Stack Buffer Overflows - cs.gmu.edusetia/cs367-F06/slides/lecture13.pdf · 5 9 Buffer Overflow Stack Example Buffer Overflow Stack Example Before call to gets unix> gdb bufdemo (gdb)

Embed Size (px)

Citation preview

  • 1

    Stack Buffer OverflowsStack Buffer Overflows

    ACKNOWLEDGEMENT:ACKNOWLEDGEMENT:

    This lecture uses slides that were prepared by This lecture uses slides that were prepared by Prof. Dave Prof. Dave OHalloranOHalloran (CMU)(CMU)

    2

    Internet Worm and IM WarInternet Worm and IM WarNovember, 1988November, 1988

    Internet Worm attacks thousands of Internet hosts.How did it happen?

    July, 1999July, 1999Microsoft launches MSN Messenger (instant messaging system).Messenger clients can access popular AOL Instant Messaging Service (AIM) servers

    AIMserver

    AIMclient

    AIMclient

    MSNclient

    MSNserver

  • 2

    3

    Internet Worm and IM War (cont.)Internet Worm and IM War (cont.)August 1999August 1999

    Mysteriously, Messenger clients can no longer access AIM servers.Microsoft and AOL begin the IM war:

    AOL changes server to disallow Messenger clientsMicrosoft makes changes to clients to defeat AOL changes.At least 13 such skirmishes.

    How did it happen?

    The Internet Worm and AOL/Microsoft War were both The Internet Worm and AOL/Microsoft War were both based on based on stack buffer overflowstack buffer overflow exploits!exploits!

    many Unix functions do not check argument sizes.allows target buffers to overflow.

    4

    String Library CodeString Library CodeImplementation of Unix function gets

    No way to specify limit on number of characters to read

    Similar problems with other Unix functionsstrcpy: Copies string of arbitrary lengthscanf, fscanf, sscanf, when given %s conversion specification

    /* Get string from stdin */char *gets(char *dest){

    int c = getc();char *p = dest;while (c != EOF && c != '\n') {

    *p++ = c;c = getc();

    }*p = '\0';return dest;

    }

  • 3

    5

    Vulnerable Buffer CodeVulnerable Buffer Code

    int main(){

    printf("Type a string:");echo();return 0;

    }

    /* Echo Line */void echo(){

    char buf[4]; /* Way too small! */gets(buf);puts(buf);

    }

    6

    Buffer Overflow ExecutionsBuffer Overflow Executions

    unix>./bufdemoType a string:123123

    unix>./bufdemoType a string:12345Segmentation Fault

    unix>./bufdemoType a string:12345678Segmentation Fault

  • 4

    7

    IA32/Linux Stack FrameIA32/Linux Stack FrameCurrent Stack Frame (Top Current Stack Frame (Top

    to Bottom)to Bottom)Parameters for function about to call

    Argument buildLocal variables

    If cant keep in registersSaved register contextOld frame pointer

    Caller Stack FrameCaller Stack FrameReturn address

    Pushed by call instruction

    Arguments for this call Stack Pointer(%esp)

    Frame Pointer(%ebp)

    Return Addr

    SavedRegisters

    +Local

    Variables

    ArgumentBuild

    Old %ebp

    Arguments

    CallerFrame

    8

    Buffer Overflow StackBuffer Overflow Stack

    echo:pushl %ebp # Save %ebp on stackmovl %esp,%ebpsubl $20,%esp # Allocate space on stackpushl %ebx # Save %ebxaddl $-12,%esp # Allocate space on stackleal -4(%ebp),%ebx # Compute buf as %ebp-4pushl %ebx # Push buf on stackcall gets # Call gets. . .

    /* Echo Line */void echo(){

    char buf[4]; /* Way too small! */gets(buf);puts(buf);

    }

    Return AddressSaved %ebp

    [3][2][1][0] buf%ebp

    StackFrame

    for main

    StackFrame

    for echo

  • 5

    9

    Buffer Overflow Stack Example

    Buffer Overflow Stack Example

    Before call to gets

    unix> gdb bufdemo(gdb) break echoBreakpoint 1 at 0x8048583(gdb) runBreakpoint 1, 0x8048583 in echo ()(gdb) print /x *(unsigned *)$ebp$1 = 0xbffff8f8(gdb) print /x *((unsigned *)$ebp + 1)$3 = 0x804864d

    8048648: call 804857c 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point

    Return AddressSaved %ebp

    [3][2][1][0] buf%ebp

    StackFrame

    for main

    StackFrame

    for echo

    0xbffff8d8

    Return AddressSaved %ebp

    [3][2][1][0] buf

    StackFrame

    for main

    StackFrame

    for echo

    bf ff f8 f808 04 86 4d

    xx xx xx xx

    10

    Buffer Overflow Example #1Buffer Overflow Example #1

    Before Call to gets Input = 123

    No Problem

    0xbffff8d8

    Return AddressSaved %ebp

    [3][2][1][0] buf

    StackFrame

    for main

    StackFrame

    for echo

    bf ff f8 f808 04 86 4d

    00 33 32 31

    Return AddressSaved %ebp

    [3][2][1][0] buf%ebp

    StackFrame

    for main

    StackFrame

    for echo

  • 6

    11

    Buffer Overflow Stack Example #2Buffer Overflow Stack Example #2Input = 12345

    8048592: push %ebx8048593: call 80483e4 # gets8048598: mov 0xffffffe8(%ebp),%ebx804859b: mov %ebp,%esp804859d: pop %ebp # %ebp gets set to invalid value804859e: ret

    echo code:

    0xbffff8d8

    Return AddressSaved %ebp

    [3][2][1][0] buf

    StackFrame

    for main

    StackFrame

    for echo

    bf ff 00 3508 04 86 4d

    34 33 32 31

    Return AddressSaved %ebp

    [3][2][1][0] buf%ebp

    StackFrame

    for main

    StackFrame

    for echo

    Saved value of %ebp set to 0xbfff0035

    Bad news when later attempt to restore %ebp

    12

    Buffer Overflow Stack Example #3Buffer Overflow Stack Example #3

    Input = 12345678

    Return AddressSaved %ebp

    [3][2][1][0] buf%ebp

    StackFrame

    for main

    StackFrame

    for echo

    8048648: call 804857c 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point

    0xbffff8d8

    Return AddressSaved %ebp

    [3][2][1][0] buf

    StackFrame

    for main

    StackFrame

    for echo

    38 37 36 35

    08 04 86 00

    34 33 32 31

    Invalid address

    No longer pointing to desired return point

    %ebp and return address corrupted

  • 7

    13

    Malicious Use of Buffer OverflowMalicious Use of Buffer Overflow

    Input string contains byte representation of executable codeOverwrite return address with address of bufferWhen bar() executes ret, will jump to exploit code

    void bar() {char buf[64]; gets(buf); ...

    }

    void foo(){bar();...

    }

    Stack after call to gets()

    B

    returnaddress

    A

    foo stack frame

    bar stack frame

    B

    exploitcode

    pad

    data written

    bygets()

    14

    LC3 Activation RecordLC3 Activation Recordintint NoName(intNoName(int a, a, intint b)b)

    {{char w[3];char w[3];

    gets(wgets(w););

    return y;return y;

    }}Name Type Offset Scope

    abw

    intintchar

    45-2

    NoNameNoNameNoName

    w[0]w[1]w[2]

    dynamic linkreturn address

    return valueab

    bookkeeping

    locals

    args

    R5

  • 8

    15

    Exploits Based on Buffer OverflowsExploits Based on Buffer OverflowsBuffer overflow bugs allow remote machines to execute Buffer overflow bugs allow remote machines to execute

    arbitrary code on victim machines.arbitrary code on victim machines.

    Internet wormInternet wormEarly versions of the finger server (fingerd) used gets() to read the argument sent by the client:

    finger [email protected]

    Worm attacked fingerd server by sending phony argument:finger exploit-code padding new-return-addressexploit code: executed a root shell on the victim machine with adirect TCP connection to the attacker.

    16

    Exploits Based on Buffer OverflowsExploits Based on Buffer OverflowsBuffer overflow bugs allow remote machines to execute Buffer overflow bugs allow remote machines to execute

    arbitrary code on victim machines.arbitrary code on victim machines.

    IM WarIM WarAOL exploited existing buffer overflow bug in AIM clientsexploit code: returned 4-byte signature (the bytes at some location in the AIM client) to server. When Microsoft changed code to match signature, AOL changed signature location.

  • 9

    17

    Avoiding Overflow VulnerabilityAvoiding Overflow Vulnerability

    Use Library Routines that Limit String LengthsUse Library Routines that Limit String Lengthsfgets instead of getsstrncpy instead of strcpyDont use scanf with %s conversion specification

    Use fgets to read the string

    /* Echo Line */void echo(){

    char buf[4]; /* Way too small! */fgets(buf, 4, stdin);puts(buf);

    }

    18

    Extra Credit AssignmentExtra Credit AssignmentConstruct a buffer overflow attack on the LCConstruct a buffer overflow attack on the LC--33

    Assume that there is a procedure test() as shown belowAssume that there is a procedure test() as shown belowAssume that the activation record for a procedure follows the foAssume that the activation record for a procedure follows the format rmat discussed in previous lecturesdiscussed in previous lecturesWrite LC3 assembly code for test(), and construct an attack wherWrite LC3 assembly code for test(), and construct an attack where your e your exploit code is executedexploit code is executed

    Assume that the input string typed in by the user is stored in aAssume that the input string typed in by the user is stored in a packed packed array, i.e. assume that each character takes 1 byte instead of 1array, i.e. assume that each character takes 1 byte instead of 1 word as word as is the default in the LC3is the default in the LC3

    You can make your exploit code print out a message to the screenYou can make your exploit code print out a message to the screen. Can . Can you construct an attack where your exploit code is executed, theyou construct an attack where your exploit code is executed, thedamage to the stack is repaired, and then test() appears to retudamage to the stack is repaired, and then test() appears to return rn normally?normally?

    void test(){

    char buf[4]; /* Way too small! */gets(buf);return(1);

    }

    Stack Buffer OverflowsInternet Worm and IM WarInternet Worm and IM War (cont.)String Library CodeVulnerable Buffer CodeBuffer Overflow ExecutionsIA32/Linux Stack FrameBuffer Overflow StackBuffer Overflow Stack ExampleBuffer Overflow Example #1Buffer Overflow Stack Example #2Buffer Overflow Stack Example #3Malicious Use of Buffer OverflowLC3 Activation RecordExploits Based on Buffer OverflowsExploits Based on Buffer OverflowsAvoiding Overflow VulnerabilityExtra Credit Assignment