Wednesday, December 3, 2014. 2014 Red Canari, Inc. All rights reserved.
INFORMATION SECURITY
ROP It Like It's Hot! A 101 on Buffer Overflows, Return Oriented Programming, & Shellcode Development on Linux x86 Systems
Author: Nadeem Douba
Introductions
- Nadeem Douba (GWAPT, GPEN)
- Founder and Principal of Red Canari, Inc.
- Specializes in: Application Security (Web, Desktop, etc.), Open Source Intelligence
- Enjoys: Hacking all the things!
- Some of my work: Sploitego & Canari Framework (DEFCON 2012), Python Micro Proxy (Internet Archive)
- All my other projects: https://github.com/allfro

Today's Agenda
- Our Topic: Buffer Overflows
- Brief Introductions to: CPU & Memory; x86 Assembly (32-bit only); Linux x86 ABI; Our Exploit Development Toolkit
- Labs: Classic Buffer Overflow; Defeating Non-executable Stacks; Defeating Address Space Layout Randomization; Defeating Stack Canaries
- Next Steps

What is a Buffer Overflow?
"In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory." - Wikipedia
- This can be used for: remote/local code execution, denial of service, etc.
- This course will focus on stack-based buffer overflow vulnerabilities.

What is a stack?
- The stack is a Last In First Out (LIFO) data structure.
- It's tightly coupled with three registers in the CPU.
- It is one of the ways programs allocate temporary storage space during execution.
- More on it later. First, let's introduce you to your target.
The Bit
- Basic unit of information in computing; it can be either 1 or 0.
- Data is stored using a series of bits (e.g. 0001 0011 0011 0111, etc.).
- How does it work? For example, 1010 1010 binary = 170 decimal = AA hex:
    1*2^7 + 0*2^6 + 1*2^5 + 0*2^4 + 1*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 128 + 32 + 8 + 2 = 170

Standard units of data
- Double-Word (32 bits)
- Word (16 bits)
- Byte (8 bits)
- Nibble (4 bits)

Simplifying binary
- Hexadecimal, or base 16: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F
- Each hexadecimal digit represents a nibble (4 bits), which means you need two hexadecimal digits to represent a byte (e.g. FFh, 0x01, etc.).
- Memory addresses, integers, etc. are usually represented in hexadecimal (e.g. 0xdeadbeef) in your debugger.
- Don't panic! This is just another way of expressing a number.

Characters & Strings in C
- A character is usually one byte and can be represented numerically: 'A' = 41h = 65 = 0100 0001b. Corresponding C type: char
- A string is a series of characters terminated by a null character: "hello" = { 'h', 'e', 'l', 'l', 'o', '\0' }; or "hello" = { 68h, 65h, 6Ch, 6Ch, 6Fh, 00h }; Corresponding C type: char *

ASCII Table

Integers
- Can be double-words, words, or bytes.
- Their corresponding C types are, respectively: unsigned int or signed int; unsigned short int or signed short int; unsigned char or signed char (one byte).
- You can think of virtual memory addresses as unsigned ints.
CPU & Memory: A Brief Introduction

(Physical) Random Access Memory
- Fast storage space for instructions & data
- Byte-addressable
- Memory addresses are 36 bits wide in x86.

Virtual Memory
- Physical memory is managed directly by the operating system.
- The operating system abstracts memory to processes. Each program thinks it has 4 gigabytes of addressable memory, from 0x00000000 to 0xffffffff.
- Virtual memory addresses are double-words (32 bits).
Diagram (byte-addressable memory, one character per address, higher addresses at the top):
    Address      Data
    0xdeadbeef:  J
    0xdeadbeee:  I
    0xdeadbeed:  H
    0xdeadbeec:  G
    0xdeadbeeb:  F
    0xdeadbeea:  E
    0xdeadbee9:  D
    0xdeadbee8:  C
    0xdeadbee7:  B
    0xdeadbee6:  A

Virtual Memory: 4-byte Aligned
Diagram (higher addresses at the top; each row holds the four bytes at offsets +0 +1 +2 +3 from the address):
    Address      +0   +1   +2   +3
    0xdeadbf04:  o    l    !    00h
    0xdeadbf00:  e    20h  c    o
    0xdeadbefc:  s    20h  a    r
    0xdeadbef8:  o    b    a    r
    0xdeadbef4:  o    00h  f    o
    0xdeadbef0:  h    e    l    l
    0xdeadbeec:  efh  beh  adh  deh   = 0xdeadbeef
    0xdeadbee8:  01h  02h  03h  04h   = 0x04030201
    0xdeadbee4:  E    F    G    H
    0xdeadbee0:  A    B    C    D
Reading upward from 0xdeadbef0 gives the strings "hello" and "foobars are cool!" (20h is a space), each ending in a 00h null byte.

How integers are stored in RAM
- Double-word and word integers are stored in little-endian format:
  - The least significant byte is stored at the lower address.
  - The most significant byte is stored at the higher address.
- IMPORTANT: This does not apply to strings!
- Reference: http://en.wikipedia.org/wiki/endianness

Why is Little Endian Important?
- We need to know how to write memory addresses/integer values to memory.
- For example, 0xdeadbeef stored in memory would be \xef\xbe\xad\xde. How did we get that?
  1. Break your double word into bytes: 0xdeadbeef => 0xde, 0xad, 0xbe, 0xef
  2. Reverse the order: 0xef, 0xbe, 0xad, 0xde, or \xef\xbe\xad\xde in string format
x86 CPU: Registers
- General: EAX, EBX, ECX, EDX
- Index & Pointer: ESI, EDI, EBP, EIP, ESP
- Segment: CS, DS, ES, FS, GS, SS
- Indicator: EFLAGS
x86 Index & Pointer Registers
- EIP: Extended Instruction Pointer. Points to (or holds the address of) the next instruction.
- EBP: Extended Base Pointer. Points to the bottom of the stack.
- ESP: Extended Stack Pointer. Points to the top of the stack.

What is a pointer?
Diagram (same memory as the 4-byte aligned slide, higher addresses at the top):
    Address      +0   +1   +2   +3
    0xdeadbf04:  o    l    !    00h
    0xdeadbf00:  e    20h  c    o
    0xdeadbefc:  s    20h  a    r
    0xdeadbef8:  o    b    a    r
    0xdeadbef4:  o    00h  f    o
    0xdeadbef0:  h    e    l    l
    0xdeadbeec:  e0h  beh  adh  deh   = 0xdeadbee0
    0xdeadbee8:  01h  02h  03h  04h   = 0x04030201
    0xdeadbee4:  E    F    G    00h
    0xdeadbee0:  A    B    C    D
The double-word at 0xdeadbeec holds the address 0xdeadbee0: it is a pointer to the null-terminated string "ABCDEFG" that starts there.

What is the stack?
- Last In, First Out (LIFO)
- Used for storage of local variables and parameters.
- Usually 4-byte aligned
- Two common operations: push (put a value on the stack) and pop (remove a value from the stack)
- EBP points to the bottom of the stack; ESP points to the top of the stack.
Diagram: stack slots at offsets 0x00 through 0x13 (lower addresses at the bottom), each holding the bytes DE AD BE EF; push(0xefbeadde) adds a slot at the top and pop() removes it again.

Stack & EIP Coupling
- When the CPU is instructed to call a function, the address of the next instruction in the original thread of execution is pushed on the stack.
- When the CPU is instructed to return from a function, the address located at the top of the stack (pointed to by ESP) is popped into EIP.
call Example - Before
- Scenario: function foo() is at address 0x08048337.
- Code:
    0x8048006: call _foo
    0x804800B: nop
- Processor state before execution: EIP = 0x08048006, EBP = 0xFFFF0023, ESP = 0xFFFF001C
- Stack before execution:
    Address    Contents
    FFFF 0020  DEAD BEEF
    FFFF 001C  DEAD BEEF   <- ESP
    FFFF 0018  DEAD BEEF
    FFFF 0014  DEAD BEEF
    FFFF 0010  DEAD BEEF
    FFFF 000C  DEAD BEEF
    FFFF 0008  DEAD BEEF
    FFFF 0004  DEAD BEEF
    FFFF 0000  DEAD BEEF

call Example - After
- Scenario: function foo() is at address 0x08048337.
- Code:
    0x8048006: call _foo
    0x804800B: nop
- Processor state after execution: EIP = 0x08048337, EBP = 0xFFFF0023, ESP = 0xFFFF0018
- Stack after execution (the return address 0x0804800B was pushed, stored little-endian as the bytes 0B 80 04 08):
    Address    Contents
    FFFF 0020  DEAD BEEF
    FFFF 001C  DEAD BEEF
    FFFF 0018  0B80 0408   <- ESP
    FFFF 0014  DEAD BEEF
    FFFF 0010  DEAD BEEF
    FFFF 000C  DEAD BEEF
    FFFF 0008  DEAD BEEF
    FFFF 0004  DEAD BEEF
    FFFF 0000  DEAD BEEF

ret Example - Before
- Scenario: executing the first instruction at foo().
- Code:
    0x08048337: ret
- Processor state before execution: EIP = 0x08048337, EBP = 0xFFFF0023, ESP = 0xFFFF0018
- Stack before execution:
    Address    Contents
    FFFF 0020  DEAD BEEF
    FFFF 001C  DEAD BEEF
    FFFF 0018  0B80 0408   <- ESP
    FFFF 0014  DEAD BEEF
    FFFF 0010  DEAD BEEF
    FFFF 000C  DEAD BEEF
    FFFF 0008  DEAD BEEF
    FFFF 0004  DEAD BEEF
    FFFF 0000  DEAD BEEF

ret Example - After
- Scenario: executing the first instruction at foo().
- Code:
    0x08048337: ret
- Processor state after execution: EIP = 0x0804800B, EBP = 0xFFFF0023, ESP = 0xFFFF001C
- Stack after execution (the saved address was popped into EIP; the bytes stay in memory but are now above the top of the stack):
    Address    Contents
    FFFF 0020  DEAD BEEF
    FFFF 001C  DEAD BEEF   <- ESP
    FFFF 0018  0B80 0408
    FFFF 0014  DEAD BEEF
    FFFF 0010  DEAD BEEF
    FFFF 000C  DEAD BEEF
    FFFF 0008  DEAD BEEF
    FFFF 0004  DEAD BEEF
    FFFF 0000  DEAD BEEF
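The call/ret walk-through above and the little-endian storage rule from the earlier slides, replayed in C as an added example (not code from the deck): a 64-byte window standing in for 0xFFFF0000..0xFFFF003F, global EIP/ESP registers and the 5-byte length of `call _foo` are assumptions made to keep the model small.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian model of the stack window 0xFFFF0000..0xFFFF003F plus the
 * ESP/EIP coupling of call and ret. Registers are plain globals (assumed). */
#define STACK_BASE 0xFFFF0000u
static uint32_t eip, esp;
static uint8_t mem[64];

/* x86 stores the least significant byte at the lowest address:
 * 0xdeadbeef is laid out as ef be ad de. */
void store_dword(uint32_t addr, uint32_t v) {
    for (int i = 0; i < 4; i++)
        mem[addr - STACK_BASE + i] = (uint8_t)(v >> (8 * i));
}
uint32_t load_dword(uint32_t addr) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)mem[addr - STACK_BASE + i] << (8 * i);
    return v;
}
uint8_t mem_byte(uint32_t addr) { return mem[addr - STACK_BASE]; }
uint32_t reg_eip(void) { return eip; }
uint32_t reg_esp(void) { return esp; }

/* call: push the address of the next instruction, then jump to target. */
void do_call(uint32_t insn_len, uint32_t target) {
    esp -= 4;
    store_dword(esp, eip + insn_len);
    eip = target;
}
/* ret: pop the dword at ESP into EIP, unchecked. That saved return
 * address is the slot a stack overflow overwrites. */
void do_ret(void) {
    eip = load_dword(esp);
    esp += 4;
}

/* Replays the slides: EIP=0x08048006 runs the 5-byte `call _foo` with
 * foo() at 0x08048337, whose first instruction is ret. Returns the
 * return address that call saved on the stack. */
uint32_t replay_call_ret(void) {
    memset(mem, 0, sizeof mem);         /* slides show DEADBEEF filler */
    eip = 0x08048006u;
    esp = 0xFFFF001Cu;
    do_call(5, 0x08048337u);            /* ESP -> 0xFFFF0018 */
    uint32_t saved = load_dword(esp);   /* 0x0804800B, bytes 0B 80 04 08 */
    do_ret();                           /* EIP = 0x0804800B, ESP back */
    return saved;
}
```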
x86 Linux ABI: A Brief Introduction

x86 Linux ABI
- Application Binary Interface (ABI): the interface between two program modules (e.g. libraries, the OS, etc.)
- Defines: the Executable and Linkable Format (ELF); the function calling convention/sequence (cdecl); and more
- Based on the System V Release 4 (SVR4) specification, circa 1999
- See: http://www.sco.com/developers/devspecs/abi386-4.pdf

Executable and Linkable Format (ELF)
- Standard file format for Linux executables, shared objects, core dumps, etc.
- Broken into sections and segments
- Mini lab: sh$ readelf -S /bin/ls

GNU C standard library
- Reference: http://en.wikipedia.org/wiki/gnu_c_library

Glibc: Interesting Functions
- execve(char *command, char *argv[], char *envp[])
  - command: a string containing the name of the executable you want to execute.
  - argv: a null-terminated array of strings containing the arguments to pass to the program.
  - envp: a null-terminated array of strings containing the environment variables to pass to the program.
- system(char *command)
  - command: a string containing the name of the executable you want to execute.
- mprotect(void *addr, size_t len, int prot)
  - addr: a page-aligned memory address (a multiple of 0x1000).
  - len: the length of the memory region, starting from addr, whose permissions you wish to change.
  - prot: the permissions you wish to set for that memory region (0=PROT_NONE, 1=PROT_READ, 2=PROT_WRITE, 4=PROT_EXEC; the flags are OR'ed together).

ELF at Runtime: Memory Layout
- Reference: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
x86 Linux Function Calling Sequence
- Linux uses a standard called cdecl (C declaration). The agreement:
  1. The caller pushes the arguments on the stack in reverse order (right to left), so the first argument ends up on top.
  2. The callee is responsible for backing up registers prior to manipulating their values.
  3. The callee returns its result in register EAX.
  4. The caller is responsible for cleaning up the arguments from the stack.
- Functions allocate storage for local variables/buffers on the stack.

What does cdecl look like in Assembly?
C Code:
    int callee(int, int, int);

    int caller(void) {
        int ret;
        ret = callee(1, 2, 3);
        ret += 5;
        return ret;
    }
Assembly Code:
    caller:
        push ebp
        mov ebp, esp
        sub esp, 4          ; room for the local "ret"
        push 3              ; arguments pushed right to left
        push 2
        push 1
        call callee
        add eax, 5          ; result comes back in EAX
        mov [ebp - 4], eax  ; ret = callee(1, 2, 3) + 5
        add esp, 16         ; caller removes the 3 arguments and the local
        pop ebp
        ret                 ; end of caller, return value still in EAX

But GCC...
C Code:
    int callee(int, int, int);

    int caller(void) {
        int ret;
        ret = callee(1, 2, 3);
        ret += 5;
        return ret;
    }
Assembly Code (what GCC actually emits):
    caller:
        push ebp
        mov ebp, esp
        sub esp, 16             ; reserve the argument area once
        mov dword [esp + 8], 3  ; arguments are stored, not pushed:
        mov dword [esp + 4], 2  ; first argument at [esp], last at [esp + 8]
        mov dword [esp], 1
        call callee
        add eax, 5
        leave                   ; equivalent to: mov esp, ebp ; pop ebp
        ret                     ; end of caller
Linux x86 Stack Frame
- The memory range between where EBP and ESP point to.
- Local variables can be referenced relative to EBP or ESP.
Diagram: the previous stack frame sits at higher addresses than the current stack frame.
- Reference: http://unixwiz.net/techtips/win32-callconv-asm.html

Remember our definition of buffer overflows?
- Assume local var #1 (LV1) was a four-byte character array.
- What would happen if we copied 12 bytes of data into LV1?

Classic Buffer Overflow Lab: Smashing the Stack

Let's run this C code in our head.
C Code:
    #include <string.h>

    int main(int argc, char *argv[]) {
        char buf[4];
        strcpy(buf, argv[1]);
    }
Execution:
    sh$ ./a.out EEEEFFFFGGGG
Stack layout before the copy (higher addresses at the top; each row is four bytes at offsets 0 1 2 3):
    old EBP
    fcn param #n
    fcn param #2
    fcn param #1
    old EIP         03 08 04 08
    old EBP
    local var #1    B0 B1 B2 B3   (buf)
    local var #2

Let's run this C code in our head.
C Code:
    #include <string.h>

    int main(int argc, char *argv[]) {
        char buf[4] = "ABCD";
        strcpy(buf, argv[1]);
    }
Result:
    sh$ ./a.out EEEEFFFFGGGG
    Segmentation Fault
    sh$
Stack layout after the copy (higher addresses at the top; each row is four bytes at offsets 0 1 2 3):
    old EBP
    fcn param #n
    fcn param #2
    fcn param #1    00            (the terminating null byte)
    old EIP         G G G G
    old EBP         F F F F
    local var #1    E E E E       (buf)
    local var #2

What happened?
- We overwrote old EIP on the stack with 0x47474747, or "GGGG".
- When main returned, EIP was set to 0x47474747, an invalid memory address:
  - The memory region may not be executable or accessible because of permissions
  - It may not contain valid instructions
  - Etc.
- Since 0x47474747 is an invalid memory address, the program crashes with a Segmentation fault.
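The overflow just described, measured and then prevented, as an added C example that is not the lab's code: overflow_bytes() counts how far strcpy() would run past the lab's 4-byte buffer for a given argv[1], and bounded_copy() / lab_main_fixed() (assumed names) are the hardened replacement that rejects input that does not fit.

```c
#include <stddef.h>
#include <string.h>

/* The lab copies argv[1] into char buf[4] with strcpy(), which stops only
 * at the source's NUL. Everything past the fourth byte lands on the saved
 * EBP, the saved EIP and whatever sits above them. */

/* How many bytes would strcpy() write past a bufsz-byte buffer?
 * Counts the terminating NUL, which is why "EEEEFFFFGGGG" (12 chars)
 * spills 9 bytes: 4 over old EBP, 4 over old EIP, 1 NUL beyond. */
size_t overflow_bytes(size_t bufsz, const char *src) {
    size_t needed = strlen(src) + 1;
    return needed > bufsz ? needed - bufsz : 0;
}

/* Hardened replacement: copy only if src (plus its NUL) fits in dstsz
 * bytes. Never reads more than dstsz bytes of src, never writes past dst.
 * Returns 0 on success, -1 if the input is rejected. */
int bounded_copy(char *dst, size_t dstsz, const char *src) {
    size_t n = 0;
    if (dst == NULL || src == NULL || dstsz == 0) return -1;
    while (n < dstsz && src[n] != '\0') n++;
    if (n == dstsz) return -1;          /* no room left for the NUL */
    memcpy(dst, src, n + 1);            /* copies the terminator too */
    return 0;
}

/* The lab's main(), rewritten to reject oversized input instead of
 * overflowing. Returns 1 if argv1 was accepted into the 4-byte buffer. */
int lab_main_fixed(const char *argv1) {
    char buf[4];
    return bounded_copy(buf, sizeof buf, argv1) == 0;
}
```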
How do we exploit this?
- Instead of just crashing the application, let's try to execute code!
- We can control EIP by writing over old EIP on the stack with a valid address.
- We can also write instructions on the stack.

Unreliable Remote Code Execution
- Let's overwrite old EIP with a hard-coded return address.
- Let's append an int 3 CPU instruction to the end of our buffer.
Result:
    sh$ ./a.out $'EEEEFFFF\x10\x01\xff\xbf\xcd\x03'
    Trace/breakpoint trap
    sh$
Stack layout after the copy (higher addresses at the top; the figure labels the rows with addresses from 0xbfff0120 down to 0xbfff0110):
                    CD 03 00      (int 3, then the terminating null)
    old EIP         10 01 FF BF   (= 0xbfff0110)
    old EBP         F F F F
    local var #1    E E E E
    local var #2

What happened this time?
- We overwrote old EIP on the stack with the address 0xbfff0110, the address just above old EIP.
- When main returned, EIP was set to 0xbfff0110.
- Our int 3 CPU instruction is located at address 0xbfff0110.
- The CPU executes our instruction (breakpoint), which emits the "Trace/breakpoint trap" message.
- In other words, we've got code execution!

Now let's try this in real life!
- Open your terminal
- Navigate to ~/labs/lab1
- Type gdb ./lab1
- If all is well you should get a peda-gdb$ prompt. Now follow along.
Places to Learn
- WeChall (www.wechall.net) has a list of a lot of online gaming/exploitable servers.
- OTW (www.overthewire.org) is largely focused on Linux-based vulnerabilities; a great learning resource.
- Phrack Magazine (www.phrack.org) is fantastic if you don't mind reading ASCII articles.

Thank You! Questions?