SlideShare a Scribd company logo

Tranning-2

Download as PPTX, PDF
A
Ali Hussain
1 of 35
Introduction to Software Exploitation Faheem & Ali Ebryx (pvt) Ltd Reference: http://opensecuritytraining.info/Expl oits1.html
Purpose of the course •Give you a deep understanding of the mechanics of software exploitation •Demonstration of buffer overflow attack •Custom Shell-code writing and executing •Exploit finding techniques http://opensecuritytraining.info/Exploits1.html
Lets get down to business http://opensecuritytraining.info/Exploits1.html
What are we trying to achieve? •Arbitrary code execution •Examples –Forcing ssh to give you root access to the power grid (like Trinity in the previous slide!) –Bypassing authentication checks. –Forcing a privileged administrator process to execute code your normally wouldn’t be able to. –Etc…. http://opensecuritytraining.info/Exploits1.html
You are presented with the following program…. This worked in the movies… What arbitrary code execution do we want? Go_shell() would be nice!http://opensecuritytraining.info/Exploits1.html
Real life Sayyyyy what? http://opensecuritytraining.info/Exploits1.html
x86 Review Lab •The EBP register points to the base of the stack frame. Local variables, which are stored on the stack, are referenced via this base pointer. •Every time a function is called, a new stack frame is setup so that the function has its own fresh context (its own clean set of local variables). •The call instruction also puts a return address on the stack so that the function knows where to return execution to.http://opensecuritytraining.info/Exploits1.html
Boring…. Let’s investigate Stack (grows downwards) Junk Junk Junk Junk Junk Junk Junk Main() just called http://opensecuritytraining.info/Exploits1.html
Stack (grows downwards) Return address into main Main’s saved frame pointer (ebp) Char password[64]; Junk Junk Junk Junk Authorize() just called The top of authorize()’s stack frame stores main()’s saved frame pointer (0xbffff5f8) as well as the return address to return execution too once authorize() is finished (0x080483b)http://opensecuritytraining.info/Exploits1.html
Stack (grows downwards) Return address into main Main’s saved frame pointer (ebp) “password” Junk Junk Junk Junk Authorize() just called Notice the 64 byte difference between the top of the stack (esp) and the base of the frame (ebp). These are the 64 bytes we created to store password. Also worth noting is that where password is stored on the stack is 68 bytes away from the saved return address into main… http://opensecuritytraining.info/Exploits1.html
f password is more than the 64 bytes than we allocated for it on the stack? The instruction pointer ends up pointing to 0x41414141, which is “AAAA.” This means we can cause arbitrary code execution since we can set the instruction pointer.http://opensecuritytraining.info/Exploits1.html
Since 0x41414141 is arbitrary, we have achieved our goal of “Arbitrary code execution.” However, 0x41414141 isn’t very useful since it just crashes the program (because 0x41414141 points to nowhere). Remember what we want to achieve is execution of go_shell() since that does something useful (gives us administrator access). To achieve this, we first fill up the password[64] buffer with 64 bytes of junk, then 4 extra bytes of junk to overwrite the saved frame pointer, and then also write 4 bytes representing the address of go_shell(). http://opensecuritytraining.info/Exploits1.html
Oh, Yeahh we corrupted that stack! We are now executing go_shell()’s code! http://opensecuritytraining.info/Exploits1.html
It’s more useful for us to put this all together outside of a debugger. he unix pipe “|” is to redirect output of our command (cat payload;cat) and use it as he input for simple_login. We have to put the extra “cat” in the command to echo ommands to the shell we will spawn, otherwise an EOF is sent and the shell closes mmediately before we can actually execute any programs. http://opensecuritytraining.info/Exploits1.html
Shellcode •So that’s nice, but it isn’t quite “Arbitrary code execution” since we are relying on simple_login to contain this root shell spawning code prepackaged (not realistic). •How do we insert our own arbitrary code into the program to execute? http://opensecuritytraining.info/Exploits1.html
Shellcode 2 •Among other places, we can actually just insert this code into the program through a typical input medium. In other words, when simple_login attempts to read in our password guess, we can feed it in an executable program. •Thus the password[64] buffer will end up containing a small standalone program that we will later execute by redirecting the overwritten stored return address to the address of buffer! http://opensecuritytraining.info/Exploits1.html
Properties of shellcode •Aims to be small since it often has to fit in small input buffers. •Position independent (can’t make any assumptions about program state when it begins executing) •Should contain no null characters (many standard string copying library calls terminate upon seeing a null character) •Must be self contained in an executable section (shouldn’t reference data in data sections, etc). http://opensecuritytraining.info/Exploits1.html
Example shellcode payloads 1)Execute a shell 2)Add an Administrator user 3)Download and install a rootkit 4)Connect back to attacker controlled server and wait for commands 5)Etc… http://opensecuritytraining.info/Exploits1.html
Hello, World! - Linux http://opensecuritytraining.info/Exploits1.html
Can we use it as shellcode? What are the problems here? http://opensecuritytraining.info/Exploits1.html
Can we use it as shellcode? 1)Null bytes are bad. Basically every standard library function is going to treat those null characters as terminators and end up truncating our program. 2)Not position independent. That 0x80490a4 address referenced is going to be meaningless when we inject this into another program. http://opensecuritytraining.info/Exploits1.html
he extended (eax, ebx, ecx…) x86 registers are 32 bit. So when we attempt to Move a less than 32 bit value to one of them (mov eax, 0x4), the compiler pads the alue with 0. If we instead move the immediate value to the appropriately sized ersion of the registers, the null padding will not be added. ecall: ax = 32 bits, ax = 16 bits, al = 8 bits We still have 1 null byte left. What if we actually need to use a null byte in our code Somewhere like when we are trying to exit with a status code of 0? What about that pesky string address we are still referencing? Suggestions? http://opensecuritytraining.info/Exploits1.html
pting to achieve position independence and our reliance on that fixed string address. -We can create a null byte to use by performing xor ebx, ebx - Store the string we want to print/reference on the stack, and then just pass esp to the system call! But wait, the code still won’t work as shellcode. Challenge: What did Corey do wrong?? http://opensecuritytraining.info/Exploits1.html
Corey burned a good hour trying to figure this mystery out… Standard library functions also truncate on the new line byte (0x0a)! Hence 0x0a Is bad like null bytes! http://opensecuritytraining.info/Exploits1.html
The easy way out…. cally I just changed the newline character to another exclamation point to get rid of ibc copy problem, and to put emphasis on how hard we are owning these programs. u are jaded you might just think I’m cheating here…http://opensecuritytraining.info/Exploits1.html
New goal! •Previously we forced the simple login program to execute go_shell(). By overwriting the saved return address and thereby setting the eip to go_shell()’s start. •But we want to use our new toy, our snazzy shellcode. •How do we get our shellcode into the program so we can overflow the return address again and set eip to execute our shellcode? http://opensecuritytraining.info/Exploits1.html
Game Plan •Instead of spraying a bunch of junk into the password buffer to get to the saved return address, we will first input our shellcode’s opcodes. (This is perfectly acceptable program input). •Then, we will change the eip of the program to point to the password buffer, where are shellcode’s opcode is stored! http://opensecuritytraining.info/Exploits1.html
For ease I created a hello_shell.pl script which just prints out our shellcode’s opcodes, making it easier to inject into the password[64] buffer in the simple login program. http://opensecuritytraining.info/Exploits1.html
member, when overflowing the password[64] buffer of the simple_login program overwrite the eip, we first filled password with 64 bytes of junk (0x41), 4 additional tes of junk to overwrite the saved frame pointer, and then 4 bytes representing the dress with which we were going to overwrite the saved return address with. AAAAAA…. 64 times><AAAA><0x080482aa> Old payload… http://opensecuritytraining.info/Exploits1.html
New Payload Heres what we are going for… <NOP.NOP.NOP><SHELLCODE OPS><AAAA><Address of password buffer> • <NOP.NOP.NOP><SHELLCODE OPS> still needs to be a total of 64 bytes combined. • Recall, NOPS are just do nothing instructions, so when eip points to the password buffer, it will just ‘do nothing’ until it starts hitting the shellcode op codes. •sizeof<NOPS> = 64 – sizeof<SHELLCODE OPS> http://opensecuritytraining.info/Exploits1.html
•First we build the <NOPS><SHELLCODE> portion of the shellcode •Still need the <AAAA><Address of Password Buffer> part of the payload •We need to determine the address of the password bufferhttp://opensecuritytraining.info/Exploits1.html
•We set a break point after the gets() call that reads in the buffer so we can try to find out shellcode on the stack •Looks like 0xbffff594 lies in the middle of our NOPS, so the password buffer must be there. We will make this our target eip.http://opensecuritytraining.info/Exploits1.html
Final Payload Construction •We now have the <NOPS><Shellcode><AAAA><address of password buffer> payload complete •Let’s use it! http://opensecuritytraining.info/Exploits1.html
•We just forced simple_login to execute arbitrary code that we injected into it!!! •In reality, an attacker would want to do something more useful than just print a message. •What would you do if you wanted to execute arbitrary code but the architecture forbid you from executing the password buffer as if it were code? http://opensecuritytraining.info/Exploits1.html
Something more useful! http://opensecuritytraining.info/Exploits1.html

Recommended

Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
Payampardaz
 
Anti Debugging
Anti DebuggingAnti Debugging
Anti Debugging
n|u - The Open Security Community
 
Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida python
geeksec80
 
Php manish
Php manishPhp manish
Php manish
Manish Jain
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security Professionals
Andrew McNicol
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016
Rouven Weßling
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?
Rouven Weßling
 
The why and how of moving to php 8
The why and how of moving to php 8The why and how of moving to php 8
The why and how of moving to php 8
Wim Godden
 

Recommended

Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
Payampardaz
 
Anti Debugging
Anti DebuggingAnti Debugging
Anti Debugging
n|u - The Open Security Community
 
Introduction to ida python
Introduction to ida pythonIntroduction to ida python
Introduction to ida python
geeksec80
 
Php manish
Php manishPhp manish
Php manish
Manish Jain
 
Introduction to Python for Security Professionals
Introduction to Python for Security ProfessionalsIntroduction to Python for Security Professionals
Introduction to Python for Security Professionals
Andrew McNicol
 
Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016Static Analysis of PHP Code – IPC Berlin 2016
Static Analysis of PHP Code – IPC Berlin 2016
Rouven Weßling
 
What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?What is the Joomla Framework and why do we need it?
What is the Joomla Framework and why do we need it?
Rouven Weßling
 
The why and how of moving to php 8
The why and how of moving to php 8The why and how of moving to php 8
The why and how of moving to php 8
Wim Godden
 
Python - Introduction
Python - IntroductionPython - Introduction
Python - Introduction
stn_tkiller
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data Encoding
Sam Bowne
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
TECHNOLOGY CONTROL CO.
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
Rouven Weßling
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
fg.informatik Universität Basel
 
Dynamic Binary Instrumentation
Dynamic Binary Instrumentation Dynamic Binary Instrumentation
Dynamic Binary Instrumentation
Cysinfo Cyber Security Community
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basics
Cysinfo Cyber Security Community
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
Christian Martorella
 
Basic Concepts in Python
Basic Concepts in PythonBasic Concepts in Python
Basic Concepts in Python
Sumit Satam
 
Hacking with hhvm
Hacking with hhvmHacking with hhvm
Hacking with hhvm
Elizabeth Smith
 
Java Bytecode Fundamentals - JUG.lv
Java Bytecode Fundamentals - JUG.lvJava Bytecode Fundamentals - JUG.lv
Java Bytecode Fundamentals - JUG.lv
Anton Arhipov
 
Python programming introduction
Python programming introductionPython programming introduction
Python programming introduction
Siddique Ibrahim
 
Python basics
Python basicsPython basics
Python basics
RANAALIMAJEEDRAJPUT
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
Jonathan Salwan
 
Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...
Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...
Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...
Edureka!
 
Monitoring distributed (micro-)services
Monitoring distributed (micro-)servicesMonitoring distributed (micro-)services
Monitoring distributed (micro-)services
Rafael Winterhalter
 
Full Python in 20 slides
Full Python in 20 slidesFull Python in 20 slides
Full Python in 20 slides
rfojdar
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
Saumil Shah
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
zynamics GmbH
 
BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama Elhamer
Shellmates
 
Metasploit for information gathering
Metasploit for information gatheringMetasploit for information gathering
Metasploit for information gathering
Chris Harrington
 

More Related Content

What's hot

Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
Java Bytecode Fundamentals - JUG.lv
Java Bytecode Fundamentals - JUG.lvJava Bytecode Fundamentals - JUG.lv
Java Bytecode Fundamentals - JUG.lv
Anton Arhipov
 
Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...
Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...
Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...
Edureka!
 
Monitoring distributed (micro-)services
Monitoring distributed (micro-)servicesMonitoring distributed (micro-)services
Monitoring distributed (micro-)services
Rafael Winterhalter
 
Full Python in 20 slides
Full Python in 20 slidesFull Python in 20 slides
Full Python in 20 slides
rfojdar
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
zynamics GmbH
 

What's hot (20)

Python - Introduction
Python - IntroductionPython - Introduction
Python - Introduction
 
CNIT 126 13: Data Encoding
CNIT 126 13: Data EncodingCNIT 126 13: Data Encoding
CNIT 126 13: Data Encoding
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
PHPcon Poland - Static Analysis of PHP Code – How the Heck did I write so man...
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
Dynamic Binary Instrumentation
Dynamic Binary Instrumentation Dynamic Binary Instrumentation
Dynamic Binary Instrumentation
 
Reversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basicsReversing malware analysis training part4 assembly programming basics
Reversing malware analysis training part4 assembly programming basics
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
 
Basic Concepts in Python
Basic Concepts in PythonBasic Concepts in Python
Basic Concepts in Python
 
Hacking with hhvm
Hacking with hhvmHacking with hhvm
Hacking with hhvm
 
Java Bytecode Fundamentals - JUG.lv
Java Bytecode Fundamentals - JUG.lvJava Bytecode Fundamentals - JUG.lv
Java Bytecode Fundamentals - JUG.lv
 
Python programming introduction
Python programming introductionPython programming introduction
Python programming introduction
 
Python basics
Python basicsPython basics
Python basics
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
 
Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...
Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...
Advanced Python Tutorial | Learn Advanced Python Concepts | Python Programmin...
 
Monitoring distributed (micro-)services
Monitoring distributed (micro-)servicesMonitoring distributed (micro-)services
Monitoring distributed (micro-)services
 
Full Python in 20 slides
Full Python in 20 slidesFull Python in 20 slides
Full Python in 20 slides
 
Operating Systems - A Primer
Operating Systems - A PrimerOperating Systems - A Primer
Operating Systems - A Primer
 
How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
 

Viewers also liked

BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama Elhamer
Shellmates
 
Metasploit-TOI-Ebryx-PVT-Ltd
Metasploit-TOI-Ebryx-PVT-LtdMetasploit-TOI-Ebryx-PVT-Ltd
Metasploit-TOI-Ebryx-PVT-Ltd
Ali Hussain
 
Network Packet Analysis
Network Packet AnalysisNetwork Packet Analysis
Network Packet Analysis
Ammar WK
 
Packet analysis (Basic)
Packet analysis (Basic)Packet analysis (Basic)
Packet analysis (Basic)
Ammar WK
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
devilback
 

Viewers also liked (20)

BSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama ElhamerBSides Algiers - Metasploit framework - Oussama Elhamer
BSides Algiers - Metasploit framework - Oussama Elhamer
 
Metasploit for information gathering
Metasploit for information gatheringMetasploit for information gathering
Metasploit for information gathering
 
Metasploit Humla for Beginner
Metasploit Humla for BeginnerMetasploit Humla for Beginner
Metasploit Humla for Beginner
 
Metasploit
MetasploitMetasploit
Metasploit
 
Metasploit-TOI-Ebryx-PVT-Ltd
Metasploit-TOI-Ebryx-PVT-LtdMetasploit-TOI-Ebryx-PVT-Ltd
Metasploit-TOI-Ebryx-PVT-Ltd
 
Informationssicherheit im Übersetzungsprozess
Informationssicherheit im ÜbersetzungsprozessInformationssicherheit im Übersetzungsprozess
Informationssicherheit im Übersetzungsprozess
 
Penetration test
Penetration testPenetration test
Penetration test
 
Static PIE, How and Why - Metasploit's new POSIX payload: Mettle
Static PIE, How and Why - Metasploit's new POSIX payload: MettleStatic PIE, How and Why - Metasploit's new POSIX payload: Mettle
Static PIE, How and Why - Metasploit's new POSIX payload: Mettle
 
Webinar Metasploit Framework - Academia Clavis
Webinar Metasploit Framework - Academia ClavisWebinar Metasploit Framework - Academia Clavis
Webinar Metasploit Framework - Academia Clavis
 
Slide Palestra "Metasploit Framework"
Slide Palestra "Metasploit Framework"Slide Palestra "Metasploit Framework"
Slide Palestra "Metasploit Framework"
 
Scrum Überblick Teil 1
Scrum Überblick Teil 1Scrum Überblick Teil 1
Scrum Überblick Teil 1
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
 
Network Packet Analysis
Network Packet AnalysisNetwork Packet Analysis
Network Packet Analysis
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Metasploit Basics
Metasploit BasicsMetasploit Basics
Metasploit Basics
 
Packet analysis (Basic)
Packet analysis (Basic)Packet analysis (Basic)
Packet analysis (Basic)
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Prepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec ProfessionalPrepare Yourself to Become Infosec Professional
Prepare Yourself to Become Infosec Professional
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 

Similar to Tranning-2

Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 

Similar to Tranning-2 (20)

Anatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow AttackAnatomy of a Buffer Overflow Attack
Anatomy of a Buffer Overflow Attack
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse Engineering
 
Eusecwest
EusecwestEusecwest
Eusecwest
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit development
 
How secure is your code?
How secure is your code?How secure is your code?
How secure is your code?
 
Structured Exception Handler Exploitation
Structured Exception Handler ExploitationStructured Exception Handler Exploitation
Structured Exception Handler Exploitation
 
writing self-modifying code and utilizing advanced assembly techniques
writing self-modifying code and utilizing advanced assembly techniqueswriting self-modifying code and utilizing advanced assembly techniques
writing self-modifying code and utilizing advanced assembly techniques
 
64-bit Loki
64-bit Loki64-bit Loki
64-bit Loki
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish code
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Stack-Based Buffer Overflows
Stack-Based Buffer OverflowsStack-Based Buffer Overflows
Stack-Based Buffer Overflows
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 

Tranning-2

  • 1. Introduction to Software Exploitation Faheem & Ali Ebryx (pvt) Ltd Reference: http://opensecuritytraining.info/Expl oits1.html
  • 2. Purpose of the course •Give you a deep understanding of the mechanics of software exploitation •Demonstration of buffer overflow attack •Custom Shell-code writing and executing •Exploit finding techniques http://opensecuritytraining.info/Exploits1.html
  • 3. Lets get down to business http://opensecuritytraining.info/Exploits1.html
  • 4. What are we trying to achieve? •Arbitrary code execution •Examples –Forcing ssh to give you root access to the power grid (like Trinity in the previous slide!) –Bypassing authentication checks. –Forcing a privileged administrator process to execute code your normally wouldn’t be able to. –Etc…. http://opensecuritytraining.info/Exploits1.html
  • 5. You are presented with the following program…. This worked in the movies… What arbitrary code execution do we want? Go_shell() would be nice!http://opensecuritytraining.info/Exploits1.html
  • 7. x86 Review Lab •The EBP register points to the base of the stack frame. Local variables, which are stored on the stack, are referenced via this base pointer. •Every time a function is called, a new stack frame is setup so that the function has its own fresh context (its own clean set of local variables). •The call instruction also puts a return address on the stack so that the function knows where to return execution to.http://opensecuritytraining.info/Exploits1.html
  • 8. Boring…. Let’s investigate Stack (grows downwards) Junk Junk Junk Junk Junk Junk Junk Main() just called http://opensecuritytraining.info/Exploits1.html
  • 9. Stack (grows downwards) Return address into main Main’s saved frame pointer (ebp) Char password[64]; Junk Junk Junk Junk Authorize() just called The top of authorize()’s stack frame stores main()’s saved frame pointer (0xbffff5f8) as well as the return address to return execution too once authorize() is finished (0x080483b)http://opensecuritytraining.info/Exploits1.html
  • 10. Stack (grows downwards) Return address into main Main’s saved frame pointer (ebp) “password” Junk Junk Junk Junk Authorize() just called Notice the 64 byte difference between the top of the stack (esp) and the base of the frame (ebp). These are the 64 bytes we created to store password. Also worth noting is that where password is stored on the stack is 68 bytes away from the saved return address into main… http://opensecuritytraining.info/Exploits1.html
  • 11. f password is more than the 64 bytes than we allocated for it on the stack? The instruction pointer ends up pointing to 0x41414141, which is “AAAA.” This means we can cause arbitrary code execution since we can set the instruction pointer.http://opensecuritytraining.info/Exploits1.html
  • 12. Since 0x41414141 is arbitrary, we have achieved our goal of “Arbitrary code execution.” However, 0x41414141 isn’t very useful since it just crashes the program (because 0x41414141 points to nowhere). Remember what we want to achieve is execution of go_shell() since that does something useful (gives us administrator access). To achieve this, we first fill up the password[64] buffer with 64 bytes of junk, then 4 extra bytes of junk to overwrite the saved frame pointer, and then also write 4 bytes representing the address of go_shell(). http://opensecuritytraining.info/Exploits1.html
  • 13. Oh, Yeahh we corrupted that stack! We are now executing go_shell()’s code! http://opensecuritytraining.info/Exploits1.html
  • 14. It’s more useful for us to put this all together outside of a debugger. he unix pipe “|” is to redirect output of our command (cat payload;cat) and use it as he input for simple_login. We have to put the extra “cat” in the command to echo ommands to the shell we will spawn, otherwise an EOF is sent and the shell closes mmediately before we can actually execute any programs. http://opensecuritytraining.info/Exploits1.html
  • 15. Shellcode •So that’s nice, but it isn’t quite “Arbitrary code execution” since we are relying on simple_login to contain this root shell spawning code prepackaged (not realistic). •How do we insert our own arbitrary code into the program to execute? http://opensecuritytraining.info/Exploits1.html
  • 16. Shellcode 2 •Among other places, we can actually just insert this code into the program through a typical input medium. In other words, when simple_login attempts to read in our password guess, we can feed it in an executable program. •Thus the password[64] buffer will end up containing a small standalone program that we will later execute by redirecting the overwritten stored return address to the address of buffer! http://opensecuritytraining.info/Exploits1.html
  • 17. Properties of shellcode •Aims to be small since it often has to fit in small input buffers. •Position independent (can’t make any assumptions about program state when it begins executing) •Should contain no null characters (many standard string copying library calls terminate upon seeing a null character) •Must be self contained in an executable section (shouldn’t reference data in data sections, etc). http://opensecuritytraining.info/Exploits1.html
  • 18. Example shellcode payloads 1)Execute a shell 2)Add an Administrator user 3)Download and install a rootkit 4)Connect back to attacker controlled server and wait for commands 5)Etc… http://opensecuritytraining.info/Exploits1.html
  • 19. Hello, World! - Linux http://opensecuritytraining.info/Exploits1.html
  • 20. Can we use it as shellcode? What are the problems here? http://opensecuritytraining.info/Exploits1.html
  • 21. Can we use it as shellcode? 1)Null bytes are bad. Basically every standard library function is going to treat those null characters as terminators and end up truncating our program. 2)Not position independent. That 0x80490a4 address referenced is going to be meaningless when we inject this into another program. http://opensecuritytraining.info/Exploits1.html
  • 22. he extended (eax, ebx, ecx…) x86 registers are 32 bit. So when we attempt to Move a less than 32 bit value to one of them (mov eax, 0x4), the compiler pads the alue with 0. If we instead move the immediate value to the appropriately sized ersion of the registers, the null padding will not be added. ecall: ax = 32 bits, ax = 16 bits, al = 8 bits We still have 1 null byte left. What if we actually need to use a null byte in our code Somewhere like when we are trying to exit with a status code of 0? What about that pesky string address we are still referencing? Suggestions? http://opensecuritytraining.info/Exploits1.html
  • 23. pting to achieve position independence and our reliance on that fixed string address. -We can create a null byte to use by performing xor ebx, ebx - Store the string we want to print/reference on the stack, and then just pass esp to the system call! But wait, the code still won’t work as shellcode. Challenge: What did Corey do wrong?? http://opensecuritytraining.info/Exploits1.html
  • 24. Corey burned a good hour trying to figure this mystery out… Standard library functions also truncate on the new line byte (0x0a)! Hence 0x0a Is bad like null bytes! http://opensecuritytraining.info/Exploits1.html
  • 25. The easy way out…. cally I just changed the newline character to another exclamation point to get rid of ibc copy problem, and to put emphasis on how hard we are owning these programs. u are jaded you might just think I’m cheating here…http://opensecuritytraining.info/Exploits1.html
  • 26. New goal! •Previously we forced the simple login program to execute go_shell(). By overwriting the saved return address and thereby setting the eip to go_shell()’s start. •But we want to use our new toy, our snazzy shellcode. •How do we get our shellcode into the program so we can overflow the return address again and set eip to execute our shellcode? http://opensecuritytraining.info/Exploits1.html
  • 27. Game Plan •Instead of spraying a bunch of junk into the password buffer to get to the saved return address, we will first input our shellcode’s opcodes. (This is perfectly acceptable program input). •Then, we will change the eip of the program to point to the password buffer, where are shellcode’s opcode is stored! http://opensecuritytraining.info/Exploits1.html
  • 28. For ease I created a hello_shell.pl script which just prints out our shellcode’s opcodes, making it easier to inject into the password[64] buffer in the simple login program. http://opensecuritytraining.info/Exploits1.html
  • 29. member, when overflowing the password[64] buffer of the simple_login program overwrite the eip, we first filled password with 64 bytes of junk (0x41), 4 additional tes of junk to overwrite the saved frame pointer, and then 4 bytes representing the dress with which we were going to overwrite the saved return address with. AAAAAA…. 64 times><AAAA><0x080482aa> Old payload… http://opensecuritytraining.info/Exploits1.html
  • 30. New Payload Heres what we are going for… <NOP.NOP.NOP><SHELLCODE OPS><AAAA><Address of password buffer> • <NOP.NOP.NOP><SHELLCODE OPS> still needs to be a total of 64 bytes combined. • Recall, NOPS are just do nothing instructions, so when eip points to the password buffer, it will just ‘do nothing’ until it starts hitting the shellcode op codes. •sizeof<NOPS> = 64 – sizeof<SHELLCODE OPS> http://opensecuritytraining.info/Exploits1.html
  • 31. •First we build the <NOPS><SHELLCODE> portion of the shellcode •Still need the <AAAA><Address of Password Buffer> part of the payload •We need to determine the address of the password bufferhttp://opensecuritytraining.info/Exploits1.html
  • 32. •We set a break point after the gets() call that reads in the buffer so we can try to find out shellcode on the stack •Looks like 0xbffff594 lies in the middle of our NOPS, so the password buffer must be there. We will make this our target eip.http://opensecuritytraining.info/Exploits1.html
  • 33. Final Payload Construction •We now have the <NOPS><Shellcode><AAAA><address of password buffer> payload complete •Let’s use it! http://opensecuritytraining.info/Exploits1.html
  • 34. •We just forced simple_login to execute arbitrary code that we injected into it!!! •In reality, an attacker would want to do something more useful than just print a message. •What would you do if you wanted to execute arbitrary code but the architecture forbid you from executing the password buffer as if it were code? http://opensecuritytraining.info/Exploits1.html

Editor's Notes

  1. 3