Exploiting Buffer Overflows on - PowerPoint PPT Presentation

1 / 16
About This Presentation
Title:

Exploiting Buffer Overflows on

Description:

Buffer overflow conditions are caused by missed boundary checks of user-supplied ... Buffer overflow exploitations on non-intel platforms are nearly as trivial as on ... – PowerPoint PPT presentation

Number of Views:55
Avg rating:3.0/5.0
Slides: 17
Provided by: Orac
Category:

less

Transcript and Presenter's Notes

Title: Exploiting Buffer Overflows on


1
Exploiting Buffer Overflows on
  • AIX/PowerPCHP-UX/PA-RISCSolaris/SPARC

2
Buffer Overflow
  • Buffer overflow is a famous/infamous hacking
    technique in computer security.
  • Buffer overflow conditions are caused by missed
    boundary checks of user-supplied data.
  • Implementation and exploitation of buffer
    overflow vulnerabilities is heavily dependant on
    the target OS and architecture.
  • Exotic architecture doesnt mean secure.

3
Function Call and Stack
Text
Instruction Pointer
Data
Stack Pointer
Stack
Frame Pointer
4
Function Call and Stack specifics
  • Stack could grow in different directions
  • Stack frame formats are different
  • Different conditions has to be met on different
    platforms for buffer overflow to be
    exploitable.(double return, calls of sub
    procedures, alignments )
  • Return address has to be overwritten
  • Frame ptr/stack ptr has to be overwritten

5
Function Call and Stack
6
Smashing the Stack
  • How to overwrite the return address?
  • void sickfunc(char str)
  • char buf512
  • strcpy(buf, str)
  • int main(int argc, char argv)
  • if (argv1)
  • sickfunc(argv1)

7
Smashing the Stack
  • Generate a string length are more than 512, here
    we use 520 As (distance may differ)
  • Use the string as argument of the program, and
    look at the stack.

8
Smashing the Stack
  • It overwrites the return address to
    0x41414141(AAAA)
  • You can design an executable code in the string
    and overwrite the return address to the address
    of the code, then you can control the system.

9
Smashing the Stack
  • The above example, buffer overflow is caused by
    absence of boundary checks.
  • Not only absence of boundary checks, but also
    wrong typecastings lead to buffer overflow
    conditions.

10
Smashing the Stack
  • void sickfunc(char foo)
  • int lengthfoo0
  • char baz64
  • if (lengthgt64)
  • return
  • strncpy(baz, foo1, length)
  • buff63\x0

11
Smashing the Stack
  • Although in most cases, exploiting buffer
    overflow try to overwrite the return address to
    return the stack, but there are other ways.
  • Overwrite the frame pointer is an alternative.
  • Overwrite a local variable pointer, and use the
    pointer to overwrite GOT entries (stack and heap
    overflows).
  • Overwrite the return address to libc (getting
    around non-executable stack protections)

12
Shellcode
  • Shellcode is a short fragment of machine code
    which is injected into execution flow.
  • Shellcode is machine/OS specific
  • The most common shellcodes are shell-spawns using
    execve syscalls (but not the only
    implementations)

13
What to do?
  • Because of the implementation of stack
    differences in platform, to exploit buffer
    overflows on non-intel platform are a bit tricky
  • These tricks and specifics are going to be
    explored in our presentation.
  • An multi-platform shellcode design concept will
    be covered briefly.

14
What we will see?
  • Buffer overflow exploitations on non-intel
    platforms are nearly as trivial as on its intel
    brother.
  • Having vulnerable software running on some exotic
    platform doesnt give you security
  • Something else p

15
What you have to know
  • Understanding of basics of assembly language
  • Understanding of i386 platform buffer overflows
    concept
  • Tools and utilities (perl, adb, gdb, gcc, as)

16
What we will learn
  • Writing shellcodes on HP-UX, Solaris and AIX
    platforms.
  • Basic requirements for buffer overflows on these
    platforms to be exploitable
  • Injecting shellcode platform specifics
  • Creating advanced shellcodes
Write a Comment
User Comments (0)
About PowerShow.com