65 \noindent The text region contains the program code (usually |
65 \noindent The text region contains the program code (usually |
66 this region is read-only). The heap stores all data the |
66 this region is read-only). The heap stores all data the |
67 programmer explicitly allocates. For us the most interesting |
67 programmer explicitly allocates. For us the most interesting |
68 region is the stack, which contains data mostly associated |
68 region is the stack, which contains data mostly associated |
69 with the control flow of the program. Notice that the stack |
69 with the control flow of the program. Notice that the stack |
70 grows from a higher addresses to lower addresses. That means |
70 grows from higher addresses to lower addresses (i.e.~from the |
71 that older items on the stack will be stored behind, or after, |
71 back to the front). That means that older items on the stack |
72 newer items. Let's look a bit closer what happens with the |
72 will be stored behind, or after, newer items. Let's look a bit |
73 stack when a program is running. Consider the following simple |
73 closer what happens with the stack when a program is running. |
74 C program. |
74 Consider the following simple C program. |
75 |
75 |
76 \lstinputlisting[language=C]{../progs/example1.c} |
76 \lstinputlisting[language=C]{../progs/example1.c} |
77 |
77 |
78 \noindent The \code{main} function calls in Line 7 the |
78 \noindent The \code{main} function calls in Line 7 the |
79 function \code{foo} with three arguments. \code{Foo} creates |
79 function \code{foo} with three arguments. \code{Foo} creates |
170 computation should resume (Line 9 in the code on the left-hand |
170 computation should resume (Line 9 in the code on the left-hand |
171 side). The instruction \code{ret} then transfers control back |
171 side). The instruction \code{ret} then transfers control back |
172 to the function \pcode{main} to the the instruction just after |
172 to the function \pcode{main} to the the instruction just after |
173 the call to \pcode{foo}, that is Line 9. |
173 the call to \pcode{foo}, that is Line 9. |
174 |
174 |
175 Another part of the ``conspiracy'' is that library functions |
175 Another part of the ``conspiracy'' of buffer overflow attacks |
176 in C look typically as follows: |
176 is that library functions in C look typically as follows: |
177 |
177 |
178 \begin{center} |
178 \begin{center} |
179 \lstinputlisting[language=C,numbers=none]{../progs/app5.c} |
179 \lstinputlisting[language=C,numbers=none]{../progs/app5.c} |
180 \end{center} |
180 \end{center} |
181 |
181 |
182 \noindent This function copies data from a source \pcode{src} |
182 \noindent This function copies data from a source \pcode{src} |
183 to a destination \pcode{dst}. The important point is that it |
183 to a destination \pcode{dst}. The important point is that it |
184 copies the data until it reaches a zero-byte (\code{"\\0"}). |
184 copies the data until it reaches a zero-byte (\code{"\\0"}). |
|
185 This is a convention of the C language which assumes all |
|
186 strings are terminated by such a zero-byte. |
185 |
187 |
186 The central idea of the buffer overflow attack is to overwrite |
188 The central idea of the buffer overflow attack is to overwrite |
187 the return address on the stack which designates where the |
189 the return address on the stack. This address decides where |
188 control flow of the program should resume once the function at |
190 the control flow of the program should resume once the |
189 hand has finished its computation. So if we have somewhere in |
191 function at hand has finished its computation. So if we |
190 a function a local a buffer, say |
192 can control this address, then we can modify the control |
|
193 flow of a program. To launch an attack we need |
|
194 somewhere in a function a local a buffer, say |
191 |
195 |
192 \begin{center} |
196 \begin{center} |
193 \code{char buf[8];} |
197 \code{char buf[8];} |
194 \end{center} |
198 \end{center} |
195 |
199 |
196 \noindent |
200 \noindent which is filled by some user input. The |
197 then the corresponding stack will look as follows |
201 corresponding stack of such a function will look as follows |
198 |
202 |
199 \begin{center} |
203 \begin{center} |
200 \begin{tikzpicture}[scale=0.65] |
204 \begin{tikzpicture}[scale=0.65] |
201 %\draw[step=1cm] (-3,-1) grid (3,8); |
205 %\draw[step=1cm] (-3,-1) grid (3,8); |
202 \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1); |
206 \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1); |
251 will copy everything up to the zero-byte. Notice that this |
255 will copy everything up to the zero-byte. Notice that this |
252 overwriting of the buffer only works since the newer item, the |
256 overwriting of the buffer only works since the newer item, the |
253 buffer, is stored on the stack before the older items, like |
257 buffer, is stored on the stack before the older items, like |
254 return address and arguments. If it had be the other way |
258 return address and arguments. If it had be the other way |
255 around, then such an overwriting by overflowing a local buffer |
259 around, then such an overwriting by overflowing a local buffer |
256 would just not work. |
260 would just not work. If the designers of C had just been able |
|
261 to foresee what headaches their way of arranging the stack |
|
262 caused in the time where computers are accessible from |
|
263 everywhere. |
257 |
264 |
258 What the outcome of such an attack is can be illustrated with |
265 What the outcome of such an attack is can be illustrated with |
259 the code shown in Figure~\ref{C2}. Under ``normal operation'' |
266 the code shown in Figure~\ref{C2}. Under ``normal operation'' |
260 this program ask for a login-name and a password. Both of |
267 this program ask for a login-name and a password. Both of |
261 which are stored in \code{char} buffers of length 8. The |
268 which are stored in \code{char} buffers of length 8. The |
262 function \pcode{match} tests whether two such buffers contain |
269 function \pcode{match} tests whether two such buffers contain |
263 the same. If yes, then the function lets you ``in'' (by |
270 the same content. If yes, then the function lets you ``in'' |
264 printing \pcode{Welcome}). If not, it denies access (by |
271 (by printing \pcode{Welcome}). If not, it denies access (by |
265 printing \pcode{Wrong identity}). The vulnerable function is |
272 printing \pcode{Wrong identity}). The vulnerable function is |
266 \code{get_line} in Lines 11 to 19. This function does not take |
273 \code{get_line} in Lines 11 to 19. This function does not take |
267 any precautions about the buffer of 8 characters being filled |
274 any precautions about the buffer of 8 characters being filled |
268 beyond this 8-character-limit. Let us suppose the login name |
275 beyond its 8-character-limit. Let us suppose the login name |
269 is \pcode{test}. Then the buffer overflow can be triggered |
276 is \pcode{test}. Then the buffer overflow can be triggered |
270 with a specially crafted string as password: |
277 with a specially crafted string as password: |
271 |
278 |
272 \begin{center} |
279 \begin{center} |
273 \code{AAAAAAAABBBB\\x2c\\x85\\x04\\x08\\n} |
280 \code{AAAAAAAABBBB\\x2c\\x85\\x04\\x08\\n} |
275 |
282 |
276 \noindent The address at the end happens to be the one for the |
283 \noindent The address at the end happens to be the one for the |
277 function \pcode{welcome()}. This means even with this input |
284 function \pcode{welcome()}. This means even with this input |
278 (where the login name and password clearly do not match) the |
285 (where the login name and password clearly do not match) the |
279 program will still print out \pcode{Welcome}. The only |
286 program will still print out \pcode{Welcome}. The only |
280 information we need for this attack is to know where the |
287 information we need for this attack to work is to know where |
281 function \pcode{welcome()} starts in memory. This information |
288 the function \pcode{welcome()} starts in memory. This |
282 can be easily obtained by starting the program inside the |
289 information can be easily obtained by starting the program |
283 debugger and disassembling this function. |
290 inside the debugger and disassembling this function. |
284 |
291 |
285 \begin{lstlisting}[numbers=none,language={[x86masm]Assembler}, |
292 \begin{lstlisting}[numbers=none,language={[x86masm]Assembler}, |
286 morekeywords={movl,movw}] |
293 morekeywords={movl,movw}] |
287 $ gdb C2 |
294 $ gdb C2 |
288 GNU gdb (GDB) 7.2-ubuntu |
295 GNU gdb (GDB) 7.2-ubuntu |
324 \subsection*{Paylods} |
331 \subsection*{Paylods} |
325 |
332 |
326 Unfortunately, much more harm can be caused by buffer overflow |
333 Unfortunately, much more harm can be caused by buffer overflow |
327 attacks. This is achieved by injecting code that will be run |
334 attacks. This is achieved by injecting code that will be run |
328 once the return address is appropriately modified. Typically |
335 once the return address is appropriately modified. Typically |
329 the code that will be injected is for running a shell. This |
336 the code that will be injected starts a shell. This gives the |
330 gives the attacker the ability to run programs on the target |
337 attacker the ability to run programs on the target machine and |
331 machine and have a good look around, provided the attacked |
338 to have a good look around, provided the attacked process was not |
332 process was not already running as root.\footnote{In that case |
339 already running as root.\footnote{In that case the attacker |
333 the attacker would do already congratulate him or herself to |
340 would already congratulate him or herself to another |
334 another computer under full control.} In order to be send as |
341 computer under full control.} In order to be send as part of |
335 part of the string that is overflowing the buffer, we need the |
342 the string that is overflowing the buffer, we need the code to |
336 code to be represented as a sequence of characters. For |
343 be represented as a sequence of characters. For example |
337 example |
|
338 |
344 |
339 \lstinputlisting[language=C,numbers=none]{../progs/o1.c} |
345 \lstinputlisting[language=C,numbers=none]{../progs/o1.c} |
340 |
346 |
341 \noindent These characters represent the machine code for |
347 \noindent These characters represent the machine code for |
342 opening a shell. It seems obtaining such a string requires |
348 opening a shell. It seems obtaining such a string requires |
343 higher-education in the architecture of the target system. But |
349 higher-education in the architecture of the target system. But |
344 it is actually relatively simple: First there are many such |
350 it is actually relatively simple: First there are many such |
345 string ready-made---just a quick Google query away. Second, |
351 string ready-made---just a quick Google query away. Second, |
346 tools like the debugger can help us again. We can just write |
352 tools like the debugger can help us again. We can just write |
347 the code we want in C, for example this would be the program |
353 the code we want in C, for example this would be the program |
348 for starting a shell |
354 for starting a shell: |
349 |
355 |
350 \lstinputlisting[language=C,numbers=none]{../progs/shell.c} |
356 \lstinputlisting[language=C,numbers=none]{../progs/shell.c} |
351 |
357 |
352 \noindent Once compiled, we can use the debugger to obtain |
358 \noindent Once compiled, we can use the debugger to obtain |
353 the machine code, or even the ready-made encoding as character |
359 the machine code, or even the ready-made encoding as character |
359 Unfortunately the ``vanilla'' output from the debugger for the |
365 Unfortunately the ``vanilla'' output from the debugger for the |
360 shell-program above will contain such zero bytes. So a |
366 shell-program above will contain such zero bytes. So a |
361 post-processing phase is needed to rewrite the machine code in |
367 post-processing phase is needed to rewrite the machine code in |
362 a way that it does not contain any zero bytes. This is like |
368 a way that it does not contain any zero bytes. This is like |
363 some works of literature that have been written so that the |
369 some works of literature that have been written so that the |
364 letter 'i', for example, is avoided. For rewriting the machine |
370 letter e, for example, is avoided. The technical term for such |
365 code, you might need to use clever tricks like |
371 a literature work is \emph{lipogram}.\footnote{The most |
|
372 famous example of a lipogram is a 50,000 words novel titled |
|
373 Gadsby, see \url{https://archive.org/details/Gadsby}.} For |
|
374 rewriting the machine code, you might need to use clever |
|
375 tricks like |
366 |
376 |
367 \begin{lstlisting}[numbers=none,language={[x86masm]Assembler}] |
377 \begin{lstlisting}[numbers=none,language={[x86masm]Assembler}] |
368 xor %eax, %eax |
378 xor %eax, %eax |
369 \end{lstlisting} |
379 \end{lstlisting} |
370 |
380 |
371 \noindent This instruction does not contain any zero byte when |
381 \noindent This instruction does not contain any zero-byte when |
372 encoded, but produces a zero byte on the stack when run. |
382 encoded as string, but produces a zero-byte on the stack when |
373 |
383 run. |
374 Having removed the zero bytes we can craft the string that |
384 |
375 will be send to the target computer. It is typically of the |
385 Having removed the zero-bytes we can craft the string that |
376 form |
386 will be send to the target computer. This of course requires |
377 |
387 that the buffer we are trying to attack can at least contain |
378 \begin{center} |
388 the shellcode we want to run. But as you can see this is only |
379 \begin{tikzpicture}[scale=0.7] |
389 47 bytes, which is a very low bar to jump over. More |
|
390 formidable is the choice of finding the right address to jump |
|
391 to. The string is typically of the form |
|
392 |
|
393 \begin{center} |
|
394 \begin{tikzpicture}[scale=0.6] |
380 \draw[line width=1mm] (-2, -1) rectangle (2,3); |
395 \draw[line width=1mm] (-2, -1) rectangle (2,3); |
381 \draw[line width=1mm] (-2,1.9) -- (2,1.9); |
396 \draw[line width=1mm] (-2,1.9) -- (2,1.9); |
382 \draw (0,2.5) node {\large\tt shell code}; |
397 \draw (0,2.5) node {\large\tt shell code}; |
383 \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7); |
398 \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7); |
384 \draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) -- |
399 \draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) -- |
386 \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}}; |
401 \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}}; |
387 \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}}; |
402 \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}}; |
388 \end{tikzpicture} |
403 \end{tikzpicture} |
389 \end{center} |
404 \end{center} |
390 |
405 |
391 \noindent This of course requires that the buffer we are |
406 \noindent where we need to be very precise with the address |
392 trying to attack can at least contain the shellcode we want to |
407 with which we will overwrite the buffer. It has to be |
393 run. But as you can see this is only 47 bytes, which is a very |
408 precisely the first byte of the shellcode. While this is easy |
394 low bar to jump over. More formidable is the choice of finding |
409 with the help of a debugger (as seen before), we typically |
395 the right address to jump to. As indicated in the picture we |
410 cannot run anything, including a debugger, on the machine yet |
396 need to be very precise with the address with which we will |
411 we target. And the address is very specific to the setup of |
397 overwrite the buffer. It has to be precisely the first byte of |
412 the target machine. One way of finding out what the right |
398 the shellcode. While this is easy with the help of a debugger |
413 address is is to try out one by one every possible |
399 (as seen before), we typically cannot run anything on the |
414 address until we get lucky. With the large memories available |
400 machine yet we target. And the address is very specific to the |
415 today, however, the odds are long. And if we try out too many |
401 setup of the target machine. One way of finding out what the |
416 possible candidates too quickly, we might be detected by the |
402 right address is is to try out one by one until we get lucky. |
417 system administrator of the target system. |
403 With the large memories available today, however, the odds are |
|
404 long. And if we try out too many possible candidates too |
|
405 quickly, we might be detected by the system administrator of |
|
406 the target system. |
|
407 |
418 |
408 We can improve our odds considerably by following a clever |
419 We can improve our odds considerably by following a clever |
409 trick. Instead of adding the shellcode at the beginning of the |
420 trick. Instead of adding the shellcode at the beginning of the |
410 string, we should add it at the end, just before we overflow |
421 string, we should add it at the end, just before we overflow |
411 the buffer, for example |
422 the buffer, for example |
412 |
423 |
413 \begin{center} |
424 \begin{center} |
414 \begin{tikzpicture}[scale=0.7] |
425 \begin{tikzpicture}[scale=0.6] |
|
426 \draw[gray!50,fill=gray!50] (-2,0.3) rectangle (2,3); |
415 \draw[line width=1mm] (-2, -1) rectangle (2,3); |
427 \draw[line width=1mm] (-2, -1) rectangle (2,3); |
416 \draw[line width=1mm] (-2,1.9) -- (2,1.9); |
428 \draw[line width=1mm] (-2,0.3) -- (2,0.3); |
417 \draw (0,2.5) node {\large\tt shell code}; |
429 \draw[line width=1mm] (-2,-0.7) -- (2,-0.7); |
|
430 \draw (0,-0.2) node {\large\tt shell code}; |
418 \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7); |
431 \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7); |
419 \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}}; |
432 \draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}}; |
420 \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}}; |
433 \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}}; |
421 \end{tikzpicture} |
434 \end{tikzpicture} |
422 \end{center} |
435 \end{center} |
423 |
436 |
424 \noindent Then we can fill up the gray part of the string with |
437 \noindent Then we can fill up the gray part of the string with |
425 a \pcode{NOP} operation. The code for this operation is |
438 \pcode{NOP} operations. The code for this operation is |
426 \code{\\0x90}. It is available on every architecture and its |
439 \code{\\0x90}. It is available on every architecture and its |
427 purpose it to to nothing apart from waiting a small amount of |
440 purpose in a CPU is to do nothing apart from waiting a small |
428 time. If we now use an address that lets us jump to any |
441 amount of time. If we now use an address that lets us jump to |
429 address in the gray area we are done. The target machine will |
442 any address in the gray area we are done. The target machine |
430 execute these \pcode{NOP} operations until it reaches the |
443 will execute these \pcode{NOP} operations until it reaches the |
431 shellcode. A moment of thought can convince you that this |
444 shellcode. A moment of thought can convince you that this |
432 trick can hugely improve our odds of finding the right |
445 trick can hugely improve our odds of finding the right |
433 address---depending on the size of the buffer, it might |
446 address---depending on the size of the buffer, it might only |
434 only take a few tries to get the shellcode to run. |
447 take a few tries to get the shellcode to run. And then |
|
448 we are in. The code for such an attack is show in |
|
449 Figure~\ref{overflow}. |
|
450 |
|
451 \begin{figure}[p] |
|
452 \lstinputlisting[language=C]{../progs/overflow.c} |
|
453 \caption{Overwriting a buffer with a paylod.\label{overflow}} |
|
454 \end{figure} |
435 |
455 |
436 \bigskip\bigskip |
456 \bigskip\bigskip |
437 \subsubsection*{A Crash-Course for GDB} |
457 \subsubsection*{A Crash-Course for GDB} |
438 |
458 |
439 \begin{itemize} |
459 \begin{itemize} |