
CEHv8 module 18 buffer overflow


DOCUMENT INFORMATION

Basic information

Title: Buffer Overflow
School: Học viện Công Nghệ Thông Tin Bach Khoa
Major: Computer Security
Type: lecture notes
City: Hanoi
Pages: 58
Size: 2.27 MB


Contents


Page 1

Module 18

Certified Ethical Hacker

Engineered by Hackers. Presented by Professionals.

Page 2

Học viện Công Nghệ Thông Tin Bach Khoa

released this week

“We proved that the current implementation of the Steam Browser Protocol handling mechanism is an excellent attack vector, which enables attackers to exploit local issues in a remote fashion,” Auriemma and Ferrante wrote. “Because of the big audience, the support for several different platforms and the amount of effort required to exploit bugs via the Steam Browser Protocol commands, Steam can be considered a high impact attack vector.”

http://threatpost.com

Page 3

Module Objectives

Heap-Based Buffer Overflow
How to Mutate a Buffer Overflow Exploit
Why Are Programs and Applications Vulnerable to Buffer Overflows?
Identifying Buffer Overflows
How to Detect Buffer Overflows in a Program
Knowledge Required to Program Buffer Overflow Exploits
BoF Detection Tools
Defense Against Buffer Overflows
Overflow Using Format String
Buffer Overflow Security Tools
Buffer Overflow Examples
Buffer Overflow Penetration Testing

Page 4

Buffer Overflow Concepts

Pen Testing

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 5

Buffer Overflow

A generic buffer overflow occurs when a program tries to store more data in a buffer than it was intended to hold.

When the program shown below is compiled and run, an array “ ” of size 11 bytes is allocated to hold the “ ” string. “ ” will copy the string into the array “ ”, which will exceed the buffer size of 11 bytes, resulting in a buffer overflow.

This type of vulnerability is prevalent in UNIX- and NT-based systems.

Page 6

Why Are Programs and Applications Vulnerable to Buffer Overflows?

Boundary checks are not done fully or, in most cases, they are skipped entirely.

C functions do not validate target buffer size.

Programs and applications do not adhere to good programming practices.

Page 7

A Stack

The stack is created at the beginning of the execution of a function and released at the end of it.

[Figure: stack layout, marking the top of the stack and the growth direction]

Page 8

Stack-Based Buffer Overflow

A stack-based buffer overflow occurs when a buffer has been overrun on the stack and overflows the stack to overwrite the return pointer, so that the flow of control switches to the malicious code.

[Figure: stack segments before and after the overflow; the return pointer is overwritten by the attacker's data; SP marks the end of the stack]

Page 9

Heap

The heap stores all instances or attributes, constructors, and methods of a class or object.

[Figure: heap layout, with control data between the allocated blocks]

Page 10

Attackers overflow buffers on the lower part of the heap, overwriting other dynamic variables, which can have unexpected and unwanted effects.

Note: In most environments, this may allow the attacker to control the program's execution.

Page 11

Extended Instruction Pointer

EIP points to the code that you are currently executing. When a function is called, this gets saved on the stack for later use.

Extended Stack Pointer

ESP points to the current position on the stack and allows things to be added to and removed from the stack using push and pop operations or direct stack pointer manipulations.

Extended Base Pointer

EBP serves as a static point for referencing stack-based information like variables and data in a function using offsets. This almost always points to the top of the stack.

Page 12


Page 13

No Operations (NOPs)

Most CPUs have a No Operation (NOP) instruction. The attacker pads the beginning of the intended buffer overflow with a long run of NOP instructions (a NOP slide or sled) so the CPU will do nothing until it gets to the “main event” (which preceded the “return pointer”).

Most intrusion detection
Attacker changes identified IP to start

ADMmutate (by http://www.ktwo.ca) accepts a buffer overflow exploit as input and randomly creates a functionally equivalent version (polymorphism).

Note: It is the NOP sled that ADMmutate mutates (not the shellcode).

Page 14

Pen Testing

Page 15

and machine language

Page 16

Write more data into the buffer than it can handle

Overwrite the return address of a function

Change the execution flow to the hacker code

Page 17

Attacking a Real Program

The return pointer of the function is overwritten, and the attacker succeeds in altering the flow of the execution.

If the attacker inserts code as input, he or she has to know the exact address to point to the code for execution.

Page 18

Most likely the program will crash, causing a DoS; if not, the program will print memory contents.

A similar exploit occurs using user = “%n”.

Vulnerable form (the user-controlled string is passed directly as the format argument):

    #include <stdio.h>

    int func(char *user)
    {
        fprintf(stdout, user);  /* user input is interpreted as a format string */
        return 0;
    }

Correct form is:

    #include <stdio.h>

    int func(char *user)
    {
        fprintf(stdout, "%s", user);  /* fixed format string; input is printed as data only */
        return 0;
    }

Page 20

Put some code in the buffer and set the return address to point to it

Page 21

Gain normal access

Use Netcat to make raw and direct connections

Using Trivial FTP (TFTP) included with Windows

UNIX-specific GUI

Page 22

Buffer Overflow Countermeasures

Buffer Overflow

Page 23

    /* Program to show a simple heap overflow */
    /* Program to show a simple uncontrolled overflow of the stack */
    #include <stdio.h>

Page 24


The first thing the program does is declare two string variables and assign memory to them. The “name” variable is given 10 bytes of memory (which will allow it to hold a 10-character string); the “dangerous_system_command” variable is given 128 bytes. Memory is assigned to these variables next to each other in the virtual memory space given to the program.

Page 25

Simple Buffer Overflow in C: Code Analysis

The “gets” command, which reads a string from the standard input to the specified memory location, does not have a “length” specification, so the input can exceed the memory allocated. Knowing this, an attacker can overflow the “name” memory into the “dangerous_system_command” memory, and run whatever command he or she wishes.

[Screenshot: the program prints the addresses of “name” and “dangerous_system_command”, followed by password-file entries dumped after the overflow]

The address given to the “dangerous_system_command” variable is 16 bytes from the start of the “name” variable; the extra bytes are overhead used by the “malloc” system call to allow the memory to be returned to general use when it is free.

Page 26

Exploiting Semantic Comments in C (Annotations)

Adding “@” after the “/*” (which is considered a comment in C) is recognized as a syntactic entity by the tool. So, in a parameter declaration, it indicates that the value passed for this parameter may not be null.

Annotations describe the buffers that are passed to functions, what functions return, and the assumptions and constraints used in the example below.

Example: /*@ this value may not be null @*/

Page 27

How to Mutate a Buffer Overflow Exploit

Apply XOR to combine code with a random key, making it unintelligible to IDS. The CPU code must also decode the gibberish in time to execute the payload. The XORing makes the payload polymorphic and therefore hard to spot.

Page 28

Buffer Overflow Countermeasures

Buffer Overflow

Buffer Overflow Pen Testing

Page 29

Identifying Buffer Overflows

If web server: issue requests with long tags

Page 30

How to Detect Buffer Overflows in a Program

Local Variables

In this case, the attacker can look for

Page 31

Testing for Heap Overflow

Test for heap overflows by supplying longer input strings than expected.

1. Allow overwriting function pointers
2. Exploit memory management structures

1. A pointer exchange taking place after the heap management routine comes into action

1. One of the addresses can point to a function pointer which needs to be overwritten, for example
2. supplied code that needs to be executed

On the next slide, when the MOV instructions shown in the left pane of the screenshot are executed, the overwrite takes place. When the function is called, the user-supplied code gets executed.

Page 33

Steps for Testing for Stack Overflow in OllyDbg Debugger

Page 34

Demonstration of how an attacker overwrites the instruction pointer with user-supplied characters such as “A”.

Load the “sample.exe” executable in a debugger, with the supplied sequence (AAAAAAAA) in the argument field, as shown in figure 1 in the next slide, and continue execution.

The result is shown in figure 2 in the next slide: “41414141”, which represents the hexadecimal “AAAA”.

Page 35

Testing for Stack Overflow in OllyDbg Debugger (Cont'd)

Page 36

Testing for Format String Conditions Using IDA Pro

Format string vulnerabilities are most often exploited within:

Attacker manipulates input parameters to include %x or %n type specifiers

Page 37

The format string being pushed on the stack is clearly visible before a call to printf is made.

[Screenshot: Command Prompt and the disassembly of the program's int main(int argc, char **argv)]

Page 38

Page 40

Buffer Overflow Concepts

Buffer Overflow

Page 41

Manual Auditing of the Code

Compiler Techniques

Page 42

Page 43

Disable stack execution (it's possible with hardware segmentation, or software segmentation such as DEP)

Prevent return addresses from being overwritten

Validate arguments and reduce the amount of code that runs with root privilege

Test and debug the code to find errors

Prevent all sensitive information from being overwritten

Prevent use of dangerous functions: gets, strcpy, etc.

Page 44

Change the compiler at the compile level so that it does bounds checking or protects addresses from being overwritten

Page 45

DEP is a set of hardware and software technologies that monitors programs to verify whether they are using system memory safely. It prevents applications from accessing memory that wasn't assigned to them and from running code located in another region. When a violation is attempted, DEP detects code that is running from these locations and raises an exception.

DEP helps in preventing code execution from within data pages, such as the default heap, stacks, and memory pools.

Page 46

Enhanced Mitigation Experience Toolkit (EMET)

Enhanced Mitigation Experience Toolkit (EMET) is designed to make it more difficult for an attacker to exploit the vulnerabilities of software and gain access to the system. It supports mitigation techniques that prevent common attack techniques, primarily related to stack overflows and the techniques used by malware to interact with the operating system as it attempts a compromise.

Its mitigations include making stack memory non-executable and address space layout randomization, and it works on all new Windows versions.

Posted: 14/12/2021, 18:43