INFORMATION SECURITY - PRACTICAL ASSESSMENT - BASICS IN BUFFER EXPLOITATION

Similar documents
WRITING YOUR FIRST EXPLOIT LECTURE NOTES

CS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

Exploit Development. License. Contents. General notes about the labs. General notes about the labs. Preparation. Introduction to exploit development

Bypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.

Remote Buffer Overflow Exploits

Shellcode Analysis. Chapter 19

Assignment 4 Buffer Overflows

CS 161 Computer Security

Advanced Buffer Overflow

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

CS 161 Computer Security

Writing your first windows exploit in less than one hour

Advanced Buffer Overflow

20: Exploits and Containment

Project 4: Application Security

Is stack overflow still a problem?

Exercise 6: Buffer Overflow and return-into-libc Attacks

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Stack overflow exploitation

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

MSRPC Heap Overflow Part II

CMSC 414 Computer and Network Security

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Lecture 4 September Required reading materials for this class

Practical Malware Analysis

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

buffer overflow exploitation

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Black Box Debugging of Embedded Systems

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Exploiting the MSRPC Heap Overflow Part I

Buffer-Overflow Attacks on the Stack

CS155: Computer Security Spring Project #1

Representation of Information

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Analysis of MS Multiple Excel Vulnerabilities

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURES

Secure Programming I. Steven M. Bellovin September 28,

Penetration Testing with Kali Linux

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

Post exploitation techniques on OSX and Iphone. Vincenzo Iozzo

War Industries Presents: An Introduction to Programming for Hackers Part III - Advanced Variables & Flow Control.

CSE 361S Intro to Systems Software Lab Assignment #4

Buffer-Overflow Attacks on the Stack

CS 161 Computer Security

CONTENTS IN DETAIL. FOREWORD by HD Moore ACKNOWLEDGMENTS INTRODUCTION 1 THE ABSOLUTE BASICS OF PENETRATION TESTING 1 2 METASPLOIT BASICS 7

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

CSCI0330 Intro Computer Systems Doeppner. Lab 02 - Tools Lab. Due: Sunday, September 23, 2018 at 6:00 PM. 1 Introduction 0.

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

Malware

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Università Ca Foscari Venezia

Basic Buffer Overflows

Win32 Stack BufferOverFlow Real Life Vuln-Dev Process

Biography. Background

Buffer overflow background

Autodesk AutoCAD DWG-AC1021 Heap Corruption

In-Memory Fuzzing in JAVA

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Heaps of Heap-based Memory Attacks

ISA 564, Laboratory I: Buffer Overflows

Project 1 Notes and Demo

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Lecture 08 Control-flow Hijacking Defenses

APPM 2460 Matlab Basics

Writing Exploits. Nethemba s.r.o.

GDB Tutorial. A Walkthrough with Examples. CMSC Spring Last modified March 22, GDB Tutorial

Buffer Overflow Attack (AskCypert CLaaS)

Memory Safety (cont d) Software Security

Fastbin_dup into stack exploitation

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Return oriented programming

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Creating User-Friendly Exploits

Introduction. Overview and Getting Started. CS 161 Computer Security Lab 1 Buffer Overflows v.01 Due Date: September 17, 2012 by 11:59pm

Reversing. Time to get with the program

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015

Exercises 6 - Virtual vs. Physical Memory, Cache

INSIDE THE ULTIMA ONLINE CLIENT - INSERTING A SLEEP

Vivisection of an Exploit: What To Do When It Isn't Easy. Dave Aitel Immunity, Inc

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

Project 4: Application Security

Homework 4 CS161 Computer Security, Spring 2008 Assigned 4/14/08 Due 4/21/08

CS 33 (Week 4) Section 1G, Spring 2015 Professor Eggert (TA: Eric Kim) v1.0

Chapter 1 Getting Started

Return-orientated Programming

System Security Class Notes 09/23/2013

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

ROP It Like It s Hot!

CS61 Section Solutions 3

Outline. Format string attack layout. Null pointer dereference

INFORMATION SECURITY - PRACTICAL ASSESSMENT - TP3 - CRYPTOGRAPHY AND APPLICATIONS. GRENOBLE INP ENSIMAG

Transcription:

INFORMATION SECURITY - PRACTICAL ASSESSMENT - BASICS IN BUFFER EXPLOITATION GRENOBLE INP ENSIMAG http://www.ensimag.fr COMPUTER SCIENCE 3RD YEAR IF-MMIS - 1ST SEMESTER, 2011 Lecturers: Fabien Duchene - Karim Hossen firstname.lastname [ at ] imag.fr NOTE: Practical assessment regarding the course we had on Thu. 22th, September 2011 and regarding the chapter 1.1. They are due for Tuesday 27th, September 2011 23pm59. This practical assessment will give you some methods used by security professionals to exploit vulnerabilities. This is an introduction to such exploitation techniques. The second part will then focus on x86 binary exploitation. functionalities, you will have to exploit two vulnerabilities. After a brief exploration of the debugger Goals: Inspect a program thanks to a debugger (in that case the Immunity Debugger) Obtain a basic knowledge in buffer exploitation 1 Requirements: hypervisor and virtual machine image Download the hypervisor for your platform from http://www.virtualbox.org/wiki/downloads Install it on your laptop Download the virtual machine image from http://car-online.fr/en/files// import it into VirtualBox (follow the instructions at https://ensiwiki.ensimag.fr/index.php/ VirtualBox-) save a snapshot of the virtual machine (in its turned off state) launch the virtual machine log-on using those credentials (username / password): user / user (for -2011-2012-TP1-application exploitation.7z) or user / empty password (for TP1 - Exploitation.ova) 2 Binary exploitation 2.1 Let us discover the Immunity Debugger Launch the debugger

2 Open ex0.exe and eventually make the CPU view visible. Check the window title to see if you are in the ex0.exe module. If not, open the view executable modules, and choose ex0.exe. 1. (a) Describe in few lines the content of each 5 part of the CPU view (b) One instruction is selected, what is it and how it is generally called? (c) Where does the debugger find his address? 2. (a) Lets run the program (F9 keyboard shortcut). What just happened? (Hint : status bar) (b) What is the purpose of the first instructions block at the beginning of the program? Is that block our main function? 3. (a) Now we want to set a breakpoint. Use Right click > Search for > All intermodular call > printf to find the printf. The main function, for little program without a lot of libraries is often located few instructions after the entry point. Alternatively you also can scroll down till you see the printf call. At which address is the printf located? (b) Set the breakpoint (F2), restart and run the program (Ctrl+F2). The program is now stopped at the printf. How many arguments a printf function is supposed to have? (c) Locate and describe them on the stack part of the CPU view. (d) A debugger has a control on the control flow of a program it has loaded. It also is able to manage the data flow. Now let us modify the text to be printed. Find two ways to modify the text which will be printed and briefly describe them. Use at least one of these methods to change the text. (e) It is also possible to run the program step-by-step using Step into (F7) and Step over (F8) function. What is the difference between these functions? 4. Step over until the instruction at the address 0x00401340. What is this instruction? What is its purpose? Resume the execution of the program by pressing F9 and let it terminated. You are now sufficiently familiar with that debugger to perform the very next sections. 2.2 Bin100 - It is sometimes too small In order to help you for your first exploitation, we did provide you some few hints regarding the vulnerability you will exploit for this exercise. It is a classic simple - and unfortunately still possible in several today softwares - stack overflow assuming that DEP and ASLR are not activated. This is the perfect example your always have been dreaming of to exploit! 2.2.1 Controlling the flow 5. (a) Briefly remember ( 4 lines) what is a stack-based overflow and how can we exploit it. (b) Run the program (standalone, without the debugger attached) and play with it. Explain what is the purpose of that executable. (c) Open (in text editor) the script sendstring.py. What is the use of it? With the script, trigger an overflow. What happened when the overflow occured?

3 6. Now, we need more detailed information/impact about the overflow on the program. Run Immunity Debugger, open ex1.exe and run it. Trigger the overflow. The program will throw an exception and the debugger will catch it. Now the execution is paused at the instruction that triggered that overflow. (a) What is that instruction? (b) Describe the purpose of that instruction and why an overflow could happen here. (c) Now, have a look the registers which partly describe the state of the program (because the memory state is also important). What do you notice? What is the purpose of that (these) register(s) on which you just noticed something? (d) What is the content of that register? Change the string you send to the program, and restart it and see if the content of the register have changed. We seem to control the register. What does it mean? (e) To have a stable control on that register, we should know how many bytes we must send to overwrite the register. Some people already thought about it and produced 2 small and useful ruby scripts : pattern create and pattern offset These scripts are available in Metasploit. Open the system console of Metasploit. 1 >ruby t o o l s \ p a t t e r n c r e a t e. rb Usage : p a t t e r n c r e a t e. rb length [ set a ] [ set b ] [ set c ] (f) By reading and testing these two scripts, describe in what extend they could be useful. (g) Using pattern offset, how many bytes are necessary before overwriting the register? Let s call this value OFFSET EIP. We will have to send something following this format [padding][value of register] with size([padding]) = OFFSET EIP Test with aaaaa...aaaaabcd and check with the debugger if there is an attempt to execute instruction at the address ABCD (h) Now we really control the control flow because we almost be able to put any value in this register. Explain why the word almost is used in the previous sentence? 2.2.2 Controlling the flow to our code To prove that we control the control flow, you should be able to execute arbitrary codes. This code will be in the string that you send to the program. Codes are in string?? Don t forget that there are no type notions here, your string will be in memory, and a string is set of bytes like instructions. This kind of code is called shellcode because, most of time we use it to have a shell (terminal) on the victim system. There are a lot of shellcodes, to do a lot of things, show a messagebox, run an executable, download and execute something... We will use the simple messagebox shellcode. Technics to write a shellcode are out of the scope of this practical assesment, we will use Metasploit to generate one for us. Thanks to it :) Open the Metasploit system console. We use the S option to display a summary (or help). > ruby msfpayload windows/ messagebox S 2 Name : Windows MessageBox Module : payload / windows/ messagebox 4 Version : 13403 l a t f o r m : Windows 6 Arch : x86 Needs Admin : No 8 Total size : 270 Rank : Normal 10...

4 7. (a) What are the options we have for the message box? Metasploit can output the shellcode with different format, R for raw, C, P for Perl... As we use Python, we can take the C format which is closed to Python. This is an example : >ruby msfpayload windows/ messagebox EXITFUNC=p r o c e s s ICON=INFORMATION TEXT= Blabla TITLE= H e l l o C 2... OK, we have our shellcode, in C format. Now we have to redirect the control flow to our shellcode. Our shellcode will be located in memory because it will be in the string you send to the program. Copy your shellcode at the beginning of the string. Now, we can consider the string as a payload, so call it payload. Your payload should follow this format above [shellcode][padding][value of register] with size([shellcode][padding]) = OFFSET EIP From now, we will use the script exploit.py to send the string. Set padding to : \x90 xoffset EIP Set jmp to : abcd Set shellcode to : your shellcode previously generated 8. (a) Send your payload to the program under the debugger, it will stop at the exception. Locate your shellcode. Where is it? (b) Jumping to a fix address in the stack could be problematic, because the two first bytes of stack address can change. Look the register. Do you find something interesting? Why? So we need to jump to the address in this register. Let find a jmp esp instruction. Open the view executable modules. What we can find in this view? (don t answer executable modules :)) Choose the module kernel32.dll, go to the CPU view. You should see the instruction of kernel32.dll. (c) Now, we will use the debugger to find a jmp esp. Right click in the instruction panel > Search for > Command : jmp esp What is the address of the jmp esp? Now, you should have a good payload following this format : [shellcode][padding][@jmp esp] 2.2.3 Encoding the shellcode 9. (a) Test your previously created payload. Does it works?... ok. Let us find the problem. Use the debugger to locate your shellcode in the stack. Compare it from the original shellcode. (b) The beginning of the shellcode is correctly copied but there is an error after few bytes. What bytes was not copied successfully? In fact, the program can modify some byte of the strings and most of time its special character like \r, \n and space. Of course, there is a technic to bypass these modifications. We just need to avoid this character in our shellcode :) For that, there are encoders which encode the shellcode in a format which doesn t have chosen characters. And again, its module is available in Metasploit. To use it, you will send the raw shellcode to the encoder and tell him to output C again and removing some characters. The command become : > 2 ruby msfpayload windows/ messagebox EXITFUNC=p r o c e s s ICON=INFORMATION TEXT= Blabla TITLE= H e l l o R ruby msfencode a x86 b \ x00 \ x0a \ x0d t c Now retry your payload. If it work : \o/

5 2.2.4 With DEP? 10. Active DEP and test your payload again. It should work. What?? Indeed, you just activated a thing called by Microsoft Software DEP. it is a good memory protection mechanism but not the real DEP. 2.2.5 With DEP 11. To active the real DEP, you have to modify the configuration of the virtual machine to enable the PAE mode (cf. course) Now test your payload again. It should lead to an application crash, with a message from windows. That s the real DEP. Well done for those who successfully finished this part. It is however is not yet the end :) 2.3 Bin200 - Where are my parameters?! For your second exploitation, you have to exploit a vulnerability in the format string. 2.3.1 Reminders 12. (a) Briefly describe what a format string vulnerability is and compare it to stack based buffer overflow. Which one is the most powerful? Why? (b) Locate the vulnerable function and start playing with its parameters Print the content of the first 40 bytes on the stack. Why the printed result doesn t have 80 bytes exactly? Use the debugger to check. 2.3.2 Control WHERE you want to write (ECX) Let s call the string the content of input.txt. In order to exploit, we first need to reach the end of our string. From now, we will use the script exploit.py to build the input.txt. Set address to : abcd => This is where we will write. We use abcd because we don t yet where to write. Set write to : %x => Use to print (%x) the address or write (%n) to the address Set moves to : %x *30 => Use to moves on the stack (30*4 bytes) We know that %x read 4 bytes, but if we want to control where we are on the stack accurately, we need something else to move at the byte scale. This is the goal of the padding value. 13. (a) Now play with the number of moves until you recognize the address. Remember you are printing bytes in hexadecimal and in Little-endian. Remember after hexadecimal stuff, you should see the abcd string of course. (We put it in the printf) (b) How abcd should be printed? Let s call it AABBCCDD You should see :...AABBCCDDabcd... AABBCCDD will be replaced later by the address to overwrite. Now replace the write by an %n and check in the debugger if there is an attempt to write at the address AABBCCDD. Now we control where we want to write. You can replace AABBCCDD by something else to check. Note the value of EAX register, we will need it in the next part.

6 2.3.3 Control WHAT you write (EAX register) 14. (a) Remember what the function of %n in printf is The register EAX is used to store this number. Let s call EAX the value of EAX register. We will need to write 1000 (3e8 in hexadecimal) at the address of target to pass the test. We just have to write 3e8-EAX bytes before the %n. (b) We can put a lot of padding in the string to do that. Why it is not a good way? (c) Use the printf reference to find how we can print a lot of bytes using a short string (Think simple) Set write to : %x, we are still testing, no need to write. Set value to : %#x replacing the # by the result of 3e8-EAX But the length of the string have changed again, we need to adjust the padding or moves. Set moves to : 32 Set padding to : m, m or another character except \x00 You should see :...64636261abcd... again. Now we are ready to exploit! 2.3.4 Exploitation 15. (a) What is the address of the target variable? (b) There is a null byte in it and we use fgets. Is it a problem? Why? Replace the address (abcd) by target address in little-endian with this syntax \ x6c \ x f f \ x22 Remember that since the new address contains 1 character less than abcd, we need to increment that value by 1. You should see Well done! :)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback