Slide 2: History of the Stack Overflow
- Buffer Overflow
  - Understood as early as 1972
    - Computer Security Technology Planning Study
- Morris Worm
  - First hostile stack overflow exploit, 1988
  - Targeted Unix's finger service
- Phrack
  - "Smashing the Stack for Fun and Profit"
    - By Aleph One
  - Educated the hacking community

Slide 3: Stack Overflow in Practice
- Code Red
  - July 13, 2001
  - Worm targeted an IIS 5.0 stack overflow
  - Infected 359,000 computers in one day

Slide 4: Stack Overflow in Practice
- SQL Slammer
  - January 25, 2003
  - 376-byte worm targeted Microsoft SQL Server 2000
  - Patch was available 6 months beforehand
  - Even infected computers belonging to Microsoft
  - 90% of all vulnerable machines were infected within 10 minutes

Slide 5: Stack Overflow in Practice
- Twilight Hack
  - Exploit for the Wii
  - Renamed Legend of Zelda horse "Epona"
  - Triggered when brought up in conversation

Slide 6: Percent of Total Vulnerabilities

Slide 7: The Name
- Stack Overflow
  - Occurs when the size of the stack is insufficient
  - Not an exploit, just an out-of-memory exception
- Stack Buffer Overflow
  - Most often called a stack overflow
    - Sometimes a stack overrun
    - Sometimes referred to as stack smashing

Slide 8: Buffers
- Buffer
  - A contiguous section of limited memory
  - C buffers most commonly exist as arrays
  - C strings are null-terminated char arrays
Slide 9: Bounds Checking
- Bounds Checking
  - C/C++ implement no inherent bounds checking
  - It is possible to index values outside of an array
  - Enables memory corruption
    - Enables exploitation

Slide 10: Buffer Overflow
- Buffer Overflow
  - The writing of data past a buffer's boundary
  - Ex:
    - What indexes are allocated for n?
    - What indexes are written to for n?
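The slide's example code was not captured, so the following is an added example written for these notes, not code from the lecture. It assumes a constructed frame layout (an 8-byte `buf` followed by an `is_admin` variable; both names are mine) and shows what "no inherent bounds checking" means in practice: writing one index past the buffer reaches whatever is allocated next, while an explicit check refuses the write instead.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed frame layout for the demo: an 8-byte buffer followed by an
 * unrelated variable, the kind of "local data" that sits just past a buffer. */
struct frame {
    char buf[8];
    int  is_admin;
};

/* Unchecked write of n bytes of 0x41 starting at buf, the way a loop that runs
 * to i <= n (one past the allocated indexes) or an unbounded copy would.
 * Going through an unsigned char pointer over the whole struct keeps the demo
 * itself well-defined while reproducing the corruption. Returns is_admin afterwards. */
int unchecked_fill(size_t n)
{
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;
    memset(&f, 0, sizeof f);
    if (n > sizeof f)
        n = sizeof f;               /* cap so the demo never leaves the struct */
    memset(raw, 0x41, n);           /* nothing compares n against sizeof f.buf */
    return f.is_admin;              /* 0 for n <= 8; 0x41414141 once n reaches 12 */
}

/* The same writes with the bounds check C does not do for you: any index at or
 * beyond the buffer's capacity is refused and counted instead of written.
 * Returns is_admin afterwards, which therefore stays 0. */
int checked_fill(size_t n, size_t *refused)
{
    struct frame f;
    size_t i;
    memset(&f, 0, sizeof f);
    *refused = 0;
    for (i = 0; i < n; i++) {
        if (i >= sizeof f.buf) {    /* index outside [0, 8): refuse */
            (*refused)++;
            continue;
        }
        f.buf[i] = 0x41;
    }
    return f.is_admin;
}

/* Convenience for callers that only want the count of refused writes. */
size_t checked_fill_refused(size_t n)
{
    size_t refused;
    checked_fill(n, &refused);
    return refused;
}

int main(void)
{
    size_t refused;
    int admin = checked_fill(12, &refused);
    printf("unchecked n=12: is_admin = 0x%08x\n", (unsigned)unchecked_fill(12));
    printf("checked   n=12: is_admin = 0x%08x, refused = %zu\n", (unsigned)admin, refused);
    return 0;
}
```

With n = 8 every write lands inside `buf`; with n = 12 the unchecked version has silently rewritten `is_admin` to 0x41414141, which is exactly the "Local Data" target class discussed later in the deck.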
Slide 11: Stack Overflow
- Stack Overflow
  - A subset of the buffer overflow
  - A buffer overflow of a variable on the stack

Slide 12: C String Operations
- C Strings
  - Just arrays of characters
  - Terminated with the NULL character (0x00)
  - String operations are terminated when the string terminator is encountered
  - Ex:

Slide 13: Stack Overflow
- Example
  - gets() overwrites str with an input string
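Added example for slides 12 and 13 (my code, not the lecture's): `bounded_len` makes the terminator rule concrete, including the two cases string functions get wrong (an embedded 0x00 hides the rest of the array; a buffer with no 0x00 at all has no end), and `read_line` is the bounded replacement for the `gets()` call on the slide. The 16-byte `str` and the sample input lines are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Length of the C string at s, never looking beyond cap bytes.
 * Returns -1 when no 0x00 is found inside the buffer: an unterminated
 * buffer, which strlen()/strcpy() would keep reading past. */
long bounded_len(const char *s, size_t cap)
{
    size_t i;
    for (i = 0; i < cap; i++)
        if (s[i] == '\0')
            return (long)i;
    return -1;
}

/* Constructed 8-byte array with no terminator at all. */
long demo_unterminated(void)
{
    char raw[8] = { 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
    return bounded_len(raw, sizeof raw);    /* -1: no terminator within 8 bytes */
}

/* Replacement for gets(): read one line into buf (cap bytes) with fgets().
 * Returns the line length without its newline, or -1 if the line did not fit;
 * in that case the rest of the line is drained so the next read starts fresh. */
int read_line(FILE *fp, char *buf, size_t cap)
{
    size_t len;
    int c;
    if (cap == 0 || fgets(buf, (int)cap, fp) == NULL)
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return (int)(len - 1);
    }
    /* No newline in buf: the line either ended at EOF, filled the buffer
     * exactly, or was longer than the buffer. */
    c = fgetc(fp);
    if (c == EOF || c == '\n')
        return (int)len;
    while (c != '\n' && c != EOF)   /* discard the part that did not fit */
        c = fgetc(fp);
    return -1;
}

/* Drive read_line() over constructed input through a temporary file, using
 * a 16-byte str like the slide's example. Returns read_line()'s result. */
int demo_read_line(const char *input)
{
    char str[16];
    int r;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fputs(input, fp);
    rewind(fp);
    r = read_line(fp, str, sizeof str);
    fclose(fp);
    return r;
}

int main(void)
{
    printf("\"abc\\0def\" as seen by string functions: %ld chars\n", bounded_len("abc\0def", 7));
    printf("unterminated 8-byte array: %ld\n", demo_unterminated());
    printf("20-char line into char[16]: %d\n", demo_read_line("0123456789ABCDEFGHIJ\n"));
    return 0;
}
```

The difference from `gets()` is the third argument: `fgets` never writes more than `cap - 1` characters plus the terminator, so a 20-character line into a 16-byte `str` is reported as truncated rather than written over the saved base pointer and return address.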
Slide 14: Stack Overflow

Slide 15: Stack Overflow

Slide 16: Stack Overflow
- Example
  - Prints successfully
  - Restores a bad base pointer (0x44434241)
    - Not a critical error
  - Returns to a bad address (0x00474645)
    - Critical error

Slide 17: Highland and Lowland Addresses
- Highland
  - Most significant byte in address is not 0x00
  - Unlimited injected code size
  - Linux stacks are in highland address space
    - 0x08xxxxxx
- Lowland
  - Most significant byte in address is 0x00
  - Limited injected code size
  - Windows stacks are in lowland address space
    - WinXP: 0x0012xxxx
    - WinNT: 0x0040xxxx

Slide 18: Endianness
- x86 Endianness
  - Little-endian
- Endianness and Lowland Addresses
  - Lowland addresses may be injected
    - On the condition that they are the last item

Slide 19: Endianness
- Stack Overflows and Endianness
  - Sometimes only a partial overwrite is needed
  - Sometimes only a partial overwrite is present
    - Off-by-one

Slide 20: Endianness
- Stack Overflows and Endianness
  - Ex: Overwrite 4/4 bytes with A's (0x41)

Slide 21: Endianness
- Stack Overflows and Endianness
  - Ex: Overwrite 3/4 bytes with A's (0x41)

Slide 22: Endianness
- Stack Overflows and Endianness
  - Ex: Overwrite 2/4 bytes with A's (0x41)

Slide 23: Endianness
- Stack Overflows and Endianness
  - Ex: Overwrite 1/4 bytes with A's (0x41)

Slide 24: Endianness
- Stack Overflows and Endianness
  - Ex: Overwrite 0/4 bytes with A's (0x41)
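The diagrams for slides 17 through 24 did not survive extraction, so here is an added example (mine, not the lecture's) that works the same cases numerically. It models little-endian byte order explicitly rather than relying on the host, overwrites 4/4 down to 0/4 bytes of a 4-byte value with 0x41, and models a strcpy-style copy stopping at the first 0x00 to show why a lowland value can only be the last item copied. The sample values 0x08048abc and 0x0012ff40 are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* x86 is little-endian: the least significant byte sits at the lowest address.
 * These helpers model that layout explicitly so the result does not depend on
 * the machine running the demo. */
static void store_le32(uint8_t out[4], uint32_t v)
{
    out[0] = (uint8_t)(v & 0xff);
    out[1] = (uint8_t)((v >> 8) & 0xff);
    out[2] = (uint8_t)((v >> 16) & 0xff);
    out[3] = (uint8_t)(v >> 24);
}

static uint32_t load_le32(const uint8_t in[4])
{
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* Slides 20-24: overwrite the first nbytes (0..4) of a 4-byte value with fill,
 * as a copy running off the end of a buffer would. Because the low-order bytes
 * come first in memory, a partial overwrite (the off-by-one case) changes the
 * low end of the value and leaves the high bytes intact. */
uint32_t overwrite_prefix(uint32_t orig, int nbytes, uint8_t fill)
{
    uint8_t b[4];
    store_le32(b, orig);
    if (nbytes < 0) nbytes = 0;
    if (nbytes > 4) nbytes = 4;
    memset(b, fill, (size_t)nbytes);
    return load_le32(b);
}

/* Slides 17-18: a strcpy-style copy stops at the first 0x00. A lowland value
 * (most significant byte 0x00) stored little-endian puts that 0x00 last, so the
 * copy writes all four bytes and then stops: nothing after it is ever written.
 * Returns the number of bytes copied before the terminator (src_len if none). */
size_t copy_until_nul(uint8_t *dst, size_t dst_len, const uint8_t *src, size_t src_len)
{
    size_t i;
    for (i = 0; i < src_len && i < dst_len; i++) {
        dst[i] = src[i];
        if (src[i] == 0)
            return i;               /* terminator copied, copy ends here */
    }
    return i;
}

/* Constructed 12-byte region of 0x41 with a 4-byte little-endian value placed at
 * offset pos; returns how many bytes a strcpy-style copy actually delivers. */
size_t demo_lowland_copy(uint32_t value, size_t pos)
{
    uint8_t src[12], dst[12];
    memset(src, 0x41, sizeof src);
    memset(dst, 0x00, sizeof dst);
    if (pos > sizeof src - 4)
        pos = sizeof src - 4;
    store_le32(src + pos, value);
    return copy_until_nul(dst, sizeof dst, src, sizeof src);
}

int main(void)
{
    int n;
    for (n = 4; n >= 0; n--)
        printf("overwrite %d/4 bytes with 0x41: 0x%08x\n", n,
               (unsigned)overwrite_prefix(0x08048abc, n, 0x41));
    printf("lowland 0x0012ff40 at offset 4: %zu bytes copied before the 0x00\n",
           demo_lowland_copy(0x0012ff40, 4));
    printf("highland 0x08048abc at offset 4: %zu bytes copied\n",
           demo_lowland_copy(0x08048abc, 4));
    return 0;
}
```

Reading the results: a 1/4 overwrite of 0x08048abc yields 0x08048a41, only the lowest byte changed, which is why an off-by-one overflow can still redirect a value within its own page-sized neighbourhood; and the lowland copy delivers 7 bytes when the value sits at offset 4 (the 0x00 ends the copy) but all 12 when the value is highland.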
Slide 25: Potential Stack Overflow Exploit Vectors
- Common Unsafe I/O Functions
  - gets()
    - Incredibly unsafe, never use
  - scanf() family
    - Without precision specifiers there is no bounds checking
  - cin >> char[]
    - No bounds checking
    - Use cin.get(), cin.getline() with length specifiers

Slide 26: Potential Stack Overflow Exploit Vectors
- Common Unsafe String Functions
  - strcpy(), strcat()
    - No length specifiers, use strncpy and strncat
  - fgets(), strncpy(), …, functions w/ length specifiers
    - Specify your length correctly!
    - Notorious for off-by-one errors
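Added example for slides 25 and 26 (my code, not the lecture's), putting each unsafe call next to its bounded form and showing the off-by-one the slide warns about: `strncpy` with `sizeof(dst)` as the length leaves no terminator when the source is long enough, `strncat` needs the space left minus one rather than the buffer size, and `scanf`'s `%s` needs a width. All buffers are 8 bytes and the inputs are constructed; function names are mine.

```c
#include <stdio.h>
#include <string.h>

#define CAP 8   /* destination size used throughout: char[8] holds 7 chars + NUL */

/* strncpy() with sizeof(dst) as the length, as it is often written: when src
 * has CAP or more characters strncpy writes no terminator at all, and dst is
 * no longer a C string. Returns 1 if dst came out terminated, 0 if not. */
int strncpy_as_often_written(const char *src)
{
    char dst[CAP];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Bounded copy that always terminates: copy at most cap-1 bytes and write the
 * terminator yourself. Returns 1 if src was truncated, 0 if it fit. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return 1;
    strncpy(dst, src, cap - 1);
    dst[cap - 1] = '\0';
    return strlen(src) > cap - 1;
}

/* strncat()'s length is the space left, not the buffer size. The notorious
 * off-by-one is passing cap - strlen(dst), which forgets the terminator;
 * the correct argument is cap - strlen(dst) - 1. Returns 1 if truncated. */
int append_bounded(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);
    if (used + 1 >= cap)
        return 1;                       /* no room for even one character */
    strncat(dst, src, cap - used - 1);
    return strlen(src) > cap - used - 1;
}

/* scanf family: a bare %s writes as much as the input holds. "%7s" into a
 * char[8] stops after 7 characters and still adds the terminator. */
int scan_bounded(const char *input, char out[CAP])
{
    return sscanf(input, "%7s", out);   /* width = capacity - 1 */
}

/* Demo drivers: each copies into a fresh char[CAP] and reports the resulting length. */
size_t demo_copy_len(const char *src)
{
    char d[CAP];
    copy_bounded(d, sizeof d, src);
    return strlen(d);                   /* never more than CAP - 1 */
}

int demo_copy_truncated(const char *src)
{
    char d[CAP];
    return copy_bounded(d, sizeof d, src);
}

size_t demo_append_len(const char *first, const char *second)
{
    char d[CAP];
    copy_bounded(d, sizeof d, first);
    append_bounded(d, sizeof d, second);
    return strlen(d);
}

size_t demo_scan_len(const char *input)
{
    char d[CAP];
    if (scan_bounded(input, d) != 1)
        return 0;
    return strlen(d);
}

int main(void)
{
    printf("strncpy(dst, \"eightchr\", 8) terminated? %d\n", strncpy_as_often_written("eightchr"));
    printf("copy_bounded(\"eightchr\") -> %zu chars, truncated=%d\n",
           demo_copy_len("eightchr"), demo_copy_truncated("eightchr"));
    printf("append \"abc\" + \"defghijk\" -> %zu chars\n", demo_append_len("abc", "defghijk"));
    printf("sscanf %%7s of \"0123456789\" -> %zu chars\n", demo_scan_len("0123456789 rest"));
    return 0;
}
```

The first function is the one to look for in review: a source of exactly 8 characters passes `strncpy` without complaint and leaves `dst` unterminated, so the next `strlen` or `printf("%s")` walks off the end of the buffer.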
Slide 27: Targets for a Stack Overflow
- Control Pointers
  - Return pointer (ret)
  - Structured exception handlers (SEH)
  - vtable pointers
  - Function pointers in general
- Local Data
  - Variables
    - Control
    - Authentication
    - Pricing

Slide 28: Exploiting the Return Address
- Return Address
  - All data is "overrun" up to the return address
  - Hacker gains control when the function returns
    - Function must reach its return instruction

Slide 29: Exploiting the Return Address
- Normal Execution

Slide 30: Exploiting the Return Address
- Exploit

Slide 31: Exploiting the Return Address
- Exploit

Slide 32: Exploiting the SEH
- Structured Exception Handler (SEH)
  - When an exception occurs
    - The SEH chain is traversed
    - Each handler chooses to handle or pass on the exception
    - If no exception handler is called, the default (UEF) deals with it

Slide 33: Exploiting the SEH
- Structured Exception Handler (SEH)
  - Linked list of exception handlers

Slide 34: Exploiting the SEH
- Structured Exception Handler (SEH)
  - Example of a programmer-defined SEH

Slide 35: Exploiting the SEH
- Structured Exception Handler (SEH)
  - Exception handler is "registered"
  - EXCEPTION_REGISTRATION
    - Pointer to next SEH
    - Pointer to exception handler (this is a function pointer!)

Slide 36: Exploiting the SEH
- Structured Exception Handler (SEH)
  - Default structured exception handler
  - Stored near bottom of the stack
  - Note the end of SEH chain value
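The listings for slides 33 through 36 were not captured, so here is an added, portable simulation (my code, not the lecture's or Windows') of the structure they describe: the EXCEPTION_REGISTRATION record with its next pointer and handler function pointer, the end-of-chain marker (0xFFFFFFFF on 32-bit Windows), and a dispatcher that walks the linked list letting each handler handle or pass until the default handler is reached. The handler signature is simplified to the two arguments that matter here; the stack-bounds check in `dispatch` is a plausibility check of the kind the real x86 dispatcher applies to each record before calling through it, and it is what a corrupted next pointer has to get past. All names and the simulated stack are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The two EXCEPTION_DISPOSITION values that matter for chain traversal
 * (numbering as in Windows' enum). */
typedef enum {
    ExceptionContinueExecution = 0,   /* handler dealt with it */
    ExceptionContinueSearch    = 1    /* handler passes it on */
} exception_disposition;

struct exception_registration;

/* Simplified handler signature for the simulation: the real one also receives
 * the exception record, context and dispatcher context. */
typedef exception_disposition (*exception_handler)(unsigned long code,
                                                   struct exception_registration *establisher_frame);

/* EXCEPTION_REGISTRATION as on the slide: next pointer first, function pointer second. */
struct exception_registration {
    struct exception_registration *next;
    exception_handler handler;
};

/* End-of-chain marker (0xFFFFFFFF on 32-bit Windows). */
#define END_OF_CHAIN ((struct exception_registration *)(uintptr_t)-1)

enum { DISPATCH_DEFAULT = -1, DISPATCH_BAD_FRAME = -2 };

/* Walk the chain as slides 32-36 describe: each handler handles or passes.
 * Returns the index of the handler that handled the exception, DISPATCH_DEFAULT
 * when the chain ends and the default handler (UEF) gets it, or DISPATCH_BAD_FRAME
 * when a registration record does not lie inside the thread's stack
 * [stack_lo, stack_hi) or is misaligned. */
int dispatch(unsigned long code, struct exception_registration *head,
             const void *stack_lo, const void *stack_hi)
{
    int index = 0;
    struct exception_registration *reg = head;
    while (reg != END_OF_CHAIN) {
        uintptr_t p = (uintptr_t)reg;
        if (p < (uintptr_t)stack_lo || p + sizeof *reg > (uintptr_t)stack_hi
            || p % sizeof(void *) != 0)
            return DISPATCH_BAD_FRAME;          /* refuse to call through it */
        if (reg->handler(code, reg) == ExceptionContinueExecution)
            return index;
        reg = reg->next;
        index++;
    }
    return DISPATCH_DEFAULT;
}

/* Two programmer-defined handlers: one handles only code 1, one always passes. */
static exception_disposition handle_code_1(unsigned long code, struct exception_registration *f)
{
    (void)f;
    return code == 1 ? ExceptionContinueExecution : ExceptionContinueSearch;
}

static exception_disposition always_pass(unsigned long code, struct exception_registration *f)
{
    (void)code; (void)f;
    return ExceptionContinueSearch;
}

/* Build a two-record chain inside a simulated thread stack and dispatch code.
 * With corrupt_next set, the first record's next pointer is redirected outside
 * the stack region, as an overwrite would, and the dispatcher should refuse it. */
int demo_dispatch(unsigned long code, int corrupt_next)
{
    union { uint64_t align; unsigned char bytes[256]; } stack;   /* simulated thread stack */
    unsigned char *base = stack.bytes;
    struct exception_registration *first  = (struct exception_registration *)(base + 32);
    struct exception_registration *second = (struct exception_registration *)(base + 64);
    static struct exception_registration outside;               /* not on the simulated stack */
    outside.next = END_OF_CHAIN; outside.handler = always_pass;
    second->next = END_OF_CHAIN; second->handler = handle_code_1;
    first->next  = corrupt_next ? &outside : second;
    first->handler = always_pass;
    return dispatch(code, first, base, base + sizeof stack.bytes);
}

int main(void)
{
    printf("code 1: handled by handler #%d\n", demo_dispatch(1, 0));
    printf("code 2: %d (falls through to the default handler)\n", demo_dispatch(2, 0));
    printf("corrupted next pointer: %d (refused)\n", demo_dispatch(1, 1));
    return 0;
}
```

The point to take from the simulation is the one the slide flags with an exclamation mark: the second field of every record on that list is a function pointer the dispatcher will call, and the list itself lives on the stack next to the buffers being overflowed.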
Slide 37: Exploiting the SEH
- Exploiting the SEH
  - Overwrite the next SEH pointer
    - JMP+6 (0xEB06)
  - Overwrite the SE handler
    - Make it point to a POP, POP, RET in NTDLL
    - Msfpescan can find this for us
  - Create an access violation to be handled by the SEH chain
    - Generate one using your egregious overwrite

Slide 38: Exploiting the SEH
- Exploiting the SEH
  - Why POP, POP, RET?
    - EXCEPTION_DISPOSITION is placed on an independent exception dispatcher stack
    - EstablisherFrame points to our SEH registration (which we overwrote) and is located at [ESP + 8] on the new stack
    - We execute our SE handler (pointer to POP, POP, RET)
    - POP, POP, RET will begin execution at our SEH registration

  /* Handler prototype: ExceptionRecord is a pointer (PEXCEPTION_RECORD) and
     EstablisherFrame points at the EXCEPTION_REGISTRATION record on the stack. */
  typedef EXCEPTION_DISPOSITION (__cdecl *ExceptionHandler)(
      IN PEXCEPTION_RECORD ExceptionRecord,
      IN PVOID EstablisherFrame,
      IN PCONTEXT ContextRecord,
      IN PVOID DispatcherContext);

Slide 39: Exploiting the SEH
- Exploiting the SEH
  - Why not just make the POP, POP, RET address point to the shellcode???

Slide 40: Exploiting the SEH
- Exploiting the SEH
  - From: http://www.i-hacked.com/freefiles/EasyChat_SEH_exploit_v1.3.pdf

Slide 41: Exploiting the SEH
- Exploiting the SEH

Slide 42: Questions/Comments?