Gabe Kanzelmeyer
CS 450
4/14/10
 What
 How
 The
is buffer overflow?
memory is processed and the stack
threat
 Stack
overrun attack
 Dangers
 Prevention
A
buffer (array/string) that holds data
 Buffer
stored in memory (finite)
 Example.
• char buffer[10] (sets aside buffer[0] – buffer[9])
• Consider: buffer[10] = ‘A’;
• What will happen?
 Compiler
detects out of bounds
 Consider:
• buffer[i] = ‘A’;
 What
happens then?
 Depends, cant
execution.
identify problem until
First two only effect the
user.
Malicious programmer
focuses
on accessing the second
two .

Text – program code

Data – global data


Stack and Heap – allocate
at run-time
Stack - stores function
arguments, local
variables, values of
selected registers
 When
a procedure is called, the return
address for function call, is put into the stack
 Key
importance for attacker
 Overwrite
the return address stored on the
stack, upon termination of the procedure, it
would be loaded into the EIP register
(instruction counter), potentially allowing
any overflow code to be executed.

void f(int a, int b)
{
char buf[10];
}
void main()
{
f(1, 2);
}
 How
to recognize where an attack may
occur?
• Return address on stack
• Data on stack
With this in mind lets consider the
following…
#include
char *code =
"AAAABBBBCCCCDDD";
//including the character '\0‘
//size = 16 bytes
void main()
{
char buf[8];
strcpy(buf, code);
}
-Frame address
-Return address
-overwritten
Modified return
address is pushed
into instruction
counter
 1. Discovering
a code, which is
vulnerable to a buffer overflow.
 2. Determining
the number of bytes to be
long enough to overwrite the return
address.
 3. Calculating
the address to point the
alternate code.
 4. Writing
the code to be executed.
 5. Linking
everything together and testing
#include
#define BUF_LEN 40
void main(int argc, char **argv)
{
char buf[BUF_LEN];
if (argv > 1)
{
printf(„\buffer length: %d\nparameter
length: %d”, BUF_LEN, strlen(argv[1]) );
}
}
strcpy(buf, argv[1]);
 Consider:
• victim.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA
If access violation error
Try:
•
victim.exe AAAABBBBCCCCDDDDEEEEFFFFGGGG………
 If
successful, error message:
• “The instruction at “0x4b4b4b4b” referenced
memory at “0x4b4b4b4b”. The memory could
not be read.
• 0x4b is ASCII“K”
• Return address has been overwritten with KKKK
 From
here you can do whatever you want
• Inject shell code to gain “super user” access
• Inject address to malicious code
• Use vulnerable system to exploit Denial of
service attack
 Poor
programming practices
 Text/string
• strcpy()
• strcat()
• sprintf()
• gets()
• Etc…
manipulation functions
 Library
based defenses
• Re-implemented unsafe functions (Libsafe)
• Detects illegitimate code on the stack
(SecureWave)
Compiler based runtime boundaries