Download as ODP, PPTX
Uploaded byAnkur Tyagi
Exploiting Memory Overflows
The document provides an overview of buffer overflow vulnerabilities including: 1) It explains how buffer overflows work by writing more data to a buffer than it was allocated to hold, overwriting adjacent memory. 2) An example is given of a function that is vulnerable to buffer overflow by copying user input into a fixed-size buffer without checks. 3) It shows how by passing too much input data, the buffer can be overflown and the return address on the stack overwritten to point to the injected data instead of the intended return location.
More Related Content
Similar to Exploiting Memory Overflows
Exploiting Memory Overflows
- 1.
- 2. Action Plan SystemOrganization Basics
- 3.
- 4.
- 5.
- 6.
- 7.
- 8. System Organization BasicsCPU System Bus A/D/C
- 9. Numbering Systems Octal: 33 Hexadecimal: 1B Binary: 11011 Decimal: 27
- 10. Data Representations Bit: 1 bit (0/1) Nibble: 4 bits (0-15)
- 11. Byte: 8bits (0-255)
- 12. Word: 16bits (0-65535)
- 13. Double Word(DWORD): 32 bits (0-4294967295) Quad Word(QWORD): 64 bits (0-18446744073709551615) 32bits DWORD 16bits WORD 8bits BYTE 4bits NIBBLE 10 148 33,373 1,881,526,604
- 14. MSB LSB 1211 10 9 8 7 6 5 4 3 2 1 13 14 15 Little Endian Big Endian Motorola Intel x86, x86_64 Memory Organization Basics 0x2A 0x2A 0x2A 0x6D20 0x20 0x6D 0x6D 0x20 0x461DAB69 0x69 0xAB 0x1D 0x46 0x69 0xAB 0x1D 0x46
- 15. EAX – Accumulator, used for default operands and results EBX – Base, used to store pointers to data ECX – Counter, used to count up or down EDX – Data, used as an I/O pointer EIP – Instruction Pointer, points to the next instruction Flag – Provides result for the latest operation CS – Code Segment, points to the source of code segment CS – Extra Segment, points to the source of extra segment SS – Stack Segment, points to the source of stack segment DS – Data Segment, points to the source of data segment EBP – Base Pointer, points to the base of the stack frame ESP – Stack Pointer, points to the top of the stack frame EDI – Destination Index, points to the data destination ESI – Source Index, points to the source for data C P U R E G I S T E R S
- 16. 0x100 0x200 0x3000x400 . LOW . . .HIGH ES SS DS CS ESP, EBP EIP EDX, EBX, ESI, EDI EDX, EBX, ESI, EDI Segment Size: 0x100 S E G M EN T A T I O N
- 17. Buffer Overflow Basics44 40 36 32 28 24 20 16 12 8 4 0 48 52 56 EBP ESP Stack Operations PUSH – Subtract 4 from ESP and put new value at that address POP – Add 4 to ESP 1A AC 09 CF PUSH 1A P USH CF PUSH 09 POP PUSH AC OPER EBP ESP 36 36 32 28 32 28 36 36 36 36 Stack grows in this direction...
- 18. main() main() main()main() main() main() fun1() fun1() fun1() fun2() LOW HIGH 1 5 4 3 2 -> fun1() -> fun2() -> fun1() -> main() Stack grows in this direction... Function Calls and Stack
- 19. int fun (intarg1, int arg2){ int lvar1 = arg1 + arg2; } int main () { int local_var1; fun (arg1, arg2); } 44 40 36 32 28 24 20 16 12 8 4 0 48 52 56 EBP ESP OLD EBP lvar1 local_var1 arg2 arg1 RETN ADDR Stack Organization for Function Calls
- 20. int add (inta, int b) { int c = a + b; } int main () { int x = 18; add (3, 6); } 44 40 36 32 28 24 20 16 12 8 4 0 48 52 56 EBP ESP x=18 6 3 RA=999 OLD EBP=48 c=9 Stack Organization for Function Calls
- 21. int vuln (char*argv) { char buf[80]; int a = 9; strcpy (buf, argv); } int main (int argc, char **argv) { int x = 6; vuln (argv[1]); } 120 116 112 108 104 204 EBP ESP 200 220 216 212 208 Buffer Overflow Example
- 22. int vuln (char*argv) { char buf[80]; int a = 9; strcpy (buf, argv); } int main (int argc, char **argv) { int x = 6; vuln (argv[1]); } 120 116 112 108 104 204 200 220 216 212 208 python -c 'print “A”*80' EBP ESP Buffer Overflow Example
- 23. int vuln (char*argv) { char buf[80]; int a = 9; strcpy (buf, argv); } int main (int argc, char **argv) { int x = 6; vuln (argv[1]); } 120 116 112 108 104 204 200 220 216 212 208 EBP ESP Buffer Overflow Example python -c 'print “A”*84'
- 24. int vuln (char*argv) { char buf[80]; int a = 9; strcpy (buf, argv); } int main (int argc, char **argv) { int x = 6; vuln (argv[1]); } 120 116 112 108 104 204 200 220 216 212 208 EBP ESP Buffer Overflow Example python -c 'print “A”*88'
- 25. So, you canoverflow a buffer... now what? Sky is the limit...! Well, not really :) Let's just dig deep and see what exactly the scope of such a vulnerability is
- 26. 120 116 112108 104 204 200 220 216 212 208 EBP ESP 120 116 112 108 104 204 200 220 216 212 208 RTN ADDR EIP 41414141 EIP 00000120 GAME OVER! SIGSEGV
- 27. Finally, its timeto witness some live action...!
- 28. That’s all folks!!!Ready with your questions? Start firing them, now...