Slide 1: Smashing the Stack for Fun and Profit
Slide 2: Where the title comes from
Appeared in: Phrack Volume Seven, Issue Forty-Nine (Phrack 49)
By: Aleph One (Elias Levy)
Slide 3: Outline
- The stack
- Buffer overflows
- Shellcode
- Be aware of the inaccuracy
- Examples
Slide 4: The Stack
- Function parameters
- Prolog
- Stack frame (local variables)
- Epilog
Slide 5: The Stack
- Function parameters
- Prolog:                   CALL P
                            P: ENTER size, 0
- Stack frame (local variables)
- Epilog:                   LEAVE
                            RET n
Slide 6: The Stack - Prolog
Stack after (1) CALL P:        ESP points at the pushed Return Addr
Stack after (2) ENTER size, 0: the Dyn. Link sits on top of the Return Addr, and ESP has been lowered by size to make room for the locals
(1) CALL P:          Push( EIP ); EIP = Addr( P )
(2) ENTER size, 0:   Push( EBP ); EBP = ESP; ESP = ESP - size
Slide 7: The Stack - Epilog
Stack before (1) LEAVE: ESP is somewhere in the local area, EBP points at the Dyn. Link, the Return Addr sits above it
Stack after (1) LEAVE:  locals and Dyn. Link are discarded, ESP points at the Return Addr
Stack after (2) RET n:  the Return Addr has been popped into EIP and ESP raised by n (the parameters are discarded)
(1) LEAVE:   ESP = EBP; POP( EBP )
(2) RET n:   POP( EIP ); ESP = ESP + n
Slide 8: The Stack (note: today this is not always true)

    #include <stdio.h>
    #include <stdlib.h>

    int main( void ) {
        int x;
        x = foo( 6, 9 );
        printf( "The answer is: %d\n", x );
        return 0;
    }

    int foo( int a, int b ) {
        char bar[5];
        int c = a * b;
        itoa( c, bar, 13 );     /* non-standard function: c written in base 13 (54 is "42") */
        return atoi( bar );
    }

Stack while foo runs (top to bottom, offsets as on the slide):
    x                   -00
    Param2 (int 9)      -04
    Param1 (int 6)      -08
    Return Address      -0C
    Dynamic Link        -10
    bar [4..]           -00   (foo's frame)
    bar [0..3]          -04
    c                   -08
Slide 9: The Stack
Same code as slide 8 (main calling foo( 6, 9 )), but with foo's locals laid out differently:
    x                   -00
    Param2 (int 9)      -04
    Param1 (int 6)      -08
    Return Address      -0C
    Dynamic Link        -10
    c                   -00   (foo's frame)
    bar [1..4]          -04
    bar [0]             -08
Slide 10: The Stack - Changing the return address

    #include <stdio.h>

    int main( void ) {
        int x = 0;
        foo( );
        if (x) {
            printf( "Unreachable code\n" );
        }
        return 0;
    }

    void foo( void ) {
        char bar[4];
        int *ret = (int *)(bar + 12);   /* 12 bytes above bar: the slot holding foo's return address */
        (*ret) += 6;                    /* move the return address 6 bytes on, past the if (x) test */
    }

Stack while foo runs (top to bottom, offsets as on the slide):
    x                   -00
    Return Address      -04
    Dynamic Link        -08   (base of foo's frame)
    *ret                -04   (foo's frame)
    bar [0..3]          -08
Slide 11: Buffer Overflows
"A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data." (Wikipedia, April 2007)

Stack picture (top to bottom):
    Return Address      -00
    Dynamic Link        -04
    bar [0..3]          -08
Slide 12: Shellcode
"A shellcode is a relocatable piece of machine code used as the payload in the exploitation of a software bug which typically allows an unauthorised user to communicate with the computer via the operating system's command line as a result of exploiting a vulnerability in software running on the machine. Normally stored as a null terminated string, it usually cannot contain null characters." (Wikipedia, April 2007)

    #include <stdlib.h>
    #include <unistd.h>

    int main( void ) {
        char *callee = "/bin/bash", **parameters = NULL;
        execve( callee, parameters, NULL );   /* replaces this process image with the shell */
        exit( 0 );
    }
Slide 13: Things to take into account
Stack picture (top to bottom): Return Address, prev. Dynamic Link, bar [4..7], bar [0..3]
- Position of the buffer: absolute, and relative to the return address
- Position of the callee string
- Amount of memory
- 0-terminating char arrays
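The frame model of slides 6, 7 and 13 (local buffer below the dynamic link, return address one word above it) can be checked on a live binary. The following C program is an added example, not from the slides: it reads the word above the frame pointer, compares it with the compiler's own notion of the return address, and measures how far the local buffer lies below that slot. The names `frame_layout`, `inspect_frame` and `bar` are chosen here; it assumes a frame-pointer layout of the ENTER/LEAVE kind (x86-64 or AArch64 with gcc or clang).

```c
#include <stdint.h>
#include <stdio.h>

/* Result of inspecting one stack frame (struct name chosen for this example). */
struct frame_layout {
    int       model_holds;       /* 1 if the word above the dynamic link is the return address */
    uintptr_t buffer_to_retaddr; /* bytes from bar[0] up to the return-address slot */
};

/* Inspect the frame of this very function. noinline keeps it a real frame
 * with its own prolog and epilog, as on slides 6 and 7. */
__attribute__((noinline)) struct frame_layout inspect_frame(void)
{
    char bar[4] = "abc";          /* the local buffer of slide 10 */
    struct frame_layout r;

    /* Dynamic link: the frame pointer points at the saved caller frame pointer.
     * The return address is the next word up, at dynamic link + one pointer. */
    char  *dyn_link     = (char *)__builtin_frame_address(0);
    void **retaddr_slot = (void **)(dyn_link + sizeof(void *));

    /* Does that slot hold what the compiler reports as our return address? */
    r.model_holds = (*retaddr_slot == __builtin_return_address(0));

    /* Slide 13: position of the buffer relative to the return address. */
    r.buffer_to_retaddr = (uintptr_t)retaddr_slot - (uintptr_t)bar;
    return r;
}

int main(void)
{
    struct frame_layout r = inspect_frame();
    printf("return address found one word above the dynamic link: %s\n",
           r.model_holds ? "yes" : "no");
    printf("bar[0] lies %lu bytes below the return-address slot\n",
           (unsigned long)r.buffer_to_retaddr);
    return r.model_holds ? 0 : 1;
}
```

If the measured distance is larger than the slide-8 picture predicts, the compiler has placed a guard value or padding between bar and the dynamic link, which is the kind of gap slide 8 warns about with "today this is not always true".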
Slide 14: Things to take into account (layout of the injected data)

    offset  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    row 0   90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
    row 1   JJ JJ SC SC SC SC SC SC SC SC SC SC SC SC SC SC
    row 2   SC CC CC 2F 62 69 6E 2F 62 61 73 68 ?? ?? ?? ??
                     /  b  i  n  /  b  a  s  h

(90 is the x86 NOP opcode; JJ, SC and CC are the slide's labels for the jump, shellcode and call bytes; the last four bytes are left unspecified on the slide.)
Slide 15: References
[Levy, 1996] E. Levy (1996). Smashing the stack for fun and profit. Phrack Magazine 7(49), file 0x0D.
[Heffner, 2007] C. J. Heffner (2007). Smashing the modern stack for fun and profit. URL: http://www.craigheffner.com/security/stacksmash.html
[Mössenböck, 2006] H. P. Mössenböck (2006). Fortgeschrittene Techniken des Übersetzerbaues. Course notes, Institut für Systemsoftware, JKU, Linz.
[Wikipedia, 2007a] Wikimedia Foundation Inc. (2007). Buffer Overflow. Wikipedia, April 2007. URL: http://en.wikipedia.org/wiki/buffer_overflow
[Wikipedia, 2007b] Wikimedia Foundation Inc. (2007). Shellcode. Wikipedia, April 2007. URL: http://en.wikipedia.org/wiki/shellcode
Slide 16: Exam questions
(1) Give the structure of a buffer overflow (cf. slide 14).
(2) Explain the JMP/CALL technique (cf. [Levy, 1996], lines 652-677).