http://5d4a.wordpress.com/2010/08/02/sm ... k-in-2010/
Many years have passed since the Aleph One article. This is true, and fortunately we have had a lot of papers dealing with buffer overflows and all their related issues in these 14 years. For example, Peter Van Eeckhoutte has recently written the famous “exploit writing tutorials”, which cover all aspects of exploiting a Windows system, including the countermeasures introduced from XP SP2 onwards. On the other side we are observing all the new techniques introduced to circumvent these kinds of protections; see for example the last Black Hat USA, in which Dino Dai Zovi explains return-oriented exploitation techniques to bypass DEP, or the last Black Hat DC, where Dionysus Blazakis presented his innovative talk “Interpreter exploitation: pointer inference and JIT spraying” to defeat ASLR and DEP. Speaking about Linux systems, all the underground groups have written at least one tutorial or how-to explaining the secrets of this kind of memory corruption vulnerability; of course the best ones are in Phrack Magazine. Googling, I have become aware of a problem: reading all these documents, it is hard to find tutorials/papers in which
* the BOF issue in Linux and Windows is covered from A to Z
* its countermeasures are described in detail
This is my humble opinion; maybe this kind of paper exists and I’m too lame at using Google :)
After this boring introduction (sorry for my poor English), it’s time to understand what “Smashing the stack in 2010” means. The project was born to pass the Computer Security exam at the Politecnico di Torino, and the idea behind this report is quite simple: study and document the buffer overflow protections recently introduced in compilers and in OSes like GNU/Linux and Windows (eventually 7), following these steps:
* background: read papers and test sample code
* understand why the exploits in the Aleph One paper do not work on new OSes
* try, if it is possible, to trick the countermeasures
* document the results with practical examples
Together with my classmate Andrea Cugliari, I have tried to write a step-by-step guide covering in a single paper all the aspects related to buffer overflows and their protection mechanisms in both Windows and Linux.
Thanks to Giovanni, our tutor, for his precious advice about coding and LaTeX!
Now let’s look at the ToC:
I Introduction and Theoretical Background
1 Theoretical Background
1.1 Processes and memory layout in x86
1.2 Registers, Pointers and Assembler
1.3 Stack layout in x86
1.4 Function call and termination
1.5 Buffer Overflow issue
1.6 Shellcodes
II Hands on Linux
2 Setup Testbed environment
3 Linux buffer overflow 101
3.1 How to change the flow of execution
3.2 How to spawn a Shell
3.3 Polite exit from a process: exit system call
3.4 Write an exploit
4 Protections against buffer overflow
4.1 Programmers protections
4.2 System default protections
4.2.1 Address Space Layout Randomization (ASLR)
4.2.2 Stack Execute Invalidation (NX bit)
4.3 Compiler and linker protections
4.3.1 StackShield (Optional)
4.3.2 StackGuard (Optional)
4.3.3 Stack Smashing Protector – ProPolice (Default installed)
4.3.4 Run time checks
4.4 Protections in a practical scenario
4.5 Combined Tricks in a future scenario
III Hands on Windows
5 Setup Testbed environment
6 Windows buffer overflow 101
6.1 How to change the flow of execution
6.2 How to spawn a shell
6.3 ExitProcess system call
6.4 Write an exploit
7 Protections against buffer overflow
7.1 Buffer Security Check – /GS
7.2 /SafeSEH
7.2.1 /GS & /SafeSEH possible tricks
7.3 Address Space Layout Randomization (ASLR)
7.3.1 Address Space Layout Randomization (ASLR) possible tricks
7.4 Data Execution Prevention (DEP)
7.4.1 Data Execution Prevention (DEP) possible tricks
7.5 Runtime Checks
7.6 Results
7.7 Today, tomorrow, the future
7.8 Conclusions