    Attackers can use fragmentation to mask their probes and exploits

    Fragment offset is specified as a quantity of 8-byte chunk The size of all legal nonterminal fragments must

    be multiples of 8 bytes Any fragmented packets with a byte size

    divisible by 8, except for the last one

  • 18

    Boink Attack

    IP stack has no concept of negative math

    Availability DoS

  • 19

    Teardrop Attack

  • 20

    evilPing

    .

  • 21

    evilPing

  • 22

    Modified Ping of Death

  • 23

    Modified Ping of Death

  • 24

    CGI Scan

    The attacker is running a script that attempts a number of Web server exploits, such as /cgi-bin/rwwwshell.pl

  • 25

    CGI Scan Cont

  • 26

    PHF Attack

    CVE-1999-0067

  • 27

    Some Example CGI CVE Entries

    CVE-1999-0068 CGI PHP mylog script allows an attacker to read any file

    on the target server. CVE-1999-0467

    The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter

    CVE-1999-0509 Perl, sh, csh, or other shell interpreters are installed in the

    cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.

  • 28

    SGI IRIX Object Server

    CVE-2000-0245 A vulnerability in an SGI IRIX object server

    daemon Allow remote attackers to create user accounts Port 5135: the SGI object server

    Scan one to goodguy-a.com yields nothing

  • 29

    SGI Object Server Cont The scan to goodguy-b.com is a bust

  • 30

    SGI Object Server Cont The start of the bad guy

    The user zippy is added

    Buffer Overflows with ContentA Process StackBuffer OverflowExample - AMD Buffer OverflowDetecting Buffer Overflows by Protocol SignaturesIMAP Buffer OverflowIMAP Buffer Overflow ContIMAP Buffer Overflow ContIMAP Buffer Overflow ContNO-OP Hex Code Based on Processor TypeScript Signatures NO-OP OverflowScript Signatures NO-OP Overflow ContScript Signatures NO-OP Overflow ContAbnormal ResponsesDefending Against Buffer OverflowsFragmentationFragmentationBoink AttackTeardrop AttackevilPingevilPingModified Ping of DeathModified Ping of Death CGI ScanCGI Scan ContPHF AttackSome Example CGI CVE EntriesSGI IRIX Object ServerSGI Object Server ContSGI Object Server Cont

Recommended

View more >