CS- Spring Buffer Overflow Attacks Computer Systems..-,
CS- Spring Hacking Roots in phone phreaking White Hat vs Gray Hat vs Black Hat Over % of Modern Software Development is Black Hat! Tip the balance: Be a force for good not evil!
CS- Spring Disassembly program.c gcc -S gcc o program program.s program program objdump -d program.s
CS- Spring Disclaimer Buffer Overflow Attack DO NOT ABUSE! Ancient form of hacking First documented in Used in Morris Worm First internet virus Used to hack Unix, Windows, Xbox, PS, Wii Taught here as an example of what to watch out for!
CS- Spring Example Vulnerable Code char * getuserline() { char buffer[]; static char retbuf[]; if (gets(buffer)) { strcpy(retbuf,buffer); return retbuf; } return NULL; } gets reads from stdin until it finds either an end-of-file or a newline (returns ). gets copies whatever it reads into the argument (buffer). gets does not check to make sure result fits in space allocated.
CS- Spring getuserline in X (with stack frame) getuserline: push %ebp mov %esp,%ebp sub $x,%esp lea -x(%ebp),%eax mov %eax,(%esp) call <_gets> test %eax,%eax move %ebp,%esp pop %ebp ret %ebp buffer / %ebp-x %esp / Parm return @ main s %ebp %ebp-
CS- Spring gets functionality gets reads a file that starts with %ebp return @ main s %ebp THE FIRST EIGHTY T x E I F I R S buffer / %ebp- T H E x %esp / parm %ebp-
CS- Spring Mixing Hex and ASCII We normally treat a file as a string of ASCII characters In fact, each ASCII character has a hex representation T H E F I R S T E I G H T Y We can use the command od t xz to show both ASCII and hex >THE FIRST EIGHTY< e e e >... < > < We can write a program to put non-ascii hex data in a file
CS- Spring Example of a file with ASCII and Hex ASCII Representation on terminal cat file THE FIRST EIGHTY... """"""""@ Mixed representation od -t xz xmphex.txt >THE FIRST EIGHTY< e e e >... < > < * >""""""""...@.< a >.<
CS- Spring GEDIT Mixed File
CS- Spring String in file (stdin) read by gets T H E F I R S T E I G H T Y... Alignment Padding main s ebp Return Address!
CS- Spring stack frame after gets returns gets reads a file whose first line ends with x x x <- little endian return @: x %ebp main s %ebp: x x T x E I F I R S %eax / buffer / %ebp- T H E x %esp %ebp-
CS- Spring getuserline in X (with stack) getuserline: push %ebp mov %esp,%ebp sub $x,%esp lea -x(%ebp),%eax mov %eax,(%esp) call <_gets> test %eax,%eax move %ebp,%esp pop %ebp ret return @: x %ebp,%esp main s %ebp: x x T x E I F I R S %eax / buffer / %ebp- T H E x %ebp-
CS- Spring getuserline in X (with stack) getuserline: push %ebp mov %esp,%ebp sub $x,%esp lea -x(%ebp),%eax mov %eax,(%esp) call <_gets> test %eax,%eax move %ebp,%esp pop %ebp ret %esp return @: x main s %ebp: x x T x E I F I R S %eax / buffer / %ebp- T H E x %ebp x %ebp-
CS- Spring getuserline in X (with stack) getuserline: push %ebp mov %esp,%ebp sub $x,%esp lea -x(%ebp),%eax mov %eax,(%esp) call <_gets> test %eax,%eax move %ebp,%esp pop %ebp ret return @: x %eip main s %ebp: x x x T x E I F I R S %eax / buffer / %ebp- T H E x %ebp-
CS- Spring What s at x? Your evil code!
CS- Spring Problems with Buffer Overflow Attack Need to mix ASCII with hexadecimal in input file String can t contain newline (x) Need to know offset from buffer to top of stack / return @ Overwrites caller s return address %ebp has been overwritten lost top of caller s stack frame Need to know address of pirate routine to return to Can write a program to do that Basic restriction Get that from objdump d Can get from objdump d %esp points to bottom of caller s frame, and we can find its size from objdump -d Harder, but not impossible
CS- Spring Preventing Buffer Overflow w/ Guard char * getuserline() { char buffer[]; int guard=xfedcba; static char retbuf[]; if (gets(buffer)) { assert(guard==xfedcba); strcpy(retbuf,buffer); return retbuf; } return NULL; } guard goes in stack frame after (on top of) buffer If buffer overflow occurs, guard will be modified If buffer overflow occurs, assert will fail Unless hacker did objdump and put xfedcba in his hacked file
CS- Spring String in file (stdin) read by gets T H E F I R S T E I G H T Y... B A D C F E Alignment Padding main s ebp Return Address! Guard
CS- Spring Preventing Buffer Overflow Attacks char * getuserline() { char buffer[]; static char retbuf[]; if (fgets(buffer,sizeof(buffer),stdin)) { strcpy(retbuf,buffer); return retbuf; } return NULL; } fgets reads from any file (third parameter) fgets checks size (second parameter) fgets does not allow buffer overwrite