A Look into the Exploit Developers' Witches' Kitchen, aka "Der Hacker und die 7 Geilein"
27/03/2018 // Exploit Development for Dummies
https://www.bee-itsecurity.at
#whoami
Florian Bogner
- IT Security Expert aka "Professional Hacker"
- Speaker and Trainer
- Bug Bounty Hunter
More than 50 vulnerabilities reported to:
Who?
- Nation states / APT: hacking other countries for "self defense" and "peace", e.g. NSA, Russia, ...
- Money: creating exploits for APT threat actors. Here's the big money: up to 1.5 million USD! e.g. Zerodium
- Fun / Learning: you have to start somewhere, right? Tutorials are available for everything from simple buffer overflows to really complex ones.
- Advanced Pentests / Red Teaming Attacks: e.g. to check the security of a self-developed application.
Douche Bags Inc
We make bags!
Our Plan
1. Information Gathering
2. Identify Target
3. Search for Vulnerabilities
4. Weaponize Vulnerability
5. Attack
6. Win!
What is a Stack Overflow?
[Stack diagram: the stack frame for main, containing the parameters for main(), the return address and main's local variables; the stack "grows" from higher to lower addresses]
Program:
void main() { /* Application logic */ }
What is a Stack Overflow?
[Stack diagram: the stack frame for main (parameters for main(), return address, main's local variables) with the stack frame for load below it (parameters for load(), return address, load's local variables); the stack "grows" from higher to lower addresses]
Program:
#include <stddef.h>
#include <string.h>

/* Sketch from the slides; load_from() is not shown. Declarations added so the
   two functions can be read in the order the slide gives them. */
const char *load_from(const char *the_file);
const char *load_file(const char *the_file);

void main(const char *the_file) {
    const char *bitmap = load_file(the_file);
    /* More application logic */
}

const char *load_file(const char *the_file) {
    char tmp_buffer[10];
    strcpy(tmp_buffer, load_from(the_file));   /* no length check against the 10-byte buffer */
    /* More application logic */
    return NULL;   /* the slide writes a bare "return;" here */
}

What happens if load_from() returns more than 10 characters? A stack overflow: the copy continues past tmp_buffer into the rest of the frame, including the saved return address.
The attacker now controls the execution flow! [Diagram: the overwritten return address is highlighted]
Fuzzing
Normal flow: IrfanView -> Image File -> Processing -> Display
With Fuzzing: IrfanView -> Image File -> Processing -> Error / Vulnerability
Live Demo: Fuzzing with BFF
What is a Stack Overflow? (recap of the diagram and program above: the attacker now controls the execution flow!)
What is a Stack Overflow?
[Stack diagram: the overwritten return address points back into the image content on the stack, where the shellcode was placed: "Continue execution with our Shellcode"]
Live Demo: Weaponize 1/2!
Magic
[Diagram: Return address -> Image / Image content / Shellcode] Doesn't work! The image is a memory-mapped file.
[Diagram: Return address -> Stack -> POP POP RET]
[Diagram: Image / Image content / Shellcode; address 004D0BA9]
Live Demo: Weaponize 2/2!
Final Demo:
The Victim’s PoV
Mitigations: Learning from the Past
[Diagram recap of the exploit: Return address / Stack / POP POP RET; Image / Image content / Shellcode / Return address]
Mitigation: Secure Coding
Program:
#include <stddef.h>
#include <string.h>

const char *load_from(const char *the_file);
const char *load_file(const char *the_file);

void main(const char *the_file) {
    const char *bitmap = load_file(the_file);
    /* More application logic */
}

const char *load_file(const char *the_file) {
    char tmp_buffer[10];
    strncpy(tmp_buffer, load_from(the_file), sizeof(tmp_buffer));   /* copy is bounded by the buffer size */
    /* More application logic */
    return NULL;   /* the slide writes a bare "return;" here */
}
[Diagram: Return address / POP POP RET]
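The following C program is an added example, not code from the slides or from IrfanView. It models the load_file() frame from the stack diagram as a struct, so the effect of each copy variant on the saved return address can be observed without corrupting a real stack. It serves both the overflow explanation (what happens when load_from() returns more than 10 characters) and this Secure Coding slide, and adds one caveat the slide does not state: strncpy() with sizeof(tmp_buffer) as the length stops the overflow, but leaves tmp_buffer without a terminating NUL whenever the input has 10 or more characters, so a later string function would read past the buffer. The struct layout, the sentinel return value and the sample inputs are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the load_file() stack frame from the slides: the 10-byte
 * tmp_buffer lies below the saved frame pointer and the saved return address,
 * which is the layout the diagram shows. Writes stay inside this struct, so the
 * demonstration is defined behaviour; a real strcpy() would not stop here. */
struct frame_model {
    char     tmp_buffer[10];
    uint32_t saved_ebp;      /* constructed stand-in for the saved frame pointer */
    uint32_t saved_return;   /* the address the CPU would jump to on return */
};

#define RETURN_SENTINEL 0x08041234u   /* constructed value standing in for the real return address */

typedef void (*copy_fn)(struct frame_model *, const char *);

static void reset_frame(struct frame_model *f)
{
    memset(f, 0, sizeof *f);
    f->saved_ebp = 0xBFFFF000u;
    f->saved_return = RETURN_SENTINEL;
}

/* Variant 1: the slide's strcpy(tmp_buffer, ...). It copies strlen(src)+1 bytes and
 * never looks at the destination size. Modelled with memcpy into the frame object,
 * capped at the end of the model so the example stays within defined behaviour. */
void copy_unbounded(struct frame_model *f, const char *src)
{
    size_t off = offsetof(struct frame_model, tmp_buffer);
    size_t n = strlen(src) + 1;
    if (n > sizeof *f - off) n = sizeof *f - off;   /* a real strcpy() would keep going */
    memcpy((unsigned char *)f + off, src, n);
}

/* Variant 2: the slide's mitigation, strncpy(tmp_buffer, ..., sizeof(tmp_buffer)).
 * Nothing is written past the buffer, but if src has 10 or more characters no
 * terminating NUL is stored. */
void copy_strncpy_only(struct frame_model *f, const char *src)
{
    strncpy(f->tmp_buffer, src, sizeof f->tmp_buffer);
}

/* Variant 3: bounded copy that always leaves a terminated (possibly truncated) string. */
void copy_bounded(struct frame_model *f, const char *src)
{
    strncpy(f->tmp_buffer, src, sizeof f->tmp_buffer - 1);
    f->tmp_buffer[sizeof f->tmp_buffer - 1] = '\0';
}

/* Returns 1 if copying src with the given variant changed the saved return address. */
int return_address_clobbered(copy_fn copy, const char *src)
{
    struct frame_model f;
    reset_frame(&f);
    copy(&f, src);
    return f.saved_return != RETURN_SENTINEL;
}

/* Returns 1 if tmp_buffer contains a NUL somewhere in its 10 bytes after the copy.
 * The buffer is pre-filled with 'X' so a missing terminator cannot hide behind zeros. */
int buffer_terminated(copy_fn copy, const char *src)
{
    struct frame_model f;
    reset_frame(&f);
    memset(f.tmp_buffer, 'X', sizeof f.tmp_buffer);
    copy(&f, src);
    return memchr(f.tmp_buffer, '\0', sizeof f.tmp_buffer) != NULL;
}

/* Constructed inputs: a short file name that fits, and an oversized one of the kind
 * a fuzzer produces. */
#define SHORT_INPUT "logo.bmp"
#define LONG_INPUT  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 32 characters */

int main(void)
{
    copy_fn variants[] = { copy_unbounded, copy_strncpy_only, copy_bounded };
    const char *names[] = { "strcpy (slide)", "strncpy sizeof (slide fix)", "strncpy + NUL" };
    for (int i = 0; i < 3; i++)
        printf("%-28s long input: return clobbered=%d terminated=%d\n", names[i],
               return_address_clobbered(variants[i], LONG_INPUT),
               buffer_terminated(variants[i], LONG_INPUT));
    return 0;
}
```

The third variant is the one to ship: it is bounded like the slide's fix and additionally guarantees a terminator, which is what the rest of the program will rely on when it treats tmp_buffer as a string.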
Mitigation: ASLR
[Diagram: Return address / Stack / POP POP RET] With ASLR the program's modules are loaded at a different base address on each run, so a hard-coded gadget address such as 004D0BA9 no longer points at the POP POP RET.
Mitigation: DEP
[Diagram: Image / Image content / Shellcode, marked "rwx"] With DEP the stack and data pages are no longer executable, so jumping into the shellcode stored in the image content faults instead of running it.
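On Windows, whether an executable opts in to these two mitigations is recorded in the DllCharacteristics field of the PE optional header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, set by the linker's /DYNAMICBASE option) for ASLR and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, /NXCOMPAT) for DEP. The C program below is an added example, not code from the slides, that reads those flags from a PE image held in memory; it is the check a defender runs on an installed program before trusting the OS to protect it. The minimal header it parses is constructed inline and is not a real executable. Opting in is necessary but not sufficient: ASLR also needs the image to carry relocations, and the system-wide DEP policy can override the flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flag values of the DllCharacteristics field in the PE optional header
 * (IMAGE_DLLCHARACTERISTICS_* in the PE/COFF specification). */
#define DLLCHAR_DYNAMIC_BASE 0x0040u   /* image can be relocated: opts in to ASLR */
#define DLLCHAR_NX_COMPAT    0x0100u   /* image declares itself DEP/NX compatible */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the DllCharacteristics value of a PE image held in memory, or -1 if the
 * bytes do not look like a PE32/PE32+ file. Only the headers are inspected. */
int pe_dll_characteristics(const unsigned char *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);   /* offset of the "PE\0\0" signature */
    /* signature (4) + COFF file header (20) + optional header through DllCharacteristics (72) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return -1;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return -1;
    const unsigned char *opt = img + e_lfanew + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -1;   /* PE32 or PE32+ */
    /* DllCharacteristics sits at offset 70 of the optional header in both formats */
    return rd16(opt + 70);
}

int pe_opts_in_to_aslr(const unsigned char *img, size_t len)
{
    int dc = pe_dll_characteristics(img, len);
    return dc >= 0 && (dc & DLLCHAR_DYNAMIC_BASE) != 0;
}

int pe_opts_in_to_dep(const unsigned char *img, size_t len)
{
    int dc = pe_dll_characteristics(img, len);
    return dc >= 0 && (dc & DLLCHAR_NX_COMPAT) != 0;
}

/* Constructed minimal PE header (160 bytes): DOS header, signature, COFF header and
 * the first 72 bytes of a PE32 optional header. Not a real executable. */
#define FAKE_PE_SIZE 160
void build_fake_pe(unsigned char *buf, uint16_t dll_characteristics)
{
    memset(buf, 0, FAKE_PE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                         /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    unsigned char *opt = buf + 0x40 + 4 + 20;
    opt[0] = 0x0B; opt[1] = 0x01;             /* magic 0x10B: PE32 */
    opt[70] = (unsigned char)(dll_characteristics & 0xFF);
    opt[71] = (unsigned char)(dll_characteristics >> 8);
}

/* Helpers that build a fake header with the given flags and report what the parser sees. */
int fake_pe_characteristics(uint16_t dll_characteristics)
{
    unsigned char buf[FAKE_PE_SIZE];
    build_fake_pe(buf, dll_characteristics);
    return pe_dll_characteristics(buf, FAKE_PE_SIZE);
}

int fake_pe_aslr(uint16_t dll_characteristics)
{
    unsigned char buf[FAKE_PE_SIZE];
    build_fake_pe(buf, dll_characteristics);
    return pe_opts_in_to_aslr(buf, FAKE_PE_SIZE);
}

int fake_pe_dep(uint16_t dll_characteristics)
{
    unsigned char buf[FAKE_PE_SIZE];
    build_fake_pe(buf, dll_characteristics);
    return pe_opts_in_to_dep(buf, FAKE_PE_SIZE);
}

/* A header cut off before DllCharacteristics must be rejected, not misread. */
int fake_pe_truncated(void)
{
    unsigned char buf[FAKE_PE_SIZE];
    build_fake_pe(buf, DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT);
    return pe_dll_characteristics(buf, 100);
}
```

To check a real binary, read the file into memory and pass it to pe_opts_in_to_aslr() and pe_opts_in_to_dep(); a program that, like the one in the demo, can be attacked through a fixed address such as 004D0BA9 is one where the ASLR flag is clear.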
QUESTIONS?
Bee IT Security Consulting e.U.
Nibelungenstraße 37, A-3123 Schweinern
Florian Bogner, Information Security Expert
+43 660 123 9 454
florian@bee-itsecurity.at
https://www.bee-itsecurity.at