System Hacking & Reverse Engineering 
[Introduction to Vulnerability & Type of Vulnerability] 
documented by h2spice 
h2spice@gmail.com
Who am I 
Sanghwan,Ahn (h2spice) 
Works for LINE.Corp 
Carrying out research on vulnerabilities (exploitation, hunting, analysis)
๋ชฉ์ฐจ 
์ปค๋ฆฌํ˜๋Ÿผ ์†Œ๊ฐœ 
Track1 - Introduction to Vulnerability 
Bugs 
Crashes 
Vulnerability 
Exploitation 
Defense Mechanism 
Track2 - Type of Vulnerability 
Buffer Overflow 
Stack 
Heap 
Integer 
Format String 
Use After Free
์‹œ์Šคํ…œ ํ•ดํ‚น / ๋ฆฌ๋ฒ„์‹ฑ 
Buffer Overflow 
์ทจ์•ฝ์  ์›๋ฆฌ 
Stack Overflow 
Heap Overflow 
Format String Bug 
Heap Overflow 
Use After Free 
Overwriting RET 
Overwriting SEH 
์ต์Šคํ”Œ๋กœ์ž‡(Win32/*NIX/ARM) 
Egg Hunting 
RTL 
ROP 
Heap Spraying 
์ปค๋ฆฌํ˜๋Ÿผ ์†Œ๊ฐœ 
์ทจ์•ฝ์  / ์•…์„ฑ์ฝ”๋“œ ๋ถ„์„ 
์•…์„ฑ์ฝ”๋“œ ๋ถ„์„ 
Software on X86 
๋ฒ„๊ทธ ํ—ŒํŒ… 
X86 ARM 
Mobile 
์ทจ์•ฝ์  ๋ถ„์„ 
์†Œ์Šค์ฝ”๋“œ ๋ถ„์„ 
ํผ์ง• 
CVE-XXXX-XXXX 
Exploit-DB 
Inj3ct0r - 1337day 
๋ฆฌ๋ฒ„์Šค ์—”์ง€๋‹ˆ์–ด๋ง 
iOS 
Android 
Overwriting .dtors 
Overwriting GOT
Track1. Introduction to Vulnerability
Track1. Intro to Vuln 
Bug 
Crashes 
Vulnerability 
Exploitation 
Defense Mechanism
About Bugs
Arises from an unknown error or from a mistake in the software design
Causes unexpected behavior or results
Crashes arise from bugs
Types of bugs
Logical bugs
Syntax bugs
Resource bugs
...
About Crashes
Software crashes
Invalid instruction execution
Privileged instruction execution (an instruction that requires a specific privilege level)
Dereference of invalid memory
Operating system / kernel crashes
BSOD (Blue Screen of Death)
Non-recoverable crashes
What is a vulnerability?
Definition (from Wikipedia)
A weakness, caused by a defect in computer hardware or software or by a hole in the system design, that allows a user (in particular a malicious attacker) to perform actions beyond the privileges granted or to view information beyond the permitted scope
(e.g. execution of arbitrary code, bypass of security mitigations, etc.)
Any information-security risk of an information system, including weaknesses caused by the carelessness of users and administrators or by social engineering techniques
A malicious attacker uses such a weakness to perform actions of the attacker's choosing on the target computer or information device, or to steal specific information. It is also called a security vulnerability or simply a vulnerability.
Examples of vulnerabilities
Buffer Overflow (Stack, Heap, Integer)
Format String
Null Pointer Dereference
Use After Free
How many vulnerability disclosures?
[ Figure: Total Vulnerabilities by Year, 1988-2012 (bar chart, y-axis 0 to 7000) ]
How many vulnerability disclosures?
[ Figure: High Severity Vulnerabilities by Year, 1988-2012 (bar chart, y-axis 0 to 7000) ]
Type of vulnerability
Buffer Overflow
Stack Overflow
Heap Overflow
Integer Overflow
Format String Bug
Null Pointer Dereference
Use After Free
...
What is exploitation
Arises from unexpected / unintended behavior inside software
Control hijack
Denial of Service (DoS)
Information Leakage
An exploitation attack makes use of a crash inside the software
When an exploitable crash occurs in software, identify which bug the crash comes from
(typically, control flow can be influenced from user input)
Attack code is injected and control flow is redirected to the arbitrary code the attacker inserted
What is exploitation
Common defense mechanisms
Address Space Layout Randomization (ASLR)
Data Execution Prevention (DEP) or W^X (Write xor eXecute)
Stack Cookies / Canaries
...
Bypassing defense mechanisms
ASLR : Bruteforce, Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got)
DEP : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP)
Stack Cookies / Canaries : Bruteforce, Error Handler Overwrite
Track2. Type of Vulnerability
Track2. Type of Vuln 
Buffer Overflow 
Stack 
Heap 
Integer 
Format String 
Use After Free
What is the Buffer Overflow
Occurs because the C / C++ compiler performs no boundary check on arrays, so data larger than the declared size gets written
Occurs because the operating system allows arbitrary data to be written to, and executed from, the stack or heap regions
high address
Arguments
Return Address
Stack Frame Pointer
Local Variables
(buffer area)
low address
What is the Stack Overflow
A stack buffer overflow occurs when more data is copied than the size of the statically allocated buffer.
#include <string.h>
int main(int argc, char* argv[])
{
    char buf[8];
    strcpy(buf,argv[1]);   /* no bound on argv[1]: anything past 8 bytes spills over the buffer */
    return 0;
}
Principle of Stack Overflow
char buf[8];              // allocate an 8-byte buffer
strcpy(buf,argv[1]);
argv[1] = "AAAAAAA"
A A A A A A A 0           // no buffer overflow: 7 bytes plus the terminating 0 fit in 8
argv[1] = "AAAAAAAAAAAA"
A A A A A A A A A A A A   // buffer overflow: 12 bytes written into an 8-byte buffer
Stack Layout
high address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
low address
Calling .Start function:
.Start :
    push %ebp
    mov %esp, %ebp
    sub $0xC, %esp
    ...
    strcpy(buf,argv[1]);
    ...
    leave
    ret
strcpy copies argv[1] upward from the start of buf; the slides animate it four bytes of 'A' at a time:
A A A A    first 4 bytes land in char buf[8]
A A A A    char buf[8] is now full
A A A A    the next 4 bytes overwrite saved ebp
A A A A    the next 4 bytes overwrite &ret (saved eip), so ret returns to whatever value now sits in that slot
What is the Heap Overflow
A heap buffer overflow occurs when more data is copied than the size of the dynamically allocated buffer.
#include <stdlib.h>
#include <string.h>
int main(int argc, char* argv[])
{
    char *buf;
    size_t size = strlen(argv[1]);   /* assumed: the slide uses `size` without defining it */
    buf = malloc(4);
    memcpy(buf,argv[1],size);        /* copies `size` bytes into a 4-byte allocation */
    return 0;
}
Principle of Heap Overflow
buf = malloc(4);                        // allocate a 4-byte buffer
memcpy(buf,argv[1],sizeof(argv[1]));
argv[1] = "AAA"
A A A 0                   // no buffer overflow: 3 bytes plus the terminating 0 fit in 4
argv[1] = "AAAAAAAAAAAA"
A A A A A A A A A A A A   // buffer overflow: 12 bytes written into a 4-byte buffer
Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
    push %ebp
    mov %esp, %ebp
    sub $0xC, %esp
    ...
    memcpy(buf,argv[1],sizeof(argv[1]));
    ...
    leave
    ret
low address
Chunk1:
    Prev_size
    size = 12 (0xc), Prev_In_Use bit = 0
    Data[4]
Chunk2:
    Prev_size
    size = 13 (0xd), Prev_In_Use bit = 1 (the low bit of size records that Chunk1 is in use: 13 = 12 | 1)
    Data[4]
high address

Two chunks, of which the first is free for allocation
low address
Chunk1 (unused chunk):
    Prev_size
    size, Prev_In_Use bit = 0
    FD (pointer to the next free chunk)
    BK (pointer to the prev free chunk)
    Unused
Chunk2:
    Prev_size
    size
    Data[4]
high address

Overflowing Chunk1: memcpy writes past Data[4] into the following chunk; the slides animate it four bytes of 'A' at a time:
A A A A    fills Data[4] of Chunk1
A A A A    overwrites Prev_size of Chunk2
A A A A    overwrites size (and its Prev_In_Use bit) of Chunk2
A A A A    reaches Data[4] of Chunk2
What is the Integer Overflow
It occurs when the stored result of an operation is bigger than the permissible range
It occurs when the stored result of an operation is smaller than the permissible range
It occurs during the operation process
It is difficult to detect, so extensive code analysis is needed
16-bit signed addition:
  0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0   =  20000
+ 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0   =  30000
  1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0   = -15536
The result is a negative number because its top bit is interpreted as the sign bit
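The following is an added example, not code from the slides. It reproduces the slide's 16-bit sum (20000 + 30000 giving -15536) by adding in uint16_t and reinterpreting the result as signed, prints the same bit patterns the slide shows, and then does the addition a second way: in a wider type with a range check, so the overflow is reported instead of wrapped. The values are the slide's; the helper names are assumptions, and the signed reinterpretation relies on two's complement (true on every mainstream target).

```c
/* Added example (not from the slides): the slide's 20000 + 30000 = -15536
 * as a wrapping 16-bit add, the bit patterns behind it, and a checked add. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Wrapping add: the arithmetic is done modulo 2^16 in the unsigned domain
 * (never undefined behaviour), then the bit pattern is viewed as signed, so
 * a result with the top bit set comes out negative. */
int16_t add16_wrapping(int16_t a, int16_t b)
{
    uint16_t sum = (uint16_t)a + (uint16_t)b;   /* 20000 + 30000 -> 50000 */
    return (int16_t)sum;                         /* 50000 viewed as int16 -> -15536 */
}

/* Checked add: compute in 32 bits, where 16-bit operands cannot overflow,
 * and refuse results outside the 16-bit signed range. */
bool add16_checked(int16_t a, int16_t b, int16_t *out)
{
    int32_t wide = (int32_t)a + (int32_t)b;
    if (wide > INT16_MAX || wide < INT16_MIN)
        return false;   /* caller must handle the overflow explicitly */
    *out = (int16_t)wide;
    return true;
}

/* Render a 16-bit value as the slide's bit string, most significant bit first. */
void bits16(uint16_t v, char out[17])
{
    for (int i = 0; i < 16; i++)
        out[i] = (v & (0x8000u >> i)) ? '1' : '0';
    out[16] = '\0';
}

int main(void)
{
    char a[17], b[17], s[17];
    int16_t checked;

    bits16((uint16_t)20000, a);
    bits16((uint16_t)30000, b);
    bits16((uint16_t)add16_wrapping(20000, 30000), s);
    printf("  %s = %6d\n+ %s = %6d\n  %s = %6d (wrapped)\n",
           a, 20000, b, 30000, s, add16_wrapping(20000, 30000));

    if (!add16_checked(20000, 30000, &checked))
        printf("checked add: 20000 + 30000 does not fit in int16_t\n");
    return 0;
}
```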
Example of the Integer Overflow
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[])
{
    signed int type1 = 0;   /* signed type */
    signed int type2 = 0;   /* signed type; receives the unsigned value below */
    unsigned int type3 = 999999999999999999;   /* integer overflow: the constant does not fit in 32 bits */
    type1 = strlen(argv[1]);
    if(argv[2] != NULL)
    {   /* due to some operations */
        type2 = type3;
    }
    printf("type1 = %d \n", type1);
    printf("type2 = %d\n", type2);
    return 0;
}
Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* off_t */
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
    /* declare variables (signed/unsigned type, static buffer) */
    off_t type1 = 0;                  /* signed type */
    size_t type2 = 0;                 /* unsigned type */
    off_t type3 = 999999999999999;    /* integer overflow */
    char buffer[BUFFER_SIZE];         /* fixed buffer */
    /* get the size of the user input data, and then print the size */
    type1 = strlen(argv[1]);
    printf("size of input data = %d \n", type1);
    if(argv[2] != NULL)
    {   /* due to some operations: a big value stored in a signed-type variable overflows */
        type1 = type3;
    }
    /* check the size of the user input data (code meant to prevent a buffer overflow) */
    type2 = (size_t) test_min(type1, BUFFER_SIZE);
    printf("size of (size_t)type2 = %d\n", type2);
    /* copy user input data to buffer: type2 has been set from a negative number,
       which bypasses the size check, so a stack overflow occurs */
    strncpy(buffer, argv[1], type2);
    /* and then print the user input data */
    printf("data output = %s\n", buffer);
    return 0;
}
Output 1 - The normal case
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Step by step:
declare variables (signed/unsigned type, static buffer)
get the size of the user input data, and then print the size
check the size of the user input data (code to prevent buffer overflow)
copy the user input data to the buffer, and then print the user input data
if a big value is stored in a signed-type variable, an integer overflow occurs
because type2 has been set from a negative number, it bypasses the code that prevents the buffer overflow
as a result, a stack buffer overflow occurs
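The following is an added example, not code from the slides. It keeps the slides' test_min macro and BUFFER_SIZE to show exactly what reaches strncpy when the signed length is negative (the cast to size_t turns -1530494977 from the slide's output into a huge count), and beside it a length check that rejects negative and oversized values before any cast and before any copy. The function names are assumptions; the numbers are the slide's.

```c
/* Added example (not from the slides): the slide's test_min() lets a negative
 * off_t through and the cast to size_t makes it enormous; clamp_copy_len()
 * checks sign and bound before casting. BUFFER_SIZE and the -1530494977
 * value are taken from the slide. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* off_t */

#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))   /* the slide's macro */

/* What the slide's code passes to strncpy: a negative length is "smaller"
 * than BUFFER_SIZE, survives test_min, and becomes a huge size_t. */
size_t slide_copy_len(off_t len)
{
    return (size_t) test_min(len, BUFFER_SIZE);
}

/* Hardened check: -1 unless 0 <= len < cap (one byte is kept for the NUL).
 * The sign test comes first, while the value is still signed; only then is
 * it compared against the capacity. */
long clamp_copy_len(off_t len, size_t cap)
{
    if (len < 0)
        return -1;
    if (len >= (off_t) cap)
        return -1;
    return (long) len;
}

/* Copy at most `len` bytes of input into buf, always NUL-terminating.
 * `len` is the length the caller believes is valid (type1 on the slide);
 * it is validated against the buffer and against the actual string. */
int copy_input(char *buf, size_t cap, const char *input, off_t len)
{
    long n = clamp_copy_len(len, cap);
    if (n < 0)
        return -1;
    size_t avail = strlen(input);
    if ((size_t) n > avail)
        n = (long) avail;
    memcpy(buf, input, (size_t) n);
    buf[n] = '\0';
    return 0;
}

int main(int argc, char *argv[])
{
    const char *input = argc > 1 ? argv[1] : "hello";          /* constructed default */
    off_t len = argc > 2 ? (off_t) -1530494977 : (off_t) strlen(input);   /* the slide's overflowed value */
    char buffer[BUFFER_SIZE];

    printf("slide's strncpy count for len=%ld: %zu\n", (long) len, slide_copy_len(len));
    if (copy_input(buffer, sizeof buffer, input, len) == 0)
        printf("data output = %s\n", buffer);
    else
        printf("rejected: length %ld is negative or exceeds %d\n", (long) len, BUFFER_SIZE);
    return 0;
}
```

Run without a second argument it behaves like the slide's Output 1; with a second argument it substitutes the slide's overflowed length, and where the slide's program segfaults this one reports the rejected length.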
What is the Format String Bug ?
printf(buf);
Occurs when user input arrives as the format string (the vulnerability occurs when user input data is used as the format string)
Correct Usage : printf("%s", argv[1]);
Dangerous Usage : printf(argv[1]);
Can be used to read and write arbitrary memory
Can be detected by static analysis tools
But it still shows up in many competitions and in real software
Format String / Parameter Description
%d    integer (decimal)
%f    floating-point constant (float)
%lf   floating-point constant (double)
%c    character value (char)
%s    character string ((const)(unsigned) char *)
%u    unsigned integer (decimal)
%o    unsigned integer (octal)
%x    unsigned integer (hexadecimal)
%n    int * (total number of bytes written so far)
%hn   half of %n: writes in 2-byte (short) units
[ Slides: the same program run first with user input used as a plain string, then with the user input "%x" used as the format string ]
when user input data is used as a string
when user input data is used as a format string (%x)
What is the Format String Bug ?
high address
buf[256]
strcpy
printf
low address
ESP
when the argument of printf( ) is used as the format string "%x":
printf: "Hey! where is the argument for the format string "%x"?" ... "we don't have enough time, do as you usually do!"
When printf( ) is called, its arguments are pushed onto the stack, so when printf("%x") runs, esp points at the arguments that went into printf( ). But when there is no argument matching %x, the machine simply prints the value at esp+4, one of strcpy's leftover argument values, as a hexadecimal number.
Each further %x reads the next word up the stack:
ESP+4
ESP+8
ESP+12
ESP+16
Point1. We can read the arbitrary memory space
What is the Format String Bug ?
%n
high address
buf[256]
strcpy
printf
low address
ESP
when the argument of printf( ) is used as the format string "%n":
%n does two things: first it takes the number of characters printed so far, and second it treats the next item on the stack as an address and writes the value it just computed to that address (%n writes the number of bytes printed so far to the target address).
Four strings: Segmentation Fault / Crash Analysis. Is it the length of the string?
Nine strings: Segmentation Fault / Crash Analysis. It is the length of the string!
Point2. We can write the arbitrary memory space
What about it ? 
What do you want me to do ?
Track2. Type of Vuln How do we make use of this ? 
๋ฒ„ํผ ์˜ค๋ฒ„ ํ”Œ๋กœ์šฐ์˜ ๊ฒฝ์šฐ Return Address ๋ฅผ ๋ฎ์–ด์”Œ์›Œ Control 
Flow๋ฅผ ์กฐ์ž‘ํ•  ์ˆ˜ ์žˆ๋‹ค. 
But ? 
ํฌ๋งท์ŠคํŠธ๋ง๋„ Return Address ๋ฅผ ๋ฎ์–ด์”Œ์›Œ Control Flow๋ฅผ ์กฐ์ž‘ 
ํ•  ์ˆ˜ ์žˆ๋‹ค. (๋ฒˆ๊ฑฐ๋กญ๊ณ  ๊ณจ์น˜์•„ํ”„๋‹ค) 
ELF ๋ฐ”์ด๋„ˆ๋ฆฌ์˜ .Dtors ์„ธ์…˜์„ ๋ฎ์–ด์”Œ์›Œ Control Flow๋ฅผ ์กฐ์ž‘ํ•  
์ˆ˜ ์žˆ๋‹ค. 
GOT (Global Offset Table) ๋ฅผ ๋ฎ์–ด์”Œ์›Œ Control Flow๋ฅผ ์กฐ์ž‘ํ•  
์ˆ˜ ์žˆ๋‹ค.
Itโ€™s my prey
Track2. Type of Vuln What is the Use After Free ? 
Use After Free does not crash by itself, but it is a vulnerability 
A logical vulnerability (Logical Vulnerability) 
Allocate -> Use -> Free -> Use 
(malloc -> use -> free -> use) 
No crash occurs, because the freed memory is usually still mapped; the program keeps running on stale data
Proof of Concept about Use After Free 
#include <stdio.h> 
#include <stdlib.h>   /* malloc, free */ 
#include <string.h>   /* strncpy */ 
#define MAX 512 
int main(int argc, char* argv[]) 
{ 
    char* buf1A; 
    char* buf2A; 
    char* data = "hello world"; 
    if (argc < 2) { 
        fprintf(stderr, "usage: %s <string>\n", argv[0]); 
        return 1; 
    } 
    buf1A = (char*) malloc(MAX); 
    buf2A = (char*) malloc(MAX);   /* a live chunk after buf1A, so freeing buf1A leaves a free chunk instead of merging it into the top chunk */ 
    strncpy(buf1A, data, MAX-1); 
    printf("[+]user input data = %s\n", argv[1]); 
    printf("[+]data of buf1A = %s\n", buf1A); 
    free(buf1A);                   /* buf1A is now a dangling pointer */ 
    printf("[+]free buf1A\n"); 
    strncpy(buf1A, argv[1], MAX-1);   /* use after free: write through the dangling pointer */ 
    printf("[+]copy user input data to buf1A\n"); 
    printf("[+]after free, data of buf1A = %s\n", buf1A);   /* use after free: read */ 
    free(buf2A); 
    return 0; 
} 
Output : 
h2spice@ubuntu:~/Desktop/useafterfree 
$ ./useafterfreePoc use-after-free 
[+]user input data = use-after-free 
[+]data of buf1A = hello world 
[+]free buf1A 
[+]copy user input data to buf1A 
[+]after free, data of buf1A = use-after-free
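An added example, not from the original slides, that shows the same Allocate -> Use -> Free -> Use sequence on the kind of object an exploit cares about: one holding a function pointer. It demonstrates the vulnerable close that leaves the caller's pointer dangling, the allocator handing the freed chunk straight back to the next same-sized allocation (so the dangling pointer now aliases attacker-controlled bytes), and the hardened close that wipes the object and nulls the pointer so a later use is refused. The type and function names (session_t, session_close_vuln, session_close_safe) are this example's own, and the "attacker data" is constructed inline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An object with a function pointer: what an attacker wants to reclaim
   after it has been freed. */
typedef struct session {
    void (*on_close)(struct session *self);
    char name[24];
} session_t;

static int close_calls;
static void on_close_default(session_t *self) { (void)self; close_calls++; }

static session_t *session_new(const char *name)
{
    session_t *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->on_close = on_close_default;
    strncpy(s->name, name, sizeof s->name - 1);
    return s;
}

/* Vulnerable close: releases the object, but the caller keeps its pointer. */
static void session_close_vuln(session_t *s)
{
    free(s);            /* caller's pointer now dangles: Malloc -> Use -> Free -> ?Use */
}

/* Hardened close: wipe the function pointer, release, null the caller's
   pointer so a later use fails loudly instead of running on stale data. */
static void session_close_safe(session_t **sp)
{
    if (!sp || !*sp) return;
    memset(*sp, 0, sizeof **sp);
    free(*sp);
    *sp = NULL;
}

/* Dispatch that tolerates a closed session. Returns 1 if it called the
   handler, 0 if the session was already gone. */
static int session_dispatch(session_t *s)
{
    if (!s || !s->on_close) return 0;
    s->on_close(s);
    return 1;
}

/* Allocator reuse: after free(), the next allocation of the same size class
   normally gets the same chunk back (glibc tcache/fastbin behaviour), so the
   dangling pointer now points at bytes the second caller controls. Returns 1
   if the two pointers aliased, 0 otherwise, -1 on allocation failure. Only
   pointer values are compared; nothing is read through the dangling pointer. */
static int reuse_demo(void)
{
    session_t *victim = session_new("victim");
    if (!victim) return -1;
    session_close_vuln(victim);                       /* victim dangles */
    char *attacker = malloc(sizeof(session_t));       /* same size class */
    if (!attacker) return -1;
    memset(attacker, 'A', sizeof(session_t));         /* constructed attacker data */
    int aliased = ((void *)attacker == (void *)victim);
    free(attacker);
    return aliased;
}

/* Hardened flow: use, close, use again. Returns 1 when the second use is
   refused and the handler ran exactly once. */
static int safe_flow(void)
{
    int before = close_calls;
    session_t *s = session_new("safe");
    if (!s) return 0;
    int first = session_dispatch(s);
    session_close_safe(&s);
    int second = session_dispatch(s);                 /* s is NULL now */
    return first == 1 && second == 0 && s == NULL && close_calls == before + 1;
}

int main(void)
{
    printf("freed chunk reused by next same-size malloc: %s\n",
           reuse_demo() == 1 ? "yes (dangling pointer aliases attacker data)" : "no");
    printf("hardened close refuses use after free: %s\n", safe_flow() ? "yes" : "no");
    return 0;
}
```

If reuse_demo reports "yes", victim->on_close would now read as 0x41414141... and a call through it is the control-flow hijack; this example deliberately stops at the pointer comparison. Build with -fsanitize=address and add a read through victim to see the exact report a fuzzer would have missed without the sanitizer, since the slide's point is that nothing crashes on its own.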
What is Exploitable Crash ? 
mov eax,dword ptr [esi+0Ch]   ; load a field from the object reached through esi 
mov eax,dword ptr [ecx]       ; load a pointer from the object in ecx (e.g. its vtable) 
mov edx,dword ptr [eax+5Ch]   ; read a function pointer out of that table 
call edx                      ; indirect call: if the object, or the memory it points to, is attacker-controlled, so is eip
Thank You :)

ย 

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

  • 1. System Hacking & Reverse Engineering [Introduction to Vulnerability & Type of Vulnerability] documented by h2spice h2spice@gmail.com
  • 2. Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
  • 3. Contents
    Curriculum introduction
    Track1 - Introduction to Vulnerability
      Bugs
      Crashes
      Vulnerability
      Exploitation
      Defense Mechanism
    Track2 - Type of Vulnerability
      Buffer Overflow
        Stack
        Heap
        Integer
      Format String
      Use After Free
  • 4. Curriculum introduction (course map)
    System Hacking / Reversing
      Vulnerability principles: Buffer Overflow (Stack Overflow, Heap Overflow), Format String Bug, Use After Free, Overwriting RET, Overwriting SEH, Overwriting .dtors, Overwriting GOT
      Exploitation (Win32 / *NIX / ARM): Egg Hunting, RTL, ROP, Heap Spraying
    Vulnerability / Malware Analysis
      Malware analysis: Software on X86, Mobile (X86, ARM)
      Bug hunting: Source code analysis, Fuzzing
      Vulnerability analysis: CVE-XXXX-XXXX, Exploit-DB, Inj3ct0r - 1337day
      Reverse engineering: iOS, Android
  • 5. Track1. Introduction to Vulnerability
  • 6. Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 7. About Bugs
    Arise from unknown errors or from mistakes in the software's design
    Cause unexpected behaviour or results
    Crashes arise from bugs
    Kinds of bugs
      Logical bugs
      Syntax bugs
      Resource bugs
      ...
  • 8. About Crashes
    Software crash
      Invalid instruction execution
      Privileged instruction execution
      Dereference of invalid memory
    Operating system / kernel crash
      BSOD (Blue Screen of Death)
      Non-recoverable crash
  • 9. What is a vulnerability?
    Definition (from Wikipedia)
      A weakness, caused by a flaw in a computer's hardware or software or by a gap in the system design, that lets a user (in particular a malicious attacker) perform actions beyond the permitted privileges or read information beyond the permitted scope (e.g. execution of arbitrary code, bypass of security mitigations, etc.)
      Any information-security risk of an information system, including weaknesses that come from careless users and administrators or from social-engineering techniques
      A malicious attacker uses such a weakness to perform the actions they intend on the target computer or device, or to steal specific information. Also called a security vulnerability, or simply a vulnerability.
    Examples of vulnerabilities
      Buffer overflow (Stack, Heap, Integer)
      Format String
      Null Pointer Dereference
      Use After Free
  • 10. How many vulnerability disclosures?
    [Chart: Total Vulnerabilities by Year, 1988-2012; y-axis 0 to 7000]
  • 11. How many vulnerability disclosures?
    [Chart: High Severity Vulnerabilities by Year, 1988-2012; y-axis 0 to 7000]
  • 12. Type of vulnerability
    Buffer Overflow
      Stack Overflow
      Heap Overflow
      Integer Overflow
    Format String Bug
    Null Pointer Dereference
    Use After Free
    ...
  • 13. What is exploitation?
    Arises from unexpected / unintended behaviour inside the software
      Control hijack
      Denial of Service (DoS)
      Information Leakage
    Exploitation: attacking the software through a crash inside it
      When an exploitable crash occurs, determine which bug produces it (typically the control flow can be influenced from user input)
      Insert attack code and redirect the control flow to the arbitrary code the attacker inserted
  • 14. What is exploitation? (continued)
    Common defense mechanisms
      Address Space Layout Randomization (ASLR)
      Data Execution Prevention (DEP) or W^X (Write xor eXecute)
      Stack Cookies / Canaries
      ...
    Bypassing defense mechanisms
      ASLR: Bruteforce, Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got)
      DEP: Ret-to-Libc (ret2libc), Return Oriented Programming (ROP)
      Stack Cookies / Canaries: Bruteforce, Error Handler Overwrite
  • 15. Track2. Type of Vulnerability
  • 16. Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 17. What is a Buffer Overflow?
    Occurs because the C / C++ compiler performs no boundary check on arrays, so data larger than the declared size gets written
    Occurs because the operating system allows arbitrary data in the stack or heap region to be written and executed
    [Stack frame, from high address to low address]
      Arguments
      Return Address
      Stack Frame Pointer
      Local Variables (buffer area)
  • 18. What is a Stack Overflow?
    A stack buffer overflow occurs when more data is copied than the size of the allocated static buffer.
      #include <string.h>
      int main(int argc, char* argv[])
      {
          char buf[8];
          if (argc < 2) return 1;
          strcpy(buf, argv[1]);   /* no length check: the copy runs past buf when argv[1] is longer than 7 characters */
          return 0;
      }
  • 19. Principle of Stack Overflow
      char buf[8];              // allocate an 8-byte buffer
      strcpy(buf, argv[1]);
    argv[1] = "AAAAAAA"   (7 bytes plus the terminator)
      A A A A A A A 0           // no buffer overflow
    argv[1] = "AAAAAAAAAAAA"   (12 bytes)
      A A A A A A A A | A A A A   // buffer overflow: the bytes past the 8th land outside buf
  • 20-24. Stack Layout (five animation frames of the same slide, collapsed into one)
    The frame after the prologue, from high address to low address:
      arg2
      arg1
      &ret (saved eip)
      saved ebp
      char buf[8]
    Calling the function (.Start):
      .Start:
          push %ebp
          mov  %esp, %ebp
          sub  $0xC, %esp
          ...
          strcpy(buf, argv[1]);
          ...
          leave
          ret
    strcpy() fills buf from its lowest address upward. With 4 bytes of "A" only half of buf is used; with 8 bytes buf is exactly full; with 12 bytes the copy has continued past buf into the saved ebp, and a still longer input reaches &ret (the saved eip), the value that ret pops into the instruction pointer.
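    The same 8-byte buffer written through a copy that refuses input it cannot hold, in place of the unchecked strcpy() of slides 18-24. This is an added example, not code from the slides; copy_bounded() and store_argument() are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): the slide's 8-byte stack buffer,
 * filled through a copy that refuses input it cannot hold, instead of the
 * unchecked strcpy() on slides 18-24. Function names are hypothetical. */

#define BUF_SIZE 8   /* same size as the slide's `char buf[8]` */

/* Copies src into dst only if src plus its terminating NUL fits in
 * dst_size bytes. Returns true on success. On rejection dst becomes an
 * empty string and not a single byte is written past dst[dst_size - 1],
 * so the saved ebp and the return address that sit above the buffer can
 * never be touched by this copy. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return false;
    /* Bounded scan: never look further into src than dst could hold. */
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size) {          /* src has at least dst_size bytes: no room for the NUL */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);      /* len + 1 <= dst_size */
    return true;
}

/* Counterpart of the slide's main(): copy one argument into an 8-byte
 * stack buffer. Returns the number of bytes stored (without the NUL), or
 * -1 when the input was rejected. */
int store_argument(const char *arg)
{
    char buf[BUF_SIZE];
    if (!copy_bounded(buf, sizeof buf, arg))
        return -1;
    return (int)strlen(buf);
}

int main(int argc, char *argv[])
{
    const char *arg = (argc > 1) ? argv[1] : "AAAAAAA";   /* default: the slide's seven "A"s */
    int stored = store_argument(arg);
    if (stored < 0)
        printf("rejected: %zu bytes do not fit in a %d-byte buffer\n", strlen(arg), BUF_SIZE);
    else
        printf("stored %d bytes\n", stored);
    return 0;
}
```

    The seven "A"s of slide 19 are accepted and the twelve are rejected; eight are rejected as well, because the terminator needs the eighth byte, which is exactly the byte the slide's strcpy() would have pushed past the end of buf.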
  • 25. What is a Heap Overflow?
    A heap buffer overflow occurs when more data is copied than the size of the allocated dynamic buffer.
      #include <stdlib.h>
      #include <string.h>
      int main(int argc, char* argv[])
      {
          char *buf;
          if (argc < 2) return 1;
          buf = malloc(4);                            /* 4-byte heap buffer */
          memcpy(buf, argv[1], strlen(argv[1]) + 1);  /* copies the whole input, however long: overflow once it exceeds 4 bytes
                                                         (the slide's sizeof(argv[1]) would only give the size of the pointer) */
          free(buf);
          return 0;
      }
  • 26. Principle of Heap Overflow
      buf = malloc(4);                               // allocate a 4-byte buffer
      memcpy(buf, argv[1], strlen(argv[1]) + 1);
    argv[1] = "AAA"   (3 bytes plus the terminator)
      A A A 0                     // no buffer overflow
    argv[1] = "AAAAAAAAAAAA"   (12 bytes)
      A A A A | A A A A A A A A   // buffer overflow: everything past the 4th byte lands in the next chunk
  • 27-34. Heap Layout (eight animation frames of the same slide, collapsed into one)
    Calling the function (.Start):
      .Start:
          push %ebp
          mov  %esp, %ebp
          sub  $0xC, %esp
          ...
          memcpy(buf, argv[1], strlen(argv[1]) + 1);
          ...
          leave
          ret
    Two allocated chunks on the heap, from low address to high address (the lowest bit of the size field is the Prev_In_Use bit):
      Chunk1: Prev_size | size = 12 (0xc), Prev_In_Use bit 0            | Data[4]
      Chunk2: Prev_size | size = 12 (0xc), Prev_In_Use bit 1 = 13 (0xd) | Data[4]
    Two chunks, of which the first is free for allocation:
      Chunk1 (free): Prev_size | size, Prev_In_Use bit 0 | FD (pointer to the next free chunk) | BK (pointer to the previous free chunk) | unused
      Chunk2:        Prev_size | size | Data[4]
    memcpy() fills Chunk1's Data[4] from its lowest address upward. With 4 bytes of "A" the data area is exactly full; with 8 bytes the copy has already overwritten Chunk2's Prev_size field; with 16 bytes it has overwritten Chunk2's whole header (Prev_size and size, Prev_In_Use bit included) and its Data[4] as well.
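    Two pieces of the heap slides worth seeing in code: how the Prev_In_Use bit shares the size field (12 with the bit set reads as 13, 0xd, as on slide 30), and how an allocation is sized from the data that will actually be copied into it, which is what the slide's malloc(4) does not do. This is an added example, not code from the slides; the chunk-header helpers model the slide's simplified 12-byte chunk rather than a real allocator, and dup_input() and stored_length() are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the slides). Models the slide's simplified chunk
 * header and shows an allocation sized from its input. Not a real
 * allocator; function names are hypothetical. */

#define PREV_INUSE 0x1u   /* the slide's Prev_In_Use bit: lowest bit of the size field */

/* Build the stored size field from the chunk size and the flag. */
uint32_t chunk_size_field(uint32_t size, bool prev_inuse)
{
    return (size & ~PREV_INUSE) | (prev_inuse ? PREV_INUSE : 0);
}

/* Recover the chunk size (flag bit masked off) from the stored field. */
uint32_t chunk_size(uint32_t field) { return field & ~PREV_INUSE; }

/* Recover the Prev_In_Use flag from the stored field. */
bool chunk_prev_inuse(uint32_t field) { return (field & PREV_INUSE) != 0; }

/* Safe counterpart of the slide's malloc(4) + memcpy(): allocate exactly
 * strlen(src) + 1 bytes and refuse input longer than max_len, so a hostile
 * length can neither overflow the buffer nor exhaust memory.
 * Returns NULL on rejection or allocation failure; the caller frees. */
char *dup_input(const char *src, size_t max_len)
{
    if (src == NULL)
        return NULL;
    size_t len = 0;
    while (len <= max_len && src[len] != '\0')   /* bounded scan */
        len++;
    if (len > max_len)                            /* too long: reject before allocating */
        return NULL;
    char *buf = malloc(len + 1);   /* len <= max_len, so len + 1 cannot wrap */
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, len + 1);     /* copy exactly what was allocated */
    return buf;
}

/* Stand-in for the slide's main(): returns the stored length, or -1 when
 * the input was rejected. */
int stored_length(const char *src, size_t max_len)
{
    char *copy = dup_input(src, max_len);
    if (copy == NULL)
        return -1;
    int n = (int)strlen(copy);
    free(copy);
    return n;
}

int main(int argc, char *argv[])
{
    const char *arg = (argc > 1) ? argv[1] : "AAA";   /* default: the slide's three "A"s */
    printf("size field of a 12-byte chunk with Prev_In_Use set: 0x%x\n", chunk_size_field(12, true));
    printf("stored length (limit 3): %d\n", stored_length(arg, 3));
    return 0;
}
```

    With the limit set to the slide's 3 usable bytes, "AAA" is stored and the 12-byte input is rejected; with a larger limit the same input is stored in full because the buffer was sized from it.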
  • 35. What is an Integer Overflow?
    Occurs when the stored result of an operation is larger than the permissible range of its type
    Occurs when the stored result of an operation is smaller than the permissible range of its type
    Occurs in the middle of an arithmetic operation
    Hard to detect, so massive code analysis is needed
    Example, 16-bit signed addition:
        20000  = 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0
      + 30000  = 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0
      = -15536 = 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0
    The true sum, 50000, does not fit in the 15 value bits; its top bit is interpreted as the sign bit, so the stored result is negative.
  • 36-37. Example of the Integer Overflow (first version of the sample program)
      #include <stdio.h>
      #include <string.h>
      int main(int argc, char* argv[])
      {
          signed int type1 = 0;                     /* signed type */
          signed int type2 = 0;                     /* receives the overflowed value */
          unsigned int type3 = 999999999999999999;  /* constant does not fit in 32 bits: integer overflow */
          if (argc < 2) return 1;
          type1 = strlen(argv[1]);
          if (argv[2] != NULL) {                    /* due to some operations */
              type2 = type3;
          }
          printf("type1 = %d\n", type1);
          printf("type2 = %d\n", type2);
          return 0;
      }
  • 38-44. Example of Integer Buffer Overflow (seven frames of the same slide, collapsed; the callouts are listed below the code)
      #include <stdio.h>
      #include <string.h>
      #include <sys/types.h>
      #define BUFFER_SIZE 4096
      #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
      int main(int argc, char* argv[])
      {
          off_t  type1 = 0;                 /* signed type */
          size_t type2 = 0;                 /* unsigned type */
          off_t  type3 = 999999999999999;   /* integer overflow */
          char buffer[BUFFER_SIZE];         /* fixed buffer */
          if (argc < 2) return 1;
          type1 = strlen(argv[1]);
          printf("size of input data = %d\n", (int)type1);
          if (argv[2] != NULL) {            /* due to some operations */
              type1 = type3;
          }
          type2 = (size_t) test_min(type1, BUFFER_SIZE);
          printf("size of (size_t)type2 = %d\n", (int)type2);
          strncpy(buffer, argv[1], type2);  /* occurs stack overflow */
          printf("data output = %s\n", buffer);
          return 0;
      }
    Step by step (the callouts of slides 38-44):
      38. Declare the variables (signed / unsigned types, a static buffer)
      39. Get the size of the user input data, then print the size
      40. Check the size of the user input data (code meant to prevent a buffer overflow)
      41. Copy the user input data into the buffer, then print it
      42. If a large value is stored in the signed-type variable, an integer overflow occurs: type1 wraps to a negative value
      43. Because type2 has then been set from a negative number, the check that was meant to prevent the buffer overflow is bypassed: the negative value passes test_min() and the cast to size_t turns it into a huge length
      44. As a result a stack buffer overflow occurs
    Output 1 - The normal case
      h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello
      size of input data = 5
      size of (size_t)type2 = 5
      data output = hello
      h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
    Output 2 - Integer Overflow
      h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ?
      size of input data = 5
      size of (size_t)type2 = -1530494977
      Segmentation fault (core dumped)
      h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
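    The two mistakes the integer slides illustrate, each next to its checked counterpart: the 16-bit addition of slide 35 that wraps to -15536, and the clamp of slides 38-44 where test_min() on a signed length followed by a cast to size_t turns a negative length into a huge one. This is an added example, not code from the slides; a 32-bit signed length stands in for the slide's off_t, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not from the slides). Reproduces the two mistakes the
 * slides illustrate and places the checked counterpart next to each.
 * All function names are hypothetical. */

/* Slide 35's arithmetic: the exact sum is kept in a wider type and then
 * stored into 16 bits. 50000 does not fit in 15 value bits, so its top bit
 * lands in the sign position and the stored value reads as -15536. (The
 * conversion is implementation-defined in C; on the two's-complement
 * targets the slides assume, it wraps.) */
int16_t add16_wrapping(int16_t a, int16_t b)
{
    int32_t wide = (int32_t)a + (int32_t)b;
    return (int16_t)(uint16_t)wide;      /* keep the low 16 bits */
}

/* Checked version: compute in the wider type and refuse a result that does
 * not fit. ADD16_OVERFLOW is a value no 16-bit sum can produce. */
#define ADD16_OVERFLOW INT32_MIN
int32_t add16_checked(int16_t a, int16_t b)
{
    int32_t wide = (int32_t)a + (int32_t)b;
    if (wide < INT16_MIN || wide > INT16_MAX)
        return ADD16_OVERFLOW;
    return wide;
}

#define BUFFER_SIZE 4096   /* as on the slide */

/* The slide's clamp, with a 32-bit signed length standing in for its
 * off_t: a negative length passes the min() (it is smaller than
 * BUFFER_SIZE) and the cast to size_t turns it into a value near SIZE_MAX,
 * which strncpy() would then use as its byte count. */
size_t clamp_len_unchecked(int32_t len)
{
    int32_t m = (len > BUFFER_SIZE) ? BUFFER_SIZE : len;   /* test_min() */
    return (size_t)m;
}

/* Corrected clamp: the sign is checked before any conversion. Returns -1
 * for a negative length, otherwise the length clamped to BUFFER_SIZE. */
int32_t clamp_len_checked(int32_t len)
{
    if (len < 0)
        return -1;
    return (len > BUFFER_SIZE) ? BUFFER_SIZE : len;
}

/* Copy into a fixed buffer using the checked clamp, additionally bounded
 * by the destination size and by the source's own terminator. Returns the
 * number of bytes stored, or -1 when the claimed length was rejected. */
int copy_with_length(char *dst, size_t dst_size, const char *src, int32_t claimed_len)
{
    int32_t clamped = clamp_len_checked(claimed_len);
    if (dst_size == 0 || clamped < 0)
        return -1;
    size_t n = (size_t)clamped;          /* non-negative, so this cast is safe */
    if (n > dst_size - 1)
        n = dst_size - 1;                /* leave room for the terminator */
    size_t i = 0;
    while (i < n && src[i] != '\0') {    /* stop at the source's own end too */
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return (int)i;
}

/* Stand-in for the slide's main(): a 16-byte local buffer instead of the
 * 4096-byte one, so the clamp is visible with short inputs. */
int demo_copy(const char *src, int32_t claimed_len)
{
    char buffer[16];
    return copy_with_length(buffer, sizeof buffer, src, claimed_len);
}
```

    The order of operations is the whole point: the slide's program converts first and compares afterwards, so the sign is lost by the time the comparison runs; the checked clamp compares while the value is still signed and only then converts.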
  • 45. What is the Format String Bug?
      printf(buf);
  • 46. What is the Format String Bug?
    Occurs when a format string arrives through user input (the vulnerability occurs when user input data is used as the format string)
      Correct usage:   printf("%s", argv[1]);
      Dangerous usage: printf(argv[1]);
    Can be used to read and write arbitrary memory
    Can be detected by static analysis tools, but still shows up in many competitions and in much software
  • 47. Format string parameters
      Parameter | Description
      %d        | integer, decimal (int)
      %f        | floating-point (float)
      %lf       | floating-point (double)
      %c        | character (char)
      %s        | string ((const)(unsigned) char *)
      %u        | unsigned integer, decimal
      %o        | unsigned integer, octal
      %x        | unsigned integer, hexadecimal
      %n        | int * (number of bytes written so far)
      %hn       | half of %n: writes a 2-byte (short) unit
  • 48-63. What is the Format String Bug? Reading with %x (sixteen animation frames of the same slide, collapsed into one)
    When user input data is used as a string: printf("%s", buf) prints the input as it is, "%x" included
    When user input data is used as the format string: printf(buf) interprets "%x" and prints a number that came from the stack. What's that !!?!
    Stack at the printf() call, from high address to low address:
      buf[256]
      strcpy's arguments
      printf's arguments   <- ESP
    When printf() is called its arguments are pushed onto the stack, so when printf("%x") runs, esp points at the values that were passed to printf(). But when no argument matches the %x, the machine has no way to notice that it is missing ("we don't have enough time, do as you usually do!"): it simply takes the value at esp+4, here one of strcpy's arguments, and prints it in hexadecimal.
    Each further conversion reads the next word up the stack: esp+4, esp+8, esp+12, esp+16, ...
    Point 1. We can read arbitrary memory space
  • 64. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n
  • 65. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string โ€œ%nโ€ low address ESP
  • 66. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP โ€ฆโ€ฆโ€ฆ
  • 67. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Whatโ€™s the !!?!
  • 68. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Whatโ€™s the !!?! %n์€ ๋‘๊ฐ€์ง€ ๋™์ž‘์„ ํ•˜๋Š”๋ฐ ํ•œ๊ฐ€์ง€๋Š” ์ง€๊ธˆ๊นŒ์ง€ ์ถœ๋ ฅ๋œ ์ž๋ฆฌ์ˆ˜๋ฅผ ๊ตฌํ•˜๊ณ , ๋‘๋ฒˆ์งธ๋Š” ๋‹ค์Œ ์Šคํƒ์˜ ๋‚ด์šฉ์„ ์ฃผ์†Œ๋กœ ์ธ์‹ํ•˜์—ฌ ํ•ด๋‹น ์ฃผ์†Œ์— ๋ฐฉ๊ธˆ ๊ณ„์‚ฐํ•œ ๊ฐ’์„ ๊ธฐ๋กํ•ฉ๋‹ˆ๋‹ค.(%n writes the number of bytes printed so far to the target address)
• 69.–70. [Screenshot] Four strings: Segmentation Fault. Crash analysis: is the value that was written the length of the string?
• 71.–72. [Screenshot] Nine strings: Segmentation Fault. Crash analysis: it is the length of the string!
• 73.–74. [Screenshots continued]
• 75.–77. %n does two things: first it takes the number of characters output so far, and second it treats the next value on the stack as an address and writes the count it just computed to that address. (%n writes the number of bytes printed so far to the target address.)
Point 2. We can write arbitrary memory.
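The two points above, worked through in code. This is an added example, not code from the slides: the vulnerable pattern printf(buf) next to its fix, and a well-defined demonstration of what %n writes. The logging helper log_fmt, the function names and the input strings are assumptions for the example; the %n demonstration deliberately uses a constant format and an explicit target so it runs without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper (assumption, not from the slides): takes a printf
 * style format plus arguments and renders into `out`.  Nothing is wrong with the
 * helper itself; the bug is in how one of its callers uses it. */
static void log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the slide's printf(buf).  `user` becomes the format string, so
 * every %x / %s / %n in it is interpreted and the missing arguments are pulled
 * from registers and the stack (Point 1: arbitrary read). */
void log_user_vuln(char *out, size_t outsz, const char *user)
{
    log_fmt(out, outsz, user);
}

/* FIXED: user data is an argument to a constant format, never the format. */
void log_user_safe(char *out, size_t outsz, const char *user)
{
    log_fmt(out, outsz, "%s", user);
}

/* Length of what the vulnerable path renders for `user`.  With no real
 * arguments, "%08x.%08x.%08x" still renders three 8-digit words leaked from
 * whatever the variadic machinery finds: 26 characters instead of 14. */
size_t vuln_render_len(const char *user)
{
    char out[256];
    log_user_vuln(out, sizeof out, user);
    return strlen(out);
}

/* 1 if the safe path reproduces `user` byte for byte (directives stay inert). */
int safe_preserves_input(const char *user)
{
    char out[256];
    log_user_safe(out, sizeof out, user);
    return strcmp(out, user) == 0;
}

/* Point 2, the %n write, shown with a constant format and an explicit target so
 * it is well defined: "%*x%n" pads the output to `width` characters and %n then
 * stores that count into *target.  An attacker who controls the width controls
 * the value written; whoever controls the pointer %n consumes controls where. */
int fsb_controlled_write(unsigned width)
{
    char scratch[4096];
    int target = -1;
    if (width > sizeof scratch - 1)
        width = sizeof scratch - 1;
    snprintf(scratch, sizeof scratch, "%*x%n", (int)width, 0u, &target);
    return target;      /* equals width; width 0 gives 1 because "0" is one char */
}

int main(void)
{
    printf("vuln render of \"%%08x.%%08x.%%08x\": %zu chars\n",
           vuln_render_len("%08x.%08x.%08x"));
    printf("safe path preserves input: %d\n",
           safe_preserves_input("%08x.%08x.%08x"));
    printf("%%n after a 65-wide field wrote %d (0x%x)\n",
           fsb_controlled_write(65), fsb_controlled_write(65));
    return 0;
}
```

If log_fmt were declared with __attribute__((format(printf, 3, 4))), gcc and clang would flag the call in log_user_vuln with -Wformat-security, which is the cheapest check for this class of bug in a code base that routes logging through such a wrapper.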
• 78. What about it? What do you want me to do?
• 79. How do we make use of this?
In a buffer overflow we can overwrite the return address to hijack control flow. But? A format string bug can also overwrite the return address to hijack control flow (cumbersome and painful). It can overwrite the .dtors section of an ELF binary to hijack control flow. It can overwrite the GOT (Global Offset Table) to hijack control flow. Note that modern toolchains no longer emit .dtors (they use .fini_array), and a binary linked with full RELRO makes the GOT read-only after relocation, so these two targets are not always available.
• 80. It's my prey
• 81. What is Use After Free?
It does not crash, but there is still a vulnerability: a logical vulnerability. Allocate -> Use -> Free -> Use (malloc -> use -> free -> use). No crash occurs.
• 82.–85. Proof of Concept about Use After Free
    #include <stdio.h>
    #include <stdlib.h>   /* malloc, free */
    #include <string.h>   /* strncpy */
    #define MAX 512

    int main(int argc, char* argv[])
    {
        char* buf1A;
        char* buf2A;
        char* data = "hello world";

        if (argc < 2) {
            fprintf(stderr, "usage: %s <string>\n", argv[0]);
            return 1;
        }

        buf1A = (char*) malloc(MAX);
        buf2A = (char*) malloc(MAX);
        strncpy(buf1A, data, MAX-1);
        printf("[+]user input data = %s \n", argv[1]);
        printf("[+]data of buf1A = %s\n", buf1A);

        free(buf1A);                        /* buf1A still holds the old address: it is now dangling */
        printf("[+]free buf1A\n");

        strncpy(buf1A, argv[1], MAX-1);     /* use after free: write through the dangling pointer */
        printf("[+]copy user input data to buf1A\n");
        printf("[+]after free, data of buf1A = %s \n", buf1A);   /* use after free: read */

        free(buf2A);
        return 0;
    }
Output:
    h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free
    [+]user input data = use-after-free
    [+]data of buf1A = hello world
    [+]free buf1A
    [+]copy user input data to buf1A
    [+]after free, data of buf1A = use-after-free
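The PoC above shows that the stale write "works" without a crash. This added example (not code from the slides) shows why that silence is dangerous: after free(), an allocation of the same size lands on the same chunk under glibc's LIFO tcache/fastbins, so the dangling pointer now aliases attacker-chosen bytes, including a function pointer. The struct session type, session_close helper and the 0x41 fill are assumptions for the example; the alias check compares addresses as integers and never dereferences the freed pointer, so the demo itself stays well defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session object (assumption, not from the slides): a small heap
 * struct that carries a function pointer, the kind of target that turns a
 * silent use-after-free into control-flow hijack. */
typedef void (*close_fn)(void);
struct session {
    close_fn on_close;
    char     name[24];
};

static void legit_close(void) { }

/* VULNERABLE pattern from the slides (malloc -> use -> free -> use).  Returns 1
 * if the allocation made after free() landed on the same chunk, so the stale
 * pointer `s` now aliases attacker-chosen bytes.  Nothing crashes.  A real
 * target would next call s->on_close(), which now reads 0x4141414141414141. */
int uaf_alias_demo(void)
{
    struct session *s = malloc(sizeof *s);
    if (!s)
        return -1;
    s->on_close = legit_close;
    strcpy(s->name, "alice");                    /* use */

    uintptr_t stale = (uintptr_t)s;
    free(s);                                     /* free: `s` keeps its old value */

    /* Attacker triggers an allocation of the same size and fills it.  glibc's
     * tcache/fastbins are LIFO, so this is the chunk that was just freed. */
    unsigned char *attacker = malloc(sizeof *s);
    if (!attacker)
        return -1;
    memset(attacker, 0x41, sizeof *s);           /* constructed attacker data */

    int aliased = ((uintptr_t)attacker == stale);
    free(attacker);
    return aliased;
}

/* HARDENED: the object is freed through a helper that also clears the owner's
 * pointer, and every later use checks for NULL.  A second use after close
 * becomes a clean early return (or a loud NULL dereference) instead of a silent
 * read of somebody else's allocation. */
static void session_close(struct session **sp)
{
    if (*sp) {
        (*sp)->on_close();
        free(*sp);
        *sp = NULL;
    }
}

/* Returns 1 when the late use is refused because the pointer was cleared. */
int uaf_hardened_demo(void)
{
    struct session *s = malloc(sizeof *s);
    if (!s)
        return -1;
    s->on_close = legit_close;
    strcpy(s->name, "alice");

    session_close(&s);
    session_close(&s);                           /* double close is harmless */

    if (s == NULL)
        return 1;                                /* late use refused */
    strcpy(s->name, "bob");                      /* not reached: would be the UAF */
    return 0;
}

int main(void)
{
    printf("stale pointer aliases the new allocation: %d\n", uaf_alias_demo());
    printf("hardened path refused the late use:      %d\n", uaf_hardened_demo());
    return 0;
}
```

Run the vulnerable half under AddressSanitizer (-fsanitize=address) and the aliasing disappears because freed chunks are quarantined; that is exactly why UAFs that never crash in production show up immediately under ASan-instrumented fuzzing.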
• 86. What is an Exploitable Crash?
    mov eax, dword ptr [esi+0Ch]
    mov eax, dword ptr [ecx]
    mov edx, dword ptr [eax+5Ch]
    call edx
A fault on one of the mov instructions is just a bad read; the same sequence becomes exploitable when the attacker controls the memory the pointer chain is loaded from, because the final call edx jumps wherever that memory says.