Stack allocation and buffer overflow

Post on 05-Jan-2016


Description: CSCE 531 presentation by Miao XU (xum@engr.sc.edu). Outline: stack allocation in Windows, what a buffer overflow is, how to exploit a buffer overflow, demo.

Transcript of Stack allocation and buffer overflow

UNIVERSITY OF SOUTH CAROLINA

Department of Computer Science and Engineering

Stack allocation and buffer overflow

CSCE 531 Presentation by

Miao XU, xum@engr.sc.edu


Outline

• Stack allocation in Windows

• What is buffer overflow

• How to exploit buffer overflow

• Demo


Stack allocation in TAM

[Figure: TAM stack layout. Globals sit at the bottom of the stack; above them are the call frames, each linked to the previous one by its dynamic link. SB = Stack base, LB = Locals base, ST = Stack top.]


Stack allocation in TAM (Contd.)

A frame contains

• A dynamic link: to the next frame on the stack (the frame of the caller)

• Return address

• Local variables for the current activation

[Figure: one TAM frame between LB and ST: link data (dynamic link and return address) followed by local data.]


What’s going on inside Windows?

• Initial stack state

[Figure: the current frame, marked by EBP and ESP. EBP: Extended Base Pointer, ESP: Extended Stack Pointer.]


What’s going on inside Windows?

• Before call f(arg1, arg2)

– Push arguments

[Figure: current frame, then arg2 and arg1 pushed on top of it; ESP now points past arg1. EBP: Extended Base Pointer, ESP: Extended Stack Pointer.]


What’s going on inside Windows?

• Before call f(arg1, arg2)

– Push next instruction address

[Figure: current frame, arg2, arg1, then Ret. Addr. pushed on top; ESP points at the return address. EBP: Extended Base Pointer, ESP: Extended Stack Pointer.]


What’s going on inside Windows?

• Enter into f(arg1, arg2)

– Push current EBP

[Figure: current frame, arg2, arg1, Ret. Addr., then Prev. EBP pushed on top; ESP points at the saved EBP while EBP still marks the caller's frame. EBP: Extended Base Pointer, ESP: Extended Stack Pointer.]


What’s going on inside Windows?

• Enter into f(arg1, arg2)

– Move EBP to ESP

[Figure: current frame, arg2, arg1, Ret. Addr., Prev. EBP; EBP and ESP now both point at the saved Prev. EBP. EBP: Extended Base Pointer, ESP: Extended Stack Pointer.]


What’s going on inside Windows?

• Enter into f(arg1, arg2)

[Figure: previous frame, arg2, arg1, Ret. Addr., Prev. EBP, and above them the current frame of f, bounded by EBP at its base and ESP at its top. EBP: Extended Base Pointer, ESP: Extended Stack Pointer.]


What is buffer overflow?

• Related to stack allocation

• A buffer overflow, or buffer overrun, is an anomaly where a process stores data in a buffer outside the memory the programmer set aside for it.– Wikipedia


Buffer overflow

#include <string.h>

void function(char *str) {
    char buffer[8];
    strcpy(buffer, str);        /* unbounded copy: writes past buffer[8] whenever str is longer */
}

int main() {
    char large_string[256];
    for (int i = 0; i < 255; i++)
        large_string[i] = 'A';
    large_string[255] = '\0';   /* terminate so strcpy copies exactly 255 'A' bytes */
    function(large_string);
    return 0;
}
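As an added example that is not part of the slides: the unbounded strcpy above beside a bounded replacement, plus a check of why substituting strncpy alone is not a fix. The names bounded_copy, function_fixed and strncpy_leaves_unterminated are assumed for this example, and the 255-byte input is constructed to match the slide.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (capacity dst_size), always leaving a NUL terminator.
 * Returns 0 if src fit, -1 if it was truncated. Unlike strncpy, the result
 * is always a valid C string and nothing is written beyond dst_size bytes. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0) return -1;
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Hardened form of the slide's function(): same 8-byte buffer, but the copy
 * is limited by sizeof buffer, so no write can reach the saved EBP or the
 * return address stored above it. Returns the number of bytes kept. */
int function_fixed(const char *str)
{
    char buffer[8];
    if (bounded_copy(buffer, sizeof buffer, str) != 0)
        fprintf(stderr, "input of %zu bytes truncated to %zu\n",
                strlen(str), sizeof buffer - 1);
    return (int)strlen(buffer);
}

/* Why "just use strncpy" is not a fix: with an oversized source it fills
 * all 8 bytes and leaves no terminator, so a later strlen/printf reads past
 * the buffer. Returns 1 if the copy ended up unterminated, 0 otherwise. */
int strncpy_leaves_unterminated(const char *src)
{
    char buffer[8];
    strncpy(buffer, src, sizeof buffer);
    return memchr(buffer, '\0', sizeof buffer) == NULL;
}

int main(void)
{
    char large_string[256];               /* constructed input, as on the slide */
    memset(large_string, 'A', 255);
    large_string[255] = '\0';
    printf("kept %d bytes, strncpy unterminated: %d\n",
           function_fixed(large_string), strncpy_leaves_unterminated(large_string));
    return 0;
}
```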


An example

[Figure sequence: six slides stepping through the example above (images not in the transcript). The final slide shows the result: Return to 0x41414141, i.e. the return address has been overwritten with four copied 'A' bytes.]


Problems with buffer overflow

• A demo


Acknowledgement

• The demo and part of these slides are from the training the presenter attended at Symantec, Chinese Development Center, Beijing

• The example comes from the following reference:

– Aleph One, Smashing the Stack for Fun and Profit, Phrack Magazine, Vol. 7 (49), 1996


Questions?
