HOWTO Basic Vulnerabilities and their Exploitation
Samuel Angebault
staphylo@lse.epita.fr
http://lse.epita.fr/
July 18, 2013
Table of contents
1 Reminders
2 Vulnerabilities
  Buffer Overflow
  Off by One
  Out of bound
  Heap Overflow
  Format String
  Use after free
3 Security
  Canary
  DEP
  ASLR
Plan
1 Reminders
Push & Pop (figure)
Stack frame (figure)
Function call
Instruction
  call func
Equivalent
  push %eip + 2
  jmp func
Function return
Instruction
  ret
Equivalent
  pop %eip
Shared libraries
• PIC (Position Independent Code)
• Addresses in the library are relative
• The libraries can be mapped anywhere in the address space
• We can no longer exploit via static analysis
GOT PLT
• GOT (Global Offset Table)
• PLT (Procedure Linkage Table)
GOT PLT (figure)
Plan
2 Vulnerabilities
  Buffer Overflow
  Off by One
  Out of bound
  Heap Overflow
  Format String
  Use after free
Buffer Overflow
• buffer allocated
  • not necessarily on the stack
• write more data than the size of the buffer
• overwriting data
Stack view (figure)
Jumping somewhere else
• controlling %eip
• replacing the return address with another one
Stack view (figure)
Spawning a shell
• raw code
• writing shellcode for the exploit
  • shell
  • reverse shell
  • ...
• filling the buffer with the shellcode
• overwriting the return address to jump to your code
• shellcode often has to respect constraints
  • no null byte
  • ascii
  • ...
Stack view (figure)
Code example
  #include <stdio.h>
  #include <string.h>

  static void success(void)
  {
      puts("you jumped successfully");
  }

  static void test(const char *input)
  {
      char buffer[40];
      strcpy(buffer, input);   /* unbounded copy: input longer than 40 bytes overwrites the stack */
  }

  int main(int argc, char *argv[])
  {
      if (argc != 2)
          return 1;
      test(argv[1]);
      return 0;
  }
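The slide's test() copies with strcpy() and has no idea how large the input is. As an added example (not from the slides), here is the same 40-byte buffer with a length check in front of the copy: any input that would not fit, including its terminating NUL, is refused before a single byte is written, so the copy can never reach the saved frame pointer or the return address above the buffer. The names BUFSZ and test_checked are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 40   /* same size as the slide's buffer[40] */

/* Length-checked replacement for the slide's test().
 * Returns 0 when the copy was made, -1 when the input was rejected.
 * The length scan stops after BUFSZ bytes, so even an unterminated
 * input cannot make this function read past the caller's data. */
static int test_checked(const char *input)
{
    char buffer[BUFSZ];
    size_t len = 0;

    while (len < BUFSZ && input[len] != '\0')
        ++len;
    if (len >= BUFSZ)                 /* 40+ bytes: no room for the NUL */
        return -1;
    memcpy(buffer, input, len + 1);   /* copies the NUL; len + 1 <= BUFSZ */
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc != 2)
        return 1;
    if (test_checked(argv[1]) != 0) {
        fputs("input too long, refused\n", stderr);
        return 1;
    }
    puts("copied safely");
    return 0;
}
```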
The shellcode
C equivalent
  execve("/bin/sh", 0, 0);

  add $0x42, %esp        # moving stack pointer
  xor %eax,%eax          # eax = 0
  # pushing "/bin//sh" onto the stack
  push %eax              # push '\0'
  push $0x68732f2f       # hs//
  push $0x6e69622f       # nib/
  # setting registers for syscall
  mov %esp,%ebx          # ebx = filename
  mov %eax,%ecx          # ecx = NULL (argv)
  mov %eax,%edx          # edx = NULL (envp)
  # putting syscall number in eax
  mov $0xb,%al           # eax = __NR_execve
  int $0x80              # making syscall
ret2reg
• one of the registers contains the address we want
• call on the content of the register
• no hardcoded address
ret2reg
%eax contains the address of the buffer (return value of strcpy).
We can call the address at %eax to execute our shellcode.

Searching for a call to %eax:
  $ objdump -D ./stack | grep -E "call +\*%eax"
  8048396: ff d0 call *%eax
  804841f: ff d0 call *%eax

The return address can be one of those.
ret2libc
• call a function of the libc with the return address
• set up the stack in order to call the function
Stack View (figure)
Off by One
• coding error
• stepping one more time through a loop
• read or write depending on the case
Example
Code
  #include <stdio.h>

  char buffer[20];
  for (int i = 0; i <= 20; ++i)   /* runs 21 times: buffer[20] is one past the end */
      buffer[i] = getchar();
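To make the slide's "one more step" visible, this added example (not from the slides) puts a 20-byte buffer in a struct directly followed by a sentinel byte that stands in for whatever sits after the buffer in memory, and runs the slide's loop shape with both bounds; the struct, the sentinel value and the 21-byte input are constructed for the demo. The loop writes through an unsigned char view of the whole struct, so the one-past write stays inside the struct and the program is well-defined C while still showing the clobbered neighbour.

```c
#include <stddef.h>
#include <string.h>

#define BUFLEN 20
#define SENTINEL 0xA5u

struct frame {
    char buffer[BUFLEN];
    unsigned char neighbour;   /* the byte right after the buffer */
};

/* Fills f->buffer from input with the slide's loop shape: `last` is the
 * last index written. The slide's bug is last == BUFLEN (i <= 20); the
 * correct bound is last == BUFLEN - 1 (i < 20). Returns the neighbour
 * byte afterwards so the caller can tell whether it survived. */
static unsigned char fill(struct frame *f, int last, const char *input)
{
    unsigned char *raw = (unsigned char *)f;   /* byte view of the struct */
    int n = (int)strlen(input);

    memset(f->buffer, 0, BUFLEN);
    f->neighbour = SENTINEL;
    for (int i = 0; i <= last; ++i)            /* mirrors the slide's loop */
        raw[i] = (i < n) ? (unsigned char)input[i] : 'X';
    return f->neighbour;
}

/* Constructed input: 20 'A' plus one extra byte, one more than the buffer holds. */
static const char *const INPUT = "AAAAAAAAAAAAAAAAAAAA!";

/* 1 if the buggy bound (i <= 20) overwrote the byte after the buffer. */
static int buggy_loop_clobbers_neighbour(void)
{
    struct frame f;
    return fill(&f, BUFLEN, INPUT) != SENTINEL;
}

/* 1 if the corrected bound (i < 20) left that byte intact. */
static int fixed_loop_keeps_neighbour(void)
{
    struct frame f;
    return fill(&f, BUFLEN - 1, INPUT) == SENTINEL;
}
```

On a real stack the overwritten byte is typically the low byte of the saved %ebp, which is why a single extra iteration is enough to derail the function's return.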
Out of bound
• error in bound checking
• write what where
• read where
Write What Where
Code
  #include <stdlib.h>

  void test(const char *input, int *array, int size)
  {
      int i = atoi(input);
      if (i >= size)
          return;           /* only the upper bound is checked */
      array[i] = 0;         /* a negative i writes below the array */
  }
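The check on the slide only rejects i >= size, so a negative index produced by atoi() passes it and the store lands below the array. As an added example (not from the slides), the slide's check is kept as a predicate next to a hardened one that parses with strtol(), refuses anything that is not a complete non-negative number, and checks both bounds; parse_index, vulnerable_allows and set_zero_checked are this example's own names.

```c
#include <errno.h>
#include <stdlib.h>

/* The slide's check, as a predicate: 1 means array[i] = 0 would run. */
static int vulnerable_allows(const char *input, int size)
{
    int i = atoi(input);      /* "-1" and "junk" both pass through silently */
    if (i >= size)
        return 0;
    return 1;                 /* negative i is accepted */
}

/* Hardened parse: whole string must be a number, in range, and
 * 0 <= value < size. Returns 1 and stores the index on success. */
static int parse_index(const char *input, int size, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(input, &end, 10);
    if (end == input || *end != '\0')     /* empty, or trailing junk */
        return 0;
    if (errno == ERANGE || v < 0 || v >= size)
        return 0;
    *out = (int)v;
    return 1;
}

/* Checked version of the slide's function: -1 when the index is rejected,
 * 0 after a write that is guaranteed to be inside the array. */
static int set_zero_checked(const char *input, int *array, int size)
{
    int i;

    if (!parse_index(input, size, &i))
        return -1;
    array[i] = 0;
    return 0;
}
```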
Heap Overflow
• Depending on malloc implementation
• Case dependent
Heap view (figure)
Reminders on printf
Prototype
  int printf(const char *fmt, ...);
• *printf functions take variadic parameters
• all the parameters are pushed on the stack
exploiting printf
• coding error
• %n writes the number of bytes printed so far at the given address
• %hhn = 1 byte, %hn = 2 bytes, %n = 4 bytes
• %08x prints a 4-byte value as 8 hexadecimal digits
Format String (figure)
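The directives listed above only matter when user data reaches the format argument of a *printf function. As an added example (not from the slides), here is a small scanner that reports what a string would do if it were ever used as a format (how many conversions it contains and whether any of them is a %n-family write), useful for input validation and for flagging suspicious strings in logs, next to the correct calling pattern that makes the question moot. scan_format, fmt_report and print_user_string are this example's own names.

```c
#include <stdio.h>
#include <string.h>

struct fmt_report {
    int directives;   /* number of % conversions, %% excluded */
    int writes;       /* number of %n / %hn / %hhn directives */
};

/* Walks the string as printf would: skips "%%", then for each "%"
 * steps over flags, width, precision and length modifiers and looks
 * at the conversion character. */
static struct fmt_report scan_format(const char *s)
{
    struct fmt_report r = {0, 0};

    for (const char *p = s; *p; ++p) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {        /* literal percent sign */
            ++p;
            continue;
        }
        ++r.directives;
        ++p;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            ++p;                  /* modifiers such as 08, hh, l */
        if (*p == 'n')
            ++r.writes;           /* memory write, never legitimate here */
        if (!*p)
            break;                /* string ended inside a directive */
    }
    return r;
}

/* Safe pattern: user data is an argument, the format is a constant. */
static int print_user_string(const char *user)
{
    return printf("%s\n", user);
}
```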