Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)

Today – Advanced Shellcode
What are shellcodes
More about shellcodes
Some more tools
Function calls and the import table
Polymorphic shellcodes
Q&A

Shellcodes
Originates from the unix shell executable “sh”
Running sh essentially grants access to run any other command afterwards
The term has been loosely generalized to fit any code that runs after exploiting a vulnerability for code execution
Last week we saw a very basic shellcode which avoids null bytes.

More advanced exploitation
More robust & resilient –
o Use trampolines instead of stack addresses
o Don’t count on static function addresses – dlopen(), dlsym()
o ‘Egg hunting’ for executable file headers
o Avoid null bytes / avoid other bytes / handle UTF-8 / etc.
o Shellcodes that will run / not crash on multiple architectures
Do more complex things –
o Add users, modify files, install malware
o Manipulate program flow / memory
o Open a shell back home

New tools!
build_shellcode.py – based on the patch_util_gcc.py script, but made for simpler usage when creating shellcodes

New tools!
shellcode_host – reads a binary shellcode as instructed via the command line, and simulates execution.
shellcode_host_no_nulls – similar to shellcode_host, but the string is copied via strcpy, so no null characters (0x00) will be permitted in the body of the shellcode.
stack_overflow_host – similar to shellcode_host in the sense that it will allow null bytes inside the shellcode, but here you must overflow the stack and control the return address yourself.
stack_overflow_host_no_nulls – similar to stack_overflow_host, but no null bytes will be permitted.

How external function calls work
Many options –
o syscall via int 0x80 (as we've seen)
o static lib – hard coded address (rare)
o Dynamic lib – two ways:
   Assume already loaded, call directly (hard-coded address, not resilient)
   Call via the PLT / GOT (best method)

Global Offset Table

External function calls
A call through it looks like –
    call _printf
Which is actually a simple jmp –
    _printf proc near
        jmp ds:off_804A010 ; PLT entry
    _printf endp

Practical usage for external function calls
We can call through the PLT entry directly
Or, we could replicate what the original code would do, and just call the call-through function
Of course – other methods could still work (namely, direct syscalls)
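The PLT stub above is a jmp through a GOT slot (off_804A010 in the listing), and the loader learns which slot belongs to which imported function from the binary's .rel.plt / .rela.plt relocations. The following is an added Python example, not part of the recitation's tools, that reads those relocations straight from an ELF file and prints slot address -> symbol name, so you can match a PLT stub to the function it resolves; readelf -r on the same binary should list the same entries. The function names plt_imports() and build_sample_elf64() are chosen here, and the sample image, its symbol names and its slot addresses (the slide's 0x804A010 and the next slot) are constructed for the demo.

```python
import struct
import sys

# Added example (not the recitation's own tooling): list the GOT slots that the
# PLT stubs jump through, by reading the ELF .rel.plt / .rela.plt relocations.

def _u(data, fmt, off):
    return struct.unpack_from(fmt, data, off)

def plt_imports(data):
    """Return [(got_slot_address, symbol_name), ...] for a little-endian ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    if is64:
        e_shoff, = _u(data, "<Q", 0x28)
        e_shentsize, e_shnum, e_shstrndx = _u(data, "<HHH", 0x3A)
        sh_fmt = "<IIQQQQIIQQ"                      # Elf64_Shdr, 64 bytes
    else:
        e_shoff, = _u(data, "<I", 0x20)
        e_shentsize, e_shnum, e_shstrndx = _u(data, "<HHH", 0x2E)
        sh_fmt = "<IIIIIIIIII"                      # Elf32_Shdr, 40 bytes
    if e_shnum == 0:
        return []                                   # no section table (stripped/odd image)
    # header fields: 0 name, 1 type, 2 flags, 3 addr, 4 offset, 5 size, 6 link, 7 info, 8 align, 9 entsize
    sections = [_u(data, sh_fmt, e_shoff + i * e_shentsize) for i in range(e_shnum)]

    def cstr(table_off, idx):
        end = data.index(b"\0", table_off + idx)
        return data[table_off + idx:end].decode("ascii", "replace")

    shstr_off = sections[e_shstrndx][4]
    by_name = {cstr(shstr_off, s[0]): s for s in sections}
    rel = by_name.get(".rela.plt") or by_name.get(".rel.plt")
    if rel is None:
        return []                                   # no PLT relocations in this binary
    dynsym = sections[rel[6]]                       # sh_link of a reloc section -> its symbol table
    dynstr = sections[dynsym[6]]                    # sh_link of the symbol table -> its string table
    out = []
    for i in range(rel[5] // rel[9]):
        at = rel[4] + i * rel[9]
        if is64:
            r_offset, r_info = _u(data, "<QQ", at)  # Elf64_Rela: offset, info, (addend ignored)
            symidx = r_info >> 32
        else:
            r_offset, r_info = _u(data, "<II", at)  # Elf32_Rel: offset, info
            symidx = r_info >> 8
        # st_name is the first field of both Elf32_Sym and Elf64_Sym
        st_name, = _u(data, "<I", dynsym[4] + symidx * dynsym[9])
        out.append((r_offset, cstr(dynstr[4], st_name)))
    return out

def build_sample_elf64():
    """Constructed minimal ELF64 image (no code, only the tables the parser reads)
    with two fake PLT imports. Demo data, not a real binary."""
    dynstr = b"\0printf\0exit\0"                            # name offsets: printf=1, exit=8
    dynsym = b"\0" * 24                                     # symbol 0 is always undefined
    for name_off in (1, 8):
        dynsym += struct.pack("<IBBHQQ", name_off, 0x12, 0, 0, 0, 0)   # STB_GLOBAL | STT_FUNC
    rela = b""
    for sym, got_slot in ((1, 0x804A010), (2, 0x804A014)):   # slot addresses constructed
        rela += struct.pack("<QQq", got_slot, (sym << 32) | 7, 0)       # 7 = R_X86_64_JUMP_SLOT
    shstrtab = b"\0.dynstr\0.dynsym\0.rela.plt\0.shstrtab\0"   # name offsets 1, 9, 17, 27
    body, offs = b"", {}
    for key, blob in (("dynstr", dynstr), ("dynsym", dynsym), ("rela", rela), ("shstrtab", shstrtab)):
        offs[key] = 64 + len(body)
        body += blob
    shoff = 64 + len(body)
    SH = "<IIQQQQIIQQ"
    sh = struct.pack(SH, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                                   # [0] null
    sh += struct.pack(SH, 1, 3, 0, 0, offs["dynstr"], len(dynstr), 0, 0, 1, 0)           # [1] .dynstr   SHT_STRTAB
    sh += struct.pack(SH, 9, 11, 0, 0, offs["dynsym"], len(dynsym), 1, 1, 8, 24)         # [2] .dynsym   SHT_DYNSYM -> [1]
    sh += struct.pack(SH, 17, 4, 0, 0, offs["rela"], len(rela), 2, 0, 8, 24)             # [3] .rela.plt SHT_RELA   -> [2]
    sh += struct.pack(SH, 27, 3, 0, 0, offs["shstrtab"], len(shstrtab), 0, 0, 1, 0)      # [4] .shstrtab SHT_STRTAB
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELF64, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 5, 4)
    return ehdr + body + sh

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64()
    for slot, name in plt_imports(image):
        print(f"GOT slot {slot:#010x} -> {name}")
```

Run it with the path of a dynamically linked ELF as the argument, or with no argument to use the constructed sample. Each printed slot is the pointer the corresponding PLT stub dereferences, which is exactly the indirection the listing above shows for _printf.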

Polymorphic shellcodes
Polymorphic code ~= self-modifying code
Usually, polymorphic code is made of two parts: a decoder + the actual code in encoded form
o The decoder can be thin and built to withstand constraints such as:
   Only printable chars
   Only [a-z][A-Z][0-9]
   Must be a valid UTF-8 char
   Must not contain characters X, Y, Z
Polymorphic shellcodes can be used to evade detectors that use signature based detection, by modifying the signature of the same functionality

Simple Example
        jmp end
    start:
        pop ebx
        dec ebx
        mov ecx, [original shellcode size]
    decode_loop:
        mov edx, ecx
        add edx, ebx
        not byte ptr [edx]
        loop decode_loop
        jmp after_end
    end:
        call start
    after_end:
        ; --- here comes original shellcode ---

Register values as the decoder runs:
    reg   value
    ebx   after_end - 1                     (after pop ebx / dec ebx; unchanged from here on)
    ecx   original size                     (after mov ecx, ...)
    edx   original size                     (after mov edx, ecx)
    edx   original size + after_end - 1     (after add edx, ebx: the last byte of the encoded shellcode)
    ecx   original size - 1                 (after the first loop decode_loop)
    ...
    ecx   0                                 (after the last iteration; loop falls through)
    edx   after_end + 0                     (the first byte of the shellcode was decoded last)
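The constraint-driven encoding described under "Polymorphic shellcodes" and the NOT decoder in the example above, as an added Python model that is not code from the recitation: not_encode() produces the encoded form, violations() checks a blob against a transport constraint (here the no-NUL rule of shellcode_host_no_nulls), simulate_decoder() replays the decode loop with the same register semantics as the x86 listing, and signature_hits() is a naive byte-pattern detector. The function names, the sample bytes, the signature pattern and the model address after_end = 0x1000 are all constructed here.

```python
# Added example (not the recitation's tooling): a Python model of the NOT-based
# decoder on the slide. It encodes a payload, checks the result against a transport
# constraint, replays the decoder loop with the slide's register semantics and shows
# why a byte-pattern signature on the plain payload stops matching the encoded form.

FORBIDDEN = frozenset({0x00})   # what shellcode_host_no_nulls rejects: strcpy stops at a NUL

def not_encode(payload: bytes) -> bytes:
    """Encoder matching the slide's decoder: complement every byte (NOT is its own inverse)."""
    return bytes(b ^ 0xFF for b in payload)

def violations(blob: bytes, forbidden=FORBIDDEN) -> list:
    """Offsets of bytes the transport would reject; an empty list means the blob passes.
    NOT is not a universal fix: a 0xFF in the payload becomes 0x00 after encoding."""
    return [i for i, b in enumerate(blob) if b in forbidden]

def simulate_decoder(encoded: bytes, after_end: int = 0x1000) -> bytes:
    """Replay the slide's decode loop. after_end is the (model) address of the first
    encoded byte, i.e. the return address pushed by 'call start'."""
    if not encoded:
        # x86 'loop' decrements ecx before testing it, so a size of 0 would wrap to
        # 0xFFFFFFFF iterations and walk off the buffer; never assemble this case.
        raise ValueError("decoder needs a non-empty payload")
    mem = bytearray(encoded)           # memory from after_end onward
    ebx = after_end - 1                # pop ebx ; dec ebx
    ecx = len(mem)                     # mov ecx, [original shellcode size]
    while True:                        # decode_loop:
        edx = ecx + ebx                #   mov edx, ecx ; add edx, ebx
        mem[edx - after_end] ^= 0xFF   #   not byte ptr [edx]  (last byte first, down to after_end)
        ecx -= 1                       #   loop decode_loop
        if ecx == 0:
            break
    return bytes(mem)

def signature_hits(blob: bytes, signature: bytes) -> bool:
    """Naive byte-pattern detector, the kind of check the slide says encoding evades."""
    return signature in blob

# Constructed sample bytes (not real shellcode): NUL bytes that a strcpy transport would cut off.
SAMPLE = b"\x90\x90\x00\x41\x42\x00\x43"
SAMPLE_WITH_FF = b"\x41\xff\x42"       # constructed: shows the 0xFF -> 0x00 problem
SIGNATURE = b"\x00\x41\x42"            # constructed pattern a detector might look for

if __name__ == "__main__":
    enc = not_encode(SAMPLE)
    print("plain  :", SAMPLE.hex(), "violations:", violations(SAMPLE))
    print("encoded:", enc.hex(), "violations:", violations(enc))
    print("decoded matches plain:", simulate_decoder(enc) == SAMPLE)
    print("signature on plain / encoded:", signature_hits(SAMPLE, SIGNATURE), signature_hits(enc, SIGNATURE))
    print("0xFF payload after NOT has NULs at:", violations(not_encode(SAMPLE_WITH_FF)))
```

simulate_decoder() follows the register trace exactly: ebx stays at after_end - 1, edx walks from the last encoded byte down to after_end, and the loop exits when ecx reaches 0; it refuses an empty payload because loop on x86 decrements ecx before testing it. Two points worth keeping in mind from the detection side: NOT only swaps which bytes are forbidden (a 0xFF in the plain payload becomes a 0x00), so the encoded blob has to be re-checked against the constraint, and the decoder stub itself is identical from sample to sample, so a signature detector can match the stub rather than the encoded body.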

This Week’s Exercise
Counts as a double exercise!
Write a shellcode for remote exploitation using sockets
Exploit a network daemon remotely in several ways
o Basic shellcode
o Socket bound shell
More advanced shellcodes
o Hijack the original connection socket
o Polymorphic shellcode bypassing limitations

The end
Questions?