Exploits
Exploits
By Hon Ching Lo
By Hon Ching Lo
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Guidelines and tips
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Community
Ask the community
Ask the community for help and clear up your study doubts
University Rankings
Discover the best universities in your country according to Docsity users
Free resources
Our save-the-student-ebooks!
Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors
buffers different types of buffers
Typology: Exams
2017/2018
1 / 49
This page cannot be seen from the preview
Don't miss anything!
Related documents
Partial preview of the text
Download buffer overflow attacks and more Exams Network security in PDF only on Docsity!
Exploits
Exploits
By Hon Ching Lo
By Hon Ching Lo
Buffer Overflow
Buffer Overflow
Virus & Worms
Virus & Worms
The āstacheldrahtā
The āstacheldrahtā
distributed denial of
distributed denial of
service attack tool
service attack tool
Stack Basics
Stack Basics
ļµ
A stack is contiguous block of memory containing
A stack is contiguous block of memory containing
data.
data.
ļµ
Stack pointer (SP) ā a register that points to the
Stack pointer (SP) ā a register that points to the
top of the stack.
top of the stack.
ļµ
The bottom of the stack is at fixed address.
The bottom of the stack is at fixed address.
ļµ
Its size is dynamically adjusted by kernel at run
Its size is dynamically adjusted by kernel at run
time.
time.
ļµ
CPU implements instructions to PUSH onto and
CPU implements instructions to PUSH onto and
POP off the stack.
POP off the stack.
Stack Basics
Stack Basics
ļµ
A stack consists of logical stack
A stack consists of logical stack
frames that are pushed when
frames that are pushed when
calling a function and popped when
calling a function and popped when
returning.
returning. Frame pointer (FP) ā points to a
Frame pointer (FP) ā points to a
fixed location within a frame. fixed location within a frame.
ļµ
When a function is called, the
When a function is called, the
return address, stack frame pointer
return address, stack frame pointer
and the variables are pushed on
and the variables are pushed on
the stack (in that order).
the stack (in that order).
ļµ
So the return address has a higher
So the return address has a higher
address as the buffer.
address as the buffer.
ļµ
When we overflow the buffer, the
When we overflow the buffer, the
return address will be overwritten.
return address will be overwritten.
High memory
addresses
Lower memory
addresses
Another Example Code
Another Example Code
void function(int a, int b, int c) {
void function(int a, int b, int c) {
char buffer1[5];
char buffer1[5];
char buffer2[10];
char buffer2[10];
}
}
void main(){
void main(){
function(1,2,3);
function(1,2,3);
}
}
Stack layout for the example code
Stack layout for the example code
bottom of
bottom of top of
top of
memory
memory memory
memory
buffer
buffer buffer1 sfp ret a b c
buffer1 sfp ret a b c
<------ [ ][ ][ ][ ][ ][ ][ ]
<------ [ ][ ][ ][ ][ ][ ][ ]
Top of stack
Top of stack bottom of
bottom of
stack
stack
How can we place arbitrary
How can we place arbitrary
instruction into its address space?
instruction into its address space?
ļ
ļ place the code that you are trying to
place the code that you are trying to
execute in the buffer we are
execute in the buffer we are
overflowing, and overwrite the return
overflowing, and overwrite the return
address so it points back into the
address so it points back into the
buffer.
buffer.
bottom of
bottom of top of
top of
memory
memory memory
memory
DDDDDDDEEEEEEEEEEEE EEEE FFFF FFFF FFFF FFFF
DDDDDDDEEEEEEEEEEEE EEEE FFFF FFFF FFFF FFFF
89ABCDEF0123456789AB CDEF 0123 4567 89AB CDEF
89ABCDEF0123456789AB CDEF 0123 4567 89AB CDEF
buffer
buffer sfp ret a b c
sfp ret a b c
<---- [SSSSSSSSSSSSSSSSSSS] [SSSS][0xD8][0x01][0x02][0x03]
<---- [SSSSSSSSSSSSSSSSSSS] [SSSS][0xD8][0x01][0x02][0x03]
^
^
|____________________________|
|____________________________|
top of
top of bottom of
bottom of
stack
stack stack
stack
We want:
We want:
(iii) executing the attack code
Shellcode.c
Shellcode.c
#include<stdio.h>
#include<stdio.h>
void main() {
void main() {
char *name[2];
char *name[2];
name[0] = "/bin/sh";
name[0] = "/bin/sh";
name[1] = NULL;
name[1] = NULL;
execve(name[0], name, NULL);
execve(name[0], name, NULL);
}
}
Some modifications to the
Some modifications to the
shellcode:
shellcode:
We want the program to exit cleanly if the execve
We want the program to exit cleanly if the execve
syscall fails. We add exit(0); as the last line in the
syscall fails. We add exit(0); as the last line in the
code.
code.
Our list of steps:
Our list of steps:
ļµ
Have the null terminated stringHave the null terminated string
"/bin/sh" somewhere in memory.
"/bin/sh" somewhere in memory.
ļµ
Have the address of the string
Have the address of the string
"/bin/sh" somewhere in memory
"/bin/sh" somewhere in memory
followed by a null long word. followed by a null long word.
ļµ
Copy 0xb into the EAX register.Copy 0xb into the EAX register.
ļµ
Copy the address of the address ofCopy the address of the address of
the string "/bin/sh" into the EBX
the string "/bin/sh" into the EBX
register.
register.
ļµ
Copy the address of the string
Copy the address of the string
"/bin/sh" into the ECX register. "/bin/sh" into the ECX register.
ļµ
Copy the address of the null longCopy the address of the null long
word into the EDX register.
word into the EDX register.
ļµ
Execute the int $0x80 instruction.Execute the int $0x80 instruction.
ļµ
Copy 0x1 into the EAX register.Copy 0x1 into the EAX register.
ļµ
Copy 0x0 into the EBX register.Copy 0x0 into the EBX register.
ļµ
Execute the int $0x80 instruction.Execute the int $0x80 instruction.
Trying to put this together in
Trying to put this together in
Assembly language
Assembly language , we have:
, we have:
movl string_addr,string_addr_addr
movl string_addr,string_addr_addr
movb $0x0,null_byte_addr
movb $0x0,null_byte_addr
movl $0x0,null_addr
movl $0x0,null_addr
movl $0xb,%eax
movl $0xb,%eax
movl string_addr,%ebx
movl string_addr,%ebx
leal string_addr,%ecx
leal string_addr,%ecx
leal null_string,%edx
leal null_string,%edx
int $0x
int $0x
movl $0x1, %eax
movl $0x1, %eax
movl $0x0, %ebx
movl $0x0, %ebx
int $0x
int $0x
/bin/sh string goes here.
/bin/sh string goes here.
Then, place the string after
the code.
Inserting JMP and CALL instructions
Inserting JMP and CALL instructions
bottom of
bottom of top of
top of
memory
memory memory
memory
DDDDDDDEEEEEEEEEEEE EEEE FFFF FFFF FFFF FFFF
DDDDDDDEEEEEEEEEEEE EEEE FFFF FFFF FFFF FFFF
89ABCDEF0123456789AB CDEF 0123 4567 89AB CDEF
89ABCDEF0123456789AB CDEF 0123 4567 89AB CDEF
buffer
buffer sfp ret a b c
sfp ret a b c
<---[JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03] ^|^
<---[JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03] ^|^
^| |
^| |
|||_______________| |__________| (1)
|||_______________| |__________| (1)
(2)
(2) ||_______________| |
||_______________| |
|_________________| (3)
|_________________| (3)
top of stack
top of stack bottom of stack
bottom of stack
Running the shellcode
Running the shellcode
We must place the code we wish to
We must place the code we wish to
execute in the stack or data segment.
execute in the stack or data segment.
(Recall: text region of a process is
(Recall: text region of a process is
marked read-only)
marked read-only)
To do so, weāll place our code in a global
To do so, weāll place our code in a global
array in the data segment. We need hex
array in the data segment. We need hex
representation of the binary code.
representation of the binary code.