Lecture 6 - Exploiting. Shellcodes
Computer and Network Security
November 5, 2018
Computer Science and Engineering Department
CSE Dep, ACS, UPB
Source: self.cs.pub.ro/cns/res/lectures/lecture-06.pdf
Outline
- Vulnerabilities and Exploits
- Runtime Exploiting
- Shellcode
- Triggering and Placing Shellcodes
- Conclusion
Bugs and Vulnerabilities
- bugs: misbehaving software
- vulnerability: misbehaviour that can benefit an attacker
- exploiting: turning a vulnerability into an advantage for the attacker
- auditing: analyzing an application to determine its vulnerabilities
Why Bugs and Vulnerabilities?
- developer carelessness or ignorance
- poor development process
- poor design
- platform (hardware, OS, libraries) issues
- lack of resources
Preventing Vulnerabilities
- development process: defensive programming, code review, code audit
- design with security in mind
- audit systems, penetration testing
- security-centered training
- invest resources
Security Attacks
- eavesdropping, impersonating
- password breaking
- denial of service
- exploiting
Exploiting
- exploiting vulnerabilities
- focus is controlling the system (root account)
- an intermediary step is gaining shell access as a regular user
- privilege escalation
Why Exploiting?
- money
- fame
- challenge
- fun
- political, ideological
- find security holes and fix them (ethical hacking)
Detect/Prevent Exploiting
- monitoring
- update software
- stay connected
- in-depth security
- honeypots
- state of mind: "it will happen"
Types of Exploits
- local exploit
- remote exploit
- user space exploit
- kernel space exploit
Section: Runtime Exploiting
Runtime Application Exploiting
- find a vulnerability in the process runtime: memory, use of resources
- alter the normal execution pattern
- aim for: getting a shell, getting access to resources, information leak, crashing the application, denial of service
- usually tamper with process memory and exploit bad memory management
- special focus on string management functions, input/output, pointers
Runtime Exploit Components
- preparatory phase
- shellcode
- triggering phase
Types of Runtime Application Vulnerabilities
- buffer overflow (on stack or heap)
- integer overflow
- race conditions
- string formatting
Buffer Overflow
- write beyond buffer limits
- stack-based overflow: overwrite a variable, the return address or a function pointer
- heap overflow: corrupt dynamically allocated memory
Section: Shellcode
Shellcode
- sequence of machine level instructions
- stored in memory at a convenient address
- executed when requested by jumping to the start address
Shellcode Objectives
- typically the goal is to create a shell (if possible, with root privilege)
- may be any useful binary code execution, such as starting a client socket, reading or writing a file, or sending a file over the network
Shellcode Samples
- http://www.shell-storm.org/shellcode/
- hexadecimal form for exec-ing a shell process
- also dubbed payload
Shellcode Types
- spawn a shell using the execve syscall
- use setresuid to restore root privileges (for setuid-enabled programs)
- port-binding shellcode: create a listener socket, accept connections, duplicate file descriptors and spawn a shell
- connect-back shellcode: create a client socket and connect to a remote listener socket (accessible and controlled by the attacker), duplicate file descriptors and spawn a shell
Creating a Shellcode
- may be done in C but it is recommended to do it in assembly
  - allows shorter shellcodes
  - complete control over the end result (binary machine code)
- need to use syscalls for execve, setresuid, dup2 and others
- need to place the /bin/sh string (or other strings) in memory and pass its address as an argument to the syscall
Using Syscalls in Linux on x86
- eax stores the syscall number
- ebx, ecx, edx, esi, edi store the syscall arguments
- use int 0x80 to issue the syscall
- syscall numbers are listed in /usr/include/asm/unistd_32.h

setresuid(0, 0, 0) & exit(1)

    # Fill eax, ebx, ecx and edx with zeros.
    xor %eax, %eax
    xor %ebx, %ebx
    xor %ecx, %ecx
    xor %edx, %edx
    mov $164, %al   # Put 164 (setresuid syscall no) in eax.
    int $0x80       # Issue syscall: setresuid(0, 0, 0).

    xor %eax, %eax  # Fill eax with zeros.
    xor %ebx, %ebx  # Fill ebx with zeros.
    mov $1, %bl     # Put 1 (EXIT_FAILURE) in ebx (only one byte).
    mov $252, %al   # Put 252 (exit_group syscall no) in eax.
    int $0x80       # Issue syscall.
Wrapper for Creating/Testing a Shellcode

Assembly Wrapper

    .globl main

    main:
        # Prepare registers and syscall arguments.
        # int $0x80   # Do syscall.

Assembly Shellcode Sample

    .globl main

    main:
        xor %eax, %eax  # Fill eax with zeros.
        xor %ebx, %ebx  # Fill ebx with zeros.
        mov $1, %bl     # Put 1 (EXIT_FAILURE) in ebx (only one byte).
        mov $252, %al   # Put exit_group syscall no in eax.
        int $0x80       # Issue syscall.
Building a Shellcode Wrapper

Makefile (recipe lines must be indented with a tab)

    ASFLAGS = -march=i386 --32
    CFLAGS = -Wall -m32
    LDFLAGS = -m32

    .PHONY: all clean

    all: shellcode-wrapper-exit

    shellcode-wrapper-exit: shellcode-wrapper-exit.o

    shellcode-wrapper-exit.o: shellcode-wrapper-exit.s

    clean:
    	-rm -f shellcode-wrapper-exit shellcode-wrapper-exit.o *~
Extracting Hex Data
- the actual shellcode is the machine code of the instructions
- use objdump on the object file and process the result
- use echo -en to print the hexadecimal string in binary form

Using objdump to extract hex data

    for i in $(objdump -d <module-name>.o | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$') ; do echo -n "\x$i" ; done

- the reverse is achievable (getting the assembly mnemonics from hex)

Using objdump to disassemble hex data

    echo -en "hexadecimal data" > shellcode
    objdump -b binary -m i386 -D shellcode
Shellcode Constraints
- due to input data filtering
- small code
- null-free
- position-independent
- alphanumeric (not always)
- more on the next lecture
Null-free
- required when dealing with null-terminated strings (a copy stops at the first 0x00 byte)
- BAD: mov $1, %eax
  - uses null bytes: \xb8\x01\x00\x00\x00
- GOOD: xor %eax, %eax + inc %eax
  - doesn't use null bytes: \x31\xc0\x40
- BAD: mov $100, %eax
  - uses null bytes: \xb8\x64\x00\x00\x00
- GOOD: xor %eax, %eax + mov $100, %al
  - doesn't use null bytes: \x31\xc0\xb0\x64
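The following Python script is an added example, not code from the lecture: it encodes the handful of x86 instructions used on these slides (the standard 32-bit opcode forms: 31 /r, 40+rd, B8+rd id, B0+rb ib, CD ib), reads the machine code back out of an objdump -d listing the way the "Extracting Hex Data" slide does, and reports the offsets of null bytes so the BAD/GOOD pairs above can be checked mechanically. The objdump listing, the sample listing text and all function names are constructed for this example.

```python
"""Toy x86 (32-bit) encoder, objdump listing parser and null-byte checker
for the instructions used on these slides.  Added example, not part of the
lecture; the encodings follow the standard Intel opcode tables and the
objdump listing below is constructed by hand."""

import re

# Register numbers used in the opcode+reg and ModRM fields (32-bit mode).
REG32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
REG8 = {"al": 0, "cl": 1, "dl": 2, "bl": 3}


def enc(instr):
    """Encode one AT&T-syntax instruction into bytes.
    Supported: xor %rN,%rN / inc %r32 / mov $imm,%r32 / mov $imm,%r8 / int $0xNN."""
    instr = re.sub(r"\s+", " ", instr.strip())
    m = re.fullmatch(r"xor %(\w+), ?%(\w+)", instr)
    if m and m.group(1) == m.group(2):
        r = REG32[m.group(1)]
        return bytes([0x31, 0xC0 | (r << 3) | r])       # 31 /r, ModRM with mod=11
    m = re.fullmatch(r"inc %(\w+)", instr)
    if m:
        return bytes([0x40 + REG32[m.group(1)]])         # 40+rd, one byte
    m = re.fullmatch(r"mov \$(\d+), ?%(\w+)", instr)
    if m:
        imm, reg = int(m.group(1)), m.group(2)
        if reg in REG32:                                  # B8+rd id: 4-byte little-endian immediate
            return bytes([0xB8 + REG32[reg]]) + imm.to_bytes(4, "little")
        return bytes([0xB0 + REG8[reg], imm])             # B0+rb ib: 1-byte immediate
    m = re.fullmatch(r"int \$0x([0-9a-fA-F]+)", instr)
    if m:
        return bytes([0xCD, int(m.group(1), 16)])         # CD ib
    raise ValueError("unsupported instruction: " + instr)


def assemble(source):
    """Encode a multi-line listing; '#' starts a comment, blank lines are skipped."""
    code = b""
    for line in source.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            code += enc(line)
    return code


def null_bytes(code):
    """Offsets of every 0x00 byte.  Anything after the first one is lost when
    the payload passes through a C string routine (strcpy, sprintf, getenv...)."""
    return [i for i, b in enumerate(code) if b == 0]


def to_escapes(code):
    """Render bytes as the \\xNN string the slides' objdump loop prints."""
    return "".join("\\x%02x" % b for b in code)


# Instruction lines of 'objdump -d' output: 'offset:<ws>hh hh hh<ws>mnemonic'.
OBJDUMP_LINE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2}\s)+)")


def bytes_from_objdump(text):
    """Pull the machine code out of 'objdump -d' output by reading the hex
    column of each instruction line, rather than grepping every two-hex-digit
    token, so nothing from the header, address or mnemonic columns leaks in."""
    code = b""
    for line in text.splitlines():
        m = OBJDUMP_LINE.match(line)
        if m:
            code += bytes.fromhex(m.group(1))
    return code


# The exit_group(1) shellcode from the slides, in the slides' AT&T syntax.
EXIT_ASM = """
xor %eax, %eax   # eax = 0
xor %ebx, %ebx   # ebx = 0
mov $1, %bl      # exit status 1 (EXIT_FAILURE), one-byte immediate
mov $252, %al    # 252 = exit_group on 32-bit Linux
int $0x80        # issue the syscall
"""

# Constructed 'objdump -d' listing of the same object file (not real tool output).
EXIT_LISTING = """\
shellcode-wrapper-exit.o:     file format elf32-i386

Disassembly of section .text:

00000000 <main>:
   0:\t31 c0                \txor    %eax,%eax
   2:\t31 db                \txor    %ebx,%ebx
   4:\tb3 01                \tmov    $0x1,%bl
   6:\tb0 fc                \tmov    $0xfc,%al
   8:\tcd 80                \tint    $0x80
"""


def compare_forms(bad, good):
    """Encode a BAD/GOOD pair from the null-free slide; returns
    (bad_escapes, bad_null_offsets, good_escapes, good_null_offsets)."""
    b, g = assemble(bad), assemble(good)
    return to_escapes(b), null_bytes(b), to_escapes(g), null_bytes(g)


if __name__ == "__main__":
    code = assemble(EXIT_ASM)
    print("assembled:    ", to_escapes(code))
    print("from objdump: ", to_escapes(bytes_from_objdump(EXIT_LISTING)))
    print("null bytes at:", null_bytes(code))
    print(compare_forms("mov $1, %eax", "xor %eax, %eax\ninc %eax"))
    print(compare_forms("mov $100, %eax", "xor %eax, %eax\nmov $100, %al"))
```

The encoder makes the reason behind the BAD/GOOD rule visible: the 32-bit immediate of mov $imm, %eax is always four little-endian bytes, so any value below 2^24 drags in at least one 0x00, whereas the 8-bit form mov $imm, %al carries the value in a single byte. The parser is the safer counterpart of the slide's tr/egrep loop, which accepts any two-hex-digit token on the line, including ones that are not machine code.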
Section: Triggering and Placing Shellcodes
Using the Local Stack
- place the shellcode in a local buffer on the stack
- rewrite the return address to point to the beginning of the buffer on the stack
- may need NOPs if the exact address is not known
- cannot be done if the stack is non-executable
Using an Environment Variable
- initialize an environment variable with the shellcode string
- the environment variable is placed on the stack of main
- may be large enough to store large shellcodes
- cannot be done if the stack is non-executable
- more on the next lecture
Using the Heap
- place the shellcode on the heap
- requires a heap buffer overflow
- made difficult by ASLR and non-executable flags
Triggering Shellcodes
- stack buffer overflow
  - overwrite the return address and point it to an address on the stack or in an environment variable
  - overwrite a local pointer and point it to an address on the stack or in an environment variable
- heap buffer overflow
  - overwrites metadata pointers for heap allocated data
Section: Conclusion
Keywords
- bugs
- vulnerabilities
- exploit
- shellcode
- shellcode construction
- shellcode triggering
- shellcode placing
- syscall
- null
- stack buffer overflow
- heap buffer overflow
- pwntools
Useful Links
- http://www.blackhatlibrary.net/Category:Shellcode
- http://www.shell-storm.org/shellcode/
- http://www.metasploit.com/
- https://github.com/Gallopsled/pwntools
- https://docs.pwntools.com/en/stable/
References
- The Ethical Hacker's Handbook, 3rd Edition
  - Chapters 13 & 14
- A Guide to Kernel Exploitation
  - Chapter 1: From User-Land to Kernel-Land Attacks
- The Art of Exploitation, 2nd Edition
  - Chapter 0x500. Shellcode
- Hacking Exposed. Malware and Rootkits
  - Part II: Rootkits