Slide 1

Slide 1 text

Anatomy of a Buffer Overflow Attack Rob Gillen @argodev

Slide 2

Slide 2 text

CodeStock is proudly partnered with: Send instant feedback on this session via Twitter: Send a direct message with the room number to @CodeStock d codestock 413a This session is great! For more information on sending feedback using Twitter while at CodeStock, please see the “CodeStock README” in your CodeStock guide. RecruitWise and Staff with Excellence - www.recruitwise.jobs

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Don’t Be Stupid The following presentation describes real attacks on real systems. Please note that most of the attacks described would be considered ILLEGAL if attempted on machines that you do not have explicit permission to test and attack. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Please remember this basic guideline: With knowledge comes responsibility.

Slide 5

Slide 5 text

Disclaimer The content of this presentation represents my personal views and thoughts at the present time. This content is not endorsed by, or representative in any way of my employer nor is it intended to be a view into my work or a reflection on the type of work that I or my group performs. It is simply a hobby and personal interest and should be considered as such.

Slide 6

Slide 6 text

Credits The vulnerability that we’ll be discussing was initially discovered by C4SS!0 G0M3S ([email protected]) and was published on June 17, 2011. http://www.exploit-db.com/exploits/17539/ James Fitts created a MetaSploit module that I also reviewed while building this module http://www.exploit-db.com/exploits/17540/

Slide 7

Slide 7 text

Example Overview • Scenario – Machine 1: BackTrack 5 SR1 – Machine 2: • Windows 7 Professional x64, SP1, fully patched • Freefloat FTP Server v1.0 • Tasks – Discover a vulnerability exists – Craft & test an exploit • Goal: Obtain reverse shell

Slide 8

Slide 8 text

Attack Process • Identify target of interest • Identify software/versions being used • Setup local Instance • Fuzz to identify vulnerability • Design/Develop Exploit • Test • Package/Weaponize

Slide 9

Slide 9 text

Terminology • CPU Registers • Assembler Debugger • Buffer Overflows • Fuzzing • Shellcode • Encoding • Bind Shell/Reverse Shell

Slide 10

Slide 10 text

CPU Registers (8086) • EAX – Accumulator Register • EBX – Base Register • ECX – Counter Register • EDX – Data Register • ESI – Source Index • EDI – Destination Index • EBP – Base Pointer • ESP – Stack Pointer Content from: http://www.swansontec.com/sregisters.html

Slide 11

Slide 11 text

CPU Registers (8086) • EIP – program counter or commonly “instruction pointer” – a processor register that indicates where a computer is in its program sequence. • Holds the memory address of (“points to”) the next instruction that would be executed. • Any thoughts on why this specific register is particularly interesting? Content from: http://en.wikipedia.org/wiki/Instruction_pointer

Slide 12

Slide 12 text

Assembler Debugger

Slide 13

Slide 13 text

Buffer Overflow • Software accepts input, but doesn’t ensure that it is only as long as supported. • In this case, software accepts a value into the variable A, but the user sends an overly-long string (“excessive”) and overflows the space allocated to A and overwrites the integer previously stored in B Content from: http://en.wikipedia.org/wiki/Buffer_overflow

Slide 14

Slide 14 text

Fuzzing • Identify points where application or service accepts data • Send varying lengths/types of data until we crash the service and/or overwrite key buffers. • Increase buffer length until no longer successful (identify upper bounds of memory space available for exploit)

Slide 15

Slide 15 text

Shellcode • Small piece of code used as the payload in the exploitation of a software vulnerability • Name comes from the purpose – usually spawns a shell and performs some action • Often written in assembly code • Types: – “normal”, Staged, Egg-hunt, Omelette Content from: http://en.wikipedia.org/wiki/Shellcode

Slide 16

Slide 16 text

Shellcode Example [BITS 32] mov ebx, 0x00424F52 push ebx mov esi, esp xor eax, eax push eax push esi push esi push eax mov eax, 0x7E45058A call eax

Slide 17

Slide 17 text

[BITS 32] mov ebx, 0x00424F52 ; Loads a null-terminated string “ROB” to ebx push ebx ; pushes ebx to the stack mov esi, esp ; saves null-terminated string “ROB” in esi xor eax, eax ; Zero our eax (eax=0) push eax ; Push the fourth parameter (uType) to the stack (value 0) push esi ; Push the third parameter (lpCaption) to the stack (value ROB\00) push esi ; Push the second parameter (lpText) to the stack (value ROB\00) push eax ; Push the first parameter (hWnd) to the stack (value 0) mov eax, 0x7E45058A ; Move the MessageBoxA address in to eax call eax ; Call the MessageBoxA function with all parameters supplied.

Slide 18

Slide 18 text

Shellcode Example BB 52 4F 42 00 53 89 E6 31 C0 50 56 56 50 B8 8A 05 45 7E FF D0

Slide 19

Slide 19 text

Encoding • There are often restrictions as to what data can be sent via the exploit (NULLs, etc.) • Self-extracting (smaller shellcode) • Self-decrypting (avoid IDS signatures) • Tools such as msfencode offer many options.

Slide 20

Slide 20 text

Encoded Shellcode \xbe\x13\xaf\x49\x81\xda\xc7 \xd9\x74\x24\xf4\x58\x31\xc9 \xb1\x06\x83\xe8\xfc\x31\x70 \x0f\x03\x70\x1c\x4d\xbc\x3a \x70\xde\x7d\x3d\x27\x69\x67 \x0c\x07\x39\x3e\x39\xd7\x02 \x34\xc0\x92\x0c\xb6\x1b

Slide 21

Slide 21 text

Bind Shell/Reverse Shell • Bind Shell – Target exposes a shell on a given port – Attacker connects to that port and executes commands – Remote Administration • Reverse Shell – Attacker listens for connections on a given port – Shell code on target connects to attacker and sends a shell – NAT-safe

Slide 22

Slide 22 text

Bind Shell Target Attacker Code executes on target and exposes a listener on a specific port (i.e. 4444) Attacker connects (Binds) to client ip:4444 Target sends shell to attacker

Slide 23

Slide 23 text

Reverse Shell Target Attacker Attacker exposes a listener on a specific port (i.e. 4444) Code executes on target and connects to the attacker ip:4444 Target sends shell to attacker

Slide 24

Slide 24 text

Fuzzing Pseudo-Code • Build array of increasing length strings (“A”) • Build array of valid commands • For each command in arrayOfCommands – For each string in arrayOfStrings • Establish FTP connection • Submit command + string • Watch for application hang/crash • Inspect register values/pointers

Slide 25

Slide 25 text

FUZZING THE SERVICE Demonstration

Slide 26

Slide 26 text

Design The Exploit • Iterate with various malicious buffer sizes to see how much space is available • Locate where within the evil buffer we actually overwrite EIP • Locate where within the evil buffer we can locate our shellcode (pointed to by other register)

Slide 27

Slide 27 text

Design The Exploit • Select / configure / encode shellcode • Integrate into exploit script (NOP slide, breakpoints, etc) • Identify reusable jump address to consistently move to shellcode • Test with breakpoints • Test in “real world” scenario

Slide 28

Slide 28 text

DESIGNING THE EXPLOIT Demonstration

Slide 29

Slide 29 text

Solutions? • Bounds checking is critical! • Fuzz your own applications • Address Space Layout Randomization (ASLR) • Operating System Support – Data Execution Prevention

Slide 30

Slide 30 text

Questions/Contact Rob Gillen [email protected] http://rob.gillenfamily.net @argodev