lec08 remote exploit
play

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia - PowerPoint PPT Presentation

Sep 13, 2023 •260 likes •596 views

1 Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 Administrivia In-class CTF on Nov 16-17 (24 hours)! Due: form your team and submit your CTF challenge by Nov 13! Due: Lab07 is out and its due on Nov 2 (two weeks!) NSA

  1. 1 Lec08: Remote Exploit Taesoo Kim

  2. 2 Scoreboard

  3. 3 Administrivia • In-class CTF on Nov 16-17 (24 hours)! • Due: form your team and submit your CTF challenge by Nov 13! • Due: Lab07 is out and its due on Nov 2 (two weeks!) • NSA Codebreaker Challenge → Due: Nov 29

  4. 4 Best Write-ups for Lab05 libbase gkamuzora3, stong moving-target nhicks6, sfriedfertig fmtstr-digging riya, burak fmtstr-read fmtstr-write brainfxxk fd-const stong, palai fmtstr-heap seulbae, riya profile palai, burak mini-sudo palai, stong

  5. 5 Discussion: Lab05 • What’s the most “annoying” bug or challenge? • What’s the most “interesting” bug or challenge? • So, DEP and ASLR are not so effective?

  6. 6 Discussion: libbase • What do you learn from ./check? $ ./check stack : 0xff930aa0 system(): 0xf7521c50 printf(): 0xf7536670 $ ./check stack : 0xff930250 system(): 0xf755dc50 printf(): 0xf7572670

  7. 7 Discussion: libbase

  8. 8 Discussion: moving-target • What’s “check-aslr.sh” and pie.c? • How many times should we try to exploit?

  9. 9 Discussion: moving-target

  10. 10 Discussion: fmtstr-*? • fmtstr-read/write/digging are relatviely easy

  11. 11 How to Prevent fmtstr-*?

  12. 12 How to Prevent fmtstr-*? 1. Non-POSIX compliant (e.g., Windows) • Discarding %n • Limiting width (e.g., “%.512x” in XP, “%.622496x” in 2000) 2. Dynamic: enabling FORTIFY in gcc (e.g., Ubuntu) 3. Static: code annotation (e.g., Linux)

  13. 13 FORTIFY (-D_FORTIFY_SOURCE=2) • Ensuring that all positional arguments are used • e.g., %2$d is not ok without %1$d • Ensuring that fmtstr is in the read-only region (when %n) • e.g., “%n” should not be in a writable region $ ./fortify-yes %2$d *** invalid %N$ use detected *** $ ./fortify-yes %n *** %n in writable segment detected ***

  14. 14 Discussion: brainfxxk

  15. 15 Discussion: brainfxxk

  16. 16 Discussion: fd-const • What’s the bug? • How to exploit?

  17. 17 Discussion: profile • What’s program about? • What’s the bug?

  18. 18 Discussion: profile

  19. 19 Discussion: profile

  20. 20 Discussion: profile

  21. 21 Discussion: mini-sudo (CVE-2012-0809) • What is ‘ -D9’ for?

  22. 22 Discussion: mini-sudo (CVE-2012-0809) void sudo_debug(int level, const char *fmt, ...) { va_list ap; char *fmt2; if (level > debug_level) return; /* Backet fmt with program name and a newline to make it a single write */ easprintf(&fmt2, "%s: %s\n", getprogname(), fmt); va_start(ap, fmt); vfprintf(stderr, fmt2, ap); va_end(ap); efree(fmt2); }

  23. 23 CVE-2013-1848: Linux ext3 void ext3_msg(struct super_block *sb, const char *prefix, const char *fmt, ...) { struct va_format vaf; va_list args; va_start(args, fmt); vaf.fmt = fmt; vaf.va = &args; printk("%sEXT3-fs (%s): %pV\n", prefix, sb→s_id, &vaf); va_end(args); }

  24. 24 CVE-2013-1848: Linux ext3 // @get_sb_block() ext3_msg(sb, "error: invalid sb specification: %s", *data); // @ext3_blkdev_get() ext3_msg(sb, "error: failed to open journal device %s: %ld", __bdevname(dev, b), PTR_ERR(bdev));

  25. 25 Take-outs from DEP/ASLR? • Do you think DEP/ASLR make attackers’ life more difficult? • Is still possible to exploit? why? • Although we can’t place shellcode into stack/heap, we can still hijack the control flow of a program in many interesting ways

  26. 26 Discussion: Modern Exploit on ASLR (PIE) • Leak (or infer) code pointers (so map into library or code) • Construct ROP (today’s topic) • (although there are a few proposals, such as CFI, to mitigate ROPs)

  27. 27 Today’s Tutorial • About the in-class CTF challenge • In-class tutorial: • Socket programming in Python • Your first remote exploit!

  28. 28 About: In-class CTF • In-class CTF on Nov 16-17 (24 hours), starting in the class! • 3-4 persons as a team • Award prizes! • Submit your CTF challenge by Nov 13!

  29. 29 About: Docker Template/Sample $ ssh lab07@computron.gtisc.gatech.edu -p 9007 $ ssh lab07@cyclonus.gtisc.gatech.edu -p 9007 Password: lab07 $ cd tut-remote $ cat README

  30. 30 Remote Challenges • Use techniques learned from Lab01-Lab07 • But targeting the remote server (e.g., online services)!

  31. 31 Lab07: Remote Challenges

  32. 32 DEMO: about how remote challenges work • nc • exploit.py

  33. 33 In-class Tutorial • Step1: nc • Step2: brute force attack • Step3: guessing attack $ ssh lab07@computron.gtisc.gatech.edu -p 9007 $ ssh lab07@cyclonus.gtisc.gatech.edu -p 9007 Password: lab07 $ cd tut-remote $ cat README

Recommend

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia

1 Lec08: Remote Exploit Taesoo Kim 2 Scoreboard 3 NSA Codebreaker Challenges 4 Administrivia No class on Oct 28 If you are interested in, check out EKOPARTY CTF 2016 Due: Lab08 is out and its due on Nov 3 (two weeks!)

530 views • 21 slides
OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June

OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June

OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June 30, 2007 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability was found: The m dup1()

587 views • 23 slides
Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are

Zero Exploit Tolerance By Jamie Butler and Cody Pierce Confidential and Proprietary Who we are The exploit problem Modern software vulnerabilities Hardware-assisted exploit Agenda prevention Prior research

674 views • 45 slides
aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

Ein Blick in die Hexenkche der Exploit Entwickler aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 2 27/03/2018 // Exploit Development for Dummies

613 views • 48 slides
Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley

Q: Exploit Hardening Made Easy Edward J. Schwartz, Thanassis Avgerinos, and David Brumley Carnegie Mellon University 8/15/2011 1 Downloading Exploits I found a Exploit control flow hijack exploit online! Evil Ed Windows 7 8/15/2011 2

837 views • 58 slides
------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code? A. EIP B. ESP C. EAP D. EEP Ans: A 2)Which type of scan does not

431 views • 18 slides
Remote Access Plus Enterprise Remote Access Sofuware - Product Overview Covers all your

Remote Access Plus Enterprise Remote Access Sofuware - Product Overview Covers all your

Remote Access Plus Enterprise Remote Access Sofuware - Product Overview Covers all your troubleshooting needs ! On Premises Available on cloud Feature Highlights Advanced remote desktop sharing Voice, video and text chat Remote

222 views • 11 slides
Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction

Automatic Exploit Generation an Odyssey Sophia DAntoine CanSecWest 2016 Introduction Programs have become increasingly difficult to exploit larger, changing surface area mitigations more bytes to siphon through 10/22/2015

652 views • 46 slides
Remote Working Toolkit Remote Work Best Practices Remote work provides a unique & exciting

Remote Working Toolkit Remote Work Best Practices Remote work provides a unique & exciting

Remote Working Toolkit Remote Work Best Practices Remote work provides a unique & exciting opportunity: with just a few tweaks to your homelife and routine, your productivity and personal well-being can be maximized. This document

324 views • 6 slides
TheReleaseofProofofConcept CodeintotheWild An exploit

TheReleaseofProofofConcept CodeintotheWild An exploit

TheReleaseofProofofConcept CodeintotheWild An exploit isapieceofsoftware,achunkof data,orsequenceofcommandsthattake

398 views • 24 slides
DTCP + Remote Access Proposal for Discussion with 3S October 28, 2009 1 Remote Access (RA)

DTCP + Remote Access Proposal for Discussion with 3S October 28, 2009 1 Remote Access (RA)

DTCP + Remote Access Proposal for Discussion with 3S October 28, 2009 1 Remote Access (RA) Basic Rules Remote Connection AKE RA Encoding Rules 2 Remote Access Basic Rules Source devices may permit remote access to content

326 views • 15 slides
COLLARTS SOURCING REMOTE INTERNSHIPS WHAT IS A REMOTE INTERNSHIP? COLLARTS REMOTE INTERNSHIPS

COLLARTS SOURCING REMOTE INTERNSHIPS WHAT IS A REMOTE INTERNSHIP? COLLARTS REMOTE INTERNSHIPS

COLLARTS SOURCING REMOTE INTERNSHIPS WHAT IS A REMOTE INTERNSHIP? COLLARTS REMOTE INTERNSHIPS A remote internship is a class of internship where you do not have to be physically present in the office or site while doing the internship. You

151 views • 13 slides
COUNTERS REMOTE LDL-xxx-06/26 LNL-xxx-27 LGL-xxx-27 LDL-xxx-06 LDL-xxx-06 LDL-xxx-06

COUNTERS REMOTE LDL-xxx-06/26 LNL-xxx-27 LGL-xxx-27 LDL-xxx-06 LDL-xxx-06 LDL-xxx-06

REMOTE COLLECTION COUNTERS REMOTE LDL-xxx-06/26 LNL-xxx-27 LGL-xxx-27 LDL-xxx-06 LDL-xxx-06 LDL-xxx-06 LDL-xxx-06 Possibility of connecting in one line with low multidecks LDL-xxx-07 LDL-xxx-07 LDL-xxx-07 LDL-xxx-07 LDL-xxx-07

1k views • 82 slides
Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue

Heap Models For Exploit Systems IEEE Security and Privacy LangSec Workshop 2015 Julien Vanegue Bloomberg L.P. New York, USA. May 24, 2015 Big picture : The Automated Exploitation Grand Challenge A Security Exploit is a program taking

451 views • 23 slides
Remote Access and SSH a t t e n t i i g r e e n ! P a y t o t e x t o n n T h e s e c o r r e c t

Remote Access and SSH a t t e n t i i g r e e n ! P a y t o t e x t o n n T h e s e c o r r e c t

Remote Access and SSH a t t e n t i i g r e e n ! P a y t o t e x t o n n T h e s e c o r r e c t i d o n e a f t h e l e c t u r e ! t e r a r e o n s 1 Remote Access Modern computing requires the use of a variety of resources located on

652 views • 44 slides
Remote Procedure Calls Dan Savel, dxs221 EECS 338, Spring 2011 What is a Remote Procedure Call?

Remote Procedure Calls Dan Savel, dxs221 EECS 338, Spring 2011 What is a Remote Procedure Call?

Remote Procedure Calls Dan Savel, dxs221 EECS 338, Spring 2011 What is a Remote Procedure Call? Executing a procedure in an application running on a remote server Transport Protocol and Serialization are abstracted away to work

309 views • 20 slides
Transparent ROP Exploit Mitigation using Indirect Branch Tracing

Transparent ROP Exploit Mitigation using Indirect Branch Tracing

Transparent ROP Exploit Mitigation using Indirect Branch Tracing Alexandros Perrakis Manolis Karabinakis Stelios Ninidakis Vulnerabilities Buffer overflow

342 views • 30 slides
Virtual Learning St. John the Baptist School Remote Learning vs. Virtual Learning Remote

Virtual Learning St. John the Baptist School Remote Learning vs. Virtual Learning Remote

Virtual Learning St. John the Baptist School Remote Learning vs. Virtual Learning Remote Learning Virtual Learning - Entire class is remote - Some of the class is in person and - Some live instruction and recorded some is remote lessons

374 views • 11 slides
(g)RPC - Remote Procedure Call February 13, 2019 Remote Procedure Call (RPC) a form of

(g)RPC - Remote Procedure Call February 13, 2019 Remote Procedure Call (RPC) a form of

(g)RPC - Remote Procedure Call February 13, 2019 Remote Procedure Call (RPC) a form of inter-process communication RPC - Protocols XML-RPC xmlrpc2 (CRAN), XMLRPC (omegahat) JSON-RPC https://www.jsonrpc.org/ gRPC open

341 views • 8 slides
One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit

One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit

Johannes Obermaier, Marc Schink, Kosma Moczek August 11, 2020 One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit Microcontrollers Outline - Research Scope - Optical Die Inspection - Security Concept -

936 views • 58 slides
Chapter 15: Distributed Communication Sockets Remote Procedure Calls (RPCs) Remote

Chapter 15: Distributed Communication Sockets Remote Procedure Calls (RPCs) Remote

Chapter 15: Distributed Communication Sockets Remote Procedure Calls (RPCs) Remote Method Invocation (RMI) CORBA Object Registration Silberschatz, Galvin, and Gagne 1999 Applied Operating System Concepts Sockets

461 views • 21 slides
From x-ray crystallography to electron microscopy and back -- how best to exploit the continuum of

From x-ray crystallography to electron microscopy and back -- how best to exploit the continuum of

From x-ray crystallography to electron microscopy and back -- how best to exploit the continuum of structure-determination methods now available Scripps EM course, November 14, 2007 What aspects of contemporary x-ray crystallography have made

609 views • 33 slides
How to Exploit a Heterogeneous Cluster of Computers (Asymptotically) Optimally Arnold L.

How to Exploit a Heterogeneous Cluster of Computers (Asymptotically) Optimally Arnold L.

How to Exploit a Heterogeneous Cluster of Computers (Asymptotically) Optimally Arnold L. Rosenberg Electrical & Computer Engineering Colorado State University Fort Collins, CO 80523, USA rsnbrg@colostate.edu Joint work with Micah

927 views • 60 slides
Playing with FHIR IR How to Exploit the EHR Mark L Braunstein, MD Professor of the Practice

Playing with FHIR IR How to Exploit the EHR Mark L Braunstein, MD Professor of the Practice

Playing with FHIR IR How to Exploit the EHR Mark L Braunstein, MD Professor of the Practice School of Interactive Computing Georgia Institute of Technology Visiting Research Fellow E-Health Centre, CSIRO Variable Results Australia ranks

1.13k views • 67 slides

More recommend