Smashing the stack in 2010

Many years have passed since the AlephOne article. This is true and fortunately we have a lot of papers dealing with buffer overflows and all its related issues in these 14 years. For example recently Peter Van Eeckhoutte has written the famous “exploit writing tutorials” that covers all aspects to exploit a Windows systems, considering also the countermeasures introduced from XP SP2. On the other side we are observing all the new tecniques introduced to circumvent these kind of protections, see for example the last Black Hat USA in which Dino Dai Zovi explains return-oriented exploitation techniques to bypass DEP or the last Black Hat DC where Dionysus Blazakis has presented his innovative talk “Interpreter exploitation: pointer interfence and JIT spraying” to defeat ASLR and DEP. Speaking about linux systems all the underground groups have written at least one tutorial or how-to explaining the secrets of this kind of memory corruption vulnerabilities, of course the best ones are on Phrack Megazine. Googling I have become aware of a problem, in fact reading all these documents it is hard to find tutorials/papers in which

  • it is covered the BOF issue in Linux and Windows from A to Z
  • its countermeasures are described in detail

this is my humble opinion, maybe this kind of paper exists and i’m too lame using google :)

After this boring introduction, sorry for my poor english, it’s time to understand what means “Smashing the stack in 2010″. The project is born to pass Computer Security exam at the Politecnico di Torino and the idea behind this report is quite simple: study and document buffer overflows protections recently introduced in compilers and OS like GNU/Linux and Windows (eventually 7) following these steps:

  • background: read papers and test sample code
  • understand why exploits in Aleph One paper do not work with new OS
  • try, if it is possible, to trick the countermeasures
  • document the results with practical examples

I with my classmate Andrea Cugliari have tried to write a step by step guide covering in an unique paper all the aspects related to buffer overflows and their protection mechanisms both in Windows and Linux OS.

Thanks to Giovanni, our tutor, to his preciuos advices about coding and latex!

Now let’s look at the toc:

Introduction and Theoretical Background
1 Theoretical Background
1.1 Processes and memory layout in x86 . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Registers, Pointers and Assembler . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Stack layout in x86 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4 Function call and termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.5 Buffer Overflow issue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

1.6 Shellcodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

II Hands on Linux

2 Setup Testbed environment 21
3 Linux buffer overflow 101 22
3.1 How to change the flow of execution . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.2 How to spawn a Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.3 Polite exit from a process: exit system call . . . . . . . . . . . . . . . . . . . . . 30
3.4 Write an exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4 Protections against buffer overflow…………………………….35
4.1 Programmers protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

4.2 System default protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

4.2.1 Address Space Layout Randomization (ASLR) . . . . . . . . . . . . . . . 36

4.2.2 Stack Execute Invalidation (NX bit) . . . . . . . . . . . . . . . . . . . . 39
4.3 Compiler and linker protections . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.3.1 StackShield (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.3.2 StackGuard (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
4.3.3 Stack Smashing Protector – ProPolice (Default installed) . . . . . . . . . 43
4.3.4 Run time checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
4.4 Protections in a practical scenario . . . . . . . . . . . . . . . . . . . . . . . . . . 44
4.5 Combined Tricks in a future scenario . . . . . . . . . . . . . . . . . . . . . . . . 45
III Hands on Windows 47

5 Setup Testbed environment 47
6 Windows buffer overflow 101 48
6.1 How to change the flow of execution . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.2 How to spawn a shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.3 ExitProcess system call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.4 Write an exploit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
7 Protections against buffer overflow …………………………….  60
7.1 Buffer Security Check – /GS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
7.2 /SafeSEH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
7.2.1  /GS & /SafeSEH possible tricks . . . . . . . . . . . . . . . . . . . . . . . 63
7.3 Address Space Layout Randomization (ASLR) . . . . . . . . . . . . . . . . . . . 64
7.3.1 Address Space Layout Randomization (ASLR) possible tricks . . . . . . 66
7.4 Data Execution Prevention (DEP) . . . . . . . . . . . . . . . . . . . . . . . . . 66
7.4.1 Data Execution Prevention (DEP) possible tricks . . . . . . . . . . . . . 68
7.5 Runtime Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
7.6 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
7.7 Today, tomorrow, the future . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7.8 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

In order to read the full paper:  Smashing the stack in 2010 (old version please read the post: http://5d4a.wordpress.com/2010/10/13/my-smashing-improved/ , anyway to download the new report: Smahing the stack in 2010 (improved)).

feel free to contact me to point out errors or to send me a feedback.

Happy hacking,

emdel

About these ads

Tags: , , , ,

26 responses to “Smashing the stack in 2010”

  1. gain says :

    interesting… I’ll print it and read on holidays… :)
    wants to read the AlephOne article too, but can’t find it…
    can you link it to me, please?

  2. rat says :

    good work mate ;]

  3. nobody1 says :

    good work !

    might want to add this link to your collection :

    http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/

    • 5d4a says :

      Hi nobody1! Thanks for the feedback as soon as possibile I’ll recompile the tex file i’ll update the bibliography :) Please notice that at the beginning of this post i’ve cited “the famous exploit writing tutorials” written by Peter.

      Best regards,

      emdel

  4. M3h says :

    Awesome Paper! another awesome feed has been added to sickurity

  5. Emmanuel says :

    Hi all,

    In fact, you can deactivate the ASLR without administrator’s rights just for one process to try to exploit your own vulnerabilities.

    For example, this command start a shell in which you can run any process (except setuid processes) without ASLR: setarch `uname -m` –addr-no-randomize /bin/sh

    Or, for short: setarch `uname -m` -R /bin/sh

    This is extremely useful to experiment things.

  6. Mr A says :

    Hi there! Thanks a lot for sharing your knowledge and finding! I would really love to read your article. While trying to download it by clicking on the link you provided to download the article, it says I’m forbidden to retrieve the document. Did I miss out anything while trying to download the article? How can I get the article? Thanks!

  7. chal61 says :

    Nice paper, you did a good work!

  8. billy12 says :

    Thank you very much.It’s just an awesome piece of information for someone not so well qualified, like me.Great effort!

  9. cody says :

    bro 5d4a … I like to read the paper so much and also interested too but I can’t get any of your link for the main paper of “Smashing the stack in 2010″..please give me an updated link.

  10. Hacking Laboratory says :

    Can I simply just say what a comfort to find someone that truly knows what they’re discussing on the net. You definitely understand how to bring an issue to light and make it important. A lot more people really need to read this and understand this side of your story. I was surprised that you are not more popular since you definitely have the gift.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: