Shellcode Analysis. Chapter 19


What is Shellcode
- Shellcode: a payload of raw executable code; attackers use this code to obtain interactive shell access.
- A binary chunk of data; can be generally referred to as self-contained executable code.
- IDA Pro can load the shellcode binary, but no automatic analysis is available, since there is no executable file format describing the content.

Position-Independent Code
- No hard-coded addresses in shellcode (Table 19-1, p. 408).
- call/jmp are position independent: they calculate target addresses by adding an offset.
- A mov accessing a global memory location is not position independent; a mov accessing an address as an offset from a register is position independent.
- Shellcode has no hard-coded memory addresses; all branches and jumps are relative.
- Code can be placed anywhere in memory and still function as intended.
- Essential in exploit code and shellcode injected from a remote location, since addresses are not known in advance.

Identifying Execution Location
- Shellcode may need to find out its own execution location in order to dereference a base pointer to its embedded data.
- x86 does not provide EIP-relative access to embedded data as it does for control-flow instructions.
- Must load EIP into a general-purpose register. Problem: mov %eax, %eip is not allowed.
- Two methods; call/pop: call pushes the EIP of the next instruction onto the stack, and pop retrieves it (Listing 19-1, p. 410).

Example: JMP-CALL-POP
- jmp to the shellcode; dynamically figure out the memory address of "Hello World" with no hard-coded address.
- After the call, the address of the next instruction will be pushed onto the stack.
- Inside the call target, pop this address off the stack into EDI.

Manual Symbol Resolution
- Shellcode needs to resolve external symbols; it cannot use the Windows loader to ensure libraries are in process memory, so it must find symbols by itself.
- Must dynamically locate functions such as LoadLibraryA and GetProcAddress (both located in kernel32.dll).
- Finding kernel32.dll in memory: undocumented structure traversal (Figure 19-1, Listing 19-4, p. 414-415).
- From Windows 2000 through Vista, kernel32.dll follows ntdll.dll (second place in InInitializationOrderLinks); Windows 7/10 change this, so confirm using the UNICODE_STRING FullDllName.

Locate kernel32.dll
- Begins with the TEB: FS segment register, offset 0x30 -> PEB; offset 0xC within the PEB -> linked list traversal.
- Windows 2000 through Vista: kernel32.dll follows ntdll.dll; changed starting with Windows 7.

Parsing PE Export Data
- After the base address of kernel32.dll is found, parse the PE export data in kernel32.dll for exported symbols.
- Addresses of exported functions are in the header as relative virtual addresses (IMAGE_EXPORT_DIRECTORY): the AddressOfFunctions, AddressOfNames, and AddressOfNameOrdinals arrays (Figure 19-2, p. 417).
- To keep shellcode compact, hashes of function names are used for comparison: a 32-bit rotate-right-additive hash (Listings 19-5, 19-6, p. 418-419) calculates a 32-bit hash value.
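As an added example (not the book's listings or the slides' code), the following Python builds a constructed miniature export directory and resolves a function through the rotate-right-additive hash exactly as the export walk above describes; the analyst-side use is precomputing hashes of known API names so a hash constant found in shellcode maps back to its name. The rotation count of 13 and the sample RVAs are assumptions.

```python
import struct

def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF

def hash_name(name, rot=13):
    """Rotate-right-additive hash of an ASCII export name (Listings 19-5/19-6).
    The rotation count 13 is an assumption; shellcode families vary it."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, rot) + ch) & 0xFFFFFFFF
    return h

def build_fake_image(exports):
    """Constructed stand-in for a mapped DLL: IMAGE_EXPORT_DIRECTORY at RVA 0,
    then the three arrays and the name strings. exports = [(name, rva), ...]."""
    n = len(exports)
    funcs_rva, names_rva = 40, 40 + 4 * n
    ords_rva, strings_rva = names_rva + 4 * n, names_rva + 6 * n
    strings, name_rvas = b"", []
    for name, _ in exports:
        name_rvas.append(strings_rva + len(strings))
        strings += name.encode("ascii") + b"\x00"
    # Fields: Characteristics, TimeDateStamp, Major/MinorVersion, Name, Base,
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions/Names/NameOrdinals
    directory = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,
                            funcs_rva, names_rva, ords_rva)
    funcs = b"".join(struct.pack("<I", rva) for _, rva in exports)
    names = b"".join(struct.pack("<I", r) for r in name_rvas)
    ords = b"".join(struct.pack("<H", i) for i in range(n))  # unbiased ordinals
    return directory + funcs + names + ords + strings

def resolve_by_hash(image, export_dir_rva, target, rot=13):
    """Walk AddressOfNames as hash-resolving shellcode does: hash each name; on
    a match index AddressOfNameOrdinals, then AddressOfFunctions. None if absent."""
    d = struct.unpack_from("<IIHHIIIIIII", image, export_dir_rva)
    num_names, funcs_rva, names_rva, ords_rva = d[7], d[8], d[9], d[10]
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        name = image[name_rva:image.index(b"\x00", name_rva)].decode("ascii")
        if hash_name(name, rot) == target:
            ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
            return struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
    return None

# Constructed sample with made-up RVAs; real kernel32 exports far more names.
SAMPLE = build_fake_image([("GetProcAddress", 0x1A2B0), ("LoadLibraryA", 0x1C3D0), ("ExitProcess", 0x1E4F0)])
```

When triaging real shellcode, run hash_name over the export names of the DLLs the sample targets and keep the resulting table; the rotation count must be read from the sample's own hash loop before the table is useful.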

Shellcode Encoding
- Shellcode must be embedded in the program before the exploit occurs, or passed to the exploit.
- Exploits target unsafe string functions such as strcpy and strcat, which do not enforce a maximum length (buffer overflow).
- Shellcode must look like valid data: no NULL bytes in the middle if strcpy/strcat is used, since these stop at NULL and would terminate the buffer overflow prematurely.
- The payload is encoded to pass the filter (which also makes analysis more difficult).

Buffer Overflow Attacks
- The return address is stored on the stack; attackers want to overwrite it with another, malicious address to redirect execution to the shellcode.
- Attackers have to deal with two unknowns:
  1. What is the distance between the overflowed buffer and the return address slot? Attackers have to guess the displacement.
  2. What is the actual address of the shellcode? The shellcode is in the buffer, as part of the data, so attackers have to guess its address; NOP sleds increase the probability of a hit.

NOP Sleds
- NOP (no operation) does nothing.
- A long sequence of NOPs preceding the shellcode allows the exploit to increase the likelihood of a hit by providing a range of addresses that all result in the shellcode executing.
- To avoid detection, the sled can instead repeat increment/decrement instructions on registers.
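Detection-side counterpart, as an added example (not from the slides): a scanner that flags long runs of single-byte sled filler in a raw buffer, covering both classic 0x90 NOPs and the one-byte inc/dec register opcodes (0x40-0x4F) that the slide mentions as a substitute. The sample payload and the 32-byte threshold are constructed assumptions.

```python
# Single-byte x86 opcodes usable as sled filler: NOP (0x90) and the one-byte
# inc/dec reg encodings (0x40-0x4F), which leave control flow untouched.
SLED_BYTES = frozenset([0x90] + list(range(0x40, 0x50)))

def find_sleds(data, min_len=32):
    """Return [(offset, length), ...] for every run of sled bytes of at least
    min_len in a raw buffer (packet payload, file, or memory dump)."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b in SLED_BYTES:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs

# Constructed sample: a request line, a classic 64-byte NOP sled, filler that
# breaks the run, and a 48-byte inc eax / dec eax sled that reads as "@H@H...".
SAMPLE = (b"GET /index.html " + b"\x90" * 64 + b"\xcc" * 4
          + b"HTTP/1.0\r\n" + bytes([0x40, 0x48] * 24) + b"\r\n")
```

Uppercase "@" and "A" through "O" share the 0x40-0x4F range, so ordinary ASCII text produces short runs; keep min_len well above what legitimate text yields and treat a hit as a triage signal, not proof.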