Buffer Overflow Exploits - PowerPoint PPT Presentation

About This Presentation
Title:

Buffer Overflow Exploits

Description:

Buffer Overflow Exploits – PowerPoint PPT presentation

Number of Views:423
Avg rating:3.0/5.0
Slides: 17
Provided by: Dic972
Category:

less

Transcript and Presenter's Notes

Title: Buffer Overflow Exploits


1
Buffer Overflow Exploits
  • CS-480b
  • Dick Steflik

2
What is a buffer overflow?
  • Memory
  • global static
  • heap
  • malloc( ) , new
  • Stack
  • non-static local variabled
  • value parameters
  • Buffer is a contiguously allocated chunk of
    memory
  • Anytime we put more data into a data structure
    than it was designed for.

3
Side Effects
  • The side effects of a buffer overflow may cause
  • the program may work strangely
  • the program may fail
  • the program may continue without any noticeable
    problems

4
Side Effects Depend on
  • How much data was written past the end of the
    buffer
  • What data (if any) are overwritten
  • Whether the program attempts to read data that
    are overwritten
  • What data ends up replacing the memory that gets
    overwritten

5
Three Basic Attacks
  • Overrun a static buffer
  • hurts data but little to no exposure for loss of
    control
  • Stack smashing
  • place attack code in memory, find some sloppy use
    of the runtime stack, use stack to transfer
    control to attack code
  • Heap overflow
  • much harder to exploit as there isnt usually a
    mechanism to gain control

6
Defensive Programming
  • The C Standard library has a number of highly
    susceptible function calls
  • gets( ) - reads data from stdin until eof or a
    newline character
  • strcpy( ) - copies a string into a buffer, number
    of chars copied depend on length of source string

7
strcpy()
if you know the size of the destination buffer
if (strlen(src) gt dst_size /
throw an error / else
strcpy(dst, src) - or -
strncpy(dst, src, dst_size-1)
dstdst_size -1 \0 / just to be safe
/ -or- / allocate the
destination buffer when you need it /
dst (char )malloc(strlen(src) 1)
srtcpy(dst, src)
8
strcat( )
/ same as srtcpy( ) but cancatenates source
string to end of a buffer / / safer
alternative is to use strncat( ) still need to
insure you dont / / overrun the destination
buffer
/ strncat(dst, src, dst_size -
strlen(dst) -1)
9
sprintf( ) vsprintf( )
/ usually used for formatting text but can
accidentally cause a buffer overrun / void
main(int argc, char argv) char
usage1024 sprintf(usage, USAGE s -f
flag arg1\n , argv0) / this program could
easily be subverted by
/ void main( )
exec1(/path/to/previous/program,
ltlt really long string here gtgt , NULL)
10
sprintf( ) vsprintf( )
/ There is no really portable way around this
problem, sometimes a snprintf( ) / / is
provided that lets you specify max number of
characters to copy / void
main(int argc , char argv) char
usage1024 char format_string USAGE s
-f flag arg1\n snprintf(usage, 1024,
format_string, argv0) / asafer way is to
specify a precision for each argument
/ void main (int argc ,
char argv) char usage1024
sprintf(usage, USAGE .1000s -f flag arg1\n
, argv0)
11
scanf( ), sscanf( ), fscanf( ), vfscanf( )
/ these are likewise poorly designed, in this
case destination buffers can overflow / void
main(int argc , char argv) char
buffer256 sscanf(argv0 , s ,
buffer) / if the word being scanned is
bigger than the buffer size it will overflow, fix
the / / problem by specifying a precision
for the arguement
/ void main(int argc , char argv)
char buffer256 sscanf(argv0
, 255s , buffer)
12
streadd( ) , strecpy( )
strecpy() copies the input string, up to a null
byte, to the output string, expanding
non-graphic characters to their equivalent
C-language escape sequences (for example, \n,
\001). This means that to avoid a possible
overflow the destination must be 4x bigger than
the source streadd() is identical to strecpy(),
except that it returns the pointer to the null
byte that terminates the output.
13
strtrns( )
strtrns() transforms string and copies it into
result. Any character that appears in old is
replaced with the character in the same
position in new. The new result is
returned. void main(int argc, char argv)
char lower abcdefg....xyz
char upper ABCDEFG....XYZ char
buffer if argc lt2
printf(USAGE s arg\n, argv0)
return 0 buffer (char
)malloc(strlen(argv11)
strtrns(argv1, lower, upper , buffer)
printf(s\n , buffer)
14
functions to be wary of
gets( ) strcpy( ) strcat( ) sprintf( ) scanf(
) sscanf( ) fscanf( ) vfscanf( ) vsscanf(
) streadd( ) strecpy( )
strtrns( ) realpath( ) syslog( ) getopt(
) getopt_long( ) getpass( ) getchar( ) fgetc(
) getc( ) read( ) bcopy( )
fgets( ) memcpy( ) snprintf( ) strccpy(
) strcadd( ) strncpy( ) vsnprintf( )
15
heap overflows
16
stack overflows
Write a Comment
User Comments (0)
About PowerShow.com