Buffer Overflow for fun and pr0fit
Brief introduction to Buffer Overflow vulnerability exploitation and protections for the 8.8 Computer Security Conference at Santiago de Chile on 18 and 19 October 2012.

    Presentation Transcript

    • Buffer Overflow for fun and pr0fit. Facundo M. de la Cruz (@_tty0), fdelacruz@dc-solutions.com.ar
    • AGENDA
      ➔ Brief introduction to the Intel x86/x86_64 architecture
      ➔ Integer overflow
      ➔ Stack-based buffer overflows
      ➔ Attacking a format string
      ➔ Shellcodes: the ASM cocktail
      ➔ OS protections
    • NOTES
      Why do I need to learn about buffer overflows?
      - A common cause could be: do you want to impress your girlfriend and be cool and sexy?
        1) Prepare your latest IE or Mozilla Firefox 0day.
        2) Send an email containing «Hey! Check out this amazing news about naked photos of Rihanna» alongside a link pointing to the URL where the exploit is located.
        3) Wait for him to click.
        4) ????
        5) Pr0fit!
      - Secure your own software or the company's software.
      - Or you are simply curious, and it's cool :-)
    • 1 Intel Architecture
    • CPU operation modes
      ➔ Real mode
        - 20-bit segmented memory address space.
        - Only 1 MB of memory can be addressed.
        - Direct access to the BIOS.
      ➔ Protected mode
        - Provides memory protection.
        - Memory paging support.
        - Global Descriptor Table (GDT) and Local Descriptor Table (LDT).
      ➔ Virtual 8086 mode
        - Hybrid operating mode for backward compatibility.
        - Allows real-mode programs to run under protected mode.
        - Only available from 32-bit protected mode, not from long mode.
      ➔ Long mode
        - 64-bit addresses: 16 EB of address space (about 16 billion GB).
        - 64-bit instructions and registers.
        - 16- and 32-bit programs are executed in a compatibility sub-mode.
        - Extension of the 32-bit instruction set, but unlike the 16-to-32-bit transition
    • CPU rings
      ➔ A mechanism to protect data and functionality from faults and from less-privileged code.
      ➔ Supervisor mode (ring 0) is a hardware-mediated flag that can only be changed by code running in system-level software.
    • CPU registers
      Internal CPU structures that store a single word or value at a time.
      ➔ General purpose registers
      ➔ Control registers
      ➔ Offset registers
      ➔ Other registers
    • Memory sections
    • THE STACK
    • System calls
      ➔ Our exit program in C
      ➔ The same program in Intel x86 ASM: the system call number comes from asm/unistd_32.h, the argument is the exit status, and the final instruction switches from userspace to supervisor mode.
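The three pieces the ASM slide annotates (call number, argument, the instruction that traps into the kernel) written out in C with inline assembly. This is an added example, not code from the slides: it assumes Linux, covers the x86_64 (`syscall`) and i386 (`int $0x80`) calling conventions and falls back to libc's `syscall()` wrapper elsewhere. `raw_getpid` is included only so the mechanism can be observed without terminating the process; `raw_exit` is the slide's program.

```c
/* Added example (not from the slides): the exit system call made by hand, the
 * way the deck's x86 ASM version does it, next to a libc-free getpid so the
 * mechanism can be observed without terminating the process.
 * Assumption: Linux. Inline asm for x86_64 and i386; other architectures fall
 * back to libc's syscall() wrapper. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>   /* SYS_exit, SYS_getpid: the numbers from asm/unistd_*.h */

/* One-argument system call without libc. Three things happen, exactly as on
 * the ASM slide: the call number goes into the accumulator, the argument into
 * the first argument register, and a single instruction switches from
 * userspace (ring 3) to the kernel (ring 0). */
long raw_syscall1(long nr, long arg1)
{
    long ret;
#if defined(__x86_64__)
    /* x86_64 ABI: number in rax, first argument in rdi, "syscall" traps.
     * The kernel clobbers rcx and r11. */
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(arg1)
                      : "rcx", "r11", "memory");
#elif defined(__i386__)
    /* i386 ABI (asm/unistd_32.h numbering): number in eax, first argument in
     * ebx, "int $0x80" traps. */
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"(nr), "b"(arg1)
                      : "memory");
#else
    ret = syscall(nr, arg1);   /* portable fallback, still one trap */
#endif
    return ret;
}

/* getpid through the raw path; returns what libc's getpid() returns. */
long raw_getpid(void)
{
    return raw_syscall1(SYS_getpid, 0);
}

/* The slide's program: exit(status) through the raw path. SYS_exit is 1 in
 * asm/unistd_32.h and 60 on x86_64; the header picks the right one. */
void raw_exit(int status)
{
    raw_syscall1(SYS_exit, status);
    /* not reached: the kernel never returns from exit */
}

int main(void)
{
    printf("raw getpid = %ld, libc getpid = %ld\n", raw_getpid(), (long)getpid());
    raw_exit(0);
    return 1;   /* never reached */
}
```

Build with `gcc -O2 -o rawexit rawexit.c` and check `echo $?` after running it; `strace ./rawexit` shows `getpid()` and `exit(0)` as the only two system calls.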
    • Exploitation
    • Integer Overflow
      When an arithmetic operation produces a result larger than the maximum representable value, an error condition may result. In the ISO C99 standard, signed integer overflow causes undefined behavior.
    • Pacman kill screen
      The game's level counter was a single 8-bit byte and could therefore store only 256 distinct values (0–255). Reaching the 256th level causes an integer overflow in the counter...
    • Integer Overflow
      ➔ From /usr/include/limits.h: INT_MAX is 0x7fffffff
      ➔ Our own example: 0x7fffffff + 0x1 = 0x80000000
    • Demo time...
    • Integer Overflow (demo): the value printed is INT_MAX + 1; our format string is "%d\n"; we call <printf@plt>.
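The demo's INT_MAX + 1 wrap, and the checks that keep such a wrap from becoming an undersized allocation (the way an integer overflow usually turns into a buffer overflow). This is an added example, not the deck's demo code; function names and inputs are made up for illustration, and it assumes GCC or Clang for the `__builtin_*_overflow` intrinsics.

```c
/* Added example (not from the slides): the INT_MAX + 1 wrap from the demo and
 * the checks a practitioner adds so that an overflow cannot turn into an
 * undersized allocation. Names and inputs are made up for illustration.
 * Assumption: GCC or Clang, for the __builtin_*_overflow intrinsics. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The value the demo prints. Computed in unsigned arithmetic, where
 * wraparound is defined, INT_MAX + 1 is 0x80000000. Doing the same on a
 * signed int is undefined behaviour in C99: the demo's output is whatever
 * the compiler happened to emit, not something to rely on. */
uint32_t int_max_plus_one_bits(void)
{
    return (uint32_t)INT_MAX + 1u;   /* 0x80000000 */
}

/* Signed addition that reports overflow instead of invoking UB.
 * Returns false (and leaves *out unspecified) when a + b does not fit. */
bool checked_add(int a, int b, int *out)
{
    return !__builtin_add_overflow(a, b, out);
}

/* The security-relevant case: count * elem_size for an allocation. If the
 * product wraps, malloc() hands back a small buffer and every later write to
 * element[i] is a heap overflow. Returns NULL when the size would wrap. */
void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes;
    if (__builtin_mul_overflow(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* How the wrap looks from the attacker's side on a 32-bit size_t: a count of
 * 0x40000001 four-byte elements multiplies to exactly 4 bytes. Done in
 * uint32_t so the result is the same on any host. */
uint32_t wrapped_alloc_size_32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* unsigned wrap is defined, and still wrong */
}

int main(void)
{
    int sum;
    printf("INT_MAX + 1 as bits: 0x%08x\n", int_max_plus_one_bits());
    printf("checked_add(INT_MAX, 1): %s\n",
           checked_add(INT_MAX, 1, &sum) ? "ok" : "overflow rejected");
    printf("0x40000001 * 4 on 32-bit size_t: %u bytes\n",
           wrapped_alloc_size_32(0x40000001u, 4u));
    printf("alloc_array(SIZE_MAX, 2): %s\n",
           alloc_array(SIZE_MAX, 2) ? "allocated (bug)" : "rejected");
    return 0;
}
```

`-ftrapv` or `-fsanitize=signed-integer-overflow` makes the signed case abort at runtime, which is the quickest way to find the spots where `checked_add`-style code is missing.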
    • Every time you make an overflow, God kills a kitten.
    • Stack overflow
    • Demo time...
    • Format Strings
      Format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf().
      ➔ Missing format string: the user input is passed where the format string should be.
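The "missing format string" bug beside its hardened form, with the output captured through snprintf so the difference can be inspected. This is an added example, not the deck's demo; the function names and the sample input are made up. The `count_conversions` helper shows what the vulnerable call would interpret in a given input, which is also a usable detection rule for data that must never reach a format parameter.

```c
/* Added example (not from the slides): the vulnerable call the slide
 * describes ("missing format string") beside its hardened form, plus a helper
 * that counts what the vulnerable call would interpret. Names and the sample
 * input are made up for illustration. */
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the user's input IS the format string. Every '%' in it is
 * parsed by the printf engine: %x reads values off the stack, %s
 * dereferences them, %n writes to them. snprintf into a buffer is used here
 * instead of printf so the effect can be inspected; the bug is identical. */
int log_user_vuln(char *out, size_t out_len, const char *user)
{
    return snprintf(out, out_len, user);   /* -Wformat-security warns here */
}

/* HARDENED: the format string is a constant and the input is only ever an
 * argument. A '%' in user data is copied, never interpreted. */
int log_user_safe(char *out, size_t out_len, const char *user)
{
    return snprintf(out, out_len, "%s", user);
}

/* Number of conversions an untrusted string would trigger if it were used
 * as a format: each '%' that is not part of "%%" starts one. */
size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *harmless = "50%% done";            /* constructed sample input */
    const char *probe    = "AAAA%x%x%x%n";         /* constructed attacker input */

    log_user_vuln(buf, sizeof buf, harmless);      /* "50% done": the %% was parsed */
    printf("vulnerable: %s\n", buf);
    log_user_safe(buf, sizeof buf, harmless);      /* "50%% done": copied verbatim */
    printf("hardened:   %s\n", buf);
    printf("\"%s\" would trigger %zu conversions\n", probe, count_conversions(probe));
    /* log_user_vuln(buf, sizeof buf, probe) would read three stack words
     * and then write through a fourth: deliberately not executed here. */
    return 0;
}
```

Compile with `-Wformat -Wformat-security`; the vulnerable function is flagged at build time, which is the cheapest place to catch this class.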
    • Adjacent memory corruption
      strncpy(vuln_array, argv[1], sizeof(vuln_array) - 1);
      strncpy copies at most sizeof(vuln_array) - 1 bytes and leaves the last byte of the array, and therefore the terminator, to the caller.
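Why the slide's `strncpy(..., sizeof(vuln_array) - 1)` is not enough, and the two usual fixes, laid out on a struct so the "adjacent memory" is at a known place. This is an added example, not the deck's demo code; the struct, field names and inputs are made up for illustration.

```c
/* Added example (not from the slides): why
 * strncpy(vuln_array, argv[1], sizeof(vuln_array) - 1) is not enough, and
 * the two usual fixes. The struct, field names and inputs are made up so
 * that the adjacent memory is at a known place. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct record {
    char vuln_array[8];   /* the buffer from the slide */
    char secret[16];      /* whatever happens to sit right after it */
};

/* true if buf contains a NUL somewhere inside its own bounds */
bool is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* VULNERABLE: strncpy copies at most n bytes and only writes a NUL if the
 * source is shorter than n. With n = sizeof - 1 the last byte of the array
 * is never touched, so for long input the array has no terminator at all:
 * strlen/puts/strcat on it run straight into the adjacent field, leaking it
 * (on read) or writing past it (strcat). */
void fill_vuln(struct record *r, const char *src)
{
    strncpy(r->vuln_array, src, sizeof(r->vuln_array) - 1);
}

/* FIX 1: the same strncpy plus explicit termination of the byte it leaves. */
void fill_fixed_strncpy(struct record *r, const char *src)
{
    strncpy(r->vuln_array, src, sizeof(r->vuln_array) - 1);
    r->vuln_array[sizeof(r->vuln_array) - 1] = '\0';
}

/* FIX 2: snprintf always terminates (for a non-zero size) and truncates. */
void fill_fixed_snprintf(struct record *r, const char *src)
{
    snprintf(r->vuln_array, sizeof(r->vuln_array), "%s", src);
}

/* A record whose buffer is full of old data, as an uninitialised stack
 * variable typically is. Constructed for the demo. */
struct record dirty_record(void)
{
    struct record r;
    memset(r.vuln_array, 'X', sizeof(r.vuln_array));
    strcpy(r.secret, "hunter2");
    return r;
}

int main(void)
{
    const char *input = "AAAAAAAAAAAAAAAA";   /* constructed: longer than vuln_array */
    struct record r = dirty_record();

    fill_vuln(&r, input);
    printf("vulnerable: terminated=%d\n",
           is_terminated(r.vuln_array, sizeof r.vuln_array));
    /* printf("%s", r.vuln_array) here would keep reading into r.secret */

    r = dirty_record();
    fill_fixed_snprintf(&r, input);
    printf("fixed:      terminated=%d value=%s\n",
           is_terminated(r.vuln_array, sizeof r.vuln_array), r.vuln_array);
    return 0;
}
```

Recent GCC flags the first form with `-Wstringop-truncation`; treat that warning as a bug report, not noise.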
    • Demo time...
    • Protections
    • NX stack
      An operating system with support for the NX bit may mark certain areas of memory as non-executable; the CPU will refuse to execute any code residing in those areas. Intel markets the feature as the XD bit (eXecute Disable); AMD uses the name Enhanced Virus Protection.
      ➔ The CPU flag for the non-executable stack is present.
    • W^X memory
      W^X (write XOR execute) is an OpenBSD security feature: a memory-protection policy whereby every page in a process's address space is either writable or executable, but not both at the same time. W^X first appeared in OpenBSD 3.3, released in May 2003. Similar features are available for other operating systems, including the PaX and Exec Shield patches for Linux and NetBSD 4+'s implementation of PaX.
    • ASLR
      ASLR (Address Space Layout Randomization) randomly arranges the positions of key data areas in a process's address space, usually including the base of the executable and the positions of the libraries, heap and stack. It is more effective the more entropy is present in the random offsets. Linux has enabled it by default since kernel 2.6.12.
    • AAAS
      AAAS (ASCII Armored Address Space) loads the shared libraries at memory addresses that start with NULL bytes (0x00), so such an address cannot be delivered intact through a string-based overflow.
      ➔ The library addresses start with nulls (0x00).
    • Cookies
      The cookie (canary) is a 32-bit or 64-bit value inserted between the buffer and the sensitive data (0x00007fff3a115000, for example). Whenever the canary has been modified by the time the function returns, the program jumps into a handler that usually aborts it.
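The cookie mechanism modelled in plain C on a known layout, so both the stack-overflow demo earlier in the deck and this slide can be watched in one place: the buffer sits below the cookie, the cookie below the saved return address, and an overflow writing upward from the buffer must cross the cookie to reach the return address. This is an added example, not the deck's demo code: the compiler's `-fstack-protector` does this in the function prologue and epilogue; the struct, the `DEMO_COOKIE` constant, the pretend return address and the inputs are all made up for the demo.

```c
/* Added example (not from the slides): a stack cookie modelled in plain C so
 * the mechanism from the stack-overflow demo and the Cookies slide can be
 * watched on a known layout. -fstack-protector does this in the prologue and
 * epilogue; the struct, constants and inputs here are made up for the demo. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The layout -fstack-protector produces: local buffers below the cookie,
 * the cookie below the saved frame pointer and return address. */
struct frame {
    char     buf[16];     /* the vulnerable local buffer */
    uint64_t cookie;      /* canary, between the buffer and the control data */
    uint64_t saved_ret;   /* stands in for the saved return address */
};

/* Stand-in for the per-process random cookie (glibc keeps it in TLS). Its
 * lowest byte is zero: on a little-endian CPU that byte lands first in
 * memory, so a str* read of buf stops there and a str* write cannot
 * reproduce the cookie. Fixed here so the demo is deterministic. */
#define DEMO_COOKIE   0xc0ffee1ceb0a7d00ULL
#define DEMO_RET_ADDR 0x400500ULL   /* pretend return address */

/* Prologue: store the cookie. */
void frame_enter(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = DEMO_COOKIE;
    f->saved_ret = DEMO_RET_ADDR;
}

/* The bug: an unbounded copy into buf, the slide's strcpy-style overflow,
 * done as a memcpy of len bytes so the write length is explicit.
 * buf is the first member, so the write starts at &f->buf. */
void vulnerable_copy(struct frame *f, const unsigned char *src, size_t len)
{
    memcpy((unsigned char *)f, src, len);   /* no bounds check */
}

/* Epilogue: true if the cookie is intact and it is safe to return; the real
 * code calls __stack_chk_fail() instead of returning false. */
bool frame_leave(const struct frame *f)
{
    return f->cookie == DEMO_COOKIE;
}

/* Push one input through the frame. Returns true if the cookie tripped;
 * *ret_corrupted reports whether the saved return address was reached. */
bool run_input(const unsigned char *src, size_t len, bool *ret_corrupted)
{
    struct frame f;
    frame_enter(&f);
    vulnerable_copy(&f, src, len);
    *ret_corrupted = f.saved_ret != DEMO_RET_ADDR;
    return !frame_leave(&f);
}

/* What an attacker who has leaked the cookie sends: 16 bytes of filler, the
 * cookie itself, then the address to return to. 32 bytes = sizeof(struct frame). */
void craft_payload(unsigned char out[32], uint64_t cookie, uint64_t ret)
{
    memset(out, 'A', 16);
    memcpy(out + 16, &cookie, sizeof cookie);
    memcpy(out + 24, &ret, sizeof ret);
}

int main(void)
{
    unsigned char smash[32], crafted[32];
    bool corrupted;

    memset(smash, 'A', sizeof smash);                  /* constructed: blind overflow */
    printf("24 x 'A': tripped=%d ret_corrupted=%d\n",
           run_input(smash, 24, &corrupted), corrupted);
    printf("32 x 'A': tripped=%d ret_corrupted=%d\n",
           run_input(smash, 32, &corrupted), corrupted);

    craft_payload(crafted, DEMO_COOKIE, 0xdeadbeefULL);/* constructed: cookie known */
    printf("crafted:  tripped=%d ret_corrupted=%d\n",
           run_input(crafted, 32, &corrupted), corrupted);
    return 0;
}
```

The last case is the point of the design: the cookie stops a blind overflow but not one by an attacker who has leaked it first (a format string bug, for instance, reads it off the stack), which is why it is random per process and why reading it out is the usual first step.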