CSC 2400: Computer Systems Stack Buffer Overflow Attacks
Summary
• Invoking a function
  - CALL: call the function
  - RET: return from the function
• Stack Frame for a function call includes
  - Function arguments
  - Return address
  - Local variables
  - Saved registers
• Base pointer EBP
  - Fixed reference point in the Stack Frame
  - Useful for referencing arguments and local variables
Function Calls

int add3(int a, int b, int c)
{
    int d;
    d = a + b + c;
    return d;
}

int main()
{
    int sum, avg;
    sum = add3(3, 4, 5);
    avg = sum / 3;
    return avg;
}

• main calls add3
  - Push arguments on the stack
  - Push return address on stack
  - Jump to add3
  - Allocate local variables on stack, save registers, etc.
• Returning to main
  - Clear the stack frame for add3
  - Pop return address from stack

[Figure: stack layout during the call. Stack Frame for main holds the pushed arguments 5, 4, 3, followed by the Return Address; the Stack Frame for add3 sits below it, with ESP pointing at the top of the stack.]
Computer Malware: Stack buffer overflow attacks

[Figure: "Normal stack" beside "Buffer Overflow Attack", drawn from low address to high address: buffer, Saved EBP, Return Address. In the attack, the overflowed region holds malicious code, the saved EBP is replaced by a valid address and the Return Address by a New Return Address pointing into that code.]
• Heap buffer overflows are also common (overwrite pointer addresses)
[Figure series, "Before gets" / "After gets": a 4-byte local buffer buf[0..3] at EBP-4, followed by the saved EBP ("Old EBP") and the Return Address (0x08048424, later 0x08048472), as gets() reads successively longer input. Input "123" (0x31 0x32 0x33 0x00) fits in buf; "1234" fills buf and its NUL terminator spills into Old EBP; longer inputs ("1234567", "1234000056789", ...) overwrite Old EBP and then the Return Address with the trailing input bytes, e.g. the Return Address becomes 0x38373635 (the bytes '5', '6', '7', '8' read little-endian). The final panel shows Old EBP replaced by "some valid address" and the Return Address by the "Address of Fire", so the function returns into Fire instead of its caller.]
#include <string.h>

void foo(char *bar)
{
    char c[12];
    strcpy(c, bar); // no bounds checking
}

int main(int argc, char **argv)
{
    if (argc < 2)   // guard against a missing argument (argv[1] would be NULL)
        return 1;
    foo(argv[1]);
    return 0;
}
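Added example, not from the course slides: two bounds-checked replacements for the strcpy() in foo(). One refuses input that will not fit in the 12-byte buffer (so the copy can never reach the saved EBP and return address shown in the diagrams), the other truncates and reports it. BUF_LEN, copy_bounded, copy_truncated and foo_safe are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): bounds-checked replacements for the
 * strcpy() in foo(). BUF_LEN, copy_bounded, copy_truncated and foo_safe are
 * names chosen for this example. */
#define BUF_LEN 12

/* Policy 1: reject. Copy bar into out only if it fits with its NUL.
 * Returns 0 on success, -1 if the copy would run past the end of out
 * (i.e. into the saved EBP and return address on the slide's diagram). */
int copy_bounded(const char *bar, char *out, size_t out_len)
{
    size_t n = strlen(bar);
    if (n >= out_len)            /* no room for the terminating NUL */
        return -1;
    memcpy(out, bar, n + 1);     /* exactly n bytes plus the NUL */
    return 0;
}

/* Policy 2: truncate. snprintf() always writes a NUL terminator (unlike
 * strncpy()). Returns 1 if the input was cut short, 0 if it fit. */
int copy_truncated(const char *bar, char *out, size_t out_len)
{
    int needed = snprintf(out, out_len, "%s", bar);
    return (needed < 0 || (size_t)needed >= out_len) ? 1 : 0;
}

/* Hardened foo(): same 12-byte stack buffer as the original, but an input
 * that does not fit is refused instead of overwriting the frame.
 * Returns the length copied, or -1 if the input was rejected. */
int foo_safe(const char *bar)
{
    char c[BUF_LEN];
    if (copy_bounded(bar, c, sizeof c) != 0) {
        fprintf(stderr, "rejected: %zu bytes, buffer holds %zu\n",
                strlen(bar), sizeof c - 1);
        return -1;
    }
    return (int)strlen(c);       /* stand-in for whatever foo() did with c */
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    return foo_safe(argv[1]) < 0 ? 1 : 0;
}
```

Run with an argument longer than 11 characters to see the copy refused rather than the return address overwritten.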