CNIT 127 Ch 2: Stack overflows on Linux
2 likes1,040 views
The document discusses stack-based buffer overflows in Linux, detailing the mechanics and significance of this exploitation method, which is one of the most well-understood. It includes examples of using the GNU debugger (gdb) to illustrate how memory can be manipulated and how functions interact with the stack. The text emphasizes the stack's role in efficient function calls and provides a walkthrough of exploiting buffer overflows and controlling the instruction pointer (EIP).
![C and C++ Lack Bounds-Checking
• It is the programmer's responsibility to ensure
that array indices remain in the valid range
#include <stdio.h>
#include <string.h>
int main() {
int array[5] = {1, 2, 3, 4, 5};
printf("%dn", array[5]);
}](https://image.slidesharecdn.com/ch2-170127044459/85/CNIT-127-Ch-2-Stack-overflows-on-Linux-3-320.jpg)
![Reading Past End of Array
• array[5] = 0xb7fb63c4](https://image.slidesharecdn.com/ch2-170127044459/85/CNIT-127-Ch-2-Stack-overflows-on-Linux-7-320.jpg)
![EBP (Extended Base Pointer)
• EBP is typically used for calculated
addresses on the stack
– mov eax, [ebp+10h]
• Copies the data 16 bytes down the stack
into the EAX register](https://image.slidesharecdn.com/ch2-170127044459/85/CNIT-127-Ch-2-Stack-overflows-on-Linux-22-320.jpg)
![Functions and the Stack
#include <stdio.h>
void function(int a, int b)
{
int array[5];
}
main()
{
function(1,2);
printf("This is where the
return address pointsn");
}](https://image.slidesharecdn.com/ch2-170127044459/85/CNIT-127-Ch-2-Stack-overflows-on-Linux-37-320.jpg)
CNIT 127 Ch 2: Stack overflows on Linux
- 1. CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux
- 2. Stack-based Buffer Overflows • Most popular and best understood exploitation method • Aleph One's "Smashing the Stack for Fun and Profit" (1996) – Link Ch 2a • Buffer – A limited, contiguously allocated set of memory – In C, usually an array
- 3. C and C++ Lack Bounds-Checking • It is the programmer's responsibility to ensure that array indices remain in the valid range #include <stdio.h> #include <string.h> int main() { int array[5] = {1, 2, 3, 4, 5}; printf("%dn", array[5]); }
- 4. Using gdb (GNU Debugger) • Compile with symbols – gcc -g -o ch2a ch2a.c • Run program in debugger – gdb ch2a • Show code, place breakpoint, run to it – list – break 7 – run • Examine the memory storing "array" – x/10x &array
- 5. Reading Past End of Array
- 7. Reading Past End of Array • array[5] = 0xb7fb63c4
- 8. Writing Past End of Array
- 9. Compile and Run, Crash
- 10. Debug • Open in debugger – gdb ch2b • Run – run • Examine the memory storing "array" – x/50x &array
- 12. Buffer Overflow • Many RAM locations now contain 0xa • But why, precisely, did that cause a crash?
- 13. Debug • Examine registers – info registers • Examine assembly code near eip – x/10i $eip-10
- 14. 10 (0xa) is not in any register
- 15. Last Command Writes $0xa to RAM • Evidently we went so far we exited the RAM allocated to the program
- 16. Intel v. AT&T Format • gdb uses AT&T format by default, which is popular with Linux users – mov source, destination • Windows users more commonly use Intel format – MOV DESTINATION, SOURCE
- 19. The Stack
- 20. LIFO (Last-In, First-Out) • ESP (Extended Stack Pointer) register points to the top of the stack • PUSH puts items on the stack – push 1 – push addr var
- 21. Stack • POP takes items off the stack – pop eax – pop ebx
- 22. EBP (Extended Base Pointer) • EBP is typically used for calculated addresses on the stack – mov eax, [ebp+10h] • Copies the data 16 bytes down the stack into the EAX register
- 23. Functions and the Stack
- 24. Purpose • The stack's primary purpose is to make the use of functions more efficient • When a function is called, these things occur: – Calling routine stops processing its instructions – Saves its current state – Transfers control to the function – Function processes its instructions – Function exits – State of the calling function is restored – Calling routine's execution resumes
- 25. Example
- 26. Using gdb (GNU Debugger) • Compile with symbols – gcc -g -o ch2d ch2d.c • Run program in debugger – gdb ch2d • Show code, place breakpoint, run to it – list 1,12 – break 9 – break 11 – break 4
- 28. Using gdb (GNU Debugger) • Run to breakpoint after line 9 • run • Examine registers – info reg • Run to breakpoint after line 4 • continue • Examine registers – info reg
- 29. In main() before calling function() • esp 0xbffff460 • ebp 0xbffff468 (start of stack frame) • eip 0x8048414 <main+17>
- 30. In function() • esp 0xbffff430 • ebp 0xbffff450 (start of stack frame) • eip 0x8048401 <function+6>
- 31. Examine the Stack – x/12x $esp • Highlight is function()'s stack frame • Outlined area shows these items – Return address – Arguments of function(1,2) • Next to the left is the original value of $ebp
- 33. Using gdb (GNU Debugger) • Run to breakpoint after line 11 • continue • Examine registers – info reg
- 34. In main() after calling function() • esp 0xbffff460 • ebp 0xbffff468 • eip 0x8048420 <main+29>
- 35. Functions and the Stack • Primary purpose of the stack – To make functions more efficient • When a function is called – Push function's arguments onto the stack – Call function, which pushes the return address RET onto the stack, which is the EIP at the time the function is called
- 36. Functions and the Stack – Before function starts, a prolog executes, pushing EBP onto the stack – It then copies ESP into EBP – Calculates size of local variables – Reserves that space on the stack, by subtracting the size from ESP – Pushes local variables onto stack
- 37. Functions and the Stack #include <stdio.h> void function(int a, int b) { int array[5]; } main() { function(1,2); printf("This is where the return address pointsn"); }
- 39. • <main+3> puts a's value, 1, onto the stack • <main+5> puts b's value, 2, onto the stack • <main+7> calls function, which implicitly pushes RET (EIP) onto the stack
- 40. • Prolog – Push EBP onto stack – Move ESP into EBP – Subtract 0x14 from stack to reserve space for array • leave restores the original stack, same as – mov esp, ebp – pop ebp
- 41. Stack Buffer Overflow Vulnerability
- 42. Compile and Run
- 44. Set Breakpoints • At call to gets • And at ret
- 45. Disassemble main • Next instruction after the call to return_input is 0x08048453
- 46. Run Till First Breakpoint • Highlighted values are the saved EBP and the RET address
- 47. Continue and Input 40 Characters • 30 characters are stored correctly • Next four overwrite stored EBP with 0x44444444 ('DDDD') • Next four overwrite RET
- 48. Examine $eip, Step One Instruction • x/1i means "Examine one instruction" • stepi executes one machine language instruction
- 49. Observe Overwritten Registers • ebp and eip are 0x44444444 = 'DDDD'
- 50. Stack Overflow
- 51. Controlling eip • 0x44444444 is invalid and causes the program to halt • We can put any valid memory address there • However, at the point of the crash we have returned to main() so we should choose an instruction in main()
- 52. Call to return_input • 0x0804844e – stored backwards in a string – "x4ex84x04x08"
- 53. Python Exploit Code • sys.stdout.write doesn't put a space or linefeed at end
- 54. How to Debug with Arguments