Introduction to Stack Buffer Overflow for beginners
1 like295 views
This presentation introduces stack buffer overflows and exploitation techniques for beginners. It discusses how buffer overflows work, potential impacts of exploitation including gaining system access and installing backdoors. It then demonstrates a sample vulnerable code, its disassembly, and how an attacker could exploit it by overwriting the return address on the stack to redirect execution to shellcode that starts a calculator program. The presentation concludes by reviewing protections like ASLR and DEP and a real-world exploit.
![Khashayar Fereidani
http://fereidani.com
12/23
Sample Code
bool authenticate(char *name){
char msg[32];
if (check_username(name)==0){
sprintf(msg, "Unauthorized user '%s'n", name);
Printf(“%s”,msg);
return 0;
}else{
printf("Welcome , %s n", name);
return 1;
}
}](https://image.slidesharecdn.com/presentation-150813202359-lva1-app6892/85/Introduction-to-Stack-Buffer-Over-flow-for-beginners-12-320.jpg)
![Khashayar Fereidani
http://fereidani.com
18/23
Implementation
ARGV
ARGC
RET
….
(0x[ADDRESS OF SHELLCODE])
0x90909090
NOPNOPNOPNOPNOP
SHELLCODE
SHELLCODE
SHELLCODE
SHELLCODE](https://image.slidesharecdn.com/presentation-150813202359-lva1-app6892/85/Introduction-to-Stack-Buffer-Over-flow-for-beginners-18-320.jpg)
Introduction to Stack Buffer Overflow for beginners
- 1. Khashayar Fereidani http://fereidani.com Introduction to Stack Buffer Overflow for beginners Islamic Azad University Of Najafabad Network Security Presentation By Khashayar Fereidani
- 2. Khashayar Fereidani http://fereidani.com Who Am I ? ● Khashayar Fereidani ● Just A Security Enthusiast
- 4. Khashayar Fereidani http://fereidani.com What Is Buffer Overflow ? From Dear Memory Corruption Family Heap Overflow , Use After Free Buffer Underflow , Integer Overflow Buffer Overflow and more ...
- 5. Khashayar Fereidani http://fereidani.com What After Exploitation ? 1- File Control 2- Operation System Access 3 – Installing Backdoor 4- Full Device Access ( webcam / monitor / mic )
- 6. Khashayar Fereidani http://fereidani.com Advantages And Disadvantages ● Advantages 1- Effective 2- Locally And Remotely Exploitable ● Disadvantages 1- architecture dependent 2-operation system and even version dependent 3- high exploitation skills needed for this era .
- 7. Khashayar Fereidani http://fereidani.com New Era For Commercial Exploit ● Exploits from $1000 to $10000000 ● Intelligent and Universal ● Die Dear Lamers
- 8. Khashayar Fereidani http://fereidani.com Some Historical Attacks 1- 1988 Morris worm 6000 machines ( 10% of internet ) 2- 2003 SQL Slammer : overflow in MS-SQL server 75,000 machines infected in 10 minutes 3- 2014 Multiple Vulnerabilities in Microsoft / Adobe / D-link / Cisco / Oracle products
- 9. Khashayar Fereidani http://fereidani.com 9/23 Remember Remember ● ESP : Pointer To Top Of Stack ● EBP : Base Pointer ● EIP : Instruction Pointer ● MOV , JMP , CALL , RET
- 10. Khashayar Fereidani http://fereidani.com 10/23 Introduction To Process Environment Block (PEB) ● Stack ( func , ret info , args ) ● Heap ● Data Segment 1- .bss ( Static and uninitialized globals ) 2- .data (initialized globals ) 3- .text ( usually read only ) ● Shared Libraries
- 12. Khashayar Fereidani http://fereidani.com 12/23 Sample Code bool authenticate(char *name){ char msg[32]; if (check_username(name)==0){ sprintf(msg, "Unauthorized user '%s'n", name); Printf(“%s”,msg); return 0; }else{ printf("Welcome , %s n", name); return 1; } }
- 13. Khashayar Fereidani http://fereidani.com 13/23 Disassembled Code 0x08048529 <+0>:push %ebp 0x0804852a <+1>:mov %esp,%ebp 0x0804852c <+3>:sub $0x38,%esp 0x0804852f <+6>: mov 0x8(%ebp),%eax 0x08048532 <+9>:mov %eax,(%esp) 0x08048535 <+12>: call 0x804851f <check_username> 0x0804853a <+17>: test %eax,%eax 0x0804853c <+19>: jne 0x8048572 <authenticate+73> 0x0804853e <+21>: mov 0x8(%ebp),%eax 0x08048541 <+24>: mov %eax,0x8(%esp) 0x08048545 <+28>: movl $0x8048620,0x4(%esp) 0x0804854d <+36>: lea -0x28(%ebp),%eax 0x08048550 <+39>: mov %eax,(%esp) 0x08048553 <+42>: call 0x8048390 <sprintf@plt> 0x08048558 <+47>: lea -0x28(%ebp),%eax 0x0804855b <+50>: mov %eax,0x4(%esp) 0x0804855f <+54>: movl $0x8048639,(%esp) 0x08048566 <+61>: call 0x8048350 <printf@plt> 0x0804856b <+66>: mov $0x0,%eax 0x08048570 <+71>: jmp 0x804858a <authenticate+97> 0x08048572 <+73>: mov 0x8(%ebp),%eax 0x08048575 <+76>: mov %eax,0x4(%esp)
- 14. Khashayar Fereidani http://fereidani.com 14/23 Point Of View From Stack ARGV ARGC RET …. main and previously called procedures …. SAVED EIP SAVED EBP msg Start Of authenticate frame 32 Byte
- 15. Khashayar Fereidani http://fereidani.com 15/23 For Simple Input ARGV ARGC RET …. SAVED EIP SAVED EBP ???????? ???????? ???????? ???????? khashayar
- 16. Khashayar Fereidani http://fereidani.com 16/23 For Evil One :D ! ARGV ARGC RET …. AAAA (0x41414141) AAAA (0x41414141) AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
- 17. Khashayar Fereidani http://fereidani.com 17/23 Exploitation Theory ● Write Our Shellcode to memory ● Get Control Of EIP ● Jump To Our Shellcode
- 18. Khashayar Fereidani http://fereidani.com 18/23 Implementation ARGV ARGC RET …. (0x[ADDRESS OF SHELLCODE]) 0x90909090 NOPNOPNOPNOPNOP SHELLCODE SHELLCODE SHELLCODE SHELLCODE
- 20. Khashayar Fereidani http://fereidani.com 20/23 After Compile xebx16x31xd2x5b x88x53x04x53xbb xedx2ax86x7cxff xd3x52xbbx12xcb x81x7cxffxd3xe8 xe5xffxffxffx63 x61x6cx63x4e ● 34 byte ● Exec Calc
- 21. Khashayar Fereidani http://fereidani.com 21/23 Some OS Level Protections ● ASLR (First OpenBSD & Linux) ● DEP ( Software & Hardware ) ● STACK GS / COOKIE ●But Bypassed in the wild !