Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
CNIT 127: Exploit Development



Ch 2: Stack Overflows in Linux
Updated 8-28-19
Topics
• Buffers in C
• Information Disclosure
• gdb: Gnu Debugger
• Segmentation Fault
• The Stack
• Functions and the St...
Stack-Based Buffer Overflows
• Most popular and best understood
exploitation method
• Aleph One's "Smashing the Stack for ...
Exploit A: Information Disclosure
C and C++ Lack Bounds-Checking
• It is the programmer's responsibility to ensure
that array indices remain in the valid ra...
Reading Past End of Array
• We can read data that we shouldn't be seeing
• Information disclosure vulnerabilty
Using gdb (GNU Debugger)
• Source code debugging
• Because we compiled with gcc -g
Using gdb (GNU Debugger)
• gdb commands
list show source code
run execute program
break insert breakpoint
x examine memory
Exploit B: Denial of Service
Writing Past End of Array
• Program has crashed
• Denial of service
Print Out More Information
• printf uses a format string
• %x means print in hexadecimal
Segmentation Fault
• Cannot write to address ffffe188
Debug
Insert
breakpoint
and run
Memory Map
• Stack ends at 0xffffe000
• Trying to write past this address caused a
segmentation fault
The Stack
LIFO (Last-In, First-Out)
• ESP (Extended Stack Pointer) register
points to the top of the stack
• PUSH puts items on the ...
Stack
• POP takes items off the stack
– pop eax
– pop ebx
EBP (Extended Base Pointer)
• EBP is typically used for calculated
addresses on the stack
– mov eax, [ebp+10h]
• Copies th...
Functions and the Stack
Purpose
• The stack's primary purpose is to make the
use of functions more efficient
• When a function is called, these th...
Functions and the Stack
• Primary purpose of the stack
– To make functions more efficient
• When a function is called
– Pu...
Functions and the Stack
– Before function starts, a prolog executes,
pushing EBP onto the stack
– It then copies ESP into ...
Functions and the Stack
#include <stdio.h>
void function(int a, int b)
{
int array[5];
}
main()
{
function(1,2);
printf("T...
Example of a Function
Debug and Set Breakpoints
In main()
Stack frame goes from ebp to esp
In function()
Stack frame goes from ebp to esp
Examine the Stack Frame
• Highlighted region is the stack frame of
function()
• Below it is the stack frame of main()
Disassemble Main
• To call a function:
• push arguments onto the stack
• call the function
Disassemble Function
• Prolog:
• push ebp onto stack
• mov esp into ebp, starting a new stack frame
• sub from esp, reserv...
Saved Return Address
• Next word
after stack
frame
• Address of
next
instruction to
be executed
in main()
Stack Buffer Overflow Exploit
Stack Buffer Overflow Vulnerability
gets() reads user input
Does not limit its length
Compile and Run
Segmentation fault indicates an illegal operation
Debug and Set Breakpoint
Break after gets()
Stack After HELLO
• ASCII values for HELLO appear in the
words outlined in red
• Return value is outlined in green
ASCII
•Google "ASCII"
•0x41 is A
•0x42 is B
•etc.
Stack After AAAAA...
• Stack frame is filled with many A characters
• Return value is overwritten with 0x41414141
Examining the Crash
• eip value is 0x41414141
• Controlled by user input!
gdb Commands
list show source code
run execute program
break insert breakpoint
x examine memory
disassemble show asssembly...
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
Upcoming SlideShare
Loading in …5
×

CNIT 127: Ch 2: Stack overflows on Linux

52 views

Published on

Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.

Instructor: Sam Bowne

Class website: https://samsclass.info/127/127_F19.shtml

Published in: Education
  • Be the first to comment

  • Be the first to like this

CNIT 127: Ch 2: Stack overflows on Linux

  1. 1. CNIT 127: Exploit Development
 
 Ch 2: Stack Overflows in Linux Updated 8-28-19
  2. 2. Topics • Buffers in C • Information Disclosure • gdb: Gnu Debugger • Segmentation Fault • The Stack • Functions and the Stack • Stack Buffer Overflow
  3. 3. Stack-Based Buffer Overflows • Most popular and best understood exploitation method • Aleph One's "Smashing the Stack for Fun and Profit" (1996) – Link Ch 2a • Buffer – A limited, contiguously allocated set of memory – In C, usually an array
  4. 4. Exploit A: Information Disclosure
  5. 5. C and C++ Lack Bounds-Checking • It is the programmer's responsibility to ensure that array indices remain in the valid range #include <stdio.h> int main() { int array[5] = {1, 2, 3, 4, 5}; printf("%dn", array[5]); }
  6. 6. Reading Past End of Array • We can read data that we shouldn't be seeing • Information disclosure vulnerabilty
  7. 7. Using gdb (GNU Debugger) • Source code debugging • Because we compiled with gcc -g
  8. 8. Using gdb (GNU Debugger) • gdb commands list show source code run execute program break insert breakpoint x examine memory
  9. 9. Exploit B: Denial of Service
  10. 10. Writing Past End of Array • Program has crashed • Denial of service
  11. 11. Print Out More Information • printf uses a format string • %x means print in hexadecimal
  12. 12. Segmentation Fault • Cannot write to address ffffe188
  13. 13. Debug Insert breakpoint and run
  14. 14. Memory Map • Stack ends at 0xffffe000 • Trying to write past this address caused a segmentation fault
  15. 15. The Stack
  16. 16. LIFO (Last-In, First-Out) • ESP (Extended Stack Pointer) register points to the top of the stack • PUSH puts items on the stack – push 1 – push addr var
  17. 17. Stack • POP takes items off the stack – pop eax – pop ebx
  18. 18. EBP (Extended Base Pointer) • EBP is typically used for calculated addresses on the stack – mov eax, [ebp+10h] • Copies the data 16 bytes down the stack into the EAX register
  19. 19. Functions and the Stack
  20. 20. Purpose • The stack's primary purpose is to make the use of functions more efficient • When a function is called, these things occur: – Calling routine stops processing its instructions – Saves its current state – Transfers control to the function – Function processes its instructions – Function exits – State of the calling function is restored – Calling routine's execution resumes
  21. 21. Functions and the Stack • Primary purpose of the stack – To make functions more efficient • When a function is called – Push function's arguments onto the stack – Call function, which pushes the return address RET onto the stack, which is the EIP at the time the function is called
  22. 22. Functions and the Stack – Before function starts, a prolog executes, pushing EBP onto the stack – It then copies ESP into EBP – Calculates size of local variables – Reserves that space on the stack, by subtracting the size from ESP – Pushes local variables onto stack
  23. 23. Functions and the Stack #include <stdio.h> void function(int a, int b) { int array[5]; } main() { function(1,2); printf("This is where the
 return address pointsn"); }
  24. 24. Example of a Function
  25. 25. Debug and Set Breakpoints
  26. 26. In main() Stack frame goes from ebp to esp
  27. 27. In function() Stack frame goes from ebp to esp
  28. 28. Examine the Stack Frame • Highlighted region is the stack frame of function() • Below it is the stack frame of main()
  29. 29. Disassemble Main • To call a function: • push arguments onto the stack • call the function
  30. 30. Disassemble Function • Prolog: • push ebp onto stack • mov esp into ebp, starting a new stack frame • sub from esp, reserving room for local variables
  31. 31. Saved Return Address • Next word after stack frame • Address of next instruction to be executed in main()
  32. 32. Stack Buffer Overflow Exploit
  33. 33. Stack Buffer Overflow Vulnerability gets() reads user input Does not limit its length
  34. 34. Compile and Run Segmentation fault indicates an illegal operation
  35. 35. Debug and Set Breakpoint Break after gets()
  36. 36. Stack After HELLO • ASCII values for HELLO appear in the words outlined in red • Return value is outlined in green
  37. 37. ASCII •Google "ASCII" •0x41 is A •0x42 is B •etc.
  38. 38. Stack After AAAAA... • Stack frame is filled with many A characters • Return value is overwritten with 0x41414141
  39. 39. Examining the Crash • eip value is 0x41414141 • Controlled by user input!
  40. 40. gdb Commands list show source code run execute program break insert breakpoint x examine memory disassemble show asssembly code continue resume execution info registers see registers info proc mapping see memory map

×