
Advanced Buffer Overflow Technique


1 Advanced Buffer Overflow Technique
Greg Hoglund

2 Attack Theory
Formalize the Attack Method
Re-Use of Attack Code
Separate the Deployment from the Payload
  Payloads can be chosen for desired effect
  Details and Restraints of both Payload and Deployment code

3 Exploits
A “BUG” in Software
New bugs reported every day
  automated testing tools
  USSR Labs
“Exploit” is code that takes advantage of a bug in order to cause an effect

4 What can happen?
Machine Crash
  kernel exception
  VIP process
Application Crash (most common)
  Recoverable Exception
Mobile Code (deadly)
File Access (read or write)
Denial of Service

5 Exploits can be grouped
Some bugs are all the same
Some bugs keep coming back
  improper filtering
  bounds checking
  bad authentication
  impersonation
In other words, need better testing

6 Entry -vs- Effect
The attack payload is not the same as the entry point
Missile -vs- Warhead analogy
The Delivery Mechanism can be decoupled from the Payload

7 Exploits come in 2 parts
Injection Vector (deployment)
  the actual entry-point, usually tied explicitly to the bug itself
Payload (deployed)
  usually not tied to the bug at all - limited only by imagination. Some restraints.

8 Injection Vector
Target Dependent
  OS Dependent
  Application Version Dependent
  Protocol Dependent
  Encoding Dependent

9 Payload
Independent of Injection Vector
  Still Depends on Machine, Processor, etc.
  With some exceptions
Mobile Code, Just like a Virus
  Once established, can spread by any means
    trust
    scanning for more bugs

10 Payload
Denial of Service
  use as launching point (arp spoofing)
Remote Shell (common)
  covert channel or ‘netcat’ like
Worm/Virus
  extremely dangerous
Rootkit (common - stealth)

11 Injector/Payload Pairs
One injector works on ‘n qualified hosts’
  Example - IIS Injector works on ~20% of Web Hosts
Payload
  Remote Shell for control
  Shutdown Machine
  Shutdown ALL Machines on subnet

12 Types of Injection
Content Based
  characters inserted into a data stream that result in the remote process doing something it shouldn’t. Process is still in control.
Buffer Overflow
  poor programming practice
  subverts architecture of code execution. Process loses control.

13 Types of Injection
Trust Based
  Boot virus / Floppy / CD (parasite process)
  MACRO virus
  Attachments (Melissa, etc)
  Web Browsing (exploit user’s trust, etc) - click thru

14 Governments write Injector Code?
1995 US Defense Intelligence Agency Report
  Cuban Military targets US w/ custom virii
  University of Havana, team of less than 20 computer experts
Russian KGB
  prior to 1991 coup attempt, KGB has virii intended to shut down US computers in times of war

15 Mobile code in Global 2000?
1995 E&Y report
  67% of companies hit by virus
1996 E&Y report
  63% of companies hit by virus
1996 UK Information Security Breaches Survey
  51% of companies hit by virus

16 How hard can it hit?
NCSA 1997 report
  33% of all machines infected with virus
  average cost of recovery ~$8000 US dollars
November 1988 Morris Worm
  strikes ~6,000 computers (10% of Internet at time) within hours
  spreads via Buffer Overflow in fingerd
  spreads via Sendmail exploit

17 How hard can it hit?
1989, “WANK” Worm
  Hits NASA Goddard Space Center
  spreads to US DOE High Energy Physics network (HEPNET)
  2 weeks to clean all systems

18 Buffer Overflow Injection
Overflow the Stack
Overflow the Heap
Goal: Must control the value of the instruction pointer (processor specific)
Goal: Get the Instruction Pointer to point to a user-controlled buffer

19 Challenges
Injector/Payload size restrictions
  tight coding requirements
Injector and Payload in same buffer
  cannot step on each other
Guessing Address Values
  sometimes called ‘offsets’
NULL characters, BAD characters
  use encoding and stack tricks

20 Stack Injection
Stack is used for execution housekeeping as well as buffer storage.
Stack-based buffer must be filled in direction of housekeeping data.
Must overwrite the housekeeping data.

21 Address Housekeeping
[Diagram: memory layout showing the code, heap and stack regions alongside the registers IP, DI, SI, FLAG, SP and BP]

22 Stack Overflow
[Diagram: stack overflow]

23 The Problem with NULL
[Diagram: stack addresses 00 40 20 08, 00 40 20 0C, 00 40 20 10; the copy STOPS at the first NULL byte]

24 NULL must be PAST housekeeping data
[Diagram: NULL placed after the housekeeping data - OK]

25 Little and Big Endian
On Intel x86 (Little Endian), values are stored ‘backwards’ - the least significant byte goes first: FF is stored as: FF

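Added example, not part of Hoglund's slides: the stack-copy behaviour behind slides 20 to 25, written out in C. It puts the unchecked strcpy pattern that the slides call poor programming practice next to a length-checked copy, shows why a strcpy-style copy stops at the first 0x00 byte, and shows why a little-endian lowland address such as 00 40 20 08 only survives the copy when it is the last thing written (its single zero byte lands last). The input strings and the addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern the slides describe: a fixed-size stack buffer filled by
   strcpy, which copies until the first 0x00 byte and never checks the
   destination length.  Kept deliberately defective as the "before" case;
   never call it with untrusted input. */
void vulnerable_copy(const char *input)
{
    char buf[16];
    strcpy(buf, input);            /* overflows for strlen(input) >= 16 */
    printf("%s\n", buf);
}

/* Hardened form: refuse anything that does not fit together with its
   terminator, so the housekeeping data beyond the buffer is never reached.
   Returns 0 on success, -1 if the input was rejected. */
int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n + 1 > dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* "The Problem with NULL": a strcpy-style copy moves bytes only up to the
   first 0x00 in the source.  Given a raw byte stream, return how many bytes
   would actually land in the destination. */
size_t bytes_strcpy_would_copy(const unsigned char *stream, size_t len)
{
    size_t i = 0;
    while (i < len && stream[i] != 0)
        i++;
    return i;
}

/* Little-endian layout: write a 32-bit value the way an x86 stores it,
   least significant byte first. */
void store_le32(uint32_t value, unsigned char out[4])
{
    out[0] = (unsigned char)(value & 0xff);
    out[1] = (unsigned char)((value >> 8) & 0xff);
    out[2] = (unsigned char)((value >> 16) & 0xff);
    out[3] = (unsigned char)((value >> 24) & 0xff);
}

/* "NULL must be PAST housekeeping data": a lowland address such as
   0x00402008 has its only zero byte in the most significant position, which
   little-endian storage places last.  A copy that stops at 0x00 therefore
   still writes the three meaningful bytes, provided the address is the final
   thing in the stream.  Returns the index of the first zero byte, or -1. */
int first_zero_index(const unsigned char *bytes, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (bytes[i] == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    char dst[16];
    unsigned char addr[4];

    /* Constructed inputs: one that fits and one that would have overflowed. */
    printf("short input accepted: %d\n", bounded_copy(dst, sizeof dst, "GET /"));
    printf("long input rejected:  %d\n",
           bounded_copy(dst, sizeof dst, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));

    store_le32(0x00402008u, addr);
    printf("0x00402008 in memory: %02x %02x %02x %02x (zero at index %d)\n",
           addr[0], addr[1], addr[2], addr[3], first_zero_index(addr, 4));
    return 0;
}
```

The 0xBFFFF7A0-style "highland" case in the test is the Linux situation from slide 32: no zero byte anywhere, so the copy length is not limited by the address at all.
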
26 We store address in housekeeping data
[Diagram: the Original Address in the housekeeping data is replaced by the New Address]

27 Injection is Complete
We control the instruction pointer
[Diagram: New Address]

28 Where to put the payload
[Diagram: New Address]

29 Confined Payload
Byte Compression
Use only preloaded functions
  Payload doesn’t need to build jumptables
  Useable functions must be loaded
Use Hardcoded addresses
  Payload designed for a specific process with predictable features
Data portion of payload needs to be small

30 Using more stack for payload
[Diagram: NO NULL in Address - OK]

31 Much Larger Payload

32 When does the address contain a NULL character
Lowland Address - starts with 00
  stack is in lowland on Windows NT usually
  limits size of payload
Highland Address - no zeros in address
  stack is in highland under Linux
  unlimited payload size

33 Large payload, Lowland address
We cannot use a lowland address directly, because it limits our payload
We can use a CPU register
We can use stack values that remain undamaged

34 A register points to the stack
[Diagram: memory layout showing code, heap and stack with the registers IP, DI, SI, FLAG, SP and BP]

35 Call thru a Register
Call eax, call ebx, etc
  FF D0 = call eax
  FF D3 = call ebx
  FF D1 = call ecx
  etc, etc

36 Push a register then return
Push register
  push eax = 50
  push ebx = 53
  etc
Then RET
  RET = C3

37 Guessing where to go
We jump to the wrong address
  crashes software
  payload doesn’t execute
Use NOP (no-op) - a single byte instruction
  NOP = 90
Fill buffer with NOP’s
  “NOP Sled”

38 NOP Sled
End up at payload

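Added example, not from the presentation: the detection side of slides 37 and 38. Because the sled is a run of identical 0x90 bytes, the classic network IDS check is simply "longest run of 0x90 in a request above a threshold"; legitimate text protocols never carry such runs. The request text, the sled length and the threshold of 32 are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90   /* single-byte x86 no-op named on the slide */

/* Length of the longest consecutive run of `value` anywhere in buf. */
size_t longest_run(const unsigned char *buf, size_t len, unsigned char value)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == value) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Detection rule: flag the buffer if it holds a NOP run of at least
   `threshold` bytes.  A threshold of a few dozen keeps false positives low
   on text protocols while still catching a sled sized to absorb a wrong
   address guess. */
int looks_like_nop_sled(const unsigned char *buf, size_t len, size_t threshold)
{
    return longest_run(buf, len, NOP) >= threshold;
}

/* Build a constructed sample: an HTTP request line followed by `nops`
   bytes of 0x90, then a marker standing in for whatever would follow.
   Returns the total length written to out (out must hold prefix+nops+marker). */
size_t build_sample(unsigned char *out, size_t nops)
{
    const char *prefix = "GET /cgi-bin/x?";
    const char *marker = "<payload-placeholder>";
    size_t p = strlen(prefix), m = strlen(marker);
    memcpy(out, prefix, p);
    memset(out + p, NOP, nops);
    memcpy(out + p + nops, marker, m);
    return p + nops + m;
}

int main(void)
{
    unsigned char benign[] = "GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n";
    unsigned char sample[512];
    size_t n = build_sample(sample, 200);

    printf("benign request: longest 0x90 run = %zu, flagged = %d\n",
           longest_run(benign, sizeof benign - 1, NOP),
           looks_like_nop_sled(benign, sizeof benign - 1, 32));
    printf("sled sample:    longest 0x90 run = %zu, flagged = %d\n",
           longest_run(sample, n, NOP), looks_like_nop_sled(sample, n, 32));
    return 0;
}
```
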
39 Inject the Payload into the HEAP
When the stack is limited in size
  Store part of the payload on the stack, the other part on the heap
Protocol Headers
  HTTP headers
Recent Transactions
Open Files

40 Execute code on the heap
[Diagram: memory layout showing code, heap and stack with the registers IP, DI, SI, FLAG, SP and BP]

41 Trespassing the HEAP
Two C++ objects near one another
Any buffer that can overwrite a pointer
  function pointer
  string pointer (alter behavior w/o mobile code)

42 Overwrite the VTABLE
C++ objects have a virtual function table
  Vtable pointer
  Member variables grow away from vtable pointer (NT)

43 Overwrite VTABLE
Must have 2 C++ Objects (on heap)
Overwrite vtable ptr

44 Where do I make the VTABLE point?

45 Your own VTABLE
The VTABLE has addresses for all virtual functions in the class.
This usually includes a destructor - which will be called when the object is destroyed (deallocated from memory).
Overwrite any function that works.

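Added example, not from the presentation, for slides 41 to 45: a C record with a function pointer stored right after an attacker-influenced buffer, the overflow the slides describe simulated as an unchecked raw copy, and the two defences that matter at this point: a length-checked fill, and a dispatch routine that refuses to call through a pointer it does not recognise. The struct, the two handler functions and the oversized input are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A heap record of the shape the slides warn about: attacker-influenced
   bytes (name) sit directly before a function pointer (fn). */
struct handler {
    char name[16];
    int (*fn)(void);
};

static int handle_get(void)  { return 1; }
static int handle_post(void) { return 2; }

/* Only these targets are ever legitimate for handler.fn. */
static int (*const ALLOWED[])(void) = { handle_get, handle_post };
#define ALLOWED_COUNT (sizeof ALLOWED / sizeof ALLOWED[0])

/* Simulates the overflow from slide 41: `len` raw bytes are copied into the
   record starting at name[0] with no bounds check, so anything past 16 bytes
   lands in fn.  The write goes through unsigned char* so the corruption
   itself is well-defined; what is NOT defined is calling through the result,
   which this example never does. */
void fill_record_unchecked(struct handler *h, const unsigned char *src, size_t len)
{
    if (len > sizeof *h)
        len = sizeof *h;             /* keep the simulation inside the object */
    memcpy((unsigned char *)h, src, len);
}

/* Hardened fill: name is length-checked, fn is never touched by input. */
int fill_record_checked(struct handler *h, const char *name, int (*fn)(void))
{
    size_t n = strlen(name);
    if (n + 1 > sizeof h->name)
        return -1;
    memcpy(h->name, name, n + 1);
    h->fn = fn;
    return 0;
}

/* Is the stored pointer one of the allowed targets?  Compared byte-wise so a
   corrupted (invalid) pointer value is never loaded as a pointer. */
int fn_is_allowed(const struct handler *h)
{
    for (size_t i = 0; i < ALLOWED_COUNT; i++)
        if (memcmp(&h->fn, &ALLOWED[i], sizeof h->fn) == 0)
            return 1;
    return 0;
}

/* Defensive dispatch: refuse the indirect call unless the target is known.
   Returns the handler's result, or -1 if the pointer was not recognised. */
int dispatch_checked(const struct handler *h)
{
    if (!fn_is_allowed(h))
        return -1;
    return h->fn();
}

int main(void)
{
    struct handler h;
    unsigned char overlong[sizeof h];
    memset(overlong, 'A', sizeof overlong);   /* constructed oversized input */

    fill_record_checked(&h, "get", handle_get);
    printf("intact record:    dispatch -> %d\n", dispatch_checked(&h));

    fill_record_unchecked(&h, overlong, sizeof overlong);
    printf("corrupted record: dispatch -> %d (refused)\n", dispatch_checked(&h));
    return 0;
}
```

The allow-list check is the same idea a vtable-integrity or control-flow-integrity scheme applies to the C++ case on slides 42 to 45: the pointer next to the data is treated as untrusted until it is matched against the set of targets the program actually has.
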
46 Injection is complete
Kernel level overflows all over in NT
Off by one errors causing frame pointer overwrite
Multi-stage attacks where you must first get the target into a state before attempting overflow
The effects of URL or MIME encoding

47 Now for the Payload
Using Loaded Functions
Encoding our own data
Loading new functions & DLL’s
Making a shell

48 The Payload
[Layout: NOP Sled | Real Code | DATA]

49 Getting Bearings
  call RELOC
  RELOC: pop edi
edi now has our code address
we can use this as an offset to our data

50 Reverse Short Call
NO NULL Bytes
  RELOC: jmp RELOC2
  call RELOC
  RELOC2: pop edi
  EB FF FF FF FE

51 XOR Protection
Cannot have NULL’s in data portion
XOR every BYTE

52 XOR again to decode
Begin decode

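Added example, not from the presentation, for slides 51 and 52: the one-byte XOR that both encodes and decodes the data section, the check that a chosen key introduces no 0x00 byte into the encoded form, and, for whoever is analysing a captured payload, a brute-force recovery of the key from a known plaintext such as a DLL name that such a payload has to carry. The data section contents and the key 0x99 are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* XOR every byte with a one-byte key.  The same routine encodes and decodes,
   which is what lets the payload "XOR again to decode" in place. */
void xor_bytes(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Encoder-side constraint from slide 51: the encoded form must hold no 0x00.
   An encoded byte is 0 exactly when the plaintext byte equals the key, so
   report whether a given key is usable (1) or would produce a NULL (0). */
int key_avoids_nulls(const unsigned char *plain, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        if (plain[i] == key)
            return 0;
    return 1;
}

/* Analyst side: try all 256 keys and return the first one under which
   `marker` (a string you expect in the decoded data) appears anywhere.
   Returns -1 if no key works.  Does not modify enc. */
int recover_xor_key(const unsigned char *enc, size_t len, const char *marker)
{
    size_t mlen = strlen(marker);
    if (mlen == 0 || mlen > len)
        return -1;
    for (int key = 0; key < 256; key++) {
        for (size_t i = 0; i + mlen <= len; i++) {
            size_t j = 0;
            while (j < mlen &&
                   (enc[i + j] ^ (unsigned char)key) == (unsigned char)marker[j])
                j++;
            if (j == mlen)
                return key;
        }
    }
    return -1;
}

/* Constructed sample data section: a DLL name and two function names,
   NUL-separated, as a payload that resolves imports by ASCII name carries them. */
static const char SAMPLE_DATA[] = "KERNEL32.DLL\0LoadLibraryA\0GetProcAddress";
#define SAMPLE_LEN (sizeof SAMPLE_DATA - 1)

/* Encode the sample with `key` into out (SAMPLE_LEN bytes).  The embedded
   0x00 separators become `key` after encoding, so the encoded blob has no
   NULL bytes as long as key is non-zero and key_avoids_nulls() holds. */
size_t encode_sample(unsigned char *out, unsigned char key)
{
    memcpy(out, SAMPLE_DATA, SAMPLE_LEN);
    xor_bytes(out, SAMPLE_LEN, key);
    return SAMPLE_LEN;
}

int main(void)
{
    unsigned char enc[SAMPLE_LEN];
    unsigned char key = 0x99;   /* constructed key, chosen to avoid NULLs */
    size_t n = encode_sample(enc, key);
    int found = recover_xor_key(enc, n, "KERNEL32.DLL");

    printf("key usable without NULLs: %d\n",
           key_avoids_nulls((const unsigned char *)SAMPLE_DATA, SAMPLE_LEN, key));
    printf("recovered key: 0x%02x (expected 0x%02x)\n", found, key);
    return 0;
}
```

A single-byte XOR hides the data from a filter that rejects 0x00, nothing more; the recovery loop shows that anyone holding the encoded bytes and one guessable word of plaintext gets the whole data section back.
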
53 Hardcoded Function Calls

54 Pros/Cons to hard coding
PRO: makes code smaller
CON: what if function isn’t always in same place?
  Dynamically loaded DLL’s
PRO: some DLL’s are *usually* always in the same place
  KERNEL32.DLL

55 Dynamic Function Loading
Use LoadLibrary() and GetProcAddress()
  usually always in same place
  hard coding usually works
Load New DLL’s
Find any function by ASCII name
  handy

56 Load Function by Name
getprocaddress
Function name stored here

57 Build a jumptable
getprocaddress

58 Use Jumptable

59 HASH Loading (el8)
Process already has ASCII names of all loaded functions stored in process-header
We can locate any loaded function by checking the CRC of each loaded ASCII name
We do not need to store function names in our DATA section - only CRC’s
  makes payload smaller!

60 PE Header
[Diagram: PE OFFSET, Optional Header, ASCII NAME, Address]

61 Check CRC’s

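Added example, not from the presentation, for slides 59 to 61: the CRC comparison over exported names that hash loading relies on, run over a constructed list of names instead of a parsed PE header, plus the reverse mapping an analyst needs to turn constants lifted from a payload's data section back into function names. The slides say only "CRC"; CRC-32 with the IEEE polynomial is an assumption here, checked against the standard test vector, and the export list and the unresolvable constant 0xDEADBEEF are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 (IEEE 802.3 / zlib polynomial, reflected, init and final 0xFFFFFFFF).
   Assumption: the slides do not name a CRC variant; a real payload may use a
   different polynomial or a non-CRC hash, in which case only this routine
   needs swapping. */
uint32_t crc32_bytes(const unsigned char *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

uint32_t crc32_name(const char *name)
{
    return crc32_bytes((const unsigned char *)name, strlen(name));
}

/* What the payload does at run time (slide 61): walk the exported ASCII
   names and stop at the one whose CRC matches the stored constant.  Here the
   "export table" is a constructed array of names rather than a parsed PE
   header.  Returns the index of the match or -1. */
int find_export_by_crc(const char *const *names, size_t count, uint32_t wanted)
{
    for (size_t i = 0; i < count; i++)
        if (crc32_name(names[i]) == wanted)
            return (int)i;
    return -1;
}

/* Analyst direction: given constants pulled out of a payload's data section,
   resolve each one against a list of candidate export names.  Returns the
   number of constants that resolved; resolved[i] receives the name or NULL. */
size_t resolve_hashes(const uint32_t *hashes, size_t nhashes,
                      const char *const *names, size_t nnames,
                      const char **resolved)
{
    size_t hits = 0;
    for (size_t i = 0; i < nhashes; i++) {
        int idx = find_export_by_crc(names, nnames, hashes[i]);
        resolved[i] = (idx >= 0) ? names[idx] : NULL;
        if (idx >= 0)
            hits++;
    }
    return hits;
}

/* Constructed candidate list: a handful of kernel32 export names, including
   the ones the slides mention. */
static const char *const KNOWN_EXPORTS[] = {
    "CreateFileA", "CreateProcessA", "ExitProcess", "GetProcAddress",
    "LoadLibraryA", "ReadFile", "WriteFile",
};
#define KNOWN_EXPORT_COUNT (sizeof KNOWN_EXPORTS / sizeof KNOWN_EXPORTS[0])

int main(void)
{
    /* Constants an analyst might have lifted from a sample: two that resolve
       and one constructed value that does not. */
    uint32_t lifted[3] = { crc32_name("LoadLibraryA"),
                           crc32_name("GetProcAddress"), 0xDEADBEEFu };
    const char *names[3];
    size_t hits = resolve_hashes(lifted, 3, KNOWN_EXPORTS, KNOWN_EXPORT_COUNT, names);

    printf("CRC-32 self-check: %08x (expect cbf43926)\n", crc32_name("123456789"));
    for (int i = 0; i < 3; i++)
        printf("%08x -> %s\n", lifted[i], names[i] ? names[i] : "<unresolved>");
    printf("%zu of 3 resolved\n", hits);
    return 0;
}
```

In practice the candidate list is every export of every DLL the process could have loaded, precomputed once; a payload that stores only hashes is opaque until that table exists, which is why building it is the first step when such a sample turns up.
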
62 Limited Character Set means Limited Instruction Set
Payload is filtered
  MIME
  URL
  alphanumeric only (headers)
short jumps (difficult to maintain)
pop/push
subtract

63 The Bridge
Avoids jump instruction
  size must be calculated exactly

64 Load New DLL

65 WININET.DLL
Use DLL functions
  InternetOpenURL()
  InternetReadFile()
Does all the hard work
  Makes payload smaller
Download and Execute any file, anywhere
  File stored anonymously - hard to trace

66 WS2_32.DLL
Socket
  bind
  listen
  send
  recv
  accept

67 Interrupt Calls
Don’t require addresses
Small
Easy to use
  Load register with call number
  Load register with argument pointer
  interrupt (2 bytes long)
    CD 2E (interrupt 2E)
    CD 80 (interrupt 80)

68 Remote Command Shell
Spawn a process
  CreateProcessA (kernel32 function)
  INT 80 (linux) (execve syscall)
Pipe the output thru socket
  Named pipes (~5 functions)
  Connect in or out over any TCP socket

69 Covert Channel
If exploited process is root or SYSTEM
  TDI or NDIS hook
  session over ACK packets or ICMP
IIS
  Patch any point where URL requests are handled
  no kernel required

70 WORMS
Payload searches for new hosts to attack
Trust Exploitation
  sniff passwords on wire
  SMB sessions to other NT hosts
  NT Registry Alteration
  NFS/Drive Sharing
Consider survivability of Payload
  what % of hosts are eligible?

71 Lysine Deficiency
Worm will die if certain condition is not met
  Existence of File
  Existence of Network Entity
  Floppy in floppy drive (testing lab)

72 RECAP
Injection is not the same as payload
Payloads can perform
  Denial of Service
  WORM
  Remote Shell
  Rootkit

73 RECAP
Injection has many challenges
  NULL characters
  Stack size
  Highland/Lowland address
  Calling thru CPU registers

74 RECAP
Filters limit what we can use in a payload
Limited OP-CODE sets can still be used to build fully functional programs

75 RECAP
Our payload is encoded
We can build jumptables
We can load new DLL’s and Functions
We can hard-code addresses or load them dynamically
We can use Lysine Deficiency to keep Worms from spreading uncontrolled

76 Your mind is your primary weapon
Thank You

