Exploits and gdb. Tutorial 5

Transcription

1 Exploits and gdb Tutorial 5

2 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb)

3 Buffer Vulnerabilities Basic Idea Overflow or underflow a buffer to corrupt the processes memory space. Injected data can be used redirect control flow. Overflow occurs when data is written beyond buffer; underflow, when before. Common causes are failure (or incorrect) bounds - numerical miscalculations - expectation of a null-terminated char sequence Implications Allows an adversary to corrupt other data on the stack (local vars, EBP, ret EIP) This could be leveraged to carry out other (malicious) computations

4 Buffer Vulnerabilities Overflow Example char buffer[buffer_sz]; int len = atoi(argv[2]); /* parse 2nd cmd-line arg to a integer */ memmove(buffer, argv[1], len); /* copy_memory(dest, src, size) */ /* if len > BUFFER_SZ, we write beyond the buffer into the stack frame */ Null-termination Example char buffer[buffer_sz]; strcpy(buffer, argv[1]); /* copy a null-terminated string (dst, src) */ /* if the first null bytes is located > BUFFER_SZ, we write beyond the buffer into the stack frame */

5 Buffer Vulnerabilities Mitigations Bounds checking - calculate and enforce bounds at runtime. Canaries - Append known values to the end of the buffer. Use them to indicate corruption. Tagging - Tag memory objects (allocations) so that underlying hardware/compiler support can detect buffer under/overflows

6 Code Injection Basic Idea Exploit a memory corruption vulnerability (E.g. buffer overrun), to inject shellcode into the PAS. Execution Flow Once you have injected code, you need to steer execution to the code (get the IP there) Stack Smashing An attack where you exploit a buffer overrun vulnerability to also corrupt the base-pointer and return-ip.

7 Code Injection Mitigations - Canaries (stack guard) - WX protection: Write XOR Execute - non-executable stack Further Readings Smashing The Stack For Fun And Profit Stackguard

8 Integer Attacks Basic Idea Use vulnerabilities in the handling of numeric data to alter the flow of execution. Signedness Numeric primitive types can be signed or unsigned. 0x = = (unsigned int) = (signed int) Look for scenarios where a signed number is used to calculate lengths. Truncation Putting a number larger than the max size of a data type will truncate the result. int a; long b = 0x ABCDEF; a = b;

9 Integer Attacks Signedness Example char buffer[buffer_sz]; int len = atoi(argv[2]); /* parse 2nd cmd-line arg to a integer */ if (len + BUFFER_SZ) memmove(buffer, argv[1], len); /* copy_memory(dest, src, size) */ /* if len < 0 AND len > BUFFER_SZ, we write beyond the buffer into the stack frame */ Mitigations - detect overflows explicitly - patch code so that the semantics match the developers expectations Further Reading

10 Advanced Attacks Return-to-libc Attack - Find snippets of ASM code ( gadgets ) in the libc libraries that can be stitched together to form the computation you wish to do (usually something malicious) - usually only a few instructions at the end of a function form a gadget Ex. xor eax, ebx add 3, eax ret - Corrupt the stack such that execution moves to the first code snippet and then returns from that snippet to the next snippet - bypasses WX protection (no code-injection no Write) - (Whitepaper) Mitigation -detect entry into libc not at function start -make it hard to find the gadget offsets in memory - Address Space Layout Randomization (ASLR)

11 Advanced Attacks Return Oriented Programming (ROP) - generalization of return-to-libc - uses code snippets ( gadgets ) from the program itself, instead of libc (Whitepaper) Mitigation - make it hard to find the gadget offsets in memory - Address Space Layout Randomization (ASLR)

12 Advanced Attacks Further Reading PHRACK Hacker e-zine. Not maintained regularly anymore, but still lot s of essential reading International Journal of POC GTFO A friendly little journal for ladies and gentlemen of distinguished ability and taste in the field of computer security and the architecture of weird machines.

13 GDB Commands r <arg1>... c b expr n ni s si f Run program Continue Set breakpoint next line (step-over) next instruction (step-over) step into step into instruction finish

14 GDB p expr d/fmt expr x/nfu expr bt bt full i i locals i r i args print display examine n: number of units to display f: display format (x=hex, d=decimal, i=instruction, ) u unit size (b=1, h=2, h=4, g=8 Bytes) Backtrace Backtrace and show function args inline information Show local variables in scope. Show registers of current stack frame Show function arguments.

15 GDB If you invoke gdb with the tui flag you can have a windowed view.

16 GDB ASM Syntax Move the immediate value 1 into the eax register. Intel Syntax mov eax, 1 AT&T (GAS) Syntax* movl $1, %eax *GDB uses GAS syntax.

17 GDB GAS Mnemonic Suffixes b = byte (8 bit) s = short (16 bit integer) or single (32-bit floating point) w = word (16 bit) l = long (32 bit integer or 64-bit floating point) q = quad (64 bit) t = ten bytes (80-bit floating point) If no suffix is specified, the operand size is inferred from the destination register operand Ex. mov %edi, (%rax) mov %rcx, %edx movl $0x20, %rdx

18 GDB Further Reading GDB Manual Beej s Quick Guide to GDB Intel 64 and IA-32 Architectures Software Developer Manuals AMD Developer Guides, Manuals & ISA Documents

19 GDB Exercises 1. Examine and step through the examples at: 2. Create simple C programs that demonstrate the vulnerabilities (buffer overflow, integer signedness). 3. Examine and step through the samples you generate to craft an exploit for them.