If you can't read please download the document
Upload
truongque
View
216
Download
0
Embed Size (px)
Citation preview
1
Stack Buffer OverflowsStack Buffer Overflows
ACKNOWLEDGEMENT:ACKNOWLEDGEMENT:
This lecture uses slides that were prepared by This lecture uses slides that were prepared by Prof. Dave Prof. Dave OHalloranOHalloran (CMU)(CMU)
2
Internet Worm and IM WarInternet Worm and IM WarNovember, 1988November, 1988
Internet Worm attacks thousands of Internet hosts.How did it happen?
July, 1999July, 1999Microsoft launches MSN Messenger (instant messaging system).Messenger clients can access popular AOL Instant Messaging Service (AIM) servers
AIMserver
AIMclient
AIMclient
MSNclient
MSNserver
2
3
Internet Worm and IM War (cont.)Internet Worm and IM War (cont.)August 1999August 1999
Mysteriously, Messenger clients can no longer access AIM servers.Microsoft and AOL begin the IM war:
AOL changes server to disallow Messenger clientsMicrosoft makes changes to clients to defeat AOL changes.At least 13 such skirmishes.
How did it happen?
The Internet Worm and AOL/Microsoft War were both The Internet Worm and AOL/Microsoft War were both based on based on stack buffer overflowstack buffer overflow exploits!exploits!
many Unix functions do not check argument sizes.allows target buffers to overflow.
4
String Library CodeString Library CodeImplementation of Unix function gets
No way to specify limit on number of characters to read
Similar problems with other Unix functionsstrcpy: Copies string of arbitrary lengthscanf, fscanf, sscanf, when given %s conversion specification
/* Get string from stdin */char *gets(char *dest){
int c = getc();char *p = dest;while (c != EOF && c != '\n') {
*p++ = c;c = getc();
}*p = '\0';return dest;
}
3
5
Vulnerable Buffer CodeVulnerable Buffer Code
int main(){
printf("Type a string:");echo();return 0;
}
/* Echo Line */void echo(){
char buf[4]; /* Way too small! */gets(buf);puts(buf);
}
6
Buffer Overflow ExecutionsBuffer Overflow Executions
unix>./bufdemoType a string:123123
unix>./bufdemoType a string:12345Segmentation Fault
unix>./bufdemoType a string:12345678Segmentation Fault
4
7
IA32/Linux Stack FrameIA32/Linux Stack FrameCurrent Stack Frame (Top Current Stack Frame (Top
to Bottom)to Bottom)Parameters for function about to call
Argument buildLocal variables
If cant keep in registersSaved register contextOld frame pointer
Caller Stack FrameCaller Stack FrameReturn address
Pushed by call instruction
Arguments for this call Stack Pointer(%esp)
Frame Pointer(%ebp)
Return Addr
SavedRegisters
+Local
Variables
ArgumentBuild
Old %ebp
Arguments
CallerFrame
8
Buffer Overflow StackBuffer Overflow Stack
echo:pushl %ebp # Save %ebp on stackmovl %esp,%ebpsubl $20,%esp # Allocate space on stackpushl %ebx # Save %ebxaddl $-12,%esp # Allocate space on stackleal -4(%ebp),%ebx # Compute buf as %ebp-4pushl %ebx # Push buf on stackcall gets # Call gets. . .
/* Echo Line */void echo(){
char buf[4]; /* Way too small! */gets(buf);puts(buf);
}
Return AddressSaved %ebp
[3][2][1][0] buf%ebp
StackFrame
for main
StackFrame
for echo
5
9
Buffer Overflow Stack Example
Buffer Overflow Stack Example
Before call to gets
unix> gdb bufdemo(gdb) break echoBreakpoint 1 at 0x8048583(gdb) runBreakpoint 1, 0x8048583 in echo ()(gdb) print /x *(unsigned *)$ebp$1 = 0xbffff8f8(gdb) print /x *((unsigned *)$ebp + 1)$3 = 0x804864d
8048648: call 804857c 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point
Return AddressSaved %ebp
[3][2][1][0] buf%ebp
StackFrame
for main
StackFrame
for echo
0xbffff8d8
Return AddressSaved %ebp
[3][2][1][0] buf
StackFrame
for main
StackFrame
for echo
bf ff f8 f808 04 86 4d
xx xx xx xx
10
Buffer Overflow Example #1Buffer Overflow Example #1
Before Call to gets Input = 123
No Problem
0xbffff8d8
Return AddressSaved %ebp
[3][2][1][0] buf
StackFrame
for main
StackFrame
for echo
bf ff f8 f808 04 86 4d
00 33 32 31
Return AddressSaved %ebp
[3][2][1][0] buf%ebp
StackFrame
for main
StackFrame
for echo
6
11
Buffer Overflow Stack Example #2Buffer Overflow Stack Example #2Input = 12345
8048592: push %ebx8048593: call 80483e4 # gets8048598: mov 0xffffffe8(%ebp),%ebx804859b: mov %ebp,%esp804859d: pop %ebp # %ebp gets set to invalid value804859e: ret
echo code:
0xbffff8d8
Return AddressSaved %ebp
[3][2][1][0] buf
StackFrame
for main
StackFrame
for echo
bf ff 00 3508 04 86 4d
34 33 32 31
Return AddressSaved %ebp
[3][2][1][0] buf%ebp
StackFrame
for main
StackFrame
for echo
Saved value of %ebp set to 0xbfff0035
Bad news when later attempt to restore %ebp
12
Buffer Overflow Stack Example #3Buffer Overflow Stack Example #3
Input = 12345678
Return AddressSaved %ebp
[3][2][1][0] buf%ebp
StackFrame
for main
StackFrame
for echo
8048648: call 804857c 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point
0xbffff8d8
Return AddressSaved %ebp
[3][2][1][0] buf
StackFrame
for main
StackFrame
for echo
38 37 36 35
08 04 86 00
34 33 32 31
Invalid address
No longer pointing to desired return point
%ebp and return address corrupted
7
13
Malicious Use of Buffer OverflowMalicious Use of Buffer Overflow
Input string contains byte representation of executable codeOverwrite return address with address of bufferWhen bar() executes ret, will jump to exploit code
void bar() {char buf[64]; gets(buf); ...
}
void foo(){bar();...
}
Stack after call to gets()
B
returnaddress
A
foo stack frame
bar stack frame
B
exploitcode
pad
data written
bygets()
14
LC3 Activation RecordLC3 Activation Recordintint NoName(intNoName(int a, a, intint b)b)
{{char w[3];char w[3];
gets(wgets(w););
return y;return y;
}}Name Type Offset Scope
abw
intintchar
45-2
NoNameNoNameNoName
w[0]w[1]w[2]
dynamic linkreturn address
return valueab
bookkeeping
locals
args
R5
8
15
Exploits Based on Buffer OverflowsExploits Based on Buffer OverflowsBuffer overflow bugs allow remote machines to execute Buffer overflow bugs allow remote machines to execute
arbitrary code on victim machines.arbitrary code on victim machines.
Internet wormInternet wormEarly versions of the finger server (fingerd) used gets() to read the argument sent by the client:
finger [email protected]
Worm attacked fingerd server by sending phony argument:finger exploit-code padding new-return-addressexploit code: executed a root shell on the victim machine with adirect TCP connection to the attacker.
16
Exploits Based on Buffer OverflowsExploits Based on Buffer OverflowsBuffer overflow bugs allow remote machines to execute Buffer overflow bugs allow remote machines to execute
arbitrary code on victim machines.arbitrary code on victim machines.
IM WarIM WarAOL exploited existing buffer overflow bug in AIM clientsexploit code: returned 4-byte signature (the bytes at some location in the AIM client) to server. When Microsoft changed code to match signature, AOL changed signature location.
9
17
Avoiding Overflow VulnerabilityAvoiding Overflow Vulnerability
Use Library Routines that Limit String LengthsUse Library Routines that Limit String Lengthsfgets instead of getsstrncpy instead of strcpyDont use scanf with %s conversion specification
Use fgets to read the string
/* Echo Line */void echo(){
char buf[4]; /* Way too small! */fgets(buf, 4, stdin);puts(buf);
}
18
Extra Credit AssignmentExtra Credit AssignmentConstruct a buffer overflow attack on the LCConstruct a buffer overflow attack on the LC--33
Assume that there is a procedure test() as shown belowAssume that there is a procedure test() as shown belowAssume that the activation record for a procedure follows the foAssume that the activation record for a procedure follows the format rmat discussed in previous lecturesdiscussed in previous lecturesWrite LC3 assembly code for test(), and construct an attack wherWrite LC3 assembly code for test(), and construct an attack where your e your exploit code is executedexploit code is executed
Assume that the input string typed in by the user is stored in aAssume that the input string typed in by the user is stored in a packed packed array, i.e. assume that each character takes 1 byte instead of 1array, i.e. assume that each character takes 1 byte instead of 1 word as word as is the default in the LC3is the default in the LC3
You can make your exploit code print out a message to the screenYou can make your exploit code print out a message to the screen. Can . Can you construct an attack where your exploit code is executed, theyou construct an attack where your exploit code is executed, thedamage to the stack is repaired, and then test() appears to retudamage to the stack is repaired, and then test() appears to return rn normally?normally?
void test(){
char buf[4]; /* Way too small! */gets(buf);return(1);
}
Stack Buffer OverflowsInternet Worm and IM WarInternet Worm and IM War (cont.)String Library CodeVulnerable Buffer CodeBuffer Overflow ExecutionsIA32/Linux Stack FrameBuffer Overflow StackBuffer Overflow Stack ExampleBuffer Overflow Example #1Buffer Overflow Stack Example #2Buffer Overflow Stack Example #3Malicious Use of Buffer OverflowLC3 Activation RecordExploits Based on Buffer OverflowsExploits Based on Buffer OverflowsAvoiding Overflow VulnerabilityExtra Credit Assignment