Buffer Overflow for fun and pr0fit
Brief introduction to Buffer Overflow vulnerability exploitation and protections for the 8.8 Computer Security Conference at Santiago de Chile on 18 and 19 October 2012.
  1. Buffer Overflow for fun and pr0fit. Facundo M. de la Cruz (@_tty0), fdelacruz@dc-solutions.com.ar
  2. AGENDA
     ➔ Brief introduction to the Intel x86/x86_64 architecture
     ➔ Integer overflow
     ➔ Stack based buffer overflows
     ➔ Attacking a format string
     ➔ Shellcodes: The ASM cocktail
     ➔ OS Protections
  3. NOTES. Why do I need to learn about Buffer Overflows?
     - A common cause could be: Do you want to impress your girlfriend and be cool and sexy? 1) Prepare your latest IE or Mozilla Firefox 0day. 2) Send an email containing: «Hey! Check out this amazing news talking about naked photos of Rihanna» along with a link pointing to a URL where the exploit is located. 3) Wait for him to click. 4) ???? 5) Pr0fit!
     - Secure your own software or the company software.
     - Or simply you are just curious, and it's cool :-)
  4. 1 Intel Architecture
  5. CPU operation modes
     ➔ Real mode - 20-bit segmented memory address space. - Only 1 MB of memory can be addressed. - Direct access to BIOS.
     ➔ Protected mode - Provides protected memory. - Memory paging support. - Global Descriptor Table (GDT) and Local Descriptor Table (LDT).
     ➔ Virtual 8086 mode - Hybrid operating mode for backward compatibility. - Allows real mode programs to run under Protected mode. - Only available in 32-bit CPUs.
     ➔ Long mode - 64-bit addresses: 16 EB of memory address space (16 billion GB). - 64-bit instructions and registers. - 16- and 32-bit programs are executed in a sub mode. - Extension of the 32-bit instruction set, but unlike the 16-to-32-bit transition.
  6. CPU RINGS
     ➔ Mechanisms to protect data and functionality from faults.
     ➔ Supervisor mode is a hardware-mediated flag which can be changed by code running in system-level software.
  7. CPU Registers. Internal CPU structures used to store only one word or value at a time.
     ➔ General purpose registers
     ➔ Control registers
     ➔ Offset registers
     ➔ Other registers
  8. Memory sections
  9. THE STACK
  10. System calls
  11. System calls
     ➔ Our exit program in C
     ➔ The same program in Intel x86 ASM
  12. System calls
     ➔ The same program in Intel x86 ASM. From asm/unistd_32.h
  13. System Calls
     ➔ The same program in Intel x86 ASM. Argument (exit status). From asm/unistd_32.h
  14. System calls
     ➔ The same program in Intel x86 ASM. Argument (exit status). Switch from userspace to supervisor. From asm/unistd_32.h
  15. Exploitation
  16. Integer Overflow. An arithmetic operation may produce a result larger than the maximum representable value; a potential error condition may result. In the ISO C99 standard, signed integer overflow causes undefined behavior.
  17. Pacman Kill screen. The game's level counter was a single 8-bit byte and could therefore store only 256 distinct values (0–255). Reaching the 256th level causes an integer overflow in the counter...
  18. Integer Overflow
     ➔ From /usr/include/limits.h
     ➔ Our own example
  19. Integer Overflow
     ➔ From /usr/include/limits.h: 0x7fffffff
     ➔ Our own example
  20. Integer Overflow
     ➔ From /usr/include/limits.h: 0x7fffffff
     ➔ Our own example: 0x7fffffff + 0x1
  21. Integer Overflow
     ➔ From /usr/include/limits.h: 0x7fffffff
     ➔ Our own example: 0x7fffffff + 0x1 = 0x80000000
  22. Demo time...
  23. Integer Overflow. This is INT_MAX + 1
  24. Integer Overflow. Our format string: %d\n. This is INT_MAX + 1
  25. Integer Overflow. Our format string: %d\n. This is INT_MAX + 1. We call <printf@plt>
  26. Every time you make an overflow, God kills a kitten.
  27. Stack overflow
  28. Stack overflow
  29. Stack overflow
  30. Stack overflow
  31. Stack overflow
  32. Stack overflow
  33. Demo time...
  34. Format Strings. Format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf().
  35. Format Strings. Format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf(). Missing format string.
  36. Adjacent Memory corruption
  37. Adjacent Memory corruption: strncpy(vuln_array, argv[1], sizeof(vuln_array) - 1);
  38. Demo time...
  39. Protections
  40. NX STACK. An operating system with support for the NX bit may mark certain areas of memory as Non eXecutable. The CPU will refuse to execute any code residing in these areas of memory. Intel markets the feature as the XD bit, for eXecute Disable. AMD uses the name Enhanced Virus Protection.
  41. NX STACK. An operating system with support for the NX bit may mark certain areas of memory as Non eXecutable. The CPU will refuse to execute any code residing in these areas of memory. Intel markets the feature as the XD bit, for eXecute Disable. AMD uses the name Enhanced Virus Protection. Non-executable stack CPU flag present.
  42. W^X Memory. W^X (write XOR eXecute) is an OpenBSD security feature; it is a memory protection policy whereby every page in a process address space is either writable or executable, but not both simultaneously. W^X first appeared in OpenBSD 3.3, released May 2003. Similar features are available for other operating systems, including the PaX and Exec Shield patches for Linux, and NetBSD 4+'s implementation of PaX.
  43. ASLR. ASLR (Address Space Layout Randomization) involves randomly arranging the position of key data areas in a process's address space, usually including the base of the executable and the position of libraries, heap and stack. It is more effective when more entropy is present in the random offset. Linux enables it by default since kernel version 2.6.12.
  44. AAAS. AAAS (ASCII Armored Address Space) loads the shared libraries at memory addresses that start with NULL bytes (0x00).
  45. AAAS. AAAS (ASCII Armored Address Space) loads the shared libraries at memory addresses that start with NULL bytes (0x00). Start with nulls (0x00).
  46. Cookies. The cookie is a 32-bit or 64-bit value inserted between the buffer and sensitive data (0x00007fff3a115000 for example). Whenever the canary is modified, the program jumps into an execution handler, usually causing it to crash.
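The INT_MAX + 1 case of slides 19-25 and the 8-bit Pac-Man counter of slide 17, as an added example that is not part of the deck: unsigned arithmetic wraps by definition, signed overflow is undefined in C99, so the safe pattern is to check the operands before adding. Function names are my own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unsigned arithmetic wraps modulo 2^32 by definition, so
 * 0x7fffffff + 0x1 yields 0x80000000 with no undefined behaviour. */
uint32_t wrap_add_u32(uint32_t a, uint32_t b) {
    return a + b;
}

/* The Pac-Man level counter: a single byte holding 255 wraps to 0. */
uint8_t next_level(uint8_t level) {
    return (uint8_t)(level + 1);
}

/* Signed overflow is undefined in C99, so the check must happen on the
 * operands BEFORE the addition, never on the result afterwards.
 * Returns false and leaves *out untouched when a + b would not fit. */
bool checked_add_int(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

int main(void) {
    int r;
    printf("0x7fffffff + 0x1 (unsigned) = 0x%08x\n",
           wrap_add_u32(0x7fffffffu, 0x1u));
    printf("level 255 + 1 (uint8_t)     = %u\n", next_level(255));
    if (!checked_add_int(INT_MAX, 1, &r))
        printf("INT_MAX + 1 rejected: would overflow a signed int\n");
    if (checked_add_int(INT_MAX - 1, 1, &r))
        printf("(INT_MAX - 1) + 1 = %d\n", r);
    return 0;
}
```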
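The cookie of slide 46 catching an over-long copy into the buffer next to it (the adjacent-memory theme of slides 36-37), as an added example that is not from the deck: the frame is modelled as one byte array so that the copy stays inside a single object and the demo is well-defined C. The layout (16-byte buffer, 8-byte cookie, then protected data) and the cookie value are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    16
#define CANARY_SIZE 8
#define FRAME_SIZE  32   /* buf[16] | canary[8] | protected data[8] */

/* Constructed cookie. The leading 0x00 byte is the same trick as the
 * AAAS slides: a C string copy stops at the first NUL it meets. */
static const uint8_t CANARY[CANARY_SIZE] =
    {0x00, 0x4a, 0x9d, 0x13, 0xe7, 0x21, 0x8c, 0x55};

/* Prologue: zero the frame and place the cookie right after the buffer. */
void frame_init(uint8_t *frame) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + BUF_SIZE, CANARY, CANARY_SIZE);
}

/* Unchecked copy into the buffer: n bytes land wherever they fall,
 * clipped to the model frame so the demo never leaves the array. */
void copy_input(uint8_t *frame, const char *input, size_t n) {
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(frame, input, n);
}

/* Epilogue: any change to the cookie means the buffer was overrun. */
bool canary_intact(const uint8_t *frame) {
    return memcmp(frame + BUF_SIZE, CANARY, CANARY_SIZE) == 0;
}

int main(void) {
    uint8_t frame[FRAME_SIZE];
    const char *ok = "hello";                       /* constructed, 5 bytes */
    const char *overlong = "AAAAAAAAAAAAAAAAAAAA";  /* constructed, 20 bytes */

    frame_init(frame);
    copy_input(frame, ok, strlen(ok));
    printf("5-byte input:  canary %s\n", canary_intact(frame) ? "intact" : "CORRUPTED");

    frame_init(frame);
    copy_input(frame, overlong, strlen(overlong));
    printf("20-byte input: canary %s\n", canary_intact(frame) ? "intact" : "CORRUPTED");
    return 0;
}
```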