a buffer overflow example joão paulo magalhães ([email protected])april 2009
Post on 19-Dec-2015
213 views
TRANSCRIPT
A Buffer Overflow Example
João Paulo Magalhães ([email protected]) April 2009
2
Buffer Overflow
3
Buffer Overflow – A simple program
4
Buffer Overflow – A simple program
• Our goal is to execute the hack() function
Could be worst!
5
Buffer Overflow – Internal aspects of the program
Stack before the scanf call
Stack after the scanf call
print_it() and hack() functions addresses
6
Buffer Overflow – Running the program
The code of ‘A’ is 0x41!
7
Buffer Overflow – The x86 stack
Call parameters
Return Address
%EBP register
Preserve original register values
Make space for local variables in subroutines%ESP
Stack Pointer (32
bits)
Ends of the stack
Stack Frame(currently)
Stack Frame(Of who calls the subroutine)
8
Buffer Overflow – The attack
Call parameters
Return Address
%EBP register
Preserve original register values
Make space for local variables in subroutines
Buffer s stays here
Ends of the stack
Stack Frame(currently)
Stack Frame(Of who calls the subroutine)
Write chars until change
the return address
9
Buffer Overflow – Running once more
We want to put this address here
10
Buffer Overflow – The attack
11
Buffer Overflow – The attack
It’s used a String larger than s buffer is expecting and that stays over the return value
The return address was changed
Mallicious code
12
Buffer Overflow – But where came from the hack() function??
Usually buffers don’t have enought space to store all the code that is going to be executed (i.e. s[] buffer does not have enought space to the binary code of hack()), so we only need to make the program to read data from someplace, and store it in a way that is possible to locate it later. In this case is just necessary to make the returning address point to the right location (e.g., a image!)
13
Buffer Overflow – But...
• Hackers could not have access to the source code to discover the buffer sizes...
It’s very easy to incrementally enlarge the input data until a crash occur. This way, the buffer size is discovered.
14
Buffer Overflow – The correct code
Don’t use “insecure functions”, or when it’s absolutely necessary to use them special cares are needed. E.g.,
gets()/fgets()scanf()/fscanf()strcat()/strcpy()...
15
Bibliography
16
Credits...
Paulo Marques Departamento de Eng. Informática Universidade de Coimbra [email protected]
The original (and Portuguese) version of these presentation belongs to Professor Paulo Marques