INTRODUCTION TO EXPLOIT DEVELOPMENT

Similar documents
Lecture 08 Control-flow Hijacking Defenses

Writing Exploits. Nethemba s.r.o.

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Advanced Buffer Overflow

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Smashing the Buffer. Miroslav Štampar

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Advanced Buffer Overflow

Buffer Overflows Defending against arbitrary code insertion and execution

Software Security II: Memory Errors - Attacks & Defenses

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Writing your first windows exploit in less than one hour

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Return-orientated Programming

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Zero Day Zen Garden: Windows Exploit Development - Part 4 [Overwriting SEH with Buffer Overflows]

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

CMPSC 497 Buffer Overflow Vulnerabilities

Stack overflow exploitation

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Software Security: Buffer Overflow Defenses

CMSC 414 Computer and Network Security

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Basic Buffer Overflows

Offensive Security My First Buffer Overflow: Tutorial

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

buffer overflow exploitation

(Early) Memory Corruption Attacks

Outline. Memory Exploit

Software Security: Buffer Overflow Attacks

Practical Malware Analysis

20: Exploits and Containment

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

CS 161 Computer Security

Buffer overflow background

From Over ow to Shell

Università Ca Foscari Venezia

Software Security: Buffer Overflow Attacks (continued)

Exploit Development. License. Contents. General notes about the labs. General notes about the labs. Preparation. Introduction to exploit development

Sample slides and handout

Title: SEH Overwrites Simplified. Date: October 29 th Author: Aelphaeis Mangarae

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Software Security: Buffer Overflow Defenses and Miscellaneous

18-600: Recitation #4 Exploits

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Selected background on ARM registers, stack layout, and calling convention

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Remote Buffer Overflow Exploits

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Shellcode Analysis. Chapter 19

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

WRITING YOUR FIRST EXPLOIT LECTURE NOTES

SoK: Eternal War in Memory

Q: Exploit Hardening Made Easy

Exploits and gdb. Tutorial 5

Biography. Background

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CSE 127 Computer Security

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform

Control Hijacking Attacks

CSE 127 Computer Security

CSE 127 Computer Security

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Inject malicious code Call any library functions Modify the original code

18-600: Recitation #4 Exploits (Attack Lab)

Bypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.

Memory Safety (cont d) Software Security

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

Memory corruption countermeasures

Function Call Convention

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Runtime Defenses against Memory Corruption

Foundations of Network and Computer Security

ht IE exploit analysis

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Lecture 10 Code Reuse

Buffer Overflow and Protection Technology. Department of Computer Science,

Lecture 4 September Required reading materials for this class

CS 161 Computer Security

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Bypassing Browser Memory Protections

unrop: Creating Correct Backtrace from Core Dumps with Stack Pivoting Yuchen Ying (Under the direction of Kang Li) Abstract

Computer Security Course. Midterm Review

CS527 Software Security

Transcription:

INTRODUCTION TO EXPLOIT DEVELOPMENT Nathan Ritchey and Michael Tucker

Who Am I (Nathan Ritchey) Have Bachelors in Computer Science Member of CSG Working on Masters with focus on Information Assurance Some Interests

Who Am I (Michael Tucker) Graduate from UTD Member of CSG and the CTF team Vulnerability analysis for Raytheon

Definitions Reverse Engineering Vulnerability Analysis Exploitation

Reverse Engineering (RE) A systematic methodology for analyzing the design of an existing device or system, either as an approach to study the design or as a prerequisite for re-design.

Vulnerability Analysis (VA) Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.

Exploitation An exploit (from the verb to exploit, in the meaning of using something to one s own advantage) is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial-of-service attack. - Wikipedia

What s the Difference? Reverse Engineering The act of figuring out the design and implementation of the system. Vulnerability Analysis The act of finding flaws and weaknesses in any part of said system. Exploitation Development The act of turning said vulnerability into an actual means of compromising the system s confidentiality, integrity, and/or availability. Hacking Utilization of the exploit.

The Payoff Turning a software vulnerability into an exploit can be hard. Google, for example, rewards security researchers for finding vulnerabilities in its Chrome web browser. The payouts Google make are in the range of $500 to $3000. However it also runs competitions for security specialists to present exploited vulnerabilities. These exploits are rewarded much larger sums, as much as $60,000. The difference in payouts reflects the magnitude of the task when trying to exploit a vulnerability. -livehacking.com

Legality It s alright to develop, but seek legal expertise to implement. Are you connected to the internet? Are you accessing a remote system? Do you have permission to access that system? Look at How to Disclose or Sell an Exploit Without Getting in Trouble by Jim Denaro

Illegal Examples Sony PlayStation 3 Target Heartland Home Depot Adobe

Pinball on Windows XP First hands-on example Reverse Engineer the Pinball game Conduct Vulnerability Analysis Exploit the Pinball Game

More In Depth Example Exploitation Memory Corruption Buffer Overflow Shell Code NOP Sled

What is Memory Corruption Memory corruption is one of the most intractable class of programming errors, for two reasons: The source of the memory corruption and its manifestation may be far apart, making it hard to correlate the cause and the effect.

Memory Corruption Code Injection Where do we inject the malicious code? How should we generate malicious code (Shellcode)? How should we redirect execution flow?

Memory Corruption Redirection of execution flow In x86, one way is to control a register called EIP, also known as the instruction pointer register. This register is how the x86 architecture knows which instruction to run next. EIP, however, is not directly controlled by the user. But how does one control EIP? With a vulnerability of course!

Buffer Overflows Any instance where a program writes beyond the end of the allocated memory for any buffer. A perfect example can be shown with strcpy() stack overflow. gets() and read() are other examples

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } The Stack 0x00000000 0xFFFFFFF

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } 1st Step: Mark controlled input The Stack 0x00000000 0xFFFFFFF

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } 2nd Step: Mark Vulnerable code The Stack 0x00000000 0xFFFFFFF

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } Last Step: Analyze! ESP -> EBP -> The Stack 0x00000000 0xFFFFFFF

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } ESP -> EBP -> The Stack 0x00000000 Saved EIP argv[1] 0xFFFFFFF

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } ESP -> EBP -> The Stack 0x00000000 MyVar[100] Saved EBP Saved EIP argv[1] 0xFFFFFFF

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } ESP -> EBP -> The Stack 0x00000000 AAAAAAAAAA\n Saved EBP Saved EIP argv[1] Case 1: Input A ten times 0xFFFFFFF

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } ESP -> EBP -> The Stack 0x00000000 AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAA(EBP) Saved EIP argv[1] Case 2: Input A 103 times 0xFFFFFFF

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } ESP -> EBP -> The Stack 0x00000000 AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAA(EBP) AAA\n(EIP) argv[1] Case 3: Input A 107 times 0xFFFFFFF

Stack Overflow #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } ESP -> EBP -> The Stack 0x00000000 AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAA(EBP) AAA\n(EIP) argv[1] EIP Control: But now what? 0xFFFFFFF

Stack Overflow Hands-on Desktop/Simple/Stack 2(White Box) Desktop/Simple/Stack 1(Black Box) How much harder is it to do without source code? Can you think of other ways to get control?

Shell Code(Code Injection) Machine code used as the payload in the exploitation of a software bug. While in a program flow, shell code becomes its natural continuation. Example

Shell Code #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } ESP -> EBP -> Change: Put Shell Code in place of A s The Stack 0x00000000 Shell Code calc.exe (EBP) (EIP) argv[1] 0xFFFFFFF

Shell Code #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } ESP -> EBP -> Change: Put padding to still cause overflow The Stack 0x00000000 Shell Code calc.exe AAAA AAAA(EBP) AAA\n(EIP) argv[1] 0xFFFFFFF

Shell Code #include <string.h> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { do_something(argv[1]); } ESP -> EBP -> Modify: Change EIP to where the Shell Code is The Stack 0x00000000 Shell Code calc.exe AAAA AAAA(EBP) Shell Code Location(EIP) argv[1] 0xFFFFFFF

Shell Code #include <string.h> ESP -> void do_something(char *Buffer) { char MyVar[100]; strcpy(myvar,buffer); } int main (int argc, char **argv) { EBP -> do_something(argv[1]); } Problem!: Why won t this work? The Stack 0x00000000 Shell Code calc.exe AAAA AAAA(EBP) Shell Code Location(EIP) argv[1] 0xFFFFFFF

Stack Armor Windows has a native defense that adds 0x00 to the front addresses in the stack. Strcpy, will stop on any 0x00 that is comes across because it is considered end of string. This prevents us from just pointing to our shell code! Now what?

Gadgets Gadgets are pieces of code borrowed from the loaded program image or libraries to circumvent the defenses. Used heavily in Return to libc and ROP/JOP So all we need is a simple gadget to get us back to our Shell Code!

Gadgets A simple gadget that we can use is jmp esp Also known as a Return to register. This gadget allows us to go to the top of the stack, where our shell code just happens to be located. So what we must do is find where a jmp esp is and then have EIP pointed there. How do we find such a gadget though? Mona.py from the Immunity Debugger can help us here!!mona jmp r esp

Shell Code with Gadget ESP -> Change: Modify EIP to gadget Possibilities: Found from mona.py jmp esp call esp push esp ; ret(rop) EBP -> The Stack 0x00000000 Shell Code calc.exe AAAA AAAA(EBP) Gadget Location(EIP) argv[1] 0xFFFFFFF

Shell Code with Gadget Success! ESP -> Defeat: The stack armor was defeated using the gadget! Pwn!: The shell code is then executed EBP -> The Stack 0x00000000 Shell Code calc.exe AAAA AAAA(EBP) Gadget Location(EIP) argv[1] 0xFFFFFFF

Shell Code Hands-on Desktop/Advanced/abo1.exe Using your new knowledge of buffer overflows, shell code, and gadgets get calc.exe to run by controlling abo1.exe One thing to note is not all of the addresses mona.py finds are usable, why? How could we improve reliability of our exploits?

NOP Sled Easy to jump to the wrong address where shell code is located. The Address can change per system! NOP ( no operation ) helps with this issue Can jump anywhere in NOP Sled and just slide into the malicious shell code. In x86 this is 0x90

NOP Sled ESP -> Change: Add 0x90 before and after shell code Finalized exploit, with reliability! EBP -> The Stack 0x00000000 \x90\x90\x90\x90 Shell Code calc.exe \x90\x90\x90\x90 \x90\x90\x90\x90(ebp) Gadget Location(EIP) argv[1] 0xFFFFFFF

Preventing Stack Overflow Stack Guard(Stack cookies) Stack Shield ProPolice DEP(W XOR X) ASLR

Easy RM to MP3 Converter Going to use knowledge of buffer overflows in a practical example. Goals: 1. Figure out what files the converter can take 2. Crash the Converter using malicious input within the files you ve scoped. 3. Take control and execute the calc.exe shell code! ~Hints~ 1. Sometimes not all gadgets will work. 2. Mona.py/Immunity is your friend, use it!

The Game of Defenses So what does one do when there are so many defenses in place? Defeat them one at a time of course! Sadly we do not have enough time to show how to defeat all defenses, but at least there s time for one more.

Stack Cookie Stack cookies are a defense in which in the case that a buffer overflow were to occur, the canary would trip a function call into preventing the vulnerability from happening. In other words, it s like a trip-wire mechanism.

Stack Cookie ESP -> Change: Now there s a cookie in the stack. What happens if we try to overflow MyVar again? EBP -> The Stack 0x00000000 MyVar[100] \x01\x02\x03\x04(cookie) (EBP) (EIP) argv[1] 0xFFFFFFF

Stack Cookie Uh Oh!: We did our buffer overflow, but the cookie also got overwritten. ESP -> EBP -> Failed: The stack cookie will now cause the program to exit. The Stack 0x00000000 AAAAAAAAAA AAAAAAAAAA AAAA(cookie) AAAA(EBP) AAAA(EIP) argv[1] 0xFFFFFFF

Stack Cookie By-Pass So now what? The cookie has foiled our malicious plans of running calculator! Well it just so happens that there s not only one way to control the flow of code in a program.

SEH, Exception Handlers It just so happens that below us in the stack are exception handler chains. Exception handlers are special subroutines called into execution when exceptions occur during the state of the program. Some examples would be division by zero or out of memory conditions.

Exception Handler Chain The Stack Pointer to next SEH record *Pointer to Exception Handler Pointer to next SEH record *Pointer to Exception Handler 0xFFFFFFFF Default exception handler Exception Handler1 Exception Handler2 MSVCRT! exhandler

Exception Handler Chain So what is our goal? Well it just so happens that if you control *SEH, you once again control the flow of the program(eip). But how does one do that? With a vulnerability of course! The Stack nseh *SEH nseh *SEH 0xFFFFFFFF *EH Exception Handler1 Exception Handler2 MSVCRT! exhandler

Stack Cookie By-Pass Change: Now let s add the chain to the stack. Let s continue our vulnerability by continuing the overflow even further than before. ESP -> EBP -> The Stack 0x00000000 AAAAAAAAAA AAAAAAAAAA AAAA(cookie) AAAA(EBP) AAAA(EIP) argv[1] nseh *SEH Exception Handler

Stack Cookie By-Pass Flow Hijack: We now control the SEH s pointer! Using this we can now use a gadget to get back to Shell Code. ESP -> EBP -> The Stack 0x00000000 AAAAAAAAAA AAAAAAAAAA AAAA(cookie) AAAA(EBP) AAAA(EIP) AAAA AAAA Let s modify our exploit a bit. AAAA(nSEH) AAAA(SEH)????

Stack Cookie By-Pass Change: We moved the shell code down below our SEH chain. ESP -> The Stack 0x00000000 \x90\x90\x90 \x90\x90\x90\x90(cookie) \x90\x90\x90\x90(ebp) \x90\x90\x90\x90(eip) So what kind of gadget do we want in this case? Well Pop Pop Ret will do! EBP -> AAAA(argv[1]) AAAA(nSEH) Gadget location(seh) Calc.exe Pop reg Pop reg ret

Stack Cookie By-Pass Using pop pop ret will let us move back to the nseh in the stack. ESP -> The Stack 0x00000000 \x90\x90\x90 \x90\x90\x90\x90(cookie) If it just so happens that if we replace nseh with jmp 0x6 We then get to hop exactly six places foward, and run calc.exe! EBP -> \x90\x90\x90\x90(ebp) \x90\x90\x90\x90(eip) AAAA(argv[1]) Jmp 0x6(nSEH) Gadget location(seh) Calc.exe Pop reg Pop reg ret

Final Exploit ESP -> EBP -> The Stack 0x00000000 \x90\x90\x90 \x90\x90\x90\x90(cookie) \x90\x90\x90\x90(ebp) \x90\x90\x90\x90(eip) \x90\x90\x90\x90(argv[1]) \xeb\x06\x90\x90(nseh) Gadget location(seh) \x90\x90\x90\x90 Calc.exe Pop reg Pop reg ret

DVD X Player 5.5 Pro Stack Cookie and Armor? Oh my! Can you get around it? ~Hints~ 1. For an Exception handler to trigger you must cause an exception in the first place. 2. Mona.py has a command that may help in this case!

Questions?

Mona.py cheat sheet Mona s Help command:!mona help Create a pattern:!mona pattern_create <size>!mona pattern_create 512 Find offset in pattern:!mona pattern_offset <hex>!mona pattern_offset 41314132, finds the offset in the pattern of A1A2 Find all jump based gadgets(jmp esp, push esp retrn):!mona jmp r esp, finds all jump gadgets for the register esp. Find all seh gadgets(pop pop retn):!mona seh

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback