Buffer Overflow Attack

Transcription

1 Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By

2 Abstract Buffer overflow. buffer overflow. buffer overflow.. buffer overflow. buffer overflow. Buffer overflow,,. IA32 (32-bit Intel Architecture), buffer overflow. overflow. return address,, Return into libc buffer overflow.

3 Contents Memory Architecture CPU Segment? simple.c step step step step step step step step Buffer overflow byte order shell code buffer overlow Return into Libc

4 1. Buffer Overflow. Buffer overflow.. Buffer overflow. Buffer overflow Memory Architecture High address Available Space Kernel Low address

5 < 2> (multi-tasking). segment. segment. segment < 2>. code segment, data segment, stack segment. 16,383 segment. segment 2 32 byte. code segment instruction.. instruction,. segment.

6 segment logical address. Logical address (physical address). segment segment selector (offset) (logical address). physical address offset + logical address. < 3> segment 0x code segment instruction IS 1 0x logical address instruction segment offset 0x segment 0x x segment segment selector segment offset instruction. data segment.. data segment. data segment data segment data structure,,,. stack segment handler, task, program stack segment. multiple switch..

7 stack pointer(sp). PUSH POP instruction... (PUSH). (PUSH).. (POP). PUSH POP CPU segment. CPU CPU. (Instruction set). CPU CPU. (register). < 4>. (General-Purpose register), (segment register), (Program status and control register), (instruction pointer).,,,. code segment, data segment, stack segment.. (instruction).

8 < 4. > < 5. >. 4 32bit. 16bit AX, BX, CX, DX.. 32bit E(Extended) EAX, EBX, ECX, EDX... AX AH AL. EAX, EBX, ECX, EDX

9 ... EAX EBX DS segment ECX EDX I/O ESI DS data segment. source. EDI ES data segment. destination. ESP SS stack segment EBP SS < 6. > < 6>. CS code segment, DS, ES, FS, GS data segment, SS stack segment. segment,. < 7>.

10 < 7. >,,. 0x , 3, 5, 15, 22~31. < 8>. < 8. >

11 . Status flags CF carry flag. carry borrow 1. Carry borrow bit bound. PF Parity flag AF Adjust flag. carry borrow 3bit 1. ZF Zero flag. zero. If set. SF Sign flag.. Signed 0, 1. OF Overflow flag. 1. DF Direction flag. 1 instruction ( high address low address ), 0. System flags IF Interrupt enable flag. mask interrupt 1. TF Trap flag. single-step 1. IOPL I/O privilege level field. task. CPL I/O address I/O privilege level. NT Nested task flag. Interrupt chain. 1 task task. RF Resume flag. Exception debug. VM Virtual-8086 mode flag. Virtual AC Alignment check flag. CR0 AM set alignment checking. VIF Virtual interrupt flag. IF flag. VIP flag. VIP Virtual interrupt pending flag. pending( ). ID Identification flag. CPUID instruction CPU. Instruction Pointer Instruction pointer code segment offset

12 .. JMP, Jcc, CALL, RET IRET instruction. EIP control-transfer instruction (JMP, Jcc, CALL, RET) interrupt exception. EIP CALL instruction (procedure stack) instruction address. return instruction pointer return instruction(ret, IRET) EIP CPU. buffer overflow padding return address assembly OK. buffer. 4. Segment?.. void function(int a, int b, int c){ char buffer1[15]; char buffer2[10]; } void main(){ } function(1, 2, 3); < 9. simple.c>.. < 9> C. $gcc S o simple.asm simple.c

13 -S..,... simple.asm.. bof]$ cat simple.asm.file "simple.c".text.globl function.type function: pushl %ebp movl %esp, %ebp subl $40, %esp leave ret.lfe1:.size function,.lfe1-function.globl main.type main: pushl %ebp movl %esp, %ebp subl $8, %esp andl $-16, %esp movl $0, %eax subl %eax, %esp subl $4, %esp pushl $3 pushl $2 pushl $1 call function addl $16, %esp leave

14 ret.lfe2:.size main,.lfe2-main.ident "GCC: (GNU) (Hancom Linux 3.2.3)" bof]$ < 10. gcc simple.asm> 3.0. gcc. gcc Red Hat Fedora core 3 gcc [dalgona@testbed bof]$ cat simple.asm.file "simple.c".text.globl function.type pushl %ebp movl %esp, %ebp subl $40, %esp leave ret.size tion,.-tion.globl main.type main: pushl %ebp movl %esp, %ebp subl $8, %esp andl $-16, %esp movl $0, %eax addl $15, %eax addl $15, %eax shrl $4, %eax sall $4, %eax subl %eax, %esp subl $4, %esp

15 pushl $3 pushl $2 pushl $1 call function addl $16, %esp leave ret.size "GCC: (GNU) (Red Hat fc3)" bof]$ < 11. gcc simple.asm>. gcc < 10>. gcc simple.c gdb logical address. bof]$ gcc -o simple simple.c simple.c: In function `main': simple.c:6: warning: return type of `main' is not `int' bof]$ gdb simple GNU gdb Red Hat Linux ( ) Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"... (gdb) disas main Dump of assembler code for function main: 0x80482fc <main>: push %ebp 0x80482fd <main+1>: mov %esp,%ebp

16 0x80482ff <main+3>: sub $0x8,%esp 0x <main+6>: and $0xfffffff0,%esp 0x <main+9>: mov $0x0,%eax 0x804830a <main+14>: sub %eax,%esp 0x804830c <main+16>: sub $0x4,%esp 0x804830f <main+19>: push $0x3 0x <main+21>: push $0x2 0x <main+23>: push $0x1 0x <main+25>: call 0x80482f4 <function> 0x804831a <main+30>: add $0x10,%esp 0x804831d <main+33>: leave 0x804831e <main+34>: ret 0x804831f <main+35>: nop End of assembler dump. (gdb) disas function Dump of assembler code for function function: 0x80482f4 <function>: push %ebp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f7 <function+3>: sub $0x28,%esp 0x80482fa <function+6>: leave 0x80482fb <function+7>: ret End of assembler dump. (gdb) < 12. gcc gdb disassemble >. logical address. function() main(). segment < 13>. < 13> segment. segment.. segment logical address 0x stack segment 0xBFFFFFFF. simple.c

17 data segment. EIP, CPU main(). main() 0x80482fc.. ESP gdb. (gdb) break *0x80482fc Breakpoint 1 at 0x80482fc (gdb) r Starting program: /home/dalgona/work/bof/simple Breakpoint 1, 0x080482fc in main () (gdb) info register esp esp 0xbffffa7c 0xbffffa7c

18 Stack Segment, argc, argv pointer 0xBFFFFFFF Data Segment Code Segment 0x804831f <main+35>: nop 0x804831e <main+34>: ret 0x804831d <main+33>: leave 0x804831a <main+30>: add $0x10,%esp 0x <main+25>: call 0x80482f4 0x <main+23>: push $0x1 0x <main+21>: push $0x2 0x804830f <main+19>: push $0x3 0x804830c <main+16>: sub $0x4,%esp 0x804830a <main+14>: sub %eax,%esp 0x <main+9>: mov $0x0,%eax 0x <main+6>: and $0xfffffff0,%esp 0x80482ff <main+3>: sub $0x8,%esp 0x80482fd <main+1>: mov %esp,%ebp 0x80482fc <main>: push %ebp 0x80482fb <function+7>: ret 0x80482fa <function+6>: leave 0x80482f7 <function+3>: sub $0x28,%esp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f4 <function>: push %ebp < 13. simple.c segment > 0x

19 <Step 1> 0x804831f <main+35>: nop 0x804831e <main+34>: ret 0x804831d <main+33>: leave 0x804831a <main+30>: add $0x10,%esp 0x <main+25>: call 0x80482f4 0x <main+23>: push $0x1 0x <main+21>: push $0x2 0x804830f <main+19>: push $0x3 0x804830c <main+16>: sub $0x4,%esp 0x804830a <main+14>: sub %eax,%esp 0x <main+9>: mov $0x0,%eax 0x <main+6>: and $0xfffffff0,%esp 0x80482ff <main+3>: sub $0x8,%esp 0x80482fd <main+1>: mov %esp,%ebp 0x80482fc <main>: push %ebp 0x80482fb <function+7>: ret 0x80482fa <function+6>: leave 0x80482f7 <function+3>: sub $0x28,%esp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f4 <function>: push %ebp ESP 0xbffffa7c.. EIP main(). ESP. ESP PUSH POP PUSH, POP. PUSH ESP ESP system architecture. POP ESP ESP ebp. base pointer. stack pointer base pointer. EIP

20 <Step 2> base pointer EBP ESP 0xbffffa78 push %ebp base pointer stack pointer 4 0xbffffa78. 0x804831f <main+35>: nop 0x804831e <main+34>: ret 0x804831d <main+33>: leave 0x804831a <main+30>: add $0x10,%esp 0x <main+25>: call 0x80482f4 0x <main+23>: push $0x1 0x <main+21>: push $0x2 0x804830f <main+19>: push $0x3 0x804830c <main+16>: sub $0x4,%esp 0x804830a <main+14>: sub %eax,%esp 0x <main+9>: mov $0x0,%eax 0x <main+6>: and $0xfffffff0,%esp 0x80482ff <main+3>: sub $0x8,%esp 0x80482fd <main+1>: mov %esp,%ebp 0x80482fc <main>: push %ebp 0x80482fb <function+7>: ret 0x80482fa <function+6>: leave 0x80482f7 <function+3>: sub $0x28,%esp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f4 <function>: push %ebp 0xbffffa70.. EIP mov %esp, %ebp ESP EBP. base pointer stack pointer. sub $0x8, %esp ESP 8. ESP ESP and $0xfffffff0, %esp ESP AND. ESP 4bit 0.. mov $0x0, %eax EAX 0 sub %eax, %esp ESP EAX. stack pointer EAX

21 0. sub $0x4, %esp 4. ESP 0xbffffa6c.

22 <Step 3> base pointer EBP 0xbffffa78 ESP 0xbffffa6c. ESP 12. 0x804831f <main+35>: nop 0x804831e <main+34>: ret 0x804831d <main+33>: leave 0x804831a <main+30>: add $0x10,%esp 0x <main+25>: call 0x80482f4 0x <main+23>: push $0x1 0x <main+21>: push $0x2 0x804830f <main+19>: push $0x3 0x804830c <main+16>: sub $0x4,%esp 0x804830a <main+14>: sub %eax,%esp 0x <main+9>: mov $0x0,%eax 0x <main+6>: and $0xfffffff0,%esp 0x80482ff <main+3>: sub $0x8,%esp 0x80482fd <main+1>: mov %esp,%ebp 0x80482fc <main>: push %ebp 0x80482fb <function+7>: ret 0x80482fa <function+6>: leave 0x80482f7 <function+3>: sub $0x28,%esp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f4 <function>: push %ebp EIP push $0x03 push $0x02 push $0x01. function(1, 2, 3) 1, 2, 3. 3, 2, 1. < 13> argc, argv function(). call 0x80482f4 0x80482f4. 0x80482f4 function. call EIP. add $0x10, %esp. POP. buffer overflow return address. EIP function 0x80482f4.

23 <Step 4> base pointer x804831a EBP 0xbffffa78 ESP 0xbffffa5c EIP function() main(). 0x804831f <main+35>: nop 0x804831e <main+34>: ret 0x804831d <main+33>: leave 0x804831a <main+30>: add $0x10,%esp 0x <main+25>: call 0x80482f4 0x <main+23>: push $0x1 0x <main+21>: push $0x2 0x804830f <main+19>: push $0x3 0x804830c <main+16>: sub $0x4,%esp 0x804830a <main+14>: sub %eax,%esp 0x <main+9>: mov $0x0,%eax 0x <main+6>: and $0xfffffff0,%esp 0x80482ff <main+3>: sub $0x8,%esp 0x80482fd <main+1>: mov %esp,%ebp 0x80482fc <main>: push %ebp 0x80482fb <function+7>: ret 0x80482fa <function+6>: leave 0x80482f7 <function+3>: sub $0x28,%esp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f4 <function>: push %ebp EIP push %ebp mov %esp, %ebp function(). main() base pointer stack pointer function() base pointer.

24 <Step 5> base pointer function() 0x804831f <main+35>: nop 0x804831e <main+34>: ret 0x804831d <main+33>: leave 0x804831a <main+30>: add $0x10,%esp 0x <main+25>: call 0x80482f4 0x <main+23>: push $0x1 0x <main+21>: push $0x2 0x804830f <main+19>: push $0x3 0x804830c <main+16>: sub $0x4,%esp 0x804830a <main+14>: sub %eax,%esp 0x <main+9>: mov $0x0,%eax 0x <main+6>: and $0xfffffff0,%esp 0x80482ff <main+3>: sub $0x8,%esp 0x80482fd <main+1>: mov %esp,%ebp 0x80482fc <main>: push %ebp 0x80482fb <function+7>: ret 0x80482fa <function+6>: leave 0x80482f7 <function+3>: sub $0x28,%esp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f4 <function>: push %ebp sub $0x28, %esp simple.c function() buffer1[15] buffer2[10] buffer1[15] 15 word (4byte) 16 buffer2[10] gcc. gcc 2.96 word 28 gcc word 9 4 word. 8 dummy.. buffer1[15] 16 buffer2[10] dummy dummy x804831a 0xbffffa78 EBP ESP 0xbffffa58 EIP function function() base pointer return address. < 13> main argc, argv.? < 13>?

25 <Step 6> base pointer x804831a 0xbffffa78 0x804831f <main+35>: nop 0x804831e <main+34>: ret 0x804831d <main+33>: leave 0x804831a <main+30>: add $0x10,%esp 0x <main+25>: call 0x80482f4 0x <main+23>: push $0x1 0x <main+21>: push $0x2 0x804830f <main+19>: push $0x3 0x804830c <main+16>: sub $0x4,%esp 0x804830a <main+14>: sub %eax,%esp 0x <main+9>: mov $0x0,%eax 0x <main+6>: and $0xfffffff0,%esp 0x80482ff <main+3>: sub $0x8,%esp 0x80482fd <main+1>: mov %esp,%ebp 0x80482fc <main>: push %ebp 0x80482fb <function+7>: ret 0x80482fa <function+6>: leave 0x80482f7 <function+3>: sub $0x28,%esp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f4 <function>: push %ebp EBP 0xbffffa58 ESP 0xbffffa30 EIP. mov $0x41, [$esp -4] mov $0x42, [$esp-8] ESP. simple.c.. < 14>.

26 <Step 7> base pointer x804831a EBP 0xbffffa78 ESP 0xbffffa5c leave instruction. leave instruction. push %ebp mov %esp, %ebp. 0x804831f <main+35>: nop 0x804831e <main+34>: ret 0x804831d <main+33>: leave 0x804831a <main+30>: add $0x10,%esp 0x <main+25>: call 0x80482f4 0x <main+23>: push $0x1 0x <main+21>: push $0x2 0x804830f <main+19>: push $0x3 0x804830c <main+16>: sub $0x4,%esp 0x804830a <main+14>: sub %eax,%esp 0x <main+9>: mov $0x0,%eax 0x <main+6>: and $0xfffffff0,%esp 0x80482ff <main+3>: sub $0x8,%esp 0x80482fd <main+1>: mov %esp,%ebp 0x80482fc <main>: push %ebp 0x80482fb <function+7>: ret 0x80482fa <function+6>: leave 0x80482f7 <function+3>: sub $0x28,%esp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f4 <function>: push %ebp EIP mov %ebp, %esp pop %ebp. leave instruction. stack pointer base pointer function() PUSH, main() base pointer. POP stack pointer 1 word. stack pointer return address. ret instruction return. EIP return address POP. pop %eip EIP.

27 <Step 8> base pointer EBP 0xbffffa78 ESP 0xbffffa60 ret return address POP EIP stack pointer 1 word. 0x804831f <main+35>: nop 0x804831e <main+34>: ret 0x804831d <main+33>: leave 0x804831a <main+30>: add $0x10,%esp 0x <main+25>: call 0x80482f4 0x <main+23>: push $0x1 0x <main+21>: push $0x2 0x804830f <main+19>: push $0x3 0x804830c <main+16>: sub $0x4,%esp 0x804830a <main+14>: sub %eax,%esp 0x <main+9>: mov $0x0,%eax 0x <main+6>: and $0xfffffff0,%esp 0x80482ff <main+3>: sub $0x8,%esp 0x80482fd <main+1>: mov %esp,%ebp 0x80482fc <main>: push %ebp 0x80482fb <function+7>: ret 0x80482fa <function+6>: leave 0x80482f7 <function+3>: sub $0x28,%esp 0x80482f5 <function+1>: mov %esp,%ebp 0x80482f4 <function>: push %ebp. EIP add $0x10, %esp 16. stack pointer 0x804830c. leave ret main() main(). init_process().

28 5. Buffer overflow (buffer).... malloc() (free() ). buffer overflow. buffer overflow buffer overflow. < 14> ~44? base pointer. 45~48 return address 48 return address. return address. return address base pointer. base pointer EIP. buffer overflow return address EIP.,. return address return address. < 14> simple.c. function() buffer1[15] buffer2[10] 40. function().. strcpy(buffer2, receive_from_client);

29 client buffer2 buffer1. strncpy() strcpy receive_from_client NULL(\0). < 14> 45~48 return address. < 15> ( ). receive_from_client. < 15>. strcpy receive_from_client buffer2 < 14> < 15>.

30 base pointer main() base pointer stack (12 byte) x804831a 0xbffffa78 function() main() return address main() base pointer stack (40 byte) ESP (40byte) main() base pointer return address (24byte) E6B0C03 59FFE374 AC357D61 C0E39BCA CEA631F7 C9AD10CC6A2 < 16. > strcpy < 17>.

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63 , argc, argv ebp,esp : 0xbffffa88 EGG 0xbffffa85 argc, argv ebp,esp : 0xbffff288

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85