bufferoverflow
buffer overflow:::
what can we do with a buffer overflow
data exfiltration
information corruption
program or OS crash (denial of service)
why buffer overflows happen:::
overflow or overrun
underflow or underrun
integer overflow
local denial of service
remote denial of service
flood of n/w, n/w access, vulnerability
programs running with higher privileges have more capabilities::
open n/w ports
start command shell
reconfigure system
add user account
arbitrary code execution
information corruption
change in program flow
operational instability
abnormal termination
command and control (C&C, C2)
C&C, C2
C2 used by malware and botnets
C2 malware
how do you keep buffers from overflowing
mitigation
safeguard
programmers
system administrators
find vulnerable programs, patch them, remove them
users
countermeasures
inside process memory
process address space
inside process memory:::
code -> data -> heap -> stack
fixed and dynamic memory:::
stack and heap change size as memory is assigned
inside the stack::
stack overflow causes::
process crash
data leakage
arbitrary code execution
stack is a memory buffer
temporary data store
data may be used now or used later
queue data structure
LIFO or FIFO
push (add) and pop (remove)
the stack pointer
stack pointer (SP)
stack frames:
stack in the code:::
pointers::
a pointer is a data variable that stores a memory address.
stack pointer
frame pointer
base pointer
instruction pointer
instruction counter & program counter
registers are dedicated areas of CPU memory
Morris worm
Code Red worm
NOP or NO-OP (no operation executed)
shellcode::
shellcode can be any type of program
server (ftp, telnet, ssh, irc, http), monitor (sniffer, keylogger)
shellcode types::
port binding (bind shell)
n/w port open
reverse
open n/w connection
command execution code
file transfer
find socket
kernel space
multistage
process injection
system call proxy
Heap memory::
Heap chunk::
type of chunk
size of chunk
memory address of each chunk
memory address of next chunk
Heap overflow and overrun::
heap spray::
function pointer::
SEH: structured exception handling::
Code Red worms
finding buffer overflows::
host based security system
network security admin
n/w intrusion detection and prevention system
malware::
Code Red
Nimda
Sasser
L10n
Morris worm (1988)
fingerd (tools)
Code Blue (malware)
Code Green (malware)
Nimda (malware)
Bolgimo (malware)
SQL Slammer (malware)
Sasser (malware)
unix / linux::
L10n worm
Ramen worm
Telnetd (X.C worm)
more worms and malware::::::::
Stuxnet
Duqu
Flame
CryptoLocker
Zeus banking trojan
Heartbleed
GNU glibc
Vulnerability Databases::
cve.mitre.org (website)
nvd.nist.gov (website)
cwe.mitre.org (website)
securityfocus.com (website)
symantec.com (website)
mozilla.org vulnerability (website)
exploit websites::
exploit-db.com (website)
rapid7.com/db (website)
0day.today (website)
cxsecurity.com/exploit (website)
standard: guideline, recommendation and rules
shared rules, methods, pattern language
impl.: how to implement a standard and policy
like a standard but not official
proven to be the best solution to a problem
===================================
SEI CERT coding standard (website)
www.securecoding.cert.org (website)
OWASP (Open Web Application Security Project)
www.owasp.org (website)
===================================
OWASP top 10 web app security flaws
microsoft.com/sdl (website)
microsoft.com/twc (website)
static code analysis::
safe and unsafe functions in the C language
input sanitization to validate incorrect data
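Added example (my own code, not part of these notes): an unsafe C copy with strcpy next to a bounds-checked copy and an input validation step. The function names (copy_name_unsafe, copy_name_safe, is_valid_name, store_name, try_store) and the NAME_MAX size are my own assumptions; the sample inputs in main are constructed.

```c
/* Added example, not from the original notes: unsafe vs safe C string
 * handling plus input validation. All names here are assumed/hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

#define NAME_MAX 16   /* assumed fixed buffer size, including the terminator */

/* UNSAFE: strcpy never sees the size of dst, so any src with
 * strlen(src) >= NAME_MAX runs past the end of the buffer. Kept only for
 * contrast; it is never called with an oversized input below. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);   /* no bound check */
}

/* Portable bounded strlen: scans at most max bytes. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* SAFE: reject input that does not fit, then copy with an explicit bound.
 * Returns true on success, false (and dst = "") if src is too long. */
bool copy_name_safe(char *dst, size_t dst_len, const char *src) {
    if (dst == NULL || src == NULL || dst_len == 0) return false;
    size_t n = bounded_len(src, dst_len);   /* never reads past dst_len */
    if (n >= dst_len) {                     /* no room for the terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);                /* copies the terminator too */
    return true;
}

/* Input sanitization: accept only 1..NAME_MAX-1 ASCII letters, digits,
 * '_' and '-'. Anything else (shell metacharacters, control bytes,
 * over-long input) is rejected before it reaches the copy. */
bool is_valid_name(const char *s) {
    if (s == NULL) return false;
    size_t n = bounded_len(s, NAME_MAX);
    if (n == 0 || n >= NAME_MAX) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return false;
    }
    return true;
}

/* Validate first, then copy: the entry point a program would call. */
bool store_name(char *dst, size_t dst_len, const char *src) {
    if (!is_valid_name(src)) return false;
    return copy_name_safe(dst, dst_len, src);
}

/* Wrapper with a local NAME_MAX buffer; returns 1 if src was accepted. */
int try_store(const char *src) {
    char buf[NAME_MAX];
    return store_name(buf, sizeof buf, src) ? 1 : 0;
}

int main(void) {
    /* constructed sample inputs */
    const char *inputs[] = { "alice", "bob_42", "this-name-is-far-too-long",
                             "bad;name", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-28s -> %s\n", inputs[i],
               try_store(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The copy and the validation are separate on purpose: copy_name_safe protects the buffer even when called from elsewhere, and is_valid_name enforces the format the program actually expects.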
binary code analysis::::
bytecode analysis::
code analysis
FxCop (.NET, Microsoft Visual Studio)
Clang Static Analyzer (C, C++, Objective-C)
Infer (Java, C, Objective-C)
FindBugs (Java)
Cppcheck (C++)
binary analysis tools
should I reverse engineer::
DMCA (website) (protects s/w assets from copying, but allows security research)
Electronic Frontier Foundation (EFF.ORG) (website)
DMCA topic on eff.org
automated code analysis:::
static code:: not running as a program
dynamic code:: running in a testing env.
source code compilers::
GNU compiler (gcc.gnu.org (website))
clang (clang-analyzer.llvm.org)
Microsoft Visual Studio IDE code analysis tools
PREfast
FxCop
stand-alone static analysis tools:
tools::
buffer overflow testing tools::
OllyDbg (www.ollydbg.de)
IDA (Interactive Disassembler) - www.hex-rays.com (website)
SPIKE (immunitysec.com (website))
Metasploit (www.metasploit.com)
fuzz testing:::
resources.infosecinstitute.com (website)
reporting buffer overflows::
bug bounty (tools)
bug brokers
mitigating buffer overflows::
www.techexams.net (website)
kernel and firmware anti-BOF features
DEP - data execution prevention
ASLR - address space layout randomization
KASLR - kernel address space layout randomization
OS and kernel security configurations
host based security monitoring software
n/w based security monitoring software
detecting buffer overflows::
external buffer overflow detection:
n/w intrusion detection system::
Snort (tools)
NIDS (tools)
splunk.com (website)
local buffer overflow detection::
host layer defence
clamav.net (tools) open source antivirus
ossec.github.io (tools) website
Microsoft Enhanced Mitigation Experience Toolkit (EMET)
Windows Event Viewer (tools)
of cookies and canaries
security cookie: checked on function return to detect a change
enable compiler security extensions::
GCC StackGuard
Stack Shield
Microsoft Visual Studio buffer security check
preventing buffer overflows::
active prevention uses countermeasures to detect and mitigate threats
NIPS, HIPS, anti-malware
OSI network model
TCP/IP network model
intrusion prevention system
application firewall
proxies (inbound)
reverse proxies (outbound)
NIDS (n/w detection)
NIPS (prevention) Snort
NIPS actions:
Proxy::
proxy servers are real-time packet and session filters
help define n/w security boundaries
reverse proxy
load balancer is an example of a reverse proxy
decrypt HTTP/SSL/TLS traffic
Squid proxy (tools)
squid-cache.org (website)
Application firewalls
deep packet inspection and traffic flow analysis
web application firewall
SCP
modsecurity.org (website)
open source web application firewall (tools)
NOP sleds are not present in a good programmer's code
hiding buffer overflow attacks
DEP: data execution prevention:::
OpenBSD (unix)
setting DEP in Windows::
bcdedit.exe
DEP in unix
dmesg | grep NX
setting DEP in Ubuntu
gksudo gedit /etc/default/grub
Address space layout randomization:: ASLR
SEHOP
(structured exception handling overwrite protection)
SAFESEH::
it is an alternative protection mechanism to SEHOP
EMET (Enhanced Mitigation Experience Toolkit): Microsoft security feature configuration utility for Microsoft