Buffer Overflow Attacks

Similar documents
Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Buffer-Overflow Attacks on the Stack

Buffer-Overflow Attacks on the Stack

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

Buffer Overflow Attack

Sungkyunkwan University

Full Name: CISC 360, Fall 2008 Example of Exam

Advanced Buffer Overflow

CS , Spring 2004 Exam 1

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

ANITA S SUPER AWESOME RECITATION SLIDES

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Lecture 08 Control-flow Hijacking Defenses

Advanced Buffer Overflow

CS , Fall 2002 Exam 1

20: Exploits and Containment

CSE 361S Intro to Systems Software Lab Assignment #4

CS , Fall 2001 Exam 1

CMPSC 497 Buffer Overflow Vulnerabilities

Lab 10: Introduction to x86 Assembly

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Buffer overflows. Specific topics:

Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Is stack overflow still a problem?

Project 1 Notes and Demo

15-213/18-243, Fall 2010 Exam 1 - Version A


Buffer Overflows Defending against arbitrary code insertion and execution

Buffer Overflow Attack (AskCypert CLaaS)

CS 3214 Spring # Problem Points Min Max Average Median SD Grader. 1 Memory Layout and Locality Bill

CSC 2400: Computing Systems. X86 Assembly: Function Calls

CS , Fall 2004 Exam 1

CMSC 313 Lecture 12 [draft] How C functions pass parameters

buffer overflow exploitation

Obstacle Course Buffer Overflow Hacking Exercise

CSC 2400: Computer Systems. Using the Stack for Function Calls

Machine-Level Programming V: Buffer overflow

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CS642: Computer Security

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM

Practical Malware Analysis

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002

CSC 8400: Computer Systems. Using the Stack for Function Calls

Machine- Level Programming V: Advanced Topics

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Link 2. Object Files

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Instruction Set Architectures

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Giving credit where credit is due

Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

Software Security (cont.): Defenses, Adv. Attacks, & More

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

18-600: Recitation #4 Exploits

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

CS / ECE , Spring 2010 Exam 1

Computer Systems Architecture I. CSE 560M Lecture 3 Prof. Patrick Crowley

Computer Systems CEN591(502) Fall 2011

CSC 373, Winter 2012 Lab Assignment 3: The Buffer Bomb

Instruction Set Architectures

Università Ca Foscari Venezia

ROP It Like It s Hot!

Instruction Set Architecture

Instruction Set Architecture

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

CS/ECE 354 Practice Midterm Exam Solutions Spring 2016

THEORY OF COMPILATION

Assembly Language: Function Calls

Program Exploitation Intro

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Link 2. Object Files

Machine-Level Prog. V Miscellaneous Topics

Assembly Language: Function Calls" Goals of this Lecture"

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

238P: Operating Systems. Lecture 7: Basic Architecture of a Program. Anton Burtsev January, 2018

Tales of the Unknown. Part One.

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls" Goals of this Lecture"

Machine Programming 5: Buffer Overruns and Stack Exploits

Link Edits and Relocatable Code

Systems I. Machine-Level Programming I: Introduction

Stack Overflow COMP620

CS-220 Spring 2018 Test 2 Version Practice Apr. 23, Name:

CSC 252: Computer Organization Spring 2018: Lecture 9

Part II Let s make it real

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Transcription:

CS- Spring Buffer Overflow Attacks Computer Systems..-,

CS- Spring Hacking Roots in phone phreaking White Hat vs Gray Hat vs Black Hat Over % of Modern Software Development is Black Hat! Tip the balance: Be a force for good not evil!

CS- Spring Disassembly program.c gcc -S gcc o program program.s program program objdump -d program.s

CS- Spring Disclaimer Buffer Overflow Attack DO NOT ABUSE! Ancient form of hacking First documented in Used in Morris Worm First internet virus Used to hack Unix, Windows, Xbox, PS, Wii Taught here as an example of what to watch out for!

CS- Spring Example Vulnerable Code char * getuserline() { char buffer[]; static char retbuf[]; if (gets(buffer)) { strcpy(retbuf,buffer); return retbuf; } return NULL; } gets reads from stdin until it finds either an end-of-file or a newline (returns ). gets copies whatever it reads into the argument (buffer). gets does not check to make sure result fits in space allocated.

CS- Spring getuserline in X (with stack frame) getuserline: push %ebp mov %esp,%ebp sub $x,%esp lea -x(%ebp),%eax mov %eax,(%esp) call <_gets> test %eax,%eax move %ebp,%esp pop %ebp ret %ebp buffer / %ebp-x %esp / Parm return @ main s %ebp %ebp-

CS- Spring gets functionality gets reads a file that starts with %ebp return @ main s %ebp THE FIRST EIGHTY T x E I F I R S buffer / %ebp- T H E x %esp / parm %ebp-

CS- Spring Mixing Hex and ASCII We normally treat a file as a string of ASCII characters In fact, each ASCII character has a hex representation T H E F I R S T E I G H T Y We can use the command od t xz to show both ASCII and hex >THE FIRST EIGHTY< e e e >... < > < We can write a program to put non-ascii hex data in a file

CS- Spring Example of a file with ASCII and Hex ASCII Representation on terminal cat file THE FIRST EIGHTY... """"""""@ Mixed representation od -t xz xmphex.txt >THE FIRST EIGHTY< e e e >... < > < * >""""""""...@.< a >.<

CS- Spring GEDIT Mixed File

CS- Spring String in file (stdin) read by gets T H E F I R S T E I G H T Y... Alignment Padding main s ebp Return Address!

CS- Spring stack frame after gets returns gets reads a file whose first line ends with x x x <- little endian return @: x %ebp main s %ebp: x x T x E I F I R S %eax / buffer / %ebp- T H E x %esp %ebp-

CS- Spring getuserline in X (with stack) getuserline: push %ebp mov %esp,%ebp sub $x,%esp lea -x(%ebp),%eax mov %eax,(%esp) call <_gets> test %eax,%eax move %ebp,%esp pop %ebp ret return @: x %ebp,%esp main s %ebp: x x T x E I F I R S %eax / buffer / %ebp- T H E x %ebp-

CS- Spring getuserline in X (with stack) getuserline: push %ebp mov %esp,%ebp sub $x,%esp lea -x(%ebp),%eax mov %eax,(%esp) call <_gets> test %eax,%eax move %ebp,%esp pop %ebp ret %esp return @: x main s %ebp: x x T x E I F I R S %eax / buffer / %ebp- T H E x %ebp x %ebp-

CS- Spring getuserline in X (with stack) getuserline: push %ebp mov %esp,%ebp sub $x,%esp lea -x(%ebp),%eax mov %eax,(%esp) call <_gets> test %eax,%eax move %ebp,%esp pop %ebp ret return @: x %eip main s %ebp: x x x T x E I F I R S %eax / buffer / %ebp- T H E x %ebp-

CS- Spring What s at x? Your evil code!

CS- Spring Problems with Buffer Overflow Attack Need to mix ASCII with hexadecimal in input file String can t contain newline (x) Need to know offset from buffer to top of stack / return @ Overwrites caller s return address %ebp has been overwritten lost top of caller s stack frame Need to know address of pirate routine to return to Can write a program to do that Basic restriction Get that from objdump d Can get from objdump d %esp points to bottom of caller s frame, and we can find its size from objdump -d Harder, but not impossible

CS- Spring Preventing Buffer Overflow w/ Guard char * getuserline() { char buffer[]; int guard=xfedcba; static char retbuf[]; if (gets(buffer)) { assert(guard==xfedcba); strcpy(retbuf,buffer); return retbuf; } return NULL; } guard goes in stack frame after (on top of) buffer If buffer overflow occurs, guard will be modified If buffer overflow occurs, assert will fail Unless hacker did objdump and put xfedcba in his hacked file

CS- Spring String in file (stdin) read by gets T H E F I R S T E I G H T Y... B A D C F E Alignment Padding main s ebp Return Address! Guard

CS- Spring Preventing Buffer Overflow Attacks char * getuserline() { char buffer[]; static char retbuf[]; if (fgets(buffer,sizeof(buffer),stdin)) { strcpy(retbuf,buffer); return retbuf; } return NULL; } fgets reads from any file (third parameter) fgets checks size (second parameter) fgets does not allow buffer overwrite

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback