GT ECE 4112 - Buffer Overflows


ECE4112 Internetwork Security
Lab 6: Buffer Overflows

Date Issued: February 17, 2009
Due Date: February 24, 2009
Last Edited: November 6, 2007

Lab Goal

This lab will introduce you to the memory stack used in computer processes and demonstrate how to overflow memory buffers in order to exploit application security flaws. You will then execute several buffer overflow attacks against your Linux and Windows XP machines in order to gain root or administrative access using application vulnerabilities.

Pre-Lab

The following readings are a must to understand this lab and complete it in a timely manner.

1. Carefully read the entire article Smashing the Stack for fun and profit by Aleph One (Appendix A). It is essential that you have a thorough understanding of this article before you attempt these attacks, and although the author’s computer system differs from ours, it will be useful as a reference during the lab.

Note: Correction to the Aleph One paper – For example3.c (the 9th page of Smashing the Stack), Aleph One says, “We can see that when calling function() the RET will be 0x8004a8. The next instruction we want to execute is the one at 0x8004b2. A little math tells us the distance is 8 bytes.” The number should be 10 bytes instead of 8 bytes.

2. Read the article Secure programmer: Countering buffer overflows: Preventing today's top vulnerability, by David Wheeler ([email protected]), Research Staff Member, Institute for Defense Analyses, 27 Jan 2004, at: http://www-128.ibm.com/developerworks/linux/library/l-sp4.html and answer the question:

PLQ1: According to the article, what are the common problems with C/C++ which allow buffer overflows?

3. For this prelab section, you will need to use a computer which has internet access and a Java-enabled browser.
a. Go to the website: http://nsfsecurity.pr.erau.edu/bom/
b. Scroll down to the middle of the page.
c. We will be using the online demos of buffer overflow.
d. Read the section on “How to use the Demo applets” before beginning.
e. Complete the first 4 demos below (7 total), in the order listed. Be sure to use the “step” feature and always read the helpful text in the lower left. The read-only areas in memory (top-right) have been color coded with the C functions. You will see that the stack is also color coded as it starts growing (lower right) – be sure you understand the stack manipulation before and after function calls.

Note: When asked for input, type in a long string and watch it erase data in the stack memory.

Background

Although computer programs are frequently written in English-based user-friendly languages such as C, they must be compiled to an assembly language built for the machine on which they will be executed. The assembly language has far fewer commands than C, and these commands vary much less in structure and are less obvious semantically. Commands are stored in memory so that each is referenced by its location in memory rather than its line number in the code. Commands are executed sequentially, and functions are executed by jumping to a particular memory location, continuing sequential execution, and jumping back at the end of the function. An assembly language tutorial describing the conversion from C code to x86 assembly can be found at: http://linuxgazette.net/issue94/ramankutty.html

When a computer process is executed, it gains access to a portion of the computer’s memory system. In the lower set of addresses of the allocated memory, the compiled assembly instruction set is placed so that the computer can execute these instructions directly from memory. This part of memory is generally flagged as read-only, and attempting to modify it results in a segmentation fault. Segmentation faults can occur for other reasons as well, such as if an invalid instruction is executed. At a higher portion of addresses, variables are allocated and stored. Whenever a process saves some data to memory (e.g. int a=4), it is placed in this region. Finally, the highest portion of addresses contains the memory stack.

The stack helps coordinate the hierarchical execution of functions within applications. When a function is called, a variable known as the frame pointer is pushed onto the stack, which references the memory locations of variables local to the function. Next, since a function is executed by a jump from a different location in memory, a return address is pushed onto the stack so that the computer knows where in memory to return once the function has been completed. Finally, when a function is passed variables (e.g. myfunc(a,b,c)) these variables are also placed on the stack. Theoretically, stack manipulation should be accomplished entirely by the process, which allocates and sets pointers and variables at appropriate stages of execution, such as function calls.

The key to buffer overflow attacks is to maliciously manipulate the data in the stack. By changing the return pointer, for example, it is possible for the process to jump to a memory location containing user data rather than the correct location in the instruction set. If the user data is crafted to include malicious assembly commands, such as a backdoor, these will be executed.

Finally, we’ll be taking a look at heap overflows. Although heap overflows can be exploited just as easily as stack overflows, they are much less well known. System administrators often implement patches and precautions to prevent stack overflows but leave the heaps completely open to attacks! Although we won’t be doing any exercises in the lab about heap overflows, more information about them has been included as an appendix (Appendix B).

Lab Scenario

For most of the lab, you will be using only your Red Hat 7.2 host machine. You will need to use your Red Hat 7.2 Copy virtual machine for remote buffer overflow attacks and you will use your Windows XP virtual machine in an exercise to see how contemporary attacks compromise Windows systems.

Section I – Experimentation with “Smashing the Stack for fun and profit” by Aleph One

Connect to Network Attached Storage, and copy the file Lab6/stacksmash.tgz to your Red Hat 7.2 machine. Decompress it with the command:

tar zxvf stacksmash.tgz

Enter the stacksmash directory, and type make to compile. To recompile during the rest of this section, follow the instructions specific to the exercise or simply type make again.

Exercise 1: The Stack Region

Source file: example1.c

For
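
The mechanism described in the Background section, shown as an added example that is not part of the original lab handout or its stacksmash files: a simulated stack frame in which an unbounded copy runs past a local buffer and replaces the saved frame pointer and return address, next to a bounded copy that rejects the same input. The frame layout (16-byte buffer, then frame pointer, then return address), the function names and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (32-bit x86, simplified): 16-byte local buffer, then the
 * 4-byte saved frame pointer, then the 4-byte return address. */
#define BUF_LEN   16
#define OFF_FP    BUF_LEN
#define OFF_RET   (BUF_LEN + 4)
#define FRAME_LEN (BUF_LEN + 8)

struct frame { unsigned char bytes[FRAME_LEN]; };

static uint32_t get32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

void frame_init(struct frame *f, uint32_t saved_fp, uint32_t ret) {
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + OFF_FP, &saved_fp, 4);
    memcpy(f->bytes + OFF_RET, &ret, 4);
}
uint32_t frame_fp(const struct frame *f)  { return get32(f->bytes + OFF_FP); }
uint32_t frame_ret(const struct frame *f) { return get32(f->bytes + OFF_RET); }

/* Models strcpy(buf, input): the copy length comes from the input alone.
 * Clamped to the simulated frame only so this demo itself stays memory-safe. */
size_t unchecked_copy(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, input, n);
    return n;
}

/* Hardened form: refuse anything that does not fit the buffer, NUL included. */
int checked_copy(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > BUF_LEN) return -1;
    memcpy(f->bytes, input, n);
    return 0;
}

int main(void) {
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, longer than the frame */
    struct frame f;
    frame_init(&f, 0xbffff000u, 0x08048400u);                    /* constructed values */
    unchecked_copy(&f, long_input);
    printf("unchecked: fp=0x%08x ret=0x%08x\n", (unsigned)frame_fp(&f), (unsigned)frame_ret(&f));
    frame_init(&f, 0xbffff000u, 0x08048400u);
    printf("checked: rc=%d ret=0x%08x\n", checked_copy(&f, long_input), (unsigned)frame_ret(&f));
    return 0;
}
```

After the unchecked copy both saved values read back as 0x41414141, the bytes of the input; after the checked copy the return address is unchanged because the input was rejected before any byte was written.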

