Buffer-Overflow Attacks on the Stack

Similar documents
Buffer-Overflow Attacks on the Stack

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Program Exploitation Intro

Project 1 Notes and Demo

Buffer Overflow Attacks

Stack overflow exploitation

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Sungkyunkwan University

Practical Malware Analysis

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

buffer overflow exploitation

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Lab 3. The Art of Assembly Language (II)

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Intro x86 Part 3: Linux Tools & Analysis

CSC 2400: Computer Systems. Using the Stack for Function Calls

Buffer Overflow. An Introduction

Buffer Overflows Defending against arbitrary code insertion and execution

Blossom Hands-on exercises for computer forensics and security. Buffer Overflow

Chapter 7: User Defined Functions and Stack Mechanics

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

CSC 405 Computer Security Stack Canaries & ASLR

Is stack overflow still a problem?

Buffer Overflow Attack

Offensive Security My First Buffer Overflow: Tutorial

Machine- Level Programming V: Advanced Topics

Recitation: Bomb Lab. September 17 th 2018

Buffer overflows. Specific topics:

16.317: Microprocessor Systems Design I Fall 2015


Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

ROP It Like It s Hot!

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

MWR InfoSecurity Security Advisory. Intersystems Caché CSP (Caché Server Pages) Stack Overflow. 17 th December 2009

CSE509 System Security

ANITA S SUPER AWESOME RECITATION SLIDES

Lab 10: Introduction to x86 Assembly

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Lecture 08 Control-flow Hijacking Defenses

CSC 2400: Computer Systems. Using the Stack for Function Calls

Full Name: CISC 360, Fall 2008 Example of Exam

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

x86 assembly CS449 Fall 2017

Obstacle Course Buffer Overflow Hacking Exercise

CSC 8400: Computer Systems. Using the Stack for Function Calls

CSE 361S Intro to Systems Software Lab Assignment #4

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Function Call Convention

THEORY OF COMPILATION

Linux Memory Layout The course that gives CMU its Zip! Machine-Level Programming IV: Miscellaneous Topics Sept. 24, Text & Stack Example

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015

Mitchell Adair January, 2014

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Basic Buffer Overflows

From Over ow to Shell

Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

Biography. Background

18-600: Recitation #3

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002

CSC 373, Winter 2012 Lab Assignment 3: The Buffer Bomb

20: Exploits and Containment

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

18-600: Recitation #4 Exploits

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

Machine-Level Programming V: Buffer overflow

Machine Language, Assemblers and Linkers"

Machine-Level Programming V: Advanced Topics

CSC 405 Computer Security Reverse Engineering Part 1

Università Ca Foscari Venezia

Giving credit where credit is due

15-213/18-243, Fall 2010 Exam 1 - Version A

Advanced Buffer Overflow

16.317: Microprocessor Systems Design I Fall 2014

Recitation: Attack Lab

X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Exercise 6: Buffer Overflow and return-into-libc Attacks

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Instruction Set Architectures

Buffer Overflow Attack (AskCypert CLaaS)

FLARE-On 4: Challenge 3 Solution greek_to_me.exe

Computer Architecture and Assembly Language. Practical Session 3

Systems I. Machine-Level Programming I: Introduction

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring AY2017

18-600: Recitation #4 Exploits (Attack Lab)

Transcription:

Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent locations. Programming languages commonly associated with buffer overflows include C and C++, which have no built-in protection against writing anywhere in memory. Buffer overflows are the basis of many software vulnerabilities and can be maliciously exploited. They have been used by malicious hackers and virus writers for a long time. In this lab we will experiment with harmless buffer overflows that trigger calls to unused functions in our program. A classic exploit would however fill the buffer with its own malicious code. If you wish to learn more about buffer-overflow techniques, refer to https://www.symantec.com/avcenter/reference/blended.attacks.pdf Part1 Understanding Array Allocation and Vulnerable C Functions 1. Copy bufdemo.c from /mnt/a/mdamian/courses/x86 into your csc2400/x86 directory. #include <stdio.h> void Echo() char buf[4]; gets(buf); puts(buf); int main() printf("\n Type in a string: "); Echo(); return 0; 2. Compile with gcc bufdemo.c o xbufdemo

3. Load xbufdemo into the debugger (gdb), then disassemble the code for main: gdb xbufdemo set disassembly-flavor intel disas main Disassembled code for main: 0x0804840c <main+10>: push 0x0804840d <main+11>: mov 0x0804840f <main+13>: push 0x08048410 <main+14>: sub 0x08048413 <main+17>: mov 0x0804841a <main+24>: call 0x0804841f <main+29>: call 0x08048424 <main+34>: mov 0x08048429 <main+39>: add 0x0804842c <main+42>: pop 0x0804842d <main+43>: pop 0x0804842e <main+44>: lea 0x08048431 <main+47>: ret ebp ebp,esp ecx esp,0x4 DWORD PTR [esp],0x8048504 0x8048320 <puts@plt> 0x80483e4 <Echo> eax,0x0 esp,0x4 ecx ebp esp,[ecx-0x4] 4. Next disassemble the code for Echo: Echo: 0x080483e4 <Echo+0>: push ebp 0x080483e5 <Echo+1>: mov ebp,esp 0x080483e7 <Echo+3>: sub esp,0x18 0x080483ea <Echo+6>: lea eax,[ebp-0x4] 0x080483ed <Echo+9>: mov DWORD PTR [esp],eax 0x080483f0 <Echo+12>: call 0x8048300 <gets@plt> 0x080483f5 <Echo+17>: lea eax,[ebp-0x4] 0x080483f8 <Echo+20>: mov DWORD PTR [esp],eax 0x080483fb <Echo+23>: call 0x8048320 <puts@plt> 0x08048400 <Echo+30>: pop 0x08048401 <Echo+31>: ret ebp

5. Inspect the stack contents as you step through the program with the debugger: break *(Echo+12) display /i $eip run x /x $esp nexti x /4bc ($ebp-4) x /4bx ($ebp-4) x /1wx ($ebp-4) # This is the buf address # Use nexti so that you don t go into the gets function # Type in the string 123 # Display 4 bytes as chars starting at memory address $ebp-4 # Display 4 bytes in hex starting at memory address $ebp-4 # Display 1 word (4 bytes) in hex starting at address $ebp-4 # Is this machine little endian or big endian? # Display 4 words (16 bytes) in hex starting at address $ebp-4 # You ll see the user string (4 bytes), the old EBP, and the # address to return to the main function RA (main) disas main 6. Rerun xbufdemo (in the debugger) with input string 1234. What are the four values printed by 7. Rerun xbufdemo (in the debugger) with input string 1234567. What are the four values printed by 8. Rerun xbufdemo (in the debugger) with input string 123456789ABC. What are the values printed by 9. What happened to the return address for the main function? Write down the address that the execution jumps to when the ret instruction in Echo gets executed:

Part 2 Understanding Buffer Overflow Attacks 1. Copy bufattack.c and sendstring (an executable file) from /mnt/a/mdamian/courses/x86 into your csc2400/x86 directory. #include <stdio.h> #include <stdlib.h> /* for exit */ void Echo() char buf[4]; gets(buf); puts(buf); void Fire() printf("\nyou called Fire?!\n"); exit(1); int main() printf("\ntype a string:\n"); Echo(); return 0; 2. Compile with gcc bufattack.c o xbufattack 3. Load xbufattack into the debugger (gdb), then disassemble the code for main: gdb xbufattack set disassembly-flavor intel disas main Code of interest (main): 0x08048468 <main+24>: call 0x8048340 <puts@plt> 0x0804846d <main+29>: call 0x8048414 <Echo> 0x08048472 <main+34>: mov eax,0x0 4. Disassemble the code for Echo: Code of interest (Echo): 0x08048414 <Echo+0>: push ebp 0x08048415 <Echo+1>: mov ebp,esp 0x0804841a <Echo+6>: lea eax,[ebp-0x4] 0x0804841d <Echo+9>: mov DWORD PTR [esp],eax

0x08048420 <Echo+12>: call 0x8048320 <gets@plt> 0x08048430 <Echo+28>: leave 0x08048431 <Echo+29>: ret 5. Disassemble the code for Fire: 0x08048432 <Fire+0>: push ebp 0x08048433 <Fire+1>: mov ebp,esp 0x08048435 <Fire+3>: sub esp,0x8 0x08048438 <Fire+6>: mov DWORD PTR [esp],0x8048544 0x0804843f <Fire+13>: call 0x8048340 <puts@plt> 0x08048444 <Fire+18>: mov DWORD PTR [esp],0x0 0x0804844b <Fire+25>: call 0x8048350 <exit@plt> 6. Inspect the stack during the program execution by stepping though with the debugger. Here are some debugger commands to get you started: break *(Echo+12) # Prior to the gets call display /i $eip run x /3xw $ebp-4 nexti # Type in 1234abcd5678 x /3xw $ebp-4 # Note the changes in the stack contents. Identify your input # Notice the little endian representation 7. Write down an exploit string in hexadecimal that causes Fire to execute when gets terminates. Use the address of Fire to overwrite the old EBP as well. 8. To test out the correctness of your answer in the previous step, we will need to convert your hexadecimal string into a byte string that will serve as input to your program. To do so, first quit the debugger. Write your exploit string into a file, say in.txt, then use sendstring to produce the corresponding byte string as follows: sendstring < in.txt > in.raw The result is a binary file in.raw that contains the bytes you wish to feed to the xbufattack program. 9. Reinvoke the debugger on xbufattack, then repeat the activities from step 6 above, with the only difference that this time you will provide your exploit string as input when running: run < in.raw 10. Step through the code (using nexti or ni). If your exploit string is correct, the execution will jump to the first instruction in Fire after the ret instruction from Echo.

11. Add two arguments to Fire as shown below. Then repeat steps 7 through 10 to force Fire(0x11, 0x22) to execute when gets terminates. void Fire(int x, int y) printf("\nyou called Fire(%d, %d)?!\n", x, y); exit(1); Write down the exploit string (in hexadecimal):

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback