Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
ย
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability
1. System Hacking & Reverse Engineering
[Introduction to Vulnerability & Type of Vulnerability]
documented by h2spice
h2spice@gmail.com
2. Who am I
Sanghwan,Ahn (h2spice)
Works for LINE.Corp
Carrying out research on the vulnerability (exploitation,hunt,analysis)
3. ๋ชฉ์ฐจ
์ปค๋ฆฌํ๋ผ ์๊ฐ
Track1 - Introduction to Vulnerability
Bugs
Crashes
Vulnerability
Exploitation
Defense Mechanism
Track2 - Type of Vulnerability
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
4. ์์คํ ํดํน / ๋ฆฌ๋ฒ์ฑ
Buffer Overflow
์ทจ์ฝ์ ์๋ฆฌ
Stack Overflow
Heap Overflow
Format String Bug
Heap Overflow
Use After Free
Overwriting RET
Overwriting SEH
์ต์คํ๋ก์(Win32/*NIX/ARM)
Egg Hunting
RTL
ROP
Heap Spraying
์ปค๋ฆฌํ๋ผ ์๊ฐ
์ทจ์ฝ์ / ์ ์ฑ์ฝ๋ ๋ถ์
์ ์ฑ์ฝ๋ ๋ถ์
Software on X86
๋ฒ๊ทธ ํํ
X86 ARM
Mobile
์ทจ์ฝ์ ๋ถ์
์์ค์ฝ๋ ๋ถ์
ํผ์ง
CVE-XXXX-XXXX
Exploit-DB
Inj3ct0r - 1337day
๋ฆฌ๋ฒ์ค ์์ง๋์ด๋ง
iOS
Android
Overwriting .dtors
Overwriting GOT
16. Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
17. What is the Buffer Overflow
C / C++ ์ปดํ์ผ๋ฌ๊ฐ ๋ฐฐ์ด์ ๊ฒฝ๊ณ๊ฒ์ฌ (Boundary Check)๋ฅผ ํ์ง ์์ ์ ์ธ๋ ํฌ๊ธฐ๋ณด๋ค
๋ ํฐ ๋ฐ์ดํฐ๋ฅผ ๊ธฐ๋กํจ์ผ๋ก์จ ๋ฐ์
์ด์์ฒด์ ๊ฐ ์คํ์ด๋ ํ ์์ญ์ ์์์ ๋ฐ์ดํฐ๋ฅผ ๊ธฐ๋ก / ์คํ์ ํ์ฉํจ์ผ๋ก์จ ๋ฐ์
high address
Arguments
Return Address
Stack Frame Pointer
Local Variables
(buffer area)
low address
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
18. What is the Stack Overflow
์คํ ๋ฒํผ ์ค๋ฒํ๋ก์ฐ๋ ํ ๋น๋ ์ ์ ๋ฒํผ์ ํฌ๊ธฐ๋ณด๋ค ๋ ๋ง์ ๋ฐ์ดํฐ๊ฐ
๋ณต์ฌ๋์ด์ง ๋ ๋ฐ์ํฉ๋๋ค.
int main(int argc, char* argv[])
{
char buf[8];
strcpy(buf,argv[1]);
return 0;
}
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
19. Principle of Stack Overflow
char buf[8];
strcpy(buf,argv[1]);
argv[1] = โAAAAAAAโ
A A A A A A A 0
argv[1] = โAAAAAAAAAAAAโ
A A A A A A A A A A A A
// 8๋ฐ์ดํธ ๋ฒํผ ํ ๋น
// ๋ฒํผ ์ค๋ฒํ๋ก์ฐ ๋ฐ์ X
// ๋ฒํผ ์ค๋ฒํ๋ก์ฐ ๋ฐ์ O
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
20. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
21. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
22. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
A A A A
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
23. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
A A A A
A A A A
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
24. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
A A A A
A A A A
A A A A
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
25. What is the Heap Overflow
ํ ๋ฒํผ ์ค๋ฒํ๋ก์ฐ๋ ํ ๋น๋ ๋์ ๋ฒํผ์ ํฌ๊ธฐ๋ณด๋ค ๋ ๋ง์ ๋ฐ์ดํฐ๊ฐ ๋ณต
์ฌ๋์ด์ง ๋ ๋ฐ์ํฉ๋๋ค.
int main(int argc, char* argv[])
{
char *buf
buf = malloc(4);
memcpy(buf,argv[1],size);
return 0;
}
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
26. Principle of Heap Overflow
buf = malloc(4);
memcpy(buf,argv[1],sizeof(argv[1]));
argv[1] = โAAAโ
A A A 0
argv[1] = โAAAAAAAAAAAAโ
A A A A A A A A A A A A
// 4๋ฐ์ดํธ ๋ฒํผ ํ ๋น
// ๋ฒํผ ์ค๋ฒํ๋ก์ฐ ๋ฐ์ X
// ๋ฒํผ ์ค๋ฒํ๋ก์ฐ ๋ฐ์ O
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
27. Heap Layout
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_In
Use bit
Prev_In
Use bit
28. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_In
Use bit
Prev_In
Use bit
29. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 Us0e bit
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
30. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 12(0xc) Us0e bit
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
12(0xc)
13(0xd)
31. Heap Layout
Two chunks, of which the first is free for allocation
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
unused Chunk
FD (pointer to the next free chunk)
BK (pointer to the pref free chunk)
Unused
Prev_size
size
Data[4]
High Address
Prev_In
Use bit
Chunk1
0
32. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 12(0xc) Us0e bit
A A A A
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
12(0xc)
13(0xd)
33. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 12(0xc) Us0e bit
A A A A
A A A A
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
12(0xc)
13(0xd)
34. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 12(0xc) Us0e bit
A A A A
A A A A
A A A A
A A A A
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
12(0xc)
13(0xd)
35. What is the Integer Overflow
it occurs when the operation result stored is bigger than permissible range
it occurs when the operation result stored is smaller than permaissible range
it occurs in the operation process
difficulty in detecting, so massive code analysis is needed
0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0
0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0
1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0
20000
30000
-15536
+
it is a negative number since it is interpreted as a sign bit
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
36. Example of the Integer Overflow
Output 1 -
The normal case
Output 2 -
Integer Overflow
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[])
{
signed int type1=NULL; /*signed type*/
signed int type2=NULL; /*unsigned type*/
unsigned int type3=999999999999999999; /*integer overflow*/
type1 = strlen(argv[1]);
if(argv[2]!=NULL)
{ /*due to some operations*/
type2=type3;
}
printf("type1 = %d n",type1);
printf("type2 = %dn",type2);
return 0;
}
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
37. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[])
{
signed int type1=NULL; /*signed type*/
signed int type2=NULL; /*unsigned type*/
unsigned int type3=999999999999999999; /*integer overflow*/
type1 = strlen(argv[1]);
if(argv[2]!=NULL)
{ /*due to some operations*/
type2=type3;
}
printf("type1 = %d n",type1);
printf("type2 = %dn",type2);
return 0;
}
Output 1 - The normal case
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
38. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
declare variable
(signed/unsigned type,
static buffer)
Output 1 - The normal case
39. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
get size of user input data
and then, print size
Output 1 - The normal case
40. Example of Integer Buffer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
check size of user input data
(code to prevent buffer overflow)
Output 1 - The normal case
41. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
Output 2 - Integer Overflow copy user input data to buffer
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
and then print user input data
Output 1 - The normal case
42. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
if variable signed type stored in big
data, will occur integing overflow
Output 1 - The normal case
43. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
because type2 it has been set
negative number, to bypass code that
prevent buffer overflow
Output 1 - The normal case
44. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
Output 1 - The normal case
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
as a result, occur stack buffer overflow
45. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free printf(buf);
46. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
์ฌ์ฉ์ ์ ๋ ฅ๊ฐ์ผ๋ก ํฌ๋งท์คํธ๋ง์ด ๋ค์ด์์๋ ๋ฐ์ (vulnerability
occurs when user input data is used as format string)
Collect Usage : printf(โ%sโ, argv[1]);
Dangerous Usage : printf(arvg[1]);
์์์ ๋ฉ๋ชจ๋ฆฌ๋ฅผ ์ฝ๊ณ ์ฐ๋๋ฐ ์ฌ์ฉํ ์ ์์ (can be used to
read & write arbitrary memory space)
์ ์ ๋ถ์ ๋๊ตฌ๋ฅผ ์ด์ฉํ์ฌ ํ์ง ๊ฐ๋ฅ(Can be detected by
Static Analysis Tools)
But still show up in many competition or software
47. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free Format String / Parameter Description
%d ์ ์ํ 10์ง์ ์์ (integer)
%f ์ค์ํ ์์ (float)
%lf ์ค์ํ ์์ (double)
%c ๋ฌธ์ ๊ฐ (char)
%s ๋ฌธ์ ์คํธ๋ง ((const)(unsigned) char *)
%u ์์ ์ ์ (10 ์ง์)
%o ์์ ์ ์ (8 ์ง์)
%x ์์ ์ ์ (16 ์ง์)
%s ๋ฌธ์์ด
%n * int (์ฐ์ธ ์ด ๋ฐ์ดํธ ์)
%hn %n์ ๋ฐ์ธ 2๋ฐ์ดํธ ๋จ์
48. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
when user input data is
used as string
49. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free %x
50. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
when user input data is
used as string
when user input data is used
as Format String
51. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Whatโs the !!?!
52. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Whatโs the !!?!
53. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
โฆโฆโฆ
54. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
55. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
when argument of printf( ) is
used as format string โ%xโ
low address
ESP
56. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
Hey! where is argument
about Format string โ%xโ
57. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
What happened to this ?
58. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
What happened to this ?
we donโt have enough time
do as you usually do !
59. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
60. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
ESP printf( ) ํธ์ถ์ ์ธ์๊ฐ ์ธ์๋ค์ ์คํ์ ์ ์ฌ๋
low address
๋๋ฐ, printf(%x) ์คํ์ esp๋ printf( )์ ๋ค์ด๊ฐ ์ธ์๊ฐ์
๊ฐ๋ฅดํค๊ณ ์์ ๊ฒ์ ๋๋ค. ํ์ง๋ง %x์ ๋ง๋ ์ธ์๊ฐ ์์ ๊ฒฝ์ฐ, ์ปด
ํจํฐ๋ ๊ทธ๋ฅ esp+4 ์ง์ ์ ๊ฐ, strcpy์ ์ธ์๊ฐ์ค ํ๋๋ฅผ
16์ง์๋ก ์ถ๋ ฅํด๋ฒ๋ฆฌ๊ฒ๋ฉ๋๋ค.
61. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP+4
printf( ) ํธ์ถ์ ์ธ์๊ฐ ์ธ์๋ค์ ์คํ์ ์ ์ฌ๋
๋๋ฐ, printf(%x) ์คํ์ esp๋ printf( )์ ๋ค์ด๊ฐ ์ธ์๊ฐ์
๊ฐ๋ฅดํค๊ณ ์์ ๊ฒ์ ๋๋ค. ํ์ง๋ง %x์ ๋ง๋ ์ธ์๊ฐ ์์ ๊ฒฝ์ฐ, ์ปด
ํจํฐ๋ ๊ทธ๋ฅ esp+4 ์ง์ ์ ๊ฐ, strcpy์ ์ธ์๊ฐ์ค ํ๋๋ฅผ
16์ง์๋ก ์ถ๋ ฅํด๋ฒ๋ฆฌ๊ฒ๋ฉ๋๋ค.
62. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP+16
ESP+12
ESP+8
ESP+4
63. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP+4
Point1. We can read the
arbitrary memory space
64. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free %n
65. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
when argument of printf( ) is
used as format string โ%nโ
low address
ESP
66. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
โฆโฆโฆ
67. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
Whatโs the !!?!
68. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
Whatโs the !!?!
%n์ ๋๊ฐ์ง ๋์์ ํ๋๋ฐ
ํ๊ฐ์ง๋ ์ง๊ธ๊น์ง ์ถ๋ ฅ๋ ์๋ฆฌ์๋ฅผ ๊ตฌํ๊ณ , ๋๋ฒ์งธ๋
๋ค์ ์คํ์ ๋ด์ฉ์ ์ฃผ์๋ก ์ธ์ํ์ฌ ํด๋น ์ฃผ์์ ๋ฐฉ๊ธ ๊ณ์ฐํ
๊ฐ์ ๊ธฐ๋กํฉ๋๋ค.(%n writes the number of bytes printed
so far to the target address)
69. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
70. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
4๊ฐ์ ๋ฌธ์์ด (four strings)
Segmentation Fault / Crash Analysis
๋ฌธ์์ด์ ๊ธธ์ด? ( is it length of the string ?)
71. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
72. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
9๊ฐ์ ๋ฌธ์์ด (four strings)
Segmentation Fault / Crash Analysis
๋ฌธ์์ด์ ๊ธธ์ด? ( it is length of the string !)
73. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
74. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
75. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
%n์ ๋๊ฐ์ง ๋์์ ํ๋๋ฐ
ํ๊ฐ์ง๋ ์ง๊ธ๊น์ง ์ถ๋ ฅ๋ ์๋ฆฌ์๋ฅผ ๊ตฌํ๊ณ , ๋๋ฒ์งธ๋
๋ค์ ์คํ์ ๋ด์ฉ์ ์ฃผ์๋ก ์ธ์ํ์ฌ ํด๋น ์ฃผ์์ ๋ฐฉ๊ธ ๊ณ์ฐํ
๊ฐ์ ๊ธฐ๋กํฉ๋๋ค.(%n writes the number of bytes printed
so far to the target address)
76. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
%n์ ๋๊ฐ์ง ๋์์ ํ๋๋ฐ
ํ๊ฐ์ง๋ ์ง๊ธ๊น์ง ์ถ๋ ฅ๋ ์๋ฆฌ์๋ฅผ ๊ตฌํ๊ณ , ๋๋ฒ์งธ๋
๋ค์ ์คํ์ ๋ด์ฉ์ ์ฃผ์๋ก ์ธ์ํ์ฌ ํด๋น ์ฃผ์์ ๋ฐฉ๊ธ ๊ณ์ฐํ
๊ฐ์ ๊ธฐ๋กํฉ๋๋ค.(%n writes the number of bytes printed
so far to the target address)
77. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
%n์ ๋๊ฐ์ง ๋์์ ํ๋๋ฐ
ํ๊ฐ์ง๋ ์ง๊ธ๊น์ง ์ถ๋ ฅ๋ ์๋ฆฌ์๋ฅผ ๊ตฌํ๊ณ , ๋๋ฒ์งธ๋
๋ค์ ์คํ์ ๋ด์ฉ์ ์ฃผ์๋ก ์ธ์ํ์ฌ ํด๋น ์ฃผ์์ ๋ฐฉ๊ธ ๊ณ์ฐํ
๊ฐ์ ๊ธฐ๋กํฉ๋๋ค.(%n writes the number of bytes printed
so far to the target address)
Point2. We can write the
arbitrary memory space
78. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free What about it ?
What do you want me
to do ?
79. Track2. Type of Vuln How do we make use of this ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
๋ฒํผ ์ค๋ฒ ํ๋ก์ฐ์ ๊ฒฝ์ฐ Return Address ๋ฅผ ๋ฎ์ด์์ Control
Flow๋ฅผ ์กฐ์ํ ์ ์๋ค.
But ?
ํฌ๋งท์คํธ๋ง๋ Return Address ๋ฅผ ๋ฎ์ด์์ Control Flow๋ฅผ ์กฐ์
ํ ์ ์๋ค. (๋ฒ๊ฑฐ๋กญ๊ณ ๊ณจ์น์ํ๋ค)
ELF ๋ฐ์ด๋๋ฆฌ์ .Dtors ์ธ์ ์ ๋ฎ์ด์์ Control Flow๋ฅผ ์กฐ์ํ
์ ์๋ค.
GOT (Global Offset Table) ๋ฅผ ๋ฎ์ด์์ Control Flow๋ฅผ ์กฐ์ํ
์ ์๋ค.
80. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Itโs my prey
81. Track2. Type of Vuln What is the Use After Free ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free not occurs crash
but, there are vulnerability
๋ ผ๋ฆฌ์ ์ธ ์ทจ์ฝ์ (Logical Vulnerability)
ํ ๋น -> ์ฌ์ฉ -> ํด์ -> ์ฌ์ฉ
(Malloc -> Use -> Free -> Use)
ํฌ๋์ฌ๊ฐ ๋ฐ์ํ์ง ์์ (but not occurs crash)
82. Proof of Concept about Use After Free
#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[])
{
char* buf1A;
char* buf2A;
char* buf3A;
char* data = "hello world";
buf1A = (char*) malloc(MAX);
buf2A = (char*) malloc(MAX);
strncpy(buf1A, data, MAX-1);
printf("[+]user input data = %s n",argv[1]);
printf("[+]data of buf1A = %sn",buf1A);
free(buf1A);
printf("[+]free buf1An");
strncpy(buf1A, argv[1], MAX-1);
printf("[+]copy user input data to buf1An");
printf("[+]after free, data of buf1A = %s n", buf1A);
}
Output :
h2spice@ubuntu:~/Desktop/useafterfree
$ ./useafterfreePoc use-after-free
[+]user input data = use-after-free
[+]data of buf1A = hello world
[+]free buf1A
[+]copy user input data to buf1A
[+]after free, data of buf1A = use-after-free
83. Proof of Concept about Use After Free
#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[])
{
char* buf1A;
char* buf2A;
char* buf3A;
char* data = "hello world";
buf1A = (char*) malloc(MAX);
buf2A = (char*) malloc(MAX);
strncpy(buf1A, data, MAX-1);
printf("[+]user input data = %s n",argv[1]);
printf("[+]data of buf1A = %sn",buf1A);
free(buf1A);
printf("[+]free buf1An");
strncpy(buf1A, argv[1], MAX-1);
printf("[+]copy user input data to buf1An");
printf("[+]after free, data of buf1A = %s n", buf1A);
}
Output :
h2spice@ubuntu:~/Desktop/useafterfree
$ ./useafterfreePoc use-after-free
[+]user input data = use-after-free
[+]data of buf1A = hello world
[+]free buf1A
[+]copy user input data to buf1A
[+]after free, data of buf1A = use-after-free
84. Proof of Concept about Use After Free
#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[])
{
char* buf1A;
char* buf2A;
char* buf3A;
char* data = "hello world";
buf1A = (char*) malloc(MAX);
buf2A = (char*) malloc(MAX);
strncpy(buf1A, data, MAX-1);
printf("[+]user input data = %s n",argv[1]);
printf("[+]data of buf1A = %sn",buf1A);
free(buf1A);
printf("[+]free buf1An");
strncpy(buf1A, argv[1], MAX-1);
printf("[+]copy user input data to buf1An");
printf("[+]after free, data of buf1A = %s n", buf1A);
}
Output :
h2spice@ubuntu:~/Desktop/useafterfree
$ ./useafterfreePoc use-after-free
[+]user input data = use-after-free
[+]data of buf1A = hello world
[+]free buf1A
[+]copy user input data to buf1A
[+]after free, data of buf1A = use-after-free
85. Proof of Concept about Use After Free
#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[])
{
char* buf1A;
char* buf2A;
char* buf3A;
char* data = "hello world";
buf1A = (char*) malloc(MAX);
buf2A = (char*) malloc(MAX);
strncpy(buf1A, data, MAX-1);
printf("[+]user input data = %s n",argv[1]);
printf("[+]data of buf1A = %sn",buf1A);
free(buf1A);
printf("[+]free buf1An");
strncpy(buf1A, argv[1], MAX-1);
printf("[+]copy user input data to buf1An");
printf("[+]after free, data of buf1A = %s n", buf1A);
}
Output :
h2spice@ubuntu:~/Desktop/useafterfree
$ ./useafterfreePoc use-after-free
[+]user input data = use-after-free
[+]data of buf1A = hello world
[+]free buf1A
[+]copy user input data to buf1A
[+]after free, data of buf1A = use-after-free
86. What is Exploitable Crash ?
mov eax,dword ptr [esi+0Ch]
mov eax,dword ptr [ecx]
mov edx,dword ptr [eax+5Ch]
call edx