Presentation is loading. Please wait.

Presentation is loading. Please wait.

EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)

Similar presentations


Presentation on theme: "EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)"— Presentation transcript:

1 EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)

2 Introduction

3 What we will cover  We are covering software exploitation in a Linux 32-bit environment  Topics  Buffer overflows (stack)  Ret2libc

4 Tools  Virtualization software  VMware Workstation or VMware Player (free)  Virtualbox (free)  Linux Environment  GDB  Editor (Vim, emacs, etc.)  Python

5 x86 Background

6 Linux Memory Structure .text  Contains program instructions  Readable, executable, not writable  Heap  Contains dynamically allocated memory objects  Readable, writable, (usually) executable  Stack  Contains static variables and base pointers  Readable, writable, (sometimes) executable

7 Stack  Grows down from 0xBFFFFFFF  Argv, Environment, and Auxiliary Vectors at base Stack Heap 0xbfffffff

8 Stack Frame Contents of Stack Stack Base (EBP) Stack Pointer (ESP)

9 Common Register Conventions  ESP – Stack Pointer  EBP – Stack Frame Base Pointer  EIP – Instruction Pointer  EAX, EBX, ECX, EDX – Fairly widely used, often used as function arguments

10 Function Calls  The x86 instruction CALL is used, which automatically does the following:  Put all the arguments onto the stack (right to left)  Put instruction pointer (EIP) onto stack  Now in the callee, push base pointer onto stack and set base pointer to stack pointer (function prologue)  Execute instructions in new function  Clean up locals  Set stack pointer to base and restore base pointer by popping the stack (function epilogue)

11 Function Calls Visualized  Function A has a stack comprised of a base, contents, and a top (stack pointer) ESP EBP Stack Contents A Base A

12 Function Calls Visualized  Function A calls Function B, so pushes its arguments and instruction pointer on the stack ESP Stack Contents A Base A EIP for A Arguments for B EBP

13 Function Calls Visualized  Function B executes its prologue to set up its own stack frame. First, push the old EBP EBP for A Stack Contents A Base A EIP for A Arguments for B ESP EBP

14 Function Calls Visualized  Now change EBP to ESP’s value. We have a new stack frame ESPEBP EBP for A Stack Contents A Base A EIP for A Arguments for B

15 Function Calls Visualized  Function B sets up its own locals ESP EBP for A Stack Contents A Base A EIP for A Arguments for B Stack Contents B EBP

16 Function Calls Visualized  On finishing, function B first cleans up locals EBP for A Stack Contents A Base A EIP for A Arguments for B ESPEBP

17 Function Calls Visualized  Next, it enters its function epilogue, in which it restores the previous base pointer Stack Contents A Base A EIP for A Arguments for B EBP ESP

18 Function Calls Visualized  Finally, the EIP is popped and execution continues at its location Stack Contents A Base A Arguments for B EBP ESP

19 Function Calls Visualized  A does the rest of the cleanup Stack Contents A Base A EBP ESP

20 GDB Tutorial

21 GDB  GDB runs on top of the program’s execution  What can we do with it?  Examine disassembled code  Alter the program’s execution  Watch registers  Step through program  Starting it on program “a.out”: gdb a.out -silent

22 Some Useful Commands - Registers  i r – Information about registers (gdb) i r eax 0x1 1 ecx 0xbffff814 -1073743852 edx 0xbffff7a4 -1073743964 ebx 0xb7fcdff4 -1208164364 esp 0xbffff778 0xbffff778 ebp 0xbffff778 0xbffff778 esi 0x0 0 edi 0x0 0 eip 0x8048537 0x8048537 eflags 0x246 [ PF ZF IF ] cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51  print $regname – Prints register, ex. print $esp

23 Some Useful Commands - Memory  x/10x ADDR – Examine 10 words at ADDR (gdb) x/10x $esp 0xbffff778: 0x00000000 0xb7e69113 0x00000001 0xbffff814 0xbffff788: 0xbffff81c 0xb7ffeff4 0xb7fff918 0x00000001 0xbffff798: 0x00000000 0xb7fedbdb (gdb) x/10x 0xbffff000 0xbffff000: 0x00000000 0xb7ff0c7c 0x00000000 0x00000000 0xbffff010: 0x00000000 0x00000000 0x00000000 0xb7fde858 0xbffff020: 0xbffff088 0xb7ffeff4  x/5i ADDR – Examine 5 instructions at ADDR (gdb) x/5i $eip => 0x8048537 : and $0xfffffff0,%esp 0x804853a : sub $0x420,%esp 0x8048540 : mov %gs:0x14,%eax 0x8048546 : mov %eax,0x41c(%esp) 0x804854d : xor %eax,%eax  Other useful data types are w (default), s (string)

24 Some Useful Commands - Breakpoints  b ADDR – Break at address (gdb) b main Breakpoint 1 at 0x8048537 (gdb) b *0x8048637 Breakpoint 2 at 0x8048637  Remember the * before a hex address  Working with breakpoints:  i b – Information on breakpoints  d – Deletes all breakpoints  d n – Deletes breakpoint n

25 Some Useful Commands - Execution  r – Run, with optional arguments  c – Continue after breaking  ni – Next instruction (step over)  si – Step one intruction (step into)  Useful with: display/i $pc  finish – Continue until current function returns

26 Some Useful Commands - Frames  i f – Information about current stack frame (gdb) i f Stack level 0, frame at 0xbffff780: eip = 0x8048537 in main; saved eip 0xb7e69113 Arglist at 0xbffff778, args: Locals at 0xbffff778, Previous frame's sp is 0xbffff780 Saved registers: ebp at 0xbffff778, eip at 0xbffff77c  up, down – Move up or down frames

27 Some Useful Commands – Misc.  disas FUNCTION – Print disassembly of function (gdb) disas main Dump of assembler code for function main: 0x08048534 : push %ebp 0x08048535 : mov %esp,%ebp 0x08048537 : and $0xfffffff0,%esp 0x0804853a : sub $0x420,%esp …  list – Shows source if you have debugging info  set confirm off – Stop the nagging!  set disassembly-flavor – Change disas style (gdb) disas main Dump of assembler code for function main: 0x08048534 : push ebp 0x08048535 : mov ebp,esp 0x08048537 : and esp,0xfffffff0 0x0804853a : sub esp,0x420

28 Using Python for Debugging Exploits  Python can be run from the command-line: $python -c ‘print “Message”’  This can be embedded into command-line instructions with backtick (`) marks: $./a.out `python -c ‘print “Message”’`  gdb works in the same way r `python -c ‘print “Message”’`  The above commands result in running the program (a.out) with the argument Message

29 Using Python for Writing Exploits  Break up the exploit string into smaller components  Use the string repeat functionality: “A”*4  “AAAA”  If the program takes command line arguments: $./a.out `python sploit.py`

30 Reliable Local Exploits  You have to clear the environment, one way to do this is with Python: import os sploit = “big_scary_exploit_string” os.execve(“a.out”,[“a.out”,sploit],{})  To debug:  gdb python  catch exec  r sploit.py  Now you’re ready to debug like normal.

31 Stack Based Buffer Overflows

32 Overview  Stack based buffer overflows occur when writing goes past the boundaries of local variables  Example: char buf[64]; strcpy(buf, argv[1]);  The previous example will overflow buf’s boundaries and write onto stack memory if argv[1] contains more than 64 bytes  This allows us to alter local variables and also change the execution of the program

33 Altering Code Execution Flow  Since we can write over stack memory, we can write over the saved EIP address Stored EIP Stored EBP buf[64] Padding New EIP

34 Demos

35 Stack Smashing  Now we want to achieve execution of arbitrary code  Instead of giving EIP the address of another function, we give it the address of our buffer  Our buffer contains machine code instructions (known as shellcode)  For reliability, we use 0x90 opcodes to pad before our shellcode, these are NOP instructions and execution will slide past them if it lands there

36 Stack Smashing Illustrated buf[64] EBP EIP Shellcode NOP Sled Evil Pointer

37 Demo – Stack Smashing

38 Ret2libc

39 Overview  What happens if we’re working with a slightly more modern machine with non-executable stack memory?  Rather than write our own code to spawn a shell, let’s use libc!  We will use system() for the demonstration for simplicity, but bear in mind that system drops privileges, so execv() is needed for privilege escalation

40 Payload buf[64] EBP EIP Padding system() exit() Pointer to “/bin/sh”

41 Where to put “/bin/sh”?  In buffer, after its address  Environment  Argv  Auxiliary Vectors  Anywhere else reliable

42 Demo – Ret2libc

43 Conclusion

44 Future Reading  We didn’t cover any Windows exploitation. If you want to learn the tools and techniques for the Windows environment, check out the Corelan tutorials at: https://www.corelan.be/index.php/2009/07/19/expl oit-writing-tutorial-part-1-stack-based-overflows/ https://www.corelan.be/index.php/2009/07/19/expl oit-writing-tutorial-part-1-stack-based-overflows/  We covered Ret2libc, but the next step in mitigation evasion, Return Oriented Programming (ROP) wasn’t covered. It’s worth it to read up on this, as it’s complex, but extremely powerful.

45 Thanks for coming  Let me know if there are any questions  Weekly meetings are 7pm on Wednesdays in FO 2.410  Come join our team for the upcoming Capture the Flag competitions and put these skills to use


Download ppt "EXPLOITATION CRASH COURSE – FALL 2013 UTD Computer Security Group – Andrew Folloder csg.utdallas.edu (credit: Scott Hand)"

Similar presentations


Ads by Google