Presentation is loading. Please wait.

Presentation is loading. Please wait.

About Exploits Writing ABOUT EXPLOITS WRITING Gerardo Richarte 

Published byCamilla Blake Modified over 8 years ago

Similar presentations

Presentation on theme: "About Exploits Writing ABOUT EXPLOITS WRITING Gerardo Richarte "— Presentation transcript:

1

2 About Exploits Writing ABOUT EXPLOITS WRITING Gerardo Richarte  gera@coresecurity.com

3 About Exploits Writing Outline  Basics  Turning bugs into primitives  Turning primitives into exploits  Conclusions Outline

4 About Exploits Writing Basics

5 About Exploits Writing Basics  Argot  Execution flow Basics  Security bugs  Invalid assumptions

6 About Exploits Writing Turning bugs into primitives buggy software Exploit primitives consumer logic primitives provider r w adapt

7 About Exploits Writing Turning bugs into primitives writing Stack based buffer overflow: int main(int argv, char **argc) { char buf[80]; strcpy(buf,argc[1]); } buf80 bytes frame pointer main’s args return address 4 bytes multiple stack frame overwrite primitive jump primitive write-anything-somewhere primitive

8 About Exploits Writing Stack based complex buffer overflow: int main(int argv, char **argc) { char *pbuf=malloc(strlen(argc[2])+1); char buf[80]; strcpy(buf,argc[1]); strcpy(pbuf,argc[2]); exit(0); } write-anything-anywhere primitive buf80 bytes frame pointer main’s args return address 4 bytes pbuf4 bytes multiple stack frame overwrite primitive Turning bugs into primitives writing

9 About Exploits Writing GOT Heap based buffer overflow (free bug) : int main(int argv, char **argc) { char buf=malloc(84), buf2=malloc(84); strcpy(buf,argc[1]); free(buf2); } mirrored 4 bytes write-anything-anywhere primitive buf88 bytes fdbk buf288 bytes szfdbk sz Turning bugs into primitives writing sz

10 About Exploits Writing msg80 bytes 1234 frame pointer 4 bytes printf’s ret addr4 bytes aaaa %x %n &msg4 bytes Format string bug: int main(int argv, char **argc) { char msg[80]; strcpy(msg, argc[1]); printf(msg,1234); } 4 bytes write-anything-anywhere Primitive GOT./example aaaa%x%n./example aaaa----bbbb----cccc%.4223d%n%… write-anything-anywhere primitive Turning bugs into primitives writing

11 About Exploits Writing Other writing bugs: mirrored 4 bytes write-anything-anywhere: Double free() Corrupted heap + malloc() Double fclose() single stack frame overwrite: Negative length on bcopy() / memcopy() Stack based buffer overflow in PA-RISC other: Array overflows Turning bugs into primitives writing

12 About Exploits Writing format string: int main(int argv, char **argc) { printf(argc[1]); } stack reading primitive Turning bugs into primitives reading frame pointer main’s args return address 4 bytes printf's arg4 bytes printf's ret addr4 bytes./example %08x|%08x|%08x|...

13 About Exploits Writing msg80 bytes 1234 frame pointer 4 bytes printf’s ret addr4 bytes aaaa %x %n &msg4 bytes Format string bug: int main(int argv, char **argc) { char msg[80]; strcpy(msg, argc[1]); printf(msg,1234); } write-anything-anywhere primitive./example aaaa%x%n Turning bugs into primitives writing %s./example aaaa%x%s read-anywhere primitive Turning bugs into primitives reading

14 About Exploits Writing Unterminated string: int main(int argv, char **argc) { char buf[80]; strcnpy(buf,argc[1],sizeof buf); printf(“%s”, buf); } buf80 bytes frame pointer main’s args return address 4 bytes stack or heap reading primitive Turning bugs into primitives reading

15 About Exploits Writing Fixed size write(): int main(int argv, char **argc) { char buf[80]; strlcpy(buf, argc[1], sizeof buf); write(1, buf, sizeof buf); } buf80 bytes frame pointer main’s args return address 4 bytes stack or heap reading primitive Turning bugs into primitives reading

16 About Exploits Writing Other primitives: restart the target application (crash) consume in-process memory pre-forking vs. post-forking daemons consume system memory consume processor usage consume network bandwith consume file system / file access signal dispatching (divert execution flow) Turning bugs into primitives other

17 About Exploits Writing Questions ?

18 About Exploits Writing transforming primitives: write --> jump write --> read write --> crash jump --> crash jump --> read jump --> processor usage / any other? signal --> crash signal --> write write + signal --> jump read --> crash crash --> signal (SIGSEGV) --> etc... Turning bugs into primitives transforming

19 About Exploits Writing class Exploit: def _write(self, addr, data):... def isWritable(self, addr): self._write(self, addr, '1234') return self.targetCrashed() Turning bugs into primitives transforming write-->read binary search.text.data 8048000 8053000 807B000 CRASH NO CRASH class Exploit: def _write(self, addr, data):... def isWritable(self, addr): self._write(self, addr, '1234') return self.targetCrashed() def get_textTop(self): addr= 0x8048000 delta= 0x0080000 while delta: addr += delta if self.isWritable(addr): addr -= delta delta >>= 1 return addr+4

20 About Exploits Writing Turning bugs into primitives transforming jump-->read class Exploit: def _jump(self, addr, data):... def _read_codeAddr(self): self._jump(0x8048808)... {... printf(“Magic Number: %d\n”,mn);... }... 8048804mov-4(%ebp),%eax 8048808 push%eax 804880apush0x8044430 804880fcallprintf...

21 About Exploits Writing Questions ?

22 About Exploits Writing Questions ? Ideas ?

23 About Exploits Writing Turning primitives into exploits buggy software Exploit primitives consumer logic primitives provider r w adapt

24 About Exploits Writing Turning primitives into exploits write+jump class Exploit: def _write(self, addr, data):... def maxToWrite(self): return 1000 def _jump(self, addr):... def tryAttack(self): if len(code) > self.maxToWrite(): raise “shellcode is too big” self._write(0x08084488, code) self._jump(0x08084488)

25 About Exploits Writing Turning primitives into exploits write def tryAttack(self, addr): addr = self.get_stackTop()-self.maxToWrite() while not self.done(): padd = self.maxToWrite() - len(code) code_addr = addr + padd buf = string(code_addr)*(padd/4) buf = buf + code addr –= padd self._write(addr, buf) code class Exploit: def _write(self, addr, data):... def maxToWrite(self): return 1000 addr = self.get_textTop() self._write(addr, buf) addr += padd code_addr...

26 About Exploits Writing Turning primitives into exploits read + write class Exploit: def _write(self, addr, data):... def _read(self, addr, len):... def tryAttack(self): if self._read(0x8048000,3) != 'ELF': raise “ELF not found” addr = self.find_GOT(“exit”) self._write(addr, string(addr+4)+code) code_addr code

27 About Exploits Writing Turning primitives into exploits stack-read class Exploit: def _stackRead(self):... def tryAttack(self): stack = self._stackRead() fp = stack.longAt(BUFSIZE) code_addr = fp – BUFSIZE – 3*4 self._writeSomewhere(code) self._jump(code_addr)... buf80 bytes frame pointer main’s args return address 4 bytes

28 About Exploits Writing Questions ?

29 About Exploits Writing Questions ? Ideas ?

30 About Exploits Writing Extra  Higher level language for exploits  Data inference Extra  Natural evolution of security bugs  Modeling the vulnerable program

31 About Exploits Writing Thank You!  Gerardo Richarte  gera@coresecurity.com

32 About Exploits Writing CORE SECURITY TECHNOLOGIES · Offices Worldwide Rua do Rócio 288 | 7º andar Vila Olímpia | São Paulo | SP CEP 04552-000 | Brazil Tel: (55 11) 3054-2535 Fax: (55 11) 3054-2534 info.brazil@corest.com Florida 141 | 2º cuerpo | 7º piso (C1005AAC) Buenos Aires Tel/Fax: (54 11) 4878-CORE (2673) info.argentina@corest.com Headquarters 44 Wall Street | 12th Floor New York, NY 10005 | USA Ph: (212) 461-2345 Fax: (212) 461-2346 info.usa@corest.com www.corest.com

Download ppt "About Exploits Writing ABOUT EXPLOITS WRITING Gerardo Richarte "

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.

CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Software bugs (and security implications). Software security Code can have perfect design and algorithm, but still have implementation vulnerabilities.

Software bugs (and security implications). Software security Code can have perfect design and algorithm, but still have implementation vulnerabilities.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Similar presentations

Ads by Google