[Repost] Lecture notes: buffer overflows

xiaoxiao, 2021-03-06

I. A brief history of buffer overflows

1. Prerequisite knowledge

(1) Assembly language

(2) Disassembly principles and the Intel machine-instruction encoding

(3) How debuggers work

(4) Exception handling (SEH)

(5) Debugging techniques

(6) Windows API programming

2. Classification of software vulnerabilities

Logic vulnerabilities: for example race conditions.

Implementation (coding) vulnerabilities: for example buffer overflows and format string vulnerabilities.

3. History of buffer overflow exploitation

Abroad, overflow attacks were already being discussed in the early 1980s.

In 1989 Spafford published an analysis of the technical details of the overflow the Morris worm used against the BSD fingerd on VAX machines. It drew the attention of some security people to this area, but only a few took up the research, and for the public there was no material of academic value. Mudge of L0pht Heavy Industries wrote an article on how to exploit a libc/syslog buffer overflow on BSDI.

The first truly instructive article, however, appeared in 1996: Aleph One's "Smashing the Stack for Fun and Profit" in Phrack 49 described in detail the stack layout on Linux and how to overflow a stack-based buffer. Aleph One also showed how to write an exploit that spawns a shell, and gave that code the name "shellcode"; the name stuck even though it has since lost its original meaning. The method is the one we still use: compile a small C program that makes the needed system calls, extract the machine code with a debugger, and adjust that assembly as required. His code worked on x86/Linux, SPARC/Solaris and SPARC/SunOS. Inspired by Aleph One, a large number of articles appeared on the Internet explaining how to overflow a buffer and how to write the desired exploit.

In 1997 Smith consolidated the earlier articles and gave more detailed guidance on writing buffer overflow exploits for the various UNIX variants. Smith also collected shellcode for several processor architectures, including Aleph One's and shellcode for AIX and HP-UX. He discussed security properties of *NIX systems such as SUID programs, the Linux stack layout and function calls, and covered secure programming, listing the dangerous library functions and how to replace them with safer code.

Dildog of "Cult of the Dead Cow" described in detail on the Bugtraq mailing list how to exploit overflows on Windows. The biggest contribution of that article was the idea of using the stack pointer to complete the jump: the return address is overwritten with a fixed address, in the program itself or in a dynamically linked library, that holds an instruction which jumps through the stack pointer. Dildog's method sidesteps the fact that the stack position varies between processes and threads. Dildog also wrote the classic "The Tao of Windows Buffer Overflow".

The one who brought it all together was Dark Spyrit. In Phrack 55 (1999) he proposed in general terms using instructions in the system's core DLLs to take control, which moved Windows overflow exploitation a substantial step forward. Litchfield wrote simple shellcode for the Windows NT platform in 1999; he discussed in detail the process memory and stack layout of Windows NT and stack-based buffer overflows, used rasman.exe as a case study, and gave assembly code for spawning a local shell. In 1999 the w00w00 security group wrote a tutorial on heap-based buffer overflows, opening with: "Heap/BSS overflows are already quite common in today's applications, but there are very few reports." It noted that the protections of the time, such as the non-executable stack, cannot prevent heap overflows, and gave many examples.

(The above information is from Xfocus)

4. Classification of buffer overflow vulnerabilities

(1) By location: stack overflow

Heap overflow

(2) By attack vector: remote overflow

Local overflow

II. Causes of buffer overflows

1. Architecture

(1) The tension between efficiency and safety: the designs that chase performance (raw pointers, no bounds checks) are the ones with the least safety; the two pull in opposite directions.

(2) The stack is executable

On the x86 systems in common use at the time of writing, the stack pages are executable, so code injected onto the stack can run.

(3) The subroutine call convention

When a function is called, the return address is saved on the stack next to the callee's local variables, which is what makes an overrun of a local buffer dangerous.

(4) The stack grows downward (toward lower addresses) while a buffer is written upward, so an overrun of a local buffer runs into the saved frame pointer and the return address above it.

2. Program design

(1) C/C++ are relatively permissive languages. With the popularity of UNIX, C became the standard language for programming, from operating systems to application software; by the estimate given in the lecture, 80% of software was written in C/C++.

(2) Unsafe library functions, such as strcpy, strcat, strncpy and strncat (the n variants still require correct size arithmetic and do not guarantee NUL termination).

(3) Unsafe system calls and APIs in the operating system, for example vsprintf, WideCharToMultiByte and wsprintf on Windows, which write into a destination buffer whose size the caller must get right.

(4) Programmer quality and security awareness are lacking. Ordinary programmers have had no systematic training in secure programming, and there is as yet no particularly scientific method for such training.

Recommended reading: "Writing Secure Code" (Howard and LeBlanc).

III. Exploiting buffer overflow vulnerabilities

1. Technical preparation

(1) Assembly language

Assembly is the foundation of exploiting buffer overflows. It is tied to the hardware: the x86 instruction set differs from the SPARC instruction set, so the assembly languages of the two systems differ. It is also tied to the conventions of the operating system's toolchain: Windows tools use Intel syntax, while the *NIX tools traditionally use AT&T syntax.

Since much software released for Windows has no public source, analyzing a buffer overflow vulnerability usually involves disassembly: recovering the program's algorithms and data structures from the disassembly and working out the cause of the vulnerability. The technical term is reverse engineering.

Recommended disassembler: IDA Pro (the latest version at the time of writing was 4.7).

http://www.datarescue.com/

IDA Pro is an interactive disassembler that runs on Windows and *NIX. It recovers function parameters and the local variables a function uses, and can reconstruct the call relationships between functions.

(2) Debugging techniques

When debugging a vulnerability you need to watch the execution flow and the state of registers and memory in real time, and then act on what the program actually does.

Choose a debugger according to preference or the job: SoftICE, WinDbg, OllyDbg, or the debugger built into VC 6.0.

SoftICE is powerful and well suited to cracking and to analyzing the operating system, but it is awkward to use and its interface is unfriendly. WinDbg is Microsoft's debugger for both system and application software: small, powerful, with a friendly interface and good integration with the system. OllyDbg is an application-level debugger.

Breakpoint types:

a. Breakpoints on an instruction

b. Breakpoints on a memory range

c. Breakpoints on a specific interrupt

d. Breakpoints on I/O

Under Windows the most commonly used technique is to set breakpoints on API calls. It is fair to say that the key skill in exploiting vulnerabilities is debugging, and the heart of debugging is where you put the breakpoints.

For example, in exploiting the MS04-011 (LSASS) vulnerability, analysis showed that the overflowing code writes several strings to a log file, so one can guess that it calls CreateFile and WriteFile and break on those.

Another example: for the Office over-long macro name overflow, all we knew was that something went wrong when the macro name was copied. So consider the steps Word goes through: opening the file, creating a file mapping for it, and so on. After intercepting the call that opens the file, locate the macro name in memory and set a memory breakpoint on it; when the program copies the macro name the breakpoint fires, and from there we can track down the overflow point.

Of course, many professional software-security organizations use their own debuggers; Windows provides a user-mode debugging API for building them. Debugging techniques are also used for vulnerability discovery.

(3) Windows structured exception handling (SEH)

SEH is the error-handling mechanism of Windows. Windows 95, Windows 98 and Windows NT/2000 all support this reliable exception-handling method, called structured exception handling; it involves cooperation with the operating system and has direct support in the programming language. For example, the try {} catch {} syntax of C++ under MSVC is compiled down to SEH (the C-level syntax is __try/__except).

The SEH chain is a linked list; each node (an EXCEPTION_REGISTRATION record) holds a pointer to the previous node and the address of an exception handler. The head of the list is at FS:[0]; FS selects the segment holding the thread's TEB, at a 0x7Fxxxxxx address on these Windows versions, and it is writable.

Installing an SEH handler:

    push offset ErrHandler
    push fs:[0]
    mov fs:[0], esp
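Added example, not from the original lecture: a C model of the chain that the three instructions above build. The registration records, the fs:[0] head and the dispatcher's walk are simulated; the exception codes are the real Windows values 0xC0000005 (access violation) and 0xC0000094 (integer divide by zero), everything else is made up. The corrupt flag overwrites a record's handler field directly, standing in for a stack overflow that runs over the record, which is the reason this structure matters for exploitation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated EXCEPTION_REGISTRATION record: the two dwords that
 * "push offset ErrHandler / push fs:[0] / mov fs:[0], esp" leave on the stack. */
typedef struct exc_reg {
    struct exc_reg *next;                 /* previous record; NULL models 0xFFFFFFFF (end of chain) */
    int (*handler)(unsigned long code);   /* returns 1 = handled, 0 = keep searching */
} exc_reg;

static exc_reg *seh_head;                 /* models fs:[0] */
static const char *last_handler_name;

/* Same three steps as the assembly, in C. */
static void seh_install(exc_reg *rec, int (*handler)(unsigned long))
{
    rec->handler = handler;               /* push offset ErrHandler */
    rec->next = seh_head;                 /* push fs:[0] */
    seh_head = rec;                       /* mov fs:[0], esp */
}

static void seh_uninstall(void)
{
    if (seh_head) seh_head = seh_head->next;   /* pop fs:[0] on function exit */
}

/* Dispatcher: walk from fs:[0] until a handler claims the exception.
 * Returns the depth of the handler that took it, or -1 if unhandled. */
static int seh_dispatch(unsigned long code)
{
    int depth = 0;
    for (exc_reg *r = seh_head; r; r = r->next, depth++)
        if (r->handler(code)) return depth;
    return -1;                            /* the real OS would terminate the process */
}

static int outer_handler(unsigned long code)
{
    (void)code; last_handler_name = "outer"; return 1;       /* catch-all */
}
static int inner_handler(unsigned long code)
{
    last_handler_name = "inner"; return code == 0xC0000005;  /* only access violations */
}
static int attacker_handler(unsigned long code)
{
    (void)code; last_handler_name = "attacker"; return 1;    /* what an overwritten pointer reaches */
}

/* Two nested frames install handlers; optionally corrupt the inner record
 * the way an overflow past a local buffer would; raise `code`. */
int seh_demo(unsigned long code, int corrupt)
{
    exc_reg outer, inner;
    seh_head = NULL;
    seh_install(&outer, outer_handler);
    seh_install(&inner, inner_handler);
    if (corrupt)
        inner.handler = attacker_handler; /* handler field sits just past the locals on the stack */
    int depth = seh_dispatch(code);
    seh_uninstall();
    seh_uninstall();
    return depth;
}

const char *seh_last_handler(void) { return last_handler_name; }

int main(void)
{
    printf("AV, clean chain:   depth %d, %s\n", seh_demo(0xC0000005, 0), seh_last_handler());
    printf("div0, clean chain: depth %d, %s\n", seh_demo(0xC0000094, 0), seh_last_handler());
    printf("div0, corrupted:   depth %d, %s\n", seh_demo(0xC0000094, 1), seh_last_handler());
    return 0;
}
```

The walk shows why the handler pointer is a target: whoever controls the first record that claims the exception decides which code runs, and an exception is easy to provoke once the stack has been trashed.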

2. Exploiting stack overflows

Stack overflows are the easiest class of buffer overflow to exploit, and the exploitation technique is fairly generic.

The principle is to use the overflow to overwrite the return address saved by the function call, so that control is ours when the function returns.

(1) Collect data and construct the overflowing input

The first step is collecting information. The Bugtraq and CVE vulnerability lists are very useful databases. When collecting information, get hold of the most original data from the people or organization that found the bug whenever possible.

http://www.k-otik.com/bugtraq/

http://www.cve.mitre.org/cgi-bin/cVename.cgi?name=can-2004-0892

Some vulnerabilities have no detailed description; those are beyond our current ability, or beyond the current capability of the domestic security community. Next, reproduce the vulnerability according to its description: analyze the description and the other material collected in detail and trigger the bug.

When reproducing, pay attention to the operating system type, patch level and software environment: for example whether the system must be Windows 2000 or XP, whether the patch level is SP4 or below, and the version and patch level of the application.

Some language versions of the operating system do not clearly show the current patch level; it can then be obtained by other means, for example from key files such as NTDLL.DLL (version, size and modification date). In general the size of NTDLL.DLL grows with each patch.

(2) Analyze the overflow

Every vulnerability overflows differently and must be analyzed case by case. In all cases, collect the error information: the value of EIP at the crash and the reason for the fault.

For example, when analyzing the Office macro name overflow, after triggering the bug the program reports an access violation: "The instruction at 0xAAAAAAAA referenced memory at 0xBBBBBBBB. The memory could not be read." From this we can judge that the program overflowed. Analyzing 0xAAAAAAAA shows it lies in an address range that cannot contain instructions, so we then search the Word document for the binary value of 0xAAAAAAAA (usually match on the high 3 bytes, because the overflow may have landed on a valid instruction and executed a few instructions before faulting). Having found it, change it to another value and reproduce again; if the reported EIP is the new value, we have confirmed where the overflow's return address lies.

Of course the real situation can be more complex; this is only a provisional approach.

(3) Take control of the overflow and of the program flow

Because the stack location is not fixed, the addresses on the stack differ from run to run, so we cannot jump directly to a stack address. But at the moment of the overflow ESP points into the stack, into a region we control, so after the overflow we return to a "jmp esp" or "call esp" instruction and let that jump land on the shellcode.

In general the portability of a stack exploit comes down to a universal address for the jmp esp instruction. Many language versions of Windows 2000 and XP share a universal jmp esp address, but none was found for the English and Korean versions; for those two, a targeted overflow is needed.

Note the distinction between exploitable and non-exploitable overflows. Some vulnerabilities access variables that the overflow changed before the function returns, causing an error before the return is reached; those cannot be exploited this way.
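Added example (my code, not part of the original lecture): the offset-finding step from (2) and the jmp esp layout from (3), modelled in C so it runs anywhere. pattern_create and pattern_offset reproduce the "find the EIP value in the input" trick with a cyclic pattern; simulate_overflow is a deterministic byte-array model of a frame holding a 16-byte buffer, the saved EBP and the return address (a stand-in for `char buf[16]; strcpy(buf, input);`, whose real behaviour is undefined and compiler-dependent). The jmp esp address and the shellcode bytes are placeholders, not real values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cyclic pattern Aa0Aa1...: every 4-byte window is unique, so the EIP in the
 * crash dialog tells us the offset of the return address in the input. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { u, l, d };
                for (int k = 0; k < 3 && n < len; k++) out[n++] = trip[k];
            }
    out[n] = '\0';
    return n;
}

/* eip is the dword the crash reported; x86 is little-endian, so byte 0 is the low byte. */
long pattern_offset(const char *pat, size_t len, uint32_t eip)
{
    unsigned char le[4];
    for (int i = 0; i < 4; i++) le[i] = (unsigned char)(eip >> (8 * i));
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, le, 4) == 0) return (long)i;
    return -1;
}

/* Model of the vulnerable frame: buf[16] | saved EBP | return address. */
#define BUF_SIZE   16
#define RET_OFFSET (BUF_SIZE + 4)
#define FRAME_SIZE (RET_OFFSET + 4)

/* Copies input over the frame the way an unbounded strcpy would and returns
 * the dword that `ret` would pop into EIP. */
uint32_t simulate_overflow(const unsigned char *input, size_t inlen)
{
    unsigned char frame[FRAME_SIZE] = {0};
    uint32_t ret = 0x00401000;                      /* the legitimate return address */
    memcpy(frame + RET_OFFSET, &ret, 4);
    size_t n = inlen < FRAME_SIZE ? inlen : FRAME_SIZE;
    memcpy(frame, input, n);                        /* the overflowing copy */
    memcpy(&ret, frame + RET_OFFSET, 4);
    return ret;
}

/* Payload: padding up to the return address, the address of a jmp esp gadget
 * (placeholder value), then the shellcode, which is exactly where ESP points
 * after `ret` pops the gadget address. */
size_t build_payload(unsigned char *out, size_t ret_offset, uint32_t jmp_esp,
                     const unsigned char *sc, size_t sclen)
{
    memset(out, 0x90, ret_offset);                  /* nop sled / filler */
    memcpy(out + ret_offset, &jmp_esp, 4);
    memcpy(out + ret_offset + 4, sc, sclen);
    return ret_offset + 4 + sclen;
}

int main(void)
{
    char pat[64];
    size_t n = pattern_create(pat, 40);
    uint32_t eip = simulate_overflow((const unsigned char *)pat, n);   /* "crash" */
    long off = pattern_offset(pat, n, eip);
    printf("crash EIP 0x%08x -> return address at offset %ld\n", eip, off);

    const unsigned char sc[4] = { 0xCC, 0xCC, 0xCC, 0xCC };           /* placeholder: int3 x4 */
    unsigned char payload[64];
    size_t plen = build_payload(payload, (size_t)off, 0x11223344u, sc, sizeof sc);
    printf("with payload, EIP becomes 0x%08x\n", simulate_overflow(payload, plen));
    return 0;
}
```

On a real target the offset comes from the crash dialog or the debugger, and the gadget address from scanning the loaded DLLs for the bytes FF E4 (jmp esp); the portability question in the text is whether one such address exists at the same place across the language versions you need to hit.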

3. Exploiting heap overflows

Heap overflow vulnerabilities are becoming more and more common, and there is no fixed method for exploiting them. The popular approach is to exploit a heap overflow through SEH.

The heap management structure is a doubly linked list, laid out as follows:

// (diagram of the doubly linked heap structure was to be inserted here)

When a heap overflow occurs, the heap management structure is overwritten. When the system next frees or allocates, it trips over the corrupted structure; that is the heap overflow.

There are generally two ways to exploit it: one during heap free, the other during the next heap allocation.

The free path executes:

    mov [eax], ecx
    mov [ecx+4], eax

where the values of both EAX and ECX can be controlled. In effect we can write any 4-byte value to any address in the current process, and the exploit is built on that 4-byte write.

With those 4 bytes we can rewrite an entry in the export table of a commonly called function, or rewrite an SEH chain node and then exploit through SEH; the SEH route is the more effective one. The JPEG vulnerability is a heap overflow. Analysis showed that with Word as the host the JPEG environment is fixed, that is, the SEH structure is at a fixed location at the time of the overflow and ESI points to the original heap, a location we control. So the 4-byte write is used to change the SEH handler pointer to a "call [esp+48]" instruction: all registers are changed on entry to the exception dispatcher, but the original value of ESI can be found at [ESP+48].

Heap overflows are more flexible and there are many ways to exploit them, but they are generally less portable and come with more constraints.

Reference:

http://www.w00w00.org/files/articles/heaptut.txt
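Added example, not from the original: a C model of the unlink write that the two instructions above perform. Memory is a flat array indexed by 32-bit "addresses"; LIST_HEAD, FREE_CHUNK, SEH_HANDLER_SLOT and SHELLCODE_ADDR are invented addresses for the model, and the writable range stands in for a mapped heap page. It shows the benign free, the attacker-controlled free that turns into an arbitrary 4-byte write, the side-effect write the text does not mention (Blink is stored at Flink+4, so 4 bytes next to the written value get clobbered), and the fault when one of the two addresses is not writable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flat model of the process: 32-bit "addresses" index into mem[]; only
 * [WRITABLE_LO, WRITABLE_HI) is writable, like a mapped heap page. */
#define MEM_SIZE    0x1000
#define WRITABLE_LO 0x100
#define WRITABLE_HI 0x1000
static unsigned char mem[MEM_SIZE];

static int wr32(uint32_t addr, uint32_t val)
{
    if (addr < WRITABLE_LO || addr + 4 > WRITABLE_HI) return -1;   /* access violation */
    memcpy(mem + addr, &val, 4);
    return 0;
}

static uint32_t rd32(uint32_t addr)
{
    uint32_t v = 0;
    if (addr + 4 <= MEM_SIZE) memcpy(&v, mem + addr, 4);
    return v;
}

/* The free-path unlink the text quotes. A free chunk's user data starts with
 * its free-list links: Flink at +0, Blink at +4.
 *     mov ecx, [esi]      ; Flink
 *     mov eax, [esi+4]    ; Blink
 *     mov [eax], ecx      ; Blink->Flink = Flink
 *     mov [ecx+4], eax    ; Flink->Blink = Blink
 * Returns -1 if either write faults. */
int heap_unlink(uint32_t chunk)
{
    uint32_t ecx = rd32(chunk);
    uint32_t eax = rd32(chunk + 4);
    if (wr32(eax, ecx) != 0) return -1;
    if (wr32(ecx + 4, eax) != 0) return -1;
    return 0;
}

/* Constructed scenario; every address below is made up for the model. */
#define LIST_HEAD        0x100
#define FREE_CHUNK       0x200   /* its links sit right past an overflowable buffer */
#define SEH_HANDLER_SLOT 0x300   /* pretend: a function pointer the program will later call */
#define SHELLCODE_ADDR   0x400   /* pretend: where the attacker's code already sits */

void heap_setup(void)
{
    memset(mem, 0, sizeof mem);
    wr32(LIST_HEAD, FREE_CHUNK);  wr32(LIST_HEAD + 4, FREE_CHUNK);   /* head <-> chunk */
    wr32(FREE_CHUNK, LIST_HEAD);  wr32(FREE_CHUNK + 4, LIST_HEAD);
    wr32(SEH_HANDLER_SLOT, 0x00401234);                               /* legitimate handler */
}

/* Normal free: unlinking the only chunk leaves the head pointing at itself. */
uint32_t heap_benign(void)
{
    heap_setup();
    heap_unlink(FREE_CHUNK);
    return rd32(LIST_HEAD);
}

/* Overflow: the bytes past the previous chunk's buffer are this chunk's Flink/Blink,
 * so the attacker chooses Flink = value to write and Blink = where to write it.
 * Returns 0 on success and reports the new handler value and the side-effect write. */
int heap_corrupted(uint32_t *handler_now, uint32_t *clobbered)
{
    heap_setup();
    uint32_t flink = SHELLCODE_ADDR, blink = SEH_HANDLER_SLOT;
    unsigned char overflow[8];
    memcpy(overflow, &flink, 4);
    memcpy(overflow + 4, &blink, 4);
    memcpy(mem + FREE_CHUNK, overflow, sizeof overflow);   /* the overflowing copy */
    if (heap_unlink(FREE_CHUNK) != 0) return -1;           /* what the next free does */
    *handler_now = rd32(SEH_HANDLER_SLOT);                 /* now SHELLCODE_ADDR */
    *clobbered   = rd32(SHELLCODE_ADDR + 4);               /* 4 shellcode bytes overwritten with Blink */
    return 0;
}

int main(void)
{
    uint32_t h, c;
    printf("benign free: head.Flink = 0x%x\n", heap_benign());
    if (heap_corrupted(&h, &c) == 0)
        printf("corrupted free: handler slot = 0x%x, [shellcode+4] = 0x%x\n", h, c);
    return 0;
}
```

The clobbered dword is why shellcode placed at the written address usually starts with a short jump over its first bytes, and why both addresses must be writable: if the value you want to write is, say, a code address in a read-only page, the second store faults before the handler is ever invoked.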

IV. How to write shellcode

1. Write shellcode to fit the need

Write the shellcode the task requires: for example download a trojan, bind a shell to a port, return a shell (connect back), upload and execute a trojan, and so on.

2. Write shellcode in Win32 assembly

Win32 shellcode is usually written in assembly or in C. Assembly is the simpler choice for shellcode and gives more control over what the assembler emits: the assembler respects the source and does not optimize much.

First, shellcode has to locate itself. On x86, compiled code accesses its data segment with absolute addresses, so the data addresses used when the shellcode was assembled are meaningless once it runs at an unknown location on another system.

The current location of the shellcode is found with the following sequence:

    call @F
  @@:
    pop ebx
    sub ebx, offset @B

where offset @B is an address fixed at assembly time, so EBX ends up holding the difference between the run-time and assembly-time addresses; data is then accessed as [ebx + _TestData], where _TestData is likewise an assembly-time address.

Second, the shellcode must find the address of kernel32.dll in the current process, then walk the kernel32.dll export table to find the function addresses it needs.

There are many ways to find kernel32.dll. The most effective uses the TEB/PEB of the current process; another is to search the process address space starting from the shellcode's own address.

Obtaining the base address of kernel32.dll:

    assume fs:nothing
    mov eax, fs:[30h]        ; PEB
    mov eax, [eax+0Ch]       ; PEB->Ldr
    mov esi, [eax+1Ch]       ; InInitializationOrderModuleList.Flink (ntdll's entry)
    lodsd                    ; next entry: kernel32 on Windows 2000/XP
    mov edx, [eax+8]         ; DllBase, the address of kernel32.dll
    mov @hModule, edx

(This relies on kernel32.dll being the second module in initialization order. On Windows 7 and later that slot is KernelBase.dll, so shellcode written for newer systems walks the module list and matches the module name instead of trusting the position.)

Getting the addresses of GetProcAddress, LoadLibraryA and GetModuleHandleA:

Once the kernel32.dll base address is known, the function addresses are obtained by searching the DLL's export table.

For the specific method, see the example.
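Added example (not the lecture's code): the export-table walk in C, together with the ror13 name hash that shellcode commonly uses so it need not carry function-name strings. find_export_by_hash works on any PE32 image mapped at `base`, which in shellcode would be the kernel32 DllBase taken from the PEB; since no real kernel32 is available here, build_fake_image constructs a minimal stand-in image with three named exports at made-up RVAs. The layout constants, export names and RVAs are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian accessors so the code is correct regardless of host alignment rules. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* ror13 hash of an export name: rotate right 13, add the next byte. */
uint32_t ror13_hash(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++) h = ((h >> 13) | (h << 19)) + (uint8_t)*s;
    return h;
}

/* Walk IMAGE_EXPORT_DIRECTORY of a PE32 image at `base` and return the RVA of
 * the export whose name hashes to `hash`, or 0 if there is none. */
uint32_t find_export_by_hash(const uint8_t *base, uint32_t hash)
{
    uint32_t e_lfanew = rd32(base + 0x3C);                /* IMAGE_DOS_HEADER.e_lfanew */
    const uint8_t *opt = base + e_lfanew + 4 + 20;        /* skip "PE\0\0" and IMAGE_FILE_HEADER */
    if (rd16(opt) != 0x10B) return 0;                     /* PE32 magic only */
    uint32_t exp_rva = rd32(opt + 96);                    /* DataDirectory[EXPORT].VirtualAddress */
    if (exp_rva == 0) return 0;
    const uint8_t *exp = base + exp_rva;
    uint32_t n_names  = rd32(exp + 0x18);                 /* NumberOfNames */
    uint32_t funcs    = rd32(exp + 0x1C);                 /* AddressOfFunctions */
    uint32_t names    = rd32(exp + 0x20);                 /* AddressOfNames */
    uint32_t ordinals = rd32(exp + 0x24);                 /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < n_names; i++) {
        const char *name = (const char *)(base + rd32(base + names + 4 * i));
        if (ror13_hash(name) == hash) {
            uint16_t ord = rd16(base + ordinals + 2 * i); /* index into the function table */
            return rd32(base + funcs + 4 * ord);
        }
    }
    return 0;
}

/* Constructed stand-in for a DLL image (not kernel32): a flat buffer where
 * RVA == offset, holding a DOS header, PE32 headers and one export directory. */
#define IMG_SIZE 0x400
#define NT_HDR   0x80
#define EXP_DIR  0x200
#define FUNCS    0x240
#define NAMES    0x260
#define ORDS     0x280
#define STRS     0x300

static const char *const export_names[3] = { "GetProcAddress", "LoadLibraryA", "WinExec" };
static const uint16_t export_ordinals[3] = { 2, 0, 1 };             /* name i -> funcs[ordinal] */
static const uint32_t export_rvas[3]     = { 0x1100, 0x1200, 0x1000 }; /* LoadLibraryA, WinExec, GetProcAddress */

void build_fake_image(uint8_t *img)
{
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, NT_HDR);
    memcpy(img + NT_HDR, "PE\0\0", 4);
    wr16(img + NT_HDR + 24, 0x10B);                       /* OptionalHeader.Magic */
    wr32(img + NT_HDR + 24 + 96, EXP_DIR);                /* export directory RVA */
    wr32(img + EXP_DIR + 0x18, 3);                        /* NumberOfNames */
    wr32(img + EXP_DIR + 0x1C, FUNCS);
    wr32(img + EXP_DIR + 0x20, NAMES);
    wr32(img + EXP_DIR + 0x24, ORDS);
    uint32_t str = STRS;
    for (int i = 0; i < 3; i++) {
        wr32(img + FUNCS + 4 * i, export_rvas[i]);
        wr32(img + NAMES + 4 * i, str);
        wr16(img + ORDS + 2 * i, export_ordinals[i]);
        strcpy((char *)img + str, export_names[i]);
        str += (uint32_t)strlen(export_names[i]) + 1;
    }
}

int main(void)
{
    uint8_t img[IMG_SIZE];
    build_fake_image(img);
    for (int i = 0; i < 3; i++)
        printf("%-15s hash 0x%08x -> RVA 0x%x\n", export_names[i],
               ror13_hash(export_names[i]), find_export_by_hash(img, ror13_hash(export_names[i])));
    return 0;
}
```

In real shellcode the same loop runs over the kernel32 base from the PEB, the returned RVA is added to that base, and the hashes are precomputed constants so no function name appears in the payload.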

3. Extracting the shellcode from the program

After the shellcode is written it has to be extracted from the compiled program as raw bytes; after encoding, it can finally be placed in the overflowing input.

One thing to note here is that some vulnerabilities impose special requirements on the shellcode, such as no 0x00 bytes, no 0xFF bytes, and so on. The shellcode must then be encoded into bytes that satisfy the constraints, with a decoder written and placed in front of it. After the overflow the decoder runs first, restores the shellcode to normal instructions, and then executes it.

4. Things to watch when writing shellcode

When the shellcode runs, the stack has been trashed by the overflow; make sure the stack pointer is 4-byte aligned, otherwise some function calls fail in puzzling ways.

Second, reserve enough stack space for the local variables the shellcode uses.

Reference: http://www.phrack.org/show.php?p=62&a=7

V. Detecting and preventing buffer overflows

1. Preventing buffer overflows in the hardware architecture

As of this writing there is no such mechanism on x86 Windows to prevent buffer overflows. (Shortly afterwards Windows XP SP2 and Windows Server 2003 SP1 introduced DEP, which uses the processor's NX page-table bit, where the CPU supports it, to make stack and heap pages non-executable; everything in section III assumes it is absent.)

2. Preventing buffer overflows during software development

Write secure code that reduces the chance of a buffer overflow in the first place. There are tools that look for buffer overflows by analyzing the source code, for example pscan, ITS4 and Flawfinder (Flawfinder was written by David A. Wheeler; pscan itself is by Alan DeKok). Wheeler is a senior adviser at IDA (

http://www.ida.org/) specializing in software security.

IDA, the Institute for Defense Analyses, was founded in 1956 as a nonprofit that provides technical support to the US government, set up at the request of the Secretary of Defense of the time.

These source analyzers work by pattern matching: they flag calls to known-unsafe functions.
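Added example, not from the original: a minimal C implementation of the pattern-matching approach just described, in the spirit of pscan/ITS4/Flawfinder. The unsafe-function table and the advice strings are my own choices, and sample_source is constructed input; a real project's source would be read from disk and scanned the same way.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const char *advice; } unsafe_fn;
typedef struct { int line; const char *fn; const char *advice; } finding;

/* Call patterns the scanner matches, with the usual replacement. */
static const unsafe_fn unsafe_table[] = {
    { "gets",     "no bound at all; use fgets" },
    { "strcpy",   "unbounded copy; use a sized copy and terminate explicitly" },
    { "strcat",   "unbounded append; check the remaining space first" },
    { "sprintf",  "unbounded format; use snprintf / _snprintf" },
    { "vsprintf", "unbounded format; use vsnprintf / _vsnprintf" },
    { "wsprintf", "Win32 unbounded format; use StringCchPrintf" },
};
#define N_UNSAFE (sizeof unsafe_table / sizeof unsafe_table[0])

static int is_ident(int c) { return isalnum((unsigned char)c) || c == '_'; }

/* Lexical scan of C source for calls to the functions above: a whole identifier
 * (so my_strcpy does not match) followed by optional blanks and '('. Comments and
 * string literals are skipped; macros, typedefs and casts are not understood,
 * which is exactly the limitation of the pattern-matching scanners of that era.
 * Returns the number of findings written to out (at most max). */
int scan_unsafe_calls(const char *src, finding *out, int max)
{
    int count = 0, line = 1;
    const char *p = src;
    while (*p) {
        if (*p == '\n') { line++; p++; continue; }
        if (p[0] == '/' && p[1] == '/') {                     /* line comment */
            while (*p && *p != '\n') p++;
            continue;
        }
        if (p[0] == '/' && p[1] == '*') {                     /* block comment */
            p += 2;
            while (*p && !(p[0] == '*' && p[1] == '/')) { if (*p == '\n') line++; p++; }
            if (*p) p += 2;
            continue;
        }
        if (*p == '"') {                                      /* string literal */
            p++;
            while (*p && *p != '"') { if (*p == '\\' && p[1]) p++; p++; }
            if (*p) p++;
            continue;
        }
        if (!is_ident(*p)) { p++; continue; }
        const char *start = p;
        while (is_ident(*p)) p++;
        size_t len = (size_t)(p - start);
        const char *q = p;
        while (*q == ' ' || *q == '\t') q++;
        if (*q != '(') continue;                              /* not a call */
        for (size_t i = 0; i < N_UNSAFE; i++) {
            if (strlen(unsafe_table[i].name) == len &&
                memcmp(start, unsafe_table[i].name, len) == 0 && count < max) {
                out[count].line = line;
                out[count].fn = unsafe_table[i].name;
                out[count].advice = unsafe_table[i].advice;
                count++;
            }
        }
    }
    return count;
}

/* Constructed sample input (not real project code). */
const char sample_source[] =
    "#include <string.h>\n"
    "void copy(char *dst, const char *src) {\n"
    "    strcpy(dst, src);           /* line 3: unbounded */\n"
    "    my_strcpy(dst, src);        /* not in the table */\n"
    "    snprintf(dst, 16, \"%s\", src);\n"
    "    // strcat(dst, src) in a comment is skipped\n"
    "    sprintf (dst, \"%s\", src);  /* line 7 */\n"
    "}\n";

int main(void)
{
    finding f[16];
    int n = scan_unsafe_calls(sample_source, f, 16);
    for (int i = 0; i < n; i++)
        printf("line %d: %s() -- %s\n", f[i].line, f[i].fn, f[i].advice);
    return 0;
}
```

A scanner like this produces a worklist, not a verdict: every hit still needs a human to decide whether the destination size is actually checked nearby, which is why such tools are a complement to, not a substitute for, the code review the text recommends.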

3. Detecting buffer overflow attacks with an IDS or other tools

Buffer overflows can be detected by monitoring the process.

One approach uses the debug API that Windows provides: write your own debugger, attach it to the process to be monitored, watch its calls to sensitive functions, and match the observed call sequence against a finite-state automaton model; a buffer overflow is reported when the sequence drives the automaton into a forbidden state.

4. Extended topic: vulnerability discovery

Well-known sites:

http://www.phrack.org/

http://www.k-otik.com/bugtraq/


http://www.codeproject.com/

http://29a.host.sk/

Please credit the original source when reposting: https://www.9cbs.com/read-51605.html
