Exploits and gdb. Tutorial 5

Similar documents
2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Exercise 6: Buffer Overflow and return-into-libc Attacks

Writing Exploits. Nethemba s.r.o.

CSE 351 Section 4 GDB and x86-64 Assembly Hi there! Welcome back to section, we re happy that you re here

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Return-orientated Programming

Università Ca Foscari Venezia

CS Bootcamp x86-64 Autumn 2015

String Oriented Programming Exploring Format String Attacks. Mathias Payer

The Geometry of Innocent Flesh on the Bone

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Function Call Convention

Program Exploitation Intro

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

CS 161 Computer Security

Is stack overflow still a problem?

Architecture-level Security Vulnerabilities

Shell Code For Beginners

Process Layout and Function Calls

Buffer Overflow Attack (AskCypert CLaaS)

buffer overflow exploitation

ANITA S SUPER AWESOME RECITATION SLIDES

Registers. Ray Seyfarth. September 8, Bit Intel Assembly Language c 2011 Ray Seyfarth

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

W4118: PC Hardware and x86. Junfeng Yang

How Software Executes

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Advanced Buffer Overflow

Buffer Overflows Defending against arbitrary code insertion and execution

Memory Safety (cont d) Software Security

CS 161 Computer Security

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Assembly Language: Function Calls

CMPSC 497 Buffer Overflow Vulnerabilities

CS 270 Systems Programming. Debugging Tools. CS 270: Systems Programming. Instructor: Raphael Finkel

Outline. Memory Exploit

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Review addressing modes

Assembly Language: Function Calls" Goals of this Lecture"

From Over ow to Shell

Lab 10: Introduction to x86 Assembly

Credits and Disclaimers

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

ROP It Like It s Hot!

Biography. Background

Advanced Buffer Overflow

Machine Programming 3: Procedures

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Binghamton University. CS-220 Spring x86 Assembler. Computer Systems: Sections

Lecture 08 Control-flow Hijacking Defenses

Architecture-level Security Vulnerabilities. Julian Stecklina

Return Oriented Programming

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Practical Malware Analysis

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

18-600: Recitation #4 Exploits

Software Security: Buffer Overflow Attacks

CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security

2/9/18. Readings. CYSE 411/AIT681 Secure Software Engineering. Introductory Example. Secure Coding. Vulnerability. Introductory Example.

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

CSE 127 Computer Security

Software Security II: Memory Errors - Attacks & Defenses

CSE 127 Computer Security

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Software Security: Buffer Overflow Defenses

CPS104 Recitation: Assembly Programming

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Basic Buffer Overflows

Smashing the Buffer. Miroslav Štampar

Secure Systems Engineering

x86 assembly CS449 Fall 2017

Credits and Disclaimers

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

How Software Executes

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Inject malicious code Call any library functions Modify the original code

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Buffer Overflow Vulnerability

18-600: Recitation #4 Exploits (Attack Lab)

Midterm 1 Review. Memory Safety & Web Attacks

Transcription:

Exploits and gdb Tutorial 5

Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb)

Buffer Vulnerabilities Basic Idea Overflow or underflow a buffer to corrupt the processes memory space. Injected data can be used redirect control flow. Overflow occurs when data is written beyond buffer; underflow, when before. Common causes are failure (or incorrect) bounds - numerical miscalculations - expectation of a null-terminated char sequence Implications Allows an adversary to corrupt other data on the stack (local vars, EBP, ret EIP) This could be leveraged to carry out other (malicious) computations

Buffer Vulnerabilities Overflow Example char buffer[buffer_sz]; int len = atoi(argv[2]); /* parse 2nd cmd-line arg to a integer */ memmove(buffer, argv[1], len); /* copy_memory(dest, src, size) */ /* if len > BUFFER_SZ, we write beyond the buffer into the stack frame */ Null-termination Example char buffer[buffer_sz]; strcpy(buffer, argv[1]); /* copy a null-terminated string (dst, src) */ /* if the first null bytes is located > BUFFER_SZ, we write beyond the buffer into the stack frame */

Buffer Vulnerabilities Mitigations Bounds checking - calculate and enforce bounds at runtime. Canaries - Append known values to the end of the buffer. Use them to indicate corruption. Tagging - Tag memory objects (allocations) so that underlying hardware/compiler support can detect buffer under/overflows

Code Injection Basic Idea Exploit a memory corruption vulnerability (E.g. buffer overrun), to inject shellcode into the PAS. Execution Flow Once you have injected code, you need to steer execution to the code (get the IP there) Stack Smashing An attack where you exploit a buffer overrun vulnerability to also corrupt the base-pointer and return-ip.

Code Injection Mitigations - Canaries (stack guard) - WX protection: Write XOR Execute - non-executable stack Further Readings Smashing The Stack For Fun And Profit http://phrack.org/issues/49/14.html Stackguard https://www.usenix.org/legacy/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf

Integer Attacks Basic Idea Use vulnerabilities in the handling of numeric data to alter the flow of execution. Signedness Numeric primitive types can be signed or unsigned. 0x80000000 = 1000 0000 0000 0000 = 2147483648 (unsigned int) = -2147483648 (signed int) Look for scenarios where a signed number is used to calculate lengths. Truncation Putting a number larger than the max size of a data type will truncate the result. int a; long b = 0x0123456789ABCDEF; a = b;

Integer Attacks Signedness Example char buffer[buffer_sz]; int len = atoi(argv[2]); /* parse 2nd cmd-line arg to a integer */ if (len + BUFFER_SZ) memmove(buffer, argv[1], len); /* copy_memory(dest, src, size) */ /* if len < 0 AND len > BUFFER_SZ, we write beyond the buffer into the stack frame */ Mitigations - detect overflows explicitly - patch code so that the semantics match the developers expectations Further Reading http://phrack.org/issues/60/10.html

Advanced Attacks Return-to-libc Attack - Find snippets of ASM code ( gadgets ) in the libc libraries that can be stitched together to form the computation you wish to do (usually something malicious) - usually only a few instructions at the end of a function form a gadget Ex. xor eax, ebx add 3, eax ret - Corrupt the stack such that execution moves to the first code snippet and then returns from that snippet to the next snippet - bypasses WX protection (no code-injection no Write) - https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf (Whitepaper) Mitigation -detect entry into libc not at function start -make it hard to find the gadget offsets in memory - Address Space Layout Randomization (ASLR)

Advanced Attacks Return Oriented Programming (ROP) - generalization of return-to-libc - uses code snippets ( gadgets ) from the program itself, instead of libc https://cseweb.ucsd.edu/~hovav/dist/rop.pdf (Whitepaper) Mitigation - make it hard to find the gadget offsets in memory - Address Space Layout Randomization (ASLR)

Advanced Attacks Further Reading PHRACK Hacker e-zine. Not maintained regularly anymore, but still lot s of essential reading http://phrack.org International Journal of POC GTFO A friendly little journal for ladies and gentlemen of distinguished ability and taste in the field of computer security and the architecture of weird machines. https://www.alchemistowl.org/pocorgtfo/

GDB Commands r <arg1>... c b expr n ni s si f Run program Continue Set breakpoint next line (step-over) next instruction (step-over) step into step into instruction finish

GDB p expr d/fmt expr x/nfu expr bt bt full i i locals i r i args print display examine n: number of units to display f: display format (x=hex, d=decimal, i=instruction, ) u unit size (b=1, h=2, h=4, g=8 Bytes) Backtrace Backtrace and show function args inline information Show local variables in scope. Show registers of current stack frame Show function arguments.

GDB If you invoke gdb with the tui flag you can have a windowed view.

GDB ASM Syntax Move the immediate value 1 into the eax register. Intel Syntax mov eax, 1 AT&T (GAS) Syntax* movl $1, %eax *GDB uses GAS syntax.

GDB GAS Mnemonic Suffixes b = byte (8 bit) s = short (16 bit integer) or single (32-bit floating point) w = word (16 bit) l = long (32 bit integer or 64-bit floating point) q = quad (64 bit) t = ten bytes (80-bit floating point) If no suffix is specified, the operand size is inferred from the destination register operand Ex. mov %edi, (%rax) mov %rcx, %edx movl $0x20, %rdx

GDB Further Reading GDB Manual http://www.gnu.org/software/gdb/documentation/ Beej s Quick Guide to GDB https://beej.us/guide/bggdb/ Intel 64 and IA-32 Architectures Software Developer Manuals http://www.intel.com/content/www/us/en/processors/architectures-software-developermanuals.html AMD Developer Guides, Manuals & ISA Documents http://developer.amd.com/resources/documentation-articles/developer-guides-manuals/

GDB Exercises 1. Examine and step through the examples at: https://pages.cpsc.ucalgary.ca/~mbclark/tut/525/t4/src 2. Create simple C programs that demonstrate the vulnerabilities (buffer overflow, integer signedness). 3. Examine and step through the samples you generate to craft an exploit for them.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback