lec08 remote exploit
play

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia - PowerPoint PPT Presentation

Sep 13, 2023 •260 likes •596 views

1 Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia In-class CTF on Nov 16-17 (24 hours)! Due: form your team and submit your CTF challenge by Nov 13! Due: Lab07 is out and its due on Nov 2 (two weeks!) NSA

  1. 1 Lec08: Remote Exploit Taesoo Kim

  2. 2 Scoreboard

  3. 3 Administrivia • In-class CTF on Nov 16-17 (24 hours)! • Due: form your team and submit your CTF challenge by Nov 13! • Due: Lab07 is out and its due on Nov 2 (two weeks!) • NSA Codebreaker Challenge → Due: Nov 29

  4. 4 Best Write-ups for Lab05 libbase gkamuzora3, stong moving-target nhicks6, sfriedfertig fmtstr-digging riya, burak fmtstr-read fmtstr-write brainfxxk fd-const stong, palai fmtstr-heap seulbae, riya profile palai, burak mini-sudo palai, stong

  5. 5 Discussion: Lab05 • What’s the most “annoying” bug or challenge? • What’s the most “interesting” bug or challenge? • So, DEP and ASLR are not so effective?

  6. 6 Discussion: libbase • What do you learn from ./check? $ ./check stack : 0xff930aa0 system(): 0xf7521c50 printf(): 0xf7536670 $ ./check stack : 0xff930250 system(): 0xf755dc50 printf(): 0xf7572670

  7. 7 Discussion: libbase

  8. 8 Discussion: moving-target • What’s “check-aslr.sh” and pie.c? • How many times should we try to exploit?

  9. 9 Discussion: moving-target

  10. 10 Discussion: fmtstr-*? • fmtstr-read/write/digging are relatviely easy

  11. 11 How to Prevent fmtstr-*?

  12. 12 How to Prevent fmtstr-*? 1. Non-POSIX compliant (e.g., Windows) • Discarding %n • Limiting width (e.g., “%.512x” in XP, “%.622496x” in 2000) 2. Dynamic: enabling FORTIFY in gcc (e.g., Ubuntu) 3. Static: code annotation (e.g., Linux)

  13. 13 FORTIFY (-D_FORTIFY_SOURCE=2) • Ensuring that all positional arguments are used • e.g., %2$d is not ok without %1$d • Ensuring that fmtstr is in the read-only region (when %n) • e.g., “%n” should not be in a writable region $ ./fortify-yes %2$d *** invalid %N$ use detected *** $ ./fortify-yes %n *** %n in writable segment detected ***

  14. 14 Discussion: brainfxxk

  15. 15 Discussion: brainfxxk

  16. 16 Discussion: fd-const • What’s the bug? • How to exploit?

  17. 17 Discussion: profile • What’s program about? • What’s the bug?

  18. 18 Discussion: profile

  19. 19 Discussion: profile

  20. 20 Discussion: profile

  21. 21 Discussion: mini-sudo (CVE-2012-0809) • What is ‘ -D9’ for?

  22. 22 Discussion: mini-sudo (CVE-2012-0809) void sudo_debug(int level, const char *fmt, ...) { va_list ap; char *fmt2; if (level > debug_level) return; /* Backet fmt with program name and a newline to make it a single write */ easprintf(&fmt2, "%s: %s\n", getprogname(), fmt); va_start(ap, fmt); vfprintf(stderr, fmt2, ap); va_end(ap); efree(fmt2); }

  23. 23 CVE-2013-1848: Linux ext3 void ext3_msg(struct super_block *sb, const char *prefix, const char *fmt, ...) { struct va_format vaf; va_list args; va_start(args, fmt); vaf.fmt = fmt; vaf.va = &args; printk("%sEXT3-fs (%s): %pV\n", prefix, sb→s_id, &vaf); va_end(args); }

  24. 24 CVE-2013-1848: Linux ext3 // @get_sb_block() ext3_msg(sb, "error: invalid sb specification: %s", *data); // @ext3_blkdev_get() ext3_msg(sb, "error: failed to open journal device %s: %ld", __bdevname(dev, b), PTR_ERR(bdev));

  25. 25 Take-outs from DEP/ASLR? • Do you think DEP/ASLR make attackers’ life more difficult? • Is still possible to exploit? why? • Although we can’t place shellcode into stack/heap, we can still hijack the control flow of a program in many interesting ways

  26. 26 Discussion: Modern Exploit on ASLR (PIE) • Leak (or infer) code pointers (so map into library or code) • Construct ROP (today’s topic) • (although there are a few proposals, such as CFI, to mitigate ROPs)

  27. 27 Today’s Tutorial • About the in-class CTF challenge • In-class tutorial: • Socket programming in Python • Your first remote exploit!

  28. 28 About: In-class CTF • In-class CTF on Nov 16-17 (24 hours), starting in the class! • 3-4 persons as a team • Award prizes! • Submit your CTF challenge by Nov 13!

  29. 29 About: Docker Template/Sample $ ssh lab07@computron.gtisc.gatech.edu -p 9007 $ ssh lab07@cyclonus.gtisc.gatech.edu -p 9007 Password: lab07 $ cd tut-remote $ cat README

  30. 30 Remote Challenges • Use techniques learned from Lab01-Lab07 • But targeting the remote server (e.g., online services)!

  31. 31 Lab07: Remote Challenges

  32. 32 DEMO: about how remote challenges work • nc • exploit.py

  33. 33 In-class Tutorial • Step1: nc • Step2: brute force attack • Step3: guessing attack $ ssh lab07@computron.gtisc.gatech.edu -p 9007 $ ssh lab07@cyclonus.gtisc.gatech.edu -p 9007 Password: lab07 $ cd tut-remote $ cat README

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

1 Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia No class on Oct 28 If you are interested in, check out EKOPARTY CTF 2016 Due: Lab08 is out and its due on Nov 3 (two weeks!)

530 views • 21 slides
OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June

OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June

OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June 30, 2007 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability was found: The m dup1()

587 views • 23 slides
Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are The exploit problem Modern software vulnerabilities Hardware-assisted exploit Agenda prevention Prior research

674 views • 45 slides
aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

Ein Blick in die Hexenkche der Exploit Entwickler aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 2 27/03/2018 // Exploit Development for Dummies

613 views • 48 slides
Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley Carnegie Mellon University 8/15/2011 1 Downloading Exploits I found a Exploit control flow hijack exploit online! Evil Ed Windows 7 8/15/2011 2

837 views • 58 slides
------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code? A. EIP B. ESP C. EAP D. EEP Ans: A 2)Which type of scan does not

431 views • 18 slides
Remote Access Plus Enterprise Remote Access Sofuware - Product Overview Covers all your

Remote Access Plus Enterprise Remote Access Sofuware - Product Overview Covers all your

Remote Access Plus Enterprise Remote Access Sofuware - Product Overview Covers all your troubleshooting needs ! On Premises Available on cloud Feature Highlights Advanced remote desktop sharing Voice, video and text chat Remote

222 views • 11 slides
Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction Programs have become increasingly difficult to exploit larger, changing surface area mitigations more bytes to siphon through 10/22/2015

652 views • 46 slides
Remote Working Toolkit Remote Work Best Practices Remote work provides a unique & exciting

Remote Working Toolkit Remote Work Best Practices Remote work provides a unique & exciting

Remote Working Toolkit Remote Work Best Practices Remote work provides a unique & exciting opportunity: with just a few tweaks to your homelife and routine, your productivity and personal well-being can be maximized. This document

324 views • 6 slides
TheReleaseofProofofConcept CodeintotheWild An exploit

TheReleaseofProofofConcept CodeintotheWild An exploit

TheReleaseofProofofConcept CodeintotheWild An exploit isapieceofsoftware,achunkof data,orsequenceofcommandsthattake

398 views • 24 slides
DTCP + Remote Access Proposal for Discussion with 3S October 28, 2009 1 Remote Access (RA)

DTCP + Remote Access Proposal for Discussion with 3S October 28, 2009 1 Remote Access (RA)

DTCP + Remote Access Proposal for Discussion with 3S October 28, 2009 1 Remote Access (RA) Basic Rules Remote Connection AKE RA Encoding Rules 2 Remote Access Basic Rules Source devices may permit remote access to content

326 views • 15 slides
COLLARTS SOURCING REMOTE INTERNSHIPS WHAT IS A REMOTE INTERNSHIP? COLLARTS REMOTE INTERNSHIPS

COLLARTS SOURCING REMOTE INTERNSHIPS WHAT IS A REMOTE INTERNSHIP? COLLARTS REMOTE INTERNSHIPS

COLLARTS SOURCING REMOTE INTERNSHIPS WHAT IS A REMOTE INTERNSHIP? COLLARTS REMOTE INTERNSHIPS A remote internship is a class of internship where you do not have to be physically present in the office or site while doing the internship. You

151 views • 13 slides
COUNTERS REMOTE LDL-xxx-06/26 LNL-xxx-27 LGL-xxx-27 LDL-xxx-06 LDL-xxx-06 LDL-xxx-06

COUNTERS REMOTE LDL-xxx-06/26 LNL-xxx-27 LGL-xxx-27 LDL-xxx-06 LDL-xxx-06 LDL-xxx-06

REMOTE COLLECTION COUNTERS REMOTE LDL-xxx-06/26 LNL-xxx-27 LGL-xxx-27 LDL-xxx-06 LDL-xxx-06 LDL-xxx-06 LDL-xxx-06 Possibility of connecting in one line with low multidecks LDL-xxx-07 LDL-xxx-07 LDL-xxx-07 LDL-xxx-07 LDL-xxx-07

1k views • 82 slides
Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue Bloomberg L.P. New York, USA. May 24, 2015 Big picture : The Automated Exploitation Grand Challenge A Security Exploit is a program taking

451 views • 23 slides
Remote Access and SSH a t t e n t i i g r e e n ! P a y t o t e x t o n n T h e s e c o r r e c t

Remote Access and SSH a t t e n t i i g r e e n ! P a y t o t e x t o n n T h e s e c o r r e c t

Remote Access and SSH a t t e n t i i g r e e n ! P a y t o t e x t o n n T h e s e c o r r e c t i d o n e a f t h e l e c t u r e ! t e r a r e o n s 1 Remote Access Modern computing requires the use of a variety of resources located on

652 views • 44 slides
Remote Procedure Calls Dan Savel, dxs221 EECS 338, Spring 2011 What is a Remote Procedure Call?

Remote Procedure Calls Dan Savel, dxs221 EECS 338, Spring 2011 What is a Remote Procedure Call?

Remote Procedure Calls Dan Savel, dxs221 EECS 338, Spring 2011 What is a Remote Procedure Call? Executing a procedure in an application running on a remote server Transport Protocol and Serialization are abstracted away to work

309 views • 20 slides
Toward the KRW conjecture Cubic Formula Lower Bounds via Communication Complexity Irit Dinur Or

Toward the KRW conjecture Cubic Formula Lower Bounds via Communication Complexity Irit Dinur Or

Toward the KRW conjecture Cubic Formula Lower Bounds via Communication Complexity Irit Dinur Or Meir Irit Dinur, Or Meir Toward the KRW conjecture Formulas (de-Morgan) Formulas are circuits with fan-out 1 . Cannot store intermediate results.

982 views • 97 slides
HP Fortify Scanner Setup CSIF computer's should have the scanner already installed

HP Fortify Scanner Setup CSIF computer's should have the scanner already installed

HP Fortify Scanner Setup CSIF computer's should have the scanner already installed Command is sourceanalyzer Problems which sourceanalyzer == <path>/HP_Fortify/HP_Fortify_SCA_and_Apps_<ver

358 views • 15 slides
Techniques Used for Optimizing 3D Techniques Used for Optimizing 3D Geovisualization of Terez n

Techniques Used for Optimizing 3D Techniques Used for Optimizing 3D Geovisualization of Terez n

Techniques Used for Optimizing 3D Techniques Used for Optimizing 3D Geovisualization of Terez n n Geovisualization of Terez Memorial Memorial Karel Jedli ka, Vclav ada, Radek Fiala, Pavel Hjek, Karel Jane ka, Jan Jeek, Jan

453 views • 20 slides
Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik Matuschke Tom McCormick Gianpaolo Oriolo TU Berlin UBC Vancouver Tor Vergata Britta Peis Martin Skutella RWTH Aachen TU Berlin Robust flows

531 views • 28 slides
Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman

Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman

Minemu: Protecting buggy binaries from memory corruption attacks Erik Bosman <erik@minemu.org> Programming Languages type-safe vs. not type-safe Programming Languages type-safe vs. not type-safe Java Python Ruby Javascript

1.22k views • 111 slides
Secure Programming with Static Analysis Brian Chess brian@fortify.com Software Systems that

Secure Programming with Static Analysis Brian Chess brian@fortify.com Software Systems that

Secure Programming with Static Analysis Brian Chess brian@fortify.com Software Systems that are Ubiquitous Connected Dependable Complexity Unforeseen Consequences Software Security Today The line between secure/insecure is

624 views • 48 slides
The Power of Collaboration Among CCAs Presented by: Chris Sentieri Center for Climate

The Power of Collaboration Among CCAs Presented by: Chris Sentieri Center for Climate

The Power of Collaboration Among CCAs Presented by: Chris Sentieri Center for Climate Protection Webinar February 13, 2019 a division of Blue Strike Environmental Chris Sentieri Senior Manager- EcoShift Consulting, a division of Blue

65 views • 6 slides
Survival of the Weakest: Why the West Rules with Salvatore Modica 1 Introduction Why did the

Survival of the Weakest: Why the West Rules with Salvatore Modica 1 Introduction Why did the

Survival of the Weakest: Why the West Rules with Salvatore Modica 1 Introduction Why did the industrial revolution take place in the West and not, say, China? As many theories as there are authors The consensus if there is one

498 views • 21 slides

More recommend