Part II Let s make it real

Size: px

Start display at page:

Download "Part II Let s make it real"

Angel McCoy
6 years ago
Views:

2 Part II Let s make it real

3 Memory Layout of a Process

4 In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x <+0>: push %ebp 0x <+1>: %esp,%ebp 0x b <+3>: call 0x <geturl> 0x <+8>: pop %ebp 0x <+9>: ret

5 In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x <+0>: push %ebp 0x <+1>: %esp,%ebp 0x b <+3>: call 0x <geturl> 0x <+8>: pop %ebp 0x <+9>: ret

6 In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x <+0>: push %ebp 0x <+1>: %esp,%ebp 0x b <+3>: call 0x <geturl> 0x <+8>: pop %ebp 0x <+9>: ret

7 In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x <+0>: push %ebp 0x <+1>: %esp,%ebp 0x b <+3>: call 0x <geturl> 0x <+8>: pop %ebp 0x <+9>: ret

8 Similarly The assembly code for geturl(): 0x <+0>: push %ebp 0x <+1>: %esp,%ebp 0x <+3>: sub $0x18,%esp 0x a <+6>: 0x804a014,%eax 0x f <+11>: l $0x40,0x8(%esp) 0x <+19>: lea -0xc(%ebp),%edx 0x a <+22>: %edx,0x4(%esp) 0x e <+26>: %eax,(%esp) 0x <+29>: call 0x <read@plt> 0x <+34>: leave 0x <+35>: ret

9 Similarly The assembly code for geturl(): 0x <+0>: push %ebp 0x <+1>: %esp,%ebp 0x <+3>: sub $0x18,%esp 0x a <+6>: 0x804a014,%eax 0x f <+11>: l $0x40,0x8(%esp) 0x <+19>: lea -0xc(%ebp),%edx 0x a <+22>: %edx,0x4(%esp) 0x e <+26>: %eax,(%esp) 0x <+29>: call 0x <read@plt> 0x <+34>: leave 0x <+35>: ret

10 geturl IE read stack So we have: geturl () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { geturl (); } old FP 64 (buf) fd 0x x x x ret pop call push ret leave call lea l sub push (code for read) %ebp 0x <geturl> %esp,%ebp %ebp 0x <read@plt> %eax,(%esp) %edx,0x4(%esp) -0xc(%ebp),%edx $0x40,0x8(%esp) 0x804a014,%eax $0x18,%esp %esp,%ebp %ebp

11 geturl IE read stack So we have: geturl () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { geturl (); } old FP 64 (buf) fd 0x x x x ret pop call push ret leave call lea l sub push (code for read) %ebp 0x <geturl> %esp,%ebp %ebp 0x <read@plt> %eax,(%esp) %edx,0x4(%esp) -0xc(%ebp),%edx $0x40,0x8(%esp) 0x804a014,%eax $0x18,%esp %esp,%ebp %ebp

12 geturl IE read stack What about the stack? geturl () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { geturl (); } old FP 64 (buf) fd 0x x x x ret pop call push ret leave call lea l sub push (code for read) %ebp 0x <geturl> %esp,%ebp %ebp 0x <read@plt> %eax,(%esp) %edx,0x4(%esp) -0xc(%ebp),%edx $0x40,0x8(%esp) 0x804a014,%eax $0x18,%esp %esp,%ebp %ebp

13 geturl IE read What about the stack? geturl () { char buf[40]; read(stdin,buf,64); get_webpage (buf); } IE () { geturl (); } 0xbfffeedc 0xbfffeed8 0xbfffeed4 0xbfffeed0 0xbfffeecc 0xbfffeec8 0xbfffeec4 0xbfffeec0 0xbfffeebc 0xbfffeeb8 0xbfffeeb4 0xbfffeeb0 0xbfffeeac 0xbfffeea8 0xbfffeea4 0xbfffeea0 0xbfffee9c 4 bytes 0x old FP 64 (buf) fd 0x x x x ret pop call push ret leave call lea l sub push (code for read) %ebp 0x <geturl> %esp,%ebp %ebp 0x <read@plt> %eax,(%esp) %edx,0x4(%esp) -0xc(%ebp),%edx $0x40,0x8(%esp) 0x804a014,%eax $0x18,%esp %esp,%ebp %ebp 0xbfffee98

14 And now the exploit

15 buf geturl () { char buf[10]; read(fd, buf, 64); get_webpage (buf); } IE () { geturl (); } Exploit 0xbfffeedc 0xbfffeed8 0xbfffeed4 0xbfffeed0 0xbfffeecc 0xbfffeec8 0xbfffeec4 0xbfffeec0 0xbfffeebc 0xbfffeeb8 0xbfffeeb4 0xbfffeeb0 0xbfffeeac 0xbfffeea8 0xbfffeea4 0xbfffeeb0 0x xbfffee98

16 That is it, really all we need to do is stick our program in the buffer Easy to do: attacker controls what goes in the buffer! and that program simply consists of a few instructions (not unlike what we saw before)

17 But sometimes We don t even need to change the return address Or execute any of our code Let s have a look at an example, where the buffer overflow changes only data

18 get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); } Exploit against non control data if (authorized) show_medical_info (name); else printf ( sorry, not allowed );

19 Exploit against non control data get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); } if (authorized) show_medical_info (name); else printf ( sorry, not allowed );

20 name Exploit against non-control data get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); authorized=t if (authorized) show_medical_info (name); else printf ( sorry, not allowed ); }

21 Other return targets also possible! This is what we did before

22 But other locations also possible If we start the program ourselves, we control the env

23 So all the attacker needs to do... is stick a program in the buffer or environment! Easy: attacker controls what goes in the buffer! What does such code look like?

24 Typical injection vector NOP sled shellcode address of shellcode Shellcode address: the address of the memory region that contains the shellcode Shellcode: a sequence of machine instructions to be executed (e.g. execve("/bin/sh")) NOP sled: a sequence of do-nothing instructions (nop). It is used to ease the exploitation: attacker can jump anywhere inside, and will eventually reach the shellcode (optional)

$How do you create the vector? 1. Create the shellcode 2. Prepend the NOP sled: perl -e 'print "\x90"' ndisasm -b 32 00000000 90 nop 3.$

25 How do you create the vector? 1. Create the shellcode 2. Prepend the NOP sled: perl -e 'print "\x90"' ndisasm -b nop 3. Add the address 0xbfffeeb0 setreuid execve C0 B DB 31 C9 1..F CD 80 EB 16 5B 31 C [ B C C..[..C B0 0B 8D 4B 08 8D 53 0C...K..S CD 80 E8 E5 FF FF FF 2F.../ E 2F E 41 bin/shna AAABBBB. why this?

26 In reality, things are more complicated unpacker encoded shellcode why do you think encoding is so frequently used? think strcpy(), etc.

27 In reality, things are more complicated unpacker encoded shellcode why do you think encoding is so frequently used? think strcpy(), etc. A: if strcpy() is used to overflow the buffer, it will stop when it encounters the null byte. So if the shellcode contains a null byte, the attacker has a problem. So the attacker may have to encode the shellcode to ree null bytes and then generate them dynamically

28 name Exploit against non control data get_medical_info() { boolean authorized = false; char name [10]; authorized = check(); read_from_network (name); authorized = F if (authorized) show_medical_info (name); else printf ( sorry, not allowed ); }

29 That is, fundamentally, it. Let us see whether we understood this.

30 Can you exploit this?

31 Can you exploit this? without comments w

Advanced Buffer Overflow

Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering