DOC PREVIEW
U of I CS 498 - Exploits Enabling Worms

This preview shows page 1-2-3-26-27-28 out of 28 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 28 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 28 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 28 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 28 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 28 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 28 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 28 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Exploits Enabling Worms Cyber Security Spring 06 Background reading Worm Anatomy and Model http portal acm org citation cfm id 9481 96 Smashing the Stack for Fun and Profit http phrack org phrack 49 P49 14 The Shellcoder s Handbook Due back at library early next week Outline Review worm structure Examine exploited vulnerabilities Buffer Overflow Return to Libc Format String exploits Heap Overflow What is a Worm An autonomous process that can cause a copy of itself or a variant to execute on a remote machine Various Goals Install trojan s for later access Install zombies for later DDoS or other activities Install spies for information gathering Personal fame Generally varies from a virus in that it propagates independently A virus needs a host program to propagate But otherwise many of the issues between worms and virus are the same Life Cycle of a Worm Initialization Install software understand the local machine configuration Payload Activation Activate the worm on the current host Network Propagation Identify new targets and propagate itself The cycle starts all over on the newly infected devices Network Propagation in More Detail Target Acquisition Identify hosts to attack Random address scans Code Red or locality biased Nimda Code Red v2 effectiveness changed based on good seeding Network Reconnaissance Determine if the target is available and what is running on it Attack Attempt to gain root access on the target Traditionally this has been buffer overflow Can also attack other weaknesses like weak passwords Infection Leverage root access to start the Initialization phase on the new host Dealing with Infected Machines Could try to remove the infected binaries and files Relying on virus scanning programs for their expertise on the infection Backup personal information and reimage the machine The only way to be sure Particularly for new or very insidious infections Be careful how much you restore If you backed up an infected file you may have re infected yourself Ideally you can use backups from before the infection Worm defenses Keep machines up to date on OS and daemon patches Limit network access E g no inbound TCP connections for the home network 10 minutes to infection for unguarded machines on the internet Use NIDS to look for characteristic behavior Keep signatures up to date Proactively block access from probing devices Example Worm LION Active around 2001 Three versions Not a particularly effective worm Uses a BIND exploit that attacks the named daemon Not activated on default RedHat 6 2 installations Administrator would have to explicitly add to inetd table and run as root Details on the BIND exploit http www networkassociates com us security resour ces sv ent24 htm Variant of the earlier worms ADMworm Millenium Worm Ramen worm Lion Life Cycle Attempts to connection to TCP port 53 on candidate target hosts Selects random class B network blocks to scan If target responds send malformed UDP IQUERY packet to UDP port 53 Used to determine if target is running vulnerable version of Linux running BIND 8 If vulnerable send overflow packet Attack code walks file descriptor table of exploited process to find FD of initial TCP connection Duplicates FD to stdin stdout stderr Spawn bin sh running at root Lion Life Cycle Continued Now can use original TCP connection as control channel to send shell commands Download and install software Versions 1 and 2 download from fixed site Version 3 uses Ramen distribution code to download from infecting host Send password files to central location for later analysis Cover tracks Erase logs and temporary files Buffer Overflow Exploits Write too much data into a stack buffer Replace return address on the stack with address of attack code Generally attack code attempts to start a shell If process is SetUID root shell will be root Attack code is often in the buffer Stack Structure Stack Ptr Buffer 512 Low address Saved Frame Ptr void func char a char buffer 512 strcpy buffer a Return Address Frame Ptr Function Arguments a Previous frames High address Shell Code Insert code to spawn a shell Phrack article discusses how to do this from first principles Create assembly code to exec bin sh Use GDB to get hex of machine code Rework assembly as necessary to avoid internal 0 s Could break attack if strcpy is used by attack target Will result in a hex string like xeb x1f x5e x89 x76 x08 x31 xc0 x88 x46 x07 x89 x4 6 x0c xb0 x0b x89 xf3 x8d x4e x08 x8d x56 x0c xcd x 80 x31 xdb x89 xd8 x40 xcd x80 xe8 xdc xff xff xff bin sh Structure of Buffer Buffer more than 512 bytes will replace other information on the stack like return address Problem is determining absolute address in buffer to jump to and ensuring you replace the return address Pad with leading NOPs and trailing return addresses Then your guesses on the stack structure do not need to be exact NOPs Shell Code Return Address Replacements Copied Stack Buffer 512 NOPs Shell Code Saved Frame Ptr Return Address N copies of Address X Function Arguments Previous frames Previous frames Address X Calculating New Return Address If you have source Use GDB to find stack address at appropriate invocation GDB reporting may not be accurate might take several guesses Use Eggshell program Approximate target program Takes buffer size and offset arguments Computes candidate buffers Emits buffers in environment variable named EGG Creates new shell on the way out so EGG is available after program has completed If you don t have source Brute force Examination of core files or other dumps Return to libc Make stack non executable to protect from buffer overflow Newer windows feature Feature in some flavors of Unix Linux Adapt by setting the return address to a known library Libc is home to nice functions like system which we can use to spawn a shell Return to Libc Stack Frame Ptr Buffer 512 Buffer 512 Saved Frame Ptr Return Address X new frame ptr Y system Y Z new return Function Arguments Previous frames Libc Segement ptr to bin sh X Previous frames Z exit Format String Errors What is a format string printf Foo 0x x d n addr count What happens if the arguments are missing printf Foo 0x x d n What if the end user can specify his own format string printf fmtstring Information Disclosure By specifying arbitrary x s or d s you can read the stack Made easier by direct parameter access 128 x print the 128 th argument as a hex Looking at the stack you can see the address to your own format string Reading arbitrary addresses You


View Full Document

U of I CS 498 - Exploits Enabling Worms

Documents in this Course
Lecture 5

Lecture 5

13 pages

LECTURE

LECTURE

39 pages

Assurance

Assurance

44 pages

LECTURE

LECTURE

36 pages

Pthreads

Pthreads

29 pages

Load more
Download Exploits Enabling Worms
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Exploits Enabling Worms and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Exploits Enabling Worms 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?