A Dozen Years of Shellphish. Journey to the Cyber Grand Challenge

Size: px

Start display at page:

Download "A Dozen Years of Shellphish. Journey to the Cyber Grand Challenge"

Joanna Wilson
5 years ago
Views:

1 A Dozen Years of Shellphish Journey to the Cyber Grand Challenge 1

2 Zardus rhelmot 2

3 HEX on the beach 3

4 4

5 5

6 :-( 6

7 # of Shellphish players (cumulative)

8 # of Defcons won (cumulative)

9 # of CTFs organized (cumulative) ictf + BKP ictf

10 Wealth! 23 29???

11 11

12 12

13 analyze pwn patch 13

14 analyze pwn patch 14

15 - Linux-inspired environment, with only 7 syscalls transmit / receive / fdwait ( select) allocate / deallocate random terminate - No need to model the POSIX API! - Otherwise real(istic) programs. 15

16 analyze pwn patch 16

17 - No filesystem -> no flag? - CGC Quals: crash == exploit - CGC Finals: two types of exploits 1. "overwrite": set a register to X, crash at Y 2. "read": leak the data at address X 17

18 analyze pwn patch 18

19 int main() { return 0; } fails functionality checks... signal(sigsegv, exit) no signal handling! inline QEMU-based CFI? performance penalties... 19

20 # of Cyber Grand Challenges Announced (cumulative) DARPA announces the CGC

21 2013 1s Sh t c el om lph m ish it s to ign th s e up CR! S! or gist ed ra Ev tion en D Sc t 1 ea or dl ed in e Ev en t2 Sc Re s! l a d n 2 C G C Qu 2016! ity S CR san e in h t f o o t s it ek m e m w o 3 c 21

22 22

23 23

24 The Shellphish CRS 24

25 Vulnerable Binaries Challenges Ot he r tea Patch scores Game traffic Other teams patches CRS ms Exploits Scoring Patches 25

26 symbolic execution driller fuzzing?????? Secret Sauce??? CRS 26

27 x = int(input()) if x >= 10: if x < 1: print "You win!" else: print "You lose!" else: print "You lose!" 27

28 Fuzzing 28

29 x = int(input()) if x >= 10: if x < 1: print "You win!" else: print "You lose!" else: print "You lose!" Let's fuzz it! 1 "You lose!" 593 "You lose!" 183 "You lose!" 4 "You lose!" 498 "You lose!" 42 "You win!" 29

30 x = int(input()) if x >= 10: if x^2 == : print "You win!" else: print "You lose!" else: print "You lose!" Let's fuzz it! 1 "You lose!" 593 "You lose!" 183 "You lose!" 4 "You lose!" 498 "You lose!" 42 "You lose!" 3 "You lose!". 57 "You lose!" 30

31 Fuzzing... - Very fast! - Very effective! - Unable to deal with certain situations: - magic numbers - hashes - specific identifiers 31

32 Symbolic Execution 32

33 x = int(input()) if x >= 10: if x < 1: print "You win!" else: print "You lose!" else: print "You lose!" State A Variables x =??? Constraints

34 x = int(input()) if x >= 10: if x < 1: print "You win!" else: print "You lose!" else: print "You lose!" State A Variables x =??? Constraints State AA State AB Variables Variables x =??? x =??? Constraints Constraints x < 10 x >= 10 34

35 x = int(input()) if x >= 10: if x < 1: print "You win!" else: print "You lose!" else: print "You lose!" State AA State AB Variables Variables x =??? x =??? Constraints Constraints x < 10 x >= 10 35

36 x = int(input()) if x >= 10: if x < 1: print "You win!" else: print "You lose!" else: print "You lose!" State AA State AB Variables Variables x =??? x =??? Constraints Constraints x < 10 x >= 10 State ABB State ABA Variables Variables x =??? x =??? Constraints Constraints x >= 10 x >= 1 x >= 10 x < 1 36

37 x = int(input()) if x >= 10: if x < 1: print "You win!" else: print "You lose!" else: print "You lose!" State ABA Variables x =??? Constraints x >= 10 x < 1 Concretized ABA Variables x = 99 37

38 x = int(input()) if x >= 10: if x^2 == : print "You win!" else: print "You lose!" else: print "You lose!" State ABA Variables x =??? Constraints x >= 10 x^2 = Concretized ABA Variables x =

39 Symbolic Execution... - Good for dealing with certain situations: - magic numbers - (simple) hashes - specific identifiers 39

40 40

41 - Making binary analysis techniques usable! - Open-source: (star it!) - Written in Python! - installable with pip install angr - interactive shell (using ipython) - GUI - Architecture independent x86, amd64, mips, mips64, arm, aarch64, ppc, ppc64 ELF, CGC, PE

42 Binary Loader Static Analysis Routines User Interface angr Symbolic Execution Engine Code (IR) Lifter Constraint Solver 42

43 Symbolic Execution... - Has some problems! - very slow - constraint solving (np-complete!) - path explosion 43

44 The Future 44

45 - Fuzzing + Symbolic Execution = Symbolically Guided Fuzzing Fu zzi ng Sy mb oli ce xe cu tio n - Appearing at NDSS 2016: Driller: Augmenting Fuzzing Through Selective Symbolic Execution 45

46 Arbitrary memory accesses Controllable stack pointer Controllable instruction pointer CGC Qualifiers Goal: CRASH CGC Finals Goal: EXPLOIT (but for an exploit, we first need a crash!) 46

47 47

48 Grub: Back to 28 vulnerability Pressing backspace 28 times on the grub username prompt can get you a rescue shell 48

49 cur_len:-28 get_username stack frame return address function arguments buf buf-28 caller function stack frame username buffer... get_username stack frame grub_memset... 49

50 ???????? Somehow, jumping to : is completely exploitable Way beyond the scope of this demo 50

The correct path to the exploit goes around this loop 28 times, each of which has to follow a specific path The universe will grow old and die before naive symbolic execution finds this bug

51 The correct path to the exploit goes around this loop 28 times, each of which has to follow a specific path The universe will grow old and die before naive symbolic execution finds this bug Demonstration: this doesn t work, really! A technique (implemented by angr) called veritesting1 solves this problem in some cases by merging states when their instruction pointers converge, but in this case the complexity generated is too much for the constraint solver

52 Symbolic execution is powerful Symbolic execution is stupid You are incredibly weak You are very clever Use angr to unlock your true potential 52

53 Manual examination of the state explosion tells you: Where the wasted computational power is going How to be more efficient The naive approach is doing lots of weird things like entering letters and then deleting them again and again, or pressing the home key several times in a row, which don t produce any interesting new states to analyze. You can fix this! 53

54 Final demonstration Finding the bug 54

References: this presentation: https://goo.gl/mi5ubv angr: https://github.

55 References: this presentation: angr: 55

56 Whitehat CTF - crypto4 if (prefilter(input)) error("please CHECK AGAIN!") else puts("input OK") do_lots_of_crazy_crypto(input, result) if (strcmp(result, "growfish") == 0) printf("flag: %s\n", ) else puts("input IS NOT GOOD ENOUGH.")

Cyber Grand Shellphish POC 2016

Cyber Grand Shellphish POC 2016 HEX on the beach Shellphish? Founded in 2004 Oldest? Capture the Flag team around Semi-successful Won DEFCON CTF 2005 Qualified for DEFCON CTF every year but 2007 or so