Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Similar documents
Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Instruction Set Architectures

MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION

Assembly Language Each statement in an assembly language program consists of four parts or fields.

Registers. Ray Seyfarth. September 8, Bit Intel Assembly Language c 2011 Ray Seyfarth

Buffer Overflow Attack (AskCypert CLaaS)

Function Call Convention

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

Credits and Disclaimers

CS Bootcamp x86-64 Autumn 2015

Buffer Overflow Attack

Machine-Level Prog. V Miscellaneous Topics

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Instruction Set Architecture (ISA) Data Types

U23 - Binary Exploitation

How Software Executes

Lecture 4 CIS 341: COMPILERS

Sungkyunkwan University

Buffer overflow background

MACHINE-LEVEL PROGRAMMING I: BASICS

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Instruction Set Architectures

The von Neumann Machine

18-600: Recitation #4 Exploits

ANITA S SUPER AWESOME RECITATION SLIDES

The x86 Architecture

Machine-Level Prog. V Miscellaneous Topics

RISC I from Berkeley. 44k Transistors 1Mhz 77mm^2

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux


Return Oriented Programming

The von Neumann Machine

Binghamton University. CS-220 Spring x86 Assembler. Computer Systems: Sections

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4

Buffer Overflow. An Introduction

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Assembly I: Basic Operations. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Computer Processors. Part 2. Components of a Processor. Execution Unit The ALU. Execution Unit. The Brains of the Box. Processors. Execution Unit (EU)

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Reverse Engineering II: Basics. Gergely Erdélyi Senior Antivirus Researcher

x86 assembly CS449 Fall 2017

Buffer-Overflow Attacks on the Stack

CS 261 Fall Machine and Assembly Code. Data Movement and Arithmetic. Mike Lam, Professor

Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

Today: Machine Programming I: Basics

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Buffer-Overflow Attacks on the Stack

Buffer overflows. Specific topics:

Machine Program: Procedure. Zhaoguo Wang

6/20/2011. Introduction. Chapter Objectives Upon completion of this chapter, you will be able to:

Machine-Level Programming V: Buffer overflow

buffer overflow exploitation

Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

Instruction Set Architectures

x86 Programming I CSE 351 Winter

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

18-600: Recitation #4 Exploits (Attack Lab)

6/17/2011. Introduction. Chapter Objectives Upon completion of this chapter, you will be able to:

Carnegie Mellon. 5 th Lecture, Jan. 31, Instructors: Todd C. Mowry & Anthony Rowe

20: Exploits and Containment

Buffer Overflows Defending against arbitrary code insertion and execution

Chapter 2: The Microprocessor and its Architecture

Meet & Greet! Come hang out with your TAs and Fellow Students (& eat free insomnia cookies) When : TODAY!! 5-6 pm Where : 3rd Floor Atrium, CIT

Reverse Engineering II: The Basics

Program Exploitation Intro

CSC 405 Computer Security Stack Canaries & ASLR

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

Is stack overflow still a problem?

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

CSC 252: Computer Organization Spring 2018: Lecture 9

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CMPSC 497 Buffer Overflow Vulnerabilities

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Lecture (02) The Microprocessor and Its Architecture By: Dr. Ahmed ElShafee

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Basic Buffer Overflows

Lecture 08 Control-flow Hijacking Defenses

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM

Lab 10: Introduction to x86 Assembly

Smashing the Buffer. Miroslav Štampar

Exploits and gdb. Tutorial 5

Function Calls and Stack

Today: Machine Programming I: Basics. Machine Level Programming I: Basics. Intel x86 Processors. Intel x86 Evolution: Milestones

Machine/Assembler Language Putting It All Together

Machine- Level Programming V: Advanced Topics

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Intel Architecture. Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

EEM336 Microprocessors I. Addressing Modes

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Exercise 6: Buffer Overflow and return-into-libc Attacks

From Over ow to Shell

CS241 Computer Organization Spring 2015 IA

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Transcription:

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits Rochester Security Summit 2014 Rochester OWASP Chapter Lead Ralph Durkee - Durkee Consulting, Inc. info@rd1.net

Ralph Durkee Background Founder of Durkee Consulting since 1996 Founder of Rochester OWASP since 2004 Founder & Past President of Rochester ISSA Chapter Application Penetration Tester, Security Trainer, Incident Handler and Auditor Application Security, development, auditing, PCI compliance, penetration testing and consulting CIS (Center for Internet Security) development of benchmark security standards Apache, Linux, BIND DNS, OpenLDAP, FreeRadius, Unix, FreeBSD 2

Agenda What is Ethical Hacking, and Why is it Important? Stack Overflows - What and How Demo 0 - Finding a Buffer Overflow The Intel Linux Stack Details Demo 1 - Finding the Return Pointer Demo 2 - Overwriting the Return Pointer Introduction to Shell Code Demo 3 Full Exploit with Shell Code 3

Definition: Ethical Hacking Hacking Manipulating things to do stuff beyond or contrary to what was intended by the designer or implementer. Ethical Hacking Using hacking and attack techniques to find and exploit vulnerabilities for the purpose of improving security with the following: Permission of the owners In a professional and safe as possible manner Respecting privacy and property 4

Why Ethical Hacking? How Does Ethical Hacking Help? Why is it Important? Deeper Understanding of Vulnerabilities Deeper Understanding of Prevention Measures Understanding the Real Risk. Refuting Bogus Security Vendor Claims. Motivates Remediation! 5

Buffer Overflow Background Data Overruns Past End of the Buffer Buffers are allocated from Heap Dynamically allocated buffers free()/malloc() or New/Delete or other Stack local variables and function arguments Exploitation of Heap & Stack Overflows differs, as they have very different structures Our Focus Stack Overflows 6

Stack Overflows History 1988 Morris Worm Unix Finger 2003 SQL Slammer Worm MS SQL & MSDE 2003 Blaster Worm DCOM RPC 2010 Apple ios Char String decoder Aug 2013 Apache Santuario Impact: Remote Code Execution 7

Finding Buffer Overflows Review the source code, if Available Search for dangerous functions strcpy(3), strcat(3), sprintf(3), vsprintf(3) gets(3) Better to use strncpy(3), strncat(3), snprintf(3), vsnprintf(3) fgets(3) scanf(3), the *scand(3) if format length not limited getopt(3), strtok(3) and others. 8

Finding Buffer Overflows (2) What if you don't have source code? Search the binary executable with strings(1) debugger such as gdb or IDA, OllyDbg Metasploit msfelfscan & msfpescan Search for register usage and patterns 9

0 Finding Buffer Overflows (3) Fuzzing or Cramming Input Generates long repeating patterns attempting to overflow a buffer Wait for application crash or core dump Examine Registers, (especially the Instruction Pointer) Look for signs of the Fuzzed Data in the registers 10

1 Demo 0 Finding a Buffer Overflow 11

2 GNU / Linux Stack Overflow Defenses GNU GCC Stack Protector -fstack-protector -fstack-protector-strong -fstack-protector-all Fortify Source -D_FORTIFY_SOURCE=1 -D_FORTIFY_SOURCE=2 Non-executable Stack -Wl,-z,noexecstack Address Randomization ASLR sysctl kernel.randomize_va_space = 0 or 1 or 2 Good Programming 12

3 Stack Overflows Example 1 Sample Code Stack Overflow 13

4 The Stack with func1() Low mem Addr STACK High Mem Addr Pop values stack grows via push func1( ) key func1( ) buf[128] Stack Frame Pointer Rtn Addr [ Back to main() ] func1 arg cp func1() Stack Frame main() Stack Fram 14

5 The Stack with func1() Overflow of buf[128] Low mem Addr STACK High Mem Addr Pop values func1( ) key stack grows via push func1( ) Stack Rtn Addr func1 buf[128] Frame [ Back to arg Pointer String is too long to main() fit and ] overflows cp func1() Stack Frame main() Stack Fram 15

6 So What's Accomplished? func1() Stack frame Filled buf[128] Overwrote Stack Frame Pointer Overwrote the Return Address Modify Values of Arguments main() Stack Frame More of the same? Think like a Hacker: How is this useful? 16

7 Intel x86 * Registers 16 bit 32 Bit 64 Bit Description AX EAX RAX Accumulator BX EBX RBX Base Index (for arrays) CX ECX RCX Counter (for loops) DX EDX RDX Data / General SP ESP RSP Stack Pointer (top) BP EBP RBP Stack Base Pointer (current) SI ESI RSI Source Index (String ops) DI EDI RDI Destination Index (String ops) IP EIP RIP Instruction Pointer 17

8 Stack/Heap Platform Differences Meta Data Structure Details for Stack and Heap vary significantly Different platforms: Windows Different from Linux Releases: Different for Windows versions or Linux Distros Usage: C++ new/delete has different heap from the C malloc/free Compiler: Even different based on compiler used and compiler options used. 18

9 How to Write a Stack Overflow Exploit 1. Find input that causes a stack overflow 2. Find the data location that overwrites the return address 3. Write or borrow the Shell code payload for the exploit, and include it in the input 4. Find the approximate address where the payload lands 5. Overwrite return pointer with the correct address 6. Document, Report and Bask in the Glory! :-) 19

0 2. Finding the Return Pointer What portion of the malicious input overwrite the return pointer? Techniques: Input a repeating Pattern like: AAAAAAAAAABBBBBBBBBCCCCCCCCDDDDD DDDDDEEEEEEEEEE Exploit in gdb and Check the EIP/RIP value. Then use a differentiating pattern like: ABCEDFGHIJABCEDFGHIJABCEDFGHIJABCEDF GHIJABCEDFGHIJ. Intersection of the pattern determines the location. 20

1 Demo 2 - Finding the Return Pointer 21

2 Demo 3 - Overwriting the Return Pointer 22

3 Shell Code Introduction Shell Code = payload (what do you want to do?) A common exploit is to execute a shell Other options: Add Admin user account Connect to a network port, and read commands Listen on network for commands Reset an admin password What ever is useful for an attack 23

4 Shell Code Short Cut Quick Approach, write a shell function shell() { execve("/bin/bash",null,null); } Disassemble the function (gdb) disassemble shell Dump of assembler code for function shell: 0x0804842c <+0>: push %ebp 0x0804842d <+1>: mov %esp,%ebp 0x0804842f <+3>: sub $0x18,%esp 0x08048432 <+6>: movl $0x0,0x8(%esp) 0x0804843a <+14>: movl $0x0,0x4(%esp) 0x08048442 <+22>: movl $0x8048526,(%esp) 0x08048449 <+29>: call 0x8048350 <execve@plt> 24

5 Shell Code Requirements Shell code requirements Written in Assembler Specific Operating System (Mac. Windows, Linux, Unix) Specific to the Hardware (x86, x86_64, Sparc, RISC etc) Must fit into the vulnerable buffer space Often can't contain zero bytes Must have position independent code 25

6 Exploit & Shell Code Resources Where to get Shell Code www.exploit-db.com/shellcode/ Metasploit www.securityfocus.com Google http://www.rapid7.com/db/ Others 26

7 Demo 5 Full Exploit 27

8 Summary: Hands-On Ethical Hacking - Stack Overflows Ethical Hacking Always with Permission & Stay in Scope Understanding how it works leads to understanding how it breaks Experimentation and Failure are essential Hacking = Learning Test all assumptions Have Fun! Don't boast or get a big ego. 28

Thank You! Ralph Durkee info@rd1.net

0 Resources - Non-Profit Groups & Events OWASP Rochester Chapter Information https://www.owasp.org/rochester Rochester Security Summit htttps://rochestersecurity.org/ 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback