CMPSC 597G Module: Stack Overflows Ryan Sheatsley Professor - - PowerPoint PPT Presentation




SLIDE 1

CMPSC 597G Module: Stack Overflows

Ryan Sheatsley Professor Patrick McDaniel Fall 2015

SLIDE 2


Agenda

  • Reading
  • Virtual Memory
  • Attack vector
  • Obtaining a root shell
  • Utilizing NOP Sleds
  • Mitigation techniques
  • Practice
SLIDE 3


Virtual Memory – A Review

  • In Linux, static and global variables are allocated at load time in the data segment, while local and dynamic variables are allocated on the stack.
  • Defenses in VM?
      • ASLR – Address space layout randomization
      • Disabling ASLR
          • echo 0 > /proc/sys/kernel/randomize_va_space
SLIDE 4


Reading

  • The Shellcoder's Handbook by Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan “noir” Eren, Neel Mehta and Riley Hassell
      • Chapter 2 – Stack Overflows
SLIDE 5


Attack vector

  • Exercise #1 – Buffer Overflow Loop
      • 1) Find the frame pointer address of foo()
          • GDB
      • 2) Pipe the address to our vulnerable executable
      • What is happening here?
SLIDE 6


Obtaining a shell

  • Exercise #2 – From C to BASH
      • 1) Obtain a shell
      • 2) Construct input to foo() to obtain a shell
      • What is happening here?
SLIDE 7


Utilizing NOP Sleds

  • Exercise #3 – Increasing your attack surface
      • 1) Modify the payload to put the return address on the NOP sled
      • What range of offsets work?
SLIDE 8


Mitigation Techniques

  • Non-executable stacks – many operating systems have at least some support for this
  • Compiler tools – StackShield, StackGuard, and Libsafe, among others
  • Safe functions – use strncat instead of strcat, strncpy instead of strcpy, etc.
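The "safe functions" point above, as an added C example that is not part of the module's exercise code: the unbounded strcpy() pattern the exercises rely on beside a bounded copy, plus the strncpy() caveat that it writes no terminator when the source fills the buffer. The names foo_unsafe, foo_safe, copied_length, strncpy_terminates and BUF_SIZE are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* "Before" case from the module: strcpy() copies until the source NUL, so any
 * input of BUF_SIZE bytes or more runs past buf into the saved frame pointer
 * and return address. Kept only for comparison; main() never feeds it long input. */
size_t foo_unsafe(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);             /* unbounded copy: the bug the exercises target */
    return strlen(buf);
}

/* Hardened form: bound the copy to the destination and terminate explicitly.
 * strncpy() alone is not enough: when strlen(input) >= n it writes no NUL.
 * Returns 1 if the input was truncated, 0 if it fit, -1 for a zero-size buffer,
 * so the caller can reject a cut-off string instead of silently using it. */
int foo_safe(const char *input, char *out, size_t out_size) {
    if (out_size == 0) return -1;
    strncpy(out, input, out_size - 1);
    out[out_size - 1] = '\0';       /* the terminator strncpy may have omitted */
    return strlen(input) > out_size - 1 ? 1 : 0;
}

/* Copies into a BUF_SIZE stack buffer through foo_safe(); returns the stored
 * length, or -1 when the input did not fit and should be rejected. */
int copied_length(const char *input) {
    char buf[BUF_SIZE];
    return foo_safe(input, buf, sizeof buf) == 0 ? (int)strlen(buf) : -1;
}

/* Shows the strncpy() pitfall directly: pre-fill a buffer, strncpy n bytes,
 * and report whether any NUL terminator ended up inside it (1) or not (0). */
int strncpy_terminates(const char *input, size_t n) {
    char buf[BUF_SIZE];
    if (n > sizeof buf) n = sizeof buf;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, input, n);
    return memchr(buf, '\0', n) != NULL;
}

int main(void) {
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed 32-byte input */
    printf("fits: %d, too long: %d\n", copied_length("hello"), copied_length(too_long));
    printf("strncpy terminated the 32-byte input: %d\n", strncpy_terminates(too_long, BUF_SIZE));
    return 0;
}
```

The truncation flag matters as much as the bound: a copy that silently drops bytes can still break later parsing, so reject or log oversized input rather than process the cut-off string.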

SLIDE 9


Practice

  • Exercise #4 – Application
      • Join the ad-hoc network
      • Exploit the vulnerable input
      • Obtain a shell
  • Where to go next
      • Obtaining root privilege