Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

CNIT 127: Ch 2: Stack overflows on Linux


Published on

Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.

Instructor: Sam Bowne

Class website:

Published in: Education
  • Did u try to use external powers for studying? Like ⇒ ⇐ ? They helped me a lot once.
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

CNIT 127: Ch 2: Stack overflows on Linux

  1. 1. CNIT 127: Exploit Development
 Ch 2: Stack Overflows in Linux Updated 8-28-19
  2. 2. Topics • Buffers in C • Information Disclosure • gdb: Gnu Debugger • Segmentation Fault • The Stack • Functions and the Stack • Stack Buffer Overflow
  3. 3. Stack-Based Buffer Overflows • Most popular and best understood exploitation method • Aleph One's "Smashing the Stack for Fun and Profit" (1996) – Link Ch 2a • Buffer – A limited, contiguously allocated set of memory – In C, usually an array
  4. 4. Exploit A: Information Disclosure
  5. 5. C and C++ Lack Bounds-Checking • It is the programmer's responsibility to ensure that array indices remain in the valid range #include <stdio.h> int main() { int array[5] = {1, 2, 3, 4, 5}; printf("%dn", array[5]); }
  6. 6. Reading Past End of Array • We can read data that we shouldn't be seeing • Information disclosure vulnerabilty
  7. 7. Using gdb (GNU Debugger) • Source code debugging • Because we compiled with gcc -g
  8. 8. Using gdb (GNU Debugger) • gdb commands list show source code run execute program break insert breakpoint x examine memory
  9. 9. Exploit B: Denial of Service
  10. 10. Writing Past End of Array • Program has crashed • Denial of service
  11. 11. Print Out More Information • printf uses a format string • %x means print in hexadecimal
  12. 12. Segmentation Fault • Cannot write to address ffffe188
  13. 13. Debug Insert breakpoint and run
  14. 14. Memory Map • Stack ends at 0xffffe000 • Trying to write past this address caused a segmentation fault
  15. 15. The Stack
  16. 16. LIFO (Last-In, First-Out) • ESP (Extended Stack Pointer) register points to the top of the stack • PUSH puts items on the stack – push 1 – push addr var
  17. 17. Stack • POP takes items off the stack – pop eax – pop ebx
  18. 18. EBP (Extended Base Pointer) • EBP is typically used for calculated addresses on the stack – mov eax, [ebp+10h] • Copies the data 16 bytes down the stack into the EAX register
  19. 19. Functions and the Stack
  20. 20. Purpose • The stack's primary purpose is to make the use of functions more efficient • When a function is called, these things occur: – Calling routine stops processing its instructions – Saves its current state – Transfers control to the function – Function processes its instructions – Function exits – State of the calling function is restored – Calling routine's execution resumes
  21. 21. Functions and the Stack • Primary purpose of the stack – To make functions more efficient • When a function is called – Push function's arguments onto the stack – Call function, which pushes the return address RET onto the stack, which is the EIP at the time the function is called
  22. 22. Functions and the Stack – Before function starts, a prolog executes, pushing EBP onto the stack – It then copies ESP into EBP – Calculates size of local variables – Reserves that space on the stack, by subtracting the size from ESP – Pushes local variables onto stack
  23. 23. Functions and the Stack #include <stdio.h> void function(int a, int b) { int array[5]; } main() { function(1,2); printf("This is where the
 return address pointsn"); }
  24. 24. Example of a Function
  25. 25. Debug and Set Breakpoints
  26. 26. In main() Stack frame goes from ebp to esp
  27. 27. In function() Stack frame goes from ebp to esp
  28. 28. Examine the Stack Frame • Highlighted region is the stack frame of function() • Below it is the stack frame of main()
  29. 29. Disassemble Main • To call a function: • push arguments onto the stack • call the function
  30. 30. Disassemble Function • Prolog: • push ebp onto stack • mov esp into ebp, starting a new stack frame • sub from esp, reserving room for local variables
  31. 31. Saved Return Address • Next word after stack frame • Address of next instruction to be executed in main()
  32. 32. Stack Buffer Overflow Exploit
  33. 33. Stack Buffer Overflow Vulnerability gets() reads user input Does not limit its length
  34. 34. Compile and Run Segmentation fault indicates an illegal operation
  35. 35. Debug and Set Breakpoint Break after gets()
  36. 36. Stack After HELLO • ASCII values for HELLO appear in the words outlined in red • Return value is outlined in green
  37. 37. ASCII •Google "ASCII" •0x41 is A •0x42 is B •etc.
  38. 38. Stack After AAAAA... • Stack frame is filled with many A characters • Return value is overwritten with 0x41414141
  39. 39. Examining the Crash • eip value is 0x41414141 • Controlled by user input!
  40. 40. gdb Commands list show source code run execute program break insert breakpoint x examine memory disassemble show asssembly code continue resume execution info registers see registers info proc mapping see memory map