
BUFFER OVERFLOW -Eswar Balasubramanian ECE578


Presentation Transcript


  1. BUFFER OVERFLOW -Eswar Balasubramanian ECE578

  2. Precursor: How serious is this BO?
     • Number of vulnerabilities in the past week – 11
     • First six vulnerabilities of 2002

  3. Agenda
     • BO – what is it?
     • About the stack
     • Exploit
     • Prevention

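  4. Buffer Overflow
     • Copying more data into a buffer than it can hold

         char variable[10];
         char safe[9] = "AAAAAAAA";   /* 8 characters plus the terminating NUL */
         char unsafe[30] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
         strcpy(variable, safe);      /* fits in variable[10] */
         strcpy(variable, unsafe);    /* writes past the end of variable[10] */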

  5. Stack
     • Used by functions
     • Variables are allocated dynamically
     • esp and ebp adjusted accordingly

         /* vulnerable.c */
         #include <stdio.h>

         int main()
         {
             char buffer[500];
             gets(buffer);   /* gets() does no bounds checking on buffer */
             return 0;
         }

     • Ret from gets points to "return 0"

     Figure (stack layout): sfp, ret from gets | esp: buffer [500] | ebp: sfp [4] | ret [4]

  6. What Next?
     • To alter the return address to our liking
     • To place tailor-made code to do what we like

         [ buffer   ] [sfp ] [ret ]
         [xxxxxxxxxx] [xxxx] [xxxx]
              500        4      4

     Algorithm:
     • Copy the big string into the buffer area to overflow the sfp and ret
     • Overflow the ret such that the return address points to the beginning of the buffer
     • Upon completion the program will return to the place pointed to by ret, which has been altered to point to the beginning of the buffer
     • This buffer will contain the code to do something we like

  7. To Do
     • Calculate return address
     • Construct large string
     • Return address calculated by finding the stack pointer of gets()
     • Subtract a guessed value from esp

  8. • String initially filled entirely with the ret address
     • Beginning of the string with NOPs (1/3)
     • Fill with the tailor-made code
     • Overflow the buffer (usually by passing as argument)

  9.
         char buffer[SIZE];
         ret = esp - offset;

         // fill buffer with ret addr's
         ptr = buffer;
         addr_ptr = (long *)ptr;
         for(i=0; i<SIZE; i+=4)
             *(addr_ptr++) = ret;

         // fill first half of buffer with NOPs
         for(i=0; i<SIZE/2; i++)
             buffer[i] = '\x90';

         // insert shellcode in the middle
         ptr = buffer + ((SIZE/2) - (strlen(listDir)/2));
         for(i=0; i<strlen(listDir); i++)
             *(ptr++) = listDir[i];

  10. EXECUTION

  11. PREVENTION
     • Use strncat(), strncpy(), fgets()
     • StackGuard
     • Patch to make stack non-executable
     • Wrapper libraries
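
The first prevention bullet applied to the vulnerable.c program from slide 5 and the strcpy() calls from slide 4, as an added example that is not part of the original presentation. The helper names read_line and copy_bounded are hypothetical; the code shows the two details the bounded functions leave to the caller: detecting an over-long line after fgets(), and terminating the destination after strncpy().

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for gets(): reads one line from fp into buf (size n).
 * Returns 0 on success, -1 on EOF or error, and 1 if the line did not fit;
 * the excess input is discarded instead of being written past buf. */
int read_line(FILE *fp, char *buf, size_t n)
{
    if (n == 0 || fgets(buf, (int)n, fp) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* whole line fit: strip newline */
        return 0;
    }
    /* No newline stored: drain the rest of the line so the next read
     * starts at a line boundary, and note whether anything was dropped. */
    int c, truncated = 0;
    while ((c = fgetc(fp)) != '\n' && c != EOF)
        truncated = 1;
    return truncated;
}

/* strncpy() leaves dst unterminated when src has n or more characters,
 * so copy at most n-1 and terminate explicitly.
 * Returns 1 if src was truncated, 0 otherwise. */
int copy_bounded(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return 1;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return strlen(src) >= n;
}

int main(void)
{
    char buffer[500];                   /* same size as in vulnerable.c */
    int rc = read_line(stdin, buffer, sizeof buffer);
    if (rc == 1) {
        fputs("input too long, rejected\n", stderr);
        return 1;
    }
    if (rc == 0)
        printf("read %zu bytes\n", strlen(buffer));
    return 0;
}
```

Rejecting the truncated line, rather than processing its first 499 bytes, keeps a later parser from acting on half of an input.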
