Memory Corruption Buffer-overflow
Institute for Cybersecurity
Memory Corruption
Winter 2023
Feb 02 - 2023
• Mark Dowd, John McDonald, Justin Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison-Wesley Professional, (2006).
• http://etutorials.org/Networking/network+security+assessment/Chapter+13.+Application-Level+Risks/13.4+Classic+Buffer-Overflow+Vulnerabilities/
Canadian Institute for Cybersecurity
Memory
int x = 2323231
Memory Corruption
int x = 2323231
int x = 0X23731F
Each hex digit -> 4 bits
Memory Corruption
Two different ways in which a sequence of bytes is stored in computer memory (addresses 1000, 1001, ... listed from smallest to highest):
- Little Endian: 44 33 22 11
- Big Endian: 11 22 33 44
  - stores the most significant byte of a word at the smallest memory address
  - the same number 0x11223344 is represented in memory as 11 22 33 44
Least significant bits: have the useful property of changing rapidly if the number changes slightly.
https://www.ibm.com/docs/ja/zvm/7.2?topic=domains-network-byte-order-host-byte-order
https://www.ibm.com/docs/en/zos/2.3.0?topic=api-tcpip-network-byte-ordering-convention
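How the two byte orders above look on a real host, as an added C example that is not part of the slides: it reports the host's order at run time, dumps 0x11223344 as it sits in memory, and converts it to and from the big-endian network byte order the linked IBM pages describe (function names are my own).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if this host keeps the least significant byte at the smallest address
 * (little endian, as on x86), 0 if big endian; decided at run time. */
int is_little_endian(void)
{
    uint32_t probe = 0x11223344u;
    unsigned char first;
    memcpy(&first, &probe, 1);        /* first byte = smallest address */
    return first == 0x44;
}

/* Copies v's in-memory byte order into out[0..3]; out[0] is the smallest
 * address, like the slide's address 1000. */
void host_bytes(uint32_t v, unsigned char out[4])
{
    memcpy(out, &v, 4);
}

/* Serializes v most-significant-byte first (big endian, i.e. network byte
 * order), whatever the host's own order is. */
void to_network_bytes(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v >> 24);
    out[1] = (unsigned char)(v >> 16);
    out[2] = (unsigned char)(v >> 8);
    out[3] = (unsigned char)v;
}

/* Inverse of to_network_bytes: rebuilds the value from big-endian bytes. */
uint32_t from_network_bytes(const unsigned char in[4])
{
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
}

int main(void)
{
    unsigned char host[4], net[4];
    host_bytes(0x11223344u, host);
    to_network_bytes(0x11223344u, net);
    printf("host is %s endian\n", is_little_endian() ? "little" : "big");
    printf("0x11223344 in host memory:   %02x %02x %02x %02x\n", host[0], host[1], host[2], host[3]);
    printf("0x11223344 in network order: %02x %02x %02x %02x\n", net[0], net[1], net[2], net[3]);
    printf("decimal 2323231 == hex %X\n", 2323231);   /* the slide's int x */
    return 0;
}
```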
Memory Corruption
- Memory corruption
  - the contents of a memory location are modified
  - due to programmatic behavior that exceeds the intention of the original program/language constructs
- Cause
  - the most likely cause is a programming error
- Popular approaches
  - Stack overflow
Memory Layout for a typical C program
static int a = 3;   /* initialized: data segment */
static int b;       /* uninitialized: BSS segment */
Memory Layout (figure, built up over several slides; only its labels survive in the text)
From high addresses to low the figure shows: Stack Frame, Heap, BSS segment, Data segment.
- Stack Frame: locals a = 2, b = 2.5 and the pointer ptr
- Heap: the block returned by malloc, holding the values 5 and 6 written through ptr
- BSS segment: uninitialized global y
- Data segment: initialized global x = 100
Annotations on the malloc slide: "(typecasting) ptr = ...", "Malloc will just return 8 bytes of memory", "Returns address", "4 bytes, known at compile time", "Hey, it should be int!".
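The segments in the figure above, reproduced in a small added C program that is not the lecture's code: it takes one object from each segment (the figure's x = 100, y, a = 2 and the heap block holding 5 and 6) and checks the data/BSS < heap < stack ordering. It assumes a conventional Linux/x86 process layout; sample_layout and layout_is_textbook are names I chose.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

static int x = 100;   /* initialized global: data segment (x = 100 in the figure) */
static int y;         /* uninitialized global: BSS segment, zero-filled at load */

/* Address of one object per segment, as plain integers so they can be
 * compared. heap_obj and stack_obj are supplied by the caller. */
typedef struct { uintptr_t data, bss, heap, stack; } layout_t;

layout_t sample_layout(const int *heap_obj, const int *stack_obj)
{
    layout_t l;
    l.data  = (uintptr_t)&x;
    l.bss   = (uintptr_t)&y;
    l.heap  = (uintptr_t)heap_obj;
    l.stack = (uintptr_t)stack_obj;
    return l;
}

/* The ordering the lecture's figure shows: data and BSS are loaded with the
 * program image, the heap grows upward above them, and the stack sits near
 * the top of the address space and grows downward. */
int layout_is_textbook(layout_t l)
{
    return l.data < l.heap && l.bss < l.heap && l.heap < l.stack;
}

int bss_is_zeroed(void) { return y == 0; }   /* BSS is zeroed by the loader */

int main(void)
{
    int a = 2;                           /* stack: local in main's frame */
    int *ptr = malloc(2 * sizeof *ptr);  /* heap: 8 bytes with 4-byte ints */
    if (ptr == NULL) return 1;
    ptr[0] = 5; ptr[1] = 6;              /* the two heap values in the figure */
    layout_t l = sample_layout(ptr, &a);
    printf("data  (x)   %#lx\n", (unsigned long)l.data);
    printf("bss   (y)   %#lx\n", (unsigned long)l.bss);
    printf("heap  (ptr) %#lx\n", (unsigned long)l.heap);
    printf("stack (a)   %#lx\n", (unsigned long)l.stack);
    printf("textbook ordering: %s\n", layout_is_textbook(l) ? "yes" : "no");
    free(ptr);
    return 0;
}
```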
Stack (x86 figure)
source: https://eli.thegreenplace.net/2011/02/04/where-the-top-of-the-stack-is-on-x86
Stack and Function Invocation
• Every time a function is called, the program creates a new stack frame, which is simply a
reserved block of contiguous memory that a function uses for storing local variables and
internal state information.
• This block of memory is reserved for exclusive use by the function until it returns, at which
time it's removed from the stack.
Stack frame layout (figure), from high address to low address:
  arguments
  return address
  previous frame pointer   (the current frame pointer points at the start of this frame)
  local variables
The function shown in the figure:
void func(int a, int b)
{
    int x, y;
    x = a + b;
    y = a - b;
}
called as func(5, 8)
Stack and Function Invocation (figure, built up over three slides): main() calls foo(), which calls bar(); each call pushes a new frame and ESP moves to the top of the newest frame, and each return pops it again.
2. Function Call Stack (figure): the stack pointer (esp)
Function Call Stack
• The processor usually has a special register that points to the top of the stack, which is modified by the push and pop machine instructions.
• On Intel x86 CPUs, this register is called the Extended Stack Pointer (ESP).
Function Call Stack
- Before jumping to the entrance of the function, the computer pushes the address of the next instruction (the return address) onto the stack.
Function Call Stack
• Many programs make use of another register, called the "frame pointer" or "base pointer." On Intel x86 CPUs, this register is called the Extended Base Pointer (EBP). This register points to the beginning of the function's stack frame.
• Each variable in the given frame can be accessed by referencing a memory location that is a fixed offset from the base pointer.
• Whenever a function is called, some space is allocated for it on the stack for its execution.
main()
{
    func(5, 8);
    printf(….);
}
Stack and Function Call (figure)
3. Buffer Overflows (Stack)
#include <string.h>
void foo(char *str)
{
    char buffer[12];
    // the following statement will result in a buffer overflow
    strcpy(buffer, str);
}
int main()
{
    char *str = "This is definitely longer than 12";
    foo(str);
    return 1;
}
- Local array buffer[] in foo() has 12 bytes of memory.
- The foo() function uses strcpy() to copy the string from str to buffer[].
- The strcpy() function does not stop until it sees a zero ('\0') in the source string.
- Since the source string is longer than 12 bytes, strcpy() will overwrite some portion of the stack above the buffer.
- This is called a buffer overflow.
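The lecture's foo() beside a bounded replacement, as an added C example that is not from the slides: copy_checked and copy_truncating are names I chose; both refuse to write past the same 12-byte array that strcpy() overruns above, and the program feeds them the lecture's 33-character input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 12   /* same 12-byte local array as the lecture's foo() */

/* Hardened replacement for foo()'s strcpy(): copies src into a BUF_SIZE
 * array only if the string and its terminating '\0' fit; otherwise it
 * rejects the input instead of writing past the end of the array.
 * Returns true on success, false if src would have overflowed. */
bool copy_checked(char dst[BUF_SIZE], const char *src)
{
    size_t len = 0;
    while (len < BUF_SIZE && src[len] != '\0')   /* bounded length scan */
        len++;
    if (len == BUF_SIZE) {     /* no '\0' within BUF_SIZE: needs 13+ bytes */
        dst[0] = '\0';         /* leave dst in a defined state */
        return false;
    }
    memcpy(dst, src, len + 1); /* copies the '\0' as well */
    return true;
}

/* Alternative when truncation is acceptable: snprintf never writes more
 * than BUF_SIZE bytes and always NUL-terminates. It returns the length
 * the full string needed, so a result >= BUF_SIZE means it was cut. */
int copy_truncating(char dst[BUF_SIZE], const char *src)
{
    return snprintf(dst, BUF_SIZE, "%s", src);
}

int main(void)
{
    char buffer[BUF_SIZE];
    const char *str = "This is definitely longer than 12";  /* the lecture's input */

    if (!copy_checked(buffer, str))
        printf("rejected: input does not fit in %d bytes\n", BUF_SIZE);

    int needed = copy_truncating(buffer, str);
    if (needed >= BUF_SIZE)
        printf("truncated to \"%s\" (input was %d characters)\n", buffer, needed);
    return 0;
}
```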
3. Buffer Overflows (Stack)
- Affects where the program should jump to when the function returns
Shellcode = [
Task A : Find the offset distance between the base of the buffer and the return address.
Task B : Find the address to place the shellcode
Writing ShellCode
Shell Program (code figure)
- Typically, attackers want to inject a command which will allow them to run more commands.
- If we can inject code to execute a shell program (e.g. /bin/sh), we can get a shell prompt.
This code will execute a shell program using the execve() system call, but how do we put this code on the stack?
Writing ShellCode
Shell Program
- compile the above code into binary, and then save it to the input badfile?
- Set the targeted return address field to the address of the main() function
Writing ShellCode
The above C code gives the shell prompt to execute more commands. We can compile the above C code into binary and store it into the badfile with the return address field modified to the address of main().
1) Loader Issue : The OS loader is responsible for setting up the memory, copying the program to memory and invoking the dynamic linker to link libraries etc. to set up the running environment of the program. After the initialization steps are completed, main() is called. If any of the steps are missing, the program won't be loaded into memory. In the buffer overflow program, the code is not loaded by the OS; we are copying the code via a memory copy. Therefore, all the initialization steps are missing and hence our shell code won't be executed.
2) Zeros in the code : String copying (strcpy()) stops copying when a zero is found in the source string. When the C code is compiled into binary, there will be zeros in the binary code which will stop copying the badfile any further.
Writing ShellCode
- So, we cannot use the binary generated from a C program as our malicious code.
- It is better to write the program using assembly language.
- The assembly code for launching a shell is referred to as shellcode.
objdump (machine code) (figure)
https://www.exploit-db.com/shellcodes
Q. What real challenges are there for an attacker to conduct a BO attack?
Q. How can an attacker launch a BO attack without knowing all the information about the target program?