Exploiting Buffer Overflows on

1
Exploiting Buffer Overflows on

• AIX/PowerPCHP-UX/PA-RISCSolaris/SPARC

2
Buffer Overflow

• Buffer overflow is a famous/infamous hacking
  technique in computer security.
• Buffer overflow conditions are caused by missed
  boundary checks of user-supplied data.
• Implementation and exploitation of buffer
  overflow vulnerabilities is heavily dependant on
  the target OS and architecture.
• Exotic architecture doesnt mean secure.

3
Function Call and Stack
Text
Instruction Pointer
Data
Stack Pointer
Stack
Frame Pointer
4
Function Call and Stack specifics

• Stack could grow in different directions
• Stack frame formats are different
• Different conditions has to be met on different
  platforms for buffer overflow to be
  exploitable.(double return, calls of sub
  procedures, alignments )
• Return address has to be overwritten
• Frame ptr/stack ptr has to be overwritten

5
Function Call and Stack
6
Smashing the Stack

• How to overwrite the return address?
• void sickfunc(char str)
• char buf512
• strcpy(buf, str)
• int main(int argc, char argv)
• if (argv1)
• sickfunc(argv1)

7
Smashing the Stack

• Generate a string length are more than 512, here
  we use 520 As (distance may differ)
• Use the string as argument of the program, and
  look at the stack.

8
Smashing the Stack

• It overwrites the return address to
  0x41414141(AAAA)
• You can design an executable code in the string
  and overwrite the return address to the address
  of the code, then you can control the system.

9
Smashing the Stack

• The above example, buffer overflow is caused by
  absence of boundary checks.
• Not only absence of boundary checks, but also
  wrong typecastings lead to buffer overflow
  conditions.

10
Smashing the Stack

• void sickfunc(char foo)
• int lengthfoo0
• char baz64
• if (lengthgt64)
• return
• strncpy(baz, foo1, length)
• buff63\x0

11
Smashing the Stack

• Although in most cases, exploiting buffer
  overflow try to overwrite the return address to
  return the stack, but there are other ways.
• Overwrite the frame pointer is an alternative.
• Overwrite a local variable pointer, and use the
  pointer to overwrite GOT entries (stack and heap
  overflows).
• Overwrite the return address to libc (getting
  around non-executable stack protections)

12
Shellcode

• Shellcode is a short fragment of machine code
  which is injected into execution flow.
• Shellcode is machine/OS specific
• The most common shellcodes are shell-spawns using
  execve syscalls (but not the only
  implementations)

13
What to do?

• Because of the implementation of stack
  differences in platform, to exploit buffer
  overflows on non-intel platform are a bit tricky
• These tricks and specifics are going to be
  explored in our presentation.
• An multi-platform shellcode design concept will
  be covered briefly.

14
What we will see?

• Buffer overflow exploitations on non-intel
  platforms are nearly as trivial as on its intel
  brother.
• Having vulnerable software running on some exotic
  platform doesnt give you security
• Something else p

15
What you have to know

• Understanding of basics of assembly language
• Understanding of i386 platform buffer overflows
  concept
• Tools and utilities (perl, adb, gdb, gcc, as)

16
What we will learn

• Writing shellcodes on HP-UX, Solaris and AIX
  platforms.
• Basic requirements for buffer overflows on these
  platforms to be exploitable
• Injecting shellcode platform specifics
• Creating advanced shellcodes