Scribd
Upload
59 views16 pages

Week8 M

This document discusses buffer overflows and how they can be exploited to execute arbitrary code. It explains that a buffer overflow occurs when more data is written to a buffer than it can hold, overwriting adjacent memory. This can be used to overwrite a function's return address on the stack to redirect execution flow maliciously after the function returns. The document demonstrates a buffer overflow example that overwrites a program's return address, causing a crash. It also outlines steps for finding the overflow in a vulnerable web server program and modifying it to remove stack protection and enable exploiting the vulnerability remotely.

Uploaded by

leish
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
59 views16 pages

Week8 M

This document discusses buffer overflows and how they can be exploited to execute arbitrary code. It explains that a buffer overflow occurs when more data is written to a buffer than it can hold, overwriting adjacent memory. This can be used to overwrite a function's return address on the stack to redirect execution flow maliciously after the function returns. The document demonstrates a buffer overflow example that overwrites a program's return address, causing a crash. It also outlines steps for finding the overflow in a vulnerable web server program and modifying it to remove stack protection and enable exploiting the vulnerability remotely.

Uploaded by

leish
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 16

Buffer Overflow

Lab 8

Process Memory Regions


Higher memory addresses
Fixed address
Stack pointer
(SP) points to
top of stack

Lower memory addresses

Stack Frame
Logical block
pushed when calling a function
popped when returning

Contains:
parameters to functions
local variables
data necessary to recover program state

Frame pointer points to fixed location within


frame
variables are referenced by offsets to the FP

Function Calls

Constructing a Stack Frame


void function(int a, int b, int c) {
char buffer1[5];
char buffer2[10];
}
void main() {
function(1,2,3);
}

1. Push 3 arguments
2. Push return address
3. Copy SP into FP to create
new FP and save it on the
stack (SFP)
4. Advance SP to reserve
space for local variables and
state information

Buffer Overflow
What is a buffer?
a contiguous block of memory that holds multiple
instances of the same data type

Whats buffer overflow?


Stuffing more data into a buffer than it can handle

This common programming error can be taken


advantage of to execute arbitrary code

Example
void copy(char *str) {
char buffer[16];
strcpy(buffer,str);
}

int main() {
char large_string[256];
int i;
for( i = 0; i < 255; i++)
large_string[i] = 'A';
large_string[255] = '\0';
copy(large_string);
return 0;
}

strcpy() is copying the contents of *str (larger_string[]) into buffer[] until string NULL character
buffer[] is much smaller than *str. (16 bytes vs. 256 bytes)
All 240 bytes after buffer in the stack are being overwritten (INCLUDING the SFP and RET)
large_string is filled with the character 'A (0x41)
RET = 0x41414141 which is outside of the process address space
When the function returns and tries to read the next instruction from that address
=> Segmentation Fault!!!

Buffer Overflow Example


S
t
a
c
k
g
r
o
w
t
h

M
e
m
o
r
y

A
d
d
r
e
s
s
e
s

Parent Routines Stack


Frame

Parent Routines Stack


Frame

Parent Routines Stack


Frame

Function Arguments

Function Arguments

Return Address

Return Address

Saved Frame Pointer

Saved Frame Pointer

Char *bar

Char *bar

char buffer[16]

buffer[15]
char buffer[16]
buffer[0]
Unallocated Stack Space

\0

Unallocated Stack Space

Unallocated Stack Space

Exploiting Buffer Overflow


A buffer overflow allows us to change the
return address of a function
We can change the flow of execution of the
program and execute arbitrary code

How to Execute Our Code?


Place the code we are trying to execute in the
buffer we are overflowing
Overwrite the return address so it points back
into the buffer
Which code?
Spawn a shell so we can execute anything

Lab 8 Steps 1 & 2


Build sthttpd: light-weight HTTP server and apply patch
to introduce vulnerability

$ tar xvf sthttpd-2.26.4.tar.gz


$ cd sthttpd-2.26.4
$ patch pNUM < patch_file
$ ./configure and make (with -fno-stack-protector)

Run it on port 12100 12327 (on Linux server)


./thttpd p 12100
Run $ ps aux | grep thttpd, and make sure that no one
else is using your port

Do a simple request like


wget http://localhost:12100

Crashing The Server


Send the web server a suitably-formatted
request
$ wget http://localhost:12100/AAAA...AA
How many As should there be?

Where does the buffer overflow occur? Why?


Look at the code
Does it occur on the stack?

How To Crash The Server Steps 3 & 4


Open 2 terminals and SSH into lnxsrv on both
Make sure youre using the same lnxsrv for both (i.e. lnxsrv01, or lnxsrv02, etc.
on both)

In 1st terminal
Run the web server under GDB and get traceback (bt) after the crash
./thttpd p <port number>
Find the pid for thttpd
ps aux | grep thttpd

Run gdb
$ gdb
$ (gdb) attach <pid>

In 2nd terminal
Send your crashing request using wget or curl

In 1st terminal
Continue (c), and when it crashes, do bt
Include this in lab8.txt

Steps 5 & 6
Describe how you would build a remote exploit in the
modified thttpd
Smashing the stack for Fun and Profit
This lecture

-fstack-protector option
GCC flag that protects against stack-based overflow
Random canary is inserted after local variables, first thing to get corrupted
Arguments
Return Address
Frame Pointer

Canary
Local Variables

Lab Hints
How to create assembly language files (.s files)
Remove the .o file
$ rm thttpd.o

Edit Makefile using your favorite editor


$ vim Makefile

Search for CFLAGS flag


Add -S after -O2
CFLAGS = -O2 S
Save and quit

Make the removed .o file


$ make thttpd.o

You will see thttpd.s or thttps.o has been created with


assembly code in it

Lab Hints
Adding options to ./configure and make
$ CC=gcc CFLAGS=options1 ./configure
$ CC=gcc CFLAGS='-fno-stack-protector' ./configure

$ CC=gcc CFLAGS=options1 make


$ CC=gcc CFLAGS='-fno-stack-protector' make

Options for CFLAGS


-fno-stack-protector
-fstack-protector

Or change CFLAGS in Makefile

You might also like