Secure Programming: Buffer Overflow

Contents

- Buffer overflow basics (the standard stack overflow)
- Summary

The standard stack overflow

The demo program. Only the body of foo() survives on the page; bar() is never called by main():

```c
/* foo(): only this line survives on the page; `stack` is its local
 * buffer and `input` its argument, copied with no length check */
    strcpy(stack, input);

void bar()
{
    printf("\nAh, I've been hacked!\n");
}

void main(int argc, char *argv[])
{
    foo(argv[1]);
}
```

The same program as compiled by GCC (x86, AT&T syntax):

```asm
main:
    pushl %ebp
    movl  %esp,%ebp
    subl  $8,%esp
    addl  $-12,%esp
    movl  12(%ebp),%eax
    addl  $4,%eax
    movl  (%eax),%edx
    pushl %edx
    call  foo
    addl  $16,%esp
.L4:
    leave
    ret

foo:
    pushl %ebp
    movl  %esp,%ebp
    subl  $24,%esp
    addl  $-8,%esp
    movl  8(%ebp),%eax
    pushl %eax
    leal  -12(%ebp),%eax
    pushl %eax
    call  strcpy
    addl  $16,%esp
.L2:
    leave
    ret
```

How the program works

- call: pushes the Instruction Pointer (and the Code Segment for far calls) onto the stack and loads the Instruction Pointer with the address of proc-name. Execution continues at CS:IP.
- ret: transfers control from a procedure back to the instruction address saved on the stack. n bytes is an optional number of bytes to release. Far returns pop the IP followed by the CS, while near returns pop only the IP register.
- strcpy: copies a string without a boundary check.

Activation record (stack based)

- Frame pointer, stack pointer, return address.
- The stack grows downwards; the buffer is filled upwards, towards the saved frame pointer and the return address.

How to exploit it

Cover the return address with your shellcode address. When foo() returns, it will execute your shellcode. Shellcode? It may be the bar() function, which prints "I've been hacked" on the screen. Well, let's continue.

Shellcode

- Binary code (machine code): the CPU can execute it directly.
- Generally it returns a shell like bash$, or binds a shell to a specific TCP/UDP port.
- Please refer to (reference not preserved on the page) for details.

Summary

- The buffer grows upwards while the stack grows downwards, so the buffer may overwrite the activation record. Defence: protect the activation record.
- String functions in the library do not check the array boundary. Defence: safe string functions like strncpy.
- The shellcode executes on the stack. Defence: a non-executable stack.

Question: in which memory region does each buffer live?

```c
char *buf = new char[BUF_LEN];         /* 0x4xxxxxxx, grows upwards */

static char buf[BUF_LEN];              /* BSS (uninitialized data), 0x08xxxxxx, grows upwards */
static char *buf;
buf = "/etc/passwd";

char buf[BUF_LEN] = {1};               /* initialized data, 0x08xxxxxx, grows upwards */
```

Data we will overwrite

- Stack: data on the stack; the activation record.
- Heap: data on the heap; the management block of malloc or new.
- BSS: `for (; len` (the loop example is cut off on the page).

The buffer the user supplied may overwrite the frame pointer (ebp).

Integer overflow

- 0xfffffff + 1 = ?
- 0x9000000 * 2 = ?
- 0x0 - 1 = ?
- The signed problem: unsigned and signed; 0xfffffffc = -4; %d versus %u.

```c
int num, i;
object_t *objs;

num = get_user_num();                   /* user controls num; num * sizeof(object_t) can wrap */
if (!(objs = (object_t *)malloc(num * sizeof(object_t)))) {
    perror("malloc");
    exit(errno);
}
for (i = 0; i < num; i++)              /* the loop still runs up to the unwrapped num */
    objs[i] = get_user_object();
```

Signed and unsigned

```c
int http_init()
{
    char *buf, buf2[1024], *t2, *t3;
    int n;
#ifndef SILENCE
    printf("Content-type: text/html; charset=%s\n\n\n", CHARSET);
    printf("\n");                        /* HTML markup in these strings was lost in extraction */
    printf("\n", CHARSET);
#endif
    n = atoi(getenv("CONTENT_LENGTH"));
    if (n > 5000000) n = 5000000;        /* only the upper bound is checked: a negative n passes */
    buf = calloc(n + 1, 1);              /* n = -1 gives calloc(0, 1) */
    if (buf == 0) http_fatal("memory overflow");
    fread(buf, 1, n, stdin);             /* the signed n becomes a huge size_t here */
}
```

Errors in looping

```c
while (cp < reqend
```

(the loop is cut off on the page)

Summary

- Where is the buffer? On the stack, or on the heap/BSS.
- What can we overwrite (data that can change eip)? The activation record (ret, ebp, ...); data that can make a jump.
- How it is implemented in GCC and Glibc.
- Defending against buffer overflow: non-executable stack, data and heap/BSS (optimize online); return to lib (Solar Designer); a safe compiler; secure programming.

Question

```c
snprintf(dst, src, strlen(dst));
strncat(dst, src, strlen(dst));
strncat(dst, src, strlen(dst) - 1);
```
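Added example, not part of the slides: the two integer checks missing from the malloc(num * sizeof(object_t)) code and from http_init()'s CONTENT_LENGTH handling above. The names checked_array_size and parse_content_length are this example's own.

```c
/* Added example, not from the slides; function names are this example's own. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stores num * elem in *out and returns 1 only if num is non-negative and
 * the product cannot wrap around SIZE_MAX; otherwise returns 0.  This is
 * the check that belongs before malloc(num * sizeof(object_t)). */
int checked_array_size(int num, size_t elem, size_t *out)
{
    if (num < 0 || elem == 0)
        return 0;
    if ((size_t)num > SIZE_MAX / elem)      /* num * elem would overflow */
        return 0;
    *out = (size_t)num * elem;
    return 1;
}

/* Parses CONTENT_LENGTH the way http_init() should have: a non-negative
 * decimal integer no larger than max, with nothing trailing.  Returns -1
 * on any rejection, so the caller never hands a negative or oversized n
 * to calloc()/fread(). */
long parse_content_length(const char *s, long max)
{
    char *end;
    long n;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    n = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')    /* out of range or trailing junk */
        return -1;
    if (n < 0 || n > max)                   /* "-1" passed the slide's n > 5000000 test */
        return -1;
    return n;
}
```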

strncpy NULL termination problem

```c
/*
 * strncpy() NULL termination problems
 * kk_
 * ./a.out `perl -e 'print "A" x49'`
 */
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buf1[50];
    char buf2[50];

    if (argc < 2) return 1;
    strcpy(buf1, "This is buf2");
    /* copies 49 bytes but stores no NUL when argv[1] is 49 bytes or longer */
    strncpy(buf2, argv[1], sizeof(buf2) - 1);
    printf("%s\n", buf2);                /* reads past buf2 into whatever follows it */
    return 0;
}
```

strncat off-by-one problem

```c
/*
 * strncat() off-by-one problem
 * kk_
 */
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[50];

    if (argc < 2) return 1;
    strcpy(buf, "This is buf2");
    /* strncat() appends up to n bytes AND then a NUL: with n = sizeof(buf) - strlen(buf)
     * the NUL can land one byte past the end of buf */
    strncat(buf, argv[1], sizeof(buf) - strlen(buf));
    printf("length: %d content:%s\n", (int)strlen(buf), buf);
    return 0;
}
```

Underflow problem

```c
/* underflow problem
 * strncpy() NULL termination problem
 * kk_
 */
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buf[50];

    if (argc < 3) return 1;
    //buf[49] = 0;                       /* left out on purpose: buf may stay unterminated */
    strncpy(buf, argv[1], sizeof(buf) - 1);
    /* if buf is unterminated, strlen(buf) > 49 and the size_t subtraction wraps to a huge value */
    printf("size:%x, strlen:%x remain:%x\n", (unsigned)sizeof(buf), (unsigned)strlen(buf),
           (unsigned)(sizeof(buf) - strlen(buf) - 1));
    strncat(buf, argv[2], sizeof(buf) - strlen(buf) - 1);
    printf("length:%d content:%s\n", (int)strlen(buf), buf);
    return 0;
}
```

Misuse of the return value of snprintf()

```c
/* misuse of return value in snprintf()
 * kk_
 * ./a.out `perl -e 'print "A" x51'` `perl -e 'print "B" x20'`
 */
#include <stdio.h>

int main(int argc, char *argv[])
{
    char buf[50];
    char *ptr;

    if (argc < 3) return 1;
    ptr = buf;
    //buf[49-1] = 0;
    /* snprintf() returns the length the output WOULD have had (51 here), not the
     * bytes written, so ptr steps past the end of buf ... */
    ptr += snprintf(ptr, sizeof(buf), "%s", argv[1]);
    /* ... and sizeof(buf) - (ptr - buf) wraps to a huge size for the second call */
    ptr += snprintf(ptr, sizeof(buf) - (ptr - buf), "%s", argv[2]);
    printf("%s\n", buf);
    return 0;
}
```
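Added example, not part of the slides: bounded copy and append helpers that avoid the four pitfalls just shown, i.e. strncpy leaving no terminator, strncat's off-by-one, the size_t underflow from an unterminated buffer, and snprintf's would-have-written return value. The function names are this example's own; every helper leaves the destination NUL-terminated and reports truncation instead of writing past the end.

```c
/* Added example, not from the slides; function names are this example's own. */
#include <stdio.h>
#include <string.h>

/* Copy with strncpy() and always write the terminator.  Returns 1 if src
 * fit, 0 if it was truncated. */
int bounded_copy(char *dst, size_t size, const char *src)
{
    if (size == 0) return 0;
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
    return strlen(src) < size;
}

/* Append with strncat().  The used length is measured with a bounded scan,
 * so an unterminated dst cannot make size - used - 1 wrap around, and the
 * extra -1 leaves room for the NUL that strncat() writes after n bytes. */
int bounded_append(char *dst, size_t size, const char *src)
{
    size_t used = 0;
    while (used < size && dst[used] != '\0') used++;
    if (used >= size) {                 /* dst not terminated: repair and refuse */
        if (size) dst[size - 1] = '\0';
        return 0;
    }
    strncat(dst, src, size - used - 1);
    return strlen(src) < size - used;
}

/* Formatted append that treats snprintf()'s return value correctly: it is
 * the length the output would have had, so a result >= the remaining room
 * means truncation, and *pos is clamped to the last byte instead of
 * stepping past the buffer as "ptr += snprintf(...)" does. */
int bounded_format_append(char *dst, size_t size, size_t *pos,
                          const char *fmt, const char *arg)
{
    int n;
    if (*pos >= size) return 0;
    n = snprintf(dst + *pos, size - *pos, fmt, arg);
    if (n < 0) { dst[*pos] = '\0'; return 0; }
    if ((size_t)n >= size - *pos) {
        *pos = size - 1;                /* dst[size - 1] already holds the NUL */
        return 0;
    }
    *pos += (size_t)n;
    return 1;
}
```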

snprintf: terminate explicitly after the call:

```c
dst[sizeof(dst) - 1] = 0;
```

strncat: leave room for the terminator and terminate explicitly:

```c
strncat(dst, src, sizeof(dst) - strlen(dst) - 1);
dst[sizeof(dst) - 1] = 0;
```

Or do not use these functions at all, like qmail.

Question & Answer

Next topic: non-x86 & (the Eight Diagrams)

Buffer overflow on non-x86 architectures

- SPARC/Solaris: the return address of the current function is saved in a register. Computer architecture: register windows. Leaf functions and non-leaf functions.
- PA-RISC/HP-UX: the buffer grows upwards and the stack grows upwards. Leaf functions and non-leaf functions.
- MIPS/VxWorks (Cisco IOS hacking)
- PowerPC/AIX
- MIPS/IRIX

What's ideal hacking?

- Not intruding.
- Not blackhat & whitehat.
- Not inside details.
- "exploring the limits of what is possible, in a spirit of playful cleverness" (Richard Stallman)
- Hacking: how the world works.
- Hacking: find the way to a free world.

Wonderful hacking world

- http://lsd- (URL cut off on the page)
- The poor and great hacking in Argus System.
- http://team- .au/silvio/ (URL cut off on the page)
