IT Security - 2 Exercise 3 (Buer Overows)

Tanmaya Mahapatra Matriculation Number : 340959 tanmaya.mahapatra@rwth-aachen.de Bharath Rangaraj Matriculation Number : 340909 bharath.rangaraj@rwth-aachen.de

Mohibullah Kamal Matriculation Number : 341323 mohibullah.kamal@rwth-aachen.de October 31, 2013

Task - 1 : Heap and Stack

Question 1 What is the heap and what is the stack used for ? Solution: The stack is the memory set aside as scratch space for a thread of execution. When a function is called, a block is reserved on the top of the stack for local variables and some bookkeeping data. When that function returns, the block becomes unused and can be used the next time a function is called. The stack is always reserved in a LIFO order; the most recently reserved block is always the next block to be freed. This makes it really simple to keep track of the stack; freeing a block from the stack is nothing more than adjusting one pointer. The heap is memory set aside for dynamic allocation. Unlike the stack, theres no enforced pattern to the allocation and deallocation of blocks from the heap; you can allocate a block at any time and free it at any time. This makes it much more complex to keep track of which parts of the heap are allocated or free at any given time; there are many custom heap allocators available to tune heap performance for dierent usage patterns. Each thread gets a stack, while theres typically only one heap for the application (although it isnt uncommon to have multiple heaps for dierent types of allocation). Question 2 Where are stack and heap located in memory, in which direction do they grow (on the x86 architecture) ?

Solution: The stack is typically stored in the low addresses of memory and lls upward toward its upper limit. The heap is typically stored at the top of the address space and grows toward the stack. Because they usually have to share the same address space, and as a convenience they each begin on one end of the address space. Then they grow towards each other, giving that grow down-grow up behavior. Some systems (some HP systems, for example), the stack grows up instead of down. And on other systems (e.g., IBM/390) there is no real hardware stack at all, but rather a pool of pages that are dynamically allocated from user space memory. The heap can, in general, grow in any direction, since it may contain many allocation and deallocation holes, so it is better to think of it as a loose collection of pages than as a LIFO-stack type structure. But most heap implementations expand their space usage within a predetermined address range, growing and shrinking it as necessary. Question 3 Why do buer overow attacks always depend on heap or stack memory ? Solution: By Buer overow we mean that a program while writing data to a buer, overruns the buers boundary and overwrites adjacent memory. This is a special case of violation of memory safety. The Buer overow techniques are mainly targeted on Stack and Heap because : The Text Segment is Read only. No alterations can be done. Data Segment : Cant change return address : Systems prevent crossing data, stack boundary Heap and stack shrink and grow dynamically during program execution. 1. The stack is an area of memory set aside for local variables which are allocated when a function is called and which are de-allocated when that function returns. This includes the automatic variables of C, and it may include the return address and other registers saved when a function is called. If by buer overow these return addresses are manipulated then we can execute arbitrary code without any problems. 2. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specic ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overow technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses the resulting pointer exchange to overwrite a program function pointer. Thus the Heap is prone to Buer overow attacks. So the Buer Overow attacks target on Stack and Heap portion of the Executable program Segments.

Page 2

Task - 2 : Shellcode

Question 1 What is a shellcode and where is it used within the process of exploitation ? Solution: Shellcode is a small piece of code written in assembly level language which is used as a payload for the exploitation of vulnerabilities. It is called a shellcode because it starts a command shell from which the attacker can typically control the system. Shellcodes are generally used in : shellcodes are used to exploit codes directly in the stack or other parts of the memory, which deal with binary, we need assembly codes that represent a raw set of machine instructions of the target machines. Shellcode is used to spawn a (root) shell because it will give us the highest privilege. A shellcode may be used as an exploit payload, providing a hacker or attacker with command line access to a computer system. Shellcodes exploit stack or heap based buer overow vulnerabilities or format string attack. Question 2 Name at least 2 types of shellcodes and briey describe their benets. Solution: Download and execute shellcode Download and execute is a type of remote shellcode that downloads and executes some form of malware on the target system. This type of shellcode does not spawn a shell, but rather instructs the machine to download a certain executable le o the network, save it to disk and execute it. Nowadays, it is commonly used in drive-by download attacks, where a victim visits a malicious webpage that in turn attempts to run such a download and execute shellcode in order to install software on the victims machine. Benets include: The code is smaller as that it does not require the shellcode to spawn a new process on the target system. Shellcode does not need code to clean up the targeted process as this can be done by the library loaded into the process. It contain an encoded copy of the executable which it can decode and write to the disc and it can also download copies of encoded executables from the attackers web site. Omelette shellcode A small piece of shellcode written in assembler that can scan the user-land address space for small blocks of memory (eggs) and recombine the eggs into one large block. When done, the large block is executed. Benets Include: i) This is useful when you can only insert small blocks at random locations into a process and not one contiguous large block containing your shellcode in one piece: this code will recombine the eggs to create your shellcode in the process and execute it.

Page 3

Question 3 Consider the following scenario: You have found an exploitable vulnerability for a platformindependent software (e.g. a web-browser). What problem arises when you are looking for a suitable shellcode ? What could you do to make your life easier ? Solution: 1. Once vulnerability is detected on a system it can be exploited with the help of a shell code but the problem arises when we want to nd the most suitable and eective shellcode because the target machine architecture, operating system and the service pack is unknown. Since the shellcode is not unique for all machines we need to know the specics of the machine for a successful attack. 2. Life can me made easier by creating multiple versions of the shellcode that target the various platforms and creating a header that branches to the correct version for the platform the code is running on. When executed, the code behaves dierently for dierent platforms and executes the right part of the shellcode for the platform it is running on.

Task - 3 : NOPs

Question 1 How can an attacker use NOPs to increase his chances for success in a buer overow attack ? Solution: An attacker in a buer overow attack scenario does not have to know the precise starting address of code because he/she can exploit the fact that the code is much smaller than the space between the buer therefore he/she can place code near the end of the buer by padding the memory area before it with no operations (NOP) instructions, a computer processing unit (CPU) instruction which tells the CPU to do nothing. As these instructions do nothing the attacker can designate the return address used to enter this code at a location somewhere in the run of NOPs which is known as the NOP sled, many consecutive NOPs. If the return address is overwritten with any address within the no operation region of the buer it will slide down the NOPs until it is redirected to the actual malicious code by the jump at the end. Question 2 How hard is the detection of this technique ? Solution: The detection only occurs when the designated address is in between the NOP sled where by the attacker guess can dier from the actual buer address by half the size of the NOP sled. Question 3 How can an attacker avoid detection while using the same principle ?

Page 4

Solution:

Task - 4 : Exploit Mitigation Techniques

Question 1 What are mitigation techniques and what are they good for? Solution: ASLR: Attacker does not know address of executable code. Stack Canaries. 2 types are used : 1. Choose random canary string on program start. Attacker cant guess what the value of canary will be. 2. Terminator canary: any termination symbol for C string library functions such as \0, newline, linefeed, EOF String functions like strcpy wont copy beyond \0. Question 2 What is the underlying problem (besides missed bound checking) that makes it possible to execute shellcode from within a buer that is lled with (benign) data during regular program execution ? Which mitigation technique tries to solve this problem ? Solution: Question 3 Which mitigation technique tries to make the prediction of memory addresses harder ? Solution: Address Space layout Randomization (ASLR), an operating system shues up all the location addresses for an application as well as all the supporting libraries surrounding the application. Therefore, the only choice left with the attacker is to predict addresses, which makes buer overow much harder.

Page 5