Buffer Overflow for fun and pr0fit
Facundo M. de la Cruz (@_tty0)
➔ Brief introduction to the Intel x86/x86_64 architecture
➔ Integer overflow
➔ Stack based buffer overflows
➔ Attacking a format string
➔ Shellcodes: The ASM cocktail
➔ OS Protections
AGENDA
Why do I need to learn about Buffer Overflows?
- A common motive could be: do you want to impress your girlfriend and be cool and sexy?
  1) Prepare your latest IE or Mozilla Firefox 0day.
  2) Send an email containing «Hey! Check out this amazing news about naked photos of Rihanna», alongside a link pointing to the URL where the exploit is located.
  3) Wait for the victim to click.
  4) ????
  5) Pr0fit!
- Secure your own software or your company's software.
- Or you are simply curious, and it's cool :-)
Intel Architecture
➔ Real mode
  - 20-bit segmented memory address space.
  - Only 1 MB of memory can be addressed.
  - Direct access to the BIOS.
➔ Protected mode
  - Provides protected memory.
  - Memory paging support.
  - Global Descriptor Table (GDT) and Local Descriptor Table (LDT).
➔ Virtual 8086 mode
  - Hybrid operating mode for backward compatibility.
  - Allows real mode programs to run under protected mode.
  - Only available on 32-bit CPUs.
➔ Long mode
  - 64-bit addresses: 16 EB of address space (about 16 billion GB); in practice CPUs implement 48 of those bits.
  - 64-bit instructions and registers.
  - 16- and 32-bit programs are executed in a sub-mode (compatibility mode).
  - An extension of the 32-bit instruction set, but unlike the 16-to-32-bit transition.
CPU operations modes
➔ Mechanisms to protect data and functionality from faults and from misbehaving, less privileged code.
➔ Supervisor mode is a hardware-mediated flag that can only be changed by code already running as system-level software (ring 0); user code (ring 3) enters it only through a controlled gate such as a system call.
CPU RINGS
Internal CPU storage locations that hold only one word or value at a time.
➔ General purpose registers
➔ Control registers
➔ Offset (index and pointer) registers
➔ Other registers
CPU Registers
Memory sections
THE STACK
System calls
➔ Our exit program in C
➔ The same program in Intel x86 ASM
  - System call number, taken from asm/unistd_32.h
  - Argument (exit status)
  - Trap instruction: switch from userspace to supervisor
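The slide's exit program is shown as a screenshot that did not survive extraction. As an added example (not the author's code), the same mechanism from C with inline assembly: number in eax/rax, arguments in registers, then the trap that switches from user mode to supervisor mode. The i386 path uses the asm/unistd_32.h convention (`int $0x80`, ebx/ecx/edx); the x86-64 path uses `syscall` (rdi/rsi/rdx). Syscall numbers come from `<sys/syscall.h>` for whatever target you compile on; the non-x86 fallback to libc's `syscall()` is an assumption made so the file builds elsewhere.

```c
#define _GNU_SOURCE          /* declares syscall(2) for the non-x86 fallback */
#include <unistd.h>
#include <sys/syscall.h>     /* SYS_exit, SYS_write, SYS_getpid for the build target */

/* Issue a three-argument system call the way the slide's asm does it:
 * number in eax/rax, arguments in registers, then the trap instruction that
 * switches the CPU from user mode (ring 3) to supervisor mode (ring 0).
 * The registers differ between the i386 and x86-64 ABIs. */
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
    long ret;
#if defined(__x86_64__)
    /* x86-64 ABI: rax = number, rdi/rsi/rdx = args; `syscall` clobbers rcx, r11 */
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
#elif defined(__i386__)
    /* i386 ABI (asm/unistd_32.h numbers): eax = number, ebx/ecx/edx = args */
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"(nr), "b"(a1), "c"(a2), "d"(a3)
                      : "memory");
#else
    /* Other architectures (assumption): libc's generic wrapper does the same. */
    ret = syscall(nr, a1, a2, a3);
#endif
    return ret;              /* on failure the kernel hands back -errno */
}

/* write(2) without libc: bytes written, or -errno. */
long raw_write(int fd, const char *buf, size_t len)
{
    return raw_syscall3(SYS_write, fd, (long)buf, (long)len);
}

/* getpid(2) without libc: proves the raw path really reached the kernel. */
long raw_getpid(void)
{
    return raw_syscall3(SYS_getpid, 0, 0, 0);
}

/* exit(2) without libc; never returns. */
void raw_exit(int status)
{
    raw_syscall3(SYS_exit, status, 0, 0);
    __builtin_unreachable();
}

int main(void)
{
    static const char msg[] = "hello from a raw write syscall\n";
    raw_write(1, msg, sizeof msg - 1);
    raw_exit(42);            /* check the status with: ./a.out; echo $? */
}
```

Compare `raw_getpid()` with libc's `getpid()` to confirm the trap went through; a negative return from `raw_write()` is the kernel's `-errno`, which libc would normally translate into `errno` and `-1`.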
Exploitation
Integer Overflow
An arithmetic operation may produce a result larger than the maximum representable value; a potential error condition may result.
In the ISO C99 standard, signed integer overflow causes undefined behavior (unsigned arithmetic, by contrast, wraps modulo 2^N).
Pac-Man kill screen
The game's level counter was a single 8-bit byte and could therefore store only 256 distinct values (0–255). Reaching the 256th level causes an integer overflow in the counter...
Integer Overflow
➔ From /usr/include/limits.h: INT_MAX is 0x7fffffff
➔ Our own example: 0x7fffffff + 0x1 wraps to 0x80000000, the bit pattern of INT_MIN (-2147483648), so the "larger" result is smaller than either operand
Demo time...
Integer Overflow
➔ This is INT_MAX + 1
➔ Our format string: %d\n
➔ We call <printf@plt>, which prints the wrapped value as -2147483648
Every time you make an overflow, God kills a kitten.
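An added example (not the slide's demo program) showing the INT_MAX + 1 arithmetic done in a well-defined way, the overflow-checked builtins that replace it, and the pattern where this bites in real code: an attacker-supplied element count multiplied by an element size to compute an allocation. The count and sizes used below are constructed inputs; `__builtin_add_overflow` and `__builtin_mul_overflow` are GCC/Clang builtins.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The slide's arithmetic, done in unsigned so it is well defined:
 * 0x7fffffff + 0x1 == 0x80000000. Reinterpreted as a signed int that bit
 * pattern is INT_MIN, which is what the demo's "%d" prints. The same addition
 * on signed ints is undefined behaviour in C99, so a compiler may assume it
 * never happens and delete a check written as `if (a + 1 < a)`. */
uint32_t int_max_plus_one_bits(void)
{
    uint32_t u = (uint32_t)INT_MAX;   /* 0x7fffffff */
    return u + 1u;                    /* 0x80000000 */
}

/* Safe signed addition: reports the overflow instead of invoking UB. */
bool add_checked(int a, int b, int *out)
{
    return !__builtin_add_overflow(a, b, out);
}

/* VULNERABLE pattern: an attacker-controlled element count is multiplied by
 * the element size in 32-bit arithmetic to size an allocation. The product
 * wraps, a tiny buffer is allocated, and the copy loop that still trusts
 * `count` writes far past it. */
size_t naive_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;         /* wraps modulo 2^32 */
}

/* HARDENED: refuse any product that does not fit in size_t. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out)
{
    return !__builtin_mul_overflow(count, elem_size, out);
}

int main(void)
{
    int r;
    size_t n;
    printf("INT_MAX + 1 as bits: 0x%08x\n", (unsigned)int_max_plus_one_bits());
    printf("add_checked(INT_MAX, 1): %s\n",
           add_checked(INT_MAX, 1, &r) ? "ok" : "overflow");
    printf("naive size for 0x40000001 elements x 4 bytes: %zu bytes\n",
           naive_alloc_size(0x40000001u, 4u));
    printf("checked size for SIZE_MAX/2+1 x 4: %s\n",
           checked_alloc_size(SIZE_MAX / 2 + 1, 4, &n) ? "ok" : "overflow");
    return 0;
}
```

The naive path sizes a 4-byte allocation for what the caller believes are a billion elements; that is the heap-overflow setup behind many real integer-overflow CVEs, and the checked variant is the one-line fix.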
Stack overflow
Demo time...
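The stack overflow slides are screenshots that did not survive extraction. As an added example (not the author's demo), here is the i386 frame layout the attack relies on, modelled as a struct so the program runs deterministically instead of corrupting its own stack: a `char buf[16]` followed by the saved ebp and the return address, the classic `strcpy()` into it, the payload that reaches the return address, and the bounded copy that refuses it. The frame values and the `0xdeadbeef` target are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of an i386 frame for a function with `char buf[16]`: the buffer sits
 * below the saved ebp and the return address, so bytes written past buf[15]
 * land first in saved_ebp and then in ret. Little-endian, as on x86. */
struct frame {
    char     buf[16];
    uint32_t saved_ebp;
    uint32_t ret;
};

/* The textbook vulnerable function. Shown for reference only: it is never
 * called with long input here, because the real overflow is undefined
 * behaviour and a -fstack-protector build would abort it anyway. */
void vuln(const char *s)
{
    char buf[16];
    strcpy(buf, s);               /* no bounds check: overflows for strlen(s) >= 16 */
    puts(buf);
}

/* Payload: 16 bytes of padding, 4 bytes over the saved ebp, then the address
 * execution is redirected to, least significant byte first. Returns its length. */
size_t build_payload(uint8_t *out, uint32_t target)
{
    memset(out, 'A', 16);         /* fills buf */
    memset(out + 16, 'B', 4);     /* replaces saved ebp */
    for (int i = 0; i < 4; i++)
        out[20 + i] = (uint8_t)(target >> (8 * i));
    out[24] = '\0';
    return 24;
}

/* Replays strcpy's behaviour (copy through the terminating NUL, no bounds)
 * against the modelled frame and returns the address `ret` would jump to. */
uint32_t simulate_overflow(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = 0xbffff000u;    /* constructed values for the honest frame */
    f.ret       = 0x08048500u;
    size_t n = strlen(input) + 1;
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);         /* the copy runs through buf into ebp and ret */
    return f.ret;
}

/* HARDENED copy: reject input that does not fit together with its terminator. */
bool copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t len = strnlen(src, dstsz);
    if (len >= dstsz)
        return false;             /* would overflow: refuse, do not truncate silently */
    memcpy(dst, src, len + 1);
    return true;
}

int main(void)
{
    uint8_t payload[32];
    char safe[16];
    build_payload(payload, 0xdeadbeefu);
    printf("ret after overflow:   0x%08x\n", (unsigned)simulate_overflow((const char *)payload));
    printf("ret with short input: 0x%08x\n", (unsigned)simulate_overflow("hello"));
    printf("bounded copy accepts payload? %s\n",
           copy_bounded(safe, sizeof safe, (const char *)payload) ? "yes" : "no");
    return 0;
}
```

Offsets 16 and 20 are exact for this model; on a real binary you find them with a cyclic pattern in the debugger, because the compiler may add alignment padding between the buffer and the saved registers.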
Format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf().
Format Strings
Missing format string: printf(buffer) instead of printf("%s", buffer)
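An added example (not from the slides) putting the vulnerable call next to the hardened one, a screen that counts conversion specifiers in untrusted input, and the `%n` directive used with a legitimate argument to show the write primitive an attacker gets when the format is theirs. The strings fed in are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the user string becomes the format. "%x %x %x" reads stack
 * slots, "%s" dereferences them (crash or info leak), "%n" writes an int to
 * whatever pointer sits in the argument slot. Kept only for illustration. */
void log_vuln(const char *user)
{
    printf(user);                /* -Wformat-security flags exactly this */
}

/* HARDENED: user data is an argument, never the format. Renders into `out`
 * and returns the number of characters the string produced. */
int log_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* Screen for input that will later reach a formatting function: counts the
 * conversion specifiers an attacker could use. "%%" is a literal percent. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" renders as '%' */
        n++;
    }
    return n;
}

/* %n stores the number of characters written so far into the int pointer
 * taken from the argument list. With a user-controlled format, that "pointer"
 * is whatever is in the next stack slot, which is the arbitrary write.
 * Here the argument is supplied deliberately, so the call is well defined. */
int percent_n_demo(void)
{
    char buf[32];
    int written = -1;
    snprintf(buf, sizeof buf, "%s%n", "abc", &written);
    return written;              /* 3 */
}

int main(void)
{
    char out[64];
    const char *evil = "AAAA%08x.%08x.%08x.%n";
    printf("conversions in %s: %d\n", evil, count_conversions(evil));
    log_safe(out, sizeof out, evil);
    printf("log_safe renders it literally: %s\n", out);
    printf("%%n wrote %d\n", percent_n_demo());
    return 0;
}
```

`log_safe()` is the whole fix; `count_conversions()` is only useful as a detection for input that a third-party component insists on treating as a format, and is no substitute for that fix.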
Adjacent Memory corruption
strncpy(vuln_array, argv[1], sizeof(vuln_array) - 1);
strncpy() does not NUL-terminate when the source is at least as long as the count, and this call never writes the array's last byte; a later string operation on vuln_array then reads on into whatever sits next to it in memory.
Demo time...
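An added example (not the slide's demo) of the strncpy pattern above with a constructed neighbour: a `name[8]` field right before a `secret[8]` field. When the input fills `name`, no terminator is written and a following `printf("%s")` prints the neighbour as part of the string. The second function is the same copy with the one line that fixes it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent fixed-size fields, like two locals next to each other on the
 * stack or two members of a struct. Constructed layout for the example. */
struct record {
    char name[8];
    char secret[8];
};

/* The slide's pattern. strncpy(dst, src, sizeof dst - 1) writes at most 7
 * bytes and never touches name[7]; when the source fills the buffer no NUL is
 * stored and the string "continues" into secret. Renders what a later
 * printf("%s", r.name) would print into `out` and returns its length. */
size_t unterminated_copy(const char *input, char *out, size_t outsz)
{
    struct record r;
    memset(r.name, 'X', sizeof r.name);          /* stale bytes, as in an uninitialised local */
    memcpy(r.secret, "SECRET", 7);                /* 6 characters plus NUL */
    strncpy(r.name, input, sizeof r.name - 1);
    /* scan from the start of the whole object, so the read stays inside it */
    return (size_t)snprintf(out, outsz, "%s", (const char *)&r);
}

/* Fixed: terminate explicitly after the bounded copy (or use snprintf). */
size_t terminated_copy(const char *input, char *out, size_t outsz)
{
    struct record r;
    memset(r.name, 'X', sizeof r.name);
    memcpy(r.secret, "SECRET", 7);
    strncpy(r.name, input, sizeof r.name - 1);
    r.name[sizeof r.name - 1] = '\0';             /* the byte strncpy never writes */
    return (size_t)snprintf(out, outsz, "%s", (const char *)&r);
}

int main(void)
{
    char out[32];
    unterminated_copy("AAAAAAAAAAAA", out, sizeof out);
    printf("unterminated: %s\n", out);   /* AAAAAAAXSECRET */
    terminated_copy("AAAAAAAAAAAA", out, sizeof out);
    printf("terminated:   %s\n", out);   /* AAAAAAA */
    return 0;
}
```

The same missing terminator turns a later `strcpy(dst, r.name)` into a write of the neighbour's bytes as well, which is where the corruption (rather than just the leak) comes from.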
Protections
An operating system with support for the NX bit can mark certain areas of memory as Non-eXecutable. The CPU will refuse to execute any code residing in those areas, so shellcode written into the stack or heap cannot be run from there.
Intel markets the feature as the XD bit (eXecute Disable). AMD uses the name Enhanced Virus Protection.
NX STACK
Non-executable stack CPU flag present (shown on Linux as the nx flag in /proc/cpuinfo).
W^X (Write XOR eXecute) is an OpenBSD security feature: a memory protection policy whereby every page in a process address space is either writable or executable, but never both at the same time.
W^X first appeared in OpenBSD 3.3, released in May 2003.
Similar features are available for other operating systems, including the PaX and Exec Shield patches for Linux, and NetBSD 4+'s implementation of PaX.
W^X Memory
ASLR (Address Space Layout Randomization) randomly arranges the position of key data areas in a process's address space, usually including the base of the executable (on Linux only when it is built position-independent) and the positions of the libraries, heap and stack, so an exploit cannot hardcode the address of its shellcode or of a libc function. It is more effective when more entropy is present in the random offset. Linux has enabled it by default since kernel 2.6.12.
ASLR
AAAS (ASCII Armored Address Space) loads the shared libraries at memory addresses that start with NULL bytes (0x00). Because strcpy()-style functions stop at the first NUL byte, such an address can appear only as the very last thing in an overflow payload, which rules out chaining several return addresses or passing arguments after it.
AAAS
Start with nulls (0x00)
The cookie (canary) is a 32-bit or 64-bit value inserted between the buffer and sensitive data such as the saved return address (0x00007fff3a115000, for example).
Whenever the canary is found modified in the function epilogue, the program jumps into a failure handler, usually aborting the process instead of returning to the attacker's address.
Cookies
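An added example (not from the slides) of the cookie check and of the NUL-byte trick that AAAS and glibc's canary share, using the same struct-modelled frame approach as the stack overflow example: the canary sits between the buffer and the saved return address, its least significant byte is 0x00 (the first byte after the buffer in memory), and the epilogue compares it with the reference copy. The reference value, frame addresses and payloads are constructed; a real implementation reads the reference from thread-local storage and picks it at process start.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct frame {
    char     buf[16];
    uint32_t canary;       /* between the buffer and the control data */
    uint32_t saved_ebp;
    uint32_t ret;
};

/* Constructed reference value. Its low byte is 0x00 on purpose: little-endian,
 * that byte is the first one after buf, so a strcpy-style overflow stops there. */
static const uint32_t CANARY_REF = 0x5a3c9e00u;

/* The epilogue: true if the function would return normally, false if the
 * failure handler (__stack_chk_fail) would fire. `ret_out` gets the address
 * it would have returned to. */
static bool epilogue_check(const struct frame *f, uint32_t *ret_out)
{
    *ret_out = f->ret;
    return f->canary == CANARY_REF;
}

/* Overflow with strcpy semantics: copies through the first NUL, unbounded. */
bool run_strcpy_overflow(const char *payload, uint32_t *ret_out)
{
    struct frame f = { {0}, CANARY_REF, 0xbffff000u, 0x08048500u };
    size_t n = strlen(payload) + 1;
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, payload, n);
    return epilogue_check(&f, ret_out);
}

/* Overflow with memcpy/read() semantics: attacker-supplied length, NULs do
 * not stop it, so the canary is only preserved if the attacker knows it. */
bool run_raw_overflow(const uint8_t *payload, size_t len, uint32_t *ret_out)
{
    struct frame f = { {0}, CANARY_REF, 0xbffff000u, 0x08048500u };
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, payload, len);
    return epilogue_check(&f, ret_out);
}

/* Payload: 16 bytes padding, 4 canary bytes, 4 over saved ebp, 4 of target. */
size_t build_payload(uint8_t *out, uint32_t canary, uint32_t target)
{
    memset(out, 'A', 16);
    for (int i = 0; i < 4; i++) out[16 + i] = (uint8_t)(canary >> (8 * i));
    memset(out + 20, 'B', 4);
    for (int i = 0; i < 4; i++) out[24 + i] = (uint8_t)(target >> (8 * i));
    return 28;
}

int main(void)
{
    uint8_t p[32];
    uint32_t ret;
    size_t n = build_payload(p, 0x41414141u, 0xdeadbeefu);   /* canary unknown */
    printf("raw overflow, guessed canary:  %s (ret 0x%08x)\n",
           run_raw_overflow(p, n, &ret) ? "returns" : "ABORT", (unsigned)ret);
    build_payload(p, CANARY_REF, 0xdeadbeefu);                /* canary leaked */
    printf("raw overflow, leaked canary:   %s (ret 0x%08x)\n",
           run_raw_overflow(p, n, &ret) ? "returns" : "ABORT", (unsigned)ret);
    printf("strcpy overflow, leaked canary: %s (ret 0x%08x)\n",
           run_strcpy_overflow((const char *)p, &ret) ? "returns" : "ABORT", (unsigned)ret);
    return 0;
}
```

Three outcomes worth remembering: a smashed canary is caught before the bad return address is used; a leaked canary plus a length-based overflow bypasses the check entirely, which is why info leaks matter; and even with the leaked value, a string-copy overflow is cut short by the 0x00 byte, the same property AAAS relies on for library addresses.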