CMPSC 597G Module: Stack Overflows
Ryan Sheatsley
Professor Patrick McDaniel
Fall 2015
Agenda
‣ Reading
‣ Virtual Memory
‣ Attack vector
‣ Obtaining a root shell
  • Utilizing NOP Sleds
‣ Mitigation techniques
‣ Practice
Virtual Memory – A Review
• In Linux, static and global variables are allocated at load time on the data segment, while local and dynamic variables are allocated on the stack.
‣ Defenses in VM?
  • ASLR – Address space layout randomization
‣ Disabling ASLR
  • echo 0 > /proc/sys/kernel/randomize_va_space
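The slide shows how ASLR is switched off for the exercises. The complementary check an administrator wants is to read the same sysctl back and confirm the setting was not left at 0 on a production host. The following is an added example, not part of the lecture material; the file path is the one on the slide, and the meaning of the three values is taken from the Linux kernel's documentation of randomize_va_space.

```c
/* Added example (not from the slides): read the kernel's ASLR setting and
 * interpret it. The deck disables ASLR with
 * "echo 0 > /proc/sys/kernel/randomize_va_space"; this program does the
 * reverse check so the setting can be audited from a script. */
#include <stdio.h>
#include <string.h>

#define ASLR_SYSCTL "/proc/sys/kernel/randomize_va_space"

/* Parse the text of randomize_va_space ("0\n", "1\n", "2\n").
 * Returns the mode, or -1 if the text is not one of the known values. */
int parse_aslr_mode(const char *text)
{
    if (text == NULL || text[0] < '0' || text[0] > '2')
        return -1;
    /* Accept a single digit optionally followed by a newline. */
    if (text[1] != '\0' && !(text[1] == '\n' && text[2] == '\0'))
        return -1;
    return text[0] - '0';
}

/* Human-readable meaning of the Linux randomize_va_space values. */
const char *describe_aslr_mode(int mode)
{
    switch (mode) {
    case 0: return "disabled: stack, mmap base, VDSO and heap at fixed addresses";
    case 1: return "conservative: mmap base, stack and VDSO randomized";
    case 2: return "full: as 1, plus brk-based heap randomized";
    default: return "unknown";
    }
}

/* Read the live setting. Returns -1 if the file cannot be read
 * (non-Linux host, or /proc not mounted). */
int read_aslr_mode(void)
{
    char buf[8] = {0};
    FILE *f = fopen(ASLR_SYSCTL, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_aslr_mode(buf);
}

int main(void)
{
    int mode = read_aslr_mode();
    printf("%s = %d (%s)\n", ASLR_SYSCTL, mode, describe_aslr_mode(mode));
    /* Exit non-zero when ASLR is off or unreadable, so a script can flag it. */
    return mode > 0 ? 0 : 1;
}
```

Compile with `cc -o aslr_check aslr_check.c` and run it; a lab VM prepared for the exercises prints mode 0 and exits 1, which is the condition you want to alert on outside the lab.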
Reading
• The Shellcoder's Handbook by Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan "noir" Eren, Neel Mehta and Riley Hassell
  ‣ Chapter 2 – Stack Overflows
Attack vector
• Exercise #1 – Buffer Overflow Loop
  ‣ 1) Find frame pointer address of foo();
    • GDB
  ‣ 2) Pipe addr to our vulnerable executable
  • What is happening here?
Obtaining a shell
• Exercise #2 – From C to BASH
  ‣ 1) Obtain a shell
  ‣ 2) Construct input to foo() to obtain a shell
  • What is happening here?
Utilizing NOP Sleds
• Exercise #3 – Increasing your attack surface
  ‣ 1) Modify payload to put return address on the NOP sled
  • What range of offsets work?
Mitigation Techniques
• Non-executable stacks – many operating systems have at least some support for this
• Compiler tools – StackShield, StackGuard, and Libsafe, among others
• Safe functions – use strncat instead of strcat, strncpy instead of strcpy, etc.
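The "safe functions" bullet is the one a developer acts on, and the bounded functions have two pitfalls of their own: strncpy does not write a terminating NUL when the source fills the buffer, and strncat's size argument is the number of bytes to append, not the size of the destination. The following is an added example, not code from the lecture or the exercises, showing the unsafe pattern beside wrappers that report truncation instead of overflowing; NAME_LEN, safe_copy, safe_cat and build_login are names chosen for this example.

```c
/* Added example (not from the slides): the unbounded strcpy pattern the deck
 * warns about, beside bounded wrappers around the strncpy/strncat the deck
 * recommends. The wrappers add the checks those functions leave to the caller. */
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16     /* size of the fixed buffer in this example */

/* The overflow pattern: nothing relates strlen(src) to the buffer size.
 * Kept for contrast only; not called with untrusted input here. */
void unsafe_set_name(char name[NAME_LEN], const char *src)
{
    strcpy(name, src);  /* writes strlen(src)+1 bytes regardless of NAME_LEN */
}

/* Bounded copy. Returns 0 if src fit, -1 if it was truncated.
 * dst is always NUL-terminated when dstsz > 0. */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';      /* strncpy leaves this unset when strlen(src) >= dstsz-1 */
    return strlen(src) < dstsz ? 0 : -1;
}

/* Bounded append. Returns 0 if everything fit, -1 if src was truncated
 * or dst was not NUL-terminated within dstsz. */
int safe_cat(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL)
        return -1;              /* dst is not a valid string inside the buffer */
    size_t used = (size_t)(end - dst);
    size_t room = dstsz - used - 1;     /* bytes available for src, excluding the NUL */
    strncat(dst, src, room);            /* appends at most room bytes, then a NUL */
    return strlen(src) <= room ? 0 : -1;
}

/* Build "user@host" into a fixed buffer. Returns 0 on success, -1 if any
 * piece had to be cut; the buffer is a valid string either way. */
int build_login(char *out, size_t outsz, const char *user, const char *host)
{
    int rc = safe_copy(out, outsz, user);
    rc |= safe_cat(out, outsz, "@");
    rc |= safe_cat(out, outsz, host);
    return rc ? -1 : 0;
}
```

The design point is that truncation is surfaced as a return value the caller must handle, rather than silently producing a string that is either unterminated or longer than the buffer; a caller that ignores -1 still cannot overflow, it only gets a shorter result.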
Practice
• Exercise #4 – Application
  ‣ Join ad-hoc network
  ‣ Exploit vulnerable input
  ‣ Obtain a shell
  ‣ Where to go next
    • Obtaining root privilege