CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Similar documents
Buffer Overflows Defending against arbitrary code insertion and execution

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Program Exploitation Intro

CSC 2400: Computer Systems. Using the Stack for Function Calls

Practical Malware Analysis

CSC 2400: Computer Systems. Using the Stack for Function Calls

CSC 8400: Computer Systems. Using the Stack for Function Calls

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Buffer-Overflow Attacks on the Stack

Buffer-Overflow Attacks on the Stack

buffer overflow exploitation

Project 1 Notes and Demo

Buffer Overflow Attack

x86 assembly CS449 Fall 2017

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

Function Call Convention

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Lab 10: Introduction to x86 Assembly

Buffer Overflow Attack (AskCypert CLaaS)

CSC 2400: Computing Systems. X86 Assembly: Function Calls

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Offensive Security My First Buffer Overflow: Tutorial

Exercise 6: Buffer Overflow and return-into-libc Attacks

Stack overflow exploitation

Assembly Language: Function Calls

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

Assembly Language: Function Calls" Goals of this Lecture"

Intro x86 Part 3: Linux Tools & Analysis

ROP It Like It s Hot!

UMBC. contain new IP while 4th and 5th bytes contain CS. CALL BX and CALL [BX] versions also exist. contain displacement added to IP.

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls" Goals of this Lecture"

Computer Systems Lecture 9

CPS104 Recitation: Assembly Programming

CSE 565 Computer Security Fall 2018

Advanced Computer Networks Smashing the Stack for Fun and Profit

Exploits and gdb. Tutorial 5

GDB Tutorial. Young W. Lim Tue. Young W. Lim GDB Tutorial Tue 1 / 32

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Lab 2: Buffer Overflows

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Università Ca Foscari Venezia

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

GDB Tutorial. Young W. Lim Thr. Young W. Lim GDB Tutorial Thr 1 / 24

18-600: Recitation #3

Understanding Software Vulnerabilities: C, Debugging Assembly, and Buffer Overflows

Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

GDB Tutorial. Young W. Lim Fri. Young W. Lim GDB Tutorial Fri 1 / 24

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Machine Programming 1: Introduction

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Sistemi Operativi. Lez. 16 Elementi del linguaggio Assembler AT&T

Recitation: Attack Lab

Using the GNU Debugger

Systems I. Machine-Level Programming V: Procedures

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

Using the GNU Debugger

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

238P: Operating Systems. Lecture 3: Calling conventions. Anton Burtsev October, 2018

143A: Principles of Operating Systems. Lecture 5: Calling conventions. Anton Burtsev January, 2017

Biography. Background

X86 Stack Calling Function POV

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

From Over ow to Shell

Mechanisms for entering the system

The x86 Architecture

W4118: PC Hardware and x86. Junfeng Yang

CSE 361S Intro to Systems Software Lab Assignment #4

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

CSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

CMPSC 497 Buffer Overflow Vulnerabilities

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 7. Procedures and the Stack

Buffer Overflows Complete

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Computer Architecture and System Programming Laboratory. TA Session 3

CMSC 313 Lecture 12 [draft] How C functions pass parameters

CS642: Computer Security

CS 270 Systems Programming. Debugging Tools. CS 270: Systems Programming. Instructor: Raphael Finkel

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Chapter 7: User Defined Functions and Stack Mechanics

143A: Principles of Operating Systems. Lecture 4: Calling conventions. Anton Burtsev October, 2017

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

mith College Computer Science CSC231 Assembly Week #12 Thanksgiving 2017 Dominique Thiébaut

CS/COE 0449 term 2174 Lab 5: gdb

Transcription:

CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux

Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996) Link Ch 2a Buffer A limited, contiguously allocated set of memory In C, usually an array

C and C++ Lack Bounds-Checking It is the programmer's responsibility to ensure that array indices remain in the valid range #include <stdio.h> #include <string.h> int main() { int array[5] = {1, 2, 3, 4, 5}; } printf("%d\n", array[5]);

Using gdb (GNU Debugger) Compile with symbols gcc -g -o ch2a ch2a.c Run program in debugger gdb ch2a Show code, place breakpoint, run to it list break 7 run Examine the memory storing "array" x/10x &array

Reading Past End of Array

Reading Past End of Array array[5] = 0xb7fb63c4

Writing Past End of Array

Compile and Run, Crash

Debug Open in debugger gdb ch2b Run run Examine the memory storing "array" x/50x &array

Buffer Overflow Many RAM locations now contain 0xa But why, precisely, did that cause a crash?

Debug Examine registers info registers Examine assembly code near eip x/10i $eip-10

10 (0xa) is not in any register

Last Command Writes $0xa to RAM Evidently we went so far we exited the RAM allocated to the program

Intel v. AT&T Format gdb uses AT&T format by default, which is popular with Linux users mov source, destination Windows users more commonly use Intel format MOV DESTINATION, SOURCE

Jasmin Assembly Language Simulator

The Stack

LIFO (Last-In, First-Out) ESP (Extended Stack Pointer) register points to the top of the stack PUSH puts items on the stack push 1 push addr var

Stack POP takes items off the stack pop eax pop ebx

EBP (Extended Base Pointer) EBP is typically used for calculated addresses on the stack mov eax, [ebp+10h] Copies the data 16 bytes down the stack into the EAX register

Functions and the Stack

Purpose The stack's primary purpose is to make the use of functions more efficient When a function is called, these things occur: Calling routine stops processing its instructions Saves its current state Transfers control to the function Function processes its instructions Function exits State of the calling function is restored Calling routine's execution resumes

Example

Using gdb (GNU Debugger) Compile with symbols gcc -g -o ch2d ch2d.c Run program in debugger gdb ch2d Show code, place breakpoint, run to it list 1,12 break 9 break 11 break 4

Using gdb (GNU Debugger) Run to breakpoint after line 9 run Examine registers info reg Run to breakpoint after line 4 continue Examine registers info reg

In main() before calling function() esp 0xbffff460 ebp 0xbffff468 (start of stack frame) eip 0x8048414 <main+17>

In function() esp 0xbffff430 ebp 0xbffff450 (start of stack frame) eip 0x8048401 <function+6>

Examine the Stack x/12x $esp Highlight is function()'s stack frame Outlined area shows these items Return address Arguments of function(1,2) Next to the left is the original value of $ebp

Using gdb (GNU Debugger) Run to breakpoint after line 11 continue Examine registers info reg

In main() after calling function() esp 0xbffff460 ebp 0xbffff468 eip 0x8048420 <main+29>

Functions and the Stack Primary purpose of the stack To make functions more efficient When a function is called Push function's arguments onto the stack Call function, which pushes the return address RET onto the stack, which is the EIP at the time the function is called

Functions and the Stack Before function starts, a prolog executes, pushing EBP onto the stack It then copies ESP into EBP Calculates size of local variables Reserves that space on the stack, by subtracting the size from ESP Pushes local variables onto stack

Functions and the Stack #include <stdio.h> void function(int a, int b) { } int array[5]; main() { } function(1,2); printf("this is where the return address points\n");

<main+3> puts a's value, 1, onto the stack <main+5> puts b's value, 2, onto the stack <main+7> calls function, which implicitly pushes RET (EIP) onto the stack

Prolog Push EBP onto stack Move ESP into EBP Subtract 0x14 from stack to reserve space for array leave restores the original stack, same as mov esp, ebp pop ebp

Stack Buffer Overflow Vulnerability

Compile and Run

Disassemble return_input

At call to gets And at ret Set Breakpoints

Disassemble main Next instruction after the call to return_input is 0x08048453

Run Till First Breakpoint Highlighted values are the saved EBP and the RET address

Continue and Input 40 Characters 30 characters are stored correctly Next four overwrite stored EBP with 0x44444444 ('DDDD') Next four overwrite RET

Examine $eip, Step One Instruction x/1i means "Examine one instruction" stepi executes one machine language instruction

Observe Overwritten Registers ebp and eip are 0x44444444 = 'DDDD'

Stack Overflow

Controlling eip 0x44444444 is invalid and causes the program to halt We can put any valid memory address there However, at the point of the crash we have returned to main() so we should choose an instruction in main()

Call to return_input 0x0804844e stored backwards in a string "\x4e\x84\x04\x08"

Python Exploit Code sys.stdout.write doesn't put a space or linefeed at end

How to Debug with Arguments

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback