Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

Similar documents
Buffer Overflows Defending against arbitrary code insertion and execution

Buffer Overflow Attack (AskCypert CLaaS)

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Buffer-Overflow Attacks on the Stack

Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Buffer-Overflow Attacks on the Stack

Buffer Overflow Attacks

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CSE 361S Intro to Systems Software Lab Assignment #4

Computer Systems Lecture 9

N e xt G e n e ra tio n S e c u rity S o f t w a r e Lt d. Blind Exploitation of Stack Overflow

CS 161 Computer Security

Analysis of Buffer Overflow Attacks

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

CS 161 Computer Security

Università Ca Foscari Venezia

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Assembly Language: Function Calls

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

System Security Class Notes 09/23/2013

CVE EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Assembly Language: Function Calls" Goals of this Lecture"

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls" Goals of this Lecture"

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

20: Exploits and Containment

Exploiting Windows NT 4 Buffer Overruns

Q: Exploit Hardening Made Easy

Is stack overflow still a problem?

buffer overflow exploitation

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Practical Malware Analysis

Chapter 7: User Defined Functions and Stack Mechanics

Shellcode Analysis. Chapter 19

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

CS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE

Stack overflow exploitation

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Lecture 4 September Required reading materials for this class

Program Exploitation Intro

Advanced Buffer Overflow

Lecture 08 Control-flow Hijacking Defenses

CSC 2400: Computer Systems. Using the Stack for Function Calls

Buffer Overflows Complete

Sample slides and handout

Buffer Overflow & Format Strings

CSC 8400: Computer Systems. Using the Stack for Function Calls

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Offensive Security My First Buffer Overflow: Tutorial

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Function Call Convention

CSC 2400: Computer Systems. Using the Stack for Function Calls

UW CSE 351, Winter 2013 Midterm Exam

MWR InfoSecurity Security Advisory. Intersystems Caché CSP (Caché Server Pages) Stack Overflow. 17 th December 2009

The cross-page overwrite and it s application in heap overflows. By Greg Hoglund 2003 HBGary, LLC

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

18-600: Recitation #4 Exploits

Islamic University Gaza Engineering Faculty Department of Computer Engineering ECOM 2125: Assembly Language LAB. Lab # 10. Advanced Procedures

United States Naval Academy Electrical and Computer Engineering Department EC312-6 Week Midterm Spring 2016

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Subprograms, Subroutines, and Functions

War Industries Presents: An Introduction to Programming for Hackers Part III - Advanced Variables & Flow Control.

Sungkyunkwan University

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

CSCI 334: Principles of Programming Languages. Computer Architecture (a really really fast introduction) Lecture 11: Control Structures II

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

CSE 509: Computer Security

Advanced Buffer Overflow

Machine and Assembly Language Principles

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

ROP It Like It s Hot!

MSRPC Heap Overflow Part II

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Bypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.

Memory Safety (cont d) Software Security

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

CS61 Section Solutions 3

Return-orientated Programming

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Autodesk AutoCAD DWG-AC1021 Heap Corruption

CSE 565 Computer Security Fall 2018

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Exploits and gdb. Tutorial 5

Lab 8 The Stack (LIFO) Structure

Transcription:

A NGSSoftware Insight Security Research Publication Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/20/XP David Litchfield (david@ngssoftware.com) 5 th March 22 www.ngssoftware.com 1

Contents Introduction What is a buffer overrun? How does the stack-based overflow differ from the non-stack based overflow? Calling functions under normal operation Considerations for exploitation Examples Conclusion Introduction Most buffer overflow exploits for Windows have relied on getting code on the stack and somehow jumping process execution to there, but as more products arrive in the market to prevent such attacks from succeeding the non-stack based overflow exploit will become more and more common. This document will describe what they are and how to write one. As will be seen they are easy to write, more so than traditional stack based overflows and as they only require only an understanding of how functions are called at a low level. The non-stack based buffer overflow exploit writer doesn't even need to know assembly language. What is a buffer overrun? A buffer overrun is where too much data is stuffed into a buffer in memory. If this buffer is too small to hold all of this data then the buffer overflows and critical information that controls the path of a program's execution is overwritten. An attacker can fill this buffer with their own computer code and cause the program to start executing this code rather than the code it was supposed to execute. Many good documents have been written on traditional buffer overflows - if the reader doesn't fully know or understand what a buffer overrun vulnerability is then the author suggests reading some of these before continuing here. How does the stack-based overflow differ from the non-stack based overflow? With a stack based overflow computer code is stuffed into the buffer and after control of the process' execution has been gain the processor is directed to this code located on the stack. This code is machine code, the numerical representation of assembly language. A non-stack based exploit on the other hand doesn't require any code to be written. Like a stack based overflow, it requires that the saved return address on the stack is overwritten but rather than pointing the processor to an instruction that will jump back into the buffer the saved return address is overwritten with the address of a function such as WinExec() or system (). On overflow, the stack is modified in such a way that it appears to the function that will eventually be executed that it has been called normally. This requires that the parameters used by the function will be left on the stack for later use. Generally the non-stack based overflow will be considerably smaller than its stack based cousin as often the part of the buffer that precedes the section used to overwrite the saved return address is munged or removed. This leaves only buffer after this section. This is where a stack based exploit will place its code that may be hundreds of bytes in length whereas a non-stack based exploit requires only a few bytes. The non-stack based buffer overflow exploit models the way functions are passed parameters and are called to be successful. 2

Calling functions under normal operation When a C function is called any parameters it requires are passed to it via the stack. These parameters are said to be PUSHed onto the stack and this is done before the process calls the function. Consider the following snippet of C source code... WinExec(command,SW_HIDE);.. This translates to the following assembly code mov eax, 0 push eax lea eax, [ebp-8] push eax call WinExec // Move into the eax register SW_HIDE // push this onto the stack // load the effective address of the command into eax // push this onto the stack // call the function As can be seen parameters are pushed onto the stack in reverse. An idealized picture of the stack just before the call operation is execute would appear as -ESP 80 FF Pointer to command to run 12 - SW_HIDE - When the call operation is executed several actions happen. The contents of the Instruction Pointer (EIP) register is changed to that of the address of the procedure being called and the address following the call instruction is pushed onto the stack. Assuming the call instruction was found at address 0x401020 then 0x401022 will be pushed onto the stack. Consequently the ESP is decremented by 4. This address is now the saved return address and is used to keep track of the process' execution. When the called procedure returns this address is peeled off of the stack and is placed in the EIP. Execution continues from there. This now presents a picture of -ESP 22 10 Saved Return Address 40 3

- 80 FF Pointer to command to run 12 - SW_HIDE - This is what the stack looks like to the WinExec() function. In terms of writing an non-stack based exploit this is what needs to be replicated. Considerations for exploitation On overflowing the buffer a successful exploit must first overwrite the saved return address with the address of the function the attacker wishes to call. This paper will use WinExec() as an example. Further, the stack needs to be left in a useable state for WinExec(). This requires creating a dummy saved return address after the real saved return address and a pointer to the command to be run. WinExec() will quite happily accept any DWORD value for the SW_* parameter so it is possible just to let it use whatever was on the stack in the first place. This negates the need to place an SW_* parameter onto the stack and also solves the problem that may occur if the pointer to the command to run has a NULL in it. If there is then it wouldn't be possible to place this parameter onto the stack, anyway, so this proves useful. All that is required then is a NULL terminated string of the command to run somewhere in memory. This may present some problems as the string used to overflow the buffer will have to be in this format: +... command+padding+saved_return_address+dummy_saved_return_address+parameters As it is in this format the extra padding, return addresses and parameters may cause the command to be run to fail. The way to work around this problem is to run the command in a cmd shell and separate the command and the padding plus extras with an ampersand. cmd /c command & +padding+saved_return_address+dummy_saved_return_address+parameters+... This way the extra is treated as a second command and has no bearing on the successful execution of the first command. 4

Examples Consider the following C source code for a program called overrun.exe #include <stdio.h> int main () { char buffer[256]=""; FILE *fd=null; } fd = fopen("file.txt","rb"); if(fd == NULL) return printf("couldn't open file.txt for reading\n"); fgets(buffer,10,fd); return 0; This program opens a file called "file.txt" and reads in up to 10 characters into a buffer. The buffer is only 256 bytes long and as such if more than 256 characters are read in from the file the buffer will overflow. To exploit this overflow using a non-stack based exploit we need to write a program that will create a "file.txt" that contains the exploit. Here is the code. #include <stdio.h> int main() { char buffer[5]="cmd /c calc & AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB"; char sraddress[8]="\xaf\xa7\xe9\x77"; char padding[8]="\x90\x90\x90\x90"; char pointer_to_command[8]="\x70\x51\x2f\x"; FILE *fd=null; fd = fopen("file.txt","w+"); strcat(buffer,sraddress); strcat(buffer,padding); strcat(buffer,pointer_to_command); fprintf(fd,"%s",buffer); fclose(fd); } return 0; As can be seen the command that will be run is "cmd /c calc". If successful, the Calculator program should start. The saved return address is overwritten with the address of WinExec. A dummy saved return address is created for the benefit of WinExec and a pointer to this whole string is tacked on to the end. 5

On successful exploitation the saved return address will be overwritten with the address of WinExec(). When the relevant return operation is executed the processor returns to WinExec(). WinExec ignores the dummy saved return address and picks off its parameters and proceeds to execute the command. When the WinExec function returns the program will invariably crash but by that time the attacker's supplied command should already be in the process of executing. Conclusion Non-stack based exploits are easy to write and this method can be applied to remote exploitation of buffer overflow vulnerabilities, too. If they're not already doing so network based IDS software should keep a "look out" for this kind of attack; The non-stack based exploit may end up being one of the last bastions of hope for exploitation of buffer overflow vulnerabilities. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback