Cyber Attacks & DefenseWeek 7: Misc Attacks

What We Have Learned

• Week1: Basic reverse engineering• Week2: Buffer Overflow -> Control-flow Hijacking• Week3: Writing Shellcode• Week4: StackCookie, ASLR, and DEP• Week5: Return-oriented Programming• Week6: Arbitrary Read/Write, Format String Vulnerability

Attack Strategy

• Arbitrary Write• Overwrite control data• Return address• Function Pointer• Global Offset Table

• Buffer Overflow• Sequential Write (a case of arbitrary write)

Defense/Attack Strategy

• StackCookie• Place a random number right previous to the control data on the stack• The cookie is smashed before control data is modified

• Attack• Leak stack cookie directly -> apply that in your attack payload• Leak stack cookie via side-channel attack (byte-granular guessing)• Non-sequential buffer overflow -> directly overwrite return address

Defense/Attack Strategy

• Data Execution Prevention• You cannot execute on stack/heap data• Code is fixed

• Launch Code-reuse Attack• Re-use functions in libc (execve, system, etc.)• Return-oriented programming

• Pop-pop-ret..

Defense/Attack Strategy

• Address Space Layout Randomization (ASLR)• Randomize address space• Attackers don’t know about where the functions/gadgets are

• Information Leak attack• Relative offset between the pointers are fixed• Sequential leak• Arbitrary read• Leak Stack (code address, stack address, heap address)• Leak GOT (libc address)

Attack Techniques

• Buffer overflow – return address overwriting• Buffer overflow – frame pointer overwriting• Buffer overflow – Index manipulation• Sequential read – Leaking Stack Contents• Arbitrary read – Leaking libc address from GOT• Arbitrary write – Overwriting GOT entries• Format String attack – Using it as SR/AR/AW primitives

Week 7: Apply Techniques Learned

• You have learned many cyber ninja skils• Week1 – Week6 challenges made you strong

• Test yourself with challenges in Week7• 11 challenges

• Required skills are combination of• Reverse engineering• Basic UNIX system knowledge• What you learned from Cyber Attacks/Defense until now

0-run-command

• Can you run your command (maybe, cat flag?) in my secure directory listing system?

0-run-command

• Code

• system() runs commands in /bin only (cat flag!)• What’s check_input?

0-run-command

• Code

• Bad characters: ./;|&`…

• Can you inject your command, cat flag to system()?

1-guess-my-random

• Can you guess the random number in my secure random checker?

• Don’t guess the random, exploit the buffer overflow vulnerability!• Where is it???

2-one-format-string

• You have only one chance to launch format string attack

• Naturally, there is no buffer overflow vulnerability in the code

2-one-format-string

• Can you• 1) Launch the Format String Attack to collect required information for your

exploit?

• 2) Launch the Format String Attack (at the same time with 1) to alter the ‘size’of the read, to create a buffer overflow vulnerability?

• 3) Launch the buffer overflow attack based on the information that youcollected from 1?

3-2048

• 2048 game

Are you goot at 2048??

Then, show meyour skills!

3-2048

• Code

• Can you get the score over 3932156?

Good luck!

4-where-to-jump

• The program runs the address that you typed!

• Where do you want to jump? 1 jump to rule them all!• NO executable stack!

• Think creatively!!!

5-get-flag-without-write-nor-exec

• Seccomp-BPF• https://www.kernel.org/doc/html/v4.16/userspace-api/seccomp_filter.html

• It only allows the following system calls:• open/read/lseek/exit_group/exit• No write, no execve

• Can you leak the flag content?• Refer to README!

6-deprivileged

• It has a buffer overflow vulnerability, but it is deprivileged

• Can you still read the flag? (Yes you can…)

7-tocttou

• The program checks if the file is ‘yours’, open that, and print its contents

• Can you read the flag?

• By exploiting the gap in• Time of Check (ToC)• To• Time of Use (ToU)• TOCTTOU!

8-caffeinated-tocttou

• 3 seconds were too long for• 7-tocttou

• So I injected some caffeine to the program

• Can you still read the flag?

9-guess-passwd

• Can you bypass my super-secure password check program?

• You cannot read the file

• PASSWD is definitely not “000000000000….”

• Observe the ‘time’

a-rop-static

• This is a very small program (1672 bytes)

• Contains a buffer overflow vulnerability

a-rop-static

• You can call• read()• write()• exit()• puts()• main()• strlen()• _start

• Can you run execve(“/bin/sh”, 0, 0)?