Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to Computer Security Day 4: Low-level attacks Shellcode techniques Stephen McCamant University of Minnesota, Computer Science & Engineering Exploiting other vulnerabilities Overwriting the return address Collateral damage Collateral damage Other code injection targets Function pointers Stop the program from crashing early Local, global, on heap ‘Overwrite’ with same value, or another legal one ❧♦♥❣❥♠♣ buffers GOT (PLT) / import tables Minimize time between overwrite and use Exception handlers Indirect overwrites Non-sequential writes Change a data pointer used to access a code E.g. missing bounds check, corrupted pointer pointer Can be more flexible and targeted Easiest if there are few other uses E.g., a write-what-where primitve Common examples More likely needs an absolute location Frame pointer May have less control of value written C++ object vtable pointer
Unexpected-size writes Outline Classic code injection attacks Attacks don’t need to obey normal conventions Announcements intermission Overwrite one byte within a pointer Shellcode techniques Use mis-aligned word writes to isolate a byte Exploiting other vulnerabilities Note to early readers Outline Classic code injection attacks This is the section of the slides most likely to change Announcements intermission in the final version If class has already happened, make sure you have Shellcode techniques the latest slides for announcements Exploiting other vulnerabilities Basic definition Classic execve ✴❜✐♥✴s❤ Shellcode: attacker supplied instructions ❡①❡❝✈❡✭❢♥❛♠❡✱ ❛r❣✈✱ ❡♥✈♣✮ system call implementing malicious functionality Specialized syscall calling conventions Name comes from example of starting a shell Omit unneeded arguments Often requires attention to machine-language Doable in under 25 bytes for Linux/x86 encoding Avoiding zero bytes More restrictions No newlines Common requirement for shellcode in C string Only printable characters Analogy: broken 0 key on keyboard Only alphanumeric characters May occur in other parts of encoding as well “English Shellcode” (CCS’09)
Transformations Multi-stage approach Fold case, escapes, Latin1 to Unicode, etc. Initially executable portion unpacks rest from another format Invariant: unchanged by transformation Improves efficiency in restricted environments Pre-image: becomes shellcode only after transformation But self-modifying code has pitfalls NOP sleds Where to put shellcode? Goal: make the shellcode an easier target to hit In overflowed buffer, if big enough Anywhere else you can get it Long sequence of no-op instructions, real shellcode at the end Nice to have: predictable location x86: 0x90 0x90 0x90 0x90 0x90 . . . shellcode Convenient choice of Unix local exploits: Where to put shellcode? Code reuse Environment variables If can’t get your own shellcode, use existing code Classic example: s②st❡♠ implementation in C library “Return to libc” attack More variations on this later Outline Non-control data overwrite Classic code injection attacks Overwrite other security-sensitive data Announcements intermission No change to program control flow Shellcode techniques Set user ID to 0, set permissions to all, etc. Exploiting other vulnerabilities
Heap meta-data Heap meta-data Boundary tags similar to doubly-linked list Overwritten on heap overflow Arbitrary write triggered on ❢r❡❡ Simple version stopped by sanity checks Use after free Integer overflows Easiest to use: overflow in small (8-, 16-bit) value, or Write to new object overwrites old, or vice-versa only overflowed value used Key issue is what heap object is reused for 2GB write in 100 byte buffer Find some other way to make it stop Influence by controlling other heap operations Arbitrary single overwrite Use math to figure out overflowing value Null pointer dereference Format string attack Add offset to make a predictable pointer Attacker-controlled format: little interpreter On Windows, interesting address start low Step one: add extra integer specifiers, dump stack Allocate data on the zero page Already useful for information disclosure Most common in user-space to kernel attacks Read more dangerous than a write Format string attack layout Format string attack layout
Format string attack: overwrite Next time ✪♥ specifier: store number of chars written so far to pointer arg Defenses and counter-attacks Advance format arg pointer to other attacker-controlled data Control number of chars written with padding On x86, use unaligned stores to create pointer
Recommend
More recommend
