Stack-based buffer overflows, part 2 Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium [email protected]

Page 1: Stack-based buffer overflows, part 2

Stack-based buffer overflows, part 2

Yves Younan
DistriNet, Department of Computer Science
Katholieke Universiteit Leuven
Belgium

[email protected]

Page 2: Stack-based buffer overflows, part 2

Yves Younan - Methodology for Designing Countermeasures against Code injection Attacks March 22, 2005 - 2

Overview

Code injection

Page 3: Stack-based buffer overflows, part 2

Code injection

Finding the inserted code is sometimes a problem

Often an attacker will fill the buffer with NOPs and place the shellcode at the end

If the guessed address is slightly off, execution may still land in the NOPs and slide into the shellcode

Page 4: Stack-based buffer overflows, part 2

Gdb intro

Compile the code with -g for debugging information

gdb program

break main -> tells the debugger to stop when main is reached

run -> runs the program

x buffer -> prints out the contents of buffer (and its address)

If the shellcode is stored in the buffer, that address will be what to overwrite the return address with

Page 5: Stack-based buffer overflows, part 2

Execve

Execve allows execution of a program:

    int execve(const char *filename, char *const argv[], char *const envp[]);

Must pass an array of arguments; note that the program name is argument 0, and the array is terminated with NULL

Must also pass an array of environment variables, terminated with NULL

Page 6: Stack-based buffer overflows, part 2

Execve

    #include <stdio.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        /* arguments for the new program: argument 0 is the program name, list is NULL-terminated */
        char *execargv[3] = { "/bin/ls", "--color=always", NULL };
        /* environment for the new program, also NULL-terminated */
        char *env[2] = { "TEST=1", NULL };
        execve(execargv[0], execargv, env);
        /* execve only returns if it failed */
        perror("execve");
        return 1;
    }

Page 7: Stack-based buffer overflows, part 2

Finding inserted code

Generally (on kernels < 2.6) the stack will start at a static address

Finding the shellcode means running the program with a fixed set of arguments and a fixed environment

This will result in the same address every run

Not very precise: a small change can result in a different location of the code

Not mandatory to put the shellcode in the buffer used to overflow: it can be passed as an environment variable

Page 8: Stack-based buffer overflows, part 2

Controlling the environment

Stack layout at process start (stack start: 0xBFFFFFFF):

    High addr
    0,0,0,0        <- stack start 0xBFFFFFFF
    Program name
    Env var n
    Env var n-1
    ...
    Env var 0
    Arg n
    Arg n-1
    ...
    Arg 0
    Low addr

Passing shellcode as environment variable:

Stack start - 4 null bytes - strlen(program name) - null byte (program name) - strlen(shellcode)

0xBFFFFFFF - 4 - strlen(program name) - 1 - strlen(shellcode)
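Added example, not from the slides: a small C program that applies the formula above to its own environment and reports how far the real address of the last environment string lies from the prediction, using the 0xBFFFFFFF stack start the slide assumes; the function names are mine. On a 64-bit or ASLR-enabled system the mismatch (and the address changing between runs) is the point: the fixed-layout assumption the technique relies on no longer holds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Slide 8's assumption: on a pre-2.6 Linux/x86 kernel without address
   randomisation the stack starts at 0xBFFFFFFF. */
#define SLIDE_STACK_START 0xBFFFFFFFUL

/* The slide's formula applied literally: stack start - 4 null bytes - strlen(program name)
   - 1 (its terminator) - strlen(payload), payload being the last string in envp. */
unsigned long predict_env_addr(unsigned long stack_start, size_t progname_len,
                               size_t payload_len)
{
    return stack_start - 4 - progname_len - 1 - payload_len;
}

/* Slide 7's caveat made concrete: lengthening the program name by k bytes
   pushes every string below it k bytes lower (negative result = lower). */
long addr_shift_for_progname(size_t old_len, size_t new_len)
{
    return (long)old_len - (long)new_len;
}

/* Compare the prediction with where this process really keeps its last environment
   string. They agree only in a 32-bit, non-randomised layout; elsewhere the mismatch is the lesson. */
int check_layout(int argc, char **argv, char **envp)
{
    int n = 0;
    while (envp[n] != NULL)   /* envp is NULL-terminated, like argv */
        n++;
    if (argc < 1 || n == 0) {
        puts("need a program name and a non-empty environment");
        return 1;
    }
    const char *last = envp[n - 1];   /* highest-addressed env string */
    unsigned long predicted = predict_env_addr(SLIDE_STACK_START, strlen(argv[0]), strlen(last));
    long diff = (long)(uintptr_t)last - (long)predicted;
    printf("pointer size    : %zu bytes%s\n", sizeof(void *),
           sizeof(void *) == 4 ? "" : " (0xBFFFFFFF stack start does not apply)");
    printf("last env string : \"%.24s\" at %p\n", last, (const void *)last);
    printf("slide prediction: 0x%lx (off by %ld bytes)\n", predicted, diff);
    puts("run twice: if the actual address moves, ASLR is randomising the stack");
    return 0;
}

int main(int argc, char **argv, char **envp)
{
    return check_layout(argc, argv, envp);
}
```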

Page 9: Stack-based buffer overflows, part 2

Conclusion

Follow “Gera’s Insecure Programming by example”: http://community.corest.com/~gera/InsecureProgramming/

Login/pass for the computers: cstudy/distrinet