SlideShare a Scribd company logo

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

sanghwan ahn
sanghwan ahn

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

Software
1 of 87
Download to read offline
System Hacking & Reverse Engineering [Introduction to Vulnerability & Type of Vulnerability] documented by h2spice h2spice@gmail.com
Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
목차 커리큘럼 소개 Track1 - Introduction to Vulnerability Bugs Crashes Vulnerability Exploitation Defense Mechanism Track2 - Type of Vulnerability Buffer Overflow Stack Heap Integer Format String Use After Free
시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
Track1. Introduction to Vulnerability
Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
About Bugs 알수없는 에러 혹은 소프트웨어 설계상의 실수로부터 발생 예상하지 못한 동작 혹은 결과를 유발 버그로 부터 크래쉬가 발생 버그의 종류 논리적인(Logical) 버그 문법적인(Syntax) 버그 리소스 (Resource) 버그 ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
About Crashes 소프트웨어 크래쉬 정상적이지 않은 명령어 실행 (Invalid instruction execution) 특정 권한을 필요로하는 명렁어 실행 (Privileged instruction execution) 정상적이지 않은 메모리 역참조 (Dereference of invalid memory) 운영체제/ 커널 크래쉬 BSOD (Blue Screen of Death) 복구 불가능한 크래쉬(Non-recoverable) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the vulnerability ? 정의 ( from Wikipedia) 컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진 공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점 (eg. execution of arbitrary code , bypass security mitigation, etc) 사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험 성 악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한 동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다. 취약점의 예 버퍼 오버플로우 (Stack, Heap, Integer) 포맷스트링 (Format String) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ Total Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ High Severity Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
Type of vulnerability 버퍼 오버플로우 (Buffer Overflow) 스택 오버플로우 (Stack Overflow) 힙 오버플로우 (Heap Overflow) 정수형 오버플로우 (Integer Overflow) 포맷 스트링 (Format String Bug) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the exploitation 소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생 흐름 제어 (Control hijack) 서비스 거부 (DOS: Denial-of-Service) 정보 유출 (Information Leakage) 소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격 소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인 (일반적으로 사용자 입력값으로 부터 흐름제어 가능) 공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어 Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the exploitation 일반적인 보호 메커니즘(Common defense mechanisms) 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization) 데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) ... 보호 메커니즘 우회 (Bypass defense mechanisms) 무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got) 데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
Track2. Type of Vulnerability
Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
What is the Buffer Overflow C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다 더 큰 데이터를 기록함으로써 발생 운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생 high address Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
What is the Stack Overflow 스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다. int main(int argc, char* argv[]) { char buf[8]; strcpy(buf,argv[1]); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Principle of Stack Overflow char buf[8]; strcpy(buf,argv[1]); argv[1] = “AAAAAAA” A A A A A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 8바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
What is the Heap Overflow 힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복 사되어질 때 발생합니다. int main(int argc, char* argv[]) { char *buf buf = malloc(4); memcpy(buf,argv[1],size); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Principle of Heap Overflow buf = malloc(4); memcpy(buf,argv[1],sizeof(argv[1])); argv[1] = “AAA” A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 4바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Heap Layout Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two chunks, of which the first is free for allocation Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size unused Chunk FD (pointer to the next free chunk) BK (pointer to the pref free chunk) Unused Prev_size size Data[4] High Address Prev_In Use bit Chunk1 0
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
What is the Integer Overflow it occurs when the operation result stored is bigger than permissible range it occurs when the operation result stored is smaller than permaissible range it occurs in the operation process difficulty in detecting, so massive code analysis is needed 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0 20000 30000 -15536 + it is a negative number since it is interpreted as a sign bit Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Example of the Integer Overflow Output 1 - The normal case Output 2 - Integer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ declare variable (signed/unsigned type, static buffer) Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ get size of user input data and then, print size Output 1 - The normal case
Example of Integer Buffer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } check size of user input data (code to prevent buffer overflow) Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ Output 2 - Integer Overflow copy user input data to buffer type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ and then print user input data Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ if variable signed type stored in big data, will occur integing overflow Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ because type2 it has been set negative number, to bypass code that prevent buffer overflow Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ as a result, occur stack buffer overflow
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free printf(buf);
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability occurs when user input data is used as format string) Collect Usage : printf(“%s”, argv[1]); Dangerous Usage : printf(arvg[1]); 임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to read & write arbitrary memory space) 정적 분석 도구를 이용하여 탐지 가능(Can be detected by Static Analysis Tools) But still show up in many competition or software
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free Format String / Parameter Description %d 정수형 10진수 상수 (integer) %f 실수형 상수 (float) %lf 실수형 상수 (double) %c 문자 값 (char) %s 문자 스트링 ((const)(unsigned) char *) %u 양의 정수 (10 진수) %o 양의 정수 (8 진수) %x 양의 정수 (16 진수) %s 문자열 %n * int (쓰인 총 바이트 수) %hn %n의 반인 2바이트 단위
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %x
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string when user input data is used as Format String
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free ………
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%x” low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Hey! where is argument about Format string “%x”
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ?
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ? we don’t have enough time do as you usually do !
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf ESP printf( ) 호출시 인자값 인자들은 스택에 적재되 low address 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 printf( ) 호출시 인자값 인자들은 스택에 적재되 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+16 ESP+12 ESP+8 ESP+4
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 Point1. We can read the arbitrary memory space
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%n” low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP ………
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?! %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 4개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( is it length of the string ?)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 9개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( it is length of the string !)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address) Point2. We can write the arbitrary memory space
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What about it ? What do you want me to do ?
Track2. Type of Vuln How do we make use of this ? Buffer Overflow Stack Heap Integer Format String Use After Free 버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다. But ? 포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작 할 수 있다. (번거롭고 골치아프다) ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할 수 있다. GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할 수 있다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free It’s my prey
Track2. Type of Vuln What is the Use After Free ? Buffer Overflow Stack Heap Integer Format String Use After Free not occurs crash but, there are vulnerability 논리적인 취약점 (Logical Vulnerability) 할당 -> 사용 -> 해제 -> 사용 (Malloc -> Use -> Free -> Use) 크래쉬가 발생하지 않음 (but not occurs crash)
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
What is Exploitable Crash ? mov eax,dword ptr [esi+0Ch] mov eax,dword ptr [ecx] mov edx,dword ptr [eax+5Ch] call edx
Thank You :)

Recommended

System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPsanghwan ahn
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Huntingsanghwan ahn
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Dosanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
Code Vulnerabilities & Attacks
Code Vulnerabilities & AttacksCode Vulnerabilities & Attacks
Code Vulnerabilities & AttacksMarcus Botacin
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 

Recommended

System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPsanghwan ahn
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Huntingsanghwan ahn
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Dosanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
Code Vulnerabilities & Attacks
Code Vulnerabilities & AttacksCode Vulnerabilities & Attacks
Code Vulnerabilities & AttacksMarcus Botacin
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelJinbumPark
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析Mr. Vengineer
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-driversyushiang fu
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?Mr. Vengineer
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow nullnullowaspmumbai
 
Buffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh SharmaBuffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh Sharman|u - The Open Security Community
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasurestharindunew
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Patricia Aas
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsGergely Szabó
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world! Hacks in Taiwan (HITCON)
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack FirmwareSimen Li
 
20110114 Next Generation Sequencing Course
20110114 Next Generation Sequencing Course20110114 Next Generation Sequencing Course
20110114 Next Generation Sequencing CoursePierre Lindenbaum
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveArduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveHoward Lewis Ship
 
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...sanghwan ahn
 

More Related Content

What's hot

Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelJinbumPark
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析Mr. Vengineer
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-driversyushiang fu
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?Mr. Vengineer
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasurestharindunew
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Patricia Aas
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsGergely Szabó
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack FirmwareSimen Li
 
20110114 Next Generation Sequencing Course
20110114 Next Generation Sequencing Course20110114 Next Generation Sequencing Course
20110114 Next Generation Sequencing CoursePierre Lindenbaum
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 

What's hot (20)

Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-drivers
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow null
 
Buffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh SharmaBuffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh Sharma
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasures
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
 
20110114 Next Generation Sequencing Course
20110114 Next Generation Sequencing Course20110114 Next Generation Sequencing Course
20110114 Next Generation Sequencing Course
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 

Viewers also liked

Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveArduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveHoward Lewis Ship
 
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...sanghwan ahn
 
kiến trúc máy tính và hợp ngữ Bài 00
kiến trúc máy tính và hợp ngữ Bài 00kiến trúc máy tính và hợp ngữ Bài 00
kiến trúc máy tính và hợp ngữ Bài 00Nhóc Nhóc
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworksphanleson
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Stringsphanleson
 
Buffer overflow(bao cao)
Buffer overflow(bao cao)Buffer overflow(bao cao)
Buffer overflow(bao cao)phanleson
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...CODE BLUE
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingJonathan Salwan
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Bug Hunting with Media Formats
Bug Hunting with Media FormatsBug Hunting with Media Formats
Bug Hunting with Media FormatsRussell Sanford
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity George Boobyer
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)Sam Bowne
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 

Viewers also liked (19)

Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveArduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
 
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
 
kiến trúc máy tính và hợp ngữ Bài 00
kiến trúc máy tính và hợp ngữ Bài 00kiến trúc máy tính và hợp ngữ Bài 00
kiến trúc máy tính và hợp ngữ Bài 00
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
 
Buffer overflow(bao cao)
Buffer overflow(bao cao)Buffer overflow(bao cao)
Buffer overflow(bao cao)
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Bug Hunting with Media Formats
Bug Hunting with Media FormatsBug Hunting with Media Formats
Bug Hunting with Media Formats
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Oracle ASM Training
Oracle ASM TrainingOracle ASM Training
Oracle ASM Training
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Rand rr1751
Rand rr1751Rand rr1751
Rand rr1751
 

Similar to System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacksKapil Nagrale
 
Control hijacking
Control hijackingControl hijacking
Control hijackingG Prachi
 
Buffer Overflows Shesh Jun 3 09
Buffer Overflows Shesh Jun 3 09Buffer Overflows Shesh Jun 3 09
Buffer Overflows Shesh Jun 3 09dhanya.sumeru
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
BufferOverflow - Offensive point of View
BufferOverflow - Offensive point of ViewBufferOverflow - Offensive point of View
BufferOverflow - Offensive point of ViewToe Khaing
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflowsdrewz lin
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitationDharmalingam Ganesan
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Idguest215c4e
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonMalachi Jones
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blindNikitaAndhale
 
1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docxaryan532920
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 

Similar to System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability (20)

Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
 
Buffer Overflows Shesh Jun 3 09
Buffer Overflows Shesh Jun 3 09Buffer Overflows Shesh Jun 3 09
Buffer Overflows Shesh Jun 3 09
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
BufferOverflow - Offensive point of View
BufferOverflow - Offensive point of ViewBufferOverflow - Offensive point of View
BufferOverflow - Offensive point of View
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflows
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitation
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
What`s new in Java 7
What`s new in Java 7What`s new in Java 7
What`s new in Java 7
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with Python
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflows
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
 
1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 

Recently uploaded

Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 

Recently uploaded (20)

Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

  • 1. System Hacking & Reverse Engineering [Introduction to Vulnerability & Type of Vulnerability] documented by h2spice h2spice@gmail.com
  • 2. Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
  • 3. 목차 커리큘럼 소개 Track1 - Introduction to Vulnerability Bugs Crashes Vulnerability Exploitation Defense Mechanism Track2 - Type of Vulnerability Buffer Overflow Stack Heap Integer Format String Use After Free
  • 4. 시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
  • 5. Track1. Introduction to Vulnerability
  • 6. Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 7. About Bugs 알수없는 에러 혹은 소프트웨어 설계상의 실수로부터 발생 예상하지 못한 동작 혹은 결과를 유발 버그로 부터 크래쉬가 발생 버그의 종류 논리적인(Logical) 버그 문법적인(Syntax) 버그 리소스 (Resource) 버그 ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 8. About Crashes 소프트웨어 크래쉬 정상적이지 않은 명령어 실행 (Invalid instruction execution) 특정 권한을 필요로하는 명렁어 실행 (Privileged instruction execution) 정상적이지 않은 메모리 역참조 (Dereference of invalid memory) 운영체제/ 커널 크래쉬 BSOD (Blue Screen of Death) 복구 불가능한 크래쉬(Non-recoverable) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 9. What is the vulnerability ? 정의 ( from Wikipedia) 컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진 공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점 (eg. execution of arbitrary code , bypass security mitigation, etc) 사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험 성 악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한 동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다. 취약점의 예 버퍼 오버플로우 (Stack, Heap, Integer) 포맷스트링 (Format String) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 10. How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ Total Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 11. How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ High Severity Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 12. Type of vulnerability 버퍼 오버플로우 (Buffer Overflow) 스택 오버플로우 (Stack Overflow) 힙 오버플로우 (Heap Overflow) 정수형 오버플로우 (Integer Overflow) 포맷 스트링 (Format String Bug) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 13. What is the exploitation 소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생 흐름 제어 (Control hijack) 서비스 거부 (DOS: Denial-of-Service) 정보 유출 (Information Leakage) 소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격 소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인 (일반적으로 사용자 입력값으로 부터 흐름제어 가능) 공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어 Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 14. What is the exploitation 일반적인 보호 메커니즘(Common defense mechanisms) 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization) 데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) ... 보호 메커니즘 우회 (Bypass defense mechanisms) 무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got) 데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 15. Track2. Type of Vulnerability
  • 16. Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 17. What is the Buffer Overflow C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다 더 큰 데이터를 기록함으로써 발생 운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생 high address Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 18. What is the Stack Overflow 스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다. int main(int argc, char* argv[]) { char buf[8]; strcpy(buf,argv[1]); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 19. Principle of Stack Overflow char buf[8]; strcpy(buf,argv[1]); argv[1] = “AAAAAAA” A A A A A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 8바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 20. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 21. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 22. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 23. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 24. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 25. What is the Heap Overflow 힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복 사되어질 때 발생합니다. int main(int argc, char* argv[]) { char *buf buf = malloc(4); memcpy(buf,argv[1],size); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 26. Principle of Heap Overflow buf = malloc(4); memcpy(buf,argv[1],sizeof(argv[1])); argv[1] = “AAA” A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 4바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 27. Heap Layout Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
  • 28. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
  • 29. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In
  • 30. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 31. Heap Layout Two chunks, of which the first is free for allocation Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size unused Chunk FD (pointer to the next free chunk) BK (pointer to the pref free chunk) Unused Prev_size size Data[4] High Address Prev_In Use bit Chunk1 0
  • 32. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 33. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 34. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 35. What is the Integer Overflow it occurs when the operation result stored is bigger than permissible range it occurs when the operation result stored is smaller than permaissible range it occurs in the operation process difficulty in detecting, so massive code analysis is needed 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0 20000 30000 -15536 + it is a negative number since it is interpreted as a sign bit Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 36. Example of the Integer Overflow Output 1 - The normal case Output 2 - Integer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 37. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
  • 38. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ declare variable (signed/unsigned type, static buffer) Output 1 - The normal case
  • 39. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ get size of user input data and then, print size Output 1 - The normal case
  • 40. Example of Integer Buffer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } check size of user input data (code to prevent buffer overflow) Output 1 - The normal case
  • 41. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ Output 2 - Integer Overflow copy user input data to buffer type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ and then print user input data Output 1 - The normal case
  • 42. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ if variable signed type stored in big data, will occur integing overflow Output 1 - The normal case
  • 43. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ because type2 it has been set negative number, to bypass code that prevent buffer overflow Output 1 - The normal case
  • 44. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ as a result, occur stack buffer overflow
  • 45. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free printf(buf);
  • 46. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability occurs when user input data is used as format string) Collect Usage : printf(“%s”, argv[1]); Dangerous Usage : printf(arvg[1]); 임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to read & write arbitrary memory space) 정적 분석 도구를 이용하여 탐지 가능(Can be detected by Static Analysis Tools) But still show up in many competition or software
  • 47. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free Format String / Parameter Description %d 정수형 10진수 상수 (integer) %f 실수형 상수 (float) %lf 실수형 상수 (double) %c 문자 값 (char) %s 문자 스트링 ((const)(unsigned) char *) %u 양의 정수 (10 진수) %o 양의 정수 (8 진수) %x 양의 정수 (16 진수) %s 문자열 %n * int (쓰인 총 바이트 수) %hn %n의 반인 2바이트 단위
  • 48. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string
  • 49. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %x
  • 50. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string when user input data is used as Format String
  • 51. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
  • 52. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
  • 53. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free ………
  • 54. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address
  • 55. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%x” low address ESP
  • 56. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Hey! where is argument about Format string “%x”
  • 57. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ?
  • 58. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ? we don’t have enough time do as you usually do !
  • 59. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP
  • 60. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf ESP printf( ) 호출시 인자값 인자들은 스택에 적재되 low address 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
  • 61. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 printf( ) 호출시 인자값 인자들은 스택에 적재되 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
  • 62. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+16 ESP+12 ESP+8 ESP+4
  • 63. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 Point1. We can read the arbitrary memory space
  • 64. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n
  • 65. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%n” low address ESP
  • 66. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP ………
  • 67. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?!
  • 68. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?! %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 69. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 70. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 4개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( is it length of the string ?)
  • 71. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 72. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 9개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( it is length of the string !)
  • 73. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 74. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 75. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 76. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 77. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address) Point2. We can write the arbitrary memory space
  • 78. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What about it ? What do you want me to do ?
  • 79. Track2. Type of Vuln How do we make use of this ? Buffer Overflow Stack Heap Integer Format String Use After Free 버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다. But ? 포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작 할 수 있다. (번거롭고 골치아프다) ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할 수 있다. GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할 수 있다.
  • 80. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free It’s my prey
  • 81. Track2. Type of Vuln What is the Use After Free ? Buffer Overflow Stack Heap Integer Format String Use After Free not occurs crash but, there are vulnerability 논리적인 취약점 (Logical Vulnerability) 할당 -> 사용 -> 해제 -> 사용 (Malloc -> Use -> Free -> Use) 크래쉬가 발생하지 않음 (but not occurs crash)
  • 82. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 83. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 84. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 85. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 86. What is Exploitable Crash ? mov eax,dword ptr [esi+0Ch] mov eax,dword ptr [ecx] mov edx,dword ptr [eax+5Ch] call edx