smashing the stack
play

Smashing The Stack A detailed look at buffer overflows as described - PowerPoint PPT Presentation

Sep 09, 2023 •37 likes •257 views

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

  1. Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1

  2. Process Memory Organization • Text – Fixed by program – Includes code and read-only data • Since read-only, attempts to write to this typically cause seg fault. • Data – Static variables (both initialized and uninitialized) • Stack – Usual LIFO data structure – Used because well suited for procedure calls – Used for dynamic allocation of local variables, passing of parameters, returning values from functions Summer 2017 Roadmap 2

  3. Process Memory Regions Summer 2016 Roadmap 3

  4. Stack Region • Stack is a contiguous block of memory containing data – Size dynamically adjusted by OS kernel at runtime • Stack pointer (SP) register: points to top of stack – Bottom of stack at fixed address • Stack Frame – Parameters to a function – Local variables of function – Data necessary to recover previous stack frame • Including value of instruction pointer (IP) at time of function call – PUSHed onto stack on function call, POPped on return Summer 2017 Roadmap 4

  5. Stack Region • Assumptions – Stack grows down (toward lower addresses) – SP points to last address on stack (as opposed to pointing to next free available address) • Frame Pointer (FP) a.k.a. local base pointer (LP) – Points to fixed location within frame – Local variables and parameters referenced via FP because their distance from FP do not change with PUSHes and POPs • Actual parameters PUSHed before new frame creation, so have positive offsets, local variables after, so negative offsets – On Intel CPUs, the EBP (32-bit BP) register is used Summer 2017 Roadmap 5

  6. On Procedure Call… • Procedure prolog (start of call) – Save previous FP (to be restored at proc. exit) – Copy SP into FP to create new FP – Advance SP to reserve space for local variables • Procedure epilogue (end of procedure) – Stack is cleaned up and restored to previous state • Often special instructions to handle these – Intel: ENTER and LEAVE – Motorola: LINK and UNLINK Summer 2017 Roadmap 6

  7. Example Summer 2016 Roadmap 7

  8. esp 500 ebp 545 500 Summer 2016 Roadmap 8

  9. pushl $3 esp 496 ebp 545 c 500 Summer 2016 Roadmap 9

  10. pushl $3 esp 492 pushl $2 ebp 545 b c 500 Summer 2016 Roadmap 10

  11. pushl $3 esp 488 pushl $2 pushl $1 ebp 545 a b c 500 Summer 2016 Roadmap 11

  12. pushl $3 esp 484 pushl $2 pushl $1 ebp 545 call function ret a b c 500 Summer 2016 Roadmap 12

  13. pushl $3 esp 482 pushl $2 pushl $1 ebp 545 call function pushl %ebp sfp:545 ret a b c 500 Summer 2016 Roadmap 13

  14. pushl $3 esp 482 pushl $2 pushl $1 ebp 482 call function pushl %ebp movl %esp,%ebp sfp:545 ret a b c 500 Summer 2016 Roadmap 14

  15. pushl $3 esp 462 pushl $2 pushl $1 ebp 482 call function pushl %ebp movl %esp,%ebp buffer2 subl $20,%esp buffer2 buffer2 buffer1 buffer1 sfp:545 ret a b c 500 Summer 2016 Roadmap 15

  16. Another Example Summer 2016 Roadmap 16

  17. Note that code copies a string esp 466 without using a bounds check (programmer used strcpy() ebp 482 instead of strncpy()). Thus the call to function() causes the buffer to be overwritten, in this case with 0x41414141, the ASCII code for ‘A’ buffer buffer buffer buffer sfp:545 ret *str 500 Summer 2016 Roadmap 17

  18. Let’s Get Creative… esp 226 Let’s assume now ebp 482 that buffer is a bit buffer bigger than 20 buffer bytes. Say, e.g., buffer 256 bytes. Ÿ Ÿ Ÿ 256 bytes buffer buffer buffer buffer sfp:545 ret *str 500 Summer 2016 Roadmap 18

  19. Let’s Get Creative… esp 226 Let’s assume now ebp 482 that buffer is a bit my code bigger than 20 my code bytes. Say, e.g., my code 256 bytes. If we know assembly code, Ÿ Ÿ Ÿ we can feed code in as a string, and my code overwrite the return my code address to point to this. my code my code my code ret *str 500 Summer 2016 Roadmap 19

  20. Let’s Get Creative… esp 226 We don’t even have ebp 482 to know the exact no op address of the start no op of the buffer. no op Ÿ Ÿ Ÿ no op my code my code my code my code ret *str 500 Summer 2016 Roadmap 20

  21. esp 462 ebp 482 StackGuard buffer2 buffer2 buffer2 buffer1 buffer1 sfp:545 canary ret b c 500 Summer 2016 Roadmap 21

  22. Summer 2016 Roadmap 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit

Smashing the Stack Protector for Fun and Profit 1 1996: Smashing The Stack for Fun and Profit ... overflow direction / higher addresses int main(int argc, char **argv) buf { stack growth char buf[0x10]; gets(buf); saved return address

911 views • 13 slides
Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern

Smashing the Stack Based on the paper by Aleph One Slides by Prof Yan Chen, Northwestern University Smashing the Stack for Fun and Profit Review: Process memory organization The problem: Buffer overflows How to exploit the problem

660 views • 46 slides
64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my

Techorganic About PGP Disclaimer Vulnerabilities Musings from the brainpan 64-bit Linux stack smashing tutorial: Part 2 Written on April 21, 2015 This is part 2 of my 64-bit Linux Stack Smashing tutorial. In part 1 we exploited a 64- bit

451 views • 9 slides
p2 Jeff Chase Duke University vulnerable.c Smashing the Stack for Fun and Profit 0x7fffffff

p2 Jeff Chase Duke University vulnerable.c Smashing the Stack for Fun and Profit 0x7fffffff

p2 Jeff Chase Duke University vulnerable.c Smashing the Stack for Fun and Profit 0x7fffffff VAS example (32-bit) Reserved The program uses virtual memory through Stack its process Virtual Address Space: An addressable array

459 views • 22 slides
References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html Exploiting format string vulnerabilities https://crypto.stanford.edu/cs155/papers/for matstring-1.2.pdf Once upon a free()

427 views • 19 slides
Binarylevel program analysis: Stack Smashing Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Stack Smashing Gang Tan CSE 597 Spring 2019 Penn State

Binarylevel program analysis: Stack Smashing Gang Tan CSE 597 Spring 2019 Penn State University 1 Program Stack For implementing procedure calls and returns Keep track of program execution and state by storing local variables

257 views • 23 slides
Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on

Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on

\x90\x90\x90\x90\x90\x90\x90\x90 Stack Smashing as of Today A State-of-the-Art Overview on Buffer Overflow Protections on linux_x86_64 <fritsch+blackhat@in.tum.de> Hagen Fritsch Technische Universitt Mnchen Black Hat Europe

927 views • 49 slides
Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday

Stack Smashing 1 logistics LEX assignment out exam in on week come with questions on Monday (review) 2 last few times encrypted code changing code polymorphic, metamorphic anti-VM/emulation anti-debugging stealth tunneling

817 views • 71 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring

Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring

Exam Review 1 logistical note post-exam stack smashing assignment due two weeks after spring break (was one on schedule, but) likely harder than tricky will count for more 2 exam format around 20 question parts mostly multiple choice

634 views • 41 slides
Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't

Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman <erik@minemu.org> Traditional Stack Smashing buf[16] GET / HTTP/1.1 00baseretnarg1arg2 Traditional Stack Smashing buf[16]

1.29k views • 100 slides
Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 24 Example 1: the Morris worm (1988) first

695 views • 24 slides
Memory Exploits & Defenses Presenter: Kevin Snow What is the threat? How do we defend

Memory Exploits & Defenses Presenter: Kevin Snow What is the threat? How do we defend

Memory Exploits & Defenses Presenter: Kevin Snow What is the threat? How do we defend ourselves? What is the threat? Stack Smashing Return-to-libc Format String Error Heap Overflow Generic Stack Frame Caller Callee Stack

1.12k views • 79 slides
ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To discuss buffer overflows in detail Stack-based buffer overflows Smashing the stack: execution from the stack

620 views • 37 slides
Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr ) (mstampar@zsis.hr ) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.)

462 views • 35 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

566 views • 44 slides
CS453 Intro and PA1 1 Nested Procedures Example Nested Procedures Suggested Exercise int

CS453 Intro and PA1 1 Nested Procedures Example Nested Procedures Suggested Exercise int

Plan for Today Another example: where does each variable go? class A { Finish accesses to member variables public static void main(String[] a){ System.out.println(42); in general, how do we determine variable locations } how will the

178 views • 3 slides
Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE

Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE

Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE Server class PowerPC KVM port Nested SVM Founding member of SUSE ARM team Booting on ARM Booting on ARM Boot ROM Booting on ARM Boot

2.09k views • 160 slides
#include <ctype.h> // tolower #include <string.h> // strcmp sfp main() #include

#include <ctype.h> // tolower #include <string.h> // strcmp sfp main() #include

#include <ctype.h> // tolower #include <string.h> // strcmp sfp main() #include <stdio.h> // fgets, fputs void reveal_secret() login { fputs("SUPER SECRET = 42\n", stdout); } login int verify(const char*

641 views • 15 slides
CISC vs. RISC x86 is the epitome of a Complex Instruction x86 or Set Computer Hundreds of

CISC vs. RISC x86 is the epitome of a Complex Instruction x86 or Set Computer Hundreds of

CISC vs. RISC x86 is the epitome of a Complex Instruction x86 or Set Computer Hundreds of instructions Oh No! Not Another Assembler F2XM1 Compute 2 x 1 Jonathan Misurda Computes the exponential value of 2 to the power of

417 views • 3 slides
Duality, definability and conceptual completeness for -pretoposes Christian Esp ndola

Duality, definability and conceptual completeness for -pretoposes Christian Esp ndola

Duality, definability and conceptual completeness for -pretoposes Christian Esp ndola POSTDOCTORAL RESEARCHER AT MASARYK UNIVERSITY BRNO, CZECH REPUBLIC July 11th, 2019 Christian Esp ndola (POSTDOCTORAL RESEARCHER AT MASARYK

814 views • 43 slides
The French Revolution Absolutism Absolute monarchs didnt share power with a counsel or

The French Revolution Absolutism Absolute monarchs didnt share power with a counsel or

The French Revolution Absolutism Absolute monarchs didnt share power with a counsel or parliament Divine Right of Kings King James I of England H1 The Seigneurial System Feudal method of land ownership and organization

75 views • 4 slides
rs stt s

rs stt s

s r rs stt s t

219 views • 5 slides
Frasers Commercial Trust Portfolio details as at 31 March 2018 20 April 2018 2 Portfolio

Frasers Commercial Trust Portfolio details as at 31 March 2018 20 April 2018 2 Portfolio

Frasers Commercial Trust Portfolio details as at 31 March 2018 20 April 2018 2 Portfolio Composition Asset values Net property income Total: S$2,219.2 million as at 31 March 2018 ^ Total: S$24.6 million for 2QFY18 # Singapore:

302 views • 11 slides

More recommend