Introduction to Stack Buffer Overflow for beginners
•
1 like•291 views
This presentation introduces stack buffer overflows and exploitation techniques for beginners. It discusses how buffer overflows work, potential impacts of exploitation including gaining system access and installing backdoors. It then demonstrates a sample vulnerable code, its disassembly, and how an attacker could exploit it by overwriting the return address on the stack to redirect execution to shellcode that starts a calculator program. The presentation concludes by reviewing protections like ASLR and DEP and a real-world exploit.
Recommended
More Related Content
Similar to Introduction to Stack Buffer Overflow for beginners
Similar to Introduction to Stack Buffer Overflow for beginners (20)
Recently uploaded
Recently uploaded (20)
Introduction to Stack Buffer Overflow for beginners
- 1. Khashayar Fereidani http://fereidani.com Introduction to Stack Buffer Overflow for beginners Islamic Azad University Of Najafabad Network Security Presentation By Khashayar Fereidani
- 2. Khashayar Fereidani http://fereidani.com Who Am I ? ● Khashayar Fereidani ● Just A Security Enthusiast
- 4. Khashayar Fereidani http://fereidani.com What Is Buffer Overflow ? From Dear Memory Corruption Family Heap Overflow , Use After Free Buffer Underflow , Integer Overflow Buffer Overflow and more ...
- 5. Khashayar Fereidani http://fereidani.com What After Exploitation ? 1- File Control 2- Operation System Access 3 – Installing Backdoor 4- Full Device Access ( webcam / monitor / mic )
- 6. Khashayar Fereidani http://fereidani.com Advantages And Disadvantages ● Advantages 1- Effective 2- Locally And Remotely Exploitable ● Disadvantages 1- architecture dependent 2-operation system and even version dependent 3- high exploitation skills needed for this era .
- 7. Khashayar Fereidani http://fereidani.com New Era For Commercial Exploit ● Exploits from $1000 to $10000000 ● Intelligent and Universal ● Die Dear Lamers
- 8. Khashayar Fereidani http://fereidani.com Some Historical Attacks 1- 1988 Morris worm 6000 machines ( 10% of internet ) 2- 2003 SQL Slammer : overflow in MS-SQL server 75,000 machines infected in 10 minutes 3- 2014 Multiple Vulnerabilities in Microsoft / Adobe / D-link / Cisco / Oracle products
- 9. Khashayar Fereidani http://fereidani.com 9/23 Remember Remember ● ESP : Pointer To Top Of Stack ● EBP : Base Pointer ● EIP : Instruction Pointer ● MOV , JMP , CALL , RET
- 10. Khashayar Fereidani http://fereidani.com 10/23 Introduction To Process Environment Block (PEB) ● Stack ( func , ret info , args ) ● Heap ● Data Segment 1- .bss ( Static and uninitialized globals ) 2- .data (initialized globals ) 3- .text ( usually read only ) ● Shared Libraries
- 12. Khashayar Fereidani http://fereidani.com 12/23 Sample Code bool authenticate(char *name){ char msg[32]; if (check_username(name)==0){ sprintf(msg, "Unauthorized user '%s'n", name); Printf(“%s”,msg); return 0; }else{ printf("Welcome , %s n", name); return 1; } }
- 13. Khashayar Fereidani http://fereidani.com 13/23 Disassembled Code 0x08048529 <+0>:push %ebp 0x0804852a <+1>:mov %esp,%ebp 0x0804852c <+3>:sub $0x38,%esp 0x0804852f <+6>: mov 0x8(%ebp),%eax 0x08048532 <+9>:mov %eax,(%esp) 0x08048535 <+12>: call 0x804851f <check_username> 0x0804853a <+17>: test %eax,%eax 0x0804853c <+19>: jne 0x8048572 <authenticate+73> 0x0804853e <+21>: mov 0x8(%ebp),%eax 0x08048541 <+24>: mov %eax,0x8(%esp) 0x08048545 <+28>: movl $0x8048620,0x4(%esp) 0x0804854d <+36>: lea -0x28(%ebp),%eax 0x08048550 <+39>: mov %eax,(%esp) 0x08048553 <+42>: call 0x8048390 <sprintf@plt> 0x08048558 <+47>: lea -0x28(%ebp),%eax 0x0804855b <+50>: mov %eax,0x4(%esp) 0x0804855f <+54>: movl $0x8048639,(%esp) 0x08048566 <+61>: call 0x8048350 <printf@plt> 0x0804856b <+66>: mov $0x0,%eax 0x08048570 <+71>: jmp 0x804858a <authenticate+97> 0x08048572 <+73>: mov 0x8(%ebp),%eax 0x08048575 <+76>: mov %eax,0x4(%esp)
- 14. Khashayar Fereidani http://fereidani.com 14/23 Point Of View From Stack ARGV ARGC RET …. main and previously called procedures …. SAVED EIP SAVED EBP msg Start Of authenticate frame 32 Byte
- 15. Khashayar Fereidani http://fereidani.com 15/23 For Simple Input ARGV ARGC RET …. SAVED EIP SAVED EBP ???????? ???????? ???????? ???????? khashayar
- 16. Khashayar Fereidani http://fereidani.com 16/23 For Evil One :D ! ARGV ARGC RET …. AAAA (0x41414141) AAAA (0x41414141) AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
- 17. Khashayar Fereidani http://fereidani.com 17/23 Exploitation Theory ● Write Our Shellcode to memory ● Get Control Of EIP ● Jump To Our Shellcode
- 18. Khashayar Fereidani http://fereidani.com 18/23 Implementation ARGV ARGC RET …. (0x[ADDRESS OF SHELLCODE]) 0x90909090 NOPNOPNOPNOPNOP SHELLCODE SHELLCODE SHELLCODE SHELLCODE
- 19. Khashayar Fereidani http://fereidani.com 19/23 What Is Shellcode ?
- 20. Khashayar Fereidani http://fereidani.com 20/23 After Compile xebx16x31xd2x5b x88x53x04x53xbb xedx2ax86x7cxff xd3x52xbbx12xcb x81x7cxffxd3xe8 xe5xffxffxffx63 x61x6cx63x4e ● 34 byte ● Exec Calc
- 21. Khashayar Fereidani http://fereidani.com 21/23 Some OS Level Protections ● ASLR (First OpenBSD & Linux) ● DEP ( Software & Hardware ) ● STACK GS / COOKIE ●But Bypassed in the wild !