A buffer overflow occurs when a program or process tries to store more data in a buffer than the buffer was allocated to hold. A buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code.
3. Buffer Overflow
Technique to force execution of malicious code with unauthorized privileges
– launch a command shell
– search the local disk or network for sensitive data
– register with a command and control network as a zombie
Can be applied both locally and remotely
Attack technique is independent of machine architecture and operating system
Can be tricky to execute, but extremely effective
4. Layout of the Stack
The stack grows from the high-end address to the low-end address (a buffer grows from the low-end address to the high-end address);
Return address: when a function returns, the instructions pointed to by it will be executed;
Stack frame pointer (esp): used to reference local variables and function parameters.
5. Layout of the Virtual Space of a Process
The layout of the virtual space of a process in Linux
6. Example
    #include <stdio.h>

    int cal(int a, int b)
    {
        int c;
        c = a + b;
        return c;
    }

    int main()
    {
        int d;
        d = cal(1, 2);
        printf("%d\n", d);
        return 0;
    }
Stack during the call to cal(), listed from the low-end address (esp) to the high-end address:
esp
c
ebp → previous ebp
retaddr(0x0804822)
a(1)
b(2)
high-end address
10. Shell code
Shellcode is defined as a set of instructions which is injected into and then executed by an exploited program;
Shellcode is used to directly manipulate registers and the behaviour of a program;
Most shellcode uses system calls to perform its malicious behaviour;
System calls are a set of functions which allow you to access operating-system-specific functions such as getting input, producing output, and exiting a process;
13. How to prevent stack buffer overflow?
Stack Guard
In the stack, a canary word is placed after the return address whenever a function is called;
The canary will be checked before the function returns. If the value of the canary has changed, this indicates malicious behaviour.
Unix Stack Frame, from lower address to higher address:
Local Variables
Old Base Pointer
Canary Value
Return Address
Arguments
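As an added example (not from the deck), the C program below models the Stack Guard check on the frame layout of this slide: a local buffer, the old base pointer, the canary and the return address in a constructed struct, with a fixed canary value and a placeholder return address chosen for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame, ordered from lower to higher address like the Unix
 * Stack Frame slide. A real compiler draws the canary at random per
 * process; a fixed value keeps this demo deterministic. */
struct frame {
    char     buf[16];   /* local variable, the overflow target   */
    uint32_t old_ebp;   /* saved base pointer of the caller      */
    uint32_t canary;    /* guard word verified before returning  */
    uint32_t retaddr;   /* saved return address                  */
};

#define CANARY_VALUE        0x0AFF0D00u
#define RETADDR_PLACEHOLDER 0x08048200u   /* constructed, not from the deck */

enum check_result { FRAME_INTACT = 0, CANARY_CLOBBERED = 1 };

/* Stand-in for an unbounded copy into buf (offset 0 of the frame): writes
 * len bytes, capped at the frame size so the demo never leaves the struct,
 * then runs the Stack Guard check the slide describes. */
enum check_result copy_then_check(const char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.old_ebp = 0xBFFFF000u;
    f.canary  = CANARY_VALUE;
    f.retaddr = RETADDR_PLACEHOLDER;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);
    /* Epilogue check: a changed canary means the bytes between buf and the
     * return address were overwritten, so the return address cannot be
     * trusted and the function must not return normally. */
    return f.canary == CANARY_VALUE ? FRAME_INTACT : CANARY_CLOBBERED;
}

int main(void)
{
    char big[28];
    memset(big, 'A', sizeof big);   /* long enough to reach past the canary */
    printf("5 bytes:  %s\n", copy_then_check("hello", 5) == FRAME_INTACT
           ? "frame intact" : "canary clobbered");
    printf("28 bytes: %s\n", copy_then_check(big, sizeof big) == FRAME_INTACT
           ? "frame intact" : "canary clobbered");
    return 0;
}
```

A write that stops inside the old base pointer passes this check, because with the slide's layout the canary sits above the saved base pointer; placing the canary directly above the local variables would catch that case as well.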