Lab 2: Buffer Overflows

Similar documents
ISA 564, Laboratory I: Buffer Overflows

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

Buffer Overflow Vulnerability

1 Recommended Readings

Buffer Overflow Vulnerability Lab

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

2 Resources Required. 3 Assignment Tasks. 3.1 Initial setup

ENEE 757 Buffer Overflow Homework

Lab 6: OS Security for the Internet of Things

Lab 6: OS Security for the Internet of Things

CMSC 414 Computer and Network Security

Buffer Overflow Vulnerability Lab

Exercise 6: Buffer Overflow and return-into-libc Attacks

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

buffer overflow exploitation

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Università Ca Foscari Venezia

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Advanced Buffer Overflow

Is stack overflow still a problem?

Exploit Development. License. Contents. General notes about the labs. General notes about the labs. Preparation. Introduction to exploit development

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Buffer Overflow Attack

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

20: Exploits and Containment

Linux Fundamentals & Practice

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

CS155: Computer Security Spring Project #1. Due: Part 1: Thursday, April pm, Part 2: Monday, April pm.

CMPSC 497 Buffer Overflow Vulnerabilities

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CS Programming Languages Fall Homework #2

Shellbased Wargaming

CS155: Computer Security Spring Project #1

CSC 405 Computer Security Stack Canaries & ASLR

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Advanced Buffer Overflow

Homework 1 CS 642: Information Security

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

We will focus on Buffer overflow attacks SQL injections. See book for other examples

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Introduction. Overview and Getting Started. CS 161 Computer Security Lab 1 Buffer Overflows v.01 Due Date: September 17, 2012 by 11:59pm

CS 241 Honors Security

Basic Buffer Overflows

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CSE 565 Computer Security Fall 2018

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Lab 4: Metasploit Framework

CSE 509: Computer Security

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

Outline. Format string attack layout. Null pointer dereference

CSC 405 Computer Security Shellcode

Buffer Overflows Defending against arbitrary code insertion and execution

Project 4: Application Security

Assignment 4 Buffer Overflows

2. Exercises ASI Using the tools : objdump, gdb, ida,...

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Blossom Hands-on exercises for computer forensics and security. Buffer Overflow

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Buffer Overflow Attacks

Lab 2: Buffer Overflows

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

Offensive Security My First Buffer Overflow: Tutorial

Project #1: Buffer Overflows

CS 161 Computer Security

Buffer Overflow & Format Strings

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Software Security: Buffer Overflow Defenses

Smashing the Buffer. Miroslav Štampar

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Buffer Overflow. An Introduction

Software Security II: Memory Errors - Attacks & Defenses

I run a Linux server, so we re secure

Outline. Heap meta-data. Non-control data overwrite

Lecture 08 Control-flow Hijacking Defenses

Exploits and gdb. Tutorial 5

CS 161 Computer Security

Project 1 Notes and Demo

CS 33 (Week 4) Section 1G, Spring 2015 Professor Eggert (TA: Eric Kim) v1.0

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Secure Systems Engineering

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Buffer-Overflow Attacks on the Stack

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

ECS 153 Discussion Section. April 6, 2015

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Buffer Overflow Attack

Intro to Segmentation Fault Handling in Linux. By Khanh Ngo-Duy

CSCD 303 Fall Lecture 15 Buffer Overflows

Transcription:

Department of Computer Science: Cyber Security Practice Lab 2: Buffer Overflows Introduction In this lab, you will learn how buffer overflows and other memory vulnerabilities are used to takeover vulnerable programs. The goal is to investigate a program I provide and then figure out how to use it to gain shell access to systems. In 1996 Aleph One wrote the canonical paper on smashing the stack. You should read this as it gives a detailed description of how stack smashing works. Today, many compilers and operating systems have implemented security features, which stop the attacks described in the paper. However, it still provides very relevant background for newer attacks and (specifically) this lab assignment. Aleph One: Smashing the Stack for Fun and Profit: http://www1.telhai.ac.il/sources/private/academic/cs/557/2659/materials/smashing.pdf Another (long) description of Buffer Overflows is here: http://www.enderunix.org/docs/en/bof-eng.txt Software Requirements All required files and source code are packed in the provided Lab 2 virtual machine. - The VMWare Software - The Kali Linux, Penetration Testing Distribution - GDB: The GNU Project Debugger - GCC, the GNU Compiler Collection - C source file including BOF.c, createbadfile.c, and testshellcode.c Fengwei Zhang - CSC Couse: Cyber Security Practice 1

Starting the Virtual Machine The Kali Linux VM has all the required files. Select the VM named Lab2BufferOverflows for this lab. Login the Kali Linux with username root, and password [TBA in the class]. In the Kali Linux, you should be able to see a folder named Lab2-BufferOverflows. This file contains all of the source code for the lab 2. Fengwei Zhang - CSC Couse: Cyber Security Practice 2

Setting up the Environment There are many protections in current compilers and operating systems to stop stack attacks like the one we want to do. We have to disable some security options to allow the exploit to work (Note that the VM image you get has configured the environemnt). Disable Address Space Layout Randomization Address Space Layout Randomization (ASLR) is a security features used in most Operating system today. ASLR randomly arranges the address spaces of processes, including stack, heap, and libraries. It provides a mechanism for making the exploitation hard to success. You can configure ASLR in Linux using the /proc/sys/kernel/randomize_va_space interface. The following values are supported: 0 No randomization 1 Conservative randomization 2 Full randomization Disable ASLR, run: $ echo 0 > /proc/sys/kernel/randomize_va_space Enable ASLR, run: $ echo 2 > /proc/sys/kernel/randomize_va_space Note that you will need root privilege to configure the interface. Using vi to modify the interface may have errors. The screenshot below shows the value of /proc/sys/kernel/randomize_va_space However, this configuration will not survive after a reboot. You will have to configure this in sysctl. Add a file /etc/sysctl.d/01-disable-aslr.conf containing: kernel.randomize_va_space = 0 This will permanently disable ASLR. Fengwei Zhang - CSC Couse: Cyber Security Practice 3

The screenshot below shows you the ASLR configuration. You can open a and try it out. terminal Set compiler flags to disable security features When you compile the vulnerable program (explain in the next section) with gcc, use the following compiler flags to disable the security features. -z execstack Turn off the NX protection to make the stack executable -fno-stack-proector Remove StackGuard that detects stack smashing exploitations -g Enable the debugging symbols Fengwei Zhang - CSC Couse: Cyber Security Practice 4

Overview The goal of the exploitation is to teach you how buffer overflows work. You must gain a shell by passing a malicious input into a vulnerable program. The vulnerability takes as input a file named "badfile". Your job is to create a badfile that results in the vulnerable program producing a shell. Note that you also have a nop sled to make the vulnerability work even if your shellcode moves by a few bytes. In the Lab2- BufferOverflows folder, it contains the C files you need to use. The screenshot below shows that. BOF.c In BOF.c there is an un-bounded strcpy, which means anything that is not nullterminated will overwrite the buffer boundaries and (hopefully) put some information into the stack that you will design. Your exploit must work with my version of BOF.c (can't change it to make your code work). Fengwei Zhang - CSC Couse: Cyber Security Practice 5

To compile BOF.c, you need to add the compile flags mentioned. $ gcc g z execstack fno-stack-protector BOF.c o BOF Fengwei Zhang - CSC Couse: Cyber Security Practice 6

testshellcode.c This program simply lets you test shell code itself. There are a lot of different "shell codes" you can find or create, and this is a good way to see what they do, and if they'll work for you (on your operating system). The actual shellcode you are using is simply the assembly version of this C code: #include <stdio.h> int main( ) { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } Fengwei Zhang - CSC Couse: Cyber Security Practice 7

createbadfile.c This program writes out "badfile", however currently it is just full of nops (no ops). You need to modify it to place your shell code into it and cause the code to jump to the shellcode. The shellcode included already in badfile (as a char array) does work. You shouldn't need to modify it, but you're welcome to. To compile the testshellcode.c and createbadfile.c, you do not need to add the compile flags mentioned early. You can just simplely compile it with gcc Fengwei Zhang - CSC Couse: Cyber Security Practice 8

Starting the Exploitation There are really two challenges in the lab. To execute the shellcode you want to overwrite the return address in the bufferoverflow() function. You must make the return address of that function point to your shellcode. 1. You need to figure out what memory address the return address is stored in. 2. Then you need to figure out the address of your shellcode in memory, and write the shellcode's address into the return address you found in step 1. In the lab instruction, I will give you some hints for the step 1. Finding Return Address on the Stack In order to find the return address on stacks, we first use GDB, The GNU Project Debugger, to take a look at the assembly code. You can find more information about GDB from here: https://www.gnu.org/software/gdb/ Note that you can also use tool, objdump, to read the assembly code. $ gdb BOF Fengwei Zhang - CSC Couse: Cyber Security Practice 9

First, we disassemble the main() function of the BOF program. We find the bufferoverflow() function in the main() function (type disas main in the GDB). Then, we disassemble the bufferoverflow() function, which has a vulnerability in it. $ (gdb) disas main $ (gdb) disas bufferoverflow You need to understand the assembly code to find where the return address is on the stack. Next, type run in the GDB to execute the BOF program. $ (gdb) run As we expected, the BOF program generates an exception, segmentation fault. The Instruction Pointer (EIP) is 0x90909090. This is because we put NOP sleds on the badfile that overflows the buffer in the BOF program. Fengwei Zhang - CSC Couse: Cyber Security Practice 10

You also can see more register information by execute info register in the GDB $ (gdb) info register Note that you can always type help in the GDB to learn the commands. Fengwei Zhang - CSC Couse: Cyber Security Practice 11

Assignments for the Lab 2 A zip file containing: 1. Your updated createbadfile.c that generates the input for the BOF program 2. A copy of the badfile. This must gengerate a shell when BOF runs from the command line in the VM 3. A screenshot of using BOF program to gain a shell (see simple screenshot below) 4. A text file with answers to the following questions: a. What happens when you compile without -z execstack? b. What happens if you enable ASLR? Does the return address change? c. Does the address of the buffer[] in memory change when you run BOF using GDB, /home/root/desktop/lab2-bufferoverflows/bof, and./bof? Happy Exploiting! Fengwei Zhang - CSC Couse: Cyber Security Practice 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback