overflow-basic

typical buffer overflow pattern

  • cause program to write past the end of a buffer
  • that somehow causes different code to run
  • (usually code the attacker wrote)

why buffer overflows?

  • for a long time, most common vulnerability
  • common results in arbitrary code execution
  • related to other memory-management vulnerabilities
    • which usually also result in arbitrary code execution

network worms and overflows

  • worms that connect to vulnerable servers:
  • Morris worm included some buffer overflow exploits
    • Morris worm: first self-replicating malware
    • in mail servers, user info servers
  • 2001: Code Red worm that spread to web servers (running Microsoft IIS)

overflows without servers

  • bugs dealing with corrupt files:
  • Adobe Flash (web browser plugin)
  • PDF readers
  • web browser JavaScript engines
  • image viewers
  • movie viewers
  • decompression programs

simpler overflow

int giveQuiz() {
    int score = 0;
    char buffer[100];
    for (int i = 0; i < NUM_QUESTIONS; ++i) {
        gets(buffer);
        if (checkAnswer(buffer, &questions[i])) {
            score += 1;
        }
    }
    return score;
}

going out of bounds of buffer might modify score

simpler overflow: stack

the stack has (value at highest address first): return address for giveQuiz, 4-byte score (initially 0); 100-byte buffer; return address for gets

after 103 as are input, the buffer contains 100 of the a's, and the score contains the bytes (in hex) 61 61 61 00.

exercise: stack layout

GradeAssignment:
  pushq   %rbp
  pushq   %rbx
  xorl    %ebx, %ebx
  subq    $72, %rsp
  leaq    8(%rsp), %rbp
for_loop:
  movq    %rbp, %rdi
  call    gets
  movl    %ebx, %esi
  movq    %rbp, %rdi
  call    GradeAnswer
  leaq    24(%rsp), %rdi
  movl    %eax, (%rdi,%rbx,4)
  incq    %rbx
  cmpq    $10, %rbx
  jne     for_loop
  call    Process
  ...
int GradeAssignment(FILE *in) {
  int scores[10]; char buffer[16];
  for (int i = 0; i < 10; ++i) {
    gets(buffer);
    scores[i] =
        GradeAnswer(buffer, i);
  }
  Process(scores);
}

how many bytes after buffer[0] is first byte of scores[0]?

16

exercise: overflow?

GradeAssignment:
  pushq   %rbp
  pushq   %rbx
  xorl    %ebx, %ebx
  subq    $72, %rsp
  leaq    8(%rsp), %rbp
for_loop:
  movq    %rbp, %rdi
  call    gets
  movl    %ebx, %esi
  movq    %rbp, %rdi
  call    GradeAnswer
  leaq    24(%rsp), %rdi
  movl    %eax, (%rdi,%rbx,4)
  incq    %rbx
  cmpq    $10, %rbx
  jne     for_loop
  call    Process
  ...
int GradeAssignment(FILE *in) {
  int scores[10]; char buffer[16];
  for (int i = 0; i < 10; ++i) {
    gets(buffer);
    scores[i] =
        GradeAnswer(buffer, i);
  }
  Process(scores);
}

if input into buffer is 50 copies of the character ‘1’, then scores[0] will be ___?

0x31313131