1
Countermeasures (0x610~0x650)
2014. 12. 4
Seokmyung Hong
2
Countermeasures
There are some ways to strengthen security. One of them looks as follows:
A new vulnerability is discovered
A new type of worm appears that targets the vulnerability
The vulnerability is patched
3
Countermeasures
Countermeasures can be separated into two groups:
Detect the attack
Protect the vulnerability
4
Detect the Attack
The sooner an intrusion is detected, the sooner it can be dealt with and the more likely it can be contained.
If the administrator detects the intrusion, he can handle the situation, for example by killing the connection or the process.
So exploits that the administrator already knows about are not so dangerous.
5
How We Can Detect the Attack
Look for attack patterns in log files, network packets, or even program memory.
After detection, the hacker can be kicked out of the system.
So, for the attacker, invisibility is important.
To stay hidden, there are some ways, like removing the evidence or mimicking valid entries.
6
System Daemon
Most remote targets will be a server program. These programs are usually system daemons (sshd, syslogd, etc.).
A daemon is a program that runs in the background and detaches from the controlling terminal in a certain way.
7
Crash Course in Signals
Signals provide a method of interprocess communication in Unix.
When a process receives a signal, its flow of execution is interrupted by the operating system to call a signal handler.
Custom signal handlers can be registered using the signal() function.
8
signal_example.c
We can see how signal() is used.
9
signal_example.c
Also, specific signals can be sent to a process using the kill command.
10
Tinyweb Daemon
The Tinyweb daemon has some differences from the Tinyweb program:
It writes its output to a log file with timestamps
It listens for the terminate (SIGTERM) signal so it can shut down cleanly when it's killed
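As an added example, not from the slides or from tinywebd.c, here is the daemon-side half of these signal and logging slides in plain C: a SIGTERM handler registered with signal() that only sets a flag for the accept loop to poll, and a timestamped log-line formatter of the kind a daemon needs because its standard output goes nowhere. The function names and the log-line layout are my own assumptions, and raise() stands in for `kill -TERM <pid>` typed at a shell.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Set by the handler, polled by the daemon's accept loop between connections. */
static volatile sig_atomic_t shutdown_requested = 0;

/* A handler should only do async-signal-safe work: set a flag and return; the
 * accept loop then closes the listening socket and exits cleanly on its own. */
static void handle_sigterm(int signum) {
    (void)signum;
    shutdown_requested = 1;
}

/* Register the handler with signal(), as the slides describe. Returns 0 on success,
 * -1 if the signal could not be caught. */
int install_term_handler(void) {
    return signal(SIGTERM, handle_sigterm) == SIG_ERR ? -1 : 0;
}

/* Format "YYYY-MM-DD HH:MM:SS> msg\n" in UTC so entries from different hosts compare
 * directly. Returns bytes written, or -1 if out is too small. */
int format_log_line(char *out, size_t outsz, time_t when, const char *msg) {
    char stamp[32];
    struct tm *tmp = gmtime(&when);
    if (tmp == NULL || strftime(stamp, sizeof stamp, "%Y-%m-%d %H:%M:%S", tmp) == 0) return -1;
    int n = snprintf(out, outsz, "%s> %s\n", stamp, msg);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Deliver SIGTERM to ourselves with raise(), the in-process equivalent of `kill -TERM <pid>`
 * from a shell; the handler runs before raise() returns. 1 = flag set, 0 = not, -1 = error. */
int shutdown_flag_after_self_signal(void) {
    shutdown_requested = 0;
    if (install_term_handler() != 0) return -1;
    if (raise(SIGTERM) != 0) return -1;
    return shutdown_requested ? 1 : 0;
}

int main(void) {
    char line[128];
    if (shutdown_flag_after_self_signal() == 1 &&
        format_log_line(line, sizeof line, time(NULL), "SIGTERM received, shutting down") > 0)
        fputs(line, stdout);  /* a real daemon would write this to its log file instead */
    return 0;
}
```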
11
tinywebd.c
13
Now the tiny web server is running as a daemon.
14
tinywebd Exploit Tool
We cannot debug the daemon with the previous method.
15
tinywebd Exploit Tool
We have to follow the child processes, not the parent.
16
17
buffer start: 0xbffff5b0, RET: 0xbffff7cc, offset = 540 bytes
18
Using the port-binding shellcode, the attacker gets root privilege.
19
xtool_tinywebd.sh
A tool that uses the same exploit method.
20
Log Files
One of the two most obvious signs of intrusion is the log file.
Even though the attacker's exploits were successful, the log file keeps a painfully obvious record that something is up.
21
tinywebd Log File
Of course, in this case, after the attacker gains a root shell, he can just edit the log file since it's on the same system.
Sending the logs to a printer for a hard copy, or to another secure server, prevents them from being deleted.
22
Blend In with the Crowd
Log files have many valid entries, but the exploit's log entry sticks out.
If the attacker cannot delete this log, he can mimic a valid log entry to hide in the crowd.
The recv_line() function in tinywebd.c is vulnerable to this: it uses \r\n as the delimiter (other standard string functions use a null byte for this).
23
xtool_tinywebd_stealth.sh
Because of the \r\n, tinywebd logs this action like a log entry made by a valid request; nothing after the \r\n is logged.
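As an added example that is not from the slides or from tinywebd.c, here is the logging side written from the defender's seat: instead of stopping at the first \r\n the way recv_line() does, it records the whole received buffer with every non-printable byte escaped and counts the bytes that follow the first line terminator, so a request that hides data behind a valid-looking first line still leaves a visible trace. The function names and the sample request are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Offset of the first "\r\n" in buf[0..len), or -1 if there is none. */
long first_crlf(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n') return (long)i;
    return -1;
}

/* Escape buf into out (NUL-terminated): printable ASCII passes through, everything
 * else (\r, \n, NUL, high bytes, backslash) becomes \xHH so the log entry stays on one
 * line and cannot be cut short by the request itself. Returns bytes written, -1 if out is too small. */
int escape_bytes(const unsigned char *buf, size_t len, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        if (isprint(buf[i]) && buf[i] != '\\') {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)buf[i];
        } else {
            if (o + 4 >= outsz) return -1;
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", buf[i]);
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Bytes received after the first line terminator. recv_line() stops at "\r\n", so a
 * valid request line followed by hundreds of extra bytes is exactly the case to flag. */
long bytes_after_first_line(const unsigned char *buf, size_t len) {
    long pos = first_crlf(buf, len);
    return pos < 0 ? 0 : (long)len - (pos + 2);
}

/* Constructed sample (not a real capture): a valid-looking request line with four
 * non-printable bytes hidden behind the "\r\n". */
static const unsigned char sample_request[] = "GET / HTTP/1.0\r\n\x01\x7f\xff\x00";

int main(void) {
    char line[256];
    size_t len = sizeof sample_request - 1;   /* drop the literal's implicit trailing NUL */
    if (escape_bytes(sample_request, len, line, sizeof line) < 0) return 1;
    printf("logged: %s (%ld bytes after first line)\n", line, bytes_after_first_line(sample_request, len));
    return 0;
}
```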
24
Overlooking the Obvious
Even if the log files seem normal, if the service does not operate normally, the administrator knows that there is some problem.
So a skilled hacker must not only crack open a program to exploit it, he must also put the program back together again and keep it running.
25
One Step at a Time
Since it can take hours just to track down where an error occurred, it's usually better to break a complex exploit down into smaller parts.
The first step should be figuring out how to put the tinyweb daemon back together after exploiting it.
Since the tinyweb daemon redirects standard out to /dev/null, writing to standard out isn't a reliable marker for shellcode.
One simple way to prove the shellcode ran is to create a file.
26
Create the file using shellcode
To test whether the shellcode works or not, use shellcode that includes code to create a file.
27
Putting Things Back Together Again
We need to repair any damage caused by the overwrite or shellcode, and then jump execution back into the connection-accepting loop in main().
To repair the damage, we need to assess how much damage is done by the exploit, using the assembly instruction int3, which is literally a debugging breakpoint.
28
In main() of tinyweb, EBP is 0x68 bytes larger than ESP.
So we can restore the value of EBP by adding 0x68 to ESP at the end of the shellcode.
29
mark_restore.s
This shellcode will restore the tinyweb daemon's execution. The tinyweb daemon doesn't know that something happened.
30
Shellcode and tinywebd both worked successfully.
31
Child Laborers
Use this technique to silently spawn a root shell.
We want our shellcode to fork, and the child process to serve up the root shell, while the parent process restores tinywebd's execution.
32
loopback_shell_restore.s
Several instructions are added to the start of loopback_shell.s.
First, the fork syscall is made, and the return value is put in the EAX register.
The next few instructions test whether EAX is zero.
If EAX is zero, we jump to child_process to spawn the shell.
Otherwise, we're in the parent process, so the shellcode restores execution into tinywebd.
33
loopback_shell_restore.s
34
Now we can get root privilege while tinywebd keeps running normally.