Buffer Overflows with Content 2 A Process Stack Buffer Overflow - - PDF document

▶

Feb 08, 2023 179 likes •498 views

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

SLIDE 1

Buffer Overflows with Content

SLIDE 2

A Process Stack

SLIDE 3

Buffer Overflow

Common Techniques employed in buffer
verflow exploits to create backdoors

– Execution of additional network services via the INETD daemon – The addition of new users to a system – Establishing a “trust” relationship between the victim machine and the attacker’s machine

SLIDE 4

Example - AMD Buffer Overflow

Port 2222 is a rootshell left by the AMD exploit

SLIDE 5

Detecting Buffer Overflows by Protocol Signatures

Protocol Signature

– Look for anomalous traffic, such as remote traffic targeted at facilities that should not be accessible to a remote user.

e.g. a remote user trying to connect to the Portmapper

process

Payload Signature

– No-OP instructions to pad the exploit code – Script signatures – Abnormal user data and responses

SLIDE 6

IMAP Buffer Overflow

SLIDE 7

IMAP Buffer Overflow – Con’t

SLIDE 8

IMAP Buffer Overflow – Con’t

SLIDE 9

IMAP Buffer Overflow – Con’t

ls –a

echo “+ + ”> /.rhosts

SLIDE 10

NO-OP Hex Code Based on Processor Type

SLIDE 11

Script Signatures – NO-OP Overflow

SLIDE 12

Script Signatures – NO-OP Overflow Con’t

SLIDE 13

Script Signatures – NO-OP Overflow Con’t

This frame shows a large number of hex 90s followed

by some machine code, some ASCII strings, and a literal command /bin/sh -c

SLIDE 14

Abnormal Responses

FTP Authentication Buffer Overflow – FTPD exploit The password supplied in response to the FTPD prompt is suspiciously large

SLIDE 15

Defending Against Buffer Overflows

strcpy and strncpy
Introduce bounds checking into C programs
Stack-based buffer overflow - CPU executes

code that is resident on the stack

– Only code in the code space can be executed

SLIDE 16

Fragmentation

SLIDE 17

Fragmentation

Attackers can use fragmentation to mask their

probes and exploits

Fragment offset is specified as a quantity of 8-

byte chunk

– The size of all legal nonterminal fragments must be multiples of 8 bytes

Any fragmented packets with a byte size

divisible by 8, except for the last one

SLIDE 18

Boink Attack

IP stack has no concept
f negative math
Availability DoS

SLIDE 19

Teardrop Attack

SLIDE 20

evilPing ….

SLIDE 21

evilPing

SLIDE 22

Modified Ping of Death

SLIDE 23

Modified Ping of Death

SLIDE 24

CGI Scan

The attacker is running a

script that attempts a number of Web server exploits, such as /cgi- bin/rwwwshell.pl

SLIDE 25

CGI Scan – Con’t

SLIDE 26

PHF Attack

CVE-1999-0067

SLIDE 27

Some Example CGI CVE Entries

CVE-1999-0068

– CGI PHP mylog script allows an attacker to read any file

n the target server.
CVE-1999-0467

– The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter

CVE-1999-0509

– Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.

SLIDE 28

SGI IRIX Object Server

CVE-2000-0245
A vulnerability in an SGI IRIX object server

daemon

– Allow remote attackers to create user accounts – Port 5135: the SGI object server

Scan one to goodguy-a.com yields nothing

SLIDE 29

SGI Object Server – Con’t

The scan to goodguy-b.com is a bust

SLIDE 30

SGI Object Server – Con’t

The start of the bad guy
The user zippy is added