Slide 26 Smashing the Stack (Fudan University School of Software, LiJT)
• What happens if the buffer overflows?
  – On the stack (low addresses at the bottom, high at the top) the buffer sits below the locals a and b and the saved return address ret, with SP pointing at the buffer
  – Writing past the end of the buffer runs up over a, b and ret
• Program "returns" to the wrong location
• A crash is likely
Slide 27 Smashing the Stack
• Trudy has a better idea
  – Same stack layout: buffer, then a, b and ret
  – The overflow fills the buffer with evil code and overwrites ret with the address of that code
• Code injection
• Trudy can run code of her choosing!
Slide 28 Smashing the Stack
• Trudy may not know
  – The address of the evil code
  – The location of ret on the stack
• Solutions
  – Precede the evil code with a NOP "landing pad" (a run of NOPs, so any jump into the pad slides down into the code)
  – Insert lots of new ret values (copies of the guessed address), so that whichever one overwrites the real ret points into the pad
Slide 29 Stack Smashing Summary
• A buffer overflow must exist in the code
• Not all buffer overflows are exploitable
  – Things must line up just right
• If exploitable, the attacker can inject code
• Trial and error likely required
  – Lots of help available online
  – "Smashing the Stack for Fun and Profit", Aleph One
• Also heap overflow, integer overflow, etc.
• Stack smashing is the "attack of the decade"
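The frame the slides draw, as an added example that is not part of the lecture material: the buffer and the saved return address are modelled inside one byte array (a constructed stand-in for the real stack frame, which the compiler lays out), so the unchecked copy's effect on ret can be observed without crashing anything, next to the bounded copy that fixes it. GOOD_RET and the inputs are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the slides' frame: a 16-byte buffer with the saved
 * return address (ret) stored directly above it. A real frame is laid out by
 * the compiler; this array only makes the adjacency explicit and keeps the
 * demonstration inside defined behaviour. */
#define BUF_SIZE 16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))
#define GOOD_RET 0x00401234ULL   /* placeholder return address, not a real one */

/* Copies input into the buffer the way an unchecked strcpy would: up to the
 * terminator, never comparing against BUF_SIZE. With bounded != 0 the copy is
 * first clipped to BUF_SIZE - 1 bytes, which is the fix (what a correct
 * strncpy/snprintf with the buffer size achieves). Returns ret after the copy
 * so the caller can see whether it survived. */
uint64_t saved_ret_after_copy(const char *input, int bounded) {
    unsigned char frame[FRAME_SIZE];
    uint64_t ret = GOOD_RET;
    memcpy(frame + BUF_SIZE, &ret, sizeof ret);   /* ret sits above the buffer */

    size_t n = strlen(input);
    if (bounded && n > BUF_SIZE - 1)
        n = BUF_SIZE - 1;                          /* leave room for the NUL */
    if (n > FRAME_SIZE - 1)
        n = FRAME_SIZE - 1;                        /* edge of the model; the real bug keeps writing */

    memcpy(frame, input, n);                       /* the overflow: n >= BUF_SIZE reaches ret */
    frame[n] = '\0';

    memcpy(&ret, frame + BUF_SIZE, sizeof ret);
    return ret;
}

/* Does the saved return address survive this input? 1 = intact, 0 = overwritten. */
int ret_intact(const char *input, int bounded) {
    return saved_ret_after_copy(input, bounded) == GOOD_RET;
}

int main(void) {
    const char *short_in = "1234";                              /* constructed input */
    const char *long_in  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes, > BUF_SIZE */
    printf("short, unchecked: ret %s\n", ret_intact(short_in, 0) ? "intact" : "overwritten");
    printf("long,  unchecked: ret %s\n", ret_intact(long_in, 0) ? "intact" : "overwritten");
    printf("long,  bounded:   ret %s\n", ret_intact(long_in, 1) ? "intact" : "overwritten");
    return 0;
}
```

Only the unchecked copy of the long input changes ret; the same input through the bounded copy leaves it untouched, which is the whole difference between the vulnerable and the fixed program.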
Slide 30 Stack Smashing Example
• Program asks for a serial number that the attacker does not know
• Attacker does not have the source code
• Attacker does have the executable (exe)
• Program quits on an incorrect serial number
[Screenshot: Command Prompt in C:\Documents and Settings\Administrator\Desktop\programs\sre\Release, running bo; the program prints "Enter Serial Number", a wrong value is typed, and it exits back to the prompt]