Buffer Overflows with Content

  • Published on
    14-Feb-2017

Transcript

Slide 1: Buffer Overflows with Content

Slide 2: A Process Stack

Slide 3: Buffer Overflow
  • Common techniques employed in buffer overflow exploits to create backdoors:
    - Execution of additional network services via the INETD daemon
    - The addition of new users to a system
    - Establishing a trust relationship between the victim machine and the attacker's machine

Slide 4: Example - AMD Buffer Overflow
  • Port 2222 is a rootshell left by the AMD exploit

Slide 5: Detecting Buffer Overflows by Protocol Signatures
  • Protocol signature: look for anomalous traffic, such as remote traffic targeted at facilities that should not be accessible to a remote user, e.g. a remote user trying to connect to the Portmapper process
  • Payload signature: No-OP instructions used to pad the exploit code
  • Script signatures
  • Abnormal user data and responses

Slide 6: IMAP Buffer Overflow

Slide 7: IMAP Buffer Overflow Cont

Slide 8: IMAP Buffer Overflow Cont

Slide 9: IMAP Buffer Overflow Cont
  • Command strings visible in the capture:
    - ls a
    - echo + + > /.rhosts

Slide 10: NO-OP Hex Code Based on Processor Type

Slide 11: Script Signatures NO-OP Overflow

Slide 12: Script Signatures NO-OP Overflow Cont

Slide 13: Script Signatures NO-OP Overflow Cont
  • This frame shows a large number of hex 90s followed by some machine code, some ASCII strings, and a literal command /bin/sh -c

Slide 14: Abnormal Responses
  • FTP Authentication Buffer Overflow (FTPD exploit)
  • The password supplied in response to the FTPD prompt is suspiciously large

Slide 15: Defending Against Buffer Overflows
  • strcpy and strncpy
  • Introduce bounds checking into C programs
  • Stack-based buffer overflow: the CPU executes code that is resident on the stack
  • Only code in the code space should be executable

Slide 16: Fragmentation

Slide 17: Fragmentation
  • Attackers can use fragmentation to mask their probes and exploits
  • The fragment offset is specified as a quantity of 8-byte chunks
  • The size of all legal nonterminal fragments must be a multiple of 8 bytes
  • Every fragment of a datagram except the last one therefore has a byte size divisible by 8

Slide 18: Boink Attack
  • The IP stack has no concept of negative math
  • Availability DoS

Slide 19: Teardrop Attack

Slide 20: evilPing

Slide 21: evilPing

Slide 22: Modified Ping of Death

Slide 23: Modified Ping of Death

Slide 24: CGI Scan
  • The attacker is running a script that attempts a number of Web server exploits, such as /cgi-bin/rwwwshell.pl

Slide 25: CGI Scan Cont

Slide 26: PHF Attack
  • CVE-1999-0067

Slide 27: Some Example CGI CVE Entries
  • CVE-1999-0068: CGI PHP mylog script allows an attacker to read any file on the target server.
  • CVE-1999-0467: The Webcom CGI Guestbook programs wguest.exe and rguest.exe allow a remote attacker to read arbitrary files using the "template" parameter.
  • CVE-1999-0509: Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands.

Slide 28: SGI IRIX Object Server
  • CVE-2000-0245: a vulnerability in an SGI IRIX object server daemon allows remote attackers to create user accounts
  • Port 5135: the SGI object server
  • Scan one, to goodguy-a.com, yields nothing

Slide 29: SGI Object Server Cont
  • The scan to goodguy-b.com is a bust

Slide 30: SGI Object Server Cont
  • The start of the bad guy
  • The user zippy is added
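The fragmentation rules from slides 17 to 19 (offsets counted in 8-byte units, nonterminal fragments a multiple of 8 bytes, and overlapping fragments that make reassembly code compute a negative length, as in Boink and Teardrop) can be turned into a simple sensor check. The following Python is an added example, not part of the original deck; the packets it inspects are constructed in-line with a placeholder 10.0.0.1 -> 10.0.0.2 header and a zero checksum.

```python
import struct

def parse_ipv4_header(pkt: bytes) -> dict:
    """Pull the fields a fragment check needs out of a raw IPv4 header."""
    vihl, _tos, total_len, ident, frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (vihl & 0x0F) * 4                    # header length in bytes
    return {
        "id": ident,
        "mf": bool(frag & 0x2000),             # More Fragments flag
        "offset": (frag & 0x1FFF) * 8,         # 13-bit field counted in 8-byte units
        "payload_len": total_len - ihl,        # bytes of data carried by this fragment
    }

def check_fragment_group(fragments) -> list:
    """Return findings for the fragments of one datagram (same IP id)."""
    findings = []
    frags = sorted((parse_ipv4_header(p) for p in fragments), key=lambda f: f["offset"])
    for f in frags:
        # Rule from the deck: every nonterminal fragment must be a multiple of 8 bytes.
        if f["mf"] and f["payload_len"] % 8 != 0:
            findings.append(f"nonterminal fragment at offset {f['offset']} has "
                            f"length {f['payload_len']}, not a multiple of 8")
    for prev, cur in zip(frags, frags[1:]):
        # Teardrop/Boink style: the next fragment starts inside the previous one, so a
        # naive reassembler computes a negative remaining length.
        prev_end = prev["offset"] + prev["payload_len"]
        if cur["offset"] < prev_end:
            findings.append(f"fragment at offset {cur['offset']} overlaps previous "
                            f"fragment ending at byte {prev_end}")
    return findings

def make_fragment(ident: int, offset_bytes: int, mf: bool, payload_len: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header (UDP, checksum left 0) plus filler bytes."""
    frag_field = (0x2000 if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, frag_field,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"A" * payload_len

if __name__ == "__main__":
    normal = [make_fragment(1, 0, True, 24), make_fragment(1, 24, False, 10)]
    overlap = [make_fragment(2, 0, True, 40), make_fragment(2, 24, False, 10)]
    short = [make_fragment(3, 0, True, 20), make_fragment(3, 24, False, 4)]
    for name, group in (("normal", normal), ("overlap", overlap), ("short", short)):
        print(name, check_fragment_group(group) or "ok")
```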