Project 1: Buffer Overflow
Trent Jaeger
Systems and Internet Infrastructure Security (SIIS) Lab, Network and Security Research Center
Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA
January 19, 2010

Project Overview
Due: Jan 28, 2010.
Given: a vulnerable program (cse544_victim.c) and an attack program (cse544_attack.c).
Task: configure the attack program to overflow a buffer and take control of the victim program.
- Identify the vulnerable buffer.
- Overflow the buffer so that the function shell() is called.
- A correct injection causes the execution of a new shell.

The Players
- A buffer in the victim, allocated on the stack.
- Attack code: calls the victim with the inputs necessary to overflow the buffer, which overwrites the return address on the stack.
- Exploit: the overwrite must be done in the specific manner necessary to gain control of execution; here it is a jump-to-libc attack, except that the target is actually a local function (shell()).

Vulnerability
Find an appropriate buffer in cse544_victim.c. This is not hard, as there are not that many.

Determine How to Attack: Print Stack
Examine the stack as the victim runs. The victim function dumps the contents of its own stack:
- It prints a "BEFORE picture of stack": a loop walks byte by byte from the start of buf to just past the variable ct, printing each address and the byte stored there (printf("%p: 0x%x\n", ...)).
- It then "runs the overflow": for each input i starting at 1, it prints i, tmp and ct, copies inputs[i] into the buffer with strcpy(p, inputs[i]), prints "AFTER iteration i" followed by the same byte-by-byte stack dump, and advances p by strlen(inputs[i]).
- Finally it prints buf as a string, prints the address of victim, and returns 0.
Build with: make victim
Run with: victim fooofbar
[Figure: byte-by-byte stack dump from 0xbfa3b854 to 0xbfa3b873, annotated with the labels buf, ebp, rtn addr and ct. Slide footer: CSE497b Introduction to Computer and Network Security, Spring 2007, Professor Jaeger.]

Configure Attack
Configure the following:
- Distance to the return address from the buffer: where to write.
- Location of the start of the attacker's code: where to take control.
- What to write on the stack: how to invoke the code (here, a jump to an existing function).
- How to launch the attack: how to send the malicious buffer to the victim.

Return Address
- x86 architecture: build 32-bit code for a Linux environment.
- Remember that integers are represented in little-endian format.
- Take the address 0x8048471; see the trace at right.
[Figure: the same BEFORE stack dump (0xbfa3b854 to 0xbfa3b873, labels buf, ebp, rtn addr, ct). The four bytes at 0xbfa3b86c read 0x71 0x84 0x04 0x08, which is 0x08048471 in little-endian order.]

Find Return Address Offset
Find the offset:
- Build and run the victim: make victim; victim foo bar
- Find the buffer address printed at the start of the victim output. For this run the victim prints:
  i = 3
  inputs = 0xbfa3b944
  main = 0x8048424
  shell = 0x8048648
  inputs[0] = 0xbfa3b944
  buf[0] = 0xbfa3b854
- From the BEFORE picture of the stack, the start of the return address is read at 0xbfa3b86c.
- How do we know it is the return address? It must be an address in the caller, main.
[Figure: BEFORE stack dump starting at 0xbfa3b854, truncated in the source.]
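As an added example (not the course's cse544_victim.c), the unbounded strcpy() copy the slides describe is shown beside a bounded version, together with the little-endian decode used to read the return-address slot out of the stack dump; the 20-byte buffer size is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode four stack bytes as x86 stores them (little-endian) into one word.
 * The dump shows 0x71 0x84 0x04 0x08 at 0xbfa3b86c, which decodes to 0x08048471. */
uint32_t le32(const unsigned char b[4]) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Distance in bytes from the start of buf to another slot, both read from the dump. */
uint32_t slot_offset(uint32_t buf_addr, uint32_t slot_addr) {
    return slot_addr - buf_addr;
}

/* Vulnerable form (what the lecture's victim does): strcpy() stops only at the
 * terminating NUL, so an input longer than buf overwrites whatever follows it on
 * the stack, including the saved ebp and the return address. */
void copy_unchecked(char *buf, const char *input) {
    strcpy(buf, input);
}

/* Hardened form: reject any input that would not fit together with its NUL, so
 * the copy can never run past the end of buf. Returns 0 on success, -1 if rejected. */
int copy_checked(char *buf, size_t buf_len, const char *input) {
    size_t n = strlen(input);
    if (n >= buf_len)
        return -1;
    memcpy(buf, input, n + 1);
    return 0;
}

int main(void) {
    /* Constructed from the values quoted in the slides. */
    const unsigned char ret_bytes[4] = {0x71, 0x84, 0x04, 0x08};
    char buf[20]; /* assumed size for the victim's buffer */

    printf("return address slot holds 0x%08x\n", (unsigned)le32(ret_bytes));
    printf("offset from buf to return address: %u bytes\n",
           (unsigned)slot_offset(0xbfa3b854u, 0xbfa3b86cu));
    printf("checked copy of \"foobar\": %d\n", copy_checked(buf, sizeof buf, "foobar"));
    printf("checked copy of 24 'A's: %d\n",
           copy_checked(buf, sizeof buf, "AAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```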