Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
stack smashing

Stack Smashing 1 logistics LEX assignment out exam in on week - PowerPoint PPT Presentation

Jun 25, 2023 •99 likes •820 views

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday (review) 2 last few times encrypted code changing code polymorphic, metamorphic anti-VM/emulation anti-debugging stealth tunneling

  1. Stack Smashing 1

  2. logistics LEX assignment out exam in on week come with questions on Monday (review) 2

  3. last few times “encrypted” code changing code — polymorphic, metamorphic anti-VM/emulation anti-debugging stealth tunneling retroviruses memory residence 3

  4. recall: vulnerabilities trojans: the vulnerability is the user and/or the user interface otherwise? unintended program behavior that can be used by an adversary 4 software vulnerability

  5. vulnerability versus exploit exploit — something that uses a vulnerability to do something proof-of-concept — something = demonstration the exploit is there example: open a calculator program 5

  6. recall: software vulnerability types (1) memory safety bugs problems with pointers big topic in this course commands/SQL within name, label, etc. integer overfmow/underfmow … 6 “injection” bugs — type confusion

  7. recall: software vulnerability types (2) not checking inputs/permissions http://webserver.com/../../../../file-I-shouldn' t-get.txt almost any ’s “undefjned behavior” in C/C++ synchronization bugs: time-to-check to time-of-use … more? 7

  8. vulnerabilities and malware “arbitrary code execution” vulnerabilities often more efgective than via copying executable recall: Morris worm 8 method for malware to spread when programs aren’t shared

  9. vulnerabilities and malware “arbitrary code execution” vulnerabilities often more efgective than via copying executable recall: Morris worm 8 method for malware to spread when programs aren’t shared

  10. Morris worm vulnerabilities command injection bug in sendmail (later) bufger overfmow in fjngerd send 536-byte string for 512-byte bufger service for looking up user info who is “john@mit”; how do I contact him? note: pre-search engine/web 9

  11. Szor taxonomy of exploits Szor divides bufger overfmows into fjrst-, second-, third-“generation” second-generation: other stack/pointer overwriting third-generation: format string, heap structure exploits (malloc internals, etc.) 10 fjrst-generation: simple stack smashing

  12. typical bufger overfmow pattern cause program to write past the end of a bufger that somehow causes difgerent code to run (usually code the attacker wrote) 11

  13. why bufger overfmows? probably most common type of vulnerability until recently (and not by a small margin) when website vulnerabilities became more common 12

  14. network worms and overfmows worms that connect to vulnerable servers: Morris worm included some bufger overfmow exploits in mail servers, user info servers 2001: Code Red worm that spread to web servers (running Microsoft IIS) 13

  15. overfmows without servers bugs dealing with corrupt fjles: Adobe Flash (web browser plugin) PDF readers web browser JavaScript engines image viewers movie viewers decompression programs … 14

  16. Stack Smashing original, most common bufger overfmow exploit worked for most bufgers on the stack (“worked”? we’ll talk later) 15

  17. Aleph1, Smashing the Stack for Fun and Profjt “non-traditional literature”; released 1996 by Aleph1 AKA Elias Levy .oO Phrack 49 Oo. Volume Seven, Issue Forty-Nine File 14 of 16 BugTraq, r00t, and Underground.Org bring you XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Smashing The Stack For Fun And Profit XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX by Aleph One aleph1@underground.org 16

  18. vulnerable code void vulnerable() { char buffer[100]; // read string from stdin scanf("%s", buffer); do_something_with(buffer); } what if I input 1000 character string? 17

  19. vulnerable code void vulnerable() { char buffer[100]; // read string from stdin scanf("%s", buffer); do_something_with(buffer); } what if I input 1000 character string? 17

  20. 1000 character string $ cat 1000-as.txt aaaaaaaaaaaaaaaaaaaaaaaa (1000 a’s total) $ ./vulnerable.exe <1000-as.txt Segmentation fault (core dumped) $ 18

  21. 1000 character string – debugger 0x6161616161616161 in ?? () (gdb) #111 0x0000000000000000 in ?? () #110 0x6161616161616161 in ?? () #109 0x6161616161616161 in ?? () #108 0x6161616161616161 in ?? () ... ... ... 0x6161616161616161 in ?? () #4 0x6161616161616161 in ?? () #3 #2 $ gdb ./vulnerable.exe 0x6161616161616161 in ?? () #1 0x0000000000400562 in vulnerable () at overflow.c:13 #0 (gdb) backtrace } 13 0x0000000000400562 in vulnerable () at overflow.c:13 Program received signal SIGSEGV, Segmentation fault. Starting program: /home/cr4bd/spring2017/cs4630/slides/20170220/overflow.exe <1000-as.txt (gdb) run <1000-as.txt Reading symbols from ./overflow.exe...done. ... 19

  22. vulnerable code — assembly __isoc99_scanf exercise: stack layout when scanf is running ret /* deallocate 120 bytes from stack */ $120, %rsp addq do_something_with call /* do_something_with arg 1 = rsp = buffer */ %rsp, %rdi movq /* call to scanf() */ call vulnerable: /* eax = 0 (see calling convention) */ %eax, %eax xorl $.LC0, %edi /* scanf arg 2 = "%s" */ movl /* scanf arg 1 = rsp = buffer */ %rsp, %rsi movq /* allocate 120 bytes on stack */ $120, %rsp subq 20

  23. vulnerable code — assembly __isoc99_scanf exercise: stack layout when scanf is running ret /* deallocate 120 bytes from stack */ $120, %rsp addq do_something_with call /* do_something_with arg 1 = rsp = buffer */ %rsp, %rdi movq /* call to scanf() */ call vulnerable: /* eax = 0 (see calling convention) */ %eax, %eax xorl $.LC0, %edi /* scanf arg 2 = "%s" */ movl /* scanf arg 1 = rsp = buffer */ %rsp, %rsi movq /* allocate 120 bytes on stack */ $120, %rsp subq 20

  24. vulnerable code — stack usage increasing addresses highest address (stack started here) lowest address (stack grows here) return address for vulnerable : 41 02 40 00 00 00 00 00 (0x400241) unused space (20 bytes) bufger (100 bytes) return address for scanf 61 61 61 61 61 61 61 … (was bufger + unused) 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 (0x6161616161616161) 61 61 61 61 61 61 61 61 21

  25. vulnerable code — stack usage increasing addresses highest address (stack started here) lowest address (stack grows here) return address for vulnerable : 41 02 40 00 00 00 00 00 (0x400241) unused space (20 bytes) bufger (100 bytes) return address for scanf 61 61 61 61 61 61 61 … (was bufger + unused) 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 (0x6161616161616161) 61 61 61 61 61 61 61 61 21

  26. vulnerable code — stack usage increasing addresses highest address (stack started here) lowest address (stack grows here) return address for vulnerable : 41 02 40 00 00 00 00 00 (0x400241) unused space (20 bytes) bufger (100 bytes) return address for scanf 61 61 61 61 61 61 61 … (was bufger + unused) 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 (0x6161616161616161) 61 61 61 61 61 61 61 61 21

  27. vulnerable code — stack usage 61 61 61 61 61 61 61 … (was bufger + unused) 61 61 61 61 61 61 61 61 … 61 61 61 61 61 61 61 61 (0x6161616161616161) 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 return address for scanf increasing addresses bufger (100 bytes) unused space (20 bytes) 41 02 40 00 00 00 00 00 (0x400241) return address for vulnerable : lowest address (stack grows here) highest address (stack started here) 21

  28. vulnerable code — stack usage 61 61 61 61 61 61 61 … (was bufger + unused) 61 61 61 61 61 61 61 61 debugger’s guess: return address for 0x6161…6161 : 61 61 61 61 61 61 61 61 (0x6161616161616161) 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 return address for scanf increasing addresses bufger (100 bytes) unused space (20 bytes) 41 02 40 00 00 00 00 00 (0x400241) return address for vulnerable : lowest address (stack grows here) highest address (stack started here) 21

  29. the crash 0x0000000000400559 <+17>: what if it wasn’t invalid? …but there was nothing there retq tried to jump to 0x61616161 61616161 retq => 0x0000000000400562 <+26>: $0x78,%rsp add 0x000000000040055e <+22>: 0x400430 <__isoc99_scanf@plt> callq $0x0,%eax 0x0000000000400548 <+0>: mov 0x0000000000400554 <+12>: $0x400604,%edi mov 0x000000000040054f <+7>: %rsp,%rsi mov 0x000000000040054c <+4>: $0x78,%rsp sub 22

  30. the crash 0x0000000000400559 <+17>: what if it wasn’t invalid? …but there was nothing there retq tried to jump to 0x61616161 61616161 retq => 0x0000000000400562 <+26>: $0x78,%rsp add 0x000000000040055e <+22>: 0x400430 <__isoc99_scanf@plt> callq $0x0,%eax 0x0000000000400548 <+0>: mov 0x0000000000400554 <+12>: $0x400604,%edi mov 0x000000000040054f <+7>: %rsp,%rsi mov 0x000000000040054c <+4>: $0x78,%rsp sub 22

  31. return-to-stack increasing addresses highest address (stack started here) lowest address (stack grows here) return address for vulnerable : 70 fd ff ff ff ff 00 00 (0x7fff ffff fd70) unused space (20 bytes) bufger (100 bytes) return address for scanf machine code for the attacker to run 23

  32. return-to-stack increasing addresses highest address (stack started here) lowest address (stack grows here) return address for vulnerable : 70 fd ff ff ff ff 00 00 (0x7fff ffff fd70) unused space (20 bytes) bufger (100 bytes) return address for scanf machine code for the attacker to run 23

Recommend

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit ... overflow direction / higher addresses int main(int argc, char **argv) buf { stack growth char buf[0x10]; gets(buf); saved return address

911 views • 13 slides
Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

260 views • 22 slides
Stack Stack Heap Heap Data Data Text Text Program A Program B Stack Stack Text Heap

Stack Stack Heap Heap Data Data Text Text Program A Program B Stack Stack Text Heap

Stack Stack Heap Heap Data Data Text Text Program A Program B Stack Stack Text Heap Heap Data Data Text Text Text Program A Program B Physical Memory Stack Stack Stack Heap Stack Kernel Heap Heap Data Heap Data

1.17k views • 62 slides
64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

Techorganic About PGP Disclaimer Vulnerabilities Musings from the brainpan 64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64- bit

451 views • 9 slides
Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern University Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem

662 views • 46 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

570 views • 44 slides
Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr ) (mstampar@zsis.hr ) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.)

466 views • 35 slides
Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types Bag List Stack 3 Stack 34 A data structure representing a stack of things Objects can be pushed onto the stack or popped from the stack

1.63k views • 116 slides
Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call Stack higher %rsp holds lowest stack address addresses (address of &quot;top&quot; element) Topics stack grows Procedures toward lower

77 views • 5 slides
Sorting with Pop Stacks Stack sorting Pop stack sorting 1-pop-stack sortability 2-pop-stack

Sorting with Pop Stacks Stack sorting Pop stack sorting 1-pop-stack sortability 2-pop-stack

Sorting with Pop Stacks Lara Pudwell Sorting with Pop Stacks Stack sorting Pop stack sorting 1-pop-stack sortability 2-pop-stack sortability Polyominoes on a helix Lara Pudwell Width 2 Width 3 faculty.valpo.edu/lpudwell Wrapping up

1.31k views • 69 slides
Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An instruction r = F(a 1 ,a n ): Pops n operands from the stack Computes the operation F using the operands Pushes the result r on the stack Alex

362 views • 13 slides
The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer science. The stack is an abstract data type that has two main operations. These are push which adds an element to the top of the stack and pop which

755 views • 8 slides
Binarylevel program analysis: Stack Smashing Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Stack Smashing Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Stack Smashing Gang Tan CSE 597 Spring 2019 Penn State University 1 Program Stack For implementing procedure calls and returns Keep track of program execution and state by storing local variables

259 views • 23 slides
p2 Jeff Chase Duke University vulnerable.c Smashing the Stack for Fun and Profit 0x7fffffff

p2 Jeff Chase Duke University vulnerable.c Smashing the Stack for Fun and Profit 0x7fffffff

p2 Jeff Chase Duke University vulnerable.c Smashing the Stack for Fun and Profit 0x7fffffff VAS example (32-bit) Reserved The program uses virtual memory through Stack its process Virtual Address Space: An addressable array

464 views • 22 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

714 views • 52 slides
Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an

Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an

Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an unbounded stack of symbols We'll represent these stacks as strings Left end of the string is the top of the stack For example, abc is a stack

407 views • 12 slides
Advanced Parallel Programming Basic MPI-IO Calls Dr David Henty HPC Training and Support

Advanced Parallel Programming Basic MPI-IO Calls Dr David Henty HPC Training and Support

Advanced Parallel Programming Basic MPI-IO Calls Dr David Henty HPC Training and Support Manager d.henty@epcc.ed.ac.uk +44 131 650 5960 Overview Lecture will cover MPI-IO model basic file handling routines setting the file

524 views • 17 slides
The &quot;Wrap&quot; Systolic Pipe for Sliding Window Compression input: a stream of

The &quot;Wrap&quot; Systolic Pipe for Sliding Window Compression input: a stream of

The &quot;Wrap&quot; Systolic Pipe for Sliding Window Compression input: a stream of uncompressed characters latch char[1] char[1] char[1] char[0] char[0] char[0] BestLength BestLength BestLength (0,0) BestDisp BestDisp BestDisp

49 views • 3 slides
Returns to Postgraduate Education in Portugal: Holding on to a Higher Ground? e Almeida 1 , Hugo

Returns to Postgraduate Education in Portugal: Holding on to a Higher Ground? e Almeida 1 , Hugo

Introduction Conclusion References Returns to Postgraduate Education in Portugal: Holding on to a Higher Ground? e Almeida 1 , Hugo Figueiredo 1 , 2 , Jo ao Cerejeira 1 , 3 , 4 , Miguel Andr Portela 1 , 3 , 4 , 5 , Carla S a 1 , 3 , 4 ,

354 views • 32 slides
Three-Phase Displacement Theory: Hyperbolic Models and Analytical Solutions Ruben Juanes and

Three-Phase Displacement Theory: Hyperbolic Models and Analytical Solutions Ruben Juanes and

Three-Phase Displacement Theory: Hyperbolic Models and Analytical Solutions Ruben Juanes and KnutAndreas Lie Petroleum Engineering, School of Earth Sciences, Stanford University SINTEF ICT, Dept. Applied Mathematics 17.11.04

720 views • 54 slides
Files and File Systems CS 416: Operating Systems Design Department of Computer Science Rutgers

Files and File Systems CS 416: Operating Systems Design Department of Computer Science Rutgers

Files and File Systems CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/teaching/416/ File Concept Contiguous logical address space Types: Data numeric

1.28k views • 90 slides
Simulation Engines TDA571|DIT030 3D Graphics - Part 2 Tommaso Piazza 1 Administrative stuff

Simulation Engines TDA571|DIT030 3D Graphics - Part 2 Tommaso Piazza 1 Administrative stuff

Simulation Engines TDA571|DIT030 3D Graphics - Part 2 Tommaso Piazza 1 Administrative stuff Today 3D Graphics presentation Meet me in front of Grace Hopper Have you started coding? Where are your repositories? Pssst...

604 views • 36 slides
Computational Social Choice: Autumn 2010 Ulle Endriss Institute for Logic, Language and

Computational Social Choice: Autumn 2010 Ulle Endriss Institute for Logic, Language and

Voting Procedures COMSOC 2010 Computational Social Choice: Autumn 2010 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Voting Procedures COMSOC 2010 Plan for Today We will introduce a few

684 views • 19 slides
Ha Ha ! In United States: Over 2 million reported burglaries in 2009 ~ An average $ 2000 loss per

Ha Ha ! In United States: Over 2 million reported burglaries in 2009 ~ An average $ 2000 loss per

Santanu Guha* , Kurt Plarre*, Daniel Lissner*, Somnath Mitra*, Bhagavathy Krishna*, Prabal Dutta~, Santosh Kumar* *University of Memphis ~University of Michigan Ha Ha ! In United States: Over 2 million reported burglaries in 2009 ~ An average $ 2000

622 views • 39 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.