Buffer Overflow Attacks

Post on 12-Jan-2016


Buffer Overflow Attacks. 6.857, Computer & Network Security. Outline: Basic Idea, Sample Attacks, Protection. PowerPoint PPT presentation.

Transcript of Buffer Overflow Attacks

Buffer Overflow Attacks (slide 1)

6.857, Computer & Network Security

Outline: Basic Idea, Sample Attacks, Protection

History (slide 2)

1960s: Vulnerability exploited on time-share machines.

1970s: Attacks on early networked machines.

1980s: Morris Worm uses a buffer overflow in …, taking down a significant portion of the Internet.

1990s: Buffer overflow attacks become (arguably) the most pressing security concern facing the web (e.g., in 1998, 2/3 of CERT advisories were buffer overflow related).

Today: The problem persists (e.g., IE VML advisory from two months ago).

Memory Layout (slides 3-15)

Process address space, from low addresses to high addresses:

    Low Addresses
        Text
        Data
        Heap
        ...
        Stack
    High Addresses

The stack sits at the high end and grows toward low addresses, one frame per active call. Example:

    void func(int a, int b) {
        char buffer[10];
    }

    int main(void) {
        func(1, 2);
    }

The call in main and the prologue of func compile to:

    pushl $2
    pushl $1
    call func
    …
    pushl %ebp
    movl %esp, %ebp
    subl $24, %esp

After the prologue, func's frame looks like this (high addresses at the top; fp is the frame pointer, sp the stack pointer):

    2        argument b
    1        argument a
    ret      return address (pushed by call)
    sfp      saved frame pointer (pushl %ebp)   <- fp
    buffer   10-byte local                      <- sp is below buffer

Now let func copy a string into buffer without checking its length:

    void func(int a, int b) {
        char buffer[10];
        strcpy(buffer, bigstr);
    }

strcpy writes bigstr from the start of buffer upward, toward high addresses. If bigstr is longer than 10 bytes, the copy continues past buffer into sfp and ret:

    2
    1
    ret      } overwritten by bigstr
    sfp      }
    bigstr   } fills buffer and keeps going

Sample Attacks (slide 16)

Modify local variables

Modify return address to skip/repeat code

Modify return address to run evil code

Modify Local Variables (slides 17-22)

Sample attack 1: modify local variables.

    #include <stdlib.h>   /* getenv */
    #include <string.h>   /* strcpy */

    void handleRequest() {
        int code;
        char subject[] = "[[[SECRET]]] user request";
        char recp[] = "admin@nsa.gov";
        char query[8];
        strcpy(query, getenv("QUERY_STRING"));   /* unchecked copy into an 8-byte buffer */

        // send top secret e-mail to recp
        …
    }

Two possible layouts of handleRequest's frame (high addresses at the top):

    ret            ret
    sfp            sfp
    query          subject[]
    subject[]      recp[]
    recp[]         query

In the layout on the right, query sits below recp[] and subject[], so a QUERY_STRING longer than 8 bytes overwrites recp[] (the recipient of the secret e-mail) and subject[] before it ever reaches sfp and ret. Which locals an overflow can change depends on where the compiler places query relative to them.

Demo…

Repeat Code… (slides 23-29)

Sample attack 2: modify the return address to skip or repeat code.

    #include <stdio.h>

    void func(int a, int b) {
        printf("Inside func loop.\n");
        char buffer[4];
        gets(buffer);                    /* reads a line of any length into 4 bytes */
    }

    int main(void) {
        printf("about to call func.\n");
        func(5, 6);
        printf("done.\n");
        return 0;
    }

func's frame (high addresses at the top):

    b
    a
    ret
    sfp
    buffer   4 bytes

A line longer than buffer runs through sfp and replaces ret with addr, an address chosen by the attacker. func then returns to addr instead of to the instruction after the call, so main's remaining code can be skipped, or the call to func repeated.

Demo…
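The handleRequest() and func() slides above show the two unbounded copies (strcpy from QUERY_STRING into query[8], gets into buffer[4]) that let input run into neighbouring locals, sfp and ret. The C below is an added example, not code from the 6.857 slides: bounded replacements for both calls that refuse over-long input instead of truncating or overflowing. copy_bounded, read_line_bounded, demo_query and demo_line are names chosen here, and all inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Result codes shared by the bounded helpers below. */
enum { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* Bounded replacement for strcpy(query, getenv("QUERY_STRING")): src is copied
   only if it fits, terminator included; otherwise dst is left empty and
   COPY_TOO_LONG is returned, so nothing is written past the buffer into the
   neighbouring locals, the saved frame pointer or the return address. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return COPY_BAD_ARG;
    dst[0] = '\0';
    if (src == NULL)                         /* getenv() returns NULL when unset */
        return COPY_BAD_ARG;
    const char *end = memchr(src, '\0', dstsz); /* look for '\0' within dstsz bytes */
    if (end == NULL)
        return COPY_TOO_LONG;                /* no room for src plus its '\0' */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return COPY_OK;
}

/* Line reader core, independent of FILE so it can be exercised on constructed
   input: next(ctx) yields the next byte or EOF. Stores at most dstsz-1 bytes,
   strips the newline, and on an over-long line drains the rest of that line
   and reports COPY_TOO_LONG instead of spilling into sfp and ret. */
static int read_line_core(char *dst, size_t dstsz, int (*next)(void *), void *ctx)
{
    if (dst == NULL || dstsz == 0)
        return COPY_BAD_ARG;
    dst[0] = '\0';
    int c = next(ctx);
    if (c == EOF)
        return COPY_BAD_ARG;                 /* nothing to read */
    size_t n = 0;
    while (c != EOF && c != '\n') {
        if (n + 1 >= dstsz) {                /* no room for this byte and '\0' */
            while (c != EOF && c != '\n')    /* discard the over-long remainder */
                c = next(ctx);
            dst[0] = '\0';
            return COPY_TOO_LONG;
        }
        dst[n++] = (char)c;
        c = next(ctx);
    }
    dst[n] = '\0';
    return COPY_OK;
}

static int file_next(void *ctx) { return fgetc((FILE *)ctx); }

/* Drop-in replacement for gets(buffer): read_line_bounded(buffer, sizeof buffer, stdin). */
int read_line_bounded(char *dst, size_t dstsz, FILE *in)
{
    return in ? read_line_core(dst, dstsz, file_next, in) : COPY_BAD_ARG;
}

/* Constructed in-memory input source, so the reader can be tested without stdin. */
struct strsrc { const char *p; };
static int string_next(void *ctx)
{
    struct strsrc *s = ctx;
    return *s->p ? (unsigned char)*s->p++ : EOF;
}

/* Mirrors the 8-byte query[] of handleRequest(): 0 if the query fits, -1 if not. */
int demo_query(const char *constructed_query)
{
    char query[8];
    return copy_bounded(query, sizeof query, constructed_query);
}

/* Mirrors gets() into a small buffer, fed from a constructed string. */
int demo_line(const char *constructed_input, char *out, size_t outsz)
{
    struct strsrc s = { constructed_input };
    return read_line_core(out, outsz, string_next, &s);
}

int main(void)
{
    char line[4];                            /* same size as buffer[4] on the slide */
    printf("query \"id=1\"      -> %d\n", demo_query("id=1"));
    printf("query \"id=1234567\" -> %d\n", demo_query("id=1234567"));
    int rc = demo_line("abc\n", line, sizeof line);
    printf("line  \"abc\"       -> %d (\"%s\")\n", rc, line);
    rc = demo_line("abcdefgh\n", line, sizeof line);
    printf("line  \"abcdefgh\"  -> %d (\"%s\")\n", rc, line);
    return 0;
}
```

Rejecting rather than silently truncating matters for the handleRequest() case: a truncated query would still be processed, while an error return lets the request be refused and logged.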


Running Evil Code… (slides 31-36)

Sample attack 3: modify the return address to run evil code.

    void func(int a, int b) {
        char buffer[32];
        gets(buffer);
        …
    }

func's frame (high addresses at the top):

    2
    1
    ret
    sfp
    buffer   32 bytes

The line that gets reads fills buffer, from low addresses upward, with a run of nop instructions and then the evil code; the copy continues past sfp until the value 0x80483eb lands on ret:

    nop nop nop nop nop nop nop nop nop nop nop  evil code evil code evil code evil code  0x80483eb -> ret

When func returns, execution resumes at 0x80483eb, somewhere in the nop run, and falls through into the evil code.

???? What should the evil code be? A program that starts a shell:

    #include <unistd.h>   /* execve */
    #include <stddef.h>   /* NULL */

    int main(void) {
        char *name[2];
        name[0] = "/bin/sh";
        name[1] = NULL;
        execve(name[0], name, NULL);
        return 0;
    }

Running Evil Code… (slides 37-49)

The compiled body of that main. The string "/bin/sh" is at 0x80884a8; name[0] is at 0xfffffff8(%ebp) (ebp-8) and name[1] at 0xfffffffc(%ebp) (ebp-4):

    movl $0x80884a8,0xfffffff8(%ebp)    # name[0] = "/bin/sh"
    movl $0x0,0xfffffffc(%ebp)          # name[1] = NULL
    push $0x0                           # 3rd argument: envp = NULL
    lea 0xfffffff8(%ebp),%eax
    push %eax                           # 2nd argument: name
    pushl 0xfffffff8(%ebp)              # 1st argument: name[0]
    call 0x804d880 <execve>

main's frame once the arguments are pushed (high addresses at the top; fp (ebp) points at sfp):

    ret
    sfp          <- fp (ebp)
    NULL         name[1], at 0xfffffffc(%ebp)
    0x80884a8    name[0], at 0xfffffff8(%ebp); points to "/bin/sh"
    NULL         pushed envp
    0xfffffff8   pushed name (address of name[0])
    0x80884a8    pushed name[0]

Inside execve, the three arguments are loaded into registers and the kernel is entered with system call number 0xb (execve) in eax:

    mov 0x8(%ebp),%ebx     # ebx = name[0] = 0x80884a8, the path
    mov 0xc(%ebp),%ecx     # ecx = name   = 0xfffffff8, the argv array
    mov 0x10(%ebp),%edx    # edx = NULL, the envp array
    mov $0xb,%eax          # eax = 0xb, the execve system call number
    int $0x80              # trap into the kernel

Running Evil Code… (slides 50-52)

Putting the two pieces together gives the code to inject: build name[] in the frame, load the three registers and make the system call. string_addr stands for the address of the "/bin/sh" string:

    movl string_addr,0x8
    movl $0x0,0xc
    movl $0xb,%eax
    movl string_addr,%ebx
    leal 0x8,%ecx
    movl 0xc,%edx
    int $0x80

Frame (high addresses at the top):

    ret
    sfp            <- fp (ebp)
    string_addr    at 0x8: name[0], loaded into ebx; the address of this slot goes to ecx
    NULL           at 0xc: name[1], loaded into edx

?????? The string has to travel with the code, and where the code (and so the string) ends up on the stack is not known when the payload is written, so string_addr cannot simply be filled in.

Running Evil Code… (slides 53-58)

Finding the string's address at run time: the code first jumps forward to a call placed immediately before the string. call pushes the address of whatever follows it, which here is the string itself, and jumps back to popl %esi, which pops that address into esi.

    jmp offset-to-call
    popl %esi                 # esi = address of the "/bin/sh" string
    movl %esi,0x8
    movl $0x0,0xc
    movl $0xb,%eax
    movl %esi,%ebx
    leal 0x8,%ecx
    movl 0xc,%edx
    int $0x80
    call offset-to-popl       # pushes the address of the bytes after it, then jumps back
    /bin/sh string

Layout on the stack (high addresses at the top):

    ret
    sfp
    "/bin/sh"      <- addr of "/bin/sh" ends up in esi
    code

Running Evil Code… (slides 59-60)

Obstacle #1: Zero Bytes. The payload is copied as a C string, so the copy stops at the first 0x00 byte, and instructions such as movl $0x0,0xc and movl $0xb,%eax have zero bytes in their encoding.

Solution: generate the zeros on the fly (e.g., push $0x0 becomes xor %eax,%eax; push %eax).

Running Evil Code… (slides 61-67)

Obstacle #2: Guessing the Return Address. ret must be overwritten with the address of the injected code, but the exact position of buffer on the stack is not known in advance. The guess ret' is repeated so that one copy lands on ret, yet it still has to point exactly at the code:

    code
    ret' ret' ret' ret' ret' ret'

Solution: add a NOP landing pad to increase the chance that your guess is right. Any ret' that lands anywhere in the nop run executes nops until it reaches the code:

    nop nop nop ...
    code
    ret' ret' ret' ret' ret' ret'
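Seen from the defender's side, the two obstacles above describe what an injected payload has to look like: a long run of nop bytes (0x90) ahead of the code, and a guessed return address repeated several times. The C below is an added example, not from the slides: it scores an input buffer on exactly those two features, using a constructed sample shaped like the slides' diagram (0x41 placeholder bytes stand in for any code) and an ordinary query string for comparison. All function names and the thresholds 8 and 3 are chosen here.

```c
#include <string.h>

#define NOP 0x90   /* one-byte x86 nop, the filler of the slides' landing pad */

/* Longest run of consecutive NOP bytes in buf. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == NOP) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Longest back-to-back repetition of one 4-byte word, tried at every byte
   offset (the overwritten ret slot need not be aligned with the input start).
   All-NOP words are skipped so the sled itself is not counted twice.
   Returns the repeat count: 0 if every word was skipped, 1 = no repetition. */
size_t longest_word_repeat(const unsigned char *buf, size_t len)
{
    static const unsigned char nops[4] = { NOP, NOP, NOP, NOP };
    size_t best = 0;
    for (size_t start = 0; start + 4 <= len; start++) {
        if (memcmp(buf + start, nops, 4) == 0)
            continue;
        size_t reps = 1;
        while (start + 4 * (reps + 1) <= len &&
               memcmp(buf + start, buf + start + 4 * reps, 4) == 0)
            reps++;
        if (reps > best) best = reps;
    }
    return best;
}

struct payload_signals {
    size_t nop_run;       /* longest 0x90 run (slide: nop nop nop ...)         */
    size_t addr_repeats;  /* longest repeated word (slide: ret' ret' ret' ...) */
};

struct payload_signals inspect_payload(const unsigned char *buf, size_t len)
{
    struct payload_signals s;
    s.nop_run = longest_nop_run(buf, len);
    s.addr_repeats = longest_word_repeat(buf, len);
    return s;
}

/* Both signals are required: each alone is common in legitimate binary data. */
int looks_like_stack_smash(const struct payload_signals *s,
                           size_t min_nops, size_t min_reps)
{
    return s->nop_run >= min_nops && s->addr_repeats >= min_reps;
}

/* Constructed sample shaped like the slides' buffer contents: a NOP landing
   pad, a placeholder for the injected code (0x41 bytes, not instructions),
   then the guessed return address 0x80483eb repeated six times, stored
   little-endian as a 32-bit word. Returns the number of bytes written. */
size_t build_constructed_sample(unsigned char *out, size_t outsz)
{
    static const unsigned char ret_guess[4] = { 0xeb, 0x83, 0x04, 0x08 };
    size_t n = 0;
    if (outsz < 16 + 12 + 6 * 4)
        return 0;
    memset(out + n, NOP, 16);  n += 16;      /* landing pad */
    memset(out + n, 0x41, 12); n += 12;      /* placeholder "code" */
    for (int i = 0; i < 6; i++) {            /* ret' ret' ret' ... */
        memcpy(out + n, ret_guess, 4);
        n += 4;
    }
    return n;
}

/* 1 if the constructed sample trips the detector (thresholds: 8 nops, 3 repeats). */
int demo_constructed(void)
{
    unsigned char buf[64];
    size_t n = build_constructed_sample(buf, sizeof buf);
    struct payload_signals s = inspect_payload(buf, n);
    return looks_like_stack_smash(&s, 8, 3);
}

/* The same check on an ordinary query string. */
int demo_benign(void)
{
    const char *q = "id=42&name=alice&page=1";
    struct payload_signals s = inspect_payload((const unsigned char *)q, strlen(q));
    return looks_like_stack_smash(&s, 8, 3);
}
```

demo_constructed() returns 1 and demo_benign() returns 0 with the thresholds shown; tune them to the traffic you actually see and treat the verdict as one input to an IDS rule or input filter, not as proof.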