Buffer Overflows. Security 2011

Similar documents
Software Vulnerabilities

Stack Overflows. Mitchell Adair

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Off-by-One exploitation tutorial

Assembly Language: Function Calls" Jennifer Rexford!

Systems Design & Programming Data Movement Instructions. Intel Assembly

Return-oriented programming without returns

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

64-Bit NASM Notes. Invoking 64-Bit NASM

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

For a 64-bit system. I - Presentation Of The Shellcode

An introduction to the Return Oriented Programming. Why and How

Overview of IA-32 assembly programming. Lars Ailo Bongo University of Tromsø

CS61: Systems Programing and Machine Organization

1. General function and functionality of the malware

Attacking x86 Windows Binaries by Jump Oriented Programming

esrever gnireenigne tfosorcim seiranib

CHAPTER 6 TASK MANAGEMENT

Intel 8086 architecture

Practical taint analysis for protecting buggy binaries

Software Fingerprinting for Automated Malicious Code Analysis

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

MSc Computer Science Dissertation

A Tiny Guide to Programming in 32-bit x86 Assembly Language

How Compilers Work. by Walter Bright. Digital Mars

TODAY, FEW PROGRAMMERS USE ASSEMBLY LANGUAGE. Higher-level languages such

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

Instruction Set Architecture

Reversing C++ Paul Vincent Sabanal. Mark Vincent Yason

Hacking the Preboot execution Environment

W4118 Operating Systems. Junfeng Yang

Computer Organization and Architecture

Test Driven Development in Assembler a little story about growing software from nothing

Application-Specific Attacks: Leveraging the ActionScript Virtual Machine

Introduction. Figure 1 Schema of DarunGrim2

Understanding a Simple Operating System

Assembly Language Tutorial

About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer

Dynamic Behavior Analysis Using Binary Instrumentation

Advanced IBM AIX Heap Exploitation. Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com

MPLAB TM C30 Managed PSV Pointers. Beta support included with MPLAB C30 V3.00

x64 Cheat Sheet Fall 2015

X86-64 Architecture Guide

Faculty of Engineering Student Number:

Computer Architectures

PC Assembly Language. Paul A. Carter

Lecture 27 C and Assembly

Phoenix Technologies Ltd.

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

Hotpatching and the Rise of Third-Party Patches

Analysis of Win32.Scream

Under The Hood: The System Call

Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES

An Analysis of Address Space Layout Randomization on Windows Vista

Machine-Level Programming II: Arithmetic & Control

Introduction to Intel x86 Assembly, Architecture, Applications, & Alliteration

WLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (

High-speed image processing algorithms using MMX hardware

Abysssec Research. 1) Advisory information. 2) Vulnerable version

How To Hack The Steam Voip On Pc Orchesterian Moonstone 2.5 (Windows) On Pc/Robert Kruber (Windows 2) On Linux (Windows 3.5) On A Pc

ECS 165B: Database System Implementa6on Lecture 2

Title: Bugger The Debugger - Pre Interaction Debugger Code Execution

Fighting malware on your own

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

There s a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research

OpenBSD Remote Exploit

Removing Sentinel SuperPro dongle from Applications and details on dongle way of cracking Shub-Nigurrath of ARTeam Version 1.

Introduction to Reverse Engineering

Computer Organization and Components

Machine Programming II: Instruc8ons

Computer Organization and Assembly Language

Bypassing Windows Hardware-enforced Data Execution Prevention

CPU performance monitoring using the Time-Stamp Counter register

SYMANTEC ADVANCED THREAT RESEARCH. An Analysis of Address Space Layout Randomization on Windows Vista

Using fuzzing to detect security vulnerabilities

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Violating Database - Enforced Security Mechanisms

Lecture 21: Buffer Overflow Attack. Lecture Notes on Computer and Network Security. by Avi Kak

Intel Assembler. Project administration. Non-standard project. Project administration: Repository

Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc()

Unpacked BCD Arithmetic. BCD (ASCII) Arithmetic. Where and Why is BCD used? From the SQL Server Manual. Packed BCD, ASCII, Unpacked BCD

Andreas Herrmann. AMD Operating System Research Center

Administration. Instruction scheduling. Modern processors. Examples. Simplified architecture model. CS 412 Introduction to Compilers

Chapter 1. Bootstrap. Hardware

Leak Check Version 2.1 for Linux TM

Betriebssysteme KU Security

Embedded x86 Programming: Protected Mode

Automated Repair of Binary and Assembly Programs for Cooperating Embedded Devices

5. Calling conventions for different C++ compilers and operating systems

Transcription:

Buffer Overflows Security 2011

Memory Organiza;on Topics Kernel organizes memory in pages Typically 4k bytes Processes operate in a Virtual Memory Space Mapped to real 4k pages Could live in RAM or be swapped Kernel splits program in several segments Increases security segment based permissions Increases performance some are dynamic: invalidated when program terminates some are sta;c: can be ained, speed repeated startup

0xfffffff Stack grows top->bottom Stack Segment (SS) Shared Libraries Heap grows bottom->top malloc(sizeof(int)) BSS Unitialized global variables (char a[5]) Data Segment (DS) Data Constant variables (const int i = 0) Code Program Code Code Segment (CS) 0x00000000

CPU Registers (x86) General Purpose: EAX, EBX, ECX, EDX A: 8bits, AX: 16bits, EAX: 32bits, RAX: 64bits : Base Pointer EIP: Instruc;on Pointer ESI: Stack Index EDI: Data Index

Stack Segment Stack is used to pass parameters to func;ons Ex: foo(int a) Stack is used to store local variables Ex: int a; Values are PUSHed or POPed from stack Ex: push ebp, pop ebp points to start of stack Ex: Accessing a variable: ebp+4 ESP points to end of stack Ex: alloca;ng 4 bytes in stack: sub esp,4

mem.c Internal Variables (Page = 4096) &argc = bfeb8590 -> stack = bfeb8000 malloc = 08435008 -> heap = 08435000 bssvar = 0804a034 -> bss = 0804a000 cntvar = 08048920 -> const = 08048000 &main = 0804865c -> text = 08048000

mem.c Content of /proc/self/maps 08048000-08049000 r-xp 00000000 08:01 26845750 /home/s/seguranca/mem 08049000-0804a000 r--p 00000000 08:01 26845750 /home/s/seguranca/mem 0804a000-0804b000 rw-p 00001000 08:01 26845750 /home/s/mem 08435000-08456000 rw-p 00000000 00:00 0 [heap] b7616000-b7617000 rw-p 00000000 00:00 0 b7617000-b776a000 r-xp 00000000 08:01 1574823 /lib/tls/i686/cmov/libc-2.11.1.so b776a000-b776b000 ---p 00153000 08:01 1574823 b776b000-b776d000 r--p 00153000 08:01 1574823 b776d000-b776e000 rw-p 00155000 08:01 1574823 b776e000-b7771000 rw-p 00000000 00:00 0 b777e000-b7782000 rw-p 00000000 00:00 0 b7782000-b7783000 r-xp 00000000 00:00 0 b7783000-b779e000 r-xp 00000000 08:01 1565567 b779e000-b779f000 r--p 0001a000 08:01 1565567 b779f000-b77a0000 rw-p 0001b000 08:01 1565567 bfe99000-bfeba000 rw-p 00000000 00:00 0 /lib/tls/i686/cmov/libc-2.11.1.so /lib/tls/i686/cmov/libc-2.11.1.so /lib/tls/i686/cmov/libc-2.11.1.so [vdso] /lib/ld-2.11.1.so /lib/ld-2.11.1.so /lib/ld-2.11.1.so [stack]

mem.c Stack evolution: foo [000]: &argc = bfeb8140 -> stack = bfeb8000 foo [001]: &argc = bfdb8110 -> stack = bfdb8000 foo [002]: &argc = bfcb80e0 -> stack = bfcb8000 foo [003]: &argc = bfbb80b0 -> stack = bfbb8000 foo [004]: &argc = bfab8080 -> stack = bfab8000 foo [005]: &argc = bf9b8050 -> stack = bf9b8000 foo [006]: &argc = bf8b8020 -> stack = bf8b8000 foo [007]: &argc = bf7b7ff0 -> stack = bf7b7000 foo [008]: &argc = bf6b7fc0 -> stack = bf6b7000 Segmentation fault

stack.c 0xfffffff main int foo(int bar) { urn 3; } int main(int argc, char** argv) { foo(argc); } urn 0; foo

stack.c main foo foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

stack.c ESP ESP Return EIP foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

stack.c ESP, Return EIP foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

stack.c ESP, ESP Return EIP foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

stack.c ESP Return EIP EAX (+8, ARGC) foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

stack.c ESP ESP Return EIP EAX (+8, ARGC) Return EIP to main Return EIP to main foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

stack.c ESP Return EIP EAX (+8, ARGC) Return EIP to main Return EIP to main foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

stack.c ESP, Return EIP EAX (+8, ARGC) Return EIP to main Return EIP to main foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

stack.c ESP Return EIP EAX (+8, ARGC) Return EIP to main Return EIP to main foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

ESP Return EIP EAX (+8, ARGC) Return EIP to main Return EIP to main foo: mov eax, 3 pop ebp main: sub esp, 4 mov eax, DWORD PTR [ebp+8] mov DWORD PTR [esp], eax call foo mov eax, 0 leave

Buffer Overflow Write over the boundaries of a buffer Consequences Write over other variables in local func;on Write over Return EIP Jump to any address on urn! Put code in stack and jump to stack Execute injected code

bo.c.lc0:.string "%s".text foo: sub esp, 40 mov eax, OFFSET FLAT:.LC0 lea edx, [ebp-12] mov DWORD PTR [esp+4], edx mov DWORD PTR [esp], eax call isoc99_scanf Leave int foo(int bar) { char a[4]; scanf("%s",a); }

bo.c.lc0:.string "%s".text foo: sub esp, 40 mov eax, OFFSET FLAT:.LC0 lea edx, [ebp-12] mov DWORD PTR [esp+4], edx mov DWORD PTR [esp], eax call isoc99_scanf Leave Parameters to scanf Return EIP to main empty empty empty a (4 bytes) empty empty empty empty address a address %s Return EIP to foo ESP

Buffer Overflow Write inside a Write inside a Write outside a Write over stored

Reference Moodle- >Contents- >Buffer Overflow stack.c, bo.c, mem.c GDB refcard Intel ASM Code Table

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information