; Non Malicious Program Errors _Buffer Overflows_
Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

Non Malicious Program Errors _Buffer Overflows_

VIEWS: 0 PAGES: 18

  • pg 1
									Gabe Kanzelmeyer

          CS 450

         4/14/10
 What    is buffer overflow?

 How   memory is processed and the stack

 The   threat

 Stack   overrun attack

 Dangers


 Prevention
A   buffer (array/string) that holds data

 Buffer   stored in memory (finite)

 Example.
  • char buffer[10] (sets aside buffer[0] – buffer[9])


  • Consider: buffer[10] = ‘A’;
  • What will happen?
 Compiler     detects out of bounds

 Consider:
  • buffer[i] = ‘A’;


 What   happens then?

 Depends, cant        identify problem until
 execution.
First two only effect the
user.



Malicious programmer
focuses
on accessing the second
two .
   Text – program code

   Data – global data

   Stack and Heap – allocate
    at run-time

   Stack - stores function
     arguments, local
    variables, values of
    selected registers
 When a procedure is called, the return
 address for function call, is put into the stack

 Key   importance for attacker

 Overwrite the return address stored on the
 stack, upon termination of the procedure, it
 would be loaded into the EIP register
 (instruction counter), potentially allowing
 any overflow code to be executed.
   void f(int a, int b)
    {
        char buf[10];
    }
    void main()
    {
        f(1, 2);
    }
 Howto recognize where an attack may
 occur?
 • Return address on stack
 • Data on stack



 With this in mind lets consider the
  following…
#include
                                 -Frame address
char *code =                     -Return address
  "AAAABBBBCCCCDDD";                   -overwritten
//including the character '\0‘
//size = 16 bytes
                                 Modified return
void main()
                                 address is pushed
{
                                 into instruction
  char buf[8];                   counter
   strcpy(buf, code);
}
 1. Discoveringa code, which is
     vulnerable to a buffer overflow.
               the number of bytes to be
 2. Determining
     long enough to overwrite the return
     address.
 3. Calculatingthe address to point the
     alternate code.
 4. Writing   the code to be executed.
 5. Linking   everything together and testing
#include
#define BUF_LEN 40

void main(int argc, char **argv)
{
    char buf[BUF_LEN];
    if (argv > 1)
    {
           printf(„\buffer length: %d\nparameter
           length: %d”, BUF_LEN, strlen(argv[1]) );

           strcpy(buf, argv[1]);
    }
}
 Consider:
  • victim.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAA


  If access violation error

  Try:
  •    victim.exe AAAABBBBCCCCDDDDEEEEFFFFGGGG………
 If   successful, error message:
   • “The instruction at “0x4b4b4b4b” referenced
       memory at “0x4b4b4b4b”. The memory could
       not be read.

   • 0x4b is ASCII“K”


   • Return address has been overwritten with KKKK
 From   here you can do whatever you want

 • Inject shell code to gain “super user” access


 • Inject address to malicious code


 • Use vulnerable system to exploit Denial of
   service attack
 Poor   programming practices

 Text/string   manipulation functions
  • strcpy()
  • strcat()
  • sprintf()
  • gets()
  • Etc…
 Library   based defenses

  • Re-implemented unsafe functions (Libsafe)


  • Detects illegitimate code on the stack
   (SecureWave)

  Compiler based runtime boundaries

								
To top