Stack-based buffer overflows, part 2
Yves Younan
DistriNet, Department of Computer Science, Katholieke Universiteit Leuven, Belgium
Yves.Younan@cs.kuleuven.ac.be
Overview
• Code injection
Yves Younan - Methodology for Designing Countermeasures against Code injection Attacks
Code injection
• Finding the inserted code is sometimes a problem
• Often an attacker will fill a buffer with NOPs and place the shellcode at the end
• If the guessed address is slightly off, execution may still land in the NOPs and run through to the shellcode
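The NOP-padding technique on this slide is also what the classic "NOP sled" detection heuristic keys on. The following is an added example written for this page (not code from the slides): it measures the longest run of consecutive NOP bytes in an input buffer and flags it when the run reaches a threshold. It assumes the x86 single-byte NOP (0x90), which the slide does not name; the threshold and the sample buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 single-byte NOP. The slide only says "nops", so the architecture
   is an assumption of this example. */
#define X86_NOP 0x90

/* Return the length of the longest run of consecutive NOP bytes in buf. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == X86_NOP) {
            cur++;
            if (cur > best)
                best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Heuristic check: 1 if the longest NOP run reaches the threshold, else 0.
   The threshold is a tuning parameter chosen by the defender. */
int looks_like_sled(const unsigned char *buf, size_t len, size_t threshold)
{
    return longest_nop_run(buf, len) >= threshold;
}

int main(void)
{
    /* Constructed sample: 32 NOP bytes followed by 8 arbitrary bytes. */
    unsigned char sample[40];
    memset(sample, X86_NOP, 32);
    memcpy(sample + 32, "XXXXXXXX", 8);

    printf("longest NOP run: %zu, flagged: %d\n",
           longest_nop_run(sample, sizeof sample),
           looks_like_sled(sample, sizeof sample, 16));
    return 0;
}
```

Runs of 0x90 also occur in legitimate code (alignment padding), so a run-length threshold alone gives false positives; it is a cheap first filter rather than a verdict.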
Gdb intro
• Compile the code with -g to include debugging information
• gdb program
• break main -> tells the debugger to stop when main is reached
• run -> runs the program
• x buffer -> prints the contents of buffer (and its address)
• If the shellcode is stored in the buffer, that address is the value to overwrite the return address with
Execve
• Execve allows execution of a program
• int execve(const char *filename, char *const argv[], char *const envp[]);
• Must pass an array of arguments, terminated with NULL; note that the program name is argument 0
• Must also pass an array of environment variables, terminated with NULL
Execve

    #include <unistd.h>

    int main(int argc, char **argv)
    {
        /* argv[0] is the program name; both arrays are NULL-terminated */
        char *execargv[3] = { "/bin/ls", "--color=always", NULL };
        char *env[2] = { "TEST=1", NULL };
        execve(execargv[0], execargv, env);
        /* execve only returns if it failed */
        return 1;
    }
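The slide's program passes execve a hand-built argv and a hand-built, one-entry environment, which is the complete contract: argv[0] is the program name and both vectors end in NULL. The following is an added example for this page (not code from the slides) that builds the vectors through a small helper, verifies the NULL sentinel before the call, and checks the return of execve, which only returns on failure. The helper names build_vector and vector_is_terminated are this example's own, not libc functions.

```c
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Copy n pointers from src into dst and NULL-terminate dst.
   Returns n, or -1 if n entries plus the sentinel do not fit in max.
   (Helper written for this example; not a libc function.) */
int build_vector(char **dst, size_t max, char *const *src, size_t n)
{
    if (n + 1 > max)
        return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
    dst[n] = NULL;
    return (int)n;
}

/* Check the contract execve relies on: a NULL sentinel must appear within
   the first max entries. Returns 1 if it does, 0 otherwise. */
int vector_is_terminated(char *const *vec, size_t max)
{
    for (size_t i = 0; i < max; i++)
        if (vec[i] == NULL)
            return 1;
    return 0;
}

int main(void)
{
    /* Same program and arguments as on the slide. */
    char *args[] = { "/bin/ls", "--color=always" };
    char *vars[] = { "TEST=1" };
    char *argv[4];
    char *envp[4];

    if (build_vector(argv, 4, args, 2) < 0 || build_vector(envp, 4, vars, 1) < 0)
        return 1;
    if (!vector_is_terminated(argv, 4) || !vector_is_terminated(envp, 4))
        return 1;

    /* envp is exactly what we built: nothing from the parent's environment
       is inherited by the new program. */
    execve(argv[0], argv, envp);

    /* Only reached when execve failed (e.g. /bin/ls missing). */
    perror("execve");
    return 1;
}
```

Because envp is passed explicitly, the new program sees only the variables listed here; an environment the parent did not choose is never carried across the exec.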
Finding inserted code
• Generally (on kernels < 2.6) the stack will start at a static address
• Finding the shellcode means running the program with a fixed set of arguments and a fixed environment
• This will result in the same address
• Not very precise: a small change can shift the location of the code
• It is not mandatory to put the shellcode in the buffer used to overflow
• It can be passed as an environment variable instead
Controlling the environment

Stack layout at process start (high addresses at the top):

    0xBFFFFFFF  Stack start      High addr
                0,0,0,0          (4 null bytes)
                Program name
                Env var n
                Env var n-1
                …
                Env var 0
                Arg n
                Arg n-1
                …
                Arg 0            Low addr

Passing shellcode as environment variable, its address is:
• Stack start - 4 null bytes - strlen(program name) - null byte (program name) - strlen(shellcode)
• 0xBFFFFFFF - 4 - strlen(program name) - 1 - strlen(shellcode)
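The address formula on this slide only works because the stack top is a fixed constant on the kernels the slide refers to. The following is an added example for this page (not code from the slides): it locates a named variable in the process environment, computes the address the slide's fixed-stack model predicts for its value, and compares the two. On a kernel that randomises the stack base the two values disagree from run to run, which is exactly why that mitigation breaks this technique. The function names find_env and model_env_value_addr are this example's own; it assumes a 32-bit layout with the slide's 0xBFFFFFFF stack top and uses argv[0] as a stand-in for the program-name string stored at the stack top.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed stack top on 32-bit Linux kernels < 2.6, as given on the slide. */
#define CLASSIC_STACK_TOP 0xBFFFFFFFUL

extern char **environ;

/* Return a pointer to the value part of "NAME=value" in envp,
   or NULL if NAME is not present. Requires an exact name match. */
const char *find_env(char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* The slide's model for the address of the value of the last environment
   variable: stack top - 4 null bytes - strlen(program name) - its NUL byte
   - strlen(value). Only meaningful when the stack top is fixed. */
unsigned long model_env_value_addr(unsigned long stack_top,
                                   size_t progname_len, size_t value_len)
{
    return stack_top - 4 - progname_len - 1 - value_len;
}

int main(int argc, char **argv)
{
    (void)argc;
    const char *val = find_env(environ, "TEST");
    if (val == NULL) {
        fprintf(stderr, "run with TEST=<value> set in the environment\n");
        return 1;
    }

    unsigned long actual = (unsigned long)(uintptr_t)val;
    /* argv[0] stands in for the program-name string at the stack top. */
    unsigned long model = model_env_value_addr(CLASSIC_STACK_TOP,
                                               strlen(argv[0]), strlen(val));

    printf("actual address of TEST's value : 0x%lx\n", actual);
    printf("fixed-stack model prediction    : 0x%lx\n", model);
    if (actual == model)
        printf("layout matches the fixed-stack model\n");
    else
        printf("mismatch: stack top is not fixed (e.g. ASLR), "
               "or other variables sit above TEST\n");
    return 0;
}
```

Run it several times with TEST=anything in the environment: a constant "actual" address means the deterministic model applies, while an address that changes between runs shows the stack base is randomised.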
Conclusion
• Follow "Gera's Insecure Programming by example":
• http://community.corest.com/~gera/InsecureProgramming/
• Login/pass for the computers: cstudy/distrinet