The Shellcoder's Handbook:

Transcription

1 The Shellcoder's Handbook: Discovering and Exploiting Security Holes Jack Koziol, Dave Aitel, David Litchfield, Chris Anley, Sinan "noir" Eren, Neel Mehta, Riley Hassell WILEY Wiley Publishing, Inc.

2 Contents About the Authors Credits Acknowledgments Part 1 Introduction to Exploitation: Linux on x86 1 Chapter 1 Before You Begin 3 Basic Concepts 3 Memory Management 4 Assembly 6 Registers 7 Recognizing C++ Code Constructs in Assembly 8 Conclusion 10 Chapter 2 Stack Overflows 11 Buffers 12 The Stack 13 Functions and the Stack 15 Overflowing Buffers on the Stack 18 Controlling EIP 20 Using an Exploit to Get Root Privileges 22 The Address Problem 24 The NOP Method 27 Defeating a Non-Executable Stack 29 Return to libc 30 Conclusion 33 v vii xi xiii

3 xiv Contents Chapter 3 Shellcode 35 Understanding System Calls 36 Writing Shellcode for the exit() Syscall 38 Injectable Shellcode 42 Spawning a Shell 44 Conclusion 53 Chapter 4 Introduction to Format String Bugs 55 Prerequisites 55 What Is a Format String? 56 What Is a Format String Bug? 57 Format String Exploits 62 Crashing Services 63 Information Leakage 64 Controlling Execution for Exploitation 69 Why Did This Happen? 79 Format String Technique Roundup 79 Conclusion 82 Chapter 5 Introduction to Heap Overflows 83 What Is a Heap? 84 How a Heap Works 85 Finding Heap Overflows 86 Basic Heap Overflows 87 Intermediate Heap Overflows 93 Advanced Heap Overflow Exploitation 99 What to Overwrite 100 Conclusion 101 Part 2 Exploiting More Platforms: Windows, Solaris, andtru Chapter 6 The Wild World of Windows 105 How Does Windows Differ from Linux? 105 Win32 API and PE-COFF 106 Heaps 108 Threading 109 The Genius and Idiocy of the Distributed Common Object Model and DCE-RPC HO Recon 112 Exploitation 114 Tokens and Impersonation 114 Exception Handling under Win Debugging Windows 118 Bugs in Win Writing Windows Shellcode 119 A Hacker 's Guide to the Win32 API 119 A Windows Family Tree from the Hacker's Perspective 120 Conclusion 121

4 Contents xv Chapter 7 Chapter 8 Windows Shellcode Syntax and Filters Setting Up Parsing the PEB Heapoverflow.c Analysis Searching with Windows Exception Handling Popping a Shell Why You Should Never Pop a Shell on Windows Conclusion Windows Overflows Stack-Based Buffer Overflows Frame-Based Exception Handlers Abusing Frame-Based Exception Handling on Windows 2003 Server Abusing an Existine Handler Find a block of code in an address not associated with a module that will get us back to our buffer 158 Find a block of code in the address space of a module that does not have a Load Configuration Directory 159 A Final Note about Frame-Based Handler Overwrites 160 Stack Protection and Windows 2003 Server 161 Heap-Based Buffer Overflows 167 The Process Heap 167 Dynamic Heaps 167 Working with the Heap 168 How the Heap Works 168 Exploiting Heap-Based Overflows 172 Overwrite Pointer to RtlEnterCriticalSection in the PEB 172 Overwrite Pointer to First Vectored Handler at 77FC Overwrite Pointer to Unhandled Exception Filter 178 Overwrite Pointer to Exception Handler in Thread Environment Block 184 Repairing the Heap 185 Other Aspects of Heap-Based Overflows 187 COM Objects and the Heap 187 Overflowing Logic Program Control Data 188 Wrapping Up the Heap 188 Other Overflows 188.data section overflows 188 TEB/PEB Overflows 190 Exploiting Buffer Overflows and Non-Executable Stacks 191 Conclusion 196

5 xvi Contents Chapter 9 Overcoming Filters 197 Writing Exploits for Use with an Alphanumeric Filter 197 Writing Exploits for Use with a Unicode Filter 201 What Is Unicode? 202 Converting from ASCII to Unicode 202 Exploiting Unicode-Based Vulnerabilities 203 The Available Instruction Set in Unicode Exploits 204 The Venetian Method 205 An ASCII Venetian Implementation 207 Decoder and Decoding 210 The Decoder Code 211 Getting a Fix on the Buffer Address 212 Conclusion 213 Chapter 10 Introduction to Solaris Exploitation 215 Introduction to the SPARC Architecture 216 Registers and Register Windows 216 The Delay Slot 219 Synthetic Instructions 219 Solaris/SPARC Shellcode Basics 220 Self-Location Determination and SPARC Shellcode 220 Simple SPARC exec Shellcode 221 Useful System Calls on Solaris 222 NOP and Padding Instructions 222 Solaris/SPARC Stack Frame Introduction 223 Stack-Based Overflow Methodologies 224 Arbitrary Size Overflow 224 Register Windows and Stack Overflow Complications 225 Other Complicating Factors 225 Possible Solutions 225 Off-By-One Stack Overflow Vulnerabilities 226 Shellcode Locations 227 Stack Overflow Exploitation In Action 228 The Vulnerable Program 228 The Exploit 230 Heap-Based Overflows on Solaris/SPARC 233 Solaris System V Heap Introduction 234 Heap Tree Structure 234 Basic Exploit Methodology (t_delete) 254 Standard Heap Overflow Limitations 257 Targets for Overwrite 258 The Bottom Chunk 259 Small Chunk Corruption 260 Other Heap-Related Vulnerabilities 261 Off-by-One Overflows 261 Double Free Vulnerabilities 261 Arbitrary Free Vulnerabilities 262

6 Contents xvii Heap Overflow Example 262 The Vulnerable Program 262 Other Solaris Exploitation Techniques 266 Static Data Overflows 267 Bypassing the Non-Executable Stack Protection 267 Conclusion 268 Chapter 11 Advanced Solaris Exploitation 269 Single Stepping the Dynamic Linker 271 Various Style Tricks for Solaris SPARC Heap Overflows 286 Advanced Solaris/SPARC Shellcode 288 Conclusion 300 Chapter 12 HP Tru64 Unix Exploitation 301 The Alpha Architecture 302 Alpha Registers 302 Instruction Set 303 Calling Conventions 305 Retrieving the Program Counter (GetPC) 306 System Call Invocation 308 XOR Decoder for Shellcode 308.end main setuid + execve Shellcode 310 Code the setuid(o) + execve("/bin/sh",...) systemcalls 310 Compile the Assembly Code and Extract the Main Function 311 Encode the Extracted opcodes with the XOR Key 312 Plug the Encoded Code into the XOR Decoder 313 Compile and Extract the Final Shellcode 314 Connect-Back Shellcode 316 Find-Socket Shellcode 317 Bind-Socket Shellcode 319 Stack Overflow Exploitation 320 Defeating the Non-Executable Stack 321 Exploiting rpc.ttdbserver 322 Conclusion 330 Part 3 Vulnerability Discovery 331 Chapter 13 Establishing a Working Environment 333 What You Need for Reference 334 What You Need for Code 334 gcc 334 gdb 335 NASM 335 WinDbg 335 OllyDbg 335 SoftICE 335 Visual C Python 336

7 xviii Contents What You Need for Investigation 336 Useful Custom Scripts/Tools 336 An Offset Finder 336 Generic Fuzzers 337 The Debug Trick 337 All Platforms 338 Unix 338 ltrace 339 strace 339 fstat (BSD) 339 tcpdump 339 Ethereal 339 Windows 339 IDA Pro Disassembler 340 What You Need to Know 340 Paper Archives 343 Optimizing Shellcode Development 343 Plan the Exploit 343 Write the Shellcode in Inline Assembler 344 Maintain a Shellcode Library 345 Make It Continue Nicely 346 Make the Exploit Stable 347 Make It Steal the Connection 347 Conclusion 348 Chapter 14 Fault Injection 349 Design Overview 350 Input Generation 351 Manual Generation 352 Automated Generation 352 Live Capture 353 "Fuzz" Generation 353 Fault Injection 354 Modification Engines 354 Delimiting Logic 355 Getting around Input Sanitization 357 Fault Delivery 358 Nagel Algorithm 359 Timing 359 Heuristics 359 Stateless versus State-Based Protocols 360 Fault Monitoring 360 Using a Debugger 360 FaultMon 361 Putting It Together 361 Conclusion 362

8 Contents xix Chapter 15 Chapter 16 The Art of Fuzzing General Theory of Fuzzing Statte Analysis versus Fuzzing Fuzzing Is Scalable Weaknesses in Fuzzers Modeling Arbitrary Network Protocols Other Fuzzer Possibilities Bit Flipping Modifying Open Source Programs Fuzzing with Dynamic Analysis SPIKE What Is a Spike? Why Use the SPIKE Data Structure to Model Network Protocols? Various Programs Included with SPIKE SPIKE Example: dtlogin Other Fuzzers Conclusion Source Code Auditing: Finding Vulnerabilities in C-Based Languages Tools Cscope Ctags Editors Cbrowser Automated Source Code Analysis Tools Methodology Top-Down (Specific) Approach Bottom-Up Approach Selective Approach Vulnerability Classes Generic Logic Errors (Almost) Extinct Bug Classes Format Strings Generic Incorrect Bounds-Checking Loop Constructs Off-by-One Vulnerabilities Non-Null Termination Issues Skipping Null-Termination Issues Signed Comparison Vulnerabilities Integer-Related Vulnerabilities Different-Sized Integer Conversions Double Free Vulnerabilities Out-of-Scope Memory Usage Vulnerabilities Uninitialized Variable Usage

9 Contents Use After Free Vulnerabilities 401 Multithreaded Issues and Re-Entrant Safe Code 402 Beyond Recognition: A Real Vulnerability versus a Bug 402 Conclusion 403 Chapter 17 Instrumented Investigation: A Manual Approach 405 Philosophy 405 Oracle extproc Overflow 406 Common Architectural Failures 410 Problems Happen at Boundaries 410 A Process Calling into an External Process on the Same Host 410 A Process Calling into an External, Dynamically Loaded Library 410 A Process Calling into a Function on a Remote Host 411 Problems Happen When Data Is Translated 411 Problems Cluster in Areas of Asymmetry 413 Problems Occur When Authentication and Authorization Are Confused 414 Problems Occur in the Dumbest Places 414 Bypassing Input Validation and Attack Detection 415 Stripping Bad Data 415 Using Alternate Encodings 415 Using File-Handling Features 416 Required String Is Present in Path 416 Prohibited String Not Present in Path 417 Incorrect Behavior Based on File Extension 417 Evading Attack Signatures 419 Defeating Length Limitations 419 Sea Monkey Data 419 Harmful Truncation Severing Escape Characters 420 Multiple Attempts 421 Context-Free Length Limits 421 Windows 2000 SNMP DOS 421 Finding DOS Attacks 422 SQL-UDP 423 Conclusion 424 Chapter 18 Tracing for Vulnerabilities 427 Overview 428 A Vulnerable Program 429 Component Design 431 Process Injection 432 Machine-Code Analysis 432 Function Hooking 436 Data Collection 439

10 Contents xxi Building VulnTrace 440 VTInject 440 VulnTrace.dll 443 Using VulnTrace 445 Advanced Techniques 448 Fingerprint Systems 448 More Vulnerability Classes 449 Conclusion 450 Chapter 19 Binary Auditing: Hacking Closed Source Software 451 Binary versus Source-Code Auditing: The Obvious Differences 452 IDA Pro The Tool of the Trade 452 Features: A Quick Crash Course 453 Debugging Symbols 454 Binary Auditing Introduction 454 Stack Frames 454 Traditional BP-Based Stack Frames 455 Functions without a Frame Pointer 455 Non-Traditional BP-Based Stack Frames 456 Calling Conventions 456 The C Calling Convention 457 The Stdcall Calling Convention 457 Compiler-Generated Code 458 Function Layouts 458 If Statements 458 For and While Loops 459 Switch Statements 460 memcpy-like Code Constructs 462 strlen-like Code Constructs 462 C++ Code Constructs 463 The this Pointer 463 Reconstructing Class Definitions 464 vtables 465 Quick but Useful Tidbits 465 Manual Binary Analysis 466 Quick Examination of Library Calls 466 Suspicious Loops and Write Instructions 466 Higher-Level Understanding and Logic Bugs 467 Graphical Analysis of Binaries 468 Manual Decompilation 468 Binary Vulnerability Examples 468 Microsoft SQL Server Bugs 469 LSD's RPC-DCOM Vulnerability 469 IIS WebDAV Vulnerability 470 Conclusion 472

11 xxii Contents Part 4 Advanced Materials 473 Chapter 20 Alternative Payload Strategies 475 Modifying the Program 476 The SQL Server 3-Byte Patch 477 The MySQL 1-Bit Patch 481 OpenSSH RS A Authentication Patch 483 Other Runtime Patching Ideas 484 GPG Randomness Patch 485 Upload and Run (or Proglet Server) 486 Syscall Proxies 486 Problems with Syscall Proxies 489 Conclusion 498 Chapter 21 Writing Exploits that Work in the Wild 499 Factors in Unreliability 499 Magic Numbers 499 Versioning 500 Shellcode Problems 501 Network Related 501 Privilege Related 501 Configuration Related 502 Host IDS Related 502 Thread Related 502 Countermeasures 503 Preparation 504 Brüte Forcing 504 Local Exploits 505 OS/Application Fingerprinting 505 Information Leaks 507 Conclusion 508 Chapter 22 Attacking Database Software 509 Network Layer Attacks 510 Application Layer Attacks 520 Running Operating System Commands 521 Microsoft SQL Server 521 Oracle 522 IBM DB2 523 Exploiting Overruns at the SQL Level 525 SQL Functions 526 Using the CHR/CHAR Function 526 Conclusion 528 Chapter 23 Kernel Overflows 529 Kernel Vulnerability Types 529 Oday Kernel Vulnerabilities 538 OpenBSD exec_ibcs2_coff_prep_zmagic() Stack Overflow 538 The Vulnerability 540

12 Contents xxiii Solaris vfs_getvfssw() Loadable Kernel Module Traversal Vulnerability The sysfs() System Call The mount() System Call Conclusion Chapter 24 Exploiting Kernel Vulnerabilities The exec_ibcs2_coff_prep_zmagic() Vulnerability Calculating Offsets and Breakpoints Overwriting the Return Address and Redirecting Execution Locating the Process Descriptor (or the Proc Structure) Stack Lookup sysctl() Syscall Kernel Mode Payload Creation p_cred and u_cred Breaking chroot Returning Back from Kernel Payload Return to User Mode: iret Technique Return to Kernel Code: sidt Technique and _kernel_text Search Getting root (uid=0) Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit Crafting the Exploit The Kernel Module to Load Getting root (uid=0) Conclusion Index 581