Professional Documents
Culture Documents
W1 BufferOverflows
W1 BufferOverflows
Binary Exploitation 1
Chester Rebeiro
expected flow
of a program
2
Parts of Malware
• Two parts Malware takes complete
control of the process. Has all
Subvert execution:
the privileges that the process
change the normal execution behavior of the program
has
Payload:
the code which the attacker wants to execute
Execute
payload
Subvert execution
expected flow
of a program
3
Subvert Execution
• In system software
– Buffers overflows and overreads
– Heap: double free, use after free
– Integer overflows
– Format string
– Control Flow
4
Buffer Overflows in the Stack
• We need to first know how a stack is managed
http://insecure.org/stf/smashstack.html 5
Stack in a Program
(when function is executing)
In main In !nc"on
Put 3 in stack push %ebp
Put 2 in stack mov %esp, %ebp %ebp: Frame Pointer
sub $0x10, %esp %esp : Stack Pointer
Put 1 in stack
call function
7
Stack Usage (example)
Stack (top to bottom):
address stored data
1000 to 997 3
996 to 993 2
992 to 989 1
Parameters
for function 988 to 985 return address
996 to 993 2
992 to 989 1
Legal range of buffer2 is from 975 to 966 988 to 985 return address
10
Big Picture of the exploit
(execute an arbitrary payload)
Fill the stack as follows
BA
(where BA is buffer address) BA
Parameters BA
for function BA
BA
Return Address
BA
frame pointer prev frame pointer
BA
buffer BA
stack pointer Exploit code BA
buffer Address
11
Payload
• Lets say the attacker wants to spawn a shell
• ie. do as follows:
Defined on stack
O
O
O
O
o
Can cause buffer to
overflow
14
Step 3 :
Put Machine Code in Large String
large_string
shellcode
15
Step 3 (contd) :
Fill up Large String with BA
Address of buffer is BA
large_string
shellcode BA BA BA BA BA BA BA BA
16
Final state of Stack BA
BA
• Copy large string into buffer BA
BA
BA
BA
• When strcpy returns the BA
BA
exploit code would be executed buffer
shellcode
large_string
shellcode BA BA BA BA BA BA BA BA BA
BA buffer Address
17
Putting it all together
bash$ ./a.out
$ shell created
19
CODERED Worm
• Targeted a bug in Microsoft s IIS web
server
• CODERED s string
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090
%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u909
0%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00
=a HTTP/1.0
20
Some Defense Mechanisms
already Incorporated
23
Points to Ponder
WHY?
• objdump –disassemble-all shellcode.o
• Get machine code : eb 1e 5e 89 76 08 c6
46 07 00 c7 46 0c 00 00 00 00 b8 0b 00 00
00 89 f3 8d 4e 08 8d 56 0c cd 80 cd 80
• If there are 00s replace it with other
instructions
24