Source: OpenSecurityTraining Purpose of the course • Give you a deep understanding of the mechanics of software exploitation • Prepare you to identify vulnerabilities in software source code • Help you understand the how and why of exploit mitigation technology • Depth not breadth. We will cover a few key concepts deeply, rather than covering many topics briefly. Course Outline 1 • Basic stack overflows • Shellcode • More on stack overflows • Heaps and Heap overflows Course outline 2 • Other Vulnerable Scenarios • Recognizing vulnerabilities • Finding Vulnerabilities • Exploit mitigation technology What are we trying to achieve? • Arbitrary code execution • Examples – Forcing ssh to give you root access to the power grid (like Trinity in the previous slide!) – Turning your vanilla HTTP session with a web server into a root shell session. – Forcing a privileged administrator process to execute code your normally wouldn’t be able to. – Etc…. x86 Review Lab - The EBP register points to the base of the stack frame. Local variables, which are stored on the stack, are referenced via this base pointer. - Every time a function is called, a new stack frame is setup so that the function has its own fresh context (its own clean set of local variables). - The call instruction also puts a return address on the stack so that the function knows where to return execution to. - Key point: local function variables are stored in the same place where return addresses are. Shellcode • So that’s nice, but it isn’t quite “Arbitrary code execution” since we are relying on simple_login to contain this root shell spawning code prepackaged (not realistic). • How do we insert our own arbitrary code into the program to execute? Shellcode 2 • Among other places, we can actually just insert this code into the program through a typical input medium. In other words, when simple_login attempts to read in our password guess, we can feed it in an executable program. • Thus the password[64] buffer will end up containing a small standalone program that we will later execute by redirecting the overwritten stored return address to the address of buffer! Properties of Shellcode • Aims to be small since it often has to fit in small input buffers. • Position independent (can’t make any assumptions about program state when it begins executing) • Should contain no null characters (many standard string copying library calls terminate upon seeing a null character) • Must be self-contained in an executable section (shouldn’t reference data in data sections, etc). Example shellcode payloads 1) Execute a shell 2) Add an Administrator user 3) Download and install a rootkit 4) Connect back to attacker controlled server and wait for commands 5) Etc… Linux Assembly Programming • Easier than Windows! • Simple to use and powerful system call interface • Look up the number corresponding to the system call in /usr/include/asm-i386/unistd.h • Place system call number in eax, and arguments in ebx,ecx,edx… etc in the order they appear in the corresponding man page • Execute int 0x80 to alert the kernel you want to perform a system call. 1) Null bytes are bad. Basically every standard library function is going to treat those null characters as terminators and end up truncating our program. 2) Not position independent. That 0x80490a4 address referenced is going to be meaningless when we inject this into another program. The extended (eax, ebx, ecx…) x86 registers are 32 bit. So when we attempt to Move a less than 32 bit value to one of them (mov eax, 0x4), the compiler pads the Value with 0. If we instead move the immediate value to the appropriately sized Version of the registers, the null padding will not be added. Recall: Eax = 32 bits, ax = 16 bits, al = 8 bits We still have 1 null byte left. What if we actually need to use a null byte in our code Somewhere like when we are trying to exit with a status code of 0? What about that pesky string address we are still referencing? Suggestions? Attempting to achieve position independence and our reliance on that fixed string address. -We can create a null byte to use by performing xor ebx, ebx
-Store the string we want to print/reference on the stack, and then just pass esp to the system call! But wait, the code still won’t work as shellcode. Challenge: What did Corey do wrong?? Corey burned a good hour trying to figure this mystery out…
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |