Scribd
Upload
105 views

Buffer Overflow Exploits: Taken Shamelessly From: /courses/cse451/05sp/section/ove Rflow1

The document discusses buffer overflow exploits. Buffer overflows occur when a program copies a larger amount of data into a fixed-size buffer than it can hold, overwriting adjacent memory. This can be exploited by crafting an input string that overwrites the return address on the stack to redirect program flow and execute arbitrary code provided in the string. The document provides examples of how buffer overflows work at a low level on the stack and how to generate shellcode payloads to achieve remote code execution if a vulnerability exists.

Uploaded by

Avinash Avuthu
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
105 views

Buffer Overflow Exploits: Taken Shamelessly From: /courses/cse451/05sp/section/ove Rflow1

The document discusses buffer overflow exploits. Buffer overflows occur when a program copies a larger amount of data into a fixed-size buffer than it can hold, overwriting adjacent memory. This can be exploited by crafting an input string that overwrites the return address on the stack to redirect program flow and execute arbitrary code provided in the string. The document provides examples of how buffer overflows work at a low level on the stack and how to generate shellcode payloads to achieve remote code execution if a vulnerability exists.

Uploaded by

Avinash Avuthu
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 27

Buffer Overflow Exploits

Taken shamelessly from:


https://courses.cs.washington.edu
/courses/cse451/05sp/section/ove
rflow1.ppt

Taken shamelessly from:


http://www.cs.rpi.edu/~hollingd/
netprog/overflow.ppt
Netprog: Buffer Overflow 1
Serious Stuff
Try a web search for buffer overflow exploit

Smashing the Stack for Fun and Profit

Check alt.2600, rootshell.com, antionline.com you


can find long lists of exploits based on buffer
overflow.

Even the original version of ssh had a problem! (after


they made a big deal that there were no buffer
overflow problems in their code).
Netprog: Buffer Overflow 2
The Problem
void foo(char *s) {
char buf[10];
strcpy(buf,s);
printf(buf is %s\n,s);
}

foo(thisstringistoolongforfoo);

Netprog: Buffer Overflow 3


Exploitation
The general idea is to give servers very large
strings that will overflow a buffer.

For a server with sloppy code its easy to


crash the server by overflowing a buffer
(SEGV typically).

Its sometimes possible to actually make the


server do whatever you want (instead of
crashing).
Netprog: Buffer Overflow 4
Background Necessary
C functions and the stack.
A little knowledge of assembly/machine
language.
How system calls are made (at the
machine code level).
exec() system calls
How to guess some key parameters.
Netprog: Buffer Overflow 5
CPU/OS dependency
Building an exploit requires knowledge
of the specific CPU and operating
system of the target.
Ill just talk about x86 and Linux, but the
methods work for other CPUs and OSs.
Some details are very different, but the
concepts are the same.

Netprog: Buffer Overflow 6


C Call Stack
When a function call is made, the return
address is put on the stack.
Often the values of parameters are put
on the stack.
Usually the function saves the stack
frame pointer (on the stack).
Local variables are on the stack.

Netprog: Buffer Overflow 7


Stack Direction
On Linux (x86) the stack grows from
high addresses to low.

Pushing something on the stack moves


the Top Of Stack towards the address 0.

Netprog: Buffer Overflow 8


A Stack Frame
high
Parameters
Return Address
Calling Stack Pointer
SP+offset
Local Variables
SP

Addresses

00000000 low
Netprog: Buffer Overflow 9
18
addressof(y=3) return address
Sample saved stack pointer
y
Stack x
buf

x=2; void foo(int j) {


foo(18); int x,y;
y=3; char buf[100];
x=j;

}
Netprog: Buffer Overflow 10
Smashing the Stack*
The general idea is to overflow a buffer
so that it overwrites the return address.
When the function is done it will jump to
whatever address is on the stack.
We put some code in the buffer and set
the return address to point to it!

*taken from the title of an article in Phrack 49-7

Netprog: Buffer Overflow 11


void foo(char *s) {
char buf[100];
Before and After strcpy(buf,s);

address of s address of s
return-address pointer to pgm
saved sp

buf
Small Program

Netprog: Buffer Overflow 12


Issues
How do we know what value the pointer
should have (the new return address).
Its the address of the buffer, but how do
we know what address this is?

How do we build the small program


and put it in a string?

Netprog: Buffer Overflow 13


Guessing Addresses
Typically you need the source code so
you can estimate the address of both
the buffer and the return-address.

An estimate is often good enough!


(more on this in a bit).

Netprog: Buffer Overflow 14


Building the
small program

Typically, the small program stuffed in to


the buffer does an exec().

Sometimes it changes the password db


or other files

Netprog: Buffer Overflow 15


exec() example
#include <stdio.h>

char *args[] = {"/bin/ls", NULL};

void execls(void) {
execv("/bin/ls",args);
printf(Im not printed\n");
}
Netprog: Buffer Overflow 16
Generating a String
You can take code like the previous
slide, and generate machine language.
Copy down the individual byte values
and build a string.
To do a simple exec requires less than
100 bytes.

Netprog: Buffer Overflow 17


A Sample Program/String
Does an exec() of /bin/ls:

unsigned char cde[] =


"\xeb\x1f\x5e\x89\x76\x08\x31\xc0
\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c
\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/ls";
Netprog: Buffer Overflow 18
Some important issues
The small program should be position-
independent able to run at any
memory location.

It cant be too large, or we cant fit the


program and the new return-address on
the stack!

Netprog: Buffer Overflow 19


Sample Overflow Program
(see other slides on pages 3-5)

Netprog: Buffer Overflow 20


Attacking a real program
Recall that the idea is to feed a server a
string that is too big for a buffer.
This string overflows the buffer and
overwrites the return address on the
stack.
Assuming we put our small program in
the string, we need to know its address.

Netprog: Buffer Overflow 21


NOPs
Most CPUs have a No-Operation
instruction it does nothing but
advance the instruction pointer.
Usually we can put a bunch of these
ahead of our program (in the string).
As long as the new return-address
points to a NOP we are OK.

Netprog: Buffer Overflow 22


Using NOPs
new return address

Real program
(exec /bin/ls or whatever)

nop instructions

Netprog: Buffer Overflow 23


Estimating the stack size
We can also guess at the location of the
return address relative to the overflowed
buffer.

Put in a bunch of new return addresses!

Netprog: Buffer Overflow 24


Estimating the Location
new return address
new return address
new return address
new return address
new return address
new return address
Real program

nop instructions

Netprog: Buffer Overflow 25


Other Potential Problems
Buffer overflow is just the most common
programming problem exploited.

Integer arithmetic can also be a


problem!
foo = malloc(num * sizeof(struct blah));

what if num is 2^32-1? what if num is -1?

Netprog: Buffer Overflow 26


Summary
Don't use strcpy.
Check the return value on all calls to library
functions like malloc (as well as all system
calls).
Don't use multiplication (or addition).
Might as well not use subtraction or division
either.
It's probably best to avoid writing programs at
all

Netprog: Buffer Overflow 27

You might also like