from over ow to shell from over ow to shell
play

From Overow to Shell From Overow to Shell An Introduction to - PowerPoint PPT Presentation

Mar 15, 2024 •331 likes •619 views

From Overow to Shell From Overow to Shell An Introduction to low-level exploitation An Introduction to low-level exploitation Carl Svensson @ Foo Caf, February 2019 Carl Svensson @ Foo Caf, February 2019 1 / 28 1 / 28 Background

  1. From Over�ow to Shell From Over�ow to Shell An Introduction to low-level exploitation An Introduction to low-level exploitation Carl Svensson @ Foo Café, February 2019 Carl Svensson @ Foo Café, February 2019 1 / 28 1 / 28

  2. Background Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com Twitter: @zetatwo 2 / 28

  3. Background Agenda 1. Background 2. Stack based exploitation 3. Protections and bypasses 4. Heap based explotation 5. Next steps 3 / 28

  4. Background Who are you? Programmer Security interested Low-level language C, C++ Basic OS 4 / 28

  5. Background What is an exploit? Unintended behaviour State machine Initial state Reachable state Invalid state Exploit Invalid state "Dangerous" subset Vulnerability Unintended transition (bug) Leading to an exploit 5 / 28

  6. Background A note on data Bits, groups of bits nibble, byte, word, dword, qword Integer, text, code, addresses 65 66 67 68, "ABCD", inc ecx; inc edx; inc ebx; inc esp, 0x44434241 Same data, different operation Context Endianess, little vs big Little: 0x44332211 = 0x11 0x22 0x33 0x44 Big: 0x44332211 = 0x44 0x33 0x22 0x11 6 / 28

  7. Background Where are we? Physics Circuits Machine code <-- You are here Assembler Low-level code: C, Rust Mid-level code: Java, C# High-level code: Python, JS 7 / 28

  8. Background x86 architecture 101 x86 basics Virtual memory Stack, heap, code 8 / 28

  9. Background x86 architecture 101 x86 basics Virtual memory Stack, heap, code General purpose EAX, EBX, ECX, EDX Special purpose EIP, EBP, ESP 9 / 28

  10. Background Calling convention x86 basics Architecture specific x86, 32 bit 0xDEADBEEF eip+5 ... 0xDEADBEEF eip args in reverse order f(a,b) push push call f base pointer 10 / 28

  11. Background Calling convention x86 basics Architecture specific x86, 32 bit call 0xDEADBEEF = push eip; jmp 0xDEADBEEF ret = pop eip args in reverse order base pointer 11 / 28

  12. Background Stack bu�er over�ow x86 basics Unchecked write Overwrite adjacent memory Stack Exploitation Overwrite return address () { local1; buf[16]; fgets(buf); } [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] [AAAABBBBCCCCDDDD][EEEE][FFFF][GGGG]\0... Program received signal SIGSEGV, Segmentation fault. 0x47474747 example1 () 12 / 28

  13. Background Shellcode x86 basics Code that launches a shell One of the general goals Stack Exploitation %eax,%eax %eax $0x68732f2f ; "//sh" $0x6e69622f ; "/bin", "/bin//sh" mov %esp,%ebx %eax %ebx mov %esp,%ecx mov $0xb,%al ; execve $0x80 ; "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 13 / 28

  14. Background Stack bu�er over�ow (-96) x86 basics Unchecked write Overwrite adjacent memory Stack Exploitation Overwrite return address With shellcode address () { local1; buf[16]; fgets(buf); } [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0xbffffdb4: [31C050682F2F7368682F62696E89E350][5389E1B0][0BCD8000][0xbffffdb4]\0... $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 14 / 28

  15. Background Shellcode placement x86 basics Shellcode can be placed anywhere Stack Exploitation () { local1; buf[12]; fgets(buf); } [buf (12 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0xbffffdb4: [AAAABBBBCCCCDDDD][EEEE][FFFF][0xbffffdd0]31C050682F2F7368682F62696E89E3505389E1B00BCD8000 $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 15 / 28

  16. Background Shellcode placement x86 basics Shellcode can be placed anywhere Don't need exact location Stack Exploitation NOP creates margin nop = 0x90 () { local1; buf[12]; fgets(buf); } [buf (12 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0xbffffdb4: [AAAABBBBCCCCDDDD][EEEE][FFFF][0xbffffdd0] 90909090909090909031C050682F2F7368682F62696E89E3505389E1B00BCD8000 $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 16 / 28

  17. Background Protection: ASLR (-01) x86 basics Base of stack random Code still static Stack Exploitation Location unkown Gadget 0x4000104A: esp [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0x????????: [31C050682F2F7368682F62696E89E350][5389E1B0][0BCD8000][0x4000104A] $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 17 / 28

  18. Background Protection: NX/DEP (-97) x86 basics Random stack, static code Stack not executable, unkown location Stack Exploitation Gadgets Return-oriented programming 0x4000104A: 0x4000106A: ... ... eax ebx ecx [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0x????????: [AAAA...DDDD][EEEE][FFFF][0x4000104A][0xDEADBEEF][0x4000106A][0xCAFEBABE][0xFEEDF00D] eax = 0xDEADBEEF ebx = 0xCAFEBABE ecx = 0xFEEDF00D 18 / 28

  19. Background Protection: StackGuard (-98) x86 basics Prevent the overflow Canary, secret value Stack Exploitation Controlled crash () { () { push_stack_cookie(); // Compiler local1; local1; buf[12]; buf[12]; fgets(buf); } fgets(buf); check_stack_cookie(); // Compiler } SECRET = 0xfe481ac9 [buf (16 bytes)][local1 (4 bytes)][SECRET][saved bp (4 bytes)][ret address (4 bytes)] [AAAA...DDDD][EEEE][FFFF][GGGG][0x4000104A] 0x464646466 != 0xfe481ac9 : ./a.out terminated ======= Backtrace: ========= /lib/i386-linux-gnu/libc-2.27.so (__fortify_fail+0x48) Aborted* 19 / 28

  20. Background Other topics x86 basics Format string vulnerability GOT, PLT Stack Exploitation Protection: RELRO EBP overwrite Create a new fake stack Partial overwrites 0x44434241 = 0x41 0x42 0x43 0x44 0xFF 0x42 0x43 0x44 = 0x444342FF Protection: Control-flow integrity (2014) Bypass: JIT Protection: PAC (2017) Bypass: TBA 20 / 28

  21. Background Format string vulnerability x86 basics int printf ( char * format, ... ); Stack Exploitation printf("Name: %s, age: %d", name, age); // Ok printf(name); // Vulnerable Variable number of arguments Controlled by format string EBP+4*(i+1) Read direct: %x Read indirect: %s Write: %n Copy: %0*x Skip: %4$08x 21 / 28

  22. Background Base pointer overwrite x86 basics Fake stack Control local variables Stack Exploitation Absolute overwrite Partial overwrite 22 / 28

  23. Background Other topics x86 basics Format string vulnerability GOT, PLT Stack Exploitation Protection: RELRO EBP overwrite Create a new fake stack Partial overwrites 0x44434241 = 0x41 0x42 0x43 0x44 0xFF 0x42 0x43 0x44 = 0x444342FF Protection: Control-flow integrity (2014) Bypass: JIT Protection: PAC (2017) Bypass: TBA 23 / 28

  24. Background A refresher on memory x86 basics Physical Virtual Stack Exploitation Pages Memory allocator libc (malloc/free) Heap exploitation other custom 24 / 28

  25. Background Heap corruption: application layer x86 basics Heap overflow Use after free Stack Exploitation Type confusion Heap exploitation 25 / 28

  26. Background Heap corruption: memory allocator x86 basics Re-linking Double free Stack Exploitation Heap exploitation 26 / 28

  27. Background Want try it out? x86 basics Capture the Flag, CTF https://ctftime.org Stack Exploitation https://capturetheflag.withgoogle.com Wargames https://picoctf.com Heap exploitation http://pwnable.kr https://overthewire.org YouTube Next steps LiveOverflow Gynvael Coldwind MurmusCTF ZetaTwo Tools python + pwntools gdb + pwndbg radare2, IDA, binary ninja Educational https://github.com/RPISEC/MBE https://github.com/shellphish/how2heap 27 / 28

  28. Questions? Questions? 28 / 28 28 / 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is Bash Shell Scripting? A shell script is a script written for the shell, or command

What is Bash Shell Scripting? A shell script is a script written for the shell, or command

What is Bash Shell Scripting? A shell script is a script written for the shell, or command line interpreter, of an operating system. The shell is often considered a simple domain-specific programming language . Typical operations

802 views • 15 slides
Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation: http://www.gnu.org/software/bash/manual/bashref.html Bash is an acronym for Bourne - Again SHell. The Bourne shell is the traditional

947 views • 37 slides
More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell Scripts Shell Variables and the Environment Simple Shell Scripting More Advanced Shell Scripting Start-up Shell Scripts Shells and Shell

367 views • 17 slides
CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU

CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU

Shell CSCE 625 TAMU CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU 3 Shell CSCE 625 TAMU 4 Shell CSCE 625 TAMU Pay attention to this: https://www.youtube.com/watch?v=vJG698U2Mvo 5 Shell

352 views • 8 slides
Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line

Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line

Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line arguments For loops Conditionals Shell customization Environment variables Aliases Shells A Unix shell is a command-line interpreter

475 views • 18 slides
Introduction to Shell Programming what is shell programming? about cygwin review of

Introduction to Shell Programming what is shell programming? about cygwin review of

Introduction to Shell Programming what is shell programming? about cygwin review of basic UNIX TM pipelines of commands about shell scripts some new commands variables parameters and shift command substitution

515 views • 35 slides
Bourne Shell Programming Topics Covered Shell variables Using options using getopts

Bourne Shell Programming Topics Covered Shell variables Using options using getopts

Bourne Shell Programming Topics Covered Shell variables Using options using getopts Using Quotes Reading Data Arithmetic On Shell Environment and subshells Passing Arguments Parameter substitution

826 views • 65 slides
Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution Was part of OS kernel initially, now a normal program The shell interface looks like this: $ _ Prompt Keyboard cursor Unix shell $ cat

474 views • 22 slides
Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with high-level languages The turtle library Scripts &amp; Dependency Management Parsing command line options A small application Conclusion Shell

537 views • 27 slides
Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your

Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your

Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your default shell %chsh USERNAME /bin/bash More in the CS help page http://www.cs.purdue.edu/resources/facilities/oracle/cs.sxhtml Note te :

92 views • 5 slides
The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands run some code to do the command For other commands find program executable and .... run it. Other features: wildcards, pipes, redirection.

468 views • 18 slides
Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile &amp; Debug (for C) Text Editor (Vim, Sublime text, Atom) Shell Script A shell script is a program designed to be run by the shell. The various

375 views • 35 slides
The Command Shell Fundamentals of Computer Science Outline Starting the Command Shell

The Command Shell Fundamentals of Computer Science Outline Starting the Command Shell

The Command Shell Fundamentals of Computer Science Outline Starting the Command Shell Locally Remote Host Directory Structure Moving around the directories Displaying File Contents Compiling and Running a Python Program

198 views • 19 slides
REPRESENTING THE UNIVERSITY OF JOHANNESBURG AT THE SHELL ECO-MARATHON CONTENTS 01 The Shell

REPRESENTING THE UNIVERSITY OF JOHANNESBURG AT THE SHELL ECO-MARATHON CONTENTS 01 The Shell

REPRESENTING THE UNIVERSITY OF JOHANNESBURG AT THE SHELL ECO-MARATHON CONTENTS 01 The Shell Eco-marathon 02 Introduction 03 Technical Aspects 04 Technical Budget 05 Sponsorships 06 Multi-Disciplinary Team 07 Off Track Awards 08 Exposure

234 views • 20 slides
The devil shell (dsh) COMPSCI210 Recitation 4th Feb 2013 Vamsi Thummala Shell Interactive

The devil shell (dsh) COMPSCI210 Recitation 4th Feb 2013 Vamsi Thummala Shell Interactive

The devil shell (dsh) COMPSCI210 Recitation 4th Feb 2013 Vamsi Thummala Shell Interactive command interpreter A high level language (scripting) Interface to the OS Provides support for key OS ideas Isolation Concurrency

522 views • 22 slides
Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016

Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016

Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016 Chad Holliday Chairman Royal Dutch Shell plc Royal Dutch Shell | May 24, 2016 Definitions &amp; The New Lens Scenarios are part of an ongoing

197 views • 19 slides
CMSC 240 SOFTWARE SYSTEMS DEVELOPMENT CMSC 240: Fall 2020 Homework

CMSC 240 SOFTWARE SYSTEMS DEVELOPMENT CMSC 240: Fall 2020 Homework

CMSC 240 SOFTWARE SYSTEMS DEVELOPMENT CMSC 240: Fall 2020 Homework http://www.mathcs.richmond.edu/~blawson/cmsc240 Read: Syllabus Chapters 1, 2, 3 of C++ Primer Plus Tutorial: Unix Tutorial for Beginners (Intro, Tutorial 1,

1.18k views • 46 slides
Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 41: a few more %cs would be needed to skip format string part 1 last time: pointer subterfuge pointer subterfuge

1.25k views • 78 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis and Threat Model Basic security properties CIA Threat model A. We want perfect security B. Security is about risk analysis and

426 views • 29 slides
Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat

Trends in Open Source Security FOSDEM 2013 Florian Weimer fweimer@redhat.com Red Hat Product Security Team 2013-02-02 Overview Vulnerability tracking Tool-chain hardening Distribution-wide defect analysis 2 TRENDS IN OPEN

462 views • 31 slides
Strings 1 Sharif University of Technology Department of Computer Engineering Input and Output

Strings 1 Sharif University of Technology Department of Computer Engineering Input and Output

Strings 1 Sharif University of Technology Department of Computer Engineering Input and Output Lecture 4 Introduction Until now We have seen strings in printf Our old definition: string is a set of char between

489 views • 34 slides
THE C PROGRAMMING LANGUAGE WHY LEARN C? Compared to other high-level languages Maps almost

THE C PROGRAMMING LANGUAGE WHY LEARN C? Compared to other high-level languages Maps almost

THE C PROGRAMMING LANGUAGE WHY LEARN C? Compared to other high-level languages Maps almost directly into hardware instructions making code potentially more efficient Provides minimal set of abstractions compared to other HLLs HLLs

783 views • 50 slides
Compressing Strings of the Kernel Wolfram Sang Consultant 21.8.2014, LinuxCon14 Wolfram Sang

Compressing Strings of the Kernel Wolfram Sang Consultant 21.8.2014, LinuxCon14 Wolfram Sang

. . Compressing Strings of the Kernel Wolfram Sang Consultant 21.8.2014, LinuxCon14 Wolfram Sang (wsa@the-dreams.de) Compressing Strings of the Kernel 21.8.2014, LinuxCon14 1 / 36 The origin: CEWG project 1 kernel debug messages.

909 views • 44 slides

More recommend