pop pop ret…

Download pop pop ret…

Post on 31-Jan-2016




0 download

Embed Size (px)


pop pop ret…. A session on getting your sploit to exploit. What’s the master plan again?. Introduction (a repeat of earlier concepts and intro to the tools). Vulnerabilities. Vectors. ** YOU ARE HERE ** Payloads. Putting them together. - PowerPoint PPT Presentation


  • pop pop retA session on getting your sploit to exploit.

    jhind is a monster | DATE, 2007 | EMBARQ CORPORATION | PRIVATE & CONFIDENTIAL | PAGE *

  • Whats the master plan again?Introduction (a repeat of earlier concepts and intro to the tools).Vulnerabilities. Vectors. ** YOU ARE HERE **Payloads.Putting them together.And maybe a lab if and only if requested.Maybe a session on defensive techniques if and only if requested.

  • So, what was a vulnerability?A flaw in programming that allows us to do something we shouldnt be able to.Most of these involve allowing us to overwrite memory addresses the OS uses.

    Vulnerabilities are BUGS!

  • Whats a Vector ?The process of overwriting something in memory, left vulnerable by the vulnerability, that will allow us to run arbitrary code.Arbitrary code, aka the payload or possibly shellcode.

    At a technical level, we need to get our instructions in the CPU register EIP (32 bit).EIP is the next instruction to get executed

  • Whats our exploit methodology?Find the vulnerability.Figure out what kind of vulnerability it is.How do we create those conditions?Figure out the vector. What structures can we overwrite to gain control?

    Write/steal/copy/buy our payload.

  • Review of Security bugs in generalDoSEasy example: pointing to invalid memory addressing can crash an applicationSanitizationProgrammer forgets to clean out infomoration.SQL injection is actually a sanitization issue.Real life example: Netscreen dhcp buffer filled with admins web passwd.Information LeakLets user get information they arent supposed to have.Directory traversalReal life: CVE-2006-1056 allowed registers leaking between processesOh yea, and Memory Overwrite bugs!Why we have jobsUsually the most powerful

  • Memory Overwrites, aka buffer overflowsDangerous functionsStrcpy(dst,src);

    Strcpy doesnt impose any limit on the amount of data copied, so we can flood dst and reach OS structures.

    Could be on stack or heap. The vectors will be very VERY different.

  • Memory OverwritesDangerous functions format stringsCame about in 1999char someBuffer[256];Printf(someBuffer);Should have been printf(%s,someBuffer);Real life examples: wu-ftpd, Linux rpc.statd, Apache + PHP3Includes sprintf, vprintf, fprintf, etc. as well as syslog, warn, vwarn

  • Format Strings common manipulators%s -> print a string%d -> print a integer%x -> print a hexadecimal%n -> WRITES MEMORY%hn -> writes 1/2 # of bytes written

  • Dangerous Bugs Integer issuesInteger overflows (and underflows)If we have unsigned short i = 32767 and I add 1 to that whats the result?

  • Dangerous Bugs Integer issuesSo, you can smack an integer around so what?Int arrayOfIntegers[50];int I = userInput();While( i < 49){arrayOfIntegers[i] = array[i]; i++; }Whats wrong with this?

  • Dangerous Bugs Integer issuesSo, you can smack an integer around so what? Part Duece (thats poker lingo for 2)Int *arrayOfIntegers;arrayOfIntegers=malloc(userVariable *sizeof(int));

  • Dangerous Bugs Dangerous Loops

    Char someBuffer[10];Int i = 0;// hacker sets X to some value greater than 9While( i < X ){ Memcpy(someBuffer[i], someSrc[i], 1); }

  • Dangerous Bugs Race ConditionsWhen programs fight over resources.

    Process A creates a file, has a thread that puts data in it and another thread that reads it.Process B also reads the file, if we can make process B negatively manipulate the file BETWEEN process As reading and writing threads then perhaps we can take advantage of it.Usually done with semaphores or other shared mem.No demo, to hard.

  • And how were we finding vulns ?If we were looking at a million lines of dis.asm then wed go insane and never find anything.Those of us in this room will rely on vulnerability releases, patches, fault injection and Fuzzers.

    Vuln release: If we were looking at one function where we KNEW there was a vulnerability then its possible. Patch: Assembly compare.Fuzzer: throws tons of values and lengths at a program to see if it can get it to crash. If it crashes, then we look at the function that crashed.

  • Okay, end reviewLets talk about vectors

  • Okay Lets start on Vectors lets do something trivial first#include #include int badFunction(char argv[]){ int someInt; char someArray[128]; /* someArray is of small space but */ strcpy( someArray, argv); /* no limit is placed on the copy into it */ someInt = atoi(someArray); return someInt;}int main(int argc, char *argv[]){ int meaninglessVariable; meaninglessVariable = badFunction(argv[1]); printf("%d \n", meaninglessVariable);return 0;}

  • What is the goal?To get something of ours in EIP.EIP is a cpu register (32 bit, not 64. Buy me a 64 bit system and Ill be glad to explore that)

    Extended Instruction Pointer it stores the NEXT instruction to be executed.

    If we can get our instructions in EIP, its running our instructions.

  • What does the stack look like?

    Some Array[128]


    Return Address

    The return address is used to return execution flow to to the Operating System.

    By overflowing this array with information we can reach the end of the stack and overwrite the return address.

  • But, thats pretty limitedRequires executable stackRequires simple addressing (what if our call stack changed?)Requires non-randomized addressingVery, very inflexibleNot portable (might work on one flavor but not another)

  • So, lets look at return-to-libc or ret2libc first.Used to get around non-executable stacks.

    Technique Like the basic buffer overflow we are going to alter the return address.But not to anything on the stack, instead we will return into a system function.How about libc is the standard C library, it is linked to all C programs.How about system() ?System(/bin/sh); // ??

  • Diagram of ret2libc

  • So, how does it avoid the non-executable stack?Where is the code that executes ?What is the payload or shellcode ?

  • Recap further explanationWhats the real problem here?A program has to load .sos or .dlls to run prepared functions.We can use the functions in these libraries by changing pointers to point to them.We can get arbitrary code to run in this manner In our example we ran /bin/sh because its really clear and easy.BUT, for example on a windows box, if kernel32.dll was loaded we could have createthread(). Our shellcode would be the options and process code necessary to get it to run.

  • Ret2libc On WindowsApplies to Windows and Linux, but on WindowsUsing stdcall* multiple functions can be chained together in windows ret2libc calls.At one time, could be used to disable software DEP** and run shellcode.Ponder loading libs for a momentThinking about activeX ?

    *win api, similar to cdecl** software DEP probably doesnt do what you think it does

  • Function Pointer OverwritesLets start with the basics what is a pointer ?A pointer is a programming language data type whose value refers directly to another value stored elsewhere in the computer memory using its address. (source: wikipedia)What does it mean to reference and dereference a pointer ?

    So, What is a function pointer ?A pointer that when dereferenced invokes a function passing it zero or more arguments just like a normal function.

  • Guess how it works as a vector then?If we can overflow some value or buffer and overwrite the function pointers address, then the next time the function pointer is called, control can transfer to the attackers code.

    So, function pointer FP points to memory address REALFUNCTION.Somewhere in the program we insert our shellcode into memory at memory address SHELLCODEMEM.We overwrite the value of FP to point to the memory address SHELLCODEMEM instead.When FP is called, it points, and SHELLCODEMEM is called.

  • Overwriting Pointers cont.So, think about thisWhat if I overwrite a pointer to point to a pointer.Overwrite once to point to an arbitrary location, overwrite a second time to change that location.

    What does **pointer; // reference?Or in .asm if arg+0 is a pointerMov edx [ebp + arg_0]Mov eax [edx]Mov edx [eax]Etc etc

  • Wow, thats cool. What are the pros and consEverything depends on the program (mostly true with all vectors)Can be either stack or heap (note: it would require executable stack or heap).Couldnt we also overwrite a function pointer and point it to system like a ret2libc? Yes, its a good workaround for non-exec stack.Alternatively, we could point it to a table

  • Lets look at using linking tables nextCTOR, DTORs, GOT, PLTAre all linking tables in ELF. Think about how a program works when it calls a function. The function is housed in the OS libs, how does the program get to the function code?

    Linking (pointing) memory addresses!

    If we can overwrite those then we can run arbitrary code.

  • ELF PLT and GOT diagram

  • GOT overwritesGlobal Offset TablePart of an ELF executableStores the absolute location of a function (which is in the OS)Gets populated at run time by the trldReal time linker (aka, _dl_runtime_resolve )Not populated in advance, literally at run time. FYI - This is known as lazy resolution.

  • ELF PLT and GOT diagram

  • What happens if we overwrite the ?GOT points toActual code to be run via memory addresses.PLT points toGOT addresses, which are links to actual library functions.Read only

  • Lets walk through a demo

    I learned this from the c0ntex demo (like everyone else).Demo is his, but if fits so nicely into ours

    BSD notes