howto
play

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities - PowerPoint PPT Presentation

Nov 24, 2022 •392 likes •969 views

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

  1. HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013

  2. Table of contents HOWTO Basic Vulnerabilities and Reminders 1 their Exploitation Samuel Angebault Vulnerabilities 2 Reminders Buffer Overflow Vulnerabilities Off by One Security Out of bound Heap Overflow Format String Use after free Security 3 Canary DEP ASLR

  3. Plan HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities 1 Reminders Security

  4. Push & Pop HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Security

  5. Stack frame HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Security

  6. Function call HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Instruction Reminders Vulnerabilities call func Security Equivalent push %eip + 2 jmp func

  7. Function return HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Instruction Vulnerabilities Security ret Equivalent pop %eip

  8. Shared libraries HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities • PIC (Position Independent Code) Security • Addresses in the library are relative • The libraries can be mapped anywhere in the address space • We can no longer exploit via static analysis

  9. GOT PLT HOWTO Basic Vulnerabilities and their Exploitation • GOT (Global Offset Table) Samuel Angebault • PLT (Procedure Linkage Table) Reminders Vulnerabilities Security

  10. GOT PLT HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Security

  11. Plan HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities 2 Vulnerabilities Buffer Overflow Off by One Out of bound Heap Overflow Format String Use after free Security

  12. Buffer Overflow HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities • buffer allocated Buffer Overflow Off by One • not necessarily on the stack Out of bound Heap Overflow Format String • write more data than the size of the buffer Use after free Security • overriding data

  13. Stack view HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow Off by One Out of bound Heap Overflow Format String Use after free Security

  14. Jumping somewhere else HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow Off by One • controlling %eip Out of bound Heap Overflow • replacing the return address with another one Format String Use after free Security

  15. Stack view HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow Off by One Out of bound Heap Overflow Format String Use after free Security

  16. Spawning a shell HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault • raw code • writing shellcode for the exploit Reminders Vulnerabilities • shell Buffer Overflow • reverse shell Off by One Out of bound • ... Heap Overflow Format String • filling the buffer with the shellcode Use after free Security • overriding return address to jump on your code • shellcode often has to respect constrains • no null byte • ascii • ...

  17. Stack view HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow Off by One Out of bound Heap Overflow Format String Use after free Security

  18. Code example HOWTO Basic Vulnerabilities and #include <stdio.h> 1 their Exploitation #include <string.h> 2 Samuel Angebault 3 static void success( void ) 4 Reminders { 5 Vulnerabilities puts("you jumped sucessfully"); 6 Buffer Overflow } 7 Off by One 8 Out of bound static void test( const char *input) Heap Overflow 9 Format String { 10 Use after free char buffer[40]; 11 Security strcpy(buffer, input); 12 } 13 14 int main( int argc, char *argv[]) 15 { 16 if (argc != 2) return 1; 17 test(argv[1]); 18 return 0; 19 } 20

  19. The shellcode HOWTO Basic Vulnerabilities and their Exploitation C equivalent Samuel Angebault exceve("/bin/sh", 0, 0); Reminders Vulnerabilities Buffer Overflow add $0x42, %esp # moving stack pointer 1 Off by One Out of bound xor %eax,%eax # eax = 0 2 Heap Overflow # pushing "/bin//sh" onto the stack 3 Format String push %eax # push ’\0’ Use after free 4 push $0x68732f2f # hs// 5 Security push $0x6e69622f # nib/ 6 # setting registers for syscall 7 mov %esp,%ebx # ebx = filename 8 mov %eax,%ecx # ecx = NULL (argv) 9 mov %eax,%edx # edx = NULL (envp) 10 # putting syscall number in eax 11 mov $0xb,%al # eax = __NR_execve 11 12 int $0x80 # making syscall 13

  20. ret2reg HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow • one of the register contain the address we want Off by One Out of bound Heap Overflow • call on the content of the register Format String Use after free • no hardcoded address Security

  21. ret2reg HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault %eax contains the address of the buffer (return value of Reminders strcpy) We can call the address at %eax to execute our Vulnerabilities shellcode Buffer Overflow Off by One searching call to %eax Out of bound Heap Overflow Format String Use after free $ objdump -D ./stack | grep -E "call +\*%eax" Security 8048396: ff d0 call *%eax 804841f: ff d0 call *%eax The return value can be one of those

  22. ret2libc HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow Off by One • call a function of the libc with the return address Out of bound Heap Overflow • setup the stack in order to call the function Format String Use after free Security

  23. Stack View HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow Off by One Out of bound Heap Overflow Format String Use after free Security

  24. Off by One HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow • coding error Off by One Out of bound • stepping one more time on a loop Heap Overflow Format String Use after free • read or write depending of the case Security

  25. Example HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Code Buffer Overflow Off by One Out of bound char buffer[20]; Heap Overflow Format String for ( int i = 0; i <= 20; ++i) Use after free Security buffer[i] = getchar();

  26. Out of bound HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow • error in bound checking Off by One Out of bound Heap Overflow • write what where Format String Use after free • read where Security

  27. Write What Where HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Code Vulnerabilities Buffer Overflow void test( const char *input, int *array, int size) Off by One Out of bound { Heap Overflow int i = atoi(input) Format String Use after free if (i >= size) return ; Security array[i] = 0; }

  28. Heap Overflow HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow Off by One • Depending on malloc implementation Out of bound Heap Overflow • Case dependent Format String Use after free Security

  29. Heap view HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow Off by One Out of bound Heap Overflow Format String Use after free Security

  30. Reminders on printf HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Prototype Vulnerabilities Buffer Overflow Off by One int printf( const char *fmt, ...); Out of bound Heap Overflow Format String Use after free • *printf function take variadics parameters Security • all the parameters are push on the stack

  31. exploiting printf HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities • coding error Buffer Overflow Off by One • %n write the number of bytes printed at the given Out of bound Heap Overflow address Format String Use after free • %hhn = 1 byte %hn = 2 bytes %n = 4 bytes Security • %08x write 4 bytes in hexadecimal

  32. Format String HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault Reminders Vulnerabilities Buffer Overflow Off by One Out of bound Heap Overflow Format String Use after free Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ACCU2014 My ACCU 2014 talk on HOWTO The Brain was based on two articles - HOWTO

ACCU2014 My ACCU 2014 talk on HOWTO The Brain was based on two articles - HOWTO

ACCU2014 My ACCU 2014 talk on HOWTO The Brain was based on two articles - HOWTO The Brain and Mental Health Presentation. Those two articles are provided here. They were based on a number of efforts regarding mental

240 views • 12 slides
The Role of Data and Analysis in Human Trafficking Initiatives October 16, 2019 2:00PM

The Role of Data and Analysis in Human Trafficking Initiatives October 16, 2019 2:00PM

The Role of Data and Analysis in Human Trafficking Initiatives October 16, 2019 2:00PM 3:30PM EDT Sabrina Fernandez Program Manager International Association of Chiefs of Police (IACP) Webinar Howto Webinar Howto Webinar Howto

662 views • 38 slides
HOWTO AI FOR GOOD ARE ADS, GAMES, AND GANS REALLY THE BEST WE CAN DO? A PATH (TOO) WELL

HOWTO AI FOR GOOD ARE ADS, GAMES, AND GANS REALLY THE BEST WE CAN DO? A PATH (TOO) WELL

Julien Cornebise, Ph.D. 2019/03/21 - NVIDIA GTC HOWTO AI FOR GOOD ARE ADS, GAMES, AND GANS REALLY THE BEST WE CAN DO? A PATH (TOO) WELL TRODDEN 30 years of ICT4D Many fiascos One Laptop Per Child Telecentres

411 views • 26 slides
HowToKB: Mining HowTo Knowledge from Online Communities Cuong Chu, Niket Tandon , Gerhard Weikum

HowToKB: Mining HowTo Knowledge from Online Communities Cuong Chu, Niket Tandon , Gerhard Weikum

HowToKB: Mining HowTo Knowledge from Online Communities Cuong Chu, Niket Tandon , Gerhard Weikum MPI Saarbruecken Allen Institute for AI MPI Saarbruecken task frame : How to paint a wall HowToKB: Mining HowTo Knowledge from Online

415 views • 37 slides
BOX: HowTo Zip Tie Like a Pro JellyBox Build: 10_Quadruple (link directly to Zip Tie Tips t=0)

BOX: HowTo Zip Tie Like a Pro JellyBox Build: 10_Quadruple (link directly to Zip Tie Tips t=0)

BOX: HowTo Zip Tie Like a Pro JellyBox Build: 10_Quadruple (link directly to Zip Tie Tips t=0) Let's look at how to use zip ties to their full potential. _________________________________________________________________ Title: Tip: Zip Tie

206 views • 3 slides
Tutorial: Howto setup a Remote Test Lab (not only) within the AGL CI Infrastructure ALS

Tutorial: Howto setup a Remote Test Lab (not only) within the AGL CI Infrastructure ALS

Tutorial: Howto setup a Remote Test Lab (not only) within the AGL CI Infrastructure ALS Jun 2017 Jan-Simon Mller Introduction Name: Jan-Simon Mller Email: jsmoeller@linuxfoundation.org IRC: dl9pf , #automotive on

472 views • 33 slides
Belt Tension JellyBox HowTo: Belt Tension In this video, we set up the correct belt tension on X

Belt Tension JellyBox HowTo: Belt Tension In this video, we set up the correct belt tension on X

Belt Tension JellyBox HowTo: Belt Tension In this video, we set up the correct belt tension on X and Y axes. Belt Tension? If the belts are too loose, they may skip steps or even slip off idlers. You may also observe more 'ringing' artifacts

250 views • 4 slides
#join Top JellyBox HowTo: 23_Top In this video, we finish the box with the TOP acrylic piece.

#join Top JellyBox HowTo: 23_Top In this video, we finish the box with the TOP acrylic piece.

#join Top JellyBox HowTo: 23_Top In this video, we finish the box with the TOP acrylic piece. _________________________________________________________________ You'll Need: Top acrylic piece (1) Short smooth rods (2) Skate bearings (4)

280 views • 4 slides
HowTo: Calculate Evaluation Curves in Presentation Load all measurements you want to use into

HowTo: Calculate Evaluation Curves in Presentation Load all measurements you want to use into

HowTo: Calculate Evaluation Curves in Presentation Load all measurements you want to use into Presentation and display all curves for which you want to calculate the standard deviation (in order to load them into memory). Then, in the Control

280 views • 5 slides
#electro heatsinks JellyBox HowTo: 24_Heat Sinks In this video, we add heatsinks to the motor

#electro heatsinks JellyBox HowTo: 24_Heat Sinks In this video, we add heatsinks to the motor

#electro heatsinks JellyBox HowTo: 24_Heat Sinks In this video, we add heatsinks to the motor drivers to keep them cooler. The heatsinks are not needed for JellyBox operation, but they prolong the component drivers' life expectancy.

154 views • 3 slides
MICROSOFT EXCHANGE SERVER 2016 (ON-PREMISES) http://howto.odkud.com MANAGEMENT TOOLS

MICROSOFT EXCHANGE SERVER 2016 (ON-PREMISES) http://howto.odkud.com MANAGEMENT TOOLS

MICROSOFT EXCHANGE SERVER 2016 (ON-PREMISES) http://howto.odkud.com MANAGEMENT TOOLS Exchange admin center (EAC) https://&lt;ServerFQDN&gt;/ ecp Exchange Management Shell (based on Microsoft Windows PowerShell) RDP, Rest-API

550 views • 18 slides
HOWTO: Boot an OS By Camille Lecuyer LSE Week - July 17 2013 2 PRESENTATION EPITA 2014 -

HOWTO: Boot an OS By Camille Lecuyer LSE Week - July 17 2013 2 PRESENTATION EPITA 2014 -

1 HOWTO: Boot an OS By Camille Lecuyer LSE Week - July 17 2013 2 PRESENTATION EPITA 2014 - GISTRE Not LSE team 3 SUMMARY BIOS UEFI Boot a Linux kernel Boot a Multiboot compliant kernel 4 BIOS 5 OVERVIEW Basic

788 views • 48 slides
Test Extruder (E) Motor JellyBox HowTo: Test Extruder (E) Motor In this video, we test if the

Test Extruder (E) Motor JellyBox HowTo: Test Extruder (E) Motor In this video, we test if the

Test Extruder (E) Motor JellyBox HowTo: Test Extruder (E) Motor In this video, we test if the extruder motor is spinning. _________________________________________________________________ Title: Preheating the Nozzle Page 1 The JellyBox has

470 views • 4 slides
Power Up and Fans Check JellyBox HowTo: Power Up and Fans Check In this video, we turn the

Power Up and Fans Check JellyBox HowTo: Power Up and Fans Check In this video, we turn the

Power Up and Fans Check JellyBox HowTo: Power Up and Fans Check In this video, we turn the JellyBOX on for the 1st time for real, make sure all is A-OK, and also check the hotend and filament fans.

535 views • 4 slides
Database Management Systems (DBMS) Prof. Pfaff. Lafayette College February 19, 2018 Prof.

Database Management Systems (DBMS) Prof. Pfaff. Lafayette College February 19, 2018 Prof.

Database Management Systems (DBMS) Prof. Pfaff. Lafayette College February 19, 2018 Prof. Pfaff. DBMS Howto Model-View-Controller (MVC) Model Updates Manipulates View Controller Sees Sees Uses User Prof. Pfaff. DBMS Howto

361 views • 17 slides
First things first, sign up! http://openshift.redhat.com OpenShift, a little history Nov 2010

First things first, sign up! http://openshift.redhat.com OpenShift, a little history Nov 2010

First things first, sign up! http://openshift.redhat.com OpenShift, a little history Nov 2010 Makara acquired In 2011 merged into OpenShift project May 2012 Open Sourced GitHub, blogs, howto's, quickstarts, webinars

651 views • 32 slides
1: Software Development and .NET An approach to building software Overview Programming in

1: Software Development and .NET An approach to building software Overview Programming in

1: Software Development and .NET An approach to building software Overview Programming in software development Life-Cycles for software development Object-orientation and modelling Requirements analysis and specification

520 views • 25 slides
The European Spallation Source John Womersley, Director General February 2017 Neutrons are

The European Spallation Source John Womersley, Director General February 2017 Neutrons are

The European Spallation Source John Womersley, Director General February 2017 Neutrons are special Electrically neutral - deeply penetrating ... except for some isotopes Nuclear interaction : cross section depending on isotope (not

974 views • 32 slides
Runtime GUI Adaptation in Dynamic Software Product Lines Dean Kramer deankramer@acm.org

Runtime GUI Adaptation in Dynamic Software Product Lines Dean Kramer deankramer@acm.org

Introduction &amp; Recap Runtime Adaptation Implementation &amp; Tests Conclusions Runtime GUI Adaptation in Dynamic Software Product Lines Dean Kramer deankramer@acm.org University of West London/Middlesex University FOSD 2014

529 views • 24 slides
Assignment 5 Software and Web Security March 26 rd , 2014 Initial state RAX 0x????????????????

Assignment 5 Software and Web Security March 26 rd , 2014 Initial state RAX 0x????????????????

Assignment 5 Software and Web Security March 26 rd , 2014 Initial state RAX 0x???????????????? RBX 0x???????????????? RDX 0x???????????????? RDI RSI stack RSP xor %rdx, %rdx RAX 0x???????????????? RBX 0x???????????????? RDX

836 views • 40 slides
Computational Models of Discourse: Introduction to Discourse: Coherence and Cohesion, Lexical

Computational Models of Discourse: Introduction to Discourse: Coherence and Cohesion, Lexical

Computational Models of Discourse: Introduction to Discourse: Coherence and Cohesion, Lexical Chains Caroline Sporleder Universit at des Saarlandes Sommersemester 2009 29.04.2009 Caroline Sporleder csporled@coli.uni-sb.de Computational

1.33k views • 95 slides
Energy Infrastructure Package Regulation on guidelines for trans-European energy infrastructure

Energy Infrastructure Package Regulation on guidelines for trans-European energy infrastructure

Energy Infrastructure Package Regulation on guidelines for trans-European energy infrastructure &amp; Connecting Europe Facility European Commission DG Energy Internal Market I: Networks and Regional initiatives CONTENT Do we need more

528 views • 21 slides
Realistic noise simulation in LArSoft Andrea Scarpelli (CNRS/APC) Outline 3x1x1 noise patterns

Realistic noise simulation in LArSoft Andrea Scarpelli (CNRS/APC) Outline 3x1x1 noise patterns

Realistic noise simulation in LArSoft Andrea Scarpelli (CNRS/APC) Outline 3x1x1 noise patterns Simulation strategy Results Summary of the model FFT MODEL CREATION FFT based on 3x1x1 729-0 noise run (the pedestal reference for this

382 views • 6 slides
On the Noisy Gradient Descent that Generalizes as SGD Jingfeng Wu , Wenqing Hu, Haoyi Xiong, Jun

On the Noisy Gradient Descent that Generalizes as SGD Jingfeng Wu , Wenqing Hu, Haoyi Xiong, Jun

On the Noisy Gradient Descent that Generalizes as SGD Jingfeng Wu , Wenqing Hu, Haoyi Xiong, Jun Huan, Vladimir Braverman, Zhanxing Zhu Johns Hopkins University, Missouri University of Science and Technology, Baidu Research, Styling AI, Peking

672 views • 12 slides

More recommend