EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)

Introduction

What we will cover  We are covering software exploitation in a Linux 32-bit environment  Topics  Buffer overflows (stack)  Ret2libc

Tools  Virtualization software  VMware Workstation or VMware Player (free)  Virtualbox (free)  Linux Environment  GDB  Editor (Vim, emacs, etc.)  Python

x86 Background

Linux Memory Structure .text  Contains program instructions  Readable, executable, not writable  Heap  Contains dynamically allocated memory objects  Readable, writable, (usually) executable  Stack  Contains static variables and base pointers  Readable, writable, (sometimes) executable

Stack  Grows down from 0xBFFFFFFF  Argv, Environment, and Auxiliary Vectors at base Stack Heap 0xbfffffff

Stack Frame Contents of Stack Stack Base (EBP) Stack Pointer (ESP)

Common Register Conventions  ESP – Stack Pointer  EBP – Stack Frame Base Pointer  EIP – Instruction Pointer  EAX, EBX, ECX, EDX – Fairly widely used, often used as function arguments

Function Calls  The x86 instruction CALL is used, which automatically does the following:  Put all the arguments onto the stack (right to left)  Put instruction pointer (EIP) onto stack  Now in the callee, push base pointer onto stack and set base pointer to stack pointer (function prologue)  Execute instructions in new function  Clean up locals  Set stack pointer to base and restore base pointer by popping the stack (function epilogue)

Function Calls Visualized  Function A has a stack comprised of a base, contents, and a top (stack pointer) ESP EBP Stack Contents A Base A

Function Calls Visualized  Function A calls Function B, so pushes its arguments and instruction pointer on the stack ESP Stack Contents A Base A EIP for A Arguments for B EBP

Function Calls Visualized  Function B executes its prologue to set up its own stack frame. First, push the old EBP EBP for A Stack Contents A Base A EIP for A Arguments for B ESP EBP

Function Calls Visualized  Now change EBP to ESP’s value. We have a new stack frame ESPEBP EBP for A Stack Contents A Base A EIP for A Arguments for B

Function Calls Visualized  Function B sets up its own locals ESP EBP for A Stack Contents A Base A EIP for A Arguments for B Stack Contents B EBP

Function Calls Visualized  On finishing, function B first cleans up locals EBP for A Stack Contents A Base A EIP for A Arguments for B ESPEBP

Function Calls Visualized  Next, it enters its function epilogue, in which it restores the previous base pointer Stack Contents A Base A EIP for A Arguments for B EBP ESP

Function Calls Visualized  Finally, the EIP is popped and execution continues at its location Stack Contents A Base A Arguments for B EBP ESP

Function Calls Visualized  A does the rest of the cleanup Stack Contents A Base A EBP ESP

GDB Tutorial

GDB  GDB runs on top of the program’s execution  What can we do with it?  Examine disassembled code  Alter the program’s execution  Watch registers  Step through program  Starting it on program “a.out”: gdb a.out -silent

Some Useful Commands - Registers  i r – Information about registers (gdb) i r eax 0x1 1 ecx 0xbffff edx 0xbffff7a ebx 0xb7fcdff esp 0xbffff778 0xbffff778 ebp 0xbffff778 0xbffff778 esi 0x0 0 edi 0x0 0 eip 0x x eflags 0x246 [ PF ZF IF ] cs 0x ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51  print $regname – Prints register, ex. print $esp

Some Useful Commands - Memory  x/10x ADDR – Examine 10 words at ADDR (gdb) x/10x $esp 0xbffff778: 0x xb7e x xbffff814 0xbffff788: 0xbffff81c 0xb7ffeff4 0xb7fff918 0x xbffff798: 0x xb7fedbdb (gdb) x/10x 0xbffff000 0xbffff000: 0x xb7ff0c7c 0x x xbffff010: 0x x x xb7fde858 0xbffff020: 0xbffff088 0xb7ffeff4  x/5i ADDR – Examine 5 instructions at ADDR (gdb) x/5i $eip => 0x : and $0xfffffff0,%esp 0x804853a : sub $0x420,%esp 0x : mov %gs:0x14,%eax 0x : mov %eax,0x41c(%esp) 0x804854d : xor %eax,%eax  Other useful data types are w (default), s (string)

Some Useful Commands - Breakpoints  b ADDR – Break at address (gdb) b main Breakpoint 1 at 0x (gdb) b *0x Breakpoint 2 at 0x  Remember the * before a hex address  Working with breakpoints:  i b – Information on breakpoints  d – Deletes all breakpoints  d n – Deletes breakpoint n

Some Useful Commands - Execution  r – Run, with optional arguments  c – Continue after breaking  ni – Next instruction (step over)  si – Step one intruction (step into)  Useful with: display/i $pc  finish – Continue until current function returns

Some Useful Commands - Frames  i f – Information about current stack frame (gdb) i f Stack level 0, frame at 0xbffff780: eip = 0x in main; saved eip 0xb7e69113 Arglist at 0xbffff778, args: Locals at 0xbffff778, Previous frame's sp is 0xbffff780 Saved registers: ebp at 0xbffff778, eip at 0xbffff77c  up, down – Move up or down frames

Some Useful Commands – Misc.  disas FUNCTION – Print disassembly of function (gdb) disas main Dump of assembler code for function main: 0x : push %ebp 0x : mov %esp,%ebp 0x : and $0xfffffff0,%esp 0x a : sub $0x420,%esp …  list – Shows source if you have debugging info  set confirm off – Stop the nagging!  set disassembly-flavor – Change disas style (gdb) disas main Dump of assembler code for function main: 0x : push ebp 0x : mov ebp,esp 0x : and esp,0xfffffff0 0x a : sub esp,0x420

Using Python for Debugging Exploits  Python can be run from the command-line: $python -c ‘print “Message”’  This can be embedded into command-line instructions with backtick (`) marks: $./a.out `python -c ‘print “Message”’`  gdb works in the same way r `python -c ‘print “Message”’`  The above commands result in running the program (a.out) with the argument Message

Using Python for Writing Exploits  Break up the exploit string into smaller components  Use the string repeat functionality: “A”*4  “AAAA”  If the program takes command line arguments: $./a.out `python sploit.py`

Reliable Local Exploits  You have to clear the environment, one way to do this is with Python: import os sploit = “big_scary_exploit_string” os.execve(“a.out”,[“a.out”,sploit],{})  To debug:  gdb python  catch exec  r sploit.py  Now you’re ready to debug like normal.

Stack Based Buffer Overflows

Overview  Stack based buffer overflows occur when writing goes past the boundaries of local variables  Example: char buf[64]; strcpy(buf, argv[1]);  The previous example will overflow buf’s boundaries and write onto stack memory if argv[1] contains more than 64 bytes  This allows us to alter local variables and also change the execution of the program

Altering Code Execution Flow  Since we can write over stack memory, we can write over the saved EIP address Stored EIP Stored EBP buf[64] Padding New EIP

Demos

Stack Smashing  Now we want to achieve execution of arbitrary code  Instead of giving EIP the address of another function, we give it the address of our buffer  Our buffer contains machine code instructions (known as shellcode)  For reliability, we use 0x90 opcodes to pad before our shellcode, these are NOP instructions and execution will slide past them if it lands there

Stack Smashing Illustrated buf[64] EBP EIP Shellcode NOP Sled Evil Pointer

Demo – Stack Smashing

Ret2libc

Overview  What happens if we’re working with a slightly more modern machine with non-executable stack memory?  Rather than write our own code to spawn a shell, let’s use libc!  We will use system() for the demonstration for simplicity, but bear in mind that system drops privileges, so execv() is needed for privilege escalation

Payload buf[64] EBP EIP Padding system() exit() Pointer to “/bin/sh”

Where to put “/bin/sh”?  In buffer, after its address  Environment  Argv  Auxiliary Vectors  Anywhere else reliable

Demo – Ret2libc

Conclusion

Future Reading  We didn’t cover any Windows exploitation. If you want to learn the tools and techniques for the Windows environment, check out the Corelan tutorials at: oit-writing-tutorial-part-1-stack-based-overflows/ oit-writing-tutorial-part-1-stack-based-overflows/  We covered Ret2libc, but the next step in mitigation evasion, Return Oriented Programming (ROP) wasn’t covered. It’s worth it to read up on this, as it’s complex, but extremely powerful.

Thanks for coming  Let me know if there are any questions  Weekly meetings are 7pm on Wednesdays in FO  Come join our team for the upcoming Capture the Flag competitions and put these skills to use