Syscall Proxying. Simulating Remote Execution. Maximiliano Cáceres.

Similar documents
CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

The Geometry of Innocent Flesh on the Bone

Shell Code For Beginners

CS 5460/6460 Operating Systems

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

CS 537 Lecture 2 - Processes

Function Call Convention

Buffer Overflow Attack

CS 537 Lecture 2 Computer Architecture and Operating Systems. OS Tasks

Return-orientated Programming

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Università Ca Foscari Venezia

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

OpenBSD Remote Exploit

buffer overflow exploitation

Mechanisms for entering the system

ISA564 SECURITY LAB. Shellcode. George Mason University

Practical Malware Analysis

CSC 405 Computer Security Shellcode

Ausgewählte Betriebssysteme. Anatomy of a system call

Memory Models. Registers

Protecting Against Unexpected System Calls

Program Exploitation Intro

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Exercise 6: Buffer Overflow and return-into-libc Attacks

Assembly Language: Function Calls" Goals of this Lecture"

Processes (Intro) Yannis Smaragdakis, U. Athens

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

System Calls. A contract between processes and the operating system. Michael E. Locasto. Department of Computer Science UofC CPSC 457

Assembly Language: Function Calls" Goals of this Lecture"

Is stack overflow still a problem?

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Assembly Language: Function Calls

Protection and System Calls. Otto J. Anshus

From Over ow to Shell

Biography. Background

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Rootkits n Stuff

EECE.3170: Microprocessor Systems Design I Summer 2017 Homework 4 Solution

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

3. Process Management in xv6

Intel Architecture. Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

CPS104 Recitation: Assembly Programming

SOEN228, Winter Revision 1.2 Date: October 25,

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

Objectives. Chapter 2: Operating-System Structures. 2.1 Operating System Services

CS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE

X86 Stack Calling Function POV

Return Oriented Programming

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

Exploits and gdb. Tutorial 5

CVE EXPLOIT USING 108 BYTES AND DOWNLOADING A FILE WITH YOUR UNLIMITED CODE BY VALTHEK

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

CSC369 Lecture 2. Larry Zhang

16.317: Microprocessor Systems Design I Fall 2014

Assembly Language Lab # 9

Introduction to the Process David E. Culler CS162 Operating Systems and Systems Programming Lecture 2 Sept 3, 2014

CSC369 Lecture 2. Larry Zhang, September 21, 2015

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Return oriented programming

20: Exploits and Containment

Shellcode Analysis. Chapter 19

x86 assembly CS449 Fall 2017

About unchecked management SMM & UEFI. Vulnerability. Patch. Conclusion. Bruno Pujos. July 16, Bruno Pujos

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

Operating System Architecture. CS3026 Operating Systems Lecture 03

ICS143A: Principles of Operating Systems. Midterm recap, sample questions. Anton Burtsev February, 2017

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Register Allocation, iii. Bringing in functions & using spilling & coalescing

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

CSE 153 Design of Operating Systems Fall 18

Secure Systems Engineering

Lab 10: Introduction to x86 Assembly

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

NetWare Kernel Stack Overflow Exploitation.

Operating Systems. Part 8. Operating Systems. What is an operating system? Interact with Applications. Vector Tables. The master software

+ Overview. Projects: Developing an OS Kernel for x86. ! Handling Intel Processor Exceptions: the Interrupt Descriptor Table (IDT)

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

This is an example C code used to try out our codes, there several ways to write this but they works out all the same.

18-600: Recitation #4 Exploits (Attack Lab)

Hack.lu October 18-20, 2007 Kirchberg, Luxembourg. Zombie2.0. Fernando Russ Diego Tiscornia

Transcription:

Syscall Proxying Maximiliano Cáceres maximiliano.caceres@corest.com Caesars Palace, Las Vegas, NV, USA July 31st, 2002

Agenda General Concepts Syscall Proxying A first implementation Optimizing for size The real world: applications

General Concepts

A Process Interacts with Resources Process Operating System A file in disk The screen A networking card

Syscalls System calls (aka syscalls ) Operating system services Lowest layer of communication between a user mode process and the kernel

The System Services Layer The UNIX Way The Windows Way Homogeneous mechanism for calling any syscall by number Native API undocumented and unsupported Arguments passed through the stack or registers Minimum number of system services Direct mapping between syscall and libc wrapper High number of system level services (about 1000) Win32 API calls implement a lot of functionality around these services

Our Windows Syscalls Keep things simple ANY function in ANY dynamic library available to a user mode process

Syscall Proxying

The Process Context A process uses resources to accomplish a goal These resources define a context on which the process runs The specific resource instances The kind of access to these resources

A process reading data from a file

Two Layers Syscall stub / client Syscall server Nexus between process and system services Converts syscall argument to a common format (marshaling) Sends requests to the syscall server Marshals return values Handles requests from the syscall client Converts arguments in request to native convention Calls the specified syscall Sends back a response to the client

A process reading data from a file, using these two layers

Separating Client from Server Reader Process Remote system services Syscall stub Syscall server Network layer Network link Network layer

Syscall Proxying in Action

Changing Context Separating client from server The process accesses remote resources (a file) The process uses the privileges of the remote server The process doesn t now anything about remote execution No modifications on the original program Same inner logic

A first implementation

Implementing Syscall Proxying The RPC Model Client / server Remote calls are handled by both a client stub and a server stub Perfect match!

The RPC Model

Benefits and Shortcomings of the RPC Model Benefits Interoperability between different platforms Almost any procedure call can be converted to RPC Shortcomings Both client and server symmetrically duplicate data conversion to a common data interchange format

Optimizing for size

The UNIX Syscall Mechanism Homogeneous way of passing arguments Integers Pointers to integers Pointers to buffers Pointers to structs Simple calling mechanism Software interrupt Trap Far call

Fat Client, Thin Server Client code directly converts from the client system s calling convention to the server s (no intermediate common format) The server takes advantage of the generic mechanism for calling syscalls The client is completely dependent on the server s platform

Marshaling Arguments Client code creates a request representing the stack state in the server just before invoking the syscall Integers are trivially packed Pointers to buffers or structures are relocated inside the same request buffer using the server s stack pointer

Marshaling arguments for open()

Linux syscalls Invoking a syscall in Linux Load EAX with syscall number Load arguments in EBX, ECX, EDX, ESI and EDI (syscalls with more than 5 arguments push the rest on the stack) Call software interrupt 0x80 (int $0x80) Return value in EAX

Debugging open() Breakpoint 1, 0x08050f60 in libc_open () (gdb) x/20i $eip < libc_open>: push %ebx 0x8050f61 < libc_open+1>: mov 0x10(%esp,1),%edx 0x8050f65 < libc_open+5>: mov 0xc(%esp,1),%ecx 0x8050f69 < libc_open+9>: mov 0x8(%esp,1),%ebx 0x8050f6d < libc_open+13>: mov $0x5,%eax 0x8050f72 < libc_open+18>: int $0x80 0x8050f74 < libc_open+20>: pop %ebx 0x8050f75 < libc_open+21>: cmp $0xfffff001,%eax 0x8050f7a < libc_open+26>: jae 0x8056f50 < syscall_error> 0x8050f80 < libc_open+32>: ret

A simple Linux server Pseudocode for a simple linux server channel = set_up_communication() channel.send(esp) while channel.has_data() do request = channel.read() copy request in stack pop registers int 0x80 push eax channel.send(stack)

A simple syscall server in Linux (1) Read request straight into the stack read_request: mov fd, %ebx mov buflen, %edx movl $3,%eax # NR_read mov %esp,%ecx # buff int $0x80

A simple syscall server in Linux (2) Invoke the desired syscall do_request: pop %eax pop %ebx pop %ecx pop %edx pop %esi pop %edi int $0x80 The request previously stored in ESP is the stack needed by the syscall PLUS buffers

A simple syscall server in Linux (3) Coding a simple syscall server for Linux can be done It takes about a hundred bytes long (without optimizing)

What about Windows? Windows syscalls any function in any dynamic library available to a user mode process. Common mechanism

The Windows Syscall Server (1) Windows server Call any function in its process address space (already loaded) In particular Call LoadLibrary to load a new DLL Call GetProcAddress to obtain the address of a specific function

The Windows Syscall Server (2) Pseudocode for a sample Windows server channel = set_up_communication() channel.send(esp) channel.send(address of LoadLibrary) channel.send(address of GetProcAddress) while channel.has_data() do request = channel.read() copy request in stack pop ebx call [ebx] push eax channel.send(stack)

The Real World: applications

Exploiting Code Injection Vulnerabilities Allow an attacker to execute arbitrary code in the target system Buffer overflows User supplied format strings Attack method Injection: attack specific Payload: what to execute once control is gained Shell code: code that spawns a shell

The Privilege Escalation Phase Successful attack against a host. Use the compromised host as vantage point ( pivoting ) Attacker profile switch: from external to internal Exploit webs of trust Possibly more privileged position in the target system s network To be able to pivot, the auditor needs his tools available at the vantage point

Redefining the word shellcode Supply thin syscall server as attack payload Benefits Transparent pivoting Local privilege escalation No shell? Who cares!

Conclusions

Conclusions Powerful technique when staging attacks against code injection vulnerabilities Turns the compromised host into a new attack vantage point Useful when shell code customization is needed Framework for developing new penetration testing tools Raises the value of the tools

Questions?

Thank You! Maximiliano Cáceres maximiliano.caceres@corest.com

CORE Syscall SECURITY Proxying TECHNOLOGIES Simulating Remote Offices Execution Worldwide Headquarters 44 Wall Street 12th Floor New York, NY 10005 USA Ph: (212) 461-2345 Fax: (212) 461-2346 info.usa@corest.com Florida 141 2º cuerpo 7º piso (C1005AAC) Buenos Aires Tel/Fax: (54 11) 4878-CORE (2673) info.argentina@corest.com Rua do Rócio 288 7º andar Vila Olímpia São Paulo SP CEP 04552-000 Brazil Tel: (55 11) 3054-2535 Fax: (55 11) 3054-2534 info.brazil@corest.com www.corest.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback