About Exploits Writing ABOUT EXPLOITS WRITING Gerardo Richarte 

Slides:

Advertisements

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Advertisements

Smashing the Stack for Fun and Profit

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

Review: Software Security David Brumley Carnegie Mellon University.

CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.

Stack buffer overflow

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Computer Security Buffer Overflow lab Eu-Jin Goh.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Software bugs (and security implications). Software security Code can have perfect design and algorithm, but still have implementation vulnerabilities.

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt In ACM CCS’05.

Buffer Overflow Maddikayala, jagadish. CSCI 5931 Web Security Prof. T. Andrew Yang Monday Feb. 23.

Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.

Syscall Proxying   Simulating Remote Execution Maximiliano Cáceres  Caesars Palace, Las Vegas, NV, USA · July 31st, 2002.

Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.

Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium

Memory Layout, File I/O Bryce Boe 2013/06/27 CS24, Summer 2013 C.

What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.

A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.

Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.

JMU GenCyber Boot Camp Summer, Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations.

Buffer overflow and stack smashing attacks Principles of application software security.

CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.

Lessons learned writing exploits LESSONS LEARNED WRITING EXPLOITS Gerardo Richarte  Iván Arce 

Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.

Arrays, Strings, and Memory. Command Line Arguments #include int main(int argc, char *argv[]) { int i; printf("Arg# Contents\n"); for (i = 0; i < argc;

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.

CSE 333 – SECTION 2 Memory Management. Questions, Comments, Concerns Do you have any? Exercises going ok? Lectures make sense? Homework 1 – START EARLY!

“Success consists of going from failure to failure without loss of enthusiasm.” Winston Churchill.

Heap Overflows. What is a Heap? malloc(), free(), realloc() Stores global variables Automatic memory allocation/deallocation Allocated at runtime Implemented.

CSC 482/582: Computer Security

Heap Overflow Attacks.

Content Coverity Static Analysis Use cases of Coverity Examples

Exploiting & Defense Day 1 Recap

Introduction to Information Security

Buffer Overflow By Collin Donaldson.

Introduction to Information Security

IS 2150 / TEL 2810 Introduction to Security

Introduction to Information Security

CSC 495/583 Topics of Software Security Stack Overflows (2)

Objective Explain basic fuzzing with concrete coding example

SEED Workshop Buffer Overflow Lab

Advanced Buffer Overflow: Pointer subterfuge

Software Security Lesson Introduction

Understanding Program Address Space

CSC 495/583 Topics of Software Security Format String Bug (2) & Heap

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.

CNT4704: Analysis of Computer Communication Network Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Fall 2011.

Introduction to Static Analyzer

Malware and Software Vulnerability Analysis Fuzzing Test Example Cliff Zou University of Central Florida.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.

FIGURE Illustration of Stack Buffer Overflow

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2010.

Week 3: Format String Vulnerability

Presentation transcript:

About Exploits Writing ABOUT EXPLOITS WRITING Gerardo Richarte 

About Exploits Writing Outline  Basics  Turning bugs into primitives  Turning primitives into exploits  Conclusions Outline

About Exploits Writing Basics

About Exploits Writing Basics  Argot  Execution flow Basics  Security bugs  Invalid assumptions

About Exploits Writing Turning bugs into primitives buggy software Exploit primitives consumer logic primitives provider r w adapt

About Exploits Writing Turning bugs into primitives writing Stack based buffer overflow: int main(int argv, char **argc) { char buf[80]; strcpy(buf,argc[1]); } buf80 bytes frame pointer main’s args return address 4 bytes multiple stack frame overwrite primitive jump primitive write-anything-somewhere primitive

About Exploits Writing Stack based complex buffer overflow: int main(int argv, char **argc) { char *pbuf=malloc(strlen(argc[2])+1); char buf[80]; strcpy(buf,argc[1]); strcpy(pbuf,argc[2]); exit(0); } write-anything-anywhere primitive buf80 bytes frame pointer main’s args return address 4 bytes pbuf4 bytes multiple stack frame overwrite primitive Turning bugs into primitives writing

About Exploits Writing GOT Heap based buffer overflow (free bug) : int main(int argv, char **argc) { char buf=malloc(84), buf2=malloc(84); strcpy(buf,argc[1]); free(buf2); } mirrored 4 bytes write-anything-anywhere primitive buf88 bytes fdbk buf288 bytes szfdbk sz Turning bugs into primitives writing sz

About Exploits Writing msg80 bytes 1234 frame pointer 4 bytes printf’s ret addr4 bytes aaaa %x %n &msg4 bytes Format string bug: int main(int argv, char **argc) { char msg[80]; strcpy(msg, argc[1]); printf(msg,1234); } 4 bytes write-anything-anywhere Primitive GOT./example aaaa%x%n./example aaaa----bbbb----cccc%.4223d%n%… write-anything-anywhere primitive Turning bugs into primitives writing

About Exploits Writing Other writing bugs: mirrored 4 bytes write-anything-anywhere: Double free() Corrupted heap + malloc() Double fclose() single stack frame overwrite: Negative length on bcopy() / memcopy() Stack based buffer overflow in PA-RISC other: Array overflows Turning bugs into primitives writing

About Exploits Writing format string: int main(int argv, char **argc) { printf(argc[1]); } stack reading primitive Turning bugs into primitives reading frame pointer main’s args return address 4 bytes printf's arg4 bytes printf's ret addr4 bytes./example %08x|%08x|%08x|...

About Exploits Writing msg80 bytes 1234 frame pointer 4 bytes printf’s ret addr4 bytes aaaa %x %n &msg4 bytes Format string bug: int main(int argv, char **argc) { char msg[80]; strcpy(msg, argc[1]); printf(msg,1234); } write-anything-anywhere primitive./example aaaa%x%n Turning bugs into primitives writing %s./example aaaa%x%s read-anywhere primitive Turning bugs into primitives reading

About Exploits Writing Unterminated string: int main(int argv, char **argc) { char buf[80]; strcnpy(buf,argc[1],sizeof buf); printf(“%s”, buf); } buf80 bytes frame pointer main’s args return address 4 bytes stack or heap reading primitive Turning bugs into primitives reading

About Exploits Writing Fixed size write(): int main(int argv, char **argc) { char buf[80]; strlcpy(buf, argc[1], sizeof buf); write(1, buf, sizeof buf); } buf80 bytes frame pointer main’s args return address 4 bytes stack or heap reading primitive Turning bugs into primitives reading

About Exploits Writing Other primitives: restart the target application (crash) consume in-process memory pre-forking vs. post-forking daemons consume system memory consume processor usage consume network bandwith consume file system / file access signal dispatching (divert execution flow) Turning bugs into primitives other

About Exploits Writing Questions ?

About Exploits Writing transforming primitives: write --> jump write --> read write --> crash jump --> crash jump --> read jump --> processor usage / any other? signal --> crash signal --> write write + signal --> jump read --> crash crash --> signal (SIGSEGV) --> etc... Turning bugs into primitives transforming

About Exploits Writing class Exploit: def _write(self, addr, data):... def isWritable(self, addr): self._write(self, addr, '1234') return self.targetCrashed() Turning bugs into primitives transforming write-->read binary search.text.data B000 CRASH NO CRASH class Exploit: def _write(self, addr, data):... def isWritable(self, addr): self._write(self, addr, '1234') return self.targetCrashed() def get_textTop(self): addr= 0x delta= 0x while delta: addr += delta if self.isWritable(addr): addr -= delta delta >>= 1 return addr+4

About Exploits Writing Turning bugs into primitives transforming jump-->read class Exploit: def _jump(self, addr, data):... def _read_codeAddr(self): self._jump(0x )... {... printf(“Magic Number: %d\n”,mn);... } mov-4(%ebp),%eax push%eax apush0x fcallprintf...

About Exploits Writing Questions ?

About Exploits Writing Questions ? Ideas ?

About Exploits Writing Turning primitives into exploits buggy software Exploit primitives consumer logic primitives provider r w adapt

About Exploits Writing Turning primitives into exploits write+jump class Exploit: def _write(self, addr, data):... def maxToWrite(self): return 1000 def _jump(self, addr):... def tryAttack(self): if len(code) > self.maxToWrite(): raise “shellcode is too big” self._write(0x , code) self._jump(0x )

About Exploits Writing Turning primitives into exploits write def tryAttack(self, addr): addr = self.get_stackTop()-self.maxToWrite() while not self.done(): padd = self.maxToWrite() - len(code) code_addr = addr + padd buf = string(code_addr)*(padd/4) buf = buf + code addr –= padd self._write(addr, buf) code class Exploit: def _write(self, addr, data):... def maxToWrite(self): return 1000 addr = self.get_textTop() self._write(addr, buf) addr += padd code_addr...

About Exploits Writing Turning primitives into exploits read + write class Exploit: def _write(self, addr, data):... def _read(self, addr, len):... def tryAttack(self): if self._read(0x ,3) != 'ELF': raise “ELF not found” addr = self.find_GOT(“exit”) self._write(addr, string(addr+4)+code) code_addr code

About Exploits Writing Turning primitives into exploits stack-read class Exploit: def _stackRead(self):... def tryAttack(self): stack = self._stackRead() fp = stack.longAt(BUFSIZE) code_addr = fp – BUFSIZE – 3*4 self._writeSomewhere(code) self._jump(code_addr)... buf80 bytes frame pointer main’s args return address 4 bytes

About Exploits Writing Questions ?

About Exploits Writing Questions ? Ideas ?

About Exploits Writing Extra  Higher level language for exploits  Data inference Extra  Natural evolution of security bugs  Modeling the vulnerable program

About Exploits Writing Thank You!  Gerardo Richarte 

About Exploits Writing CORE SECURITY TECHNOLOGIES · Offices Worldwide Rua do Rócio 288 | 7º andar Vila Olímpia | São Paulo | SP CEP | Brazil Tel: (55 11) Fax: (55 11) Florida 141 | 2º cuerpo | 7º piso (C1005AAC) Buenos Aires Tel/Fax: (54 11) 4878-CORE (2673) Headquarters 44 Wall Street | 12th Floor New York, NY | USA Ph: (212) Fax: (212)