Escolar Documentos
Profissional Documentos
Cultura Documentos
Overview
Race Conditions
Concentration in BO and FS
Background Information
Buffer Overflows
Format Strings
An Example
Race Conditions
Anomolous behavior due to unexpected critical
dependence on the relative timing of events.
(dict.die.net)
Focus
What if the event is access to a resource?
What if the resource is a file? (In Linux
Everything is a File)
What if we can get access to the file before the
original process?
RC 2 An Example
1.
2.
RC 3 An Example Cont
Memory
IP (Instruction Pointer)
EBP (Extended Base Pointer)
ESP (Extended Stack Pointer)
PML 3 An Example
int globalInt;
int main(int argc, char *argv[])
{
int localInt;
char localChar;
char* heapChar = malloc(1);
}
Environment of home=/
<-Error
call procedure
;pushes ip into stack
;inside procedure this is the procedure prolog
push %ebp
mov %esp, %ebp
sub $x, %esp
;x is total size in bytes of arguments
Buffer Overflows
Two Kinds
BO 3 strcpy() example
Before
After
0xbffffffb
0xffffff
0xbfffffffb
0xffff0041
0xbffffff8
0x00000000 0xbffffff8
3' '2' '1' '0'
BO 4 Off by 1 errors
Before
0xbffffffb
0xbffffff8
After
4
0xbfffffffb 0x00000041
0x00000000 0xbffffff8
"AAAA"
BO 5 A Little Fun
What is the output of the following code snippet?
int counter;
char[4] ca;
for(counter = 0; counter < 100; ++counter)
{
sprintf(ca,abcd);
printf(%d,counter);
}
A nop region
A shellcode region
Return address region
BO 7 Egg Components
BO 8 Structure of an Egg
In buffer overflows, the egg is usually in the form
of:
nop,nop,nop,nop,shellcode,ret,ret,ret
After
We want this structure because since
Why? 0xbffffffb Before
Saved RET 0xbfffffffb ret (0xbffff010) instructions get processed from down to
0xbffffff8
0xbffff000
Buffer
0xbffff000
ret
ret
ret
ret
ret
(0xbffff010)
(0xbffff010)
(0xbffff010)
(0xbffff010)
(0xbffff010)
e
lcod
shel
nop
nop
nop
nop
Format Strings
FS 2 printf()
printf(char* fstr, )
FS 3 printf() algorithm
for each char in fstr until NULL
if curChar == % then
switch (nextChar)
case % : write a % to output
case x : pop* a word off the stack and write that word as hex to output
case s : pop* a word off the stack, treat that as a pointer to a
character array, starting at that position write each
character to output until 0 is reached
case n : pop* a word from the stack and treats it as an address, writes the
number of characters written so far to that address
else
write curChar to output
*Popping a word off the stack for format string functions does not mean use the pop instruction. It
means read a word off the stack starting at EBP+4 (This is where the 2nd parameter passed to
printf() starts and incrementing by 4 bytes each pop (read).
FS 4 The Problem
printf(message);
Well these are format string escape sequences which means printf() will process them.
If memory of printf() looks like this
0xbffffffb
0xbffffff8
0xbffffff4
0xbffffff0
0xbfffffeb
Since the first %08x will take the word starting from EBP+4 (From Function Prolog
EBP points to word right above Saved RET) and the second will take the word from
EBP+8 the output will look like
0000ffff 000000ff : Problem unexpected string in message (Who would have thought
a message would contain weird %08x in it)
%--x pops a word from the stack and prints it out in character spaces
%n pops a word from the stack and treats it as an address, writes the number
of characters written so far to that address.
%hn same as %n but only writes to 2 bytes of address specified by stack pop
FS 6 The Procedure
2.
3.
2.
3.
Split format string attack into two parts. First find out
how many %xs it takes to get back to the start of the
format string (to targetAdd) then try to do the attack
To write to a memory address, have two targetAdds
separated with a dummy word
(targetAdd,dummyword,targetAdd+2) This way we can
use the combination %hn %--x %hn to write a whole
word specified by targetAdd where -- is the proper
number so targetAdd+2 contains the 2-byte value of
our choice
The counter that keeps track of number of characters
written to output is 16 bits, and it cycles.
FS 8 An Example
Buffer Overflows
DOS with
No Printing Of Memory
Format Strings
DOS with
Use %s%n%s%n
Use %f%f
Use %x
Code Analysis
printf(message);
strcpy(message,source);
The Attack
To illustrate both buffer overflows and
format string attacks I will use a format
string attack to change the address
where source is pointing to, to a string of
my choice so as to cause a buffer
overflow and open a shell
TA 2 Format String
\xec\xee\xff\xbf\xff\xff\xff\xff\xea\xee\xff\xbf
%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x
%00008x%8x%00008x%8x
\x90\x90\x90\x90\x90\x90\x90\x90\x90
shellcodeRETRETRETRETRETRET
TA 4 Notes
You dont have to start a shell. These are just tools, use
them to your hearts content.
The exploit code is machine and even instance
dependent, the addresses that works for one machine
may not work for another. (Think about the environment
and arguments memory area.)
The points made here are labor intensive, there are
papers that describe how to automate the process of
finding the addresses and building the proper length
strings.
The only proper way to prevent these problems is
through the education and understanding of the
functions being used.
References
[1] Race Conditions, Files, and Security Flaws; or
the Tortoise and the Hare Redux Matt Bishop
http://seclab.cs.ucdavis.edu/projects/vulnerabiliti
es/scriv/ucd-ecs-95-08.pdf
[2] "Smashing the Stack for Fun and Profit Aleph
One
http://www.shmoo.com/phrack/Phrack49/p49-14
Questions?