Playing God With Format String Attacks. Bsides Jax 2016 Travis Phillips 10/22/2016
|
|
- Kellie Garrett
- 5 years ago
- Views:
Transcription
1 Playing God With Format String Attacks Bsides Jax 2016 Travis Phillips 10/22/2016
2 So Why This Talk? Been experimenting with them over the last year Found them simple in theory; difficult in practice. Found them to be quite powerful! Figured I would give a high level view. Show a few examples of it in action. Release a tool to help exploit them.
3 So What is a Format String? It is a string with formatter characters in it that certain formatter functions will work with manipulate. The most common one you will see is printf(), but others might be sprintf, snprintf, kprintf
4 Example Program with printf()
5 Printf() Usage
6 Example Program with printf()
7 Running the Example Program
8 So What Causes A Format String Attack? Going back to our example, The first parameter was a format string where you can put format character codes.
9 So What Causes A Format String Attack? A format string attack occurs when that format string parameter is passed user controlled data. This enables an attacker to place formatter characters and the function will use them assuming values on the stack where all parameters as well.
10 Moral of the Story... DON'T PUT USER CONTROLLED DATA HERE!
11 What's the Worst That Can Happen? Side effects may Include: Reading data off the stack. Leaked stack pointers, return addresses, stack canaries, environment variable pointers. Say farewell to your ASLR and stack protection. Reading "string data" from pointers on the stack. Note: string data is data that stops at a null byte Read binary data from any valid address on the stack. Read those environment variables.
12 What's the Worst That Can Happen? Side effects may Include: Reading arbitrary data from user specified memory addresses. In some cases, you can dump a the binary and libraries. Find ROP Gadgets made easy! Arbitrary writing of data to user specified memory addresses. In some cases, RCE is possible!!! You should always treat it as such.
13 In Some Cases? Yes, in some case. It's like a XSS Exploit The level of danger is contextual to how and where it happens. I will cover various exploit conditions and what they can yield.
14 Before We Begin... Let's Cover some basic formatters: %d print value as a number. %x print value as a hexadecimal number %s treat value as a pointer and print the string at that address.
15 Before We Begin... Widths can be specified between the % and letter. Examples with 0xdeadbeef: %x: yields [deadbeef] %10x: yields [ deadbeef] It will pad with spaces or a zero you specify at the start of it. Example with 0xdeadbeef: %012x: yields [0000deadbeef]
16 Example: printfvuln.c
17 Example: printfvuln.c
18 Fun with Parameters! Some c libs format strings support parameters! Parameters are used by putting a number followed by a dollar sign ($) between the % and the formatter code Example: %6$x would grab the 6th DWORD on the stack. These can be padded with zeros in front. More on this in next example.
19 Example: printfvuln.c - Looped! Dumping a stack by hand is a pain, and we are lazy... We can: Dump the stack hex values a loop. Dump the strings using a loop to determine interesting pointers. Remember the zero padding on parameters? Always try to keep the format string the same length if you want to keep the stack consistent.
20 Loop Dumping Hex for i in { }; do DATA=$(./printfVuln % $i\$x); echo -e " [$i] $DATA"; done
21 Loop Dumping Strings for i in { }; do DATA=$(./printfVuln % $i\$s); echo -e " [$i] $DATA"; done
22 Linking Things Together Environmental Variables can be found and and their addresses located using this. ASLR can be seen...
23 But ASLR Isn't A Deal Breaker It's only 12 bits of randomness in this case...
24 In a game of skill, brute force sometimes wins too... Defeating ASLR?
25 PoC I=$(expr 0 + 0); DATA="deadbeef"; while [ $DATA!= "ffb12fdc" ]; do DATA=$ (./printfvuln %094\$x); i=$(expr $i + 1); echo -e "$i => $DATA"; done i=$(expr 0 + 0); DATA="deadbeef"; while [ $DATA!= "ffb12fdc" ]; do DATA=$ (./printfvuln %094\$x); i=$(expr $i + 1); done; echo -e "\033[32;1m [*] Found in $i...\033[0m"
26 PoC
27 Reading from Random Addresses We saw our string on the stack. We can access those as pointers, via parameters. Super easy if our string is on the stack. just make sure the address will line up with a stack DWORD.
28 Example: printfstackbased
29 Example: printfstackbased First find where your string starts on the stack... Our's starts at parameter 4 Remember: A = 0x41, B = 0x42, C = 0x43, D = 0x44
30 Example: printfstackbased Next, Figure out what you want to read, I will opt for GOT addresses. I will opt for GOT of printf and memset.
31 Example: printfstackbased Place those addresses in the format string and dump them as strings. DATA=$(./printfStackBased $(perl -e 'print "\x98\x97\x04\x08\xa4\x97\x04\x08_%4\$s_ %5\$s";')); PRINTF=$(echo $DATA cut -d _ -f 2 cut -b -4); MEMSET=$(echo $DATA cut -d _ -f 3 cut -b -4); echo $PRINTF$MEMSET xxd -i
32 Example: printfstackbased Two pointers to libc functions dumped... Libc-database to determine libc library. You can now calculate the address to any other libc functions such as read(), system(), or mprotect().
33 The Fun Part: Writing Data! An excellent form of memory corruption! What is known as a Write Anything Anywhere primative. Stack canaries usually don't matter. Side step them entirely. Overwrite the GOT entry for stack_chk_fail() to your shellcode or trigger for your ROP chain.
34 Introducing the %n Formatter Used to write the number of bytes written by the format string function to a memory address. The address written to can be specified by a parameter. the size of this is usually 4 bytes, but can be limited. To two bytes with %hn. Or one byte with %hhn. These overflow back to zero.
35 Example: backdoor.c
36 How Do We Control What Gets Written? The %n parameter prints the number of bytes written. As shown earlier we can use a size parameter to control the size of the printed value. If you can calculate the number of bytes written, you can control the data written. Each write counts the bytes total, not per each write.
37 Example: Backdoor.c Find the parameter to our string. In our case it is at 4 again.
38 Example: Backdoor.c We know where we want to write, the address is given to us. If we just use a %n we can see 5 bytes. Number of bytes printed (4 byte address + 1 byte for the _, %n won't print anything)
39 Example: Backdoor.c We can include other formatters with size specifiers to pad the number of bytes written.
40 To calculate by hand. This Is A Pain... So I made a tool for this when it is stack based.
41 format_string_generator.py
42 format_string_generator.py
43 format_string_generator.py
44 And It Works Pretty Well...
45 Example: Backdoor.c No DEP Without DEP enabled, Shellcode execution is easy to do with our tool. Write a payload to somewhere in BSS section. Overwrite a function call GOT that gets triggered after the bug. In this case, printf() gets called again to print information about test, we can hijack that.
46 Example: Backdoor.c No DEP What you need: Exploit: Find the GOT address for printf() A place to write your payload such as.bss Write your payload. Overwrite the GOT to point your payload. Enjoy the hijacked execution flow.
47 Example: Backdoor.c No DEP Finding GOT Address
48 Example: Backdoor.c No DEP Find palace for payload
49 Example: Backdoor.c No DEP Create Exploit using tool
50 Example: Backdoor.c No DEP Run it! {Snip Snip}
51 That Was Cool! But setup and not likely real world... However use your imagination, this could alter data structures that may control your user permissions.
52 So About That RCE With DEP? The best place in my opinion is when you: Can keep running the exploit over and over. Are at least 3 functions deep. Example: main() => SetSocket() => HandleClient()
53 Why 3 Functions Deep? Stack arrangement is awesome! You have an EBP that points to another EBP Modify to point to addresses on the stack. Just after those would be return addresses.
54 Why Keep Running It? Modify values on the stack and use them on the next run. This let's you solve null byte issues. Allows several Memory leaks. Allows launching exploit in stages. Leak stack & GOT pointers. Find addresses of other libc functions like mprotect() or system(). Build your payload or ROP chain and write it. Trigger your payload or ROP chain.
55 What If We Can Only Run It Once? Attempt an exploit that enables more than one run or pulling external data in. Brute force the addresses and skip the leaks.
56 Example: CSAW Contacts Decent compiler security ASLR + DEP + Stack canary Had a printf bug Also from other write ups, had a heap overflow. Wasn't really needed, printf worked fine.
57 Example: CSAW Contacts Running
58 Example: CSAW Contacts The printf Bug
59 Example: CSAW Contacts The printf Bug
60 Building the Exploit Foundation Interaction Functions Create, Delete, and Display Contacts Pointer Manipulation Functions Get and set stack pointers using parameters and EBPs
61 Building the Exploit Foundation Leaker Function for pwntools DynELF() class Just take an address, write it to the stack, then access it as a string. Write-Anything-Anywhere primative Function. Since we have DEP present we will probably want to setup a rop chain.
62 Building a system(/bin/bash) ROP exploit. Use the leaker function to leak system(). Write /bin/bash to.bss section Write a rop chain to call system() with the /bin/bash string over the existing stack return address. Trigger it by calling the exit menu function.
63 Building a Raw Payload Exploit. Leak address of read() and mprotect(). Write a ropchain: Mprotect.bss as RWX Read payload into.bss RET to payload Trigger the ROP chain. Send the payload. Watch the fireworks
64 Downloads Slides, Source Code, Challenge Binary, and exploit scripts will be on wiki.jaxhax.org Download 'em and play around.
65 Recap Format string bugs shouldn't be taken lightly. reading, writing, and RCE are all pretty serious. Null bytes in address can be a pain in some cases. ASLR can sometimes be a hassle, but bruteforce sometimes works.
66 Recap DEP is usually the bigger challenge. If its not enabled, exploitation is a cake walk, so always check! Homework: overthewire.org => behemoth3 It's a format string bug. Everything here is what you need to know. Now go pwn it!
67 Q&A Time!? Travis Phillips Website: wiki.jaxhax.org
Software Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationExploit Mitigation - PIE
Exploit Mitigation - PIE Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch ASCII Armor Arbitrary Write Overflow Local
More informationLecture 10 Code Reuse
Lecture 10 Code Reuse Computer and Network Security 4th of December 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 10, Code Reuse 1/23 Defense Mechanisms static & dynamic analysis
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationECS 153 Discussion Section. April 6, 2015
ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationPlay with FILE Structure Yet Another Binary Exploitation Technique. Abstract
Play with FILE Structure Yet Another Binary Exploitation Technique An-Jie Yang (Angelboy) angelboy@chroot.org Abstract To fight against prevalent cyber threat, more mechanisms to protect operating systems
More informationBypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.
Bypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.be (May 2010) Introduction : For this first tutorial,
More informationSecure Programming I. Steven M. Bellovin September 28,
Secure Programming I Steven M. Bellovin September 28, 2014 1 If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2 The Heart of the Problem
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationSecure Systems Engineering
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2 Program Bugs
More informationInfecting the Embedded Supply Chain
SESSION ID: PDAC-F01 Infecting the Embedded Supply Chain Zach Miller Security Researcher in8 Solutions (Formerly Somerset Recon) @bit_twidd1er Inspiration Inspiration Countless embedded devices exist Each
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationBypassing SEHOP. Stéfan Le Berre Damien Cauquil
Bypassing SEHOP Stéfan Le Berre s.leberre@sysdream.com Damien Cauquil d.cauquil@sysdream.com Table of contents 0. Introduction...3 1. SEHOP specifications (short version)...3 2. Dealing with SEHOP when
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationCSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018 Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationDefeat Exploit Mitigation Heap Attacks. compass-security.com 1
Defeat Exploit Mitigation Heap Attacks compass-security.com 1 ASCII Armor Arbitrary Write Overflow Local Vars Exploit Mitigations Stack Canary ASLR PIE Heap Overflows Brute Force Partial RIP Overwrite
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationStitching numbers Generating ROP payloads from in memory numbers
Stitching numbers Generating ROP payloads from in memory numbers Alex Moneger Security Engineer 10 th of August 2014 Who am I?! Work for Cisco Systems! Security engineer in the Cloud Web Security Business
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationSecurity and Privacy in Computer Systems. Lecture 5: Application Program Security
CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project
More informationVulnerability Analysis I:
Vulnerability Analysis I: Exploit Hardening Made Easy Surgically Returning to Randomized Lib(c) Mitchell Adair September 9 th, 2011 Outline 1 Background 2 Surgically Returning to Randomized lib(c) 3 Exploit
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationMemory corruption countermeasures
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 30th January 2014 Outline Announcement Recap Containment and curtailment Stack tamper detection
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationHW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005
HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities 1 Motivation DUE 12/18/2005 Memory corruption vulnerabilities to change program execution flow
More informationHacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University
Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University Hacking 101 Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh
More informationCS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities
CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities Given: November 13, 2003 Due: November 20, 2003 1 Motivation Buffer overflows and format string vulnerabilities are widespread
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationThe Stack, Free Store, and Global Namespace
Pointers This tutorial is my attempt at clarifying pointers for anyone still confused about them. Pointers are notoriously hard to grasp, so I thought I'd take a shot at explaining them. The more information
More informationOn Compilers, Memory Errors and Control-Flow Integrity
On Compilers, Memory Errors and Control-Flow Integrity Advanced Compiler Design SS 2015 Antonio Hüseyin Barresi Zürich, 27.5.2015 CVE-2012-0158 is a buffer overflow Vulnerability in the ListView / TreeView
More informationINTRODUCTION TO EXPLOIT DEVELOPMENT
INTRODUCTION TO EXPLOIT DEVELOPMENT Nathan Ritchey and Michael Tucker Who Am I (Nathan Ritchey) Have Bachelors in Computer Science Member of CSG Working on Masters with focus on Information Assurance Some
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationChangelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part
1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems
More informationMSRPC Heap Overflow Part II
MSRPC Heap Overflow Part II Dave Aitel So a new approach is needed. As with any heap overflow, you get to chose a where and a what value, subject to certain constraints. If you chose a what value that
More informationCMSC 414 Computer and Network Security
CMSC 414 Computer and Network Security Buffer Overflows Dr. Michael Marsh August 30, 2017 Trust and Trustworthiness You read: Reflections on Trusting Trust (Ken Thompson), 1984 Smashing the Stack for Fun
More informationPayload Already Inside: Data re-use for ROP Exploits
Payload Already Inside: Data re-use for ROP Exploits Long Le longld at vnsecurity.net Thanh Nguyen rd at vnsecurity.net 1 HITB2010KUL DEEPSEC Agenda Introduction Recap on stack overflow & mitigations Multistage
More informationGeneral Pr0ken File System
General Pr0ken File System Hacking IBM s GPFS Felix Wilhelm & Florian Grunow 11/2/2015 GPFS Felix Wilhelm && Florian Grunow #2 Agenda Technology Overview Digging in the Guts of GPFS Remote View Getting
More informationDocumentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit about a generic way to exploit Linux targets written by Kingcope Introduction In May 2013 a security advisory was announced
More informationGet the (Spider)monkey off your back
Get the (Spider)monkey off your back Exploiting Firefox through the Javascript engine by eboda and bkth from phoenhex Who are we? Security enthusiasts who dabble in vulnerability research on their free
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationStack Overflow. Faculty Workshop on Cyber Security May 23, 2012
Stack Overflow Faculty Workshop on Cyber Security May 23, 2012 Goals Learn to hack into computer systems using buffer overflow Steal sensitive data Crash computer programs Lay waste to systems throughout
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More informationBuffer Overflow and Protection Technology. Department of Computer Science,
Buffer Overflow and Protection Technology Department of Computer Science, Lorenzo Cavallaro Andrea Lanzi Table of Contents Introduction
More informationJacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013
Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013 Welcome Back! A Quick Recap of the Last Presentation: Overview of web technologies. What it is. How it works. Why it s attractive
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationIntro to x86 Binaries. From ASM to exploit
Intro to x86 Binaries From ASM to exploit Intro to x86 Binaries I lied lets do a quick ctf team thing Organization Ideas? Do we need to a real structure right now? Mailing list is OTW How do we get more
More informationCode with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function
1 Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function IsPasswordOK(), and compares it with the correct password.
More informationDefending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science
Defending Computer Networks Lecture 4: Exploit Defenses Stuart Staniford Adjunct Professor of Computer Science Logis;cs Course is now official Expect an email from Stephanie Meik with your PIN Need to
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationBEGINNER PHP Table of Contents
Table of Contents 4 5 6 7 8 9 0 Introduction Getting Setup Your first PHP webpage Working with text Talking to the user Comparison & If statements If & Else Cleaning up the game Remembering values Finishing
More informationMemory Corruption: Why Protection is Hard. Mathias Payer, Purdue University
Memory Corruption: Why Protection is Hard Mathias Payer, Purdue University http://hexhive.github.io 1 Software is unsafe and insecure Low-level languages (C/C++) trade type safety and memory safety for
More informationbuffer overflow exploitation
buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationCSE 361S Intro to Systems Software Lab Assignment #4
Due: Thursday, October 23, 2008. CSE 361S Intro to Systems Software Lab Assignment #4 In this lab, you will mount a buffer overflow attack on your own program. As stated in class, we do not condone using
More informationWeek 5, continued. This is CS50. Harvard University. Fall Cheng Gong
This is CS50. Harvard University. Fall 2014. Cheng Gong Table of Contents News... 1 Buffer Overflow... 1 Malloc... 6 Linked Lists... 7 Searching... 13 Inserting... 16 Removing... 19 News Good news everyone!
More informationBuffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform David Litchfield [davidl@ngssoftware.com] 30 th September 2005 An NGSSoftware Insight Security
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationAutodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
More informationINFORMATION SECURITY - PRACTICAL ASSESSMENT - BASICS IN BUFFER EXPLOITATION
INFORMATION SECURITY - PRACTICAL ASSESSMENT - BASICS IN BUFFER EXPLOITATION GRENOBLE INP ENSIMAG http://www.ensimag.fr COMPUTER SCIENCE 3RD YEAR IF-MMIS - 1ST SEMESTER, 2011 Lecturers: Fabien Duchene -
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationLeveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus
Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1 Who We Are Nadav Markus, Gal De-Leon Security researchers @ PaloAltoNetworks Vulnerability research and exploitation Reverse
More information6.858 Lecture 3. char *p = malloc(256); char *q = p + 256; char ch = *q; //Does this raise an exception? //Hint: How big is the baggy bound for p?
Baggy bounds continued: Example code (assume that slot_size=16) 6.858 Lecture 3 char *p = malloc(44); //Note that the nearest power of 2 (i.e., //64 bytes) are allocated. So, there are //64/(slot_size)
More informationExploiting the MSRPC Heap Overflow Part I
Exploiting the MSRPC Heap Overflow Part I Dave Aitel Sep 11, 2003 Illustration 1Polyphemus Moth This little documentary chronicles the last moments of another beautiful moth, stuck somewhere between the
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationSoftware Security: Defenses
Software Security: Defenses 1 Magic Numbers & Exploitation Exploits can often be very brittle You see this on your Project 1: Your./egg will not work on someone else s VM because the memory layout is different
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationLec06: DEP and ASLR. Taesoo Kim
1 Lec06: DEP and ASLR Taesoo Kim Scoreboard 2 NSA Codebreaker Challenges 3 4 Administrivia Congrats!! We've completed the half of labs! Due: Lab06 is out and its due on Oct 5 at midnight NSA Codebreaker
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More information