ISA 564, Laboratory I: Buffer Overflows
|
|
- Scot Ryan
- 6 years ago
- Views:
Transcription
1 ISA 564, Laboratory I: Buffer Overflows Lab Submission Instructions To complete the lab, you need to submit the compressed files (either tar or zip) using the GMU Blackboard system. Please make sure that you upload, before the due date, as a single compressed file containing all the individual task files and descriptions. Lab Description Shellcode is a set of foreign/injected bytes which is, in the original meaning of the word, native machine code that spawns an interactive shell. The term is now broadly applied to any process control flow redirection to enable the attacker s intentions, and not necessarily machine code. This lab is designed to familiarize the student with shellcode and its design. Initial Lab Setup We will conduct the lab with one VMware-based virtual machine (VM): VM1 (Kali Linux). You will need to download the following software on your local machine: VMware workstation or Player: VM1: o Select the 32 bit PAE for VMware image Getting Started We will conduct the lab on the VM. Turn on VM1, and sync with the course repository. cd Desktop If you have not cloned the repo, do so: git clone Else, update the repo: o cd course-material o git pull Ensure that you can compile code. cd ~/Desktop/course-material/shellcode make testsc If you have errors, run this and try again: o sudo apt-get install gdb build-essential gcc-multilib Directories will be referred by their path under ~/Desktop/course-material. For instance, alephone is ~/Desktop/course-material/alephone and bof is ~/Desktop/course-material/bof. Unless otherwise specified, assume alephone. 1
2 There are many protections in current compilers and operating systems to stop stack attacks like the one we want to do. We have to disable some security options to allow the exploit to work. Most of this setup is done, but when you compile manually, you'll need to set the compiler flags. Disable ASLR: sudo sysctl -w kernel.randomize_va_space=0 Setting this doesn't survive a reboot, so I created the file: /etc/sysctl.d/01-disable-aslr with the line: kernel.randomize_va_space = 0 Set the following compiler flags when you compile: -z execstack // Make the stack executable by turning off NX protection -fno-stack-protector // Remove stack smashing detection StackGuard -g // Enable debugging output 2
3 Task I: Understanding the Stack and Function Call Conventions Subtask I In the alephone directory, type the following command to generate the corresponding assembly file from the C source file: gcc -S -o example1.s example1.c Please try to understand how the original C file is converted to the assembly (.s) file. Note that the Aleph One s paper also contains the generated assembly code. Are your results different from Aleph One s? Why? (Task I.1) Draw the stack frame changes at the time that the function() is called (Task I.2). Subtask II Compile our second example example2.c with the following command: gcc m32 O0 -o example2 example2.c Execute the generated binary by typing:./example2. What are your results? And why? (Task I.3). You may consider drawing related stack frame changes to explain the result. Subtask III In our third example (example3.c) we aim to understand how the function return address can be inferred from a local variable and then manipulated. In this particular example, we first identify the stack return address of function(), then modify the value to skip the x=1 line (in example3.c), so that the example prints 0. Compile and run example3.c with the following commands: gcc -g m32 O0 -o example3 example3.c gdb example3 You can disassembly the main function within gdb: disassemble main. From the gdb output, you need to determine the correct change of the return address value in order to skip the x=1 line. Modify the line of the code (*ret) += 8; appropriately. Next, modify the return variable pointer line of the code ret = buffer1 + 12; appropriately. Note the location of the return address pointer in memory cannot be calculated explicitly, 3
4 because it is dependent on your memory stack. You may have to use trial and error to determine the offset between buffer1 and the return pointer. Remember that the offset must be at least the size of buffer1 and the frame pointer, and that although the offset is in bytes, it must be an integral number of words. Record the necessary code changes (Task I.4), execute:./example3, and capture the screenshot of the result (Task I.5). Task II: Shellcode Basics While Task I contains the basic concepts behind modifying the return address (and consequently the execution flow), Task II introduces how to prepare shellcode that will be executed after hijacking the execution flow. Note that shellcode is essentially machine code that will be recognized and executed by the CPU. Shellcode is a bit of a misnomer, due to historical reasons it used to be primarily for launching interactive shells. In our experiments, we will be using the following C program (shell_test.c) to test the shellcode, you can find it under the alephone directory: #include <stdio.h> char shellcode[] = ""; /* global array */ int main (int argc, char **argv) { int (*ret)(); /* ret is a function pointer */ ret = (int(*)())shellcode; /* ret points to our shellcode */ /* cast shellcode to function */ (int)(*ret)(); /* execute it as a function */ exit(0); /* exit() */ } A typical way to write the shellcode is to prepare a C program with the same features. Then we can compile the C program and the generated assembly instructions can be used for our shellcode purposes. As an example, consider the example program (shellcode.c): #include <stdio.h> int main(void) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } You can compile the program and obtain its assembly instructions. Make sure you have a clear understanding of the assembly code, using the AlephOne paper as a guide. gcc m32 O0 -o shellcode -ggdb -static shellcode.c 4
5 gdb shellcode disassemble main disassemble execve We are going to use this code to execute a shell from a victim program. However, we want to make sure our process will quit normally after our shellcode is executed; for instance, in case execve fails. Otherwise, the computer could continue to execute data in memory, likely causing a core dump or segmentation fault. View the assembly translation of the exit command so that we can use this to stop the execution of our shellcode after the execve call. Do this by obtaining the corresponding assembly code of exit.c. gcc m32 O0 -o exit -ggdb -static exit.c gdb exit disassemble _exit Now, we must prepare the hex representation of the binary code to use when we eventually inject it into the vulnerable program s memory. When complete, we will be able to use testsc.c to execute our binary code. First, let s observe the assembly code for our task. In separate windows: open the disassembled shellcode, the disassembled exit, and the source file shellcodeasm.c. Compare these until you notice and understand how that the essential components of shellcode and exit have been placed into shellcodeasm.c. gcc m32 O0 -o shellcodeasm -g -ggdb -static shellcodeasm.c gdb shellcodeasm disassemble main Our intention is now to copy these assembly commands into a string that we can use to inject into vulnerable processes. To do this, you must use gdb to show the binary machine code representations of the assembly code in shellcodeasm.c. In gdb use x/bx main to see the representation of the first line. For any other line (e.g. main+3) simply include the offset (e.g. x/bx main+3). Use x/48bx main to get the first 40 bytes in main. We can now test our shellcode by using a wrapper program to place it in memory and execute it. Conveniently, the machine code values determined from above have been placed in a character array in testsc.c. gcc -m32 -O0 -fno-stack-protector -z execstack -o testsc testsc.c./testsc 5
6 After running this, you should have access to a shell prompt (on Kali the sh prompt is #). While this exploit works, because we are storing it as an array of characters and the NULL character in our string could potentially cause problems. To solve this problem, we rewrite the assembly code to remove all NULL bytes (testsc2.c). Type the following commands and you should have a shell. gcc -m32 -O0 -fno-stack-protector -z execstack -o testsc2 testsc2.c./testsc2 Please explain why it is important to eliminate NULL characters (Task II.1) and how we can modify the assembly code to remove null characters (Task II.2). Note that the current testsc2.c file does not contain any explanation. Please add the corresponding explanation via comments for testsc2.c (Task II.3). The needed documentation should be consistent include what assembly mnemonics are executed and a short comment about what an instruction or groups of instructions are doing (Hint: objdump -D). What would be the result of directly executing./shellcodeasm? And why? (Task II.4) Task III: Advanced Shellcode As mentioned earlier, shellcode can contain functionalities other than spawning a simple shell. In the alephone directory, there is a file testsc3.c, which, unfortunately, is not documented. Please document this file, a la Task II.3, and explain what additional features are contained in the shellcode (Task III.1). There is also a file testsc4.c, which contains packed, or obfuscated shellcode, document how this encoding works, what the shellcode output is, and why an attacker would pack shellcode (Task III.2). For each of these, execute them and capture a screenshot to demonstrate how the shellcode can be used (Task III.3). For instance, show me a dialogue of interaction with the shellcode or pre/post shots that demonstrate your shellcode was successful. The Metasploit framework can also be used to generate the shellcode. We will use the msfconsole interface. For example, the following commands creates a port-binding shellcode in Linux. root@kali:/desktop/course-material/alephone# msfconsole msf > use linux/x86/shell_bind_tcp msf payload(shell_bind_tcp)> generate h msf payload(shell_bind_tcp)> generate t c Put this output into the file testsc5.c. Test that it works, when running connect to it with nc Please analyze and document the shellcode, a la Task II.3 (Task III.4). 6
7 Submission Checklist Task I (25 points): Answer those questions in Task I.1, I.2 I.3, I.4, and I.5. Task II (30 points): Answer those questions in Task II.1, II.2, II.3, and II.4. Task III (40 points): Answer those questions in Task III.1, III.2, III.3, and III.4. Lab survey (5 points) References [1] Aleph One, Smashing the Stack for Fun and Profit. Phrack Magazine, Volume 0x07, Issue 49, File 14of 16, November, 1996 [2] Avicoder, Smashing the Stack for Fun & Profit : Revived, February,
Lab 2: Buffer Overflows
Department of Computer Science: Cyber Security Practice Lab 2: Buffer Overflows Introduction In this lab, you will learn how buffer overflows and other memory vulnerabilities are used to takeover vulnerable
More informationBuffer Overflow Vulnerability
Buffer Overflow Vulnerability 1 Buffer Overflow Vulnerability Copyright c 2006 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National
More informationBuffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to
CPSC 8810 Fall 2018 Lab 1 1 Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through email to lcheng2@clemson.edu Copyright c 2006-2014 Wenliang Du, Syracuse
More information1 Recommended Readings
CSC 482/582 Assignment #5 Buffer Overflow Due: November 14, 2013 The learning objective of this assignment is for students to gain first-hand experience with a buffer overflow vulnerability, applying what
More informationCS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS
Laboratory for Computer Security Education 1 CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS Copyright c Wenliang Du, Syracuse University.
More informationBuffer Overflow Vulnerability Lab
SEED Labs Buffer Overflow Vulnerability Lab 1 Buffer Overflow Vulnerability Lab Copyright c 2006-2013 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from
More information1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012
CSC 666 Lab #11 Buffer Overflow November 29, 2012 Copyright c 2012 James Walden, Northern Kentucky University. Original document version c 2006-2012 Wenliang Du, Syracuse University. The development of
More information2 Resources Required. 3 Assignment Tasks. 3.1 Initial setup
CSC 482/582 Assignment #3 Buffer Overflow Due: October 15, 2015 The learning objective of this assignment is for students to gain first-hand experience with a buffer overflow vulnerability, applying what
More informationENEE 757 Buffer Overflow Homework
Buffer Overflow Homework Copyright 2006-2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National Science Foundation: Awards No. 0231122
More informationExercise 6: Buffer Overflow and return-into-libc Attacks
Technische Universität Darmstadt Fachbereich Informatik System Security Lab Prof. Dr.-Ing. Ahmad-Reza Sadeghi M.Sc. David Gens Exercise 6: Buffer Overflow and return-into-libc Attacks Course Secure, Trusted
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationProject 4: Application Security
CS461/ECE422 October 23, 2015 Computer Security I Project 4: Application Security Project 4: Application Security This project is split into two parts, with the first checkpoint due on Friday, October
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationCS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities
CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities Given: November 13, 2003 Due: November 20, 2003 1 Motivation Buffer overflows and format string vulnerabilities are widespread
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationCSC 405 Computer Security Shellcode
CSC 405 Computer Security Shellcode Alexandros Kapravelos akaprav@ncsu.edu Attack plan Attack code Vulnerable code xor ebx, ebx xor eax, eax mov ebx,edi mov eax,edx sub eax,0x388 Vulnerable code xor ebx,
More informationHW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005
HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities 1 Motivation DUE 12/18/2005 Memory corruption vulnerabilities to change program execution flow
More informationbuffer overflow exploitation
buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing
More informationBuffer Overflow Vulnerability Lab
SEED Labs Buffer Overflow Vulnerability Lab 1 Buffer Overflow Vulnerability Lab Copyright 2006-2016 Wenliang Du, Syracuse University. The development of this document was partially funded by the National
More informationIntroduction. Overview and Getting Started. CS 161 Computer Security Lab 1 Buffer Overflows v.01 Due Date: September 17, 2012 by 11:59pm
Dawn Song Fall 2012 CS 161 Computer Security Lab 1 Buffer Overflows v.01 Due Date: September 17, 2012 by 11:59pm Introduction In this lab, you will get a hands-on approach to circumventing user permissions
More informationLab 6: OS Security for the Internet of Things
Department of Computer Science: Cyber Security Practice Lab 6: OS Security for the Internet of Things Introduction The Internet of Things (IoT) is an emerging technology that will affect our daily life.
More informationLab 6: OS Security for the Internet of Things
Department of Computer Science: Cyber Security Practice Lab 6: OS Security for the Internet of Things Introduction The Internet of Things (IoT) is an emerging technology that will affect our daily life.
More informationCS Programming Languages Fall Homework #2
CS 345 - Programming Languages Fall 2010 Homework #2 Due: 2pm CDT (in class), September 30, 2010 Collaboration policy This assignment can be done in teams at most two students. Any cheating (e.g., submitting
More informationProject 4: Application Security
EECS 388 October 25, 2018 Intro to Computer Security Project 4: Application Security Project 4: Application Security This project is due on November 15, 2018 at 6 p.m. and counts for 8% of your course
More informationHomework 1 CS 642: Information Security
Homework 1 CS 642: Information Security September 22, 2012 This homework assignment tasks you with understanding vulnerabilities in five target programs. You may (optionally) work with a partner. It is
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More informationBuffer Overflow Attack
Chapter 4 This is a sample chapter in the book titled "Computer Security: A Hands-on Approach" authored by Wenliang Du. Buffer Overflow Attack From Morris worm in 1988, Code Red worm in 2001, SQL Slammer
More informationCS155: Computer Security Spring Project #1
CS155: Computer Security Spring 2018 Project #1 Due: Part 1: Thursday, April 12-11:59pm, Parts 2 and 3: Thursday, April 19-11:59pm. The goal of this assignment is to gain hands-on experience finding vulnerabilities
More informationThis is an example C code used to try out our codes, there several ways to write this but they works out all the same.
...._ _... _.;_/ [_) (_]\_ [ )(_](_. \.net._ "LINUX SHELLCODING REFERENCE" Author: Nexus Email: nexus.hack@gmail.com Website: http://www.playhack.net Introduction ------------- One of the most important
More informationCS155: Computer Security Spring Project #1. Due: Part 1: Thursday, April pm, Part 2: Monday, April pm.
CS155: Computer Security Spring 2008 Project #1 Due: Part 1: Thursday, April 17-1159 pm, Part 2: Monday, April 21-1159 pm. Goal 1. The goal of this assignment is to gain hands-on experience with the effect
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationLecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall 2007 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) and Stanislav Nurilov Course Admin
More informationCMSC 414 Computer and Network Security
CMSC 414 Computer and Network Security Buffer Overflows Dr. Michael Marsh August 30, 2017 Trust and Trustworthiness You read: Reflections on Trusting Trust (Ken Thompson), 1984 Smashing the Stack for Fun
More informationISA 564 SECURITY LAB. Introduction & Class Mechanics. Angelos Stavrou, George Mason University
ISA 564 SECURITY LAB Introduction & Class Mechanics Angelos Stavrou, George Mason University Course Mechanics Course URL: http://cs.gmu.edu/~astavrou/isa564_f16.html Instructor Angelos Stavrou Email: astavrou@gmu.edu
More informationLecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2016 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) HW3 submitted Course Admin Being graded Solution
More informationStack overflow exploitation
Stack overflow exploitation In order to illustrate how the stack overflow exploitation goes I m going to use the following c code: #include #include #include static void
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationShell Code For Beginners
Shell Code For Beginners Beenu Arora Site: www.beenuarora.com Email: beenudel1986@gmail.com ################################################################ #.. # # _/ \ _ \ _/ # # / \ \\ \ / // \/ /_\
More informationCS 361S - Network Security and Privacy Spring Project #2
CS 361S - Network Security and Privacy Spring 2017 Project #2 Part 1 due: 11:00, April 3, 2017 Part 2 due: 11:00, April 10, 2017 Submission instructions Follow the submission instructions in the Deliverables
More informationSandwiches for everyone
Inf2C :: Computer Systems Today s menu ( And finally, monsieur, a wafer-thin mint ) Notes on security Or, why safety is an illusion, why ignorance is bliss, and why knowledge is power Stack overflows Or,
More informationTopics. What is a Buffer Overflow? Buffer Overflows
Buffer Overflows CSC 482/582: Computer Security Slide #1 Topics 1. What is a Buffer Overflow? 2. The Most Common Implementation Flaw. 3. Process Memory Layout. 4. The Stack and C s Calling Convention.
More informationJackson State University Department of Computer Science CSC / Advanced Information Security Spring 2013 Lab Project # 5
Jackson State University Department of Computer Science CSC 439-01/539-02 Advanced Information Security Spring 2013 Lab Project # 5 Use of GNU Debugger (GDB) for Reverse Engineering of C Programs in a
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More information2. Exercises ASI Using the tools : objdump, gdb, ida,...
2. Exercises ASI6 2018 1 Using the tools : objdump, gdb, ida,... The following tools can be of help: objdump, to display various in information about object files; nm, to list symbols from object files;
More informationLinux Fundamentals & Practice
Operating Systems Security Linux Fundamentals & Practice (Manual, Commands, Alignment, ) Seong-je Cho Fall 2018 Computer Security & Operating Systems Lab, DKU - 1-524870, F 18 Sources / References Linux
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationProblem Set 1: Unix Commands 1
Problem Set 1: Unix Commands 1 WARNING: IF YOU DO NOT FIND THIS PROBLEM SET TRIVIAL, I WOULD NOT RECOMMEND YOU TAKE THIS OFFERING OF 300 AS YOU DO NOT POSSESS THE REQUISITE BACKGROUND TO PASS THE COURSE.
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationCS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!
CS 642 Homework #4 Due Date: 11:59 p.m. on Tuesday, May 1, 2007 Warning! In this assignment, you will construct and launch attacks against a vulnerable computer on the CS network. The network administrators
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationmalloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which
Heap Overflow malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which data are placed). The header contains
More informationSecure Systems Engineering
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2 Program Bugs
More informationCS 361S - Network Security and Privacy Spring Project #2
CS 361S - Network Security and Privacy Spring 2014 Project #2 Part 1 due: 11am CDT, March 25, 2014 Part 2 due: 11am CDT, April 3, 2014 Submission instructions Follow the submission instructions in the
More informationPractical Anti-virus Evasion
Practical Anti-virus Evasion by Daniel Sauder During a penetration test, situation might occur where it is possible to upload and remotely execute a binary file. For example, you can execute the file on
More informationExploit Development. License. Contents. General notes about the labs. General notes about the labs. Preparation. Introduction to exploit development
Exploit Development License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. All included software source
More informationWe will focus on Buffer overflow attacks SQL injections. See book for other examples
We will focus on Buffer overflow attacks SQL injections See book for other examples Buffer overrun is another common term Buffer Overflow A condition at an interface under which more input can be placed
More informationStack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security
Running Head: BUFFER OVERFLOW 1 Stack-Based Buffer Overflow Explained Marc Koser East Carolina University ICTN 4040: Enterprise Information Security Instructor: Dr. Philip Lunsford 03-17-2015 Prepared
More informationBuffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.
Buffer Overflows A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. By: Brian Roberts What is a buffer overflow? In languages that deal with data structures
More informationBuffer Overflow. An Introduction
Buffer Overflow An Introduction Workshop Flow-1 Revision (4-10) How a program runs Registers Memory Layout of a Process Layout of a StackFrame Layout of stack frame using GDB and looking at Assembly code
More informationCSE 361S Intro to Systems Software Lab Assignment #4
Due: Thursday, October 23, 2008. CSE 361S Intro to Systems Software Lab Assignment #4 In this lab, you will mount a buffer overflow attack on your own program. As stated in class, we do not condone using
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationSecurity and Privacy in Computer Systems. Lecture 5: Application Program Security
CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationISA 564 SECURITY LAB. Introduction & Class Mechanics. Angelos Stavrou, George Mason University
ISA 564 SECURITY LAB Introduction & Class Mechanics Angelos Stavrou, George Mason University Course Mechanics Course URL: http://cs.gmu.edu/~astavrou/isa564_f15.html Instructor Angelos Stavrou Email: astavrou@gmu.edu
More informationProject 1 Notes and Demo
Project 1 Notes and Demo Overview You ll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed with setuid root Your job is to write exploits (sploit[1-7].c)
More informationRace Condition Vulnerability Lab
Concordia Institute for Information Systems Engineering - INSE 6130 1 Race Condition Vulnerability Lab Copyright c 2006-2012 Wenliang Du, Syracuse University. The development of this document is funded
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationShellbased Wargaming
Shellbased Wargaming Abstract Wargaming is a hands-on way to learn about computer security and common programming mistakes. This document is intended for readers new to the subject and who are interested
More informationENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks
ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park Buffer overflow
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationBlossom Hands-on exercises for computer forensics and security. Buffer Overflow
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Project #1 Due Today Please hand in to me Project #2 rsautl has no base64
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationControl Hijacking Attacks
Control Hijacking Attacks Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides from Chris Kruegel) Attacker s mindset Take control of the victim s machine Hijack the execution flow of a running
More informationLab 03 - x86-64: atoi
CSCI0330 Intro Computer Systems Doeppner Lab 03 - x86-64: atoi Due: October 1, 2017 at 4pm 1 Introduction 1 2 Assignment 1 2.1 Algorithm 2 3 Assembling and Testing 3 3.1 A Text Editor, Makefile, and gdb
More informationProject #1 Exceptions and Simple System Calls
Project #1 Exceptions and Simple System Calls Introduction to Operating Systems Assigned: January 21, 2004 CSE421 Due: February 17, 2004 11:59:59 PM The first project is designed to further your understanding
More informationBuffer Overflow Attacks
Buffer Overflow Attacks 1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks Smashing the Stack An Evil Function void func(char* inp){ } char buffer[16];
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationCS 241 Honors Security
CS 241 Honors Security Ben Kurtovic University of Illinois Urbana-Champaign September 20, 2017 Ben Kurtovic (UIUC) CS 241 Honors: Security September 20, 2017 1 / 45 Reminder! Project proposals are due
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Linux Platform Security Module 8 Arbitrary Code Execution: Threats & Countermeasures
More information1. Install a Virtual Machine Download Ubuntu Create a New Virtual Machine Seamless Operation between Windows an Linux...
Introduction APPLICATION NOTE The purpose of this document is to explain how to create a Virtual Machine on a Windows PC such that a Linux environment can be created in order to build a Linux kernel and
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationBuffer Overflow and Protection Technology. Department of Computer Science,
Buffer Overflow and Protection Technology Department of Computer Science, Lorenzo Cavallaro Andrea Lanzi Table of Contents Introduction
More information1/31/2007 C. Edward Chow. CS591 Page 1
Page 1 History of Buffer Overflow Attacks Buffer Overflow Attack and related Background Knowledge Linux VirtualMemory Map Shellcode Egg: No-ops/shellcode/returnAddresses Countermeasures: StackGuard StackShield
More informationCS356: Discussion #8 Buffer-Overflow Attacks. Marco Paolieri
CS356: Discussion #8 Buffer-Overflow Attacks Marco Paolieri (paolieri@usc.edu) Previous Example #include void unreachable() { printf("impossible.\n"); void hello() { char buffer[6]; scanf("%s",
More informationMemory corruption countermeasures
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 30th January 2014 Outline Announcement Recap Containment and curtailment Stack tamper detection
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationBuffer Overflow Defenses
Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.
More informationLecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422
Lecture 04 Control Flow II Stehen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422 Function calls on 32-bit x86 Stack grows down (from high to low addresses)
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More information