CEH v5 Module 20: Buffer Overflow
Module 20
Buffer Overflows
Ethical Hacking
Version 5
EC-Council
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objective
This module will familiarize you with the following:
Buffer Overflows
Reasons for buffer overflow attacks
Types of buffer overflow
Stacks
Shell code
Detecting buffer overflows in a program
Mutating buffer Overflow exploit
Buffer overflow countermeasures
Code Analysis
Module Flow
Buffer Overflows
Reasons for Buffer Overflow Attacks
Types of Buffer Overflow
Stacks
Shell Code
Detecting Buffer Overflows in a Program
Attacking a Real Program
Mutating Buffer Overflow Exploit
Defense against Buffer Overflows
Code Analysis
Why are Programs/Applications Vulnerable?
Delivery pressure: with deadlines driving turnaround, programmers make mistakes that are often overlooked
Bounds checks are done incompletely or, in many cases, skipped entirely
Languages such as C, in which most packages and applications are written, do not check array bounds on the programmer's behalf
The strcat(), strcpy(), sprintf(), vsprintf(), bcopy(), gets(), and scanf() calls in C can be exploited because they do not check whether the destination buffer (on the stack, on the heap, or in static storage) is large enough for the data copied into it
Good programming practices are not adhered to
Buffer Overflows
A buffer overrun occurs when a program allocates a block of memory of a certain length and then tries to store more data in it than it can hold; the excess spills past the end of the buffer and overwrites whatever lies next to it in memory, possibly information crucial to the normal execution of the program
Consider the following source code. When it is compiled and run, it reserves 5 bytes for target and 11 bytes for attacker on the stack, then copies a 14-character string (15 bytes including the terminating NUL) into the 11-byte attacker buffer. strcpy() does not know the size of its destination, so the extra bytes land in whatever the compiler placed next to attacker, which on many compilers is target

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char target[5] = "TTTT";          /* 4 characters plus NUL: exactly full */
    char attacker[11] = "AAAAAAAAAA"; /* 10 characters plus NUL: exactly full */

    /* 14 characters plus NUL = 15 bytes written into an 11-byte buffer */
    strcpy(attacker, "DDDDDDDDDDDDDD");
    printf("%s\n", target);
    return 0;
}

Whether target is actually overwritten depends on the stack layout the compiler chose; either way the write is out of bounds and undefined behaviour
This type of vulnerability is prevalent in UNIX- and NT-based systems
Reasons for Buffer Overflow Attacks
Buffer overflow attacks depend on two things: the lack of bounds checking in the program, and a machine that will execute code residing in the data or stack segment
Missing bounds checks are very common; usually the result is simply that the program crashes with a segmentation fault or bus error. To exploit a buffer overflow to gain access or escalate privileges, the attacker must craft the exact data that is fed to the application
Random data will produce a segmentation fault or bus error, never a remote shell or the execution of a command
Knowledge Required to Program
Buffer Overflow Exploits
1. C functions and the stack
2. A little knowledge of assembly/machine language
3. How system calls are made (at the machine code level)
4. The exec() family of system calls
5. How to guess some key parameters (the buffer's address and the distance to the saved return address)
Types of Buffer Overflows
Stack-based Buffer Overflow
Heap/BSS-based Buffer Overflow
Stack-based Buffer Overflow
A buffer is sized for a maximum number of "guests" (bytes)
Send the buffer more guests than that maximum
If the program does not perform bounds checks, the extra guests are placed at positions beyond the legitimate end of the buffer (Java does not let code run off the end of an array or string; C and C++ do)
Malicious code can be placed on the stack as part of the oversized input
The overflow can overwrite the saved return address so that, when the function returns, control transfers to the malicious code
Understanding Assembly Language
The two most important operations on a stack:
• 1. Push – put one item on the top of the stack (the stack pointer moves and the item is written there)
• 2. Pop – "remove" one item from the top of the stack
• Typically, pop returns the contents pointed to by the stack pointer and then moves the pointer; the memory contents themselves are not erased
Understanding Stacks
The stack is a last-in, first-out (LIFO) mechanism that computers use both to pass arguments to functions and to hold local variables
It acts like a buffer, holding all of the information that the function needs
A stack frame is created on entry to a function and released when the function returns
[Figure: stack frame diagram. BP (base pointer) stays fixed within the stack frame and locals are addressed relative to it; SP (stack pointer) points to the current top of the stack; the arrow marks the stack growth direction (toward lower addresses on x86)]
A Normal Stack
Shellcode
Shellcode is the machine-code payload an attacker delivers through a stack-based overflow; classically it spawns a shell, hence the name
It runs only after a flaw in how the stack is handled (an overwritten return address) has diverted control to it
Buffers are soft targets for attackers because they overflow very easily when the conditions match
Shellcode is typically embedded in the exploit as a string of escaped bytes, for example:
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\xaa\x10\x3f\xff"
"\x91\xd5\x60\x01\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd5\x60\x01"
These bytes are machine code for one particular CPU architecture and operating system and will not work on any other
Heap-based Buffer Overflow
Variables that are dynamically allocated with functions such as malloc() live on the heap
The heap is memory allocated at run time; it is separate from the memory used for the stack and for code
In a heap-based buffer overflow, the attacker overflows a buffer at a lower address on the heap, overwriting other dynamically allocated data (and, in practice, the allocator's own bookkeeping) that lies above it, which can have unexpected and unwanted effects
How to Detect Buffer Overflows in a Program
There are two ways to detect buffer overflows:
• One way is to look at the source code. Here the auditor (or attacker) looks for strings declared as local variables in functions or methods and verifies that bounds checks are present. It is also necessary to check for improper use of standard library functions, especially those related to strings and input/output
• Another way is to feed the application huge amounts of data and watch for abnormal behavior such as crashes
Attacking a Real Program
Assuming that an unchecked string function is being exploited, the attacker sends a long string as the input
This string overflows the buffer; with arbitrary data it only causes a segmentation fault
With crafted data, the saved return address of the function is overwritten and the attacker succeeds in altering the flow of execution
To get his own code, carried in the input, executed, he has to:
• Know (or guess) the address on the stack where the input will sit
• Know the distance from the start of the buffer to the saved return address, i.e. how much to write before the overwrite lands
• Make the return address point at his code so that it runs when the function returns
NOPs
Most CPUs have a No Operation (NOP) instruction: it does nothing but advance the instruction pointer
Usually, we can put some of these ahead of our code (in the string)
As long as the new return address points to any of the NOPs, we are OK: execution slides down through them into the code
The attacker therefore pads the beginning of the overflow string with a long run of NOP instructions (a NOP slide or sled) so the CPU does nothing until it reaches the 'main event', the shellcode, which sits just before the overwritten return pointer
Most intrusion detection systems (IDSs) look for signatures of NOP sleds. ADMutate (by K2) accepts a buffer overflow exploit as input and randomly creates a functionally equivalent version (polymorphism)
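The layout described on the "Attacking a Real Program" and NOPs slides, as an added example that is not part of the original module: the function only assembles bytes in the order [NOP sled][shellcode][return address, repeated] and never executes anything. It assumes 32-bit x86 (NOP is 0x90, addresses are 4 bytes little-endian), a made-up buffer address, and a stand-in for shellcode made of 0xcc (the x86 int3 breakpoint) rather than a working payload.

```c
/* Added example (not from the slides): how an exploit string is laid out for
 * a classic stack overflow: [NOP sled][shellcode][return address, repeated].
 * Assumptions: 32-bit x86 (NOP = 0x90, 4-byte little-endian addresses), a
 * hypothetical buffer address, and 0xcc (int3) bytes standing in for
 * shellcode. Nothing here is executed; the function only builds bytes. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NOP 0x90

/* Harmless stand-in for shellcode (int3 breakpoints), constructed for the demo. */
static const unsigned char shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc };

/* Fill out[0..total-1] with sled + shellcode + ret_slots copies of ret_addr.
 * total must cover the distance from the buffer start past the saved return
 * address; repeating the address lets a guess of the exact offset be off by
 * a few words and still hit. Returns bytes written, or 0 if it does not fit. */
size_t build_payload(unsigned char *out, size_t total,
                     const unsigned char *sc, size_t sc_len,
                     uint32_t ret_addr, size_t ret_slots)
{
    size_t ret_bytes = ret_slots * 4;
    if (sc_len + ret_bytes > total) return 0;
    size_t sled = total - sc_len - ret_bytes;

    memset(out, NOP, sled);                           /* the NOP sled */
    memcpy(out + sled, sc, sc_len);                   /* the "main event" */
    for (size_t i = 0; i < ret_slots; i++) {          /* little-endian address */
        unsigned char *p = out + sled + sc_len + 4 * i;
        p[0] = ret_addr & 0xff;
        p[1] = (ret_addr >> 8) & 0xff;
        p[2] = (ret_addr >> 16) & 0xff;
        p[3] = (ret_addr >> 24) & 0xff;
    }
    return total;
}

/* True if ret_addr lands anywhere inside the sled: every NOP just advances
 * to the next byte until the shellcode is reached, so exactness is not needed. */
int lands_in_sled(uint32_t buf_addr, size_t sled_len, uint32_t ret_addr)
{
    return ret_addr >= buf_addr && ret_addr < buf_addr + sled_len;
}

int main(void)
{
    unsigned char buf[64];
    uint32_t guess = 0xbffff6a0u;             /* hypothetical buffer address */
    size_t n = build_payload(buf, sizeof buf, shellcode, sizeof shellcode, guess + 16, 4);
    printf("payload bytes: %zu, sled bytes: %zu, return address in sled: %s\n",
           n, n - sizeof shellcode - 16,
           lands_in_sled(guess, n - sizeof shellcode - 16, guess + 16) ? "yes" : "no");
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", buf[i], (i % 16 == 15) ? "\n" : " ");
    return 0;
}
```

The two guesses from the slide are visible as parameters: total encodes the distance to the saved return address, ret_addr the stack address; the sled absorbs error in the second, the repeated address absorbs error in the first.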
How to Mutate a Buffer Overflow Exploit
For the NOP portion
Randomly replace the NOPs with functionally equivalent instructions (e.g. x++ followed by x-- has the same net effect as NOP NOP)
For the "main event"
XOR the shellcode with a random key so that it no longer matches an IDS signature. A small decoder prepended to the payload must XOR it back at run time before jumping into it; the decoder itself is generated in varying forms (polymorphic) and is therefore hard to spot
For the "return pointer"
Randomly tweak the least significant byte of the pointer so that it still lands in the NOP zone but no longer matches a fixed signature
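The three mutations above applied to a payload held as a byte array, as an added example that is neither ADMutate's code nor from the module. It assumes 32-bit x86, where the single-byte opcodes 0x40 to 0x43, 0x46, 0x47 (inc eax/ecx/edx/ebx/esi/edi) and 0x49, 0x4a (dec ecx/edx) serve as NOP equivalents provided the shellcode does not rely on the starting value of those registers; the seeded generator is for reproducibility only. The XOR step also handles the edge case the slide skips: a key that maps some payload byte to 0x00 or 0x0a would cut the payload short when it travels through strcpy() or gets(). The decoder stub that performs the XOR in machine code is not written out here.

```c
/* Added example (not from the slides, not ADMutate's code): the three
 * mutations applied to a byte-array payload. Assumes 32-bit x86; the
 * "NOP equivalents" only hold if the shellcode ignores those registers. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Small deterministic PRNG so results are reproducible (not cryptographic). */
static uint32_t rng_state = 0x12345678u;
uint32_t rng_next(void)
{
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 8;
}

/* Single-byte 32-bit x86 instructions: nop, inc eax/ecx/edx/ebx/esi/edi,
 * dec ecx, dec edx. Each just advances execution like a NOP does. */
static const unsigned char nop_equivs[] = { 0x90, 0x40, 0x41, 0x42, 0x43, 0x46, 0x47, 0x49, 0x4a };

/* 1. Rewrite the sled: every plain NOP becomes a random equivalent. */
void mutate_sled(unsigned char *sled, size_t len)
{
    for (size_t i = 0; i < len; i++)
        sled[i] = nop_equivs[rng_next() % sizeof nop_equivs];
}

int is_nop_equiv(unsigned char b)
{
    return memchr(nop_equivs, b, sizeof nop_equivs) != NULL;
}

/* 2. Pick an XOR key that turns no payload byte into 0x00 or 0x0a, since
 * either would truncate the payload in strcpy()/gets()-style readers.
 * Returns 0 if no usable key was found. */
unsigned char pick_key(const unsigned char *code, size_t len)
{
    for (int tries = 0; tries < 256; tries++) {
        unsigned char k = (unsigned char)(rng_next() | 1);   /* never 0 */
        int ok = 1;
        for (size_t i = 0; i < len && ok; i++) {
            unsigned char e = code[i] ^ k;
            if (e == 0x00 || e == 0x0a) ok = 0;
        }
        if (ok) return k;
    }
    return 0;
}

/* XOR is its own inverse: the same routine encodes and decodes. On the wire
 * a few bytes of machine code (the decoder stub) run this loop over the
 * payload before jumping into it; that stub is not written out here. */
void xor_bytes(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* 3. Jitter the return address: keep the high bytes, randomise the low
 * offset so it still lands inside [sled_start, sled_start + sled_len). */
uint32_t jitter_ret(uint32_t sled_start, size_t sled_len)
{
    return sled_start + (uint32_t)(rng_next() % sled_len);
}

int main(void)
{
    unsigned char sled[16];
    unsigned char code[] = { 0x31, 0xc0, 0x50, 0x90, 0x0a };  /* constructed sample */
    memset(sled, 0x90, sizeof sled);
    mutate_sled(sled, sizeof sled);
    unsigned char key = pick_key(code, sizeof code);
    xor_bytes(code, sizeof code, key);
    printf("key %02x\nsled   :", key);
    for (size_t i = 0; i < sizeof sled; i++) printf(" %02x", sled[i]);
    printf("\nencoded:");
    for (size_t i = 0; i < sizeof code; i++) printf(" %02x", code[i]);
    printf("\nret    : %08x\n", jitter_ret(0xbffff6a0u, sizeof sled));
    return 0;
}
```

A signature that matches a run of 0x90 bytes no longer fires on the mutated sled, and the encoded body shares no bytes with the original; what remains constant, and what later detection work focused on, is the small decoder and the fact that a long run of single-byte instructions is itself unusual.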
Once the Stack is Smashed...
Once the vulnerable process is commandeered, the attacker has the same privileges as that process and can use them for normal access. He can then exploit a local buffer overflow vulnerability to gain super-user access
Create a backdoor:
• Using (UNIX-specific) inetd
• Using Trivial FTP (TFTP), included with Windows 2000 and some UNIX flavors, to transfer tools
• Using Netcat to make raw, interactive connections
• Shooting back an X terminal connection (UNIX-specific GUI)
Defense Against Buffer Overflows
Manual auditing of code
Disabling stack execution
Safer C library support
Compiler techniques
Tool to Defend Buffer Overflow:
Return Address Defender (RAD)
RAD is a simple patch for the compiler that
automatically creates a safe area to store a copy of
return addresses
After that, RAD automatically adds protection code into
applications that it compiles to defend programs against
buffer overflow attacks
RAD does not change the stack layout
Tool to Defend Buffer Overflow: StackGuard
StackGuard is a compiler approach for defending programs and systems against "stack smashing" attacks: it places a canary word between the local variables and the saved return address and verifies it before the function returns
Programs that have been compiled with StackGuard are largely immune to stack smashing attacks
Protection requires no source code changes at all. When a vulnerability is exploited, StackGuard detects the attack in progress, raises an intrusion alert, and halts the victim program
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
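The canary idea in plain C, as an added example that is not StackGuard's implementation: a guard word sits between the local buffer and the saved return address, so an overflow that reaches the return address has to pass through the guard first, and checking it before returning catches the smash. The layout is forced with a struct (a real compiler decides it), the saved_ret field only stands in for the real return address, and the canary constant 0x000aff0d is the StackGuard "terminator" canary, whose NUL, LF and CR bytes stop the string functions most overflows go through.

```c
/* Added example (not StackGuard's code): the canary check in plain C.
 * The struct forces the layout; saved_ret stands in for the real return
 * address. 0x000aff0d is StackGuard's terminator canary (NUL, LF, 0xff, CR). */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

struct guarded_frame {
    char buf[16];        /* local buffer, written by an unbounded copy */
    uint32_t canary;     /* guard word between the buffer and the return address */
    uint32_t saved_ret;  /* stands in for the saved return address */
};

/* A real implementation draws the value at process start; the terminator
 * canary is fixed because its bytes cannot be written by strcpy()/gets(). */
static uint32_t canary_value(void)
{
    return 0x000aff0du;
}

/* Simulates a function prologue, an unbounded copy of input into buf, and
 * the check a protected epilogue makes. Returns 1 if the canary was
 * changed (frame smashed), 0 if intact. The copy is clamped to the struct
 * so the demo itself stays well-defined. */
int smashed_after_copy(struct guarded_frame *f, const char *input)
{
    memset(f, 0, sizeof *f);
    f->canary = canary_value();
    f->saved_ret = 0x08048abcu;                    /* placeholder address */
    size_t n = strlen(input) + 1;                  /* strcpy() semantics: NUL included */
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, input, n);          /* no bound on buf[16] */
    return f->canary != canary_value();
}

/* What a protected epilogue does before using the return address:
 * 0 = safe to return, -1 = smash detected (a real guard calls abort()). */
int checked_return(struct guarded_frame *f)
{
    if (f->canary != canary_value()) {
        fputs("*** stack smashing detected ***\n", stderr);
        return -1;
    }
    return 0;
}

int main(void)
{
    struct guarded_frame f;
    const char *inputs[] = { "fifteen chars!!", "sixteen chars!!!", "AAAAAAAAAAAAAAAAAAAAAAAA" };
    for (int i = 0; i < 3; i++) {
        int smashed = smashed_after_copy(&f, inputs[i]);
        printf("%-24s -> canary %08x, saved_ret %08x, %s\n", inputs[i], f.canary,
               f.saved_ret, smashed ? "SMASHED" : "intact");
        checked_return(&f);
    }
    return 0;
}
```

Note the sixteen-character case: the data itself fits, and only the copied NUL terminator reaches the canary, yet the check still fires because even one changed byte of the guard is enough; with the same layout but no canary that off-by-one would pass unnoticed. Modern GCC and Clang build this in with -fstack-protector (enabled by default on many distributions).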
Tool to Defend Buffer Overflow:
Immunix System
Immunix System is an Immunix-enabled RedHat Linux distribution
and suite of application-level security tools
Immunix secures a Linux OS and applications
Immunix works by hardening existing software components and
platforms so that attempts to exploit security vulnerabilities will fail
safe. That is, the compromised process halts instead of giving control to
the attacker, and then is restarted
http://immunix.org
Simple Buffer Overflow in C
Vulnerable C Program overrun.c

#include <stdio.h>
#include <stdlib.h>

int main(void) {
    char *name;
    char *dangerous_system_command;

    name = (char *) malloc(10);                       /* 10 bytes for the name */
    dangerous_system_command = (char *) malloc(128);  /* typically placed right after it */
    printf("Address of name is %p\n", (void *) name);
    printf("Address of command is %p\n", (void *) dangerous_system_command);
    sprintf(dangerous_system_command, "echo %s", "Hello world!");
    printf("What's your name?");
    gets(name);                          /* no bound: a long name overruns into the command */
    system(dangerous_system_command);    /* runs whatever the overrun left there */
    return 0;
}

A name longer than the 10 bytes malloc() set aside spills into the adjacent command buffer, so the attacker chooses what system() runs: a heap overflow with no return address involved. gets() has no way to limit input and was removed from the C standard in C11
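The same program with its input handling fixed, as an added example rather than code from the module. gets() is replaced by a bounded line reader that also detects input longer than the buffer (fgets() alone silently truncates and leaves the rest of the line for the next read, which is its own source of bugs), sprintf() becomes snprintf(), and the name length is tied to one constant. The string_stream() helper is only there so the reader can be exercised without a terminal; everything else keeps the original's structure.

```c
/* Added example (not from the slides): overrun.c with bounded input.
 * read_line_bounded() replaces gets() and reports an overlong line instead
 * of truncating it silently. Uses only ISO C (tmpfile() for the test stream). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 10

/* Reads one line into dst (at most dstsz-1 chars, NUL-terminated, newline
 * stripped). Returns the length read, -1 on EOF/error, or -2 if the line was
 * longer than the buffer; in that case the remainder of the line is drained
 * so the next read starts on a fresh line, and dst is left empty. */
int read_line_bounded(FILE *in, char *dst, size_t dstsz)
{
    if (dstsz == 0 || fgets(dst, (int)dstsz, in) == NULL) return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[--len] = '\0';
        return (int)len;
    }
    /* No newline in dst: the buffer filled up, or the file ended mid-line. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return (int)len;      /* line fit exactly */
    while (c != '\n' && c != EOF) c = fgetc(in);     /* drain the overlong line */
    dst[0] = '\0';
    return -2;
}

/* Helper for exercising the reader without a terminal: a FILE* that
 * replays a string (constructed input, written to a temporary file). */
FILE *string_stream(const char *s)
{
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(s, f);
    rewind(f);
    return f;
}

int main(void)
{
    char *name = malloc(NAME_MAX_LEN + 1);
    char *command = malloc(128);
    if (name == NULL || command == NULL) return 1;
    snprintf(command, 128, "echo %s", "Hello world!");   /* bounded, unlike sprintf() */
    printf("What's your name? ");
    int r = read_line_bounded(stdin, name, NAME_MAX_LEN + 1);
    if (r == -2) {
        fprintf(stderr, "name longer than %d characters, rejected\n", NAME_MAX_LEN);
        free(name); free(command);
        return 1;
    }
    system(command);          /* command is still exactly what we wrote into it */
    free(name); free(command);
    return 0;
}
```

The reader returns a distinct code for "too long" rather than quietly keeping the first ten characters; rejecting the input is the right default, because a truncated name that is later concatenated into a path or command is a different class of bug waiting to happen.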
Summary
A buffer overflow occurs when a program or process tries to store more data in a buffer
(temporary data storage area) than it was intended to hold
Buffer overflow attacks depend on: the lack of boundary testing, and a machine that
can execute code that resides in the data/stack segment
Buffer overflow vulnerability can be detected by skilled auditing of the code as well as
boundary testing
Once the stack is smashed, the attacker can deploy his payload and take control of the
attacked system
Countermeasures include checking the code, disabling stack execution, safer C library
support, and using safer compiler techniques
Tools like StackGuard, Immunix, and vulnerability scanners help in securing systems
