Secure Programming: Buffer Overflows

Uploaded by: 沈*** Document ID: 244217416 Upload date: 2024-10-03 Format: PPT Pages: 37 Size: 192KB
Secure Programming: Buffer Overflows

Contents
- Buffer overflow basics (the standard stack overflow)
- Summary & questions
- A closer look at buffer overflows
- Summary & questions
- Secure programming to prevent buffer overflows (some examples)
- Extension: buffer overflows on non-x86 platforms
- Summary & questions

History
- 1988: Robert Morris Internet Worm, BSD fingerd buffer overflow vulnerability, http://www.securityfocus.com/bid/2/
- 1996: Smashing The Stack for Fun and Profit, Aleph One
- 1999: w00w00 on heap/bss overflow
- 2001: free()
- 2002: Integer overflow
- Kernel buffer overflow
- Misc

Shellcode used by the worm (VAX assembly, as shown on the slide):

```asm
pushl $68732f      # "sh\0"
pushl $6e69622f    # "/bin"
movl  sp, r10
pushl $0
pushl $0
pushl r10
pushl $3
movl  sp, ap
chmk  $3b
```

Why learn it?
- Black hat & white hat
- Inform the vendor before exposing the vulnerability
- No exploit in the advisory; concept code always
- Write the exploit yourself in your hacking
- Security base knowledge
- Deep into your world
- Secure programming

A simple sample

```c
#include <stdio.h>
#include <string.h>

/* copies input into a 10-byte stack buffer with no length check */
void foo(const char *input)
{
    char stack[10];
    strcpy(stack, input);
}

/* never called by main; only reachable if control flow is diverted */
void bar(void)
{
    printf("\nAh, I've been hacked!\n");
}

int main(int argc, char *argv[])
{
    if (argc < 2)
        return 1;
    foo(argv[1]);
    return 0;
}
```

The compiler output (gcc, AT&T syntax):

```asm
main:
    pushl %ebp
    movl  %esp, %ebp
    subl  $8, %esp
    addl  $-12, %esp
    movl  12(%ebp), %eax
    addl  $4, %eax
    movl  (%eax), %edx
    pushl %edx
    call  foo
    addl  $16, %esp
.L4:
    leave
    ret
foo:
    pushl %ebp
    movl  %esp, %ebp
    subl  $24, %esp
    addl  $-8, %esp
    movl  8(%ebp), %eax
    pushl %eax
    leal  -12(%ebp), %eax
    pushl %eax
    call  strcpy
    addl  $16, %esp
.L2:
    leave
    ret
```

How the program works
- call: pushes the Instruction Pointer (and the Code Segment for far calls) onto the stack and loads the Instruction Pointer with the address of proc-name. Execution continues at CS:IP.
- ret: transfers control from a procedure back to the instruction address saved on the stack. n bytes is an optional number of bytes to release. Far returns pop the IP followed by the CS, while near returns pop only the IP register.
- strcpy: copies a string without a boundary check.

Activation record (stack based)
- Frame pointer
- Stack pointer
- Return address
- The stack grows downwards; the buffer grows upwards.

How to exploit it
- Cover the return address with the address of your shellcode.
- When foo returns, it will execute your shellcode.
- Shellcode? It may simply be the bar function, which prints "I've been hacked" on the screen.
- En, let's continue.

Shellcode
- Binary code (machine code); the CPU can execute it directly.
- Generally it returns a shell like bash$, or binds a shell to a specific TCP/UDP port.
- Please refer to for details.

Summary
- The buffer grows upwards while the stack grows downwards (the buffer may overwrite the activation record) -> protect the activation record.
- String functions in the C library do not check array boundaries -> use safe string functions like strncpy.
- The shellcode executes on the stack -> non-executable stack.

Questions & Answers

Next: Inside the buffer overflow

Inside the process's address space (Linux on x86)

    Address range               Contents
    0x00000000 - 0x08000000     NULL pointer
    0x08000000 - 0x40000000     Data segment, text segment
    0x40000000 -                Library code
               - 0xc0000000     Heap, stack

Where is the buffer?
- Stack (the sample above, local variables): 0xbfffffff, growing downwards
- Heap: 0x4xxxxxxx, growing upwards

```c
char *buf = malloc(BUF_LEN);
char *buf = new char[BUF_LEN];
```

- BSS (uninitialized data): 0x08xxxxxx, growing upwards

```c
static char buf[BUF_LEN];
static char *buf;
buf = "/etc/passwd";
```

- Initialized data: 0x08xxxxxx, growing upwards

```c
char buf[BUF_LEN] = { 1 };
```

Data we will overwrite
- Stack: data on the stack, the activation record
- Heap: data on the heap, the management block of malloc or new
- BSS & initialized data: function pointers

GCC implementation (sections in the ELF binary)

    Section   Start address   Flags
    .text     0x08048350      AX
    .data     0x080494e8      WA
    .dtors    0x08049500      WA
    .got      0x08049508      WA
    .bss      0x080495cc      WA

A (alloc), X (execute), W (write). The addresses above differ from binary to binary.

GOT & DTORS
- GOT (Global Offset Table): relocation
- DTORS: supports destructor functions in C++

Buffer overflows in real life
- General stack overflow
- Heap/BSS overflow
- Double free (2001)
- Reentered signal()
- Off-by-one errors
- Integer overflow (2002)
- Misuse of pointers (typically inside loops)

Off-by-one problems: middleman-1.2 and prior, off-by-one bug

```c
/* strncpy which always NULL terminates */
char *s_strncpy(char *d, char *s, size_t len)
{
    char *dest = d;
    /* copies at most len bytes, stopping early at the NUL */
    for (; len && (*dest = *s); s++, dest++, len--)
        ;
    /* if the loop exhausted len, dest now points at d[len]: one byte past the buffer */
    *dest = 0;
    return d;
}
```

The user-supplied buffer may overwrite the frame pointer (ebp).

Integer overflow
- 0xfffffff + 1 = ?
- 0x9000000 * 2 = ?
- 0x0 - 1 = ?
- The signedness problem: unsigned and signed, 0xfffffffc = -4, %d vs %u

Integer overflow: the allocation size is computed from a user-controlled count and can wrap

```c
int num, i;
object_t *objs;

num = get_user_num();
/* num * sizeof(object_t) can wrap around; a negative num becomes a huge size_t */
if (!(objs = (object_t *)malloc(num * sizeof(object_t)))) {
    perror("malloc");
    exit(errno);
}
/* the loop trusts num, not the size that was actually allocated */
for (i = 0; i < num; i++)
    objs[i] = get_user_object();
```

Signed and unsigned

```c
int http_init()
{
    char *buf, buf2[1024], *t2, *t3;
    int n;
#ifndef SILENCE
    printf("Content-type: text/html; charset=%s\n\n\n", CHARSET);
    printf("\n");
    printf("\n", CHARSET);   /* format string truncated in the original */
#endif
    /* only the upper bound is checked; a negative CONTENT_LENGTH passes */
    n = atoi(getsenv("CONTENT_LENGTH"));
    if (n > 5000000) n = 5000000;
    buf = calloc(n + 1, 1);
    if (buf == 0) http_fatal("memory overflow");
    /* n is converted to size_t here: a negative n means an enormous read */
    fread(buf, 1, n, stdin);
```

Errors in looping (a request-parsing fragment; the compared delimiter characters and the end of the fragment are missing from the page)

```c
while (cp < reqend && isspace(*cp)) cp++;
if (cp == reqend || *cp == /* delimiter missing */) {
    buf[0] = 0;
    *data = buf;
    if (cp < reqend) cp++;
    reqpt = cp;
    return v;
}
if (*cp == /* delimiter missing */) cp++;
tp = buf;
while (cp < reqend && isspace(*cp)) cp++;
while (cp < reqend &&
```
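The two integer-overflow slides above (the `malloc(num * sizeof(object_t))` allocation and the `atoi(CONTENT_LENGTH)` check in `http_init`) share one root cause: a size is derived from a signed, user-controlled number without checking its sign or the product. The example below is added here and is not from the slides; `object_t` is a hypothetical 64-byte struct, and `slide_malloc_size` reproduces the slide's 32-bit arithmetic on any host so the wrap is visible, next to a checked allocator and a checked length parser.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical element type standing in for the slide's object_t (assumption). */
typedef struct { char payload[64]; } object_t;

/* The slide computes malloc(num * sizeof(object_t)) with num from the user.
 * This reproduces that 32-bit x86 arithmetic regardless of the host so the
 * two failure modes are visible: a large num wraps to a tiny size, and a
 * negative num becomes an enormous unsigned size. Either way the loop
 * objs[i] = get_user_object() then writes past what was allocated. */
static uint32_t slide_malloc_size(int num)
{
    return (uint32_t)num * (uint32_t)sizeof(object_t);
}

/* Hardened allocation: reject negative counts, cap the count, and refuse a
 * product that would not fit in size_t. Returns NULL (errno set) on any
 * violation; calloc re-checks the product on the allocator side as well. */
static object_t *alloc_objects(int num, size_t max_elems)
{
    if (num < 0) { errno = EINVAL; return NULL; }
    if ((size_t)num > max_elems) { errno = ERANGE; return NULL; }
    if ((size_t)num > SIZE_MAX / sizeof(object_t)) { errno = ERANGE; return NULL; }
    return (object_t *)calloc((size_t)num, sizeof(object_t));
}

/* The http_init() slide does n = atoi(getsenv("CONTENT_LENGTH")) and only
 * tests n > 5000000, so "-1" passes and reaches calloc(n + 1, 1) and
 * fread(buf, 1, n, stdin). This parser rejects negatives, trailing junk,
 * and out-of-range digit strings before any size is derived from n. */
static int parse_content_length(const char *s, long limit, long *out)
{
    char *end;
    long n;
    if (s == NULL || *s == '\0') return 0;
    errno = 0;
    n = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || n < 0 || n > limit) return 0;
    *out = n;
    return 1;
}
```

With a 64-byte element, a count of 0x04000000 wraps the 32-bit product to exactly 0 and a count of -1 becomes 0xFFFFFFC0, which is why the checked version tests the sign and the product separately.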