Buffer Overflow Exploits
1 Abstract
A large number of exploits have been due to sloppy software development. Exceeding array bounds is referred to in security circles as "buffer overflow." These are by far the most common security problems in software. This lecture explains the stack-smashing technique, and presents a few techniques that help in avoiding the exploit.
- I often give 3 to 5 (55-minute) lectures on this topic.
- At least one on AlephOne.
- Lecture #1: Overview, Background, Ideas on: {Code Injection, Detection, Prevention}
- Lecture #2: Aleph One article, full exploration
- Lecture #3: Aleph One article, full exploration; past videos of mine
- Lecture #4: Experience the Exploit
- Lecture #5: Exploring recent CVEs on Buffer Overflow
- Coupled Topic: Software Development without Security Holes
2 Buffer Overflow Overview
- End result: a super-user owned shell process is born
- The enabling weaknesses
- data address space and executable code address space are not disjoint
- sloppy programming
- Intricately depends on: PL, Compiler, OS, CPU
- Arguably: The first security exploit (1988)
- Arguably: The most common exploit
- Arguably: The still prevalent exploit
- Alt names: buffer overrun, stack smashing, code injection
- Related exploits: heap overflow, format string exploit, …
- Famous Buffer Overflow Attacks: https://engineering.purdue.edu/ResearchGroups/SmashGuard/BoF.html
3 Background Knowledge
- Command line shells
- konsole + bash
- bash PS1 prompt
- Details (semantics and compiled code) of C
- String library methods: strcpy, strcat
- Array bounds
- Effective address calculation
- Stack frame
- ./C-intricacies.html
- ../LinuxSetup/StudyPrograms/
- OS Details
- System call: execv
- System call: exit
- setuserid: suid, root
- System call:
4 Code Injection Idea
- The program is unmodified.
- The running process is modified.
- Modifying the return address (located on the stack)
- Insert (effectively) new machine code sequence into the process
- And return!
4.1 Choosing a binary
- Stack allocated local array
- Unchecked array index usage
- Copying a given argument into a local array
- Supplying a carefully constructed string argument
- The string has the executable machine code
4.2 Shell code
- Designing the shell-code to be injected
- Constructing the shell-code from disassembly
- Fine tuning the shell code as a proper string
4.3 Modifying the return address
- Studying ./modret/modret.c
- Modify the return address to the beginning of the "string"
- modReturnAddress-acer602-20080507.html These are the results of trying out the code examples from the AlephOne article. These notes were recorded with Auditor LiveCD on my old Acer laptop with Pentium III (Coppermine) running Debian GNU/Linux 3.1, gcc version 3.3.5 (Debian 1:3.3.5-2).
5 The Exploit
- Putting it all together
- Padding the Shell Code with NOPs so that jump target address is less critical
- Inputting the shell code as an argument
- ./AlephOne/alephOne.html One of the best explanations of Stack Smashing.
6 Experiencing the Exploit in the Lab
- As of 2019, many "standard" code injections have been prevented.
- Virtual Machines
- VirtualBox
- VMware
- Linux Distro: (BackTrack) Auditor.ISO
- An Old OS/C-compiler/bash
- Uses IDE drives; so not bootable on modern PCs
6.1 Disable Stack top randomization
- Compile any program (e.g. from StudyPrograms).
- Invoke it several times, and print the address of a local variable of main. Is it changing? That is Stack Top Randomization.
6.2 Disabling Stack Protection
- Compiler flags: no canaries
gcc overflow.c -o overflow -fno-stack-protector
- ./bo.c compile:
gcc -fno-stack-protector -z execstack -o bo bo.c
6.3 Disable ASLR
- ASLR Address Space Layout Randomization
- Disable ASLR:
    echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
  (With "sudo echo 0 > /proc/sys/kernel/randomize_va_space" the redirection is performed by the unprivileged shell and fails with permission denied; tee runs under sudo.)
- Enabled: randomize_va_space should be 2.
- ASLR is effective only if the binary was PIE (position independent code enabled): -fPIC -pie
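The following program is an added example written for these notes, not part of the lecture's own files; it carries out the check from 6.1 (print the address of a local in main, run several times) and extends it to the regions named in 6.3 (heap, the program's own text, a libc function), so a student can see which of them move at each randomize_va_space level and why only a PIE binary has a moving text segment. The sysctl path and the meaning of the values 0, 1 and 2 are those documented for the Linux kernel; the describe_randomization() wording is mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: collect one address from each region that ASLR may move.
 * Returned as values (not only printed) so a caller can inspect them. */
struct layout {
    uintptr_t stack;   /* address of a local variable: stack top randomization */
    uintptr_t heap;    /* address returned by malloc (brk or mmap region) */
    uintptr_t text;    /* address of this program's own code: moves only if PIE */
    uintptr_t libc;    /* address of a libc function: shared-library mapping */
};

struct layout sample_layout(void) {
    volatile int local = 0;              /* lives in this stack frame */
    void *h = malloc(16);                /* heap allocation */
    struct layout l;
    l.stack = (uintptr_t)&local;
    l.heap  = (uintptr_t)h;
    l.text  = (uintptr_t)&sample_layout; /* code address of this function */
    l.libc  = (uintptr_t)strlen;         /* code address inside libc */
    free(h);
    return l;
}

/* Meaning of /proc/sys/kernel/randomize_va_space, per the Linux sysctl docs. */
const char *describe_randomization(int level) {
    switch (level) {
    case 0:  return "0: no randomization";
    case 1:  return "1: stack, mmap base and shared libraries randomized; brk heap not";
    case 2:  return "2: as 1, plus the brk-based heap";
    default: return "unknown or unreadable";
    }
}

/* Read the current setting; -1 when the file is absent or unreadable (e.g. non-Linux). */
int read_randomize_va_space(void) {
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int level = -1;
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &level) != 1) level = -1;
    fclose(f);
    return level;
}

int main(void) {
    struct layout l = sample_layout();
    int level = read_randomize_va_space();
    printf("randomize_va_space = %d (%s)\n", level, describe_randomization(level));
    printf("stack local   : %#lx\n", (unsigned long)l.stack);
    printf("heap block    : %#lx\n", (unsigned long)l.heap);
    printf("program text  : %#lx\n", (unsigned long)l.text);
    printf("libc function : %#lx\n", (unsigned long)l.libc);
    puts("Run this binary several times: a region whose address changes is being randomized.");
    return 0;
}
```

Compile it once as a non-PIE binary (gcc -no-pie) and once as PIE (gcc -fPIE -pie) and run each a few times: with randomize_va_space at 2 the stack, heap and libc lines change on every run in both builds, while the "program text" line changes only in the PIE build, which is the point made in 6.3.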
7 Detection
- Checking the caller of
execv
- Deep packet inspection
- Tools: Chaperon, Valgrind, CCured, CRED, Insure++, ProPolice and TinyCC, …
8 Prevention
- CPU/MMU: Separate address spaces for Data and Machine Instructions
- noexec-user-stack
- Never-eXecute (NX) bit http://en.wikipedia.org/wiki/NX_bit
- Intel: XD bit, eXecute Disable
- AMD: Enhanced Virus Protection
- ARM: XN for eXecute Never
- Stack top randomization
- ASLR Address space layout randomization
- Run-time Check for Input Taintedness
- Run-time Check for Array Bounds
8.1 Secure Programming Practices
- Techniques of Avoiding Buffer Overflow
- Safe String Libraries
- Static Analysis of Source Code
- Lectures on ../SecSoftware/
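An added example, not from the lecture's files, showing the vulnerable pattern of 4.1 (a stack-allocated array filled by strcpy from an argument) beside the hardened form that 8.1 asks for: the copy is bounded by the destination size, an over-long input is rejected rather than silently truncated, the destination is always NUL-terminated, and the rejection is logged so it becomes a detectable event. The names greet_unsafe, copy_bounded, greet_safe and NAME_LEN are mine.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* The lecture's vulnerable shape: no bound on the copy. An argument longer
 * than NAME_LEN-1 bytes overwrites whatever follows `name` in the stack
 * frame. Kept here only to show the pattern; do not write this. */
int greet_unsafe(const char *arg) {
    char name[NAME_LEN];
    strcpy(name, arg);              /* unchecked array bounds */
    return (int)strlen(name);
}

/* Hardened copy: returns the number of bytes copied, or -1 when `src`
 * (plus its terminator) does not fit in `dst_size` bytes. On failure `dst`
 * is left as a valid empty string, never as unterminated junk. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0) return -1;
    if (n >= dst_size) {            /* n+1 bytes needed, dst_size available */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* copies the terminator too */
    return (int)n;
}

/* Same task as greet_unsafe, with the bound enforced and the failure logged. */
int greet_safe(const char *arg) {
    char name[NAME_LEN];
    int n = copy_bounded(name, sizeof name, arg);
    if (n < 0) {
        /* A rejected over-long argument is worth recording: it is exactly the
         * input an overflow attempt would supply. */
        fprintf(stderr, "rejected argument of %zu bytes (limit %d)\n",
                strlen(arg), NAME_LEN - 1);
        return -1;
    }
    printf("hello, %s\n", name);
    return n;
}

int main(int argc, char **argv) {
    const char *arg = argc > 1 ? argv[1] : "world";
    return greet_safe(arg) < 0 ? 1 : 0;
}
```

The check is written as "n >= dst_size" rather than "n > dst_size" because the terminating NUL needs its own byte; off-by-one errors at exactly this boundary are a common way a "bounded" copy still overflows. strncpy is deliberately not used: it does not guarantee termination when the source fills the buffer, which is the same defect in a quieter form.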
10 Reading List
- Readings are grouped into Required and Recommended.
- Required Readings are a must read. These are sources of exam questions.
- Recommended Readings bring more insight into the topic. But exam questions will not be derived from these.
- Some of our "readings" are actually web site visits.
10.1 Required Reading
- Aleph One, "Smashing The Stack For Fun And Profit," Phrack, Vol 7, Issue 49, File 14 of 16. 1996. A classic article. A local copy of the original Phrack article is ./AlephOne/phrack-article-p49-14.txt. An html-ized version of this paper with some corrections by me is ./AlephOne/alephOne.html.
- Prabhaker Mateti, Buffer Overflow Attacks. This article associated with this lecture. 2019.
- http://en.wikipedia.org, Buffer-overflow, Heap-overflow, Uncontrolled-format-string, Return-to-libc-attack, Return-oriented-programming. 2013. All Required Reading.
- Yves Younan, Wouter Joosen and Frank Piessens, "Runtime countermeasures for code injection attacks against C and C++ programs ", ACM Computing Surveys , 44(3), 2012. Recommended Reading.
10.2 Recommended Reading
- David A. Wheeler, "Secure Programming for Linux and Unix HOWTO," 2003, http://tldp.org/HOWTO/Secure-Programs-HOWTO/ Highly recommended reading.
- Matt Conover and WSD, "w00w00 on Heap Overflows", January 1999. Originally at http://www.w00w00.org/files/articles/heaptut.txt; web search for a copy. Highly recommended reading.
- skape, "Understanding Windows Shellcode", http://nologin.org/Downloads/Papers/win32-shellcode.pdf, 2003.
- Parvez Anwar, "Buffer Overflows in the Microsoft Windows Environment", 2009, https://www.ma.rhul.ac.uk/static/techrep/2009/RHUL-MA-2009-06.pdf
10.3 Recommended Reading #2
- https://dl.packetstormsecurity.net/papers/attack/64bit-overflow.pdf 64 Bits Linux Stack Based Buffer Overflow, 12pp
- https://bytesoverbombs.io/exploiting-a-64-bit-buffer-overflow-469e8b500f10 Nov 4, 2017. {pm: Long winded. Uses Kali, python, metasploit pattern find tool, msfvenom, python payload generator; uses the linux/x64/shell_reverse_tcp payload so the remote machine controls our host when the exploit happens. Explains the real rsp register.}
- https://www.exploit-db.com/papers/24085/ Stack Smashing On A Modern Linux System, December 2012 {pm: "modern" = 2012}
- https://www.blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Buffer-Overflows-Linux-whitepaper.pdf 12pp, April 16th, 2009
- Sebastian Krahmer, https://users.suse.com/~krahmer/no-nx.pdf 20pp {x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique} Sep 2005