System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability
1. System Hacking & Reverse Engineering
[Introduction to Vulnerability & Type of Vulnerability]
documented by h2spice
h2spice@gmail.com
2. Who am I
Sanghwan,Ahn (h2spice)
Works for LINE.Corp
Carrying out research on the vulnerability (exploitation,hunt,analysis)
3. 목차
커리큘럼 소개
Track1 - Introduction to Vulnerability
Bugs
Crashes
Vulnerability
Exploitation
Defense Mechanism
Track2 - Type of Vulnerability
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
4. 시스템 해킹 / 리버싱
Buffer Overflow
취약점 원리
Stack Overflow
Heap Overflow
Format String Bug
Heap Overflow
Use After Free
Overwriting RET
Overwriting SEH
익스플로잇(Win32/*NIX/ARM)
Egg Hunting
RTL
ROP
Heap Spraying
커리큘럼 소개
취약점 / 악성코드 분석
악성코드 분석
Software on X86
버그 헌팅
X86 ARM
Mobile
취약점 분석
소스코드 분석
퍼징
CVE-XXXX-XXXX
Exploit-DB
Inj3ct0r - 1337day
리버스 엔지니어링
iOS
Android
Overwriting .dtors
Overwriting GOT
7. About Bugs
알수없는 에러 혹은 소프트웨어 설계상의 실수로부터 발생
예상하지 못한 동작 혹은 결과를 유발
버그로 부터 크래쉬가 발생
버그의 종류
논리적인(Logical) 버그
문법적인(Syntax) 버그
리소스 (Resource) 버그
...
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense
Mechanism
8. About Crashes
소프트웨어 크래쉬
정상적이지 않은 명령어 실행
(Invalid instruction execution)
특정 권한을 필요로하는 명렁어 실행
(Privileged instruction execution)
정상적이지 않은 메모리 역참조
(Dereference of invalid memory)
운영체제/ 커널 크래쉬
BSOD (Blue Screen of Death)
복구 불가능한 크래쉬(Non-recoverable)
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense
Mechanism
9. What is the vulnerability ?
정의 ( from Wikipedia)
컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진
공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점
(eg. execution of arbitrary code , bypass security mitigation, etc)
사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험
성
악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한
동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다.
취약점의 예
버퍼 오버플로우 (Stack, Heap, Integer)
포맷스트링 (Format String)
널 포인트 역참조 (Null Pointer Dereference)
메모리 해제 후 사용 (Use After Free)
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense
Mechanism
10. How many vulnerability disclosure ?
7000
5250
3500
1750
0
7000
5250
3500
1750
0
1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012
[ Total Vulnerabilities by Year ]
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense
Mechanism
11. How many vulnerability disclosure ?
7000
5250
3500
1750
0
7000
5250
3500
1750
0
1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012
[ High Severity Vulnerabilities by Year ]
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense
Mechanism
12. Type of vulnerability
버퍼 오버플로우 (Buffer Overflow)
스택 오버플로우 (Stack Overflow)
힙 오버플로우 (Heap Overflow)
정수형 오버플로우 (Integer Overflow)
포맷 스트링 (Format String Bug)
널 포인트 역참조 (Null Pointer Dereference)
메모리 해제 후 사용 (Use After Free)
...
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense
Mechanism
13. What is the exploitation
소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생
흐름 제어 (Control hijack)
서비스 거부 (DOS: Denial-of-Service)
정보 유출 (Information Leakage)
소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격
소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인
(일반적으로 사용자 입력값으로 부터 흐름제어 가능)
공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense
Mechanism
14. What is the exploitation
일반적인 보호 메커니즘(Common defense mechanisms)
무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization)
데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute)
스택 쿠키 / 까나리 (Stack Cookies/Canaries)
...
보호 메커니즘 우회 (Bypass defense mechanisms)
무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr
Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got
(ret2got)
데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP)
스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense
Mechanism
16. Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
17. What is the Buffer Overflow
C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다
더 큰 데이터를 기록함으로써 발생
운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생
high address
Arguments
Return Address
Stack Frame Pointer
Local Variables
(buffer area)
low address
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
18. What is the Stack Overflow
스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가
복사되어질 때 발생합니다.
int main(int argc, char* argv[])
{
char buf[8];
strcpy(buf,argv[1]);
return 0;
}
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
19. Principle of Stack Overflow
char buf[8];
strcpy(buf,argv[1]);
argv[1] = “AAAAAAA”
A A A A A A A 0
argv[1] = “AAAAAAAAAAAA”
A A A A A A A A A A A A
// 8바이트 버퍼 할당
// 버퍼 오버플로우 발생 X
// 버퍼 오버플로우 발생 O
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
20. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
21. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
22. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
A A A A
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
23. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
A A A A
A A A A
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
24. Stack Layout
Low Address
arg2
arg1
&ret (saved eip)
saved ebp
A A A A
A A A A
A A A A
char buf[8]
High Address
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
strcpy(buf,argv[1]);
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
25. What is the Heap Overflow
힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복
사되어질 때 발생합니다.
int main(int argc, char* argv[])
{
char *buf
buf = malloc(4);
memcpy(buf,argv[1],size);
return 0;
}
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
26. Principle of Heap Overflow
buf = malloc(4);
memcpy(buf,argv[1],sizeof(argv[1]));
argv[1] = “AAA”
A A A 0
argv[1] = “AAAAAAAAAAAA”
A A A A A A A A A A A A
// 4바이트 버퍼 할당
// 버퍼 오버플로우 발생 X
// 버퍼 오버플로우 발생 O
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
27. Heap Layout
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_In
Use bit
Prev_In
Use bit
28. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_In
Use bit
Prev_In
Use bit
29. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 Us0e bit
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
30. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 12(0xc) Us0e bit
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
12(0xc)
13(0xd)
31. Heap Layout
Two chunks, of which the first is free for allocation
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
unused Chunk
FD (pointer to the next free chunk)
BK (pointer to the pref free chunk)
Unused
Prev_size
size
Data[4]
High Address
Prev_In
Use bit
Chunk1
0
32. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 12(0xc) Us0e bit
A A A A
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
12(0xc)
13(0xd)
33. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 12(0xc) Us0e bit
A A A A
A A A A
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
12(0xc)
13(0xd)
34. Heap Layout
Two allocated chunks on the heap
Calling .Start function:
.Start :
push %ebp
mov %esp, %ebp
sub $0xC, %esp
...
memcpy(buf,argv[1],
sizeof(argv[1]));
...
leave
ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
Chunk1 12(0xc) Us0e bit
A A A A
A A A A
A A A A
A A A A
High Address
Prev_In
Us1e bit
Chunk2
Prev_In
12(0xc)
13(0xd)
35. What is the Integer Overflow
it occurs when the operation result stored is bigger than permissible range
it occurs when the operation result stored is smaller than permaissible range
it occurs in the operation process
difficulty in detecting, so massive code analysis is needed
0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0
0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0
1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0
20000
30000
-15536
+
it is a negative number since it is interpreted as a sign bit
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
36. Example of the Integer Overflow
Output 1 -
The normal case
Output 2 -
Integer Overflow
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[])
{
signed int type1=NULL; /*signed type*/
signed int type2=NULL; /*unsigned type*/
unsigned int type3=999999999999999999; /*integer overflow*/
type1 = strlen(argv[1]);
if(argv[2]!=NULL)
{ /*due to some operations*/
type2=type3;
}
printf("type1 = %d n",type1);
printf("type2 = %dn",type2);
return 0;
}
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
37. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
int main(int argc, char* argv[])
{
signed int type1=NULL; /*signed type*/
signed int type2=NULL; /*unsigned type*/
unsigned int type3=999999999999999999; /*integer overflow*/
type1 = strlen(argv[1]);
if(argv[2]!=NULL)
{ /*due to some operations*/
type2=type3;
}
printf("type1 = %d n",type1);
printf("type2 = %dn",type2);
return 0;
}
Output 1 - The normal case
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
38. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
declare variable
(signed/unsigned type,
static buffer)
Output 1 - The normal case
39. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
get size of user input data
and then, print size
Output 1 - The normal case
40. Example of Integer Buffer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
check size of user input data
(code to prevent buffer overflow)
Output 1 - The normal case
41. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
Output 2 - Integer Overflow copy user input data to buffer
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
and then print user input data
Output 1 - The normal case
42. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
if variable signed type stored in big
data, will occur integing overflow
Output 1 - The normal case
43. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
because type2 it has been set
negative number, to bypass code that
prevent buffer overflow
Output 1 - The normal case
44. Example of Integer Buffer Overflow
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 4096
#define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[])
{
off_t type1=NULL; /*signed type*/
size_t type2=NULL; /*unsigned type*/
off_t type3=999999999999999; /*integer overflow*/
char buffer[BUFFER_SIZE]; /*fixed buffer*/
type1 = strlen(argv[1]);
printf("size of input data = %d n",type1);
if(argv[2]!=NULL)
{ /*due to some operations*/
type1=type3;
}
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %dn",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */
printf("data output = %sn",buffer);
return 0;
}
Output 1 - The normal case
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc
$ ./integer_overflow hello
size of input data = 5
size of (size_t)type2 = 5
data output = hello
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
./integer_overflow hello ?
size of input data = 5
size of (size_t)type2 = -1530494977
Segmentation fault (core dumped)
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
as a result, occur stack buffer overflow
45. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free printf(buf);
46. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability
occurs when user input data is used as format string)
Collect Usage : printf(“%s”, argv[1]);
Dangerous Usage : printf(arvg[1]);
임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to
read & write arbitrary memory space)
정적 분석 도구를 이용하여 탐지 가능(Can be detected by
Static Analysis Tools)
But still show up in many competition or software
47. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free Format String / Parameter Description
%d 정수형 10진수 상수 (integer)
%f 실수형 상수 (float)
%lf 실수형 상수 (double)
%c 문자 값 (char)
%s 문자 스트링 ((const)(unsigned) char *)
%u 양의 정수 (10 진수)
%o 양의 정수 (8 진수)
%x 양의 정수 (16 진수)
%s 문자열
%n * int (쓰인 총 바이트 수)
%hn %n의 반인 2바이트 단위
48. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
when user input data is
used as string
49. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free %x
50. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
when user input data is
used as string
when user input data is used
as Format String
51. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
What’s the !!?!
52. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
What’s the !!?!
53. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
………
54. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
55. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
when argument of printf( ) is
used as format string “%x”
low address
ESP
56. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
Hey! where is argument
about Format string “%x”
57. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
What happened to this ?
58. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
What happened to this ?
we don’t have enough time
do as you usually do !
59. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
60. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
ESP printf( ) 호출시 인자값 인자들은 스택에 적재되
low address
는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을
가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴
퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를
16진수로 출력해버리게됩니다.
61. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP+4
printf( ) 호출시 인자값 인자들은 스택에 적재되
는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을
가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴
퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를
16진수로 출력해버리게됩니다.
62. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP+16
ESP+12
ESP+8
ESP+4
63. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP+4
Point1. We can read the
arbitrary memory space
64. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free %n
65. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
when argument of printf( ) is
used as format string “%n”
low address
ESP
66. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
………
67. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
What’s the !!?!
68. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP
What’s the !!?!
%n은 두가지 동작을 하는데
한가지는 지금까지 출력된 자리수를 구하고, 두번째는
다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한
값을 기록합니다.(%n writes the number of bytes printed
so far to the target address)
69. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
70. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
4개의 문자열 (four strings)
Segmentation Fault / Crash Analysis
문자열의 길이? ( is it length of the string ?)
71. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
72. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
9개의 문자열 (four strings)
Segmentation Fault / Crash Analysis
문자열의 길이? ( it is length of the string !)
73. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
74. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
75. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
%n은 두가지 동작을 하는데
한가지는 지금까지 출력된 자리수를 구하고, 두번째는
다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한
값을 기록합니다.(%n writes the number of bytes printed
so far to the target address)
76. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
%n은 두가지 동작을 하는데
한가지는 지금까지 출력된 자리수를 구하고, 두번째는
다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한
값을 기록합니다.(%n writes the number of bytes printed
so far to the target address)
77. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
%n은 두가지 동작을 하는데
한가지는 지금까지 출력된 자리수를 구하고, 두번째는
다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한
값을 기록합니다.(%n writes the number of bytes printed
so far to the target address)
Point2. We can write the
arbitrary memory space
78. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free What about it ?
What do you want me
to do ?
79. Track2. Type of Vuln How do we make use of this ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control
Flow를 조작할 수 있다.
But ?
포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작
할 수 있다. (번거롭고 골치아프다)
ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할
수 있다.
GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할
수 있다.
80. Track2. Type of Vuln What is the Format String Bug ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
It’s my prey
81. Track2. Type of Vuln What is the Use After Free ?
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free not occurs crash
but, there are vulnerability
논리적인 취약점 (Logical Vulnerability)
할당 -> 사용 -> 해제 -> 사용
(Malloc -> Use -> Free -> Use)
크래쉬가 발생하지 않음 (but not occurs crash)
82. Proof of Concept about Use After Free
#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[])
{
char* buf1A;
char* buf2A;
char* buf3A;
char* data = "hello world";
buf1A = (char*) malloc(MAX);
buf2A = (char*) malloc(MAX);
strncpy(buf1A, data, MAX-1);
printf("[+]user input data = %s n",argv[1]);
printf("[+]data of buf1A = %sn",buf1A);
free(buf1A);
printf("[+]free buf1An");
strncpy(buf1A, argv[1], MAX-1);
printf("[+]copy user input data to buf1An");
printf("[+]after free, data of buf1A = %s n", buf1A);
}
Output :
h2spice@ubuntu:~/Desktop/useafterfree
$ ./useafterfreePoc use-after-free
[+]user input data = use-after-free
[+]data of buf1A = hello world
[+]free buf1A
[+]copy user input data to buf1A
[+]after free, data of buf1A = use-after-free
83. Proof of Concept about Use After Free
#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[])
{
char* buf1A;
char* buf2A;
char* buf3A;
char* data = "hello world";
buf1A = (char*) malloc(MAX);
buf2A = (char*) malloc(MAX);
strncpy(buf1A, data, MAX-1);
printf("[+]user input data = %s n",argv[1]);
printf("[+]data of buf1A = %sn",buf1A);
free(buf1A);
printf("[+]free buf1An");
strncpy(buf1A, argv[1], MAX-1);
printf("[+]copy user input data to buf1An");
printf("[+]after free, data of buf1A = %s n", buf1A);
}
Output :
h2spice@ubuntu:~/Desktop/useafterfree
$ ./useafterfreePoc use-after-free
[+]user input data = use-after-free
[+]data of buf1A = hello world
[+]free buf1A
[+]copy user input data to buf1A
[+]after free, data of buf1A = use-after-free
84. Proof of Concept about Use After Free
#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[])
{
char* buf1A;
char* buf2A;
char* buf3A;
char* data = "hello world";
buf1A = (char*) malloc(MAX);
buf2A = (char*) malloc(MAX);
strncpy(buf1A, data, MAX-1);
printf("[+]user input data = %s n",argv[1]);
printf("[+]data of buf1A = %sn",buf1A);
free(buf1A);
printf("[+]free buf1An");
strncpy(buf1A, argv[1], MAX-1);
printf("[+]copy user input data to buf1An");
printf("[+]after free, data of buf1A = %s n", buf1A);
}
Output :
h2spice@ubuntu:~/Desktop/useafterfree
$ ./useafterfreePoc use-after-free
[+]user input data = use-after-free
[+]data of buf1A = hello world
[+]free buf1A
[+]copy user input data to buf1A
[+]after free, data of buf1A = use-after-free
85. Proof of Concept about Use After Free
#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[])
{
char* buf1A;
char* buf2A;
char* buf3A;
char* data = "hello world";
buf1A = (char*) malloc(MAX);
buf2A = (char*) malloc(MAX);
strncpy(buf1A, data, MAX-1);
printf("[+]user input data = %s n",argv[1]);
printf("[+]data of buf1A = %sn",buf1A);
free(buf1A);
printf("[+]free buf1An");
strncpy(buf1A, argv[1], MAX-1);
printf("[+]copy user input data to buf1An");
printf("[+]after free, data of buf1A = %s n", buf1A);
}
Output :
h2spice@ubuntu:~/Desktop/useafterfree
$ ./useafterfreePoc use-after-free
[+]user input data = use-after-free
[+]data of buf1A = hello world
[+]free buf1A
[+]copy user input data to buf1A
[+]after free, data of buf1A = use-after-free
86. What is Exploitable Crash ?
mov eax,dword ptr [esi+0Ch]
mov eax,dword ptr [ecx]
mov edx,dword ptr [eax+5Ch]
call edx