Buffer Overflow for fun and pr0fit

Buffer Overflow for fun and pr0fit Facundo M. de la Cruz (@_tty0) [email protected]

description

Brief introduction to Buffer Overflow vulnerability exploitation and protections for the 8.8 Computer Security Conference at Santiago de Chile on 18 and 19 October 2012.

Transcript of Buffer Overflow for fun and pr0fit

Page 1: Buffer Overflow for fun and pr0fit

Buffer Overflow for fun and pr0fit

Facundo M. de la Cruz (@_tty0) [email protected]

Page 2: Buffer Overflow for fun and pr0fit

➔ Brief introduction to the Intel x86/x86_64 architecture

➔ Integer overflow

➔ Stack based buffer overflows

➔ Attacking a format string

➔ Shellcodes: The ASM cocktail

➔ OS Protections

AGENDA

Page 3: Buffer Overflow for fun and pr0fit

Why do I need to learn about Buffer Overflows?

- A common reason could be: do you want to impress your girlfriend and be cool and sexy?

1) Prepare your latest IE or Mozilla Firefox 0day.

2) Send an email containing «Hey! Check out this amazing news about naked photos of Rihanna» alongside a link pointing to a URL where the exploit is located.

3) Wait for him to click.

4) ????

5) Pr0fit!

- Secure your own software or the company software.

- Or simply because you are curious, and it's cool :-)

NOTES

Page 4: Buffer Overflow for fun and pr0fit

1

Intel Architecture

Page 5: Buffer Overflow for fun and pr0fit

➔ Real mode
- 20-bit segmented memory address space.
- Only 1 MB of memory can be addressed.
- Direct access to BIOS.

➔ Protected mode
- Provides protected memory.
- Memory paging support.
- Global Descriptor Table (GDT) and Local Descriptor Table (LDT).

➔ Virtual 8086 mode
- Hybrid operating mode for backward compatibility.
- Allows real mode programs to run under protected mode.
- Only available on 32-bit CPUs.

➔ Long mode
- 64-bit addresses: 16 EB of address space (16 billion GB).
- 64-bit instructions and registers.
- 16- and 32-bit programs are executed in a sub-mode.
- Extension of the 32-bit instruction set, but unlike the 16-to-32-bit transition.

CPU operating modes

Page 6: Buffer Overflow for fun and pr0fit

➔ Mechanisms to protect data and functionality from faults.

➔ Supervisor mode is a hardware-mediated flag which can be changed by code running in system-level software.

CPU RINGS

Page 7: Buffer Overflow for fun and pr0fit

Internal CPU structures that store a single word or value at a time.

➔ General purpose registers

➔ Control registers

➔ Offset registers

➔ Other registers

CPU Registers

Page 8: Buffer Overflow for fun and pr0fit

Memory sections

Page 9: Buffer Overflow for fun and pr0fit

THE STACK

Page 10: Buffer Overflow for fun and pr0fit

System calls

Page 11: Buffer Overflow for fun and pr0fit

System calls

➔ Our exit program in C

➔ The same program in Intel x86 ASM

Page 12: Buffer Overflow for fun and pr0fit

➔ The same program in Intel x86 ASM

From asm/unistd_32.h

System calls

Page 13: Buffer Overflow for fun and pr0fit

System Calls

➔ The same program in Intel x86 ASM

Argument (exit status)

From asm/unistd_32.h

Page 14: Buffer Overflow for fun and pr0fit

Switch from userspace to supervisor

➔ The same program in Intel x86 ASM

Argument (exit status)

From asm/unistd_32.h

System calls

Page 15: Buffer Overflow for fun and pr0fit

Exploitation

Page 16: Buffer Overflow for fun and pr0fit

Integer Overflow

When an arithmetic operation produces a result larger than the maximum representable value, a potential error condition may result.

In the ISO C99 standard, signed integer overflow causes undefined behavior.

Page 17: Buffer Overflow for fun and pr0fit

Pacman Kill screen

The game's level counter was a single 8-bit byte and could therefore store only 256 distinct values (0–255). Reaching the 256th level causes an integer overflow in the counter...

Page 18: Buffer Overflow for fun and pr0fit

Integer Overflow

➔ From /usr/include/limits.h

➔ Our own example

Page 19: Buffer Overflow for fun and pr0fit

Integer Overflow

➔ From /usr/include/limits.h

➔ Our own example

0x7fffffff

Page 20: Buffer Overflow for fun and pr0fit

Integer Overflow

➔ From /usr/include/limits.h

➔ Our own example

0x7fffffff

0x7fffffff + 0x1

Page 21: Buffer Overflow for fun and pr0fit

Integer Overflow

➔ From /usr/include/limits.h

➔ Our own example

0x7fffffff

0x7fffffff + 0x1 → 0x80000000

Page 22: Buffer Overflow for fun and pr0fit

Demo time...

Page 23: Buffer Overflow for fun and pr0fit

Integer Overflow

This is INT_MAX + 1

Page 24: Buffer Overflow for fun and pr0fit

Integer Overflow

This is INT_MAX + 1 Our format string: %d\n

Page 25: Buffer Overflow for fun and pr0fit

Integer Overflow

This is INT_MAX + 1. Our format string: %d\n

We call <printf@plt>
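The wraparound the slides step through (0x7fffffff + 0x1 → 0x80000000, printed by %d as a negative number) and the check that prevents it, as an added example that is not part of the original deck. The arithmetic is done in unsigned 32-bit, which C defines, so the program itself never triggers the undefined signed overflow it illustrates.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 32-bit add with two's-complement wraparound, done in unsigned arithmetic,
 * which C defines (modulo 2^32). Signed overflow, the thing the slides
 * demonstrate, is undefined behaviour, so it is never performed here. */
uint32_t wrap_add32(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Portable reinterpretation of a 32-bit pattern as a signed value: this is
 * what printf("%d") shows for the wrapped result. */
int32_t as_signed32(uint32_t v)
{
    if (v <= (uint32_t)INT32_MAX)
        return (int32_t)v;
    return (int32_t)(v - (uint32_t)INT32_MAX - 1u) + INT32_MIN;
}

/* Checked signed add, the mitigation: refuses instead of wrapping. */
bool checked_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Convenience wrapper: does a + b overflow int? */
bool add_overflows(int a, int b)
{
    int unused;
    return !checked_add_int(a, b, &unused);
}

int main(void)
{
    uint32_t r = wrap_add32(0x7fffffffu, 0x1u);
    printf("0x7fffffff + 0x1 -> 0x%08x, as %%d: %d\n", r, (int)as_signed32(r));
    printf("INT_MAX + 1 overflows: %s\n", add_overflows(INT_MAX, 1) ? "yes" : "no");
    return 0;
}
```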

Page 26: Buffer Overflow for fun and pr0fit

Every time you make an overflow, God kills a kitten.

Page 27: Buffer Overflow for fun and pr0fit

Stack overflow

Page 28: Buffer Overflow for fun and pr0fit

Stack overflow

Page 29: Buffer Overflow for fun and pr0fit

Stack overflow

Page 30: Buffer Overflow for fun and pr0fit

Stack overflow

Page 31: Buffer Overflow for fun and pr0fit

Stack overflow

Page 32: Buffer Overflow for fun and pr0fit

Stack overflow

Page 33: Buffer Overflow for fun and pr0fit

Demo time...

Page 34: Buffer Overflow for fun and pr0fit

Format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf().

Format Strings

Page 35: Buffer Overflow for fun and pr0fit


Format Strings

Missing format string
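The "missing format string" bug and its fix side by side, as an added example that is not part of the original deck: the user string is only ever passed as an argument to a constant "%s" format, and a small scanner counts how many directives the input would have injected had it reached printf() as the format itself. The hostile-looking input is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion directives ('%' not followed by another '%') in an
 * untrusted string. Any non-zero count in data that reaches printf() as the
 * format argument is the "missing format string" bug from the slide. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened form: the format is a constant and the user text is only ever
 * an argument to %s, so directives inside it are copied, not interpreted. */
int log_user_message(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "user said: %s", user);
}

/* Returns 1 when the formatted line still contains the user text verbatim. */
int message_preserves_input(const char *user)
{
    char out[128];
    log_user_message(out, sizeof out, user);
    return strstr(out, user) != NULL;
}

int main(void)
{
    const char *user = "%x %x %n";   /* constructed hostile-looking input */
    /* Vulnerable form from the slide, deliberately NOT executed: printf(user); */
    printf("%zu directive(s) would have been interpreted; preserved verbatim: %d\n",
           count_directives(user), message_preserves_input(user));
    return 0;
}
```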

Page 36: Buffer Overflow for fun and pr0fit

Adjacent Memory corruption

Page 37: Buffer Overflow for fun and pr0fit

Adjacent Memory corruption

strncpy(vuln_array, argv[1], sizeof(vuln_array) - 1);
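Why the strncpy() call above can still corrupt or leak adjacent memory, as an added example that is not the deck's demo code: strncpy() writes no terminator when the source is at least n bytes long, so with sizeof(array) - 1 the last byte keeps whatever stale value was on the stack, and any later strlen() or "%s" walks past the array. The hardened copy below always terminates and reports truncation. The 8-byte array and the 16-byte input are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define VULN_SIZE 8

/* Same pattern as the slide. Returns 1 if no terminator ended up inside the
 * array, i.e. a following strlen()/printf("%s") would read adjacent memory. */
int strncpy_leaves_unterminated(const char *src)
{
    char vuln_array[VULN_SIZE];
    memset(vuln_array, 'X', sizeof vuln_array);   /* stale, non-zero stack bytes */
    strncpy(vuln_array, src, sizeof(vuln_array) - 1);
    return memchr(vuln_array, '\0', sizeof vuln_array) == NULL;
}

/* Hardened copy: always terminates, truncates long input.
 * Returns 0 on a clean copy, -1 if the input had to be truncated. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* includes the terminator */
    return 0;
}

/* Wrapper for the same array size: copy_bounded's return value. */
int copy_bounded_truncates(const char *src)
{
    char arr[VULN_SIZE];
    return copy_bounded(arr, sizeof arr, src);
}

int main(void)
{
    const char *input = "AAAAAAAAAAAAAAAA";   /* constructed 16-byte input */
    printf("strncpy(sizeof - 1) left buffer unterminated: %d\n",
           strncpy_leaves_unterminated(input));
    printf("copy_bounded truncated (-1) the same input: %d\n",
           copy_bounded_truncates(input));
    return 0;
}
```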

Page 38: Buffer Overflow for fun and pr0fit

Demo time...

Page 39: Buffer Overflow for fun and pr0fit

Protections

Page 40: Buffer Overflow for fun and pr0fit

An operating system with support for the NX bit may mark certain areas of memory as non-executable. The CPU will refuse to execute any code residing in these areas of memory.

Intel markets the feature as the XD bit, for eXecute Disable. AMD uses the name Enhanced Virus Protection.

NX STACK

Page 41: Buffer Overflow for fun and pr0fit


NX STACK

Non-executable stack: CPU flag present.

Page 42: Buffer Overflow for fun and pr0fit

W^X (write XOR execute) is an OpenBSD security feature: a memory protection policy whereby every page in a process's address space is either writable or executable, but not both simultaneously.

W^X first appeared in OpenBSD 3.3, released May 2003.

Similar features are available for other operating systems, including the PaX and Exec Shield patches for Linux, and NetBSD 4+'s implementation of PaX.

W^X Memory

Page 43: Buffer Overflow for fun and pr0fit

ASLR (Address Space Layout Randomization) involves randomly arranging the positions of key data areas in a process's address space, usually including the base of the executable and the positions of libraries, heap and stack.

It is more effective when more entropy is present in the random offset. Linux has enabled it by default since kernel version 2.6.12.

ASLR

Page 44: Buffer Overflow for fun and pr0fit

AAAS (ASCII Armored Address Space) loads the shared libraries at memory addresses that start with NULL bytes (0x00).

AAAS

Page 45: Buffer Overflow for fun and pr0fit


AAAS

Start with nulls (0x00)

Page 46: Buffer Overflow for fun and pr0fit

A cookie (canary) is a 32-bit or 64-bit value inserted between the buffer and sensitive data (0x00007fff3a115000, for example).

Whenever the canary is found modified, the program jumps into a handler, usually causing it to crash.

Cookies

Page 47: Buffer Overflow for fun and pr0fit