1 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution.

Slides:



Advertisements
Similar presentations
The following 10 questions test your knowledge of desired configuration management in Configuration Manager Configuration Manager Desired Configuration.
Advertisements

Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.
Smashing the Stack for Fun and Profit
© 2014 Microsoft Corporation. All rights reserved.
© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
DTIC Overview Mr. Al Astley Defense Technical Information Center Director, Information Science & Technology June 3, 2010 Approved for Public Release U.S.
© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.
© 2013 Carnegie Mellon University Measuring Assurance Case Confidence using Baconian Probabilities Charles B. Weinstock John B. Goodenough Ari Z. Klein.
© Carnegie Mellon University The CERT Insider Threat Center.
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
© 2011 Carnegie Mellon University Should-Cost: A Use for Parametric Estimates Additional uses for estimation tools Presenters:Bob Ferguson (SEMA) Date:November.
© 2011 Carnegie Mellon University QUELCE: Quantifying Uncertainty in Early Lifecycle Cost Estimation Presenters:Dave Zubrow PhD Bob Ferguson (SEMA) Date:November.
© 2015 Carnegie Mellon University Software Engineering Institute Carnegie Mellon University Pittsburgh, PA A Cognitive Study of Incident Handling.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Talking Technology Transfer Christopher D. McKinney Director Office of Technology Transfer and Enterprise Development Lecturer Department of Electrical.
Ipek Ozkaya, COCOMO Forum © 2012 Carnegie Mellon University Affordability and the Value of Architecting Ipek Ozkaya Research, Technology.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.
Recitation: Bomb Lab June 5, 2015 Dipayan Bhattacharya.
© 2010 Carnegie Mellon University Team Software Process.
Conditions and Terms of Use
April 30, 2007 openSUSE.org Build Service a short introduction Moiz Kohari VP Engineering.
Digital Intuition Cluster, Smart Geometry 2013, Stylianos Dritsas, Mirco Becker, David Kosdruy, Juan Subercaseaux Setup Instructions Overview 1. License.
© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.
IBIS-AMI and Direction Decisions
Using Joinup as a catalogue for interoperability solutions March 2014 PwC EU Services.
Mr. Gopi Nair Defense Technical Information Center Briefing at Board on Research Data and Information (BRDI) Meeting September 24, 2009 Approved for Public.
Carnegie Mellon Recitation: Bomb Lab 21 Sep 2015 Monil Shah, Shelton D’Souza.
CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.
Primer Briefing “Brand Name or Equal” Purchase Descriptions Ask a Professor - # Date:
Carnegie Mellon 1 Odds and Ends Intro to x86-64 Memory Layout.
Amit Malik SecurityXploded Research Group FireEye Labs.
National Alliance for Medical Image Computing Licensing in NAMIC 3 requirements from NCBC RFA (paraphrased)
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Author Software Engineering Institute
Chapter 2 Parts of a Computer System. 2.1 PC Hardware: Memory.
1 How to create a scheduled report from an Alma Analytics report Yoel Kortick Senior Librarian, Ex Libris.
© 2015 Carnegie Mellon University COCOMO 2015 November 17, 2015 Distribution Statement A: Approved for Public Release; Distribution is Unlimited Causal.
Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!
Government Contract Law – Post Award Shraddha Upadhyaya Contract Law Division U.S. Department of Commerce Office of General Counsel GSA Training Conference.
Architectural Design Architect Walk Copyright © Texas Education Agency, All rights reserved. 1.
Pittsburgh, PA CMMI Acquisition Module - Page M5-1 CMMI ® Sponsored by the U.S. Department of Defense © 2005 by Carnegie Mellon University This.
RTAS 2014 Bounding Memory Interference Delay in COTS-based Multi-Core Systems Hyoseung Kim Dionisio de Niz Bj ӧ rn Andersson Mark Klein Onur Mutlu Raj.
Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Oracle Proprietary and Confidential. 1.
1 The related records and linking entry fields in Alma Yoel Kortick Senior Librarian.
Data Science: What It Is and How It Can Help Your Company
A Scorecard for Cyber Resilience: What We Have Observed
Secure Software Workforce Development Panel Session
RaboDirect Financial Health Barometer 2016
Instruction Set Architecture
Low Hanging Fruit Tastes Just as Good
David Svoboda & Aaron Ballman
Author Software Engineering Institute
CSCE 212 Computer Architecture
Michael Spiegel, Esq Timothy Shimeall, Ph.D.
Recitation: Attack Lab
Machine-Level Programming III: Procedures
Metrics-Focused Analysis of Network Flow Data
Recitation: Attack Lab
Automation in an XML Authoring Environment
Carnegie Mellon Machine-Level Programming III: Procedures : Introduction to Computer Systems October 22, 2015 Instructor: Rabi Mahapatra Authors:
Recitation: Attack Lab
Disclaimer The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. Except for.
September Workshop and Advisory Board Meeting Presenter Affiliation
Dynamic Cyber Training with Moodle
Get To Know Your Compiler
Computer Architecture and System Programming Laboratory
Developing Useful Metrics
Presentation transcript:

1 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution REV CERT BFF: From Start to PoC Will Dormann

2 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Copyright Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at CERT ® is a registered mark of Carnegie Mellon University. DM

3 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Fuzzing Basics

4 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Mutational Fuzzing Mutation Fuzzer Microsoft Word

5 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The CERT BFF * It’s not you, it’s me

6 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The CERT Basic Fuzzing Framework * It’s not you, it’s me

7 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution How BFF Works 1.Pick with a seed file 2.Mangle the file 3.Launch target application 4.Look for crashes 5.Analyze crash 6.Repeat Do this blindly, but as as intelligently as possible

8 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF In Action

9 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Picking a Target

10 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Oracle Outside In “Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.”

11 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution What Uses Oracle Outside In? Microsoft Exchange Google Search Appliance Guidance Encase Forensics Access Data FTK Novell Groupwise Cisco Security Agent McAfee GroupShield Symantec Enterprise Vault IBM WebSphere …

12 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Fuzzing Oracle Outside In

13 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Investigating Results

14 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Checking Results with tools/drillresults.py

15 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Run tools/repro.py -e

16 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Finding Matching Byte Pattern

17 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Finding Matching Byte Pattern

18 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Confirming Control of RET

19 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Writing a PoC

20 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Minimize to string Standard minimization gives the minimally-different-from-seed-file test case. But which of those bytes are irrelevant to the crash? We want to know: Bytes required for processing (Structure) Bytes required to trigger crash (Vulnerability)

21 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution What Minimize-to-String Does Known good seedfile – does not cause crash Fuzzed file – causes crash, many changed bytes are not involved in the crash Minimized-to-string file – causes same crash, replaces non-structure bytes Fuzz Minimize-to-string insert shellcode here original byte fuzzed byte crash byte non-structure byte

22 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Minimization to String, Visualized

23 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Writing a Memory Corruption PoC Two pieces of information are required: 1.What bytes are under my control? 2.How do I get there?

24 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The Crash

25 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Minimization-to-string

26 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Return to the Stack

27 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The Shellcode

28 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Return to the Stack

29 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution What’s Going On Here?

30 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution checksec.sh

31 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution checksec.sh

32 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Success!

33 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Return-Oriented Programming

34 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Bypassing NX NX (or DEP on Windows): Only memory pages marked as executable can be executed. Return-oriented programming: Chain together pieces of executable code to achieve your goal. Each piece is connected via a RETURN instruction (or equivalent)

35 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution What Does My Shellcode Need? Set RAX to 0x3B : execve() Set RDX to NULL Set RDI to pointer to “/bin/sh” Set RSI to pointer to pointer to “/bin/sh” Perform SYSCALL

36 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Finding Gadgets With rp++

37 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Finding Gadgets With rp++

38 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Tracing Into First Gadget

39 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Tracing Into First Gadget

40 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Gadget Success!

41 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Now to set RAX POP RAX should do it

42 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

43 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

44 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x : pop rbx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

45 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x : pop rbx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

46 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x : pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

47 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x : pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

48 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x : pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

49 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x : pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

50 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x : pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) 0x : mov eax, edx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

51 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x : pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) 0x : mov eax, edx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

52 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution 0x004032be: pop r13 ; ret ; (1 found) 0x : pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) 0x : mov eax, edx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15 Success! In 4 gadgets we achieved our goal of setting RAX to an arbitrary value However: We clobber RSI We clobber RDI

53 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Properties of Gadgets What it achieves (e.g. populate a register) Collateral: What memory it must be able to read from What memory it must be able to write to

54 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The Possibilities are Limitless Sure you can do this all by hand, with trial and error. Or: Q: Exploit Hardening Made Easy

55 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Putting All The Pieces Together

56 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Get Your Own BFF Mutational file fuzzing for Linux and OS X: Or FOE if Windows is your thing:

57 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Contact Information Presenter / Point of Contact Will Dormann Senior Vulnerability Analyst Twitter: CERT Coordination Center Twitter:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.