Title: Buffer Overflow Exploits
Slide 1: Buffer Overflow Exploits

Slide 2: What is a buffer overflow?
- Memory
  - global static
  - heap
    - malloc( ), new
  - Stack
    - non-static local variables
    - value parameters
- A buffer is a contiguously allocated chunk of memory
- A buffer overflow happens any time we put more data into a data structure than it was designed for.
Slide 3: Side Effects
- The side effects of a buffer overflow vary:
  - the program may work strangely
  - the program may fail
  - the program may continue without any noticeable problems
Slide 4: Side Effects Depend on
- How much data was written past the end of the buffer
- What data (if any) are overwritten
- Whether the program attempts to read data that are overwritten
- What data ends up replacing the memory that gets overwritten
Slide 5: Three Basic Attacks
- Overrun a static buffer
  - hurts data, but little to no exposure for loss of control
- Stack smashing
  - place attack code in memory, find some sloppy use of the runtime stack, use the stack to transfer control to the attack code
- Heap overflow
  - much harder to exploit, as there isn't usually a mechanism to gain control
Slide 6: Defensive Programming
- The C Standard library has a number of highly susceptible function calls
  - gets( ) - reads data from stdin until EOF or a newline character
  - strcpy( ) - copies a string into a buffer; the number of chars copied depends on the length of the source string
Slide 7: strcpy( )

    /* if you know the size of the destination buffer */
    if (strlen(src) >= dst_size) {   /* >= : one byte is needed for the '\0' */
        /* throw an error */
    } else {
        strcpy(dst, src);
    }

    /* - or - */
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';        /* just to be safe: strncpy() does not always terminate */

    /* - or - allocate the destination buffer when you need it */
    dst = (char *)malloc(strlen(src) + 1);
    strcpy(dst, src);
Slide 8: strcat( )

    /* same as strcpy( ) but concatenates the source string to the end of a buffer */
    /* safer alternative is to use strncat( ); you still need to ensure you don't */
    /* overrun the destination buffer */
    strncat(dst, src, dst_size - strlen(dst) - 1);
Slide 9: sprintf( ), vsprintf( )

    /* usually used for formatting text but can accidentally cause a buffer overrun */
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        char usage[1024];
        sprintf(usage, "USAGE %s -f flag arg1\n", argv[0]);
        return 0;
    }

    /* this program could easily be subverted by */
    int main(void)
    {
        execl("/path/to/previous/program", "<< really long string here >>", NULL);
        return 0;
    }
Slide 10: sprintf( ), vsprintf( )

    /* There is no really portable way around this problem; sometimes a snprintf( ) */
    /* is provided that lets you specify the max number of characters to copy */
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        char usage[1024];
        char *format_string = "USAGE %s -f flag arg1\n";
        snprintf(usage, 1024, format_string, argv[0]);
        return 0;
    }

    /* a safer way is to specify a precision for each argument */
    int main(int argc, char *argv[])
    {
        char usage[1024];
        sprintf(usage, "USAGE %.1000s -f flag arg1\n", argv[0]);
        return 0;
    }
Slide 11: scanf( ), sscanf( ), fscanf( ), vfscanf( )

    /* these are likewise poorly designed; in this case destination buffers can overflow */
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        char buffer[256];
        sscanf(argv[0], "%s", buffer);
        return 0;
    }

    /* if the word being scanned is bigger than the buffer size it will overflow; fix the */
    /* problem by specifying a width for the argument */
    int main(int argc, char *argv[])
    {
        char buffer[256];
        sscanf(argv[0], "%255s", buffer);
        return 0;
    }
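The bounded-copy patterns from slides 7, 10 and 11 (size check before strcpy( ), strncpy( ) with explicit termination, a precision on %s for snprintf( ), a width on %s for sscanf( )) collected into testable functions; this is an added example, not code from the slides, and the 300-byte input in main( ) is constructed to overrun a 256-byte buffer.

```c
#include <stdio.h>
#include <string.h>

/* Slide 7, strategy 1: refuse the copy when it would not fit.
 * Returns 0 on success, -1 when src plus its '\0' exceeds dst_size. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (strlen(src) >= dst_size)   /* >= : one byte is needed for the '\0' */
        return -1;
    strcpy(dst, src);
    return 0;
}

/* Slide 7, strategy 2: strncpy() truncates but does not promise a terminator,
 * so the last byte is written explicitly. Returns the stored length. */
size_t copy_truncated(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(dst);
}

/* Slide 10: a precision on %s bounds argv[0] on its own, and snprintf() bounds
 * the whole string. Returns the length actually stored in usage. */
size_t format_usage(char *usage, size_t usage_size, const char *argv0)
{
    int n = snprintf(usage, usage_size, "USAGE %.40s -f flag arg1\n", argv0);
    return n < 0 ? 0 : strlen(usage);
}

/* Slide 11: the width 255 limits the word to 255 chars plus '\0',
 * so buffer must be at least 256 bytes. Returns the scanned length. */
size_t scan_word(char *buffer, const char *input)
{
    buffer[0] = '\0';
    sscanf(input, "%255s", buffer);
    return strlen(buffer);
}

int main(void)
{
    char big[301];                 /* constructed: 300 'A's, longer than buffer */
    memset(big, 'A', 300);
    big[300] = '\0';
    char buffer[256];
    printf("checked:   %d\n",  copy_checked(buffer, sizeof buffer, big));   /* -1  */
    printf("truncated: %zu\n", copy_truncated(buffer, sizeof buffer, big)); /* 255 */
    printf("scanned:   %zu\n", scan_word(buffer, big));                     /* 255 */
    return 0;
}
```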
Slide 12: streadd( ), strecpy( )
strecpy() copies the input string, up to a null byte, to the output string, expanding non-graphic characters to their equivalent C-language escape sequences (for example, \n, \001). This means that to avoid a possible overflow the destination must be 4x bigger than the source. streadd() is identical to strecpy(), except that it returns the pointer to the null byte that terminates the output.
Slide 13: strtrns( )
strtrns() transforms string and copies it into result. Any character that appears in old is replaced with the character in the same position in new. The new result is returned.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *lower = "abcdefg....xyz";
        char *upper = "ABCDEFG....XYZ";
        char *buffer;
        if (argc < 2) {
            printf("USAGE %s arg\n", argv[0]);
            return 0;
        }
        buffer = (char *)malloc(strlen(argv[1]) + 1);
        strtrns(argv[1], lower, upper, buffer);
        printf("%s\n", buffer);
        return 0;
    }
Slide 14: functions to be wary of
gets( ), strcpy( ), strcat( ), sprintf( ), scanf( ), sscanf( ), fscanf( ), vfscanf( ), vsscanf( ), streadd( ), strecpy( ), strtrns( ), realpath( ), syslog( ), getopt( ), getopt_long( ), getpass( ), getchar( ), fgetc( ), getc( ), read( ), bcopy( ), fgets( ), memcpy( ), snprintf( ), strccpy( ), strcadd( ), strncpy( ), vsnprintf( )
Slide 15: heap overflows
Slide 16: stack overflows