SlideShare ist ein Scribd-Unternehmen logo

Nethemba - Writing exploits

OWASP (Open Web Application Security Project)
OWASP (Open Web Application Security Project)

A brief description of writing exploits including:  Basic code injection  W^X (DEP), ASLR, Canary (Armoring)  Return Oriented Programming (ROP)  Tools of the Trade  Metasploit

TechnologieUnterhaltung & Humor
1 von 24
Downloaden Sie, um offline zu lesen
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com          www.nethemba.com             www.nethemba.com      
Motivation  Basic code injection  W^X (DEP), ASLR, Canary (Armoring)  Return Oriented Programming (ROP)  Tools of the Trade  Metasploit          www.nethemba.com       
A Brief History  08/11/1996 Phrack #49  Smashing The Stack For Fun And Profit, Elias  Levy “ … Code that does this is said  to smash the stack, and can  cause return from the routine to  jump to a random address.  This  can produce some of the most  insidious data­dependent bugs    known to mankind.”        www.nethemba.com       
Stack Frame Low Memory Address void func(int a, int b, int c) {    char buffer1[BUFSIZE];    char buffer2[BUFSIZE]; buffer2 } int main(int argc, char **argv) { buffer1   func(10, 20, 30); EBP } EIP  prologue, epilogue 10 push ebp mov esp, ebp 20 mov ebp, esp pop ebp 30 sub esp, $const ret   High Memory Address        www.nethemba.com       
Buffer Overflow Low Memory Address void func(char *src) {    char dest[64];    strcpy(dest, src); } int main(int argc, char **argv) { dest   func(argv[1]); EBP } EIP args   High Memory Address        www.nethemba.com       
Buffer Overflow Low Memory Address void func(char *src) {    char dest[64];    strcpy(dest, src); } int main(int argc, char **argv) { SHELLCODE   func(argv[1]); JUNK } JMP TO SC JUNK   High Memory Address        www.nethemba.com       
Low Memory Address Buffer Overflow – SEH try {   int a = 5; Local Vars   int b = 0; Next SEH   int c = a / b; } catch (Exception e) { SE Handler   printf(“ignore ..”); } EBP EIP args Next → Next → Next → 0xFFFFFFFF Pointer to Pointer to Pointer to Default Exception Exception Exception Exception Handler Handler Handler Handler High Memory Address          www.nethemba.com       
Low Memory Address Buffer Overflow – SEH try {   int a = 5; Local Vars   int b = 0; Next SEH   int c = a / b; } catch (Exception e) { SE Handler   printf(“ignore ..”); } EBP EIP args Shellcode Next → Next → 0xFFFFFFFF address POP POP RET Pointer to Pointer to Default Exception Exception Exception   Handler Handler   Handler High Memory Address      www.nethemba.com       
Low Memory Address Stack cookies – canaries Local Vars  Protection provided by the compiler  Canary (/gs, ­fstack­protector, StackGuard,  Next SEH ProPolice)  SE Handler  Can rearrange the stack layout, so  EBP string variables are on higher  EIP addresses and cannot overwrite  args other local variables  Contain “bad” characters (0x00,   0xFF) High Memory Address        www.nethemba.com       
Stack cookies – canaries  Usually a challenge  Entropy weaknesses (24­bit entropy on Ubuntu,  can by bypassed in reasonable time)  Sometimes helps to overwrite SEH  Cannot protect from buffer overflows in heap          www.nethemba.com       
Protection ­ DEP  Stack is no longer executable  W^X  Both HW (NX bit) and software support  Prevent basic buffer overflows  Four policy levels on Windows platform:  Optin,  OptOut, AlwaysOn, AlwaysOff  Can be bypassed by “return­to­libc”          www.nethemba.com       
Return to LIBC  The most generic method to bypass NX  No executable code in stack  EIP is overwritten by library function (system())  Parameters are passed via stack  Chained “return to libc”  No loops, conditional jumps, complicated things  28/12/2001 Phrack #58, Advanced return­into­   lib(c) exploits        www.nethemba.com       
Low Memory Address Return to LIBC Low Memory Address  uuu ←basic buffer overflow Local Vars Local Vars   EBP EBP EIP system() args     return to libc → EIP JUNK “/bin/sh0” High Memory Address   High Memory Address        www.nethemba.com       
ASLR  Address Stack Layout Randomization  Including Libraries, Heap, Stack  But not necessary in all libraries  You need at least one module without ASLR for  bypassing in Windows  Implementation weaknesses  Can by bypassed by format string exploits          www.nethemba.com       
Format String Attacks int main(int argc, char **argv) {   printf(“%s”, argv[1]); // correct   printf(argv[1]); // wrong } ● Reading, writing from arbitrary memory ● Direct parameter access via %<num>$ ● Writing via %n, %hn (2 bytes) ● 28/07/2002 Phrack #59, Advances in format string  exploitation          www.nethemba.com       
Return Oriented Programming ● The successor of “return to libc” technique ● Small number of instructions ending with “ret”  (Gadgets) chained together ● If we find them enough, we have the Turing  Machine ● Fixed Memory location for data interchange, usually  in .data section ● 2 registers are usually efficient          www.nethemba.com       
Return Oriented Programming ● You can bypass character restrictions (neg) ● No injected code, just rewritten stack ● ESP determines which instructions you execute ● Automated by tools (ropeme, ROPGadget) # execve /bin/sh bindport 8080 generated by RopGadget v3.3 p += pack("<I", 0x08050dda) # pop %edx | ret p += pack("<I", 0x080cd6a0) # @ .data p += pack("<I", 0x080a49f6) # pop %eax | ret p += "//us" p += pack("<I", 0x080796ed) # mov %eax,(%edx) | ret ...          www.nethemba.com       
Return Oriented Programming ● We can build the custom stack at fixed location  (bypass ASLR) ● .data, .bss (readelf) ● Multi­stage exploit ● GOT entry overwriting offset = execve() ­ printf() execve() = printf() + offsef ● Countermeasure: Position  Independent Executable (PIE)          www.nethemba.com       
Metasploit ● msfpescan, msfelfscan, msfmachscan ● irb, framework for exploits development ● tools/ (memdump, metasm_shell,  pattern_create.rb, pattern_offset.rb,  nasm_shell) ● mixins          www.nethemba.com       
Immunity Debugger ● 'mona' (successor of pvefindaddr) ● skeleton for metasploit exploit can by generated  with Immunity Debugger (mona plugin)          www.nethemba.com       
Radare ● Reverse engineering framework, *nix­style,  multiplatform ● 11/06/2009 Phrack #66, Manual Binary  Mangling With Radare radare: the entrypoint for everything :) rahash: block based hashing utility radiff: multiple binary diffing algorithms rabin:  extract information from binaries rasc:   shellcode construction helper rasm:   commandline assembler/disassembler rax:    inline multiple base converter  xrefs:  blind search for relative code references        www.nethemba.com       
Wargames ● http://overthewire.org  ● http://smashthestack.org          www.nethemba.com       
References ● http://www.radare.org/get/radare.pdf ● https://www.metasploit.com          www.nethemba.com       
Any questions? Thank you for listening Norbert Szetei, CEH          www.nethemba.com       

Empfohlen

Inside PHP [OSCON 2012]
Inside PHP [OSCON 2012]Inside PHP [OSCON 2012]
Inside PHP [OSCON 2012]Tom Lee
 
Inside Python [OSCON 2012]
Inside Python [OSCON 2012]Inside Python [OSCON 2012]
Inside Python [OSCON 2012]Tom Lee
 
Python Compiler Internals Presentation Slides
Python Compiler Internals Presentation SlidesPython Compiler Internals Presentation Slides
Python Compiler Internals Presentation SlidesTom Lee
 
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]Tom Lee
 
Scanner,BufferedReader,Applet
Scanner,BufferedReader,AppletScanner,BufferedReader,Applet
Scanner,BufferedReader,AppletAnuj Singh Rajput
 
Yapc::NA::2009 - Command Line Perl
Yapc::NA::2009 - Command Line PerlYapc::NA::2009 - Command Line Perl
Yapc::NA::2009 - Command Line PerlBruce Gray
 
setjmp
setjmpsetjmp
setjmpshinaisan
 
Better rspec 進擊的 RSpec
Better rspec 進擊的 RSpecBetter rspec 進擊的 RSpec
Better rspec 進擊的 RSpecLi Hsuan Hung
 

Empfohlen

Inside PHP [OSCON 2012]
Inside PHP [OSCON 2012]Inside PHP [OSCON 2012]
Inside PHP [OSCON 2012]Tom Lee
 
Inside Python [OSCON 2012]
Inside Python [OSCON 2012]Inside Python [OSCON 2012]
Inside Python [OSCON 2012]Tom Lee
 
Python Compiler Internals Presentation Slides
Python Compiler Internals Presentation SlidesPython Compiler Internals Presentation Slides
Python Compiler Internals Presentation SlidesTom Lee
 
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]Tom Lee
 
Scanner,BufferedReader,Applet
Scanner,BufferedReader,AppletScanner,BufferedReader,Applet
Scanner,BufferedReader,AppletAnuj Singh Rajput
 
Yapc::NA::2009 - Command Line Perl
Yapc::NA::2009 - Command Line PerlYapc::NA::2009 - Command Line Perl
Yapc::NA::2009 - Command Line PerlBruce Gray
 
setjmp
setjmpsetjmp
setjmpshinaisan
 
Better rspec 進擊的 RSpec
Better rspec 進擊的 RSpecBetter rspec 進擊的 RSpec
Better rspec 進擊的 RSpecLi Hsuan Hung
 
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]RootedCON
 
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires Dell EMC World
 
MT54 Better security is better business
MT54 Better security is better businessMT54 Better security is better business
MT54 Better security is better businessDell EMC World
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Finding Product Market Fit
Finding Product Market FitFinding Product Market Fit
Finding Product Market FitScott Bales
 
Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns Thoughtworks
 
Recommendation system
Recommendation system Recommendation system
Recommendation system Vikrant Arya
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash CourseUTD Computer Security Group
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregoryzakiakhmad
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with PythonThomas Gregory
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Kernel TLV
 
JavaScript on the GPU
JavaScript on the GPUJavaScript on the GPU
JavaScript on the GPUJarred Nicholls
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
2 buffer overflows
2 buffer overflows2 buffer overflows
2 buffer overflowsKarthic Rao
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008ClubHack
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
javascript teach
javascript teachjavascript teach
javascript teachguest3732fa
 
JSBootcamp_White
JSBootcamp_WhiteJSBootcamp_White
JSBootcamp_Whiteguest3732fa
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacksharshal kshatriya
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 

Weitere ähnliche Inhalte

Andere mochten auch

Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]RootedCON
 
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires Dell EMC World
 
MT54 Better security is better business
MT54 Better security is better businessMT54 Better security is better business
MT54 Better security is better businessDell EMC World
 
How Functions Work
How Functions WorkHow Functions Work
How Functions WorkSaumil Shah
 
Finding Product Market Fit
Finding Product Market FitFinding Product Market Fit
Finding Product Market FitScott Bales
 
Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns Thoughtworks
 
Recommendation system
Recommendation system Recommendation system
Recommendation system Vikrant Arya
 

Andere mochten auch (7)

Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
 
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
 
MT54 Better security is better business
MT54 Better security is better businessMT54 Better security is better business
MT54 Better security is better business
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
Finding Product Market Fit
Finding Product Market FitFinding Product Market Fit
Finding Product Market Fit
 
Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns
 
Recommendation system
Recommendation system Recommendation system
Recommendation system
 

Ähnlich wie Nethemba - Writing exploits

Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregoryzakiakhmad
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with PythonThomas Gregory
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Kernel TLV
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughterQuinn Wilton
 
2 buffer overflows
2 buffer overflows2 buffer overflows
2 buffer overflowsKarthic Rao
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick reviewCe.Se.N.A. Security
 
Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008ClubHack
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
 
javascript teach
javascript teachjavascript teach
javascript teachguest3732fa
 
JSBootcamp_White
JSBootcamp_WhiteJSBootcamp_White
JSBootcamp_Whiteguest3732fa
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 
Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )Tim Bunce
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksJapneet Singh
 
XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64The Linux Foundation
 
Seh based attack
Seh based attackSeh based attack
Seh based attackMihir Shah
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 

Ähnlich wie Nethemba - Writing exploits (20)

Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with Python
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 
JavaScript on the GPU
JavaScript on the GPUJavaScript on the GPU
JavaScript on the GPU
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
2 buffer overflows
2 buffer overflows2 buffer overflows
2 buffer overflows
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
javascript teach
javascript teachjavascript teach
javascript teach
 
JSBootcamp_White
JSBootcamp_WhiteJSBootcamp_White
JSBootcamp_White
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 
Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 

Mehr von OWASP (Open Web Application Security Project)

Mehr von OWASP (Open Web Application Security Project) (16)

Paralelni polisweb
Paralelni poliswebParalelni polisweb
Paralelni polisweb
 
Preco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost NethembaPreco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost Nethemba
 
Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application Firewalls
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploit
 
Sms ticket-hack4
Sms ticket-hack4Sms ticket-hack4
Sms ticket-hack4
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenario
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2
 
Php sec
Php secPhp sec
Php sec
 
Nove trendy-zranitelnosti
Nove trendy-zranitelnostiNove trendy-zranitelnosti
Nove trendy-zranitelnosti
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethemba
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 
Mifare classic-slides
Mifare classic-slidesMifare classic-slides
Mifare classic-slides
 
1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 

Kürzlich hochgeladen

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 

Kürzlich hochgeladen (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 

Nethemba - Writing exploits

  • 1. Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com          www.nethemba.com             www.nethemba.com      
  • 2. Motivation  Basic code injection  W^X (DEP), ASLR, Canary (Armoring)  Return Oriented Programming (ROP)  Tools of the Trade  Metasploit          www.nethemba.com       
  • 3. A Brief History  08/11/1996 Phrack #49  Smashing The Stack For Fun And Profit, Elias  Levy “ … Code that does this is said  to smash the stack, and can  cause return from the routine to  jump to a random address.  This  can produce some of the most  insidious data­dependent bugs    known to mankind.”        www.nethemba.com       
  • 4. Stack Frame Low Memory Address void func(int a, int b, int c) {    char buffer1[BUFSIZE];    char buffer2[BUFSIZE]; buffer2 } int main(int argc, char **argv) { buffer1   func(10, 20, 30); EBP } EIP  prologue, epilogue 10 push ebp mov esp, ebp 20 mov ebp, esp pop ebp 30 sub esp, $const ret   High Memory Address        www.nethemba.com       
  • 5. Buffer Overflow Low Memory Address void func(char *src) {    char dest[64];    strcpy(dest, src); } int main(int argc, char **argv) { dest   func(argv[1]); EBP } EIP args   High Memory Address        www.nethemba.com       
  • 6. Buffer Overflow Low Memory Address void func(char *src) {    char dest[64];    strcpy(dest, src); } int main(int argc, char **argv) { SHELLCODE   func(argv[1]); JUNK } JMP TO SC JUNK   High Memory Address        www.nethemba.com       
  • 7. Low Memory Address Buffer Overflow – SEH try {   int a = 5; Local Vars   int b = 0; Next SEH   int c = a / b; } catch (Exception e) { SE Handler   printf(“ignore ..”); } EBP EIP args Next → Next → Next → 0xFFFFFFFF Pointer to Pointer to Pointer to Default Exception Exception Exception Exception Handler Handler Handler Handler High Memory Address          www.nethemba.com       
  • 8. Low Memory Address Buffer Overflow – SEH try {   int a = 5; Local Vars   int b = 0; Next SEH   int c = a / b; } catch (Exception e) { SE Handler   printf(“ignore ..”); } EBP EIP args Shellcode Next → Next → 0xFFFFFFFF address POP POP RET Pointer to Pointer to Default Exception Exception Exception   Handler Handler   Handler High Memory Address      www.nethemba.com       
  • 9. Low Memory Address Stack cookies – canaries Local Vars  Protection provided by the compiler  Canary (/gs, ­fstack­protector, StackGuard,  Next SEH ProPolice)  SE Handler  Can rearrange the stack layout, so  EBP string variables are on higher  EIP addresses and cannot overwrite  args other local variables  Contain “bad” characters (0x00,   0xFF) High Memory Address        www.nethemba.com       
  • 10. Stack cookies – canaries  Usually a challenge  Entropy weaknesses (24­bit entropy on Ubuntu,  can by bypassed in reasonable time)  Sometimes helps to overwrite SEH  Cannot protect from buffer overflows in heap          www.nethemba.com       
  • 11. Protection ­ DEP  Stack is no longer executable  W^X  Both HW (NX bit) and software support  Prevent basic buffer overflows  Four policy levels on Windows platform:  Optin,  OptOut, AlwaysOn, AlwaysOff  Can be bypassed by “return­to­libc”          www.nethemba.com       
  • 12. Return to LIBC  The most generic method to bypass NX  No executable code in stack  EIP is overwritten by library function (system())  Parameters are passed via stack  Chained “return to libc”  No loops, conditional jumps, complicated things  28/12/2001 Phrack #58, Advanced return­into­   lib(c) exploits        www.nethemba.com       
  • 13. Low Memory Address Return to LIBC Low Memory Address  uuu ←basic buffer overflow Local Vars Local Vars   EBP EBP EIP system() args     return to libc → EIP JUNK “/bin/sh0” High Memory Address   High Memory Address        www.nethemba.com       
  • 14. ASLR  Address Stack Layout Randomization  Including Libraries, Heap, Stack  But not necessary in all libraries  You need at least one module without ASLR for  bypassing in Windows  Implementation weaknesses  Can by bypassed by format string exploits          www.nethemba.com       
  • 15. Format String Attacks int main(int argc, char **argv) {   printf(“%s”, argv[1]); // correct   printf(argv[1]); // wrong } ● Reading, writing from arbitrary memory ● Direct parameter access via %<num>$ ● Writing via %n, %hn (2 bytes) ● 28/07/2002 Phrack #59, Advances in format string  exploitation          www.nethemba.com       
  • 16. Return Oriented Programming ● The successor of “return to libc” technique ● Small number of instructions ending with “ret”  (Gadgets) chained together ● If we find them enough, we have the Turing  Machine ● Fixed Memory location for data interchange, usually  in .data section ● 2 registers are usually efficient          www.nethemba.com       
  • 17. Return Oriented Programming ● You can bypass character restrictions (neg) ● No injected code, just rewritten stack ● ESP determines which instructions you execute ● Automated by tools (ropeme, ROPGadget) # execve /bin/sh bindport 8080 generated by RopGadget v3.3 p += pack("<I", 0x08050dda) # pop %edx | ret p += pack("<I", 0x080cd6a0) # @ .data p += pack("<I", 0x080a49f6) # pop %eax | ret p += "//us" p += pack("<I", 0x080796ed) # mov %eax,(%edx) | ret ...          www.nethemba.com       
  • 18. Return Oriented Programming ● We can build the custom stack at fixed location  (bypass ASLR) ● .data, .bss (readelf) ● Multi­stage exploit ● GOT entry overwriting offset = execve() ­ printf() execve() = printf() + offsef ● Countermeasure: Position  Independent Executable (PIE)          www.nethemba.com       
  • 19. Metasploit ● msfpescan, msfelfscan, msfmachscan ● irb, framework for exploits development ● tools/ (memdump, metasm_shell,  pattern_create.rb, pattern_offset.rb,  nasm_shell) ● mixins          www.nethemba.com       
  • 20. Immunity Debugger ● 'mona' (successor of pvefindaddr) ● skeleton for metasploit exploit can by generated  with Immunity Debugger (mona plugin)          www.nethemba.com       
  • 21. Radare ● Reverse engineering framework, *nix­style,  multiplatform ● 11/06/2009 Phrack #66, Manual Binary  Mangling With Radare radare: the entrypoint for everything :) rahash: block based hashing utility radiff: multiple binary diffing algorithms rabin:  extract information from binaries rasc:   shellcode construction helper rasm:   commandline assembler/disassembler rax:    inline multiple base converter  xrefs:  blind search for relative code references        www.nethemba.com       
  • 22. Wargames ● http://overthewire.org  ● http://smashthestack.org          www.nethemba.com       
  • 23. References ● http://www.radare.org/get/radare.pdf ● https://www.metasploit.com          www.nethemba.com       
  • 24. Any questions? Thank you for listening Norbert Szetei, CEH          www.nethemba.com