CSC 2400 Computer Systems Stack Buffer Overflow Attacks
Summary

• Invoking a function
  o CALL: call the function
  o RET: return from the function
• Stack frame for a function call includes
  o Function arguments
  o Return address
  o Local variables
  o Saved registers
• Base pointer EBP
  o Fixed reference point in the stack frame
  o Useful for referencing arguments and local variables
Function Calls

• main calls add3
  o Push arguments on the stack
  o Push return address on the stack
  o Jump to add3
  o Allocate local variables on the stack, save registers, etc.

    int add3(int a, int b, int c) {
        int d;
        d = a + b + c;
        return d;
    }

    int main() {
        int sum, avg;
        sum = add3(3, 4, 5);
        avg = sum / 3;
        return avg;
    }

• Returning to main
  o Clear the stack frame for add3
  o Pop return address from the stack

[Figure: stack diagram showing, from the top of the stack downward, the stack frame for add3, the return address (where ESP points once add3's frame has been cleared), the arguments 3, 4, 5, and the stack frame for main.]
Computer Malware

• Stack buffer overflow attacks
• Heap buffer overflows are also common (they overwrite pointer addresses)

[Figure: two stacks drawn from low address to high address. Normal stack: buffer, saved EBP (a valid address), return address. Buffer overflow attack: the overflowed region covers the buffer and the saved EBP, the return address is replaced by a new return address, and malicious code sits above it at higher addresses.]
Stack layout used in the gets() diagrams (offsets relative to EBP, low addresses at the top):

    EBP-4 .. EBP-1   buf[0] buf[1] buf[2] buf[3]   (4-byte buffer)
    EBP   .. EBP+3   Old EBP
    EBP+4 .. EBP+7   Return Address (0x08048424)

Before/after gets() diagrams, one per slide, each with a longer input:

• Input "123": buf = 0x31 0x32 0x33 0x00; Old EBP and the return address are untouched.
• Input "1234": buf = 0x31 0x32 0x33 0x34; the terminating 0x00 lands in the first byte of Old EBP.
• Input "1234567": buf = 0x31 0x32 0x33 0x34; Old EBP = 0x35 0x36 0x37 0x00; the return address is still intact.
• Input "12345678" and beyond: buf = 0x31 0x32 0x33 0x34; Old EBP = 0x35 0x36 0x37 0x38; the bytes that follow (drawn as 0x30 and the terminating 0x00 on the slide) spill into the return address.
• The same case shown as 32-bit words (a build whose return address is 0x08048472): Old EBP reads 0x38373635 (bytes 0x35 0x36 0x37 0x38, little-endian) and the low bytes of the return address are overwritten with zero.
• Attacker-chosen input: buf is filled, Old EBP is overwritten with some valid address, and the return address (0x08048472) is replaced by the address of Fire, so the function returns into Fire instead of its caller.
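As an added example (not part of the lecture slides), the following C program models the frame from the diagrams above as a struct and replays the same inputs through a gets()-style unbounded write and an fgets()-style bounded write, so the point at which the saved EBP and then the return address get clobbered can be observed deterministically, without corrupting a real stack. The struct, the function names and the saved-EBP value 0xBFFFF3C8 are constructed for this example; 0x08048424 is the return address from the slides.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the frame drawn on the slides: a 4-byte buffer at EBP-4, the saved
 * EBP at EBP and the return address at EBP+4, laid out contiguously. The names
 * and the saved-EBP value are constructed for this example. */
struct frame {
    char     buf[4];     /* EBP-4 .. EBP-1 */
    uint32_t saved_ebp;  /* EBP   .. EBP+3 */
    uint32_t ret_addr;   /* EBP+4 .. EBP+7 */
};
_Static_assert(sizeof(struct frame) == 12, "frame must be contiguous, no padding");

#define ORIG_EBP 0xBFFFF3C8u  /* constructed "some valid address" */
#define ORIG_RET 0x08048424u  /* return address shown on the slides */

enum reach { REACH_BUF = 0, REACH_EBP = 1, REACH_RET = 2 };

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->saved_ebp = ORIG_EBP;
    f->ret_addr = ORIG_RET;
}

/* gets()-style write: every input byte plus the terminating NUL goes into the
 * frame starting at buf[0], with no bound. Bytes past buf[3] land in saved_ebp
 * and then in ret_addr. The copy is capped at the model's size only so that
 * this demonstration itself stays in bounds; real gets() has no cap at all. */
static size_t unbounded_read(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, input, n);
    return n;
}

/* fgets()-style write: at most sizeof buf - 1 characters, always NUL-terminated.
 * Longer input is truncated instead of spilling into the neighbouring slots. */
static size_t bounded_read(struct frame *f, const char *input) {
    size_t n = strlen(input);
    if (n > sizeof f->buf - 1) n = sizeof f->buf - 1;
    memcpy(f->buf, input, n);
    f->buf[n] = '\0';
    return n + 1;
}

/* Deepest slot that a write changed. */
static enum reach reached(const struct frame *f) {
    if (f->ret_addr != ORIG_RET) return REACH_RET;
    if (f->saved_ebp != ORIG_EBP) return REACH_EBP;
    return REACH_BUF;
}

static struct frame run(const char *input, int bounded) {
    struct frame f;
    frame_init(&f);
    if (bounded) bounded_read(&f, input); else unbounded_read(&f, input);
    return f;
}

static enum reach run_case(const char *input, int bounded) {
    struct frame f = run(input, bounded);
    return reached(&f);
}
static uint32_t saved_ebp_after(const char *input) { return run(input, 0).saved_ebp; }
static uint32_t ret_addr_after(const char *input)  { return run(input, 0).ret_addr; }

int main(void) {
    const char *inputs[] = { "123", "1234", "1234567", "12345678" };
    const char *names[] = { "buf only", "saved EBP", "return address" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct frame f = run(inputs[i], 0);
        printf("gets  \"%-8s\" -> saved_ebp=0x%08X ret_addr=0x%08X reached: %s\n",
               inputs[i], (unsigned)f.saved_ebp, (unsigned)f.ret_addr, names[reached(&f)]);
    }
    struct frame g = run("12345678", 1);
    printf("fgets \"%-8s\" -> buf=\"%s\" saved_ebp=0x%08X ret_addr=0x%08X reached: %s\n",
           "12345678", g.buf, (unsigned)g.saved_ebp, (unsigned)g.ret_addr, names[reached(&g)]);
    return 0;
}
```

Running it reproduces the slide sequence: "123" stays inside buf, "1234" puts its NUL into the saved EBP, "1234567" leaves the saved EBP as 0x00373635, and "12345678" sets the saved EBP to 0x38373635 and zeroes the low byte of the return address. The bounded variant fed the same "12345678" keeps only "123" and leaves both control slots intact, which is the whole reason a length-checked read (fgets with sizeof buf, or an equivalent bound) is the fix for this class of bug.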