Database buffer Overflow Vulnerability principle (stack)

Background

In the database system, many security vulnerabilities have been found, which are more serious and more harmful: buffer overflow and SQL injection 2 kinds.

SQL injection relies heavily on structured query languages, each with a slightly different database, and the most important threat to SQL injection exploits is the right to be raised, or a background maintainer or hacker to gain DBA authority. It should be noted that the SQL injection is not the application of SQL injection, but the database itself injection vulnerability, which is more dangerous than the application system injection vulnerability, for the existence of SQL injection vulnerability, The main reason is that the parameters of the system or user function provided in the database are not strict and the execution of the statement is defective. SQL injection vulnerabilities are not the focus of this article, but are discussed in other articles published by An Huaqin and the database Security lab.

For buffer overflow vulnerability, the risk is higher, because through buffer overflow vulnerability can not only endanger the database, but also control the operating system, the database server as a springboard, control the entire intranet system. Buffer overflow vulnerability, not only in the database system, but also in the operating system of related applications, but for the database to provide a large number of external access, firewalls, IPs and other traditions can not be banned, these attacks hidden in the database communication protocol, with greater concealment, it is difficult to prevent.

The implementation of the buffer overflow attack not only needs injecting point (injection point), but also relies on the program call mechanism of the operating system to implement; Now the operating system is stepping up defense, but attackers are always able to find ways to break This kind of breakthrough mainly relies on the shellcode writing. Buffer overflow is essentially because the operating system cannot differentiate between data and instructions, and executes the data as an instruction, resulting in unpredictable results. The An Huaqin and database Security Labs will be based on Windows XP in this article, using code to provide a schematic introduction to how buffer overflows can be leveraged to better discuss their precautionary principles in the future.

Buffer overflow

Buffer overflow simply said, is the large data into a small buffer, but not to deposit data to determine the boundary, resulting in a small buffer burst. The large data pollutes the memory near the small buffer. Contaminated memory can lead to a variety of results, such as changing program flow, capturing the operating system, and preventing access. All of the discussion below is done on Windows XP.

Buffer overflows can be divided into three main types: static data overflow, stack overflow, and heap overflow. There are three different sources of overflow from the memory structure of win, and the memory of win can be divided into two layers: physical memory and virtual memory. What we see in general is just the virtual memory of Windows. Under XP, Windows allocates 4G of memory to all processes, regardless of how big the physical memory is, and Windows divides 4G memory into code areas, data areas, heaps, and stacks. The data area stores the global variables of the process. If you use this data for a buffer overflow then it is called a static data overflow. Also using the stack and heap areas for buffer overflow is called stack overflow and heap overflow. static data Overflow Although the technical difficulty is low but the flexibility and the scope of use is low, so this article does not introduce. Heap overflow is relatively complex and will be introduced in other articles. This article describes a stack overflow under windows and wants to know how the stack overflow under Windows is exploited, first understanding the stack structure under Windows.

Stack structure

To make it clear that the stack structure under Windows is straightforward. We construct a piece of code to see. This code will complete 3 tasks

1. Show the structure of win next stack

2. Demo buffer overflow change function control flow

3. Demo buffer overflow overwrite return address (hijacking function)

The following program contains a main function, main, and a second child function, Re_choose. The Re_choose function is used to compare the input string obtained from the main function with the stored string Liusicheng. Returns 0 if the input string is the same as the stored string. If inconsistent, it may return 1 or-1. At the same time, a buffer overflow point strcpy (buffer,input) is created. Input has 1024 of the space, and buffer has only 44 space. A buffer overflow is raised as long as input exceeds 44. The main function takes the Re_choose return value if it returns 1 or-1. If you return 0, go to else. Will overflow with buffers to return 1 or-1 also go to else.

#include <stdio.h>

#include <string.h>

#define Ture_password "Liusicheng"

int Re_choose (char *input)

{

int result;

Char buffer[44];

result = strcmp (Input,ture_password);

strcpy (Buffer,input); Buffer injection Point

return result;

}

void Main ()

{

int choose=0;

Char input[1024];

scanf ("%s", input);

Choose=re_choose (input);

if (choose = = 1 | | choose = =-1)

{

printf ("error\n");

}

Else

{

printf ("ture\n");

}

}

Compile the release version of the above code and put it in IDA Pro to get the anti-compile code. Is the process structure of the main function. Clearly see the entire control flow of the main function and the stack of the main function from building to destroying the whole process. The stack is primarily used on function calls. A number of system functions are called at the beginning of a process invocation, where the address of a large number of functions is fixed (only related to the operating system version), and these fixed functions become the platform for subsequent jumps. This article does not cover these functions first. Jump directly to the main function to begin the introduction. The structure of the stack is 4 bytes to one layer. If more than 4 bytes. stored in multiples of 4 integers. Less than 4 bytes are stored in 4 bytes. The main operation of the stack is only 2 push and pop. Push is to press the contents of the register into the stack, and the pop is to release the contents of the stack. EBP is the bottom of the current stack frame, and ESP is the stack top of the current stack frame. (Note that because the stacks are executed sequentially, there is only one stack top and one bottom at a time.) But the bottom of the stack is generally not the stack of the entire system stack, but only the bottom of the current stack frame). The structure of the stack adopts the principle of first-out, backward-out. So when you create a stack, you follow these steps:

1. Press the pointer of the stack bottom of the previous stack frame into the current stack to save it (push EBP). This step is actually 2 steps: The first step is pressed into the return address, and the second step is pressed into the EBP when the previous stack frame.

2. Move the stack bottom of the previous stack frame to the top of the stack frame (mov ebp,esp). From this stack the bottom of the stack is determined and no changes will occur. The top ESP in the stack is always changing.

3, then assign the local function (subesp,404h). The 2 variables in this program are 4 bytes and one is 1024 bytes. Plus, it's just a 0x404 byte. Need to move the top of the stack 0x404. Note that the direction of the stack is the opposite of memory. Data into memory is written from a low address to a high address, while the stack is written from a high address to a low address. It is this structure that gives the opportunity for subsequent data to be overwritten. The value of the top of the stack is adjusted as the data on the stack is ready.

650) this.width=650; "title=" 20150126-1.jpg "src=" http://s3.51cto.com/wyfs02/M00/5A/28/wKioL1T4EarzM_ G0aaewc3exza8013.jpg "alt=" Wkiol1t4earzm_g0aaewc3exza8013.jpg "/>

Note: Medium var_404= -404h, str1= -400h

The same stack revocation when the basic can be based on the reverse operation of the stack. First, the stack bottom value is covered by the top of the stack (mov esp,ebp). Then the stack pops the value of the current EBP (pop ebp). Then jump to the return address (RETN) of the last function stored in the EIP and go back to the previous stack frame (in the previous function) to delete the return address line (add ESP 4). To this stack is completely revoked. At this point a stack has been completed from the establishment to the undo process. In addition to our concern about the creation and extinction of a stack, we are more concerned about how the stack passes the return values and parameters. Is Re_choose's disassembly diagram: A clear explanation of how the arguments and return values are passed in the stack.

650) this.width=650; "title=" 20150126-2.jpg "src=" http://s3.51cto.com/wyfs02/M02/5A/28/ Wkiol1t4edlhonr-aadtwkvsunk278.jpg "alt=" Wkiol1t4edlhonr-aadtwkvsunk278.jpg "/>

Note in var_4=-4, str1 = 8

The main function starts with callsub_401000, creating the stack frame of the sub-function re_choose, starting with the same stack creation process as main. Until the implementation to MOV EAX,[EBP+STR1], this sentence is the most concerned about the transfer of arguments. It is the bottom of the stack (EBP) that is fixed in the stack. Use the bottom of the stack for coordinates to move 8 bytes to the high memory value. Take the input that exists in main. The incoming re_choose is placed in the EAX register for calculation. The same mechanism looks at the second half of the Re_choose (mov eax,[ebp+var_4]) from the bottom of the stack to the low address offset 4 bytes of content. In the presence of EAX, main puts the EAX value in the ebp-404 (MOV [ebp+var_404],eax) address for subsequent judgment. The basic structure of the stack has already been described in the basic operation. The source of stack buffer overflow is closely related to the structure of stack itself. It is because the data in the stack is first deposited in the memory high address, and then into the memory low address. So given the opportunity to enter, once the stack originally allocated to the length of the original memory will be directly covered in the address of the data or instructions. This leads to unpredictable results.

As to whether the parameters of the function are passed from left to right or right to left (the local variable int A, a or b), the Restore stack balance when the function returns is to make the parent function or the sub function. This section is related to the function calling convention, and the main calling conventions are divided into, _cdecl, _fastcall, and _stdcall. The general vs default is consistent with the _stdcall and Windows APIs. StdCall rule requirements: The parameters are pressed from right to left. (int A, b first). When the function exits, it cleans up the parameters in the stack itself. (It is often seen in the figure that a parameter is not immediately followed by the Add ESP 4.)

The principle of stack overflow utilization

Because the data in the stack is stored in the opposite direction of the memory, it is very easy to get the data behind it. Eventually change the program. The result of the change is divided into 2 types: 1 Change the program logic, bypassing some judgments to make certain restrictions invalid. 2. The direct hijack program runs the attacker's attack code.

1. Change the program logic, or the above example. In the above example, if Liusicheng this preset password is a bank password, after the password check can obtain the password protection sensitive information. Then the attacker would want to pass the password check, either enter the correct password, or change the program flow (enter the wrong password but still be able to walk back to the right branch). To achieve this, we look for the address of the next choose (The return value of Re_choose), and see Re_choose's figure that the local variable space is 0x30, which is 48 bytes. In the low address should be used to overflow the buffer at the bottom of the 4 bytes closest should be the address of the result, that is, the address of the Choose value. The address of result is 0012fb6c (because input is qwe so the return value is 1) The value is 1, at which time the password verification is not over. The 0012f840 of the address is the string buffer. Buffer will be copied into the input value. Buffer is stored in the 657771 (win is the small endian byte order, so all is the inverse is qwe). Here, if you want to pass the password verification, you need to modify the value of the 0012fb6c. In addition to entering the correct password, you can also try to enter an too long input, let input buffer buffer when the data is overrun, the overflow value is overwritten with the value of 0012fb6c, the value is modified to the desired 0 (0 is the password Authentication).

650) this.width=650; "title=" 20150126-3.jpg "src=" http://s3.51cto.com/wyfs02/M02/5A/2C/ Wkiom1t4ep7ai3i3aadjchvsmd4660.jpg "alt=" Wkiom1t4ep7ai3i3aadjchvsmd4660.jpg "/>

Buffer takes 44 bytes, which means that input needs to enter at least 44 bytes to fill the buffer, and then the bytes entered will overwrite result. Modify the value of the Choose to change the program flow. Since this is the end of the string there will be a null so let's enter 44 W to fill buffer and squeeze null into result to overwrite the original 1.

Input 43 x W

650) this.width=650; "title=" 20150126-4.jpg "src=" http://s3.51cto.com/wyfs02/M01/5A/28/wKioL1T4EjrzeEgPAACVdwrF_ Zs444.jpg "alt=" Wkiol1t4ejrzeegpaacvdwrf_zs444.jpg "/>

No buffer overflow 12fb6c has not been modified

Enter 44 W to reach buffer overflow

650) this.width=650; "title=" 20150126-5.jpg "src=" http://s3.51cto.com/wyfs02/M01/5A/28/ Wkiol1t4enlgv6vuaacskxpxzha068.jpg "alt=" Wkiol1t4enlgv6vuaacskxpxzha068.jpg "/>

The 12fb6c is changed from 1 to 0 by the Terminator null overwrite. Eventually jump to the slip pass through the password verification. Complete the steps to bypass the password check. This is the most basic use of buffer overflows. In fact, Method 2 is only a step further on the basis of Method 1.

650) this.width=650; "title=" 20150126-6.jpg "src=" http://s3.51cto.com/wyfs02/M00/5A/2C/ Wkiom1t4eyoi54plaacvjiu3bky184.jpg "alt=" Wkiom1t4eyoi54plaacvjiu3bky184.jpg "/>

2. The direct hijack program runs the attacker's attack code. Since some key variables can be overwritten by a buffer overflow, the function flow is changed. If you continue to overflow then there is the ability to override the function return address. Change the function return address to the place where the attacker needs to return. This program can be designed to save a script in buffer, and then fill in the buffer with W script to return address in the middle of the vacancy. Finally, the first address of the buffer is overwritten to the function return address. When the function returns, it returns to the initial address of buffer and executes the script stored in buffer.

To achieve this goal, first determine the address returned by the function and the address of buffer. The address of the buffer is given in front of the image to see the address returned by the function. That is, we need to overwrite our information from the overflow point buffer to the function return address. function return address at 12fb74buffer The initial address is 12FB40, we need to overwrite these 56 bytes.

650) this.width=650; "title=" 20150126-7.jpg "src=" http://s3.51cto.com/wyfs02/M01/5A/2C/ Wkiom1t4eanjjdrfaabzsh2et3s869.jpg "alt=" Wkiom1t4eanjjdrfaabzsh2et3s869.jpg "/>

Constructs a shellcode (introduces Shellcode no longer within the scope of this article) + populates the data +0012fb40. This way, when the function occurs RETN, it does not jump to 0041064, but instead jumps to the set 0012FB40. The shellcode stored in 0012FB40 is followed by step. This completes the entire overflow process, the method of hijacking the entire program through buffer overflow, in addition to this direct override return value address, there is also overwrite seh.

SEH

SEH is an important data structure for exception handling mechanisms under Windows (C + + 's _try exception handling is essentially the invocation of SEH). Ensure that Windows gives the function or system a call back once a variety of error actions occur. The SEH structure is very complex, and here only the parts related to buffer overflow are mentioned. Each SEH contains two DWORD pointers: The SEH list pointer and the exception handler handle, with a total of 8 bytes stored in the stack. When a thread is initialized, 1 SEH is automatically installed to the stack as the default exception handling for the thread. If the program calls an exception handling mechanism such as-try (). The compiler is the one that installs 1 Seh to the current function stack to handle exceptions. Multiple SEH can exist in the stack at the same time. Seh throughout the stack forms a one-way list across the stack through the linked list pointer. When an exception occurs, the operating system interrupts the program, followed by the entire SEH list to see if there is an SEH that can handle the exception. If the program loading SEH can not process, it will go to the system level of SEH, by him out of the error window, forcing the shutdown program.

SEH exists in the stack, so the stack buffer overflow has the opportunity to overwrite Seh. As with the overwrite return address, if the function entry after overwriting the exception is modified to the ingress of buffer above, then it is possible to fill the data +buffer address by shellcode+. To achieve the purpose of the attack, but note that it is necessary to trigger an exception in the fill data to ensure that SEH is triggered.

The main principle of buffer overflow at this point in Windows has been introduced. An Huaqin and the database Security lab will continue to share the topic of stack buffer overflow in the next article with a buffer vulnerability on the oracle10g.

This article is from the Database security blog, so be sure to keep this source http://schina.blog.51cto.com/9734953/1617670

Database buffer Overflow Vulnerability principle (stack)