Buffer Overflows – What is a Buffer? – An Example Attack

View Github Repository Open presentation in a new window

ztk4

See all presentation from ztk4

Buffer Overflows – What is a Buffer? – An Example Attack

0 0

BufferOverflow

Presentation on Buffer Overflows

On Github ztk4 / BufferOverflow

Buffer Overflows

Smashing the Stack for Fun and Profit - Aleph One

~ Zachary Trent Kaplan - ztk4@njit.edu Repository for this Presentation: Buffer Overflow Presentation Made with reveal.js - Repository

What is a Buffer?

Contiguous Memory

Memory in C

Command Line Input (CLI):  ./agree "Yes"
agree.c
#include <stdio.h>
#include <string.h>

int bad_code(char *arg1) {
    char cpy[16]; 
    strcpy(cpy, arg1);
    cpy[15] = '\0';
    
    return strcmp(cpy, "Yes");
}

int main(int argc, char **argv) {
    if(argc != 2) {
        printf("Usage: %s reply\n", *argv);
        return 1;
    }

    if(bad_code(argv[1]) == 0)
        printf("Thanks for agreeing!\n");
    else
        printf("I'm sorry, I don't understand\n");

    return 0;
}
Stack
Increasing Addresses →
 Parent Frame (main)Return AddressSaved Frame Pointerchar *arg1char cpy[16] \0 s e Y Unused Stack Space 

Memory in C

Command Line Input (CLI):  ./agree $(python -c "print 'A'*36")
agree.c
#include <stdio.h>
#include <string.h>

int bad_code(char *arg1) {
    char cpy[16]; 
    strcpy(cpy, arg1);
    cpy[15] = '\0';
    
    return strcmp(cpy, "Yes");
}

int main(int argc, char **argv) {
    if(argc != 2) {
        printf("Usage: %s reply\n", *argv);
        return 1;
    }

    if(bad_code(argv[1]) == 0)
        printf("Thanks for agreeing!\n");
    else
        printf("I'm sorry, I don't understand\n");

    return 0;
}
Stack
Increasing Addresses →
 Parent Frame (main)Return Address \0 A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Unused Stack Space 

An Example Attack

All the files shown can be found in this directory Remember to use the Makefile to compile overflow with symbols on and stack protection off to change the owner of overflow and it's privelages to u=rwxs; g=rx; o=r, and to disable aslr on your machine before compiling.

overflow.c

#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <openssl/md5.h>

void grant_shell() {
    printf("Welcome back superuser!\nHere's your shell:\n");
    setuid(geteuid());
    char *const args[] = {"/bin/sh",  NULL};
    execv(args[0], args);
}

//easy way of storing hash in source file 
//(16 bytes represented as 16 uint8's)
uint8_t valid_hash[] = {193, 179, 147, 105, 178, 122, 16, 111,
                        31, 197, 119, 133, 91, 193, 217, 252}; 

int verify(char *argv1) {
    char passwd[21];        //holds 20 characters plus a null byte
    strcpy(passwd, argv1);
    passwd[20] = '\0';      //set the last char to null

    uint8_t hash[16];       //enough space for 16 byte hash
    MD5(passwd, strlen(passwd), (char *)hash);

    return !memcmp(hash, valid_hash, 16);
}
int main(int argc, char **argv) {
    if(argc != 2) {
        printf("Usage: %s passwd\n", *argv);
        return 1;
    }

    if(verify(argv[1])) { //if password is okay
        grant_shell();
    } else {
        printf("You're not the superuser, "
                "you don't know the password!!\n");
    }
    
    return 0;
}

GDB

The GNU Project Debugger

Success!

We now have a shell with root privelages

Thank You!

Questions?
Buffer Overflows Smashing the Stack for Fun and Profit - Aleph One ~ Zachary Trent Kaplan - ztk4@njit.edu Repository for this Presentation: Buffer Overflow Presentation Made with reveal.js - Repository