Pitt IS 2620 - Pointer Subterfuge
Secure Coding in C and C++
Pointer Subterfuge
Lecture 7
Acknowledgement: These slides are based on author Seacord's original presentation.

Pointer Subterfuge
- Pointer subterfuge is a general term for exploits that modify a pointer's value.
- A pointer is a variable that contains the address of a function, array element, or other data structure.
- Function pointers can be overwritten to transfer control to attacker-supplied shellcode.
- Data pointers can also be modified to run arbitrary code.
- Attackers who can control the address written through a data pointer can modify other memory locations.

Data Locations - 1
- For a buffer overflow to overwrite a function or data pointer, the buffer must be
  - allocated in the same segment as the target function or data pointer,
  - at a lower memory address than the target function or data pointer, and
  - susceptible to a buffer overflow exploit.

Data Locations - 2
- UNIX executables contain both a data and a BSS segment.
- The data segment contains all initialized global variables and constants.
- The Block Started by Symbols (BSS) segment contains all uninitialized global variables.
- Initialized global variables are therefore separated from uninitialized variables.

Data declarations and process memory organization:

    #include <stdlib.h>

    static int GLOBAL_INIT = 1;               /* data segment, global */
    static int global_uninit;                 /* BSS segment, global */

    int main(int argc, char **argv) {         /* argc, argv: stack, local */
        int local_init = 1;                   /* stack, local */
        int local_uninit;                     /* stack, local */
        static int local_static_init = 1;     /* data segment, local */
        static int local_static_uninit;       /* BSS segment, local */
        char *buff_ptr = malloc(32);          /* storage for buff_ptr is stack, local */
                                              /* allocated memory is heap, local */
                                              /* (the slide shows only these two comments; the size is assumed) */
        free(buff_ptr);
        return 0;
    }

Function Pointers - Example Program

    #include <string.h>
    /* BUFFSIZE is defined elsewhere; the slides do not give its value. */

    void good_function(const char *str) { ... }

    int main(int argc, char **argv) {
        static char buff[BUFFSIZE];
        static void (*funcPtr)(const char *str);
        funcPtr = &good_function;
        strncpy(buff, argv[1], strlen(argv[1]));   /* bounded by the source length, not by sizeof buff */
        (void)(*funcPtr)(argv[2]);
        return 0;
    }

- The static character array buff and the function pointer funcPtr are both uninitialized, so both are stored in the BSS segment.
- A buffer overflow occurs when the length of argv[1] exceeds BUFFSIZE.
- When the program invokes the function identified by funcPtr, the shellcode is invoked instead of good_function().

Data Pointers
- Used in C and C++ to refer to
  - dynamically allocated structures,
  - call-by-reference function arguments,
  - arrays, and
  - other data structures.
- Can be modified by an attacker when exploiting a buffer overflow vulnerability.
- An arbitrary memory write occurs when an attacker can control an address to modify other memory locations.

Data Pointers - Example Program

    1. void foo(void *arg, size_t len) {
    2.     char buff[100];
    3.     long val = ...;
    4.     long *ptr = ...;
    5.     memcpy(buff, arg, len);   /* unbounded memory copy */
    6.     *ptr = val;
    7.     ...
    8.     return;
    9. }

- After overflowing the buffer, an attacker can overwrite ptr and val.
- When *ptr = val is evaluated (line 6), an arbitrary memory write is performed.

Modifying the Instruction Pointer
- For an attacker to succeed, an exploit needs to modify the value of the instruction pointer to reference the shellcode.

    #include <stdio.h>
    #include <tchar.h>

    void good_function(const char *str) {
        printf("%s", str);
    }

    int _tmain(int argc, _TCHAR *argv[]) {
        static void (*funcPtr)(const char *str);   // Function pointer declaration
        funcPtr = &good_function;
        (void)(*funcPtr)("hi ");
        good_function("there!\n");
        return 0;
    }

Function Pointer Disassembly Example - Program

    (void)(*funcPtr)("hi ");
    00424178 mov esi, esp
    0042417A push offset string "hi" (46802Ch)
    0042417F call dword ptr [funcPtr (478400h)]
    00424185 add esp, 4
    00424188 cmp esi, esp
    good_function("there!\n");
    0042418F push offset string "there!\n" (468020h)
    00424194 call good_function (422479h)
    00424199 add esp, 4

- The first function call invocation takes place at 0x0042417F. The machine code at this address is ff 15 00 84 47 00; its last four bytes are the little-endian address 0x00478400, the location of funcPtr that the disassembly shows as the dword ptr [funcPtr (478400h)] operand. The actual address of good_function() stored at that location is 0x00422479.
- The second, static call to good_function() takes place at 0x00424194. The machine code at this location is e8 e0 e2 ff ff.

Function Pointer Disassembly Analysis - 1
- This form of the call instruction indicates a near call with a displacement relative to the next instruction.
- The displacement is a negative number, which means that good_function() appears at a lower address (0xFFFFE2E0 is -0x1D20, and 0x00424199 - 0x1D20 = 0x00422479, the address of good_function()).
- The two invocations of good_function() provide examples of call instructions that can and cannot be attacked.

Function Pointer Disassembly Analysis - 2
- The static invocation uses an immediate value as the relative displacement;
  - this displacement cannot be overwritten because it is in the code segment.
- The invocation through the function pointer uses an indirect reference;
  - the address in the referenced location can be overwritten.
- These indirect function references can be exploited to transfer control to arbitrary code.
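To make the analysis concrete, here is an added example (not from the slides or Seacord's book) that decodes the two CALL encodings quoted on the disassembly slide, ff 15 disp32 and e8 rel32, and reports where each one takes its target from; the bytes and addresses are the ones shown above, and the enum and struct names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Two IA-32 CALL encodings seen on the disassembly slide. */
enum call_kind { CALL_UNKNOWN, CALL_REL32, CALL_INDIRECT_ABS };

struct call_info {
    enum call_kind kind;
    size_t length;    /* bytes the instruction occupies */
    uint32_t target;  /* REL32: callee address; INDIRECT: address of the pointer slot read */
};
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode one CALL located at virtual address `addr`.
 * E8 rel32     : near relative call, target = next instruction address + rel32 (signed).
 * FF 15 disp32 : call dword ptr [disp32]; the callee address is loaded from memory at disp32
 *                (ModRM 0x15 = mod 00, reg 010 (/2 = CALL), rm 101 = [disp32] on IA-32). */
struct call_info decode_call(const uint8_t *code, size_t n, uint32_t addr) {
    struct call_info ci = { CALL_UNKNOWN, 0, 0 };
    if (n >= 5 && code[0] == 0xE8) {
        ci.kind = CALL_REL32;
        ci.length = 5;
        ci.target = addr + 5u + le32(code + 1);   /* uint32_t wrap-around == signed addition */
    } else if (n >= 6 && code[0] == 0xFF && code[1] == 0x15) {
        ci.kind = CALL_INDIRECT_ABS;
        ci.length = 6;
        ci.target = le32(code + 2);
    }
    return ci;
}
/* Which operand can an overflow change? Only the indirect form reads its target from data. */
const char *call_risk(enum call_kind k) {
    return k == CALL_INDIRECT_ABS ? "target read from a writable pointer slot"
         : k == CALL_REL32        ? "target fixed in the code segment"
         :                          "not a decodable CALL";
}

int main(void) {
    /* Bytes and addresses are the ones quoted on the slides. */
    static const uint8_t via_ptr[] = { 0xFF, 0x15, 0x00, 0x84, 0x47, 0x00 };   /* at 0x0042417F */
    static const uint8_t direct[]  = { 0xE8, 0xE0, 0xE2, 0xFF, 0xFF };         /* at 0x00424194 */
    struct call_info a = decode_call(via_ptr, sizeof via_ptr, 0x0042417Fu);
    struct call_info b = decode_call(direct, sizeof direct, 0x00424194u);
    printf("0042417F: call dword ptr [%08X]  %s\n", a.target, call_risk(a.kind));
    printf("00424194: call %08X            %s\n", b.target, call_risk(b.kind));
    return 0;
}
```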
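As an added example that is not part of the original slides, the source-bounded strncpy from the function-pointer example program and the unchecked memcpy from the data-pointer example are shown beside copies that are bounded by the destination size and fail closed; BUFFSIZE is assumed to be 16 here because the slides leave it undefined, and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUFFSIZE 16   /* assumed value; the slides leave BUFFSIZE undefined */

/* Pattern from the function-pointer example: the copy is bounded by the SOURCE length,
 * so an argv[1] longer than BUFFSIZE runs past buff into whatever follows it in the BSS
 * (the adjacent static funcPtr). Shown for contrast only; never called here. */
void vulnerable_copy(char *buff, const char *src) {
    strncpy(buff, src, strlen(src));
}

/* Hardened form: bounded by the DESTINATION size, fails closed on oversize input, and
 * leaves buff NUL-terminated. Returns 0 on success, -1 if src does not fit. */
int bounded_copy(char *buff, size_t buffsize, const char *src) {
    if (buffsize == 0) return -1;
    const char *nul = memchr(src, '\0', buffsize);   /* scan no further than we can store */
    if (nul == NULL) {                                /* no terminator within buffsize bytes */
        buff[0] = '\0';
        return -1;
    }
    memcpy(buff, src, (size_t)(nul - src) + 1);      /* copy including the terminator */
    return 0;
}

/* Same rule for the data-pointer example: a caller-supplied len must be checked
 * against the fixed-size buffer before memcpy, or ptr and val can be overwritten. */
int bounded_memcpy(char *buff, size_t buffsize, const void *arg, size_t len) {
    if (len > buffsize) return -1;
    memcpy(buff, arg, len);
    return 0;
}

int main(int argc, char **argv) {
    static char buff[BUFFSIZE];
    /* Constructed sample input, used when no argument is given. */
    const char *arg = argc > 1 ? argv[1] : "this constructed string is longer than BUFFSIZE";
    if (bounded_copy(buff, sizeof buff, arg) != 0) {
        fprintf(stderr, "rejected: %zu-byte argument does not fit in %d bytes\n", strlen(arg), BUFFSIZE);
        return 1;
    }
    printf("copied: %s\n", buff);
    return 0;
}
```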
Global Offset Table - 1
- Windows and Linux use a similar mechanism for linking and transferring control to library functions.
  - The Linux solution is exploitable.
  - The Windows version is not.
- The default binary format on Linux, Solaris 2.x, and SVR4 is called the Executable and Linking Format (ELF).
- ELF was originally developed and published by UNIX System Laboratories (USL) as part of the Application Binary Interface (ABI).
- The ELF standard was adopted by the Tool Interface Standards committee (TIS) as a portable object file format for a variety of IA-32 operating systems.

Global Offset