Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution.

Published byBennett Hart Modified over 8 years ago

Similar presentations

Presentation on theme: "1 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution."— Presentation transcript:

1 1 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution REV-03.18.2016.0 CERT BFF: From Start to PoC Will Dormann

2 2 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Copyright Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721- 05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. CERT ® is a registered mark of Carnegie Mellon University. DM-0003661

3 3 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Fuzzing Basics

4 4 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Mutational Fuzzing Mutation Fuzzer Microsoft Word

5 5 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The CERT BFF * It’s not you, it’s me

6 6 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The CERT Basic Fuzzing Framework * It’s not you, it’s me

7 7 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution How BFF Works 1.Pick with a seed file 2.Mangle the file 3.Launch target application 4.Look for crashes 5.Analyze crash 6.Repeat Do this blindly, but as as intelligently as possible

8 8 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF In Action

9 9 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Picking a Target

10 10 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Oracle Outside In “Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.” http://www.oracle.com/us/technologies/embedded/025613.htm

11 11 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution What Uses Oracle Outside In? Microsoft Exchange Google Search Appliance Guidance Encase Forensics Access Data FTK Novell Groupwise Cisco Security Agent McAfee GroupShield Symantec Enterprise Vault IBM WebSphere …

12 12 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Fuzzing Oracle Outside In

13 13 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Investigating Results

14 14 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Checking Results with tools/drillresults.py

15 15 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Run tools/repro.py -e

16 16 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Finding Matching Byte Pattern

17 17 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Finding Matching Byte Pattern

18 18 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Confirming Control of RET

19 19 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Writing a PoC

20 20 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Minimize to string Standard minimization gives the minimally-different-from-seed-file test case. But which of those bytes are irrelevant to the crash? We want to know: Bytes required for processing (Structure) Bytes required to trigger crash (Vulnerability)

21 21 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution What Minimize-to-String Does Known good seedfile – does not cause crash Fuzzed file – causes crash, many changed bytes are not involved in the crash Minimized-to-string file – causes same crash, replaces non-structure bytes Fuzz Minimize-to-string insert shellcode here original byte fuzzed byte crash byte non-structure byte

22 22 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Minimization to String, Visualized

23 23 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Writing a Memory Corruption PoC Two pieces of information are required: 1.What bytes are under my control? 2.How do I get there?

24 24 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The Crash

25 25 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Minimization-to-string

26 26 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Return to the Stack

27 27 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The Shellcode

28 28 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Return to the Stack

29 29 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution What’s Going On Here?

30 30 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution checksec.sh

31 31 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution checksec.sh

32 32 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Success!

33 33 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution CERT BFF Return-Oriented Programming

34 34 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Bypassing NX NX (or DEP on Windows): Only memory pages marked as executable can be executed. Return-oriented programming: Chain together pieces of executable code to achieve your goal. Each piece is connected via a RETURN instruction (or equivalent)

35 35 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution What Does My Shellcode Need? Set RAX to 0x3B : execve() Set RDX to NULL Set RDI to pointer to “/bin/sh” Set RSI to pointer to pointer to “/bin/sh” Perform SYSCALL

36 36 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Finding Gadgets With rp++

37 37 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Finding Gadgets With rp++

38 38 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Tracing Into First Gadget

39 39 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Tracing Into First Gadget

40 40 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Gadget Success!

41 41 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Now to set RAX POP RAX should do it

42 42 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

43 43 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

44 44 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x00403027: pop rbx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

45 45 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x00403027: pop rbx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

46 46 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x00403027: pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

47 47 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x00403027: pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

48 48 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x00403027: pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

49 49 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x00403027: pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

50 50 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x00403027: pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) 0x00402867: mov eax, edx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

51 51 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Never Give Up! 0x004032be: pop r13 ; ret ; (1 found) 0x00403027: pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) 0x00402867: mov eax, edx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15

52 52 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution 0x004032be: pop r13 ; ret ; (1 found) 0x00403027: pop rbx ; ret ; (1 found) 0x0040e464: mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call qword [rbx] ; (1 found) 0x00402867: mov eax, edx ; ret ; (1 found) RAX RBX RCX RDX RSI RDI R13 R14 R15 Success! In 4 gadgets we achieved our goal of setting RAX to an arbitrary value However: We clobber RSI We clobber RDI

53 53 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Properties of Gadgets What it achieves (e.g. populate a register) Collateral: What memory it must be able to read from What memory it must be able to write to

54 54 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution The Possibilities are Limitless Sure you can do this all by hand, with trial and error. Or: Q: Exploit Hardening Made Easy https://users.ece.cmu.edu/~ejschwar/papers/usenix11.pdf

55 55 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Putting All The Pieces Together

56 56 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Get Your Own BFF Mutational file fuzzing for Linux and OS X: https://www.cert.org/vulnerability-analysis/tools/bff.cfm Or FOE if Windows is your thing: https://www.cert.org/vulnerability-analysis/tools/foe.cfm

57 57 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution Contact Information Presenter / Point of Contact Will Dormann Senior Vulnerability Analyst Email: wd@cert.orgwd@cert.org Twitter: @wdormann@wdormann CERT Coordination Center Email: cert@cert.orgcert@cert.org Twitter: @certcc@certcc

Download ppt "1 CERT BFF: From Start To PoC June 09, 2016 © 2016 Carnegie Mellon University This material has been approved for public release and unlimited distribution."

Similar presentations

The following 10 questions test your knowledge of desired configuration management in Configuration Manager 2007. Configuration Manager Desired Configuration.

The following 10 questions test your knowledge of desired configuration management in Configuration Manager Configuration Manager Desired Configuration.
Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.

Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.

© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
© 2014 Microsoft Corporation. All rights reserved.

© 2014 Microsoft Corporation. All rights reserved.
© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.

© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.
Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.

Andrew Roths Fermin J. Serna MSRC Engineering and MSEC Science Microsoft Corporation.
DTIC Overview Mr. Al Astley Defense Technical Information Center Director, Information Science & Technology June 3, 2010 Approved for Public Release U.S.

DTIC Overview Mr. Al Astley Defense Technical Information Center Director, Information Science & Technology June 3, 2010 Approved for Public Release U.S.
© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.

© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.
© 2013 Carnegie Mellon University Measuring Assurance Case Confidence using Baconian Probabilities Charles B. Weinstock John B. Goodenough Ari Z. Klein.

© 2013 Carnegie Mellon University Measuring Assurance Case Confidence using Baconian Probabilities Charles B. Weinstock John B. Goodenough Ari Z. Klein.
© 2007-2011 Carnegie Mellon University The CERT Insider Threat Center.

© Carnegie Mellon University The CERT Insider Threat Center.
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
© 2011 Carnegie Mellon University Should-Cost: A Use for Parametric Estimates Additional uses for estimation tools Presenters:Bob Ferguson (SEMA) Date:November.

© 2011 Carnegie Mellon University Should-Cost: A Use for Parametric Estimates Additional uses for estimation tools Presenters:Bob Ferguson (SEMA) Date:November.
© 2011 Carnegie Mellon University QUELCE: Quantifying Uncertainty in Early Lifecycle Cost Estimation Presenters:Dave Zubrow PhD Bob Ferguson (SEMA) Date:November.

© 2011 Carnegie Mellon University QUELCE: Quantifying Uncertainty in Early Lifecycle Cost Estimation Presenters:Dave Zubrow PhD Bob Ferguson (SEMA) Date:November.
© 2015 Carnegie Mellon University Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 A Cognitive Study of Incident Handling.

© 2015 Carnegie Mellon University Software Engineering Institute Carnegie Mellon University Pittsburgh, PA A Cognitive Study of Incident Handling.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Talking Technology Transfer Christopher D. McKinney Director Office of Technology Transfer and Enterprise Development Lecturer Department of Electrical.

Talking Technology Transfer Christopher D. McKinney Director Office of Technology Transfer and Enterprise Development Lecturer Department of Electrical.
Ipek Ozkaya, COCOMO Forum © 2012 Carnegie Mellon University Affordability and the Value of Architecting Ipek Ozkaya Research, Technology.

Ipek Ozkaya, COCOMO Forum © 2012 Carnegie Mellon University Affordability and the Value of Architecting Ipek Ozkaya Research, Technology.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.

Similar presentations

Ads by Google