Buffer Overflow and Steganography Determine the conditions for a buffer overflow

Question

Buffer Overflow and Steganography Determine the conditions for a buffer overflow to occur and use Steganography to demonstrate the manner to hide messages within a picture or other media. Given the program below: *include include void foo (int a, int b, int c) int tmp: a-2 int main (int argc, charaqvi]) int pass -0s char buffis): foo (3,4,5) printf("in Enter the password: n") gets (buff): if (stremp (buff, "testpilot")) prints ("in Wrong Password in): else printf ("in Correct Password n"): pass -1: if (pass) /* Nov. Give root or admin rights to user+/ printf (IAn Root privileges given to the user ")z return 0:

Explanation / Answer

DEP AND ASLR:

Address Space Layout Randomisation (ASLR) is an innovation used to help keep shellcode from being effective. It does this by haphazardly counterbalancing the area of modules and sure in-memory structures. Information Execution Prevention (DEP) keeps certain memory areas, e.g. the stack, from being executed. At the point when joined it turns out to be exceedingly hard to misuse vulnerabilities in applications utilizing shellcode or return-situated programming (ROP) procedures.

To begin with, we should take a gander at how a typical weakness may be abused. We'll avoid every one of the points of interest, however allows simply say we're utilizing a stack support flood defenselessness. We've stacked a major blob of 0x41414141 qualities into our payload, and eip has been set to 0x41414141, so we know it's exploitable. We've then gone and utilized a suitable apparatus (e.g. Metasploit's pattern_create.rb) to find the counterbalance of the esteem being stacked into eip. This is the begin counterbalance of our endeavor code. To confirm, we stack 0x41 preceding this counterbalance, 0x42424242 at the balance, and 0x43 after the balance.

In a non-ASLR and non-DEP process, the stack address is the same each time we run the procedure. We know precisely where it is in memory. Along these lines, how about we see what the stack looks like with the test information we depicted previously:

stack addr | esteem

- + -

000ff6a0 | 43434342

000ff6a4 | 43434342

000ff6a8 | 43434342

000ff6aa | 43434342

>000ff6b0 | 43434343 > esp focuses here

000ff6b4 | 43434344

000ff6b8 | 43434344

As should be obvious, esp focuses to 000ff6b0, which has been set to 0x42424242. The qualities before this are 0x41 and the qualities after are 0x43, as we said they ought to be. We currently realize that the location put away at 000ff6b0 will be bounced to. Along these lines, we set it to the location of some memory that we can control:

stack addr | esteem

- + -

000ff6a0 | 43434342

000ff6a4 | 43434342

000ff6a8 | 43434342

000ff6aa | 43434342

>000ff6b0 | 000ff6b4

000ff6b4 | cccccccc

000ff6b8 | 43434344

We've set the incentive at 000ff6b0 to such an extent that eip will be set to 000ff6b4 - the following balance in the stack. This will make 0xcc be executed, which is an int3 guidance. Since int3 is a product hinder breakpoint, it'll raise an exemption and the debugger will end. This enables us to check that the endeavor was fruitful.

> Break guidance special case - code 80000003 (first possibility)

[snip]

eip=000ff6b4

Presently we can supplant the memory at 000ff6b4 with shellcode, by changing our payload. This closes our adventure.

So as to keep these endeavors from being fruitful, Data Execution Prevention was produced. DEP powers certain structures, including the stack, to be set apart as non-executable. This is made more grounded by CPU bolster with the No-Execute (NX) bit, otherwise called the XD bit, EVP bit, or XN bit, which enables the CPU to implement execution rights at the equipment level. DEP was presented in Linux in 2004 (portion 2.6.8), and Microsoft presented it in 2004 as a feature of WinXP SP2. Apple included DEP bolster when they moved to the x86 engineering in 2006. With DEP empowered, our past endeavor won't work:

> Access infringement - code c0000005 (!!! additional opportunity !!!)

[snip]

eip=000ff6b4

This comes up short in light of the fact that the stack is set apart as non-executable, and we've attempted to execute it. To get around this, a strategy called Return-Oriented Programming (ROP) was created. This includes searching for little scraps of code, called ROP devices, in genuine modules inside the procedure. These devices comprise of at least one directions, trailed by an arrival. Anchoring these together with suitable qualities in the stack takes into consideration code to be executed.

To start with, how about we take a gander at how our stack looks at the present time:

stack addr | esteem

- + -

000ff6a0 | 43434342

000ff6a4 | 43434342

000ff6a8 | 43434342

000ff6aa | 43434342

>000ff6b0 | 000ff6b4

000ff6b4 | cccccccc

000ff6b8 | 43434344

We realize that we can't execute the code at 000ff6b4, so we need to locate some real code that we can use. Envision that our first errand is to get an incentive into the eax enroll. We look for a pop eax; ret blend some place in any module inside the procedure. Once we've discovered one, suppose at 00401f60, we put its location into the stack:

stack addr | esteem

- + -

000ff6a0 | 43434342

000ff6a4 | 43434342

000ff6a8 | 43434342

000ff6aa | 43434342

>000ff6b0 | 00401f60

000ff6b4 | cccccccc

000ff6b8 | 43434344

At the point when this shellcode is executed, we'll get an entrance infringement once more:

> Access infringement - code c0000005 (!!! additional opportunity !!!)

eax=cccccccc ebx=01020304 ecx=7abcdef0 edx=00000000 esi=7777f000 edi=0000f0f1

eip=43434344 esp=000ff6ba ebp=000ff6ff

The CPU has now done the accompanying:

Hopped to the pop eax guidance at 00401f60.

Popped cccccccc off the stack, into eax.

Executed the ret, popping 43434344 into eip.

Tossed an entrance infringement in light of the fact that 43434344 is anything but a legitimate memory address.

Presently, envision that, rather than 43434344, the incentive at 000ff6b8 was set to the location of another ROP contraption. This would imply that pop eax gets executed, at that point our next device. We can chain devices together like this. Our definitive objective is normally to discover the location of a memory security API, for example, VirtualProtect, and stamp the stack as executable. We'd then incorporate a last ROP contraption to complete a jmp esp equivilent guidance, and execute shellcode. We've effectively skirted DEP!

With a specific end goal to battle these traps, ASLR was created. ASLR includes arbitrarily balancing memory structures and module base delivers to make speculating the area of ROP devices and APIs exceptionally troublesome.

On Windows Vista and 7, ASLR randomizes the area of executables and DLLs in memory, and also the stack and piles. At the point when an executable is stacked into memory, Windows gets the processor's timestamp counter (TSC), shifts it by four spots, performs division mod 254, at that point includes 1. This number is then duplicated by 64KB, and the executable picture is stacked at this balance. This implies there are 256 conceivable areas for the executable. Since DLLs are partaken in memory crosswise over procedures, their balances are controlled by a framework wide predisposition esteem that is figured at boot. The esteem is registered as the TSC of the CPU when the MiInitializeRelocations work is first called, moved and veiled into a 8-bit esteem. This esteem is figured just once per boot.

At the point when DLLs are stacked, they go into a mutual memory locale somewhere in the range of 0x50000000 and 0x78000000. The primary DLL to be stacked is dependably ntdll.dll, which is stacked at 0x78000000 - inclination * 0x100000, where predisposition is the framework wide inclination esteem processed at boot. Since it is paltry to figure the balance of a module on the off chance that you know ntdll.dll's base location, the request in which modules are stacked is randomized as well.

At the point when strings are made, their stack base area is randomized. This is finished by discovering 32 fitting areas in memory, at that point picking one in view of the current TSC moved covered into a 5-bit esteem. Once the base location has been figured, another 9-bit esteem is gotten from the TSC to register the last stack base location. This gives a high hypothetical level of irregularity.

At last, the area of loads and stack assignments are randomized. This is figured as a 5-bit TSC-inferred esteem increased by 64KB, giving a conceivable pile scope of 00000000 to 001f0000.

At the point when these instruments are joined with DEP, we are kept from executing shellcode. This is on account of we can't execute the stack, however we likewise don't know where any of our ROP directions will be in memory. Certain traps should be possible with nop sleds to make a probabilistic endeavor, yet they are not so much fruitful and aren't constantly conceivable to make.

The best way to dependably sidestep DEP and ASLR is through a pointer spill. This is where an incentive on the stack, at a dependable area, may be utilized to find a usable capacity pointer or ROP contraption. When this is done, it is here and there conceivable to make a payload that dependably sidesteps both assurance instruments.

How they preventattacks in the system:

DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) have ended up being imperative and powerful countermeasures against the kinds of endeavors that we find in the wild today. Obviously, any helpful relief innovation will draw in investigation, and over the previous year there has been an expanding measure of research and dialog regarding the matter of bypassing DEP and ASLR [1,2]. In this blog entry we needed to invest some energy talking about the adequacy of these alleviations by giving some setting to the detour systems that have been plot in assault explore. The key focuses that ought to be detracted from this blog entry are:

DEP and ASLR are intended to expand an assailant's endeavor advancement expenses and reduction their arrival on speculation.

The mix of DEP and ASLR is exceptionally compelling at breaking the sorts of endeavors we find in the wild today, however there are conditions where they can both be circumvent.

Adventures focusing on Microsoft and outsider vulnerabilities have been made that are equipped for bypassing DEP and ASLR with regards to programs and outsider applications.

We are at present not mindful of any remote adventures that are equipped for bypassing DEP and ASLR with regards to in-box Windows administrations and different other application areas.

Learning of potential detour strategies straightforwardly illuminates our future work to enhance the heartiness and flexibility of DEP, ASLR, and our other relief advancements.

DEP viability (without ASLR)

In a past blog entry arrangement we broadly expounded on what DEP is and how it works[part 1, section 2]. In outline, the reason for DEP is to keep aggressors from having the capacity to execute information as though it were code. This prevents an assailant from having the capacity to specifically execute code from the stack, pile, and other non-code memory locales. All things considered, misuse procedures like load showering (of shellcode) or returning into the stack are not instantly conceivable.

The adequacy of DEP relies on the aggressor not having the capacity to 1) use code that is as of now executable or 2) influence the assailant's information to wind up executable (and in this manner have all the earmarks of being code). On stages without ASLR (that is, adaptations of Windows before Windows Vista), usually direct for an aggressor to discover and use code that exists in modules (DLLs and EXEs) that have been stacked at unsurprising areas in the location space of a procedure. Return-arranged programming (ROP) is maybe the most broad case of how an assailant can utilize code from stacked modules instead of (or as a venturing stone to) their shellcode [3,1]. Notwithstanding stacked modules, certain offices, (for example, Just-In-Time compilers) can enable an assailant to create executable code with in part controlled substance which empowers them to insert shellcode in generally authentic guidance streams ("JIT spraying")[2].

The way that modules stack at unsurprising locations without ASLR likewise makes it conceivable to transform the assailant's information into executable code. There are an assortment of manners by which this can be expert, however the fundamental methodology is to utilize code from stacked modules to summon framework capacities like VirtualAlloc or VirtualProtect which can be utilized to influence the assailant's information to end up executable.

Synopsis: DEP breaks misuse procedures that assailants have generally depended upon, however DEP without ASLR isn't sufficiently strong to anticipate subjective code execution much of the time.

ASLR adequacy (without DEP)

Aggressors frequently make suppositions about the location space format of a procedure when building up an adventure. For instance, assailants will by and large accept that a module will be stacked at an anticipated location or that discernable/writable memory will exist at a particular location on all PCs. ASLR is intended to break these presumptions by making the location space format of a procedure obscure to an assailant who does not have nearby access to the machine. This keeps an aggressor from having the capacity to straightforwardly and dependably use code in stacked modules.

The adequacy of ASLR depends on the aggregate of the location space design staying obscure to the assailant. Now and again memory might be mapped at unsurprising locations crosswise over PCs in spite of ASLR. This can happen when DLLs or EXEs stack at unsurprising locations since they have not selected into ASLR by means of the/DYNAMICBASE linker signal. Before Internet Explorer 8.0 it was additionally workable for assailants to constrain certain sorts of .NET modules to stack at an anticipated location with regards to the browser[6]. Assailants can likewise utilize different location space showering procedures, (for example, load splashing or JIT splashing) to put code or information at an anticipated area in the location space.

In situations where the location space is at first unusual an assailant can endeavor to find the area of certain memory districts using a location space data divulgence or through animal forcing[5]. A location space data revelation happens when an aggressor can pressure an application into releasing at least one location, (for example, the location of a capacity inside a DLL). For instance, this can happen if an aggressor can overwrite the NUL eliminator of a string and after that power the application to peruse from the string and give the yield back to the assailant [4]. The demonstration of perusing from the string will result in neighboring memory being returned up until the point when a NUL eliminator is experienced. This is only one precedent; there are numerous different structures that location space data exposures can take.

Savage driving, then again, can enable an assailant to attempt their adventure different occasions against the majority of the conceivable tends to where valuable code or information may exist until the point when they succeed. Beast constraining assaults, while conceivable now and again, are generally not pragmatic while assaulting applications on Windows in light of the fact that an inaccurate figure will make the application end. Applications that might be subjected to beast constrain assaults, (for example, Windows administrations and Internet Explorer) for the most part utilize a restart approach that is intended to keep the procedure from naturally restarting after a specific number of accidents have happened. It is anyway imperative to take note of that there are a few conditions where animal power assaults can be done on Windows, for example, while focusing on an application where the defenseless code way is contained inside a catch-all special case square.

Certain kinds of vulnerabilities can likewise make it conceivable to sidestep ASLR utilizing what is alluded to as a fractional overwrite. This system depends on an aggressor having the capacity to overwrite the low request bits of a location (which are not subject to randomization by ASLR) without bothering the higher request bits (which are randomized by ASLR).

Outline: ASLR breaks an assailant's presumptions about where code and information are situated in the location space of a procedure. ASLR can be avoided if the assailant can anticipate, find, or control the area of certain memory districts (especially DLL mappings). The nonattendance of DEP can enable an assailant to utilize load showering to put code at an anticipated area in the location space.

DEP+ASLR adequacy

In the past segments we depicted the adequacy of DEP and ASLR in confinement from each other. In actuality, DEP and ASLR are intended to be utilized in mix on Windows Vista and past. Both of these alleviations are empowered with regards to essential applications like Internet Explorer 8, Microsoft Office 2010, and in-box administrations and applications that ship with the OS. This implies assailants hoping to abuse vulnerabilities in these situations should beat the two obstructions (notwithstanding various different alleviations).

The DEP+ASLR sidestep procedures that are as of now being investigated in assault look into have fundamentally centered around distinguishing and refining strategies for bypassing ASLR. When ASLR has been skirted it is commonly direct to sidestep DEP utilizing set up systems, for example, return-arranged programming. Right now there have been various adventures which have shown that it is conceivable practically speaking to sidestep the blend of DEP+ASLR with regards to certain application areas, (for example, programs and outsider applications). These adventures have avoided ASLR using unsurprising DLL mappings, address space data exposures, or JIT showering and have skirted DEP using return-arranged programming (or some less difficult variation thereof) or JIT splashing. As a rule these adventures have depended on unsurprising mappings caused by DLLs that ship with outsider segments or by JIT assemblage capacities incorporated into non-default program modules. This implies these adventures will come up short if the required parts are not introduced.

Despite the fact that endeavors have been composed which are fit for bypassing the blend of DEP+ASLR, most by far of adventures that have been composed to date don't have such abilities and rather entirely target applications and stages that don't empower these alleviations. This certifies our position that DEP+ASLR are solid countermeasures for the sorts of assaults that we find in the wild today regardless of shortcomings in their present executions.

Outline: DEP+ASLR are best when utilized in a mix; be that as it may, their consolidated adequacy is intensely commanded by the viability of ASLR. Adventures have been produced that can sidestep DEP+ASLR with regards to programs and outsider applications. In any case, by far most of the endeavors written to date don't endeavor to sidestep the blend of DEP+ASLR

Sorry, I couldn't make all the questions in time so please post the remaining questions as a new post. Please comment below for any further queries regarding my answer

Related Questions

Navigate

• Browse (All)
• Browse B
• Subjects

---

---

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.