SlideShare ist ein Scribd-Unternehmen logo

Nethemba - Writing exploits

OWASP (Open Web Application Security Project)
OWASP (Open Web Application Security Project)

A brief description of writing exploits including:  Basic code injection  W^X (DEP), ASLR, Canary (Armoring)  Return Oriented Programming (ROP)  Tools of the Trade  Metasploit

TechnologieUnterhaltung & Humor
1 von 24
Downloaden Sie, um offline zu lesen
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com          www.nethemba.com             www.nethemba.com      
Motivation  Basic code injection  W^X (DEP), ASLR, Canary (Armoring)  Return Oriented Programming (ROP)  Tools of the Trade  Metasploit          www.nethemba.com       
A Brief History  08/11/1996 Phrack #49  Smashing The Stack For Fun And Profit, Elias  Levy “ … Code that does this is said  to smash the stack, and can  cause return from the routine to  jump to a random address.  This  can produce some of the most  insidious data­dependent bugs    known to mankind.”        www.nethemba.com       
Stack Frame Low Memory Address void func(int a, int b, int c) {    char buffer1[BUFSIZE];    char buffer2[BUFSIZE]; buffer2 } int main(int argc, char **argv) { buffer1   func(10, 20, 30); EBP } EIP  prologue, epilogue 10 push ebp mov esp, ebp 20 mov ebp, esp pop ebp 30 sub esp, $const ret   High Memory Address        www.nethemba.com       
Buffer Overflow Low Memory Address void func(char *src) {    char dest[64];    strcpy(dest, src); } int main(int argc, char **argv) { dest   func(argv[1]); EBP } EIP args   High Memory Address        www.nethemba.com       
Buffer Overflow Low Memory Address void func(char *src) {    char dest[64];    strcpy(dest, src); } int main(int argc, char **argv) { SHELLCODE   func(argv[1]); JUNK } JMP TO SC JUNK   High Memory Address        www.nethemba.com       
Low Memory Address Buffer Overflow – SEH try {   int a = 5; Local Vars   int b = 0; Next SEH   int c = a / b; } catch (Exception e) { SE Handler   printf(“ignore ..”); } EBP EIP args Next → Next → Next → 0xFFFFFFFF Pointer to Pointer to Pointer to Default Exception Exception Exception Exception Handler Handler Handler Handler High Memory Address          www.nethemba.com       
Low Memory Address Buffer Overflow – SEH try {   int a = 5; Local Vars   int b = 0; Next SEH   int c = a / b; } catch (Exception e) { SE Handler   printf(“ignore ..”); } EBP EIP args Shellcode Next → Next → 0xFFFFFFFF address POP POP RET Pointer to Pointer to Default Exception Exception Exception   Handler Handler   Handler High Memory Address      www.nethemba.com       
Low Memory Address Stack cookies – canaries Local Vars  Protection provided by the compiler  Canary (/gs, ­fstack­protector, StackGuard,  Next SEH ProPolice)  SE Handler  Can rearrange the stack layout, so  EBP string variables are on higher  EIP addresses and cannot overwrite  args other local variables  Contain “bad” characters (0x00,   0xFF) High Memory Address        www.nethemba.com       
Stack cookies – canaries  Usually a challenge  Entropy weaknesses (24­bit entropy on Ubuntu,  can by bypassed in reasonable time)  Sometimes helps to overwrite SEH  Cannot protect from buffer overflows in heap          www.nethemba.com       
Protection ­ DEP  Stack is no longer executable  W^X  Both HW (NX bit) and software support  Prevent basic buffer overflows  Four policy levels on Windows platform:  Optin,  OptOut, AlwaysOn, AlwaysOff  Can be bypassed by “return­to­libc”          www.nethemba.com       
Return to LIBC  The most generic method to bypass NX  No executable code in stack  EIP is overwritten by library function (system())  Parameters are passed via stack  Chained “return to libc”  No loops, conditional jumps, complicated things  28/12/2001 Phrack #58, Advanced return­into­   lib(c) exploits        www.nethemba.com       
Low Memory Address Return to LIBC Low Memory Address  uuu ←basic buffer overflow Local Vars Local Vars   EBP EBP EIP system() args     return to libc → EIP JUNK “/bin/sh0” High Memory Address   High Memory Address        www.nethemba.com       
ASLR  Address Stack Layout Randomization  Including Libraries, Heap, Stack  But not necessary in all libraries  You need at least one module without ASLR for  bypassing in Windows  Implementation weaknesses  Can by bypassed by format string exploits          www.nethemba.com       
Format String Attacks int main(int argc, char **argv) {   printf(“%s”, argv[1]); // correct   printf(argv[1]); // wrong } ● Reading, writing from arbitrary memory ● Direct parameter access via %<num>$ ● Writing via %n, %hn (2 bytes) ● 28/07/2002 Phrack #59, Advances in format string  exploitation          www.nethemba.com       
Return Oriented Programming ● The successor of “return to libc” technique ● Small number of instructions ending with “ret”  (Gadgets) chained together ● If we find them enough, we have the Turing  Machine ● Fixed Memory location for data interchange, usually  in .data section ● 2 registers are usually efficient          www.nethemba.com       
Return Oriented Programming ● You can bypass character restrictions (neg) ● No injected code, just rewritten stack ● ESP determines which instructions you execute ● Automated by tools (ropeme, ROPGadget) # execve /bin/sh bindport 8080 generated by RopGadget v3.3 p += pack("<I", 0x08050dda) # pop %edx | ret p += pack("<I", 0x080cd6a0) # @ .data p += pack("<I", 0x080a49f6) # pop %eax | ret p += "//us" p += pack("<I", 0x080796ed) # mov %eax,(%edx) | ret ...          www.nethemba.com       
Return Oriented Programming ● We can build the custom stack at fixed location  (bypass ASLR) ● .data, .bss (readelf) ● Multi­stage exploit ● GOT entry overwriting offset = execve() ­ printf() execve() = printf() + offsef ● Countermeasure: Position  Independent Executable (PIE)          www.nethemba.com       
Metasploit ● msfpescan, msfelfscan, msfmachscan ● irb, framework for exploits development ● tools/ (memdump, metasm_shell,  pattern_create.rb, pattern_offset.rb,  nasm_shell) ● mixins          www.nethemba.com       
Immunity Debugger ● 'mona' (successor of pvefindaddr) ● skeleton for metasploit exploit can by generated  with Immunity Debugger (mona plugin)          www.nethemba.com       
Radare ● Reverse engineering framework, *nix­style,  multiplatform ● 11/06/2009 Phrack #66, Manual Binary  Mangling With Radare radare: the entrypoint for everything :) rahash: block based hashing utility radiff: multiple binary diffing algorithms rabin:  extract information from binaries rasc:   shellcode construction helper rasm:   commandline assembler/disassembler rax:    inline multiple base converter  xrefs:  blind search for relative code references        www.nethemba.com       
Wargames ● http://overthewire.org  ● http://smashthestack.org          www.nethemba.com       
References ● http://www.radare.org/get/radare.pdf ● https://www.metasploit.com          www.nethemba.com       
Any questions? Thank you for listening Norbert Szetei, CEH          www.nethemba.com       

Empfohlen

Inside PHP [OSCON 2012]
Inside PHP [OSCON 2012]Inside PHP [OSCON 2012]
Inside PHP [OSCON 2012]
Tom Lee
 
Inside Python [OSCON 2012]
Inside Python [OSCON 2012]Inside Python [OSCON 2012]
Inside Python [OSCON 2012]
Tom Lee
 
Python Compiler Internals Presentation Slides
Python Compiler Internals Presentation SlidesPython Compiler Internals Presentation Slides
Python Compiler Internals Presentation Slides
Tom Lee
 
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
Tom Lee
 
Scanner,BufferedReader,Applet
Scanner,BufferedReader,AppletScanner,BufferedReader,Applet
Scanner,BufferedReader,Applet
Anuj Singh Rajput
 
Yapc::NA::2009 - Command Line Perl
Yapc::NA::2009 - Command Line PerlYapc::NA::2009 - Command Line Perl
Yapc::NA::2009 - Command Line Perl
Bruce Gray
 
setjmp
setjmpsetjmp
setjmp
shinaisan
 
Better rspec 進擊的 RSpec
Better rspec 進擊的 RSpecBetter rspec 進擊的 RSpec
Better rspec 進擊的 RSpec
Li Hsuan Hung
 

Empfohlen

Inside PHP [OSCON 2012]
Inside PHP [OSCON 2012]Inside PHP [OSCON 2012]
Inside PHP [OSCON 2012]
Tom Lee
 
Inside Python [OSCON 2012]
Inside Python [OSCON 2012]Inside Python [OSCON 2012]
Inside Python [OSCON 2012]
Tom Lee
 
Python Compiler Internals Presentation Slides
Python Compiler Internals Presentation SlidesPython Compiler Internals Presentation Slides
Python Compiler Internals Presentation Slides
Tom Lee
 
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
A(n abridged) tour of the Rust compiler [PDX-Rust March 2014]
Tom Lee
 
Scanner,BufferedReader,Applet
Scanner,BufferedReader,AppletScanner,BufferedReader,Applet
Scanner,BufferedReader,Applet
Anuj Singh Rajput
 
Yapc::NA::2009 - Command Line Perl
Yapc::NA::2009 - Command Line PerlYapc::NA::2009 - Command Line Perl
Yapc::NA::2009 - Command Line Perl
Bruce Gray
 
setjmp
setjmpsetjmp
setjmp
shinaisan
 
Better rspec 進擊的 RSpec
Better rspec 進擊的 RSpecBetter rspec 進擊的 RSpec
Better rspec 進擊的 RSpec
Li Hsuan Hung
 
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
RootedCON
 
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
Dell EMC World
 
MT54 Better security is better business
MT54 Better security is better businessMT54 Better security is better business
MT54 Better security is better business
Dell EMC World
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
Saumil Shah
 
Finding Product Market Fit
Finding Product Market FitFinding Product Market Fit
Finding Product Market Fit
Scott Bales
 
Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns
Thoughtworks
 
Recommendation system
Recommendation system Recommendation system
Recommendation system
Vikrant Arya
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
Kory Kyzar
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
UTD Computer Security Group
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
zakiakhmad
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with Python
Thomas Gregory
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
Kernel TLV
 
JavaScript on the GPU
JavaScript on the GPUJavaScript on the GPU
JavaScript on the GPU
Jarred Nicholls
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
Quinn Wilton
 
2 buffer overflows
2 buffer overflows2 buffer overflows
2 buffer overflows
Karthic Rao
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
Ce.Se.N.A. Security
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
amiable_indian
 
Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008
ClubHack
 
javascript teach
javascript teachjavascript teach
javascript teach
guest3732fa
 
JSBootcamp_White
JSBootcamp_WhiteJSBootcamp_White
JSBootcamp_White
guest3732fa
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
harshal kshatriya
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
Sumit Kumar
 

Weitere ähnliche Inhalte

Andere mochten auch

Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
RootedCON
 

Andere mochten auch (7)

Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
Fermín J. Serna - Exploits & Mitigations: EMET [RootedCON 2010]
 
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
MT 69 Tripwire Defense: Advanced Endpoint Detection by a Thousand Tripwires
 
MT54 Better security is better business
MT54 Better security is better businessMT54 Better security is better business
MT54 Better security is better business
 
How Functions Work
How Functions WorkHow Functions Work
How Functions Work
 
Finding Product Market Fit
Finding Product Market FitFinding Product Market Fit
Finding Product Market Fit
 
Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns Lean Product Management for Enterprises: The Art of Known Unknowns
Lean Product Management for Enterprises: The Art of Known Unknowns
 
Recommendation system
Recommendation system Recommendation system
Recommendation system
 

Ähnlich wie Nethemba - Writing exploits

Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
amiable_indian
 
Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008
ClubHack
 
javascript teach
javascript teachjavascript teach
javascript teach
guest3732fa
 
JSBootcamp_White
JSBootcamp_WhiteJSBootcamp_White
JSBootcamp_White
guest3732fa
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
Sumit Kumar
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 

Ähnlich wie Nethemba - Writing exploits (20)

Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom GregoryExploit Development: EzServer Buffer Overflow oleh Tom Gregory
Exploit Development: EzServer Buffer Overflow oleh Tom Gregory
 
Exploit Development with Python
Exploit Development with PythonExploit Development with Python
Exploit Development with Python
 
Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545Bypassing ASLR Exploiting CVE 2015-7545
Bypassing ASLR Exploiting CVE 2015-7545
 
JavaScript on the GPU
JavaScript on the GPUJavaScript on the GPU
JavaScript on the GPU
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
2 buffer overflows
2 buffer overflows2 buffer overflows
2 buffer overflows
 
Exploit techniques - a quick review
Exploit techniques - a quick reviewExploit techniques - a quick review
Exploit techniques - a quick review
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008Nibin - Reverse Engineering for exploit writers - ClubHack2008
Nibin - Reverse Engineering for exploit writers - ClubHack2008
 
javascript teach
javascript teachjavascript teach
javascript teach
 
JSBootcamp_White
JSBootcamp_WhiteJSBootcamp_White
JSBootcamp_White
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 
Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )Perl Memory Use 201207 (OUTDATED, see 201209 )
Perl Memory Use 201207 (OUTDATED, see 201209 )
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64XS Boston 2008 Paravirt Ops in Linux IA64
XS Boston 2008 Paravirt Ops in Linux IA64
 
Seh based attack
Seh based attackSeh based attack
Seh based attack
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 

Mehr von OWASP (Open Web Application Security Project)

Mehr von OWASP (Open Web Application Security Project) (16)

Paralelni polisweb
Paralelni poliswebParalelni polisweb
Paralelni polisweb
 
Preco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost NethembaPreco sa rozhodnut pre spolocnost Nethemba
Preco sa rozhodnut pre spolocnost Nethemba
 
Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4Planning the OWASP Testing Guide v4
Planning the OWASP Testing Guide v4
 
Bypassing Web Application Firewalls
Bypassing Web Application FirewallsBypassing Web Application Firewalls
Bypassing Web Application Firewalls
 
Nethemba metasploit
Nethemba metasploitNethemba metasploit
Nethemba metasploit
 
Sms ticket-hack4
Sms ticket-hack4Sms ticket-hack4
Sms ticket-hack4
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
 
Real web-attack-scenario
Real web-attack-scenarioReal web-attack-scenario
Real web-attack-scenario
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2
 
Php sec
Php secPhp sec
Php sec
 
Nove trendy-zranitelnosti
Nove trendy-zranitelnostiNove trendy-zranitelnosti
Nove trendy-zranitelnosti
 
New web attacks-nethemba
New web attacks-nethembaNew web attacks-nethemba
New web attacks-nethemba
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 
Mifare classic-slides
Mifare classic-slidesMifare classic-slides
Mifare classic-slides
 
1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak1.nove trendy-zranitelnosti luptak
1.nove trendy-zranitelnosti luptak
 
Nethemba profil
Nethemba profilNethemba profil
Nethemba profil
 

Kürzlich hochgeladen

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Nethemba - Writing exploits

  • 1. Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com          www.nethemba.com             www.nethemba.com      
  • 2. Motivation  Basic code injection  W^X (DEP), ASLR, Canary (Armoring)  Return Oriented Programming (ROP)  Tools of the Trade  Metasploit          www.nethemba.com       
  • 3. A Brief History  08/11/1996 Phrack #49  Smashing The Stack For Fun And Profit, Elias  Levy “ … Code that does this is said  to smash the stack, and can  cause return from the routine to  jump to a random address.  This  can produce some of the most  insidious data­dependent bugs    known to mankind.”        www.nethemba.com       
  • 4. Stack Frame Low Memory Address void func(int a, int b, int c) {    char buffer1[BUFSIZE];    char buffer2[BUFSIZE]; buffer2 } int main(int argc, char **argv) { buffer1   func(10, 20, 30); EBP } EIP  prologue, epilogue 10 push ebp mov esp, ebp 20 mov ebp, esp pop ebp 30 sub esp, $const ret   High Memory Address        www.nethemba.com       
  • 5. Buffer Overflow Low Memory Address void func(char *src) {    char dest[64];    strcpy(dest, src); } int main(int argc, char **argv) { dest   func(argv[1]); EBP } EIP args   High Memory Address        www.nethemba.com       
  • 6. Buffer Overflow Low Memory Address void func(char *src) {    char dest[64];    strcpy(dest, src); } int main(int argc, char **argv) { SHELLCODE   func(argv[1]); JUNK } JMP TO SC JUNK   High Memory Address        www.nethemba.com       
  • 7. Low Memory Address Buffer Overflow – SEH try {   int a = 5; Local Vars   int b = 0; Next SEH   int c = a / b; } catch (Exception e) { SE Handler   printf(“ignore ..”); } EBP EIP args Next → Next → Next → 0xFFFFFFFF Pointer to Pointer to Pointer to Default Exception Exception Exception Exception Handler Handler Handler Handler High Memory Address          www.nethemba.com       
  • 8. Low Memory Address Buffer Overflow – SEH try {   int a = 5; Local Vars   int b = 0; Next SEH   int c = a / b; } catch (Exception e) { SE Handler   printf(“ignore ..”); } EBP EIP args Shellcode Next → Next → 0xFFFFFFFF address POP POP RET Pointer to Pointer to Default Exception Exception Exception   Handler Handler   Handler High Memory Address      www.nethemba.com       
  • 9. Low Memory Address Stack cookies – canaries Local Vars  Protection provided by the compiler  Canary (/gs, ­fstack­protector, StackGuard,  Next SEH ProPolice)  SE Handler  Can rearrange the stack layout, so  EBP string variables are on higher  EIP addresses and cannot overwrite  args other local variables  Contain “bad” characters (0x00,   0xFF) High Memory Address        www.nethemba.com       
  • 10. Stack cookies – canaries  Usually a challenge  Entropy weaknesses (24­bit entropy on Ubuntu,  can by bypassed in reasonable time)  Sometimes helps to overwrite SEH  Cannot protect from buffer overflows in heap          www.nethemba.com       
  • 11. Protection ­ DEP  Stack is no longer executable  W^X  Both HW (NX bit) and software support  Prevent basic buffer overflows  Four policy levels on Windows platform:  Optin,  OptOut, AlwaysOn, AlwaysOff  Can be bypassed by “return­to­libc”          www.nethemba.com       
  • 12. Return to LIBC  The most generic method to bypass NX  No executable code in stack  EIP is overwritten by library function (system())  Parameters are passed via stack  Chained “return to libc”  No loops, conditional jumps, complicated things  28/12/2001 Phrack #58, Advanced return­into­   lib(c) exploits        www.nethemba.com       
  • 13. Low Memory Address Return to LIBC Low Memory Address  uuu ←basic buffer overflow Local Vars Local Vars   EBP EBP EIP system() args     return to libc → EIP JUNK “/bin/sh0” High Memory Address   High Memory Address        www.nethemba.com       
  • 14. ASLR  Address Stack Layout Randomization  Including Libraries, Heap, Stack  But not necessary in all libraries  You need at least one module without ASLR for  bypassing in Windows  Implementation weaknesses  Can by bypassed by format string exploits          www.nethemba.com       
  • 15. Format String Attacks int main(int argc, char **argv) {   printf(“%s”, argv[1]); // correct   printf(argv[1]); // wrong } ● Reading, writing from arbitrary memory ● Direct parameter access via %<num>$ ● Writing via %n, %hn (2 bytes) ● 28/07/2002 Phrack #59, Advances in format string  exploitation          www.nethemba.com       
  • 16. Return Oriented Programming ● The successor of “return to libc” technique ● Small number of instructions ending with “ret”  (Gadgets) chained together ● If we find them enough, we have the Turing  Machine ● Fixed Memory location for data interchange, usually  in .data section ● 2 registers are usually efficient          www.nethemba.com       
  • 17. Return Oriented Programming ● You can bypass character restrictions (neg) ● No injected code, just rewritten stack ● ESP determines which instructions you execute ● Automated by tools (ropeme, ROPGadget) # execve /bin/sh bindport 8080 generated by RopGadget v3.3 p += pack("<I", 0x08050dda) # pop %edx | ret p += pack("<I", 0x080cd6a0) # @ .data p += pack("<I", 0x080a49f6) # pop %eax | ret p += "//us" p += pack("<I", 0x080796ed) # mov %eax,(%edx) | ret ...          www.nethemba.com       
  • 18. Return Oriented Programming ● We can build the custom stack at fixed location  (bypass ASLR) ● .data, .bss (readelf) ● Multi­stage exploit ● GOT entry overwriting offset = execve() ­ printf() execve() = printf() + offsef ● Countermeasure: Position  Independent Executable (PIE)          www.nethemba.com       
  • 19. Metasploit ● msfpescan, msfelfscan, msfmachscan ● irb, framework for exploits development ● tools/ (memdump, metasm_shell,  pattern_create.rb, pattern_offset.rb,  nasm_shell) ● mixins          www.nethemba.com       
  • 20. Immunity Debugger ● 'mona' (successor of pvefindaddr) ● skeleton for metasploit exploit can by generated  with Immunity Debugger (mona plugin)          www.nethemba.com       
  • 21. Radare ● Reverse engineering framework, *nix­style,  multiplatform ● 11/06/2009 Phrack #66, Manual Binary  Mangling With Radare radare: the entrypoint for everything :) rahash: block based hashing utility radiff: multiple binary diffing algorithms rabin:  extract information from binaries rasc:   shellcode construction helper rasm:   commandline assembler/disassembler rax:    inline multiple base converter  xrefs:  blind search for relative code references        www.nethemba.com       
  • 22. Wargames ● http://overthewire.org  ● http://smashthestack.org          www.nethemba.com       
  • 23. References ● http://www.radare.org/get/radare.pdf ● https://www.metasploit.com          www.nethemba.com       
  • 24. Any questions? Thank you for listening Norbert Szetei, CEH          www.nethemba.com