KEMBAR78
Low Level Exploits | PDF
Uploaded byhughpearse
PDF, PPTX1,510 views

Low Level Exploits

This document discusses various low-level exploits, beginning with creating shellcode by extracting opcodes from a compiled C program. It then covers stack-based buffer overflows, including return-to-stack exploits and return-to-libc. Next it discusses heap overflows using the unlink technique, integer overflows, and format string vulnerabilities. The document provides code examples and explanations of the techniques.

Download as PDF, PPTX
Low Level Exploits Email: hughpearse@gmail.com Twitter: https://twitter.com/hughpearse LinkedIn: http://ie.linkedin.com/in/hughpearse
Table of Contents Creating Shellcode Buffer Overflows On the Stack Return to Stack Return to LibC - Linux Return to SEH - Windows Return to Heap (Heap Spraying) Heap Overflows (unlink macro) Integer Overflows Format String Vulnerability Null Pointers ROP Chains Questions References
Creating Shellcode
Creating Shellcode Natively Compiled Code does not normally run in an interpreter such as a JVM. C++ Compiler #include<stdio.h> main(){ printf("hello, world"); } Assembly Assembler Op-codes
Creating Shellcode The ELF file typically runs on a Linux/Apple/UNIX while the PE file typically runs on Windows. Elf File Format PE File Format Elf Header MZ-DOS Header Program Header Table PE Signature Section 1 Section 2 Image File Header ... Section Table (Image Section Headers) Section n Sections 1-n Section Header Table (Optional) COFF Debug Sections
Creating Shellcode When a linux application executes the hex value 0x80 it causes a software interrupt. The kernel then takes over by taking the values in the general registers in the CPU and launching the appropriate system call based on the values in the registers. Applications Kernel Hardware Syscalls Ordinary Instructions
Creating Shellcode Let us write an application to execute the exit syscall. //exit.c main(){ exit(0); } Compile the program using the following command: gcc -static exit.c -o exit.out This command creates a file called "exit.out". Lets look at the contents of this file.
Creating Shellcode objdump -d ./exit 08048f14 <main>: 8048f14: 8048f15: 8048f17: 8048f1a: 8048f1d: 8048f24: 8048f29: 8048f2b: 8048f2d: 8048f2f: 55 push 89 e5 mov 83 e4 f0 83 ec 10 c7 04 24 00 00 00 00 e8 77 08 00 00 66 90 xchg 66 90 xchg 66 90 xchg 90 nop %ebp %esp,%ebp and $0xfffffff0,%esp sub $0x10,%esp movl $0x0,(%esp) call 80497a0 <exit> %ax,%ax %ax,%ax %ax,%ax 08053a0c <_exit>: 8053a0c: 8b 5c 24 04 8053a10: b8 fc 00 00 00 8053a15: ff 15 a4 f5 0e 08 8053a1b: b8 01 00 00 00 8053a20: cd 80 8053a22: f4 8053a23: 90 8053a24: 66 90 8053a26: 66 90 8053a28: 66 90 8053a2a: 66 90 8053a2c: 66 90 8053a2e: 66 90 mov 0x4(%esp),%ebx mov $0xfc,%eax call *0x80ef5a4 mov $0x1,%eax int $0x80 hlt nop xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax
Creating Shellcode The output of the "objdump" command has three columns. Virtual addresses, Op-codes and Mnemonics. We want the opcodes to create our payload. We will be storing our shellcode inside a character array. This means we cannot have null values. Also sometimes endianness can be a problem.
Creating Shellcode Virtual addresses, Op-codes, Mnemonics 08048f14 <main>: 8048f14: 8048f15: 8048f17: 8048f1a: 8048f1d: 8048f24: 8048f29: 8048f2b: 8048f2d: 8048f2f: 55 push 89 e5 mov 83 e4 f0 83 ec 10 c7 04 24 00 00 00 00 e8 77 08 00 00 66 90 xchg 66 90 xchg 66 90 xchg 90 nop %ebp %esp,%ebp and $0xfffffff0,%esp sub $0x10,%esp movl $0x0,(%esp) call 80497a0 <exit> %ax,%ax %ax,%ax %ax,%ax 08053a0c <_exit>: 8053a0c: 8b 5c 24 04 8053a10: b8 fc 00 00 00 8053a15: ff 15 a4 f5 0e 08 8053a1b: b8 01 00 00 00 8053a20: cd 80 8053a22: f4 8053a23: 90 8053a24: 66 90 8053a26: 66 90 8053a28: 66 90 8053a2a: 66 90 8053a2c: 66 90 8053a2e: 66 90 mov 0x4(%esp),%ebx mov $0xfc,%eax call *0x80ef5a4 mov $0x1,%eax int $0x80 hlt nop xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax
Creating Shellcode Our op-codes should look like this: 8b 5c 24 04 b8 fc 00 00 00 ff 15 a4 f5 0e 08 b8 01 00 00 00 cd 80 Paste this text into a text editor and use the "find and replace" feature to replace space with "x" to make a hexadecimal character array out of it. Don't forget to surround the text with quotes. "x8bx5cx24x04xb8xfcx00x00x00xffx15xa4xf5x0ex08 xb8x01x00x00x00xcdx80" We now have a string containing machine instructions.
Creating Shellcode Simply execute the character array to test it. #include <stdio.h> #include <stdlib.h> #include <string.h> char* shellcode = "x8bx5cx24....." int main(){ void (*f)(); f = (void (*)())shellcode; (void)(*f)(); }
Buffer Overflows On the Stack
Buffer Overflows On the Stack When an application is launched three import program sections are created in memory. These sections contain different types of information. 1. Text -> Stores machine instructions 2. Stack -> Stores automatic variables and return addresses 3. Heap -> Stores variables whose size is only known at runtime by using the malloc() function. For the moment we are interested in the Stack.
Buffer Overflows On the Stack Stack Frames The stack is divided up into contiguous pieces called frames. A frame is created each time a function is called. A frame contains: 1. the arguments to the function. 2. the function's local variables. 3. the address at which the function is executing. 4. the address at which to return to after executing.
Buffer Overflows On the Stack When the program starts, the stack has only one frame for main(). This is called the initial frame or the outermost frame. Each time a function is called, a new frame is made. Each time a function returns, the frame for that function is eliminated. If a function is recursive, there can be many frames for the same function. The frame for the function in which execution is actually occurring is called the innermost frame. This is the most recently created of all the stack frames that still exist.
Buffer Overflows On the Stack //example-functions.h void e(int a1, int a2){ int local1=1; int local2=2; f(local1, local2); } void f(int a1, int a2){ int local1; int local2; } Local Variables Return Address Frame for f() Parameters Local Variables Return Address Frame for e() Parameters
Buffer Overflows On the Stack Find the address of other functions that were statically compiled into the program by using the command: gdb -q -ex "info functions" --batch ./hello-world | tr -s " " | cut -d " " -f 2 | sort | uniq [AAAA][AAAA][AAAA][AAAA] [AAAA][function return address] [AAAA][AAAA] [AAAA][AAAA] Frame [AAAA] for f() [function return address] Parameters Local Variables Return Address Function F does not return to E; Function F returns to X. Parameters Frame for e()
Return to Stack
Return to Stack Return to Stack A buffer overflow attack is a general definition for a class of attacks to put more data in a buffer than it can hold thus overwriting the return address. Return to Stack is a specific stack buffer overflow attack where the return address is the same as the address on the stack for storing the variable information. Thus you are executing the stack. [instructions][instructions][return address]
Return to Stack As you can see in the diagram the local variables of the function have been overwritten. The Return to Stack exploit is also known as "Smashing The Stack". [instructions] [instructions] [stack return address] Frame for f() Parameters Local Variables Return Address Parameters Frame for e()
Return to LibC
Return to LibC (Linux) "Smash the stack" attacks have been made more difficult by a technology called a non-executable stack. NX stack can still be bypassed. A buffer overflow is still required but the data on the stack is not executable shellcode, it contains read-only arguments to a function. LibC is a dynamic library that is part of every userspace application on a linux system. This library contains all sorts of functions such as system() to launch an application.
Return to LibC (Linux) Now we can spawn a shell system("/bin/bash wget ..."); system() in LibC [arguments] [arguments] [stack return address] Frame for f() Parameters Local Variables Return Address Parameters Frame for e()
Return to Structured Exception Handler (SEH)
Return to SEH (Windows) Stack cookies are numbers that are placed before the return address when a function begins, and checked before the function returns. This prevents buffer overflow attacks. [buffer][cookie][saved EBP][saved EIP]
Return to SEH (Windows) If the overwritten cookie does not match with the original cookie, the code checks to see if there is a developer defined exception handler. If not, the OS exception handler will kick in. [buffer][cookie][SEH record][saved ebp][saved eip] (1.) - Overwrite an Exception Handler registration structure (2.) - Trigger an exception before the cookie is checked (3.) - Return to overwritten Exception Handler
Return to Heap
Return to Heap (Heap Spraying) Heap spraying is an unreliable method of increasing the chances of returning to executable instructions in a buffer overflow attack. Attackers create thousands of data structures in memory which contain mostly null operations (the 0x90 instruction) with the executable machine instructions at the end of the structure. Statistically the chances of returning to a valid location on a "NOP sled" are increased by increasing the size of the data structures. Sometimes the chance can be up to 50%.
Heap Overflows
unlink() Technique by w00w00 The Bin structure in the .bss segment stores unused memory chunks in a doubly linked list. The chunks contain forward pointers and backward pointers. 16 24 32 ... 512 576 640
unlink() Technique by w00w00 When memory is allocated, the pointers of the previous and next block are re-written using the unlink() function by dereferencing the pointers in the middle block. #define unlink( P, BK, FD ) { BK = P->bk; FD = P->fd; FD->bk = BK; BK->fd = FD; }
unlink() Technique by w00w00 How a normal unlink() works. Step 1:
unlink() Technique by w00w00 How a normal unlink() works. Step 2:
unlink() Technique by w00w00 When a heap management operation (such as free / malloc / unlink) is made, pointers in the chunk headers are dereferenced. We want to target the unlink() macro (a deprecated version of the Doug Lea memory allocator algorithm).
unlink() Technique by w00w00 Heap overflows work by overflowing areas of heap memory and overwriting the headers of the next area in memory. If the first chunk contains a buffer, then we can overwrite the headers in the next chunk which is unallocated. AAAAAA AAAAAA AAAAAA
unlink() Technique by w00w00 By altering these pointers we can write to arbitrary addresses in memory. Dereferencing is confusing! Unlink has 2 write operations. By overwriting the header of a chunk, we can choose what we write to memory! [fwd-ptr] = bk-ptr and [bk-ptr] = fwd-ptr Try overwriting pointers in the Global Offset Table.
unlink() Technique by w00w00 We can force unlink() to write to the GOT, and write to the shellcode chunk. instructions-pointer is written somewhere on the Global Offset Table GOT Instructions GOT i-ptr
unlink() Technique by w00w00 The memory pointed to by fd+12 is overwritten with bk, then the memory pointed to by bk+8 is overwritten with the value of fd. unlink() overwrites the GOT with the shellcode's address in the first step. This was the primary goal of the exploit. The second step writes a pointer just past the start of the shellcode. This would normally render the shellcode unrunnable, but the shellcode can be made to start with a jump instruction, skipping over the part of the shellcode that is overwritten during unlinking.
Integer Overflows
Integer Overflows Primitive Data Types 8 bits: maximum representable value 2^8−1 = 255 16 bits: maximum representable value 2^16−1 = 65,535 In order to represent a negative value, a bit must be removed from the byte and used as a flag to indicate whether the value is positive or negative.
Integer Overflows Signed 16 bit integer −32,768 to 32,767 0111 1111 +1 1000 0000 +1 1000 0000 +1 1000 0000 1111 1111 = 32,767 0000 0000 = -0 or 32,768 0000 0001 = -1 or 32,769 0000 0010 = -2 or 32,770
Integer Overflows Some programs may make the assumption that a number always contains a positive value. If the number has a signature bit at the beginning, an overflow can cause its value to become negative. An overflow may violate the program's assumption and may lead to unintended behavior.
Format String Vulnerabilities
Format String Vulnerabilities What is a format string? int x=3; printf("%d", x); How many formats exist in C/C++? There are at least 17 basic ones, and lots of permutations. %d Signed decimal integer %s Character string %x Unsigned hexadecimal integer %u Unsigned decimal integer %n The number of characters written so far
Format String Vulnerabilities How do format string vulnerabilities occur? They are usually lazy programmers who make mistakes. This is correct: printf("%s", argv[1]); This is incorrect: printf(argv[1]); #include <stdio.h> void main(int argc, char *argv[]){ printf("%s", argv[1]); }
Format String Vulnerabilities But they both seem to work? Yes! It will work which makes it difficult to detect. ./correct "Hello123" Output: Hello123 ./incorrect "Hello123" Output: Hello123
Format String Vulnerabilities Lets try inputting format string specifiers ./correct "%x" Output: %x ./incorrect "%x" Output: 12ffb8
Format String Vulnerabilities Lets take another look at what format string specifiers can do. %x - Pop data off the stack and display it %s - Dereference pointer seen above and read to null byte value %n - Dereference counter location and write the functions output count to address %x - Read from stack %s - Read from memory %n - Write to memory
Format String Vulnerabilities Exploiting the vulnerability ./incorrect "AAAA %x %x %x %x %x" Output: AAAA 12ffb89a 12f376 77648426 41414141
Null Pointers
Null Pointers Each application has its own address space, with which it is free to do with it as it wants. NULL can be a valid virtual address in your application using mmap(). user land - uses virtual addresses kernel land - uses physical addresses
Null Pointers Address space switching expensive so the kernel just runs in the address space of whichever process was last executing. At any moment, the processor knows whether it is executing code in user mode or in kernel mode. Pages in virtual memory have flags on it that specifies whether or not user code is allowed to access it.
Null Pointers Find kernel code that is initialized to NULL struct my_ops { ssize_t (*do_it)(void); }; static struct my_ops *ops = NULL; This structure must be executed by the kernel return ops->do_it();
Null Pointers Disable OS security echo 0 > /proc/sys/vm/mmap_min_addr In your userland application you must declare code that is to be executed with kernel privileges void get_root(void) { commit_creds(prepare_kernel_cred(0)); } Map a page at zero virtual address mmap(0, 4096, PROT_READ | PROT_WRITE , MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED , -1 , 0);
Null Pointers Immediately Declare a pointer at null void (**fn)(void) = NULL; Set the address of our malicious userspace code as the value of our pointer *fn = get_root; Finally trigger the vulnerable kernel function that executes the structure. This is usually a syscall such as read(), write() etc...
Null Pointers This works for 2 reasons: (1.) - Since the kernel runs in the address space of a userspace process, we can map a page at NULL and control what data a NULL pointer dereference in the kernel sees, just like we could for our own process! (2.) - To get code executing in kernel mode, we don't need to do any trickery to get at the kernel's data structures. They're all there in our address space, protected only by the fact that we're not normally able to run code in kernel mode.
Null Pointers When the CPU is in user mode, translations are only effective for the userspace region of memory, thus protecting the kernel from user programs. When in kernel mode, translations are effective for both userspace and kernelspace regions, thus giving the kernel easy access to userspace memory, it just uses the process' own mappings. Without any exploit, just triggering the syscall would cause a crash.
Return Oriented Programming Chains (ROP)
ROP Chains ROP chains are chains of short instruction sequences followed by a return instruction. These short sequences are called gadgets. Each gadget returns to the next gadget without ever executing a single bit from our non-executable shellcode. ROP chains enable attackers to bypass DEP and ASLR. Since we cannot execute our own code on the stack, the only thing we can do is call existing functions. To access these existing functions using buffer overflow, we require at least one non-ASLR module to be loaded.
ROP Chains Scan executable memory regions of libraries using automated tools to find useful instruction sequences followed by a return. Existing functions will provide us with some options: (1.) - execute commands (classic "ret-to-libc") (2.) - mark memory as executable A single gadget could look like this: POP EAX RET
ROP Chains A single gadget would just continue to follow a path of execution that is being stored in the stack. This means we only control the instruction pointer for 2 instructions. We have to select a gadget that can alter multiple frames. ROP Gadget [AAAA][AAAA] [AAAA][AAAA] Frame [AAAA][stack return address] for f() Parameters Local Variables Return Address Parameters Frame for e()
ROP Chains Using a stack pivot, the ESP register (stack pointer) is loaded with the address to our own data so that input data is realigned and can be interpreted as return addresses and arguments to the called functions. Pivots basically enables us to use a forged stack. Sample ROP exploit: (1.) - Start the ROP chain (2.) - Use a gadget pivot to the stack pointer to buffer (3.) - Return to fake stack, and launch more gadgets (4.) - Use gadgets to set up stack/registers (5.) - Use gadgets to disable DEP/ASLR (6.) - Return to shellcode and execute
Fin
Questions Questions
References SEH Exploit https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ Heap Overflow http://www.thehackerslibrary.com/?p=872 http://etutorials.org/Networking/network+security+assessment/Chapter+13.+Application-Level+Risks/13.5+Heap+Overflows/ http://geekscomputer.blogspot.com/2008/12/buffer-overflows.html http://drdeath.myftp.org:881/books/Exploiting/Understanding.Heap.Overflow.Exploits.pdf https://rstforums.com/forum/62318-run-time-detection-heap-based-overflows.rst http://www.phrack.org/archives/57/p57_0x08_Vudo%20malloc%20tricks_by_MaXX.txt http://www.cgsecurity.org/exploit/heaptut.txt http://www.sans.edu/student-files/presentations/heap_overflows_notes.pdf Null Dereference Exploits http://www.computerworld.com.au/article/212804/null_pointer_exploit_excites_researchers/ http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html https://blogs.oracle.com/ksplice/entry/much_ado_about_null_exploiting1 http://blog.mobiledefense.com/2012/11/analysis-of-null-pointer-dereference-in-the-android-kernel/ http://lwn.net/Articles/342330/ http://lwn.net/Articles/75174/ http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory http://blog.mobiledefense.com/2012/11/analysis-of-null-pointer-dereference-in-the-android-kernel/ ROP Chains https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ http://www.exploit-db.com/wp-content/themes/exploit/docs/17914.pdf http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf http://www.exploit-monday.com/2011/11/man-vs-rop-overcoming-adversity-one.html https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

More Related Content

PPTX
Dive into ROP - a quick introduction to Return Oriented Programming
bySaumil Shah
 
PDF
Exploit techniques and mitigation
byYaniv Shani
 
PDF
One Shellcode to Rule Them All: Cross-Platform Exploitation
byQuinn Wilton
 
PDF
Return oriented programming
byhybr1s
 
PPTX
08 - Return Oriented Programming, the chosen one
byAlexandre Moneger
 
PPTX
Return oriented programming (ROP)
byPipat Methavanitpong
 
PPT
Advance ROP Attacks
byn|u - The Open Security Community
 
PDF
Return-Oriented Programming: Exploits Without Code Injection
byguest9f4856
 
Dive into ROP - a quick introduction to Return Oriented Programming
bySaumil Shah
 
Exploit techniques and mitigation
byYaniv Shani
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
byQuinn Wilton
 
Return oriented programming
byhybr1s
 
08 - Return Oriented Programming, the chosen one
byAlexandre Moneger
 
Return oriented programming (ROP)
byPipat Methavanitpong
 
Advance ROP Attacks
byn|u - The Open Security Community
 
Return-Oriented Programming: Exploits Without Code Injection
byguest9f4856
 

What's hot

PPTX
An introduction to ROP
bySaumil Shah
 
PDF
Handling inline assembly in Clang and LLVM
byMin-Yih Hsu
 
PDF
Triton and symbolic execution on gdb
byWei-Bo Chen
 
PPTX
Operating Systems - A Primer
bySaumil Shah
 
PDF
Klee and angr
byWei-Bo Chen
 
PPTX
Power of linked list
byPeter Hlavaty
 
PDF
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
PPTX
x86
byWei-Bo Chen
 
PPTX
How Safe is your Link ?
byPeter Hlavaty
 
PDF
ROP 輕鬆談
byhackstuff
 
PDF
fg.workshop: Software vulnerability
byfg.informatik Universität Basel
 
PPTX
Triton and Symbolic execution on GDB@DEF CON China
byWei-Bo Chen
 
PDF
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
byCODE BLUE
 
PPTX
Ice Age melting down: Intel features considered usefull!
byPeter Hlavaty
 
PDF
CNIT 127: Ch 3: Shellcode
bySam Bowne
 
PPTX
Hacking - high school intro
byPeter Hlavaty
 
PDF
R ext world/ useR! Kiev
byRuslan Shevchenko
 
PDF
DeathNote of Microsoft Windows Kernel
byPeter Hlavaty
 
PDF
How to write a TableGen backend
byMin-Yih Hsu
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs
bySam Bowne
 
An introduction to ROP
bySaumil Shah
 
Handling inline assembly in Clang and LLVM
byMin-Yih Hsu
 
Triton and symbolic execution on gdb
byWei-Bo Chen
 
Operating Systems - A Primer
bySaumil Shah
 
Klee and angr
byWei-Bo Chen
 
Power of linked list
byPeter Hlavaty
 
CNIT 127 Ch 3: Shellcode
bySam Bowne
 
x86
byWei-Bo Chen
 
How Safe is your Link ?
byPeter Hlavaty
 
ROP 輕鬆談
byhackstuff
 
fg.workshop: Software vulnerability
byfg.informatik Universität Basel
 
Triton and Symbolic execution on GDB@DEF CON China
byWei-Bo Chen
 
Take a Jailbreak -Stunning Guards for iOS Jailbreak- by Kaoru Otsuka
byCODE BLUE
 
Ice Age melting down: Intel features considered usefull!
byPeter Hlavaty
 
CNIT 127: Ch 3: Shellcode
bySam Bowne
 
Hacking - high school intro
byPeter Hlavaty
 
R ext world/ useR! Kiev
byRuslan Shevchenko
 
DeathNote of Microsoft Windows Kernel
byPeter Hlavaty
 
How to write a TableGen backend
byMin-Yih Hsu
 
CNIT 127 Ch 4: Introduction to format string bugs
bySam Bowne
 

Viewers also liked

PDF
Smashing The Stack
byDaniele Bellavista
 
PPTX
Introduction to Linux Exploit Development
byjohndegruyter
 
PPTX
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
bysecurityxploded
 
PPT
Introduction to pointers and memory management in C
byUri Dekel
 
PDF
Advanced exploit development
byDan H
 
PPT
Debugging Applications with GNU Debugger
byPriyank Kapadia
 
PDF
The Stack Frame
byIvo Marinkov
 
PPTX
How Functions Work
bySaumil Shah
 
PDF
Insecure coding in C (and C++)
byOlve Maudal
 
PDF
Ctf hello,world!
byHacks in Taiwan (HITCON)
 
PDF
Basic of Exploitation
byJongseok Choi
 
PPT
Reliable Windows Heap Exploits
byamiable_indian
 
PDF
DbiFuzz framework #ZeroNights E.0x03 slides
byPeter Hlavaty
 
PPTX
Racing with Droids
byPeter Hlavaty
 
PDF
Linux Shellcode disassembling
byHarsh Daftary
 
PPTX
07 - Bypassing ASLR, or why X^W matters
byAlexandre Moneger
 
PDF
Anatomy of A Shell Code, Reverse engineering
byAbhineet Ayan
 
PDF
Efficient Bytecode Analysis: Linespeed Shellcode Detection
byGeorg Wicherski
 
ODP
Design and implementation_of_shellcodes
byAmr Ali
 
PDF
Shellcode and heapspray detection in phoneyc
byZ Chen
 
Smashing The Stack
byDaniele Bellavista
 
Introduction to Linux Exploit Development
byjohndegruyter
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
bysecurityxploded
 
Introduction to pointers and memory management in C
byUri Dekel
 
Advanced exploit development
byDan H
 
Debugging Applications with GNU Debugger
byPriyank Kapadia
 
The Stack Frame
byIvo Marinkov
 
How Functions Work
bySaumil Shah
 
Insecure coding in C (and C++)
byOlve Maudal
 
Ctf hello,world!
byHacks in Taiwan (HITCON)
 
Basic of Exploitation
byJongseok Choi
 
Reliable Windows Heap Exploits
byamiable_indian
 
DbiFuzz framework #ZeroNights E.0x03 slides
byPeter Hlavaty
 
Racing with Droids
byPeter Hlavaty
 
Linux Shellcode disassembling
byHarsh Daftary
 
07 - Bypassing ASLR, or why X^W matters
byAlexandre Moneger
 
Anatomy of A Shell Code, Reverse engineering
byAbhineet Ayan
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
byGeorg Wicherski
 
Design and implementation_of_shellcodes
byAmr Ali
 
Shellcode and heapspray detection in phoneyc
byZ Chen
 

Similar to Low Level Exploits

PDF
Exploitation Crash Course
byUTD Computer Security Group
 
PPTX
Software to the slaughter
byQuinn Wilton
 
PDF
Buffer overflow tutorial
byhughpearse
 
PDF
Ceh v5 module 20 buffer overflow
byVi Tính Hoàng Nam
 
PPTX
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
byahmed8790
 
PPTX
Stack-Based Buffer Overflows
byDaniel Tumser
 
PPT
Software Exploits
byKevinCSmallwood
 
ODP
Introduction to Binary Exploitation
byCysinfo Cyber Security Community
 
PDF
Riding the Overflow - Then and Now
byMiroslav Stampar
 
PDF
Buffer Overflows in cybersecurity notes .pdf
byavinashspider018
 
PPTX
Buffer overflow attacks
byJapneet Singh
 
PPTX
Buffer Overflow by SecArmour
bySec Armour
 
PDF
Smashing the Buffer
byMiroslav Stampar
 
ODP
Exploiting Memory Overflows
byAnkur Tyagi
 
PPT
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
PPTX
antoanthongtin_Lesson 3- Software Security (1).pptx
by23162024
 
PPT
Buffer Overflows
bySumit Kumar
 
PPTX
test
byaaro11
 
PDF
[ENG] Hacktivity 2013 - Alice in eXploitland
byZoltan Balazs
 
PDF
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Exploitation Crash Course
byUTD Computer Security Group
 
Software to the slaughter
byQuinn Wilton
 
Buffer overflow tutorial
byhughpearse
 
Ceh v5 module 20 buffer overflow
byVi Tính Hoàng Nam
 
fjfh mjgkj jkhglkjh jhlkh lhlkkhl kjhjkhjk
byahmed8790
 
Stack-Based Buffer Overflows
byDaniel Tumser
 
Software Exploits
byKevinCSmallwood
 
Introduction to Binary Exploitation
byCysinfo Cyber Security Community
 
Riding the Overflow - Then and Now
byMiroslav Stampar
 
Buffer Overflows in cybersecurity notes .pdf
byavinashspider018
 
Buffer overflow attacks
byJapneet Singh
 
Buffer Overflow by SecArmour
bySec Armour
 
Smashing the Buffer
byMiroslav Stampar
 
Exploiting Memory Overflows
byAnkur Tyagi
 
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
antoanthongtin_Lesson 3- Software Security (1).pptx
by23162024
 
Buffer Overflows
bySumit Kumar
 
test
byaaro11
 
[ENG] Hacktivity 2013 - Alice in eXploitland
byZoltan Balazs
 
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 

More from hughpearse

PDF
HughPearseEsriTraining
byhughpearse
 
PDF
HughPearse-ACE-Forensics-Certification
byhughpearse
 
PDF
Prism-Proof Cloud Email Services
byhughpearse
 
PDF
Nmap flags table
byhughpearse
 
PDF
ACE forensics certification
byhughpearse
 
PDF
Diffie-Hellman key exchange
byhughpearse
 
PDF
Metasploit cheat sheet
byhughpearse
 
HughPearseEsriTraining
byhughpearse
 
HughPearse-ACE-Forensics-Certification
byhughpearse
 
Prism-Proof Cloud Email Services
byhughpearse
 
Nmap flags table
byhughpearse
 
ACE forensics certification
byhughpearse
 
Diffie-Hellman key exchange
byhughpearse
 
Metasploit cheat sheet
byhughpearse
 

Recently uploaded

PDF
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
 
PPTX
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
PDF
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PPTX
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
PPTX
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
PDF
NDP Act GAID Simplified: From Confusion to Compliance
byMuiz Adeleke
 
PDF
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
PDF
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
PDF
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
PDF
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
PDF
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
PPTX
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
PDF
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
PDF
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
Using Copilot with Microsoft Office Apps
byDeb Walther
 
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
BioVault.net ADW 2025 CODATA: SyftBox: a General Purpose Solution for Data Vi...
byMadhava Jay
 
Session 5 - Specialized AI Associate Series: Build a Document Understanding ...
byDianaGray10
 
NDP Act GAID Simplified: From Confusion to Compliance
byMuiz Adeleke
 
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
Expert Python App Development Company for Modern Enterprises
bySynapseIndia
 
Rivian's Push Notification Sub Stream with Mega Filter by Marcus Kim & Saahil...
byScyllaDB
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
Beyond Generative AI: Creating Demand for Compute in the 2030s
byReidar Wasenius
 
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 

Low Level Exploits

  • 1.
    Low Level Exploits Email:hughpearse@gmail.com Twitter: https://twitter.com/hughpearse LinkedIn: http://ie.linkedin.com/in/hughpearse
  • 2.
    Table of Contents CreatingShellcode Buffer Overflows On the Stack Return to Stack Return to LibC - Linux Return to SEH - Windows Return to Heap (Heap Spraying) Heap Overflows (unlink macro) Integer Overflows Format String Vulnerability Null Pointers ROP Chains Questions References
  • 3.
  • 4.
    Creating Shellcode Natively CompiledCode does not normally run in an interpreter such as a JVM. C++ Compiler #include<stdio.h> main(){ printf("hello, world"); } Assembly Assembler Op-codes
  • 5.
    Creating Shellcode The ELFfile typically runs on a Linux/Apple/UNIX while the PE file typically runs on Windows. Elf File Format PE File Format Elf Header MZ-DOS Header Program Header Table PE Signature Section 1 Section 2 Image File Header ... Section Table (Image Section Headers) Section n Sections 1-n Section Header Table (Optional) COFF Debug Sections
  • 6.
    Creating Shellcode When alinux application executes the hex value 0x80 it causes a software interrupt. The kernel then takes over by taking the values in the general registers in the CPU and launching the appropriate system call based on the values in the registers. Applications Kernel Hardware Syscalls Ordinary Instructions
  • 7.
    Creating Shellcode Let uswrite an application to execute the exit syscall. //exit.c main(){ exit(0); } Compile the program using the following command: gcc -static exit.c -o exit.out This command creates a file called "exit.out". Lets look at the contents of this file.
  • 8.
    Creating Shellcode objdump -d./exit 08048f14 <main>: 8048f14: 8048f15: 8048f17: 8048f1a: 8048f1d: 8048f24: 8048f29: 8048f2b: 8048f2d: 8048f2f: 55 push 89 e5 mov 83 e4 f0 83 ec 10 c7 04 24 00 00 00 00 e8 77 08 00 00 66 90 xchg 66 90 xchg 66 90 xchg 90 nop %ebp %esp,%ebp and $0xfffffff0,%esp sub $0x10,%esp movl $0x0,(%esp) call 80497a0 <exit> %ax,%ax %ax,%ax %ax,%ax 08053a0c <_exit>: 8053a0c: 8b 5c 24 04 8053a10: b8 fc 00 00 00 8053a15: ff 15 a4 f5 0e 08 8053a1b: b8 01 00 00 00 8053a20: cd 80 8053a22: f4 8053a23: 90 8053a24: 66 90 8053a26: 66 90 8053a28: 66 90 8053a2a: 66 90 8053a2c: 66 90 8053a2e: 66 90 mov 0x4(%esp),%ebx mov $0xfc,%eax call *0x80ef5a4 mov $0x1,%eax int $0x80 hlt nop xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax
  • 9.
    Creating Shellcode The outputof the "objdump" command has three columns. Virtual addresses, Op-codes and Mnemonics. We want the opcodes to create our payload. We will be storing our shellcode inside a character array. This means we cannot have null values. Also sometimes endianness can be a problem.
  • 10.
    Creating Shellcode Virtual addresses,Op-codes, Mnemonics 08048f14 <main>: 8048f14: 8048f15: 8048f17: 8048f1a: 8048f1d: 8048f24: 8048f29: 8048f2b: 8048f2d: 8048f2f: 55 push 89 e5 mov 83 e4 f0 83 ec 10 c7 04 24 00 00 00 00 e8 77 08 00 00 66 90 xchg 66 90 xchg 66 90 xchg 90 nop %ebp %esp,%ebp and $0xfffffff0,%esp sub $0x10,%esp movl $0x0,(%esp) call 80497a0 <exit> %ax,%ax %ax,%ax %ax,%ax 08053a0c <_exit>: 8053a0c: 8b 5c 24 04 8053a10: b8 fc 00 00 00 8053a15: ff 15 a4 f5 0e 08 8053a1b: b8 01 00 00 00 8053a20: cd 80 8053a22: f4 8053a23: 90 8053a24: 66 90 8053a26: 66 90 8053a28: 66 90 8053a2a: 66 90 8053a2c: 66 90 8053a2e: 66 90 mov 0x4(%esp),%ebx mov $0xfc,%eax call *0x80ef5a4 mov $0x1,%eax int $0x80 hlt nop xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax xchg %ax,%ax
  • 11.
    Creating Shellcode Our op-codesshould look like this: 8b 5c 24 04 b8 fc 00 00 00 ff 15 a4 f5 0e 08 b8 01 00 00 00 cd 80 Paste this text into a text editor and use the "find and replace" feature to replace space with "x" to make a hexadecimal character array out of it. Don't forget to surround the text with quotes. "x8bx5cx24x04xb8xfcx00x00x00xffx15xa4xf5x0ex08 xb8x01x00x00x00xcdx80" We now have a string containing machine instructions.
  • 12.
    Creating Shellcode Simply executethe character array to test it. #include <stdio.h> #include <stdlib.h> #include <string.h> char* shellcode = "x8bx5cx24....." int main(){ void (*f)(); f = (void (*)())shellcode; (void)(*f)(); }
  • 13.
  • 14.
    Buffer Overflows Onthe Stack When an application is launched three import program sections are created in memory. These sections contain different types of information. 1. Text -> Stores machine instructions 2. Stack -> Stores automatic variables and return addresses 3. Heap -> Stores variables whose size is only known at runtime by using the malloc() function. For the moment we are interested in the Stack.
  • 15.
    Buffer Overflows Onthe Stack Stack Frames The stack is divided up into contiguous pieces called frames. A frame is created each time a function is called. A frame contains: 1. the arguments to the function. 2. the function's local variables. 3. the address at which the function is executing. 4. the address at which to return to after executing.
  • 16.
    Buffer Overflows Onthe Stack When the program starts, the stack has only one frame for main(). This is called the initial frame or the outermost frame. Each time a function is called, a new frame is made. Each time a function returns, the frame for that function is eliminated. If a function is recursive, there can be many frames for the same function. The frame for the function in which execution is actually occurring is called the innermost frame. This is the most recently created of all the stack frames that still exist.
  • 17.
    Buffer Overflows Onthe Stack //example-functions.h void e(int a1, int a2){ int local1=1; int local2=2; f(local1, local2); } void f(int a1, int a2){ int local1; int local2; } Local Variables Return Address Frame for f() Parameters Local Variables Return Address Frame for e() Parameters
  • 18.
    Buffer Overflows Onthe Stack Find the address of other functions that were statically compiled into the program by using the command: gdb -q -ex "info functions" --batch ./hello-world | tr -s " " | cut -d " " -f 2 | sort | uniq [AAAA][AAAA][AAAA][AAAA] [AAAA][function return address] [AAAA][AAAA] [AAAA][AAAA] Frame [AAAA] for f() [function return address] Parameters Local Variables Return Address Function F does not return to E; Function F returns to X. Parameters Frame for e()
  • 19.
  • 20.
    Return to Stack Returnto Stack A buffer overflow attack is a general definition for a class of attacks to put more data in a buffer than it can hold thus overwriting the return address. Return to Stack is a specific stack buffer overflow attack where the return address is the same as the address on the stack for storing the variable information. Thus you are executing the stack. [instructions][instructions][return address]
  • 21.
    Return to Stack Asyou can see in the diagram the local variables of the function have been overwritten. The Return to Stack exploit is also known as "Smashing The Stack". [instructions] [instructions] [stack return address] Frame for f() Parameters Local Variables Return Address Parameters Frame for e()
  • 22.
  • 23.
    Return to LibC(Linux) "Smash the stack" attacks have been made more difficult by a technology called a non-executable stack. NX stack can still be bypassed. A buffer overflow is still required but the data on the stack is not executable shellcode, it contains read-only arguments to a function. LibC is a dynamic library that is part of every userspace application on a linux system. This library contains all sorts of functions such as system() to launch an application.
  • 24.
    Return to LibC(Linux) Now we can spawn a shell system("/bin/bash wget ..."); system() in LibC [arguments] [arguments] [stack return address] Frame for f() Parameters Local Variables Return Address Parameters Frame for e()
  • 25.
  • 26.
    Return to SEH(Windows) Stack cookies are numbers that are placed before the return address when a function begins, and checked before the function returns. This prevents buffer overflow attacks. [buffer][cookie][saved EBP][saved EIP]
  • 27.
    Return to SEH(Windows) If the overwritten cookie does not match with the original cookie, the code checks to see if there is a developer defined exception handler. If not, the OS exception handler will kick in. [buffer][cookie][SEH record][saved ebp][saved eip] (1.) - Overwrite an Exception Handler registration structure (2.) - Trigger an exception before the cookie is checked (3.) - Return to overwritten Exception Handler
  • 28.
  • 29.
    Return to Heap(Heap Spraying) Heap spraying is an unreliable method of increasing the chances of returning to executable instructions in a buffer overflow attack. Attackers create thousands of data structures in memory which contain mostly null operations (the 0x90 instruction) with the executable machine instructions at the end of the structure. Statistically the chances of returning to a valid location on a "NOP sled" are increased by increasing the size of the data structures. Sometimes the chance can be up to 50%.
  • 30.
  • 31.
    unlink() Technique byw00w00 The Bin structure in the .bss segment stores unused memory chunks in a doubly linked list. The chunks contain forward pointers and backward pointers. 16 24 32 ... 512 576 640
  • 32.
    unlink() Technique byw00w00 When memory is allocated, the pointers of the previous and next block are re-written using the unlink() function by dereferencing the pointers in the middle block. #define unlink( P, BK, FD ) { BK = P->bk; FD = P->fd; FD->bk = BK; BK->fd = FD; }
  • 33.
    unlink() Technique byw00w00 How a normal unlink() works. Step 1:
  • 34.
    unlink() Technique byw00w00 How a normal unlink() works. Step 2:
  • 35.
    unlink() Technique byw00w00 When a heap management operation (such as free / malloc / unlink) is made, pointers in the chunk headers are dereferenced. We want to target the unlink() macro (a deprecated version of the Doug Lea memory allocator algorithm).
  • 36.
    unlink() Technique byw00w00 Heap overflows work by overflowing areas of heap memory and overwriting the headers of the next area in memory. If the first chunk contains a buffer, then we can overwrite the headers in the next chunk which is unallocated. AAAAAA AAAAAA AAAAAA
  • 37.
    unlink() Technique byw00w00 By altering these pointers we can write to arbitrary addresses in memory. Dereferencing is confusing! Unlink has 2 write operations. By overwriting the header of a chunk, we can choose what we write to memory! [fwd-ptr] = bk-ptr and [bk-ptr] = fwd-ptr Try overwriting pointers in the Global Offset Table.
  • 38.
    unlink() Technique byw00w00 We can force unlink() to write to the GOT, and write to the shellcode chunk. instructions-pointer is written somewhere on the Global Offset Table GOT Instructions GOT i-ptr
  • 39.
    unlink() Technique byw00w00 The memory pointed to by fd+12 is overwritten with bk, then the memory pointed to by bk+8 is overwritten with the value of fd. unlink() overwrites the GOT with the shellcode's address in the first step. This was the primary goal of the exploit. The second step writes a pointer just past the start of the shellcode. This would normally render the shellcode unrunnable, but the shellcode can be made to start with a jump instruction, skipping over the part of the shellcode that is overwritten during unlinking.
  • 40.
  • 41.
    Integer Overflows Primitive DataTypes 8 bits: maximum representable value 2^8−1 = 255 16 bits: maximum representable value 2^16−1 = 65,535 In order to represent a negative value, a bit must be removed from the byte and used as a flag to indicate whether the value is positive or negative.
  • 42.
    Integer Overflows Signed 16bit integer −32,768 to 32,767 0111 1111 +1 1000 0000 +1 1000 0000 +1 1000 0000 1111 1111 = 32,767 0000 0000 = -0 or 32,768 0000 0001 = -1 or 32,769 0000 0010 = -2 or 32,770
  • 43.
    Integer Overflows Some programsmay make the assumption that a number always contains a positive value. If the number has a signature bit at the beginning, an overflow can cause its value to become negative. An overflow may violate the program's assumption and may lead to unintended behavior.
  • 44.
  • 45.
    Format String Vulnerabilities Whatis a format string? int x=3; printf("%d", x); How many formats exist in C/C++? There are at least 17 basic ones, and lots of permutations. %d Signed decimal integer %s Character string %x Unsigned hexadecimal integer %u Unsigned decimal integer %n The number of characters written so far
  • 46.
    Format String Vulnerabilities Howdo format string vulnerabilities occur? They are usually lazy programmers who make mistakes. This is correct: printf("%s", argv[1]); This is incorrect: printf(argv[1]); #include <stdio.h> void main(int argc, char *argv[]){ printf("%s", argv[1]); }
  • 47.
    Format String Vulnerabilities Butthey both seem to work? Yes! It will work which makes it difficult to detect. ./correct "Hello123" Output: Hello123 ./incorrect "Hello123" Output: Hello123
  • 48.
    Format String Vulnerabilities Letstry inputting format string specifiers ./correct "%x" Output: %x ./incorrect "%x" Output: 12ffb8
  • 49.
    Format String Vulnerabilities Letstake another look at what format string specifiers can do. %x - Pop data off the stack and display it %s - Dereference pointer seen above and read to null byte value %n - Dereference counter location and write the functions output count to address %x - Read from stack %s - Read from memory %n - Write to memory
  • 50.
    Format String Vulnerabilities Exploitingthe vulnerability ./incorrect "AAAA %x %x %x %x %x" Output: AAAA 12ffb89a 12f376 77648426 41414141
  • 51.
  • 52.
    Null Pointers Each applicationhas its own address space, with which it is free to do with it as it wants. NULL can be a valid virtual address in your application using mmap(). user land - uses virtual addresses kernel land - uses physical addresses
  • 53.
    Null Pointers Address spaceswitching expensive so the kernel just runs in the address space of whichever process was last executing. At any moment, the processor knows whether it is executing code in user mode or in kernel mode. Pages in virtual memory have flags on it that specifies whether or not user code is allowed to access it.
  • 54.
    Null Pointers Find kernelcode that is initialized to NULL struct my_ops { ssize_t (*do_it)(void); }; static struct my_ops *ops = NULL; This structure must be executed by the kernel return ops->do_it();
  • 55.
    Null Pointers Disable OSsecurity echo 0 > /proc/sys/vm/mmap_min_addr In your userland application you must declare code that is to be executed with kernel privileges void get_root(void) { commit_creds(prepare_kernel_cred(0)); } Map a page at zero virtual address mmap(0, 4096, PROT_READ | PROT_WRITE , MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED , -1 , 0);
  • 56.
    Null Pointers Immediately Declarea pointer at null void (**fn)(void) = NULL; Set the address of our malicious userspace code as the value of our pointer *fn = get_root; Finally trigger the vulnerable kernel function that executes the structure. This is usually a syscall such as read(), write() etc...
  • 57.
    Null Pointers This worksfor 2 reasons: (1.) - Since the kernel runs in the address space of a userspace process, we can map a page at NULL and control what data a NULL pointer dereference in the kernel sees, just like we could for our own process! (2.) - To get code executing in kernel mode, we don't need to do any trickery to get at the kernel's data structures. They're all there in our address space, protected only by the fact that we're not normally able to run code in kernel mode.
  • 58.
    Null Pointers When theCPU is in user mode, translations are only effective for the userspace region of memory, thus protecting the kernel from user programs. When in kernel mode, translations are effective for both userspace and kernelspace regions, thus giving the kernel easy access to userspace memory, it just uses the process' own mappings. Without any exploit, just triggering the syscall would cause a crash.
  • 59.
  • 60.
    ROP Chains ROP chainsare chains of short instruction sequences followed by a return instruction. These short sequences are called gadgets. Each gadget returns to the next gadget without ever executing a single bit from our non-executable shellcode. ROP chains enable attackers to bypass DEP and ASLR. Since we cannot execute our own code on the stack, the only thing we can do is call existing functions. To access these existing functions using buffer overflow, we require at least one non-ASLR module to be loaded.
  • 61.
    ROP Chains Scan executablememory regions of libraries using automated tools to find useful instruction sequences followed by a return. Existing functions will provide us with some options: (1.) - execute commands (classic "ret-to-libc") (2.) - mark memory as executable A single gadget could look like this: POP EAX RET
  • 62.
    ROP Chains A singlegadget would just continue to follow a path of execution that is being stored in the stack. This means we only control the instruction pointer for 2 instructions. We have to select a gadget that can alter multiple frames. ROP Gadget [AAAA][AAAA] [AAAA][AAAA] Frame [AAAA][stack return address] for f() Parameters Local Variables Return Address Parameters Frame for e()
  • 63.
    ROP Chains Using astack pivot, the ESP register (stack pointer) is loaded with the address to our own data so that input data is realigned and can be interpreted as return addresses and arguments to the called functions. Pivots basically enables us to use a forged stack. Sample ROP exploit: (1.) - Start the ROP chain (2.) - Use a gadget pivot to the stack pointer to buffer (3.) - Return to fake stack, and launch more gadgets (4.) - Use gadgets to set up stack/registers (5.) - Use gadgets to disable DEP/ASLR (6.) - Return to shellcode and execute
  • 64.
  • 65.
  • 66.
    References SEH Exploit https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ Heap Overflow http://www.thehackerslibrary.com/?p=872 http://etutorials.org/Networking/network+security+assessment/Chapter+13.+Application-Level+Risks/13.5+Heap+Overflows/ http://geekscomputer.blogspot.com/2008/12/buffer-overflows.html http://drdeath.myftp.org:881/books/Exploiting/Understanding.Heap.Overflow.Exploits.pdf https://rstforums.com/forum/62318-run-time-detection-heap-based-overflows.rst http://www.phrack.org/archives/57/p57_0x08_Vudo%20malloc%20tricks_by_MaXX.txt http://www.cgsecurity.org/exploit/heaptut.txt http://www.sans.edu/student-files/presentations/heap_overflows_notes.pdf NullDereference Exploits http://www.computerworld.com.au/article/212804/null_pointer_exploit_excites_researchers/ http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html https://blogs.oracle.com/ksplice/entry/much_ado_about_null_exploiting1 http://blog.mobiledefense.com/2012/11/analysis-of-null-pointer-dereference-in-the-android-kernel/ http://lwn.net/Articles/342330/ http://lwn.net/Articles/75174/ http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory http://blog.mobiledefense.com/2012/11/analysis-of-null-pointer-dereference-in-the-android-kernel/ ROP Chains https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ http://www.exploit-db.com/wp-content/themes/exploit/docs/17914.pdf http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf http://www.exploit-monday.com/2011/11/man-vs-rop-overcoming-adversity-one.html https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/