Lec08: Remote Exploit, by Taesoo Kim (PowerPoint PPT presentation)


SLIDE 1

Lec08: Remote Exploit

Taesoo Kim

SLIDE 2

Scoreboard

SLIDE 3

Administrivia

  • In-class CTF on Nov 16-17 (24 hours)!
  • Due: form your team and submit your CTF challenge by Nov 13!
  • Due: Lab07 is out and it's due on Nov 2 (two weeks!)
  • NSA Codebreaker Challenge → Due: Nov 29

SLIDE 4

Best Write-ups for Lab05

  • libbase: gkamuzora3, stong
  • moving-target: nhicks6, sfriedfertig
  • fmtstr-digging: riya, burak
  • fmtstr-read, fmtstr-write, brainfxxk: (no write-up listed)
  • fd-const: stong, palai
  • fmtstr-heap: seulbae, riya
  • profile: palai, burak
  • mini-sudo: palai, stong

SLIDE 5

Discussion: Lab05

  • What’s the most “annoying” bug or challenge?
  • What’s the most “interesting” bug or challenge?
  • So, DEP and ASLR are not so effective?

SLIDE 6

Discussion: libbase

  • What do you learn from ./check?

$ ./check
stack   : 0xff930aa0
system(): 0xf7521c50
printf(): 0xf7536670
$ ./check
stack   : 0xff930250
system(): 0xf755dc50
printf(): 0xf7572670
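The two runs above differ in every absolute address, but not in the distance between the two libc symbols: ASLR moves the stack and the whole libc mapping, while the layout inside libc stays fixed. The following is an added example (not the course's own ./check program): it reproduces what ./check prints for the current process and, using the two runs copied from the slide as sample data, checks that the printf-system distance is constant while the libc base moves by whole pages. The struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One run of ./check: the three addresses it prints. */
struct check_sample {
    uintptr_t stack;      /* address of a local on the stack */
    uintptr_t system_fn;  /* address of libc's system()      */
    uintptr_t printf_fn;  /* address of libc's printf()      */
};

/* The two runs shown on the slide (values copied from the slide output). */
static const struct check_sample run1 = { 0xff930aa0u, 0xf7521c50u, 0xf7536670u };
static const struct check_sample run2 = { 0xff930250u, 0xf755dc50u, 0xf7572670u };

/* Distance from system() to printf() inside libc.  ASLR relocates the whole
 * shared object as one block, so this distance is identical in every run. */
uintptr_t libc_delta(const struct check_sample *s)
{
    return s->printf_fn - s->system_fn;
}

/* Signed shift of the libc mapping between two runs (positive = moved up).
 * mmap'd regions move by whole pages, so this is a multiple of 4096. */
intptr_t libc_shift(const struct check_sample *a, const struct check_sample *b)
{
    return (intptr_t)b->system_fn - (intptr_t)a->system_fn;
}

/* Signed shift of the stack between two runs. */
intptr_t stack_shift(const struct check_sample *a, const struct check_sample *b)
{
    return (intptr_t)b->stack - (intptr_t)a->stack;
}

/* True when both runs agree on the libc-internal layout: leaking any single
 * libc address in a run therefore fixes every other libc address for that
 * run, which is why pointer leaks matter even with ASLR enabled. */
int same_libc_layout(const struct check_sample *a, const struct check_sample *b)
{
    return libc_delta(a) == libc_delta(b);
}

/* Reproduce ./check for the current process; run it twice to watch ASLR. */
int main(void)
{
    int local = 0;
    struct check_sample now = {
        (uintptr_t)&local, (uintptr_t)system, (uintptr_t)printf
    };
    printf("stack   : 0x%lx\n", (unsigned long)now.stack);
    printf("system(): 0x%lx\n", (unsigned long)now.system_fn);
    printf("printf(): 0x%lx\n", (unsigned long)now.printf_fn);
    printf("printf-system: 0x%lx (slide runs: 0x%lx, 0x%lx)\n",
           (unsigned long)libc_delta(&now),
           (unsigned long)libc_delta(&run1), (unsigned long)libc_delta(&run2));
    printf("libc shift between slide runs: 0x%lx, stack shift: %ld\n",
           (unsigned long)libc_shift(&run1, &run2), (long)stack_shift(&run1, &run2));
    return 0;
}
```

The distance printed for the current process will differ from the slide's 0x14a20 (different libc build), but it will be the same on every execution, exactly as it is across the two slide runs.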

SLIDE 7

Discussion: libbase

SLIDE 8

Discussion: moving-target

  • What’s “check-aslr.sh” and pie.c?
  • How many times should we try to exploit?

SLIDE 9

Discussion: moving-target

SLIDE 10

Discussion: fmtstr-*?

  • fmtstr-read/write/digging are relatively easy

SLIDE 11

How to Prevent fmtstr-*?

SLIDE 12

How to Prevent fmtstr-*?

  • 1. Non-POSIX compliant (e.g., Windows)
    • Discarding %n
    • Limiting width (e.g., “%.512x” in XP, “%.622496x” in 2000)
  • 2. Dynamic: enabling FORTIFY in gcc (e.g., Ubuntu)
  • 3. Static: code annotation (e.g., Linux)

SLIDE 13

FORTIFY (-D_FORTIFY_SOURCE=2)

  • Ensuring that all positional arguments are used
    • e.g., %2$d is not ok without %1$d
  • Ensuring that fmtstr is in the read-only region (when %n)
    • e.g., “%n” should not be in a writable region

$ ./fortify-yes %2$d
*** invalid %N$ use detected ***
$ ./fortify-yes %n
*** %n in writable segment detected ***
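To make the two FORTIFY rules on this slide concrete, here is an added example (this is my own user-space validator, not glibc's implementation): it parses a printf format string and rejects it the way the fortified vfprintf would, namely when a positional argument %N$ is used while some lower %k$ is never referenced, or when %n appears. glibc's second rule only rejects %n when the format string lies in a writable mapping; this example approximates that by refusing every %n, which is stricter. The enum names and fmt_check() are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result codes (constructed for this example; glibc's own messages are the
 * ones quoted on the slide). */
enum fmt_result {
    FMT_OK = 0,
    FMT_BAD_POSITIONAL,   /* some %k$ below the highest %N$ is never used        */
    FMT_MIXED_NUMBERING,  /* positional (%N$) and sequential (%d) directives mixed */
    FMT_HAS_N,            /* %n present: a write through an argument pointer     */
    FMT_MALFORMED         /* truncated or unknown conversion                     */
};

#define MAX_POSITIONAL 64

/* Parse one directive starting just after '%'.  Advances *pp past it, stores
 * the %N$ index in *pos (0 when absent) and returns the conversion character
 * ('\0' if the string ended mid-directive).  A '*' width or precision is
 * skipped but not counted as an argument slot in this simplified checker. */
static char parse_directive(const char **pp, unsigned *pos)
{
    const char *p = *pp, *q = p;
    unsigned n = 0;
    *pos = 0;
    while (isdigit((unsigned char)*q))                /* %N$ positional prefix */
        n = n * 10 + (unsigned)(*q++ - '0');
    if (q != p && *q == '$') { *pos = n; p = q + 1; }
    while (*p && strchr("-+ #0'", *p)) p++;           /* flags */
    if (*p == '*') p++;                               /* width */
    while (isdigit((unsigned char)*p)) p++;
    if (*p == '$') p++;
    if (*p == '.') {                                  /* precision */
        p++;
        if (*p == '*') p++;
        while (isdigit((unsigned char)*p)) p++;
        if (*p == '$') p++;
    }
    while (*p && strchr("hlLqjzt", *p)) p++;          /* length modifier */
    char conv = *p;
    *pp = conv ? p + 1 : p;
    return conv;
}

enum fmt_result fmt_check(const char *fmt)
{
    bool used[MAX_POSITIONAL + 1] = { false };
    unsigned max_pos = 0;
    bool positional = false, sequential = false, has_n = false;

    for (const char *p = fmt; *p; ) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }             /* literal "%%" */
        unsigned pos;
        char conv = parse_directive(&p, &pos);
        if (conv == '\0' || !strchr("diouxXeEfFgGaAcspn", conv))
            return FMT_MALFORMED;
        if (conv == 'n') has_n = true;
        if (pos == 0) {
            sequential = true;
        } else {
            if (pos > MAX_POSITIONAL) return FMT_MALFORMED;
            positional = true;
            used[pos] = true;
            if (pos > max_pos) max_pos = pos;
        }
    }
    /* FORTIFY rule 1: every slot 1..N must be referenced, and the two
     * numbering styles must not be mixed ("invalid %N$ use detected"). */
    if (positional && sequential) return FMT_MIXED_NUMBERING;
    for (unsigned i = 1; i <= max_pos; i++)
        if (!used[i]) return FMT_BAD_POSITIONAL;
    /* FORTIFY rule 2, approximated: glibc tolerates %n only when fmt lives in
     * a read-only mapping; this checker refuses every %n. */
    if (has_n) return FMT_HAS_N;
    return FMT_OK;
}

int main(void)
{
    /* Constructed sample format strings, including the two from the slide. */
    const char *samples[] = { "%d %s", "%2$d", "%n", "100%%", "%2$s %1$d" };
    static const char *names[] = { "ok", "bad positional", "mixed numbering",
                                   "%n", "malformed" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s -> %s\n", samples[i], names[fmt_check(samples[i])]);
    return 0;
}
```

A checker like this is useful as a lint for format strings that are assembled at run time; it is not a substitute for the compile-time and run-time checks on the slide, which see the real argument list and memory map.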

SLIDE 14

Discussion: brainfxxk

SLIDE 15

Discussion: brainfxxk

SLIDE 16

Discussion: fd-const

  • What’s the bug?
  • How to exploit?

SLIDE 17

Discussion: profile

  • What’s the program about?
  • What’s the bug?

SLIDE 18

Discussion: profile

SLIDE 19

Discussion: profile

SLIDE 20

Discussion: profile

SLIDE 21

Discussion: mini-sudo (CVE-2012-0809)

  • What is ‘D9’ for?

SLIDE 22

Discussion: mini-sudo (CVE-2012-0809)

void sudo_debug(int level, const char *fmt, ...)
{
    va_list ap;
    char *fmt2;

    if (level > debug_level)
        return;

    /* Bracket fmt with program name and a newline to make it a single write */
    easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
    va_start(ap, fmt);
    /* fmt2, which now embeds the program name, is used as the format string */
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
    efree(fmt2);
}

SLIDE 23

CVE-2013-1848: Linux ext3

void ext3_msg(struct super_block *sb, const char *prefix, const char *fmt, ...)
{
    struct va_format vaf;
    va_list args;

    va_start(args, fmt);
    vaf.fmt = fmt;
    vaf.va = &args;
    printk("%sEXT3-fs (%s): %pV\n", prefix, sb->s_id, &vaf);
    va_end(args);
}

SLIDE 24

CVE-2013-1848: Linux ext3

// @get_sb_block()
// the prefix argument is missing: the message lands in `prefix` and *data becomes `fmt`
ext3_msg(sb, "error: invalid sb specification: %s", *data);

// @ext3_blkdev_get()
// same shift: the device name returned by __bdevname() is used as the format string
ext3_msg(sb, "error: failed to open journal device %s: %ld",
         __bdevname(dev, b), PTR_ERR(bdev));
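Both bugs above have the same root cause: data (argv[0] in sudo_debug, a device name in ext3_msg) ends up being interpreted as a format string. The following added example (my own code, not sudo's actual patch nor the kernel's) shows the hardened shape of sudo_debug from slide 22, where the program name is passed through a "%s" conversion instead of being spliced into the format, together with the static annotation from slide 12 (item 3): the GCC/Clang format attribute lets the compiler warn, under -Wformat -Wformat-security, when a non-literal string is passed in the format slot, which is exactly the call shape of the ext3_msg bug. The function names debug_line, debug_line_v and sudo_debug_safe are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Static annotation (slide 12, item 3): argument fmt_idx is a printf-style
 * format whose values start at argument args_idx.  With -Wformat
 * -Wformat-security the compiler warns on e.g. debug_line(name, user_string)
 * with no further arguments, the call shape of the ext3_msg() bug. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, args_idx) __attribute__((format(printf, fmt_idx, args_idx)))
#else
#define PRINTF_LIKE(fmt_idx, args_idx)
#endif

/* Hardened counterpart of sudo_debug() (example only, not sudo's actual
 * patch).  The program name is printed through a "%s" conversion rather than
 * spliced into the format, so any '%' in argv[0] stays literal text.  The
 * line is assembled in one heap buffer so it can still go out in a single
 * write.  Returns a malloc'd string the caller frees, or NULL on error. */
static char *debug_line_v(const char *progname, const char *fmt, va_list ap)
{
    va_list ap2;
    va_copy(ap2, ap);                               /* measuring pass uses a copy */
    int head = snprintf(NULL, 0, "%s: ", progname);
    int body = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (head < 0 || body < 0)
        return NULL;

    size_t cap = (size_t)head + (size_t)body + 2;  /* + '\n' + NUL */
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;
    snprintf(buf, cap, "%s: ", progname);
    vsnprintf(buf + head, cap - (size_t)head, fmt, ap);
    buf[head + body] = '\n';
    buf[head + body + 1] = '\0';
    return buf;
}

PRINTF_LIKE(2, 3)
char *debug_line(const char *progname, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *line = debug_line_v(progname, fmt, ap);
    va_end(ap);
    return line;
}

/* Same shape as the original: gated on level, one write to stderr. */
PRINTF_LIKE(4, 5)
void sudo_debug_safe(int level, int debug_level, const char *progname, const char *fmt, ...)
{
    if (level > debug_level)
        return;
    va_list ap;
    va_start(ap, fmt);
    char *line = debug_line_v(progname, fmt, ap);
    va_end(ap);
    if (line != NULL) {
        fputs(line, stderr);
        free(line);
    }
}

int main(void)
{
    /* Constructed program name containing conversion characters: with the
     * original code it would have been interpreted as part of the format. */
    const char *argv0 = "%x%x%x";
    sudo_debug_safe(1, 2, argv0, "opened %s as fd %d", "/etc/sudoers", 3);
    char *s = debug_line(argv0, "level %d", 7);
    printf("%s", s);          /* prints: %x%x%x: level 7 */
    free(s);
    return 0;
}
```

The same annotation, placed on ext3_msg() as `__attribute__((format(printf, 3, 4)))`, would have made the compiler flag the two call sites on this slide, since the string in the fmt position is a runtime value rather than a literal.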

SLIDE 25

Take-outs from DEP/ASLR?

  • Do you think DEP/ASLR make attackers’ life more difficult?
  • Is it still possible to exploit? Why?
  • Although we can’t place shellcode into the stack/heap, we can still hijack the control flow of a program in many interesting ways

SLIDE 26

Discussion: Modern Exploit on ASLR (PIE)

  • Leak (or infer) code pointers (so map into library or code)
  • Construct ROP (today’s topic)
    • (although there are a few proposals, such as CFI, to mitigate ROPs)

SLIDE 27

Today’s Tutorial

  • About the in-class CTF challenge
  • In-class tutorial:
    • Socket programming in Python
    • Your first remote exploit!

SLIDE 28

About: In-class CTF

  • In-class CTF on Nov 16-17 (24 hours), starting in the class!
  • 3-4 persons as a team
  • Award prizes!
  • Submit your CTF challenge by Nov 13!

SLIDE 29

About: Docker Template/Sample

$ ssh lab07@computron.gtisc.gatech.edu -p 9007
$ ssh lab07@cyclonus.gtisc.gatech.edu -p 9007
Password: lab07
$ cd tut-remote
$ cat README

SLIDE 30

Remote Challenges

  • Use techniques learned from Lab01-Lab07
  • But targeting the remote server (e.g., online services)!

SLIDE 31

Lab07: Remote Challenges

SLIDE 32

DEMO: about how remote challenges work

  • nc
  • exploit.py

SLIDE 33

In-class Tutorial

  • Step1: nc
  • Step2: brute force attack
  • Step3: guessing attack

$ ssh lab07@computron.gtisc.gatech.edu -p 9007
$ ssh lab07@cyclonus.gtisc.gatech.edu -p 9007
Password: lab07
$ cd tut-remote
$ cat README