Advanced Computer Networks Smashing the Stack for Fun and Profit

Transcription

1 Smashing the Stack for Fun and Profit 1

2 appeared in: Phrack 49 Volume Seven, Issue Forty-Nine by: Aleph One (Elias Levy) Where the title comes from 2

3 The stack Buffer Overflows Shellcode Be aware of the inaccuracy Examples Outline 3

4 Function parameters Prolog Stackframe (local variables) Epilog The Stack 4

5 Function parameters Prolog Stackframe CALL P (local variables) P: ENTER size, 0 LEAVE RET n Epilog The Stack 5

6 Prolog (1) (2) ESP ESP Return Addr Return Addr Dyn. Link size (1) (2) CALL P ENTER size, 0 ESP Push( EIP ) EIP = Addr( P ) Push( ) = ESP ESP = ESP -size The Stack 6

7 Epilog (1) (2) Return Addr Dyn. Link ESP Return Addr ESP ESP LEAVE RET n ESP = POP( ) POP( EIP ) ESP = ESP +n The Stack 7

8 ' x Param2 (int 9) Param1 (int 6) Return Address C int main( void ) { } int x; x = foo( 6, 9 ); printf( The answer is: %d\n, x ); return 0; Dynamic Link -10 int foo( int a, int b ) { bar [4.. ] bar [0..3] c char bar[5]; int c = a * b; itoa( c, bar, 13 ); return atoi( bar ); } The Stack today this is not always true 8

9 ' x Param2 (int 9) Param1 (int 6) Return Address C int main( void ) { } int x; x = foo( 6, 9 ); printf( The answer is: %d\n, x ); return 0; Dynamic Link -10 int foo( int a, int b ) { c bar [1..4] bar [0] char bar[5]; int c = a * b; itoa( c, bar, 13 ); return atoi( bar ); } The Stack 9

10 int main( void ) { ' x Return Address int x = 0; foo( ); if (x) { printf( Unreachable code\n ); } return 0; Dynamic Link *ret bar [0..3] } void foo( void ) { char bar[4]; int *ret= bar +12; (*ret) += 6; } The Stack Changing the return address 10

11 A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data. Wikipedia, April 2007 Return Address Dynamic Link bar [0..3] Buffer Overflows 11

12 A shellcode is a relocatable piece of machine code used as the payload in the exploitation of a software bug which typically allows an unauthorised user to communicate with the computer via the operating system's command line as a result of exploiting a vulnerability in software running on the machine. Normally stored as a null terminated string, it usually cannot contain null characters. Wikipedia, April 2007 int main( void ) { } char *callee = "/bin/bash", *parameters = NULL; execve( callee, parameters, NULL ); exit( 0 ); Shellcode 12

13 Return Address ' prev. Dynamic Link bar [4..7] bar [0..3] Position of the buffer Absolute Relative to the ret addr. Position of the callee string Amount of memory 0-terminating char arrays Things to take into account 13

14 A 0B 0C 0D 0E 0F A 0B 0C 0D 0E 0F JJ JJ SC SC SC SC SC SC SC SC SC SC SC SC SC SC A 0B 0C 0D 0E 0F SC CC CC 2F E 2F ???????? / b i n / b a s h Things to take into account 14

15 References [Levy, 1996] E. Levy. (1996) Smashing the stack for fun and profit, Phrack Magazine 7(49): file 0x0D [Heffner, 2007] C. J. Heffner. (2007) Smashing the modern stack for fun and profit, URL: [Mössenböck, 2006] HP. Mössenböck. (2006) Fortgeschrittene Techniken des Übersetzerbaues, Course Notes, Institut für Systemsoftware, JKU, Linz [Wikipedia, 2007a] Wikimedia Foundation Inc. (2007) Buffer Overflow, Wikipedia, April 2007, URL: [Wikipedia, 2007b] Wikimedia Foundation Inc. (2007) Shellcode, Wikipedia, April 2007, URL: References 15

16 (1) Give the structure of a buffer overflow cf. slide 14 (2) Explain the JMP/CALL technique cf. [Levy, 1996] line Exam questions 16