My Stack Overflow Presentation To Ort Singalovsky Software Engineering Students In ironSource Office.

1. Buffer Overflow – Smashing The Stack
Tomer Zait - Application Security Engineer

2. root@kali:~# whoami
ironSourceTomer Zait
• Application Security Engineer at
• Practical Software Engineer (Ort Singalovsky)
• Offensive Security Certified Professional (OSCP)
• OpenSource Projects:
o PyMultitor
o HackMe Credit
o AutoBrowser
o SubDomain Analyzer
o Proxist
• 1st Place at The Israel Cyber Challenge, 2014

3. Today we will focus on:
• Past Events
• What Is Stack
• Assembly – Registers
• Stack Overflow
• Shell Code
• Exploit Development

4. Past Events

5. • Exploits a buffer overflow vulnerability in Microsoft DCOM RPC interface.
• Worm downloads a copy of mblast.exe to compromised host from infecting host via TFTP
and runs commands to execute it.
• mblast.exe attempts to carry out SYN flood attack on windowsupdate.com as well as
scanning/infecting other hosts.
BLASTER WORM
Hex dump of the Blaster worm

6. • DOS attack on windowsupdate.com failed - the regular domain name is
windowsupdate.microsoft.com.
• Windowsupdate.com was just a pointer to the windowsupdate.microsoft.com - so
Microsoft just decomissioned it.
BLASTER WORM - EFFECTS

7. • August 11, 2003: Original version of the worm appears on the internet.
• August 12, 2003: The number of infected systems is reported at 30,000.
• August 15, 2003:The number of infected systems is reported at 423,000.
• August 16, 2003: DDoS attack against windowsupdate.com starts.
(Largely unsuccessful because that url is merely a redirect to the real site,
windowsupdate.microsoft.com)
• January 28, 2005: The creator of the "B" variant of MSBlaster is sentenced to 18 months in
jail.
BLASTER WORM - TIMELINE

8. • Exploits a buffer overflow vulnerability in Microsoft NET BIOS interface (MS08-067).
• Dictionary attack on ADMIN$ shares.
• Creates DLL-based AutoRun trojan on attached removable drives.
• Downloads daily from any of 250 pseudorandom domains over 5 TLDs (Top-level domains).
• Updates self to Conficker B, C or D.
CONFICKER WORM

9. • Account lockout policies being reset automatically.
• Certain Microsoft Windows services such as Automatic Updates, Background Intelligent
Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled.
• Domain controllers responding slowly to client requests.
• Congestion on local area networks (ARP flood as consequence of network scan).
• Web sites related to antivirus software or the Windows Update service becoming
inaccessible
CONFICKER WORM - EFFECTS

10. • Discovered in early November 2008.
• The French Navy computer network, was infected with Conficker on 15 January 2009.
• An infection of Manchester City Council's IT system caused an estimated £1.5m worth of
disruption in February 2009.
• The estimated number of infected computers ranged from almost 9 million to 15 million.
• Microsoft has reported the total number of infected computers detected by its
antimalware products has remained steady at around 1.7 million from mid-2010 to mid-
2011.
CONFICKER WORM - TIMELINE

11. What Is Stack

12. It's a special region of your computer's memory that stores temporary variables created by
each function (including the main() function),
The stack is a “LIFO” (last in , first out) data structure.
Principal operations:
• push adds an element to the collection.
• pop removes the last element that was added.
• Stack Real Life example is weapon's magazine
STACK - EXPLANATION

13. Assembly – Registers

14. On today’s average WinTel CPU you have 9 32bit registers (w/o flag registers).
Their names are:
EAX: Extended Accumulator Register
EBX: Extended Base Register
ECX: Extended Counter Register
EDX: Extended Data Register
ESI: Extended Source Index
EDI: Extended Destination Index
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
EIP: Extended Instruction Pointer
CPU REGISTERS

15. The ESP register serves as an indirect memory operand pointing to the top of the stack at any
time.
WORD takes 2 bytes In memory.
• When a word value is pushed onto the stack, the assembler decreases the ESP (Stack
Pointer) register by 2.
• When a word value is popped off the stack, the assembler increases the ESP register by 2.
ESP REGISTER

16. The instruction pointer register points to the memory addresswhich the processor will next
attempt to execute.
it cannot be directly accessed in 16-bit or 32-bit mode,
but a sequence like the following can be written to put the address of next_line into eax:
call next_line
next_line:
pop eax
This sequence of instructions generates position-independent code because call takes an
instruction-pointer-relative immediate operand describing the offset in bytes of the target
instruction from the next instruction (in this case 0).
EIP REGISTER

17. Stack Overflow

18. A stack overflow is an undesirable condition in which a particular computer program tries to
use more memory space than the call stack has available.
In programming, the call stack is a buffer that stores requests that need to be handled.
The size of a call stack depends on various factors.
It is usually defined at the start of a program.
Its size can depend on the architecture of the computer on which the program runs,
the language in which the program is written,
and the total amount of available memory in the system.
When a stack overflow occurs as a result of a program's excessive demand for memory space,
that program (and sometimes the entire computer) may crash.
STACK OVERFLOW - EXPLANATION

19. Shell Code

20. # Metasploit generated – write.exe – x86 – Windows XP Pro SP2
shellcode="x68x97x4Cx80x7CxB8x4Dx11x86x7CxFFxD0”;
Let’s disassemble these bytes into instructions :
You don’t need to run this code to figure out what it will do.
SHELLCODE - WINDOWS XP PRO SP2 32BIT (1)
C:shellcode>"c:program filesnasmndisasm.exe" -b 32 c:tmpshellcode.bin
00000000 68974C807C push dword 0x7c804c97
00000005 B84D11867C mov eax,0x7c86114d
0000000A FFD0 call eax

21. If the exploit is indeed written for Windows XP Pro SP2 then this will happen:
at 0x7c804c97 on XP SP2, we find (windbg output) :
So push dword 0x7c804c97 will push “Write” onto the stack.
SHELLCODE - WINDOWS XP PRO SP2 32BIT (2)
0:001> d 0x7c804c97
7c804c97 57 72 69 74 65 00 42 61-73 65 43 68 65 63 6b 41 Write.BaseCheckA
7c804ca7 70 70 63 6f 6d 70 61 74-43 61 63 68 65 00 42 61 ppcompatCache.Ba
7c804cb7 73 65 43 6c 65 61 6e 75-70 41 70 70 63 6f 6d 70 seCleanupAppcomp
7c804cc7 61 74 43 61 63 68 65 00-42 61 73 65 43 6c 65 61 atCache.BaseClea
7c804cd7 6e 75 70 41 70 70 63 6f-6d 70 61 74 43 61 63 68 nupAppcompatCach
7c804ce7 65 53 75 70 70 6f 72 74-00 42 61 73 65 44 75 6d eSupport.BaseDum
7c804cf7 70 41 70 70 63 6f 6d 70-61 74 43 61 63 68 65 00 pAppcompatCache.
7c804d07 42 61 73 65 46 6c 75 73-68 41 70 70 63 6f 6d 70 BaseFlushAppcomp

22. Next, 0x7c86114d is moved into eax and a call eax is made.
At 0x7c86114d, we find :
Conclusion : this code will execute “write” (=wordpad).
SHELLCODE - WINDOWS XP PRO SP2 32BIT (3)
0:001> ln 0x7c86114d
(7c86114d) kernel32!WinExec | (7c86123c) kernel32!`string'
Exact matches:
kernel32!WinExec =

23. SHELLCODE TEST - WINDOWS XP PRO SP2 32BIT
char code[] = "x68x97x4Cx80x7CxB8x4Dx11x86x7CxFFxD0";
int main(int argc, char **argv) {
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}

24. Exploit Development

25. VULNERABLE CODE - EXAMPLE
#include <string.h>
void foo (char *bar) {
char c[12];
strcpy(c, bar); // no bounds checking
}
int main (int argc, char **argv) {
foo(argv[1]);
}

27. VULNERABLE CODE - EXPLOTION
This code takes an argument from the command line and copies it to a local stack variable c.
This works fine for command line arguments smaller than 12 characters (as you can see in
figure B below).
Any arguments larger than 11 characters long will result in corruption of the stack.
(The maximum number of characters that is safe is one less than the size of the buffer here
because in the C programming language strings are terminated by a zero byte character.
A twelve-character input thus requires thirteen bytes to store, the input followed by the
sentinel zero byte. The zero byte then ends up overwriting a memory location that's one byte
beyond the end of the buffer.)

28. THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (1)
A. - Before data is copied.

29. THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (2)
B. - "hello" is the first
command line argument.

30. THE PROGRAM STACK IN foo() WITH VARIOUS INPUTS (3)
A. - Before data is copied.

31. VULNERABLE CODE - SUMMARY
Notice in figure C above, when an argument larger than 11 bytes is supplied on the command
line foo() overwrites local stack data, the saved frame pointer, and most importantly,
the return address. When foo() returns it pops the return address off the stack and jumps to
that address (i.e. starts executing instructions from that address).
Thus, the attacker has overwritten the return address with a pointer to the stack buffer char
c[12], which now contains attacker-supplied data.
In an actual stack buffer overflow exploit the string of "A"'s would instead be shellcode suitable
to the platform and desired function.
If this program had special privileges (e.g. the SUID bit set to run as the superuser),
then the attacker could use this vulnerability to gain superuser privileges on the affected
machine.

32. { THANK YOU

33. 1. Wikipedia - http://www.wikipedia.org/
2. Corelan Team- https://www.corelan.be/
3. Natashenka - http://natashenka.ca/
BIBLIOGRAPHY