system hacking tutorial #1 - introduction to vulnerability and type of vulnerability
DESCRIPTION
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of VulnerabilityTRANSCRIPT
System Hacking & Reverse Engineering
documented by h2spice [email protected]
[Introduction to Vulnerability & Type of Vulnerability]
Who am I
Sanghwan,Ahn (h2spice)
Works for LINE.Corp
Carrying out research on the vulnerability (exploitation,hunt,analysis)
목차커리큘럼 소개
Track1 - Introduction to Vulnerability
Bugs
Crashes
Vulnerability
Exploitation
Defense Mechanism
Track2 - Type of Vulnerability
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
시스템 해킹 / 리버싱
취약점 원리
Buffer Overflow
Format String Bug
Stack Overflow
Use After Free
Heap Overflow
Heap Overflow
익스플로잇(Win32/*NIX/ARM)
Overwriting RET
Egg Hunting
Overwriting SEH
RTL
ROP
Heap Spraying
취약점 / 악성코드 분석
악성코드 분석
버그 헌팅
X86 ARM
취약점 분석
Software on X86
Mobile
소스코드 분석
퍼징
CVE-XXXX-XXXX
Exploit-DBInj3ct0r - 1337day
리버스 엔지니어링
iOS
Android
커리큘럼 소개
Overwriting .dtors
Overwriting GOT
Track1. Introduction to Vulnerability
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense Mechanism
About Bugs알수없는 에러 혹은 소프트웨어 설계상의 실수로부터 발생
예상하지 못한 동작 혹은 결과를 유발
버그로 부터 크래쉬가 발생
버그의 종류 논리적인(Logical) 버그
문법적인(Syntax) 버그
리소스 (Resource) 버그
...
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense Mechanism
About Crashes소프트웨어 크래쉬 정상적이지 않은 명령어 실행(Invalid instruction execution)
특정 권한을 필요로하는 명렁어 실행(Privileged instruction execution)
정상적이지 않은 메모리 역참조(Dereference of invalid memory)
운영체제/ 커널 크래쉬 BSOD (Blue Screen of Death)
복구 불가능한 크래쉬(Non-recoverable)
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense Mechanism
What is the vulnerability ?정의 ( from Wikipedia) 컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진 공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점(eg. execution of arbitrary code , bypass security mitigation, etc)
사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험성
악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한 동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다.
취약점의 예 버퍼 오버플로우 (Stack, Heap, Integer)
포맷스트링 (Format String)
널 포인트 역참조 (Null Pointer Dereference)
메모리 해제 후 사용 (Use After Free)
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense Mechanism
How many vulnerability disclosure ?
0
1750
3500
5250
7000
0
1750
3500
5250
7000
1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012
[ Total Vulnerabilities by Year ]
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense Mechanism
How many vulnerability disclosure ?
0
1750
3500
5250
7000
0
1750
3500
5250
7000
1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012
[ High Severity Vulnerabilities by Year ]
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense Mechanism
Type of vulnerability
버퍼 오버플로우 (Buffer Overflow) 스택 오버플로우 (Stack Overflow)
힙 오버플로우 (Heap Overflow)
정수형 오버플로우 (Integer Overflow)
포맷 스트링 (Format String Bug)
널 포인트 역참조 (Null Pointer Dereference)
메모리 해제 후 사용 (Use After Free)
...
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense Mechanism
What is the exploitation
소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생 흐름 제어 (Control hijack)
서비스 거부 (DOS: Denial-of-Service)
정보 유출 (Information Leakage)
소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격 소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인(일반적으로 사용자 입력값으로 부터 흐름제어 가능)
공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense Mechanism
What is the exploitation일반적인 보호 메커니즘(Common defense mechanisms) 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization)
데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute)
스택 쿠키 / 까나리 (Stack Cookies/Canaries)
...
보호 메커니즘 우회 (Bypass defense mechanisms) 무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got)
데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP)
스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite
Track1. Intro to Vuln
Bug
Crashes
Vulnerability
Exploitation
Defense Mechanism
Track2. Type of Vulnerability
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다 더 큰 데이터를 기록함으로써 발생
운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생
What is the Buffer Overflow
high address
ArgumentsReturn Address
Stack Frame PointerLocal Variables
(buffer area)low address
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
What is the Stack Overflow스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다.
int main(int argc, char* argv[]){ char buf[8]; strcpy(buf,argv[1]); return 0;}
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Principle of Stack Overflow
char buf[8];
strcpy(buf,argv[1]);
argv[1] = “AAAAAAA”
A A A A A A A \0
argv[1] = “AAAAAAAAAAAA”
A A A A A A A A A A A A
// 8바이트 버퍼 할당
// 버퍼 오버플로우 발생 X
// 버퍼 오버플로우 발생 O
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Stack LayoutLow Address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
High Address
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Stack LayoutLow Address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
High Address
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
Stack LayoutLow Address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
High Address
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
A A A A
Stack LayoutLow Address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
High Address
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
A A A A
A A A A
Stack LayoutLow Address
arg2
arg1
&ret (saved eip)
saved ebp
char buf[8]
High Address
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
A A A A
A A A A
A A A A
A A A A
What is the Heap Overflow힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다.
int main(int argc, char* argv[]){ char *buf buf = malloc(4); memcpy(buf,argv[1],size); return 0;}
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Principle of Heap Overflow
buf = malloc(4);
memcpy(buf,argv[1],sizeof(argv[1]));
argv[1] = “AAA”
A A A \0
argv[1] = “AAAAAAAAAAAA”
A A A A A A A A A A A A
// 4바이트 버퍼 할당
// 버퍼 오버플로우 발생 X
// 버퍼 오버플로우 발생 O
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Heap Layout
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_InUse bit
Prev_InUse bit
Heap Layout
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_InUse bit
Two allocated chunks on the heap
Prev_InUse bit
Heap Layout
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_InUse bit1
Two allocated chunks on the heap
Chunk2
Prev_InUse bitChunk1 0
Heap Layout
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_InUse bit1
Two allocated chunks on the heap
Chunk2
Prev_InUse bitChunk1 012(0xc)
13(0xd)12(0xc)
Heap Layout
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_sizesize
FD (pointer to the next free chunk)BK (pointer to the pref free chunk)
UnusedPrev_size
sizeData[4]
High Address
Prev_InUse bit
Two chunks, of which the first is free for allocation
Chunk1
unused Chunk
0
Heap Layout
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_InUse bit1
Two allocated chunks on the heap
Chunk2
Prev_InUse bitChunk1 012(0xc)
13(0xd)12(0xc)
A A A A
Heap Layout
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_InUse bit1
Two allocated chunks on the heap
Chunk2
Prev_InUse bitChunk1 012(0xc)
13(0xd)12(0xc)
A A A A
A A A A
Heap Layout
Calling .Start function:.Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Low Address
Prev_size
size
Data[4]
Prev_size
size
Data[4]
High Address
Prev_InUse bit1
Two allocated chunks on the heap
Chunk2
Prev_InUse bitChunk1 012(0xc)
13(0xd)12(0xc)
A A A A
A A A A
A A A A
A A A A
What is the Integer Overflowit occurs when the operation result stored is bigger than permissible range
it occurs when the operation result stored is smaller than permaissible range
it occurs in the operation process
difficulty in detecting, so massive code analysis is needed
0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0
0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0
1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0
2000030000
-15536
+
it is a negative number since it is interpreted as a sign bit
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Example of the Integer Overflow
Output 1 - The normal case
Output 2 - Integer Overflow
#include <stdio.h> #include <string.h>
int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]);
if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; }
printf("type1 = %d \n",type1); printf("type2 = %d\n",type2); return 0; }
Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
Example of Integer Buffer Overflow
#include <stdio.h> #include <string.h>
int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]);
if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; }
printf("type1 = %d \n",type1); printf("type2 = %d\n",type2); return 0; }
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 1 - The normal case
Output 2 - Integer Overflow
Example of Integer Buffer Overflow#include <stdio.h> #include <string.h>
#define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]);
printf("size of input data = %d \n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; }
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %d\n",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %s\n",buffer); return 0; }
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflowdeclare variable
(signed/unsigned type, static buffer)
Output 1 - The normal case
Example of Integer Buffer Overflow#include <stdio.h> #include <string.h>
#define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]);
printf("size of input data = %d \n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; }
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %d\n",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %s\n",buffer); return 0; }
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflowget size of user input data
and then, print size
Output 1 - The normal case
Example of Integer Buffer Overflowh2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
#include <stdio.h> #include <string.h>
#define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]);
printf("size of input data = %d \n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; }
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %d\n",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %s\n",buffer); return 0; }
check size of user input data (code to prevent buffer overflow)
Output 1 - The normal case
Example of Integer Buffer Overflow#include <stdio.h> #include <string.h>
#define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]);
printf("size of input data = %d \n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; }
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %d\n",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %s\n",buffer); return 0; }
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow copy user input data to buffer and then print user input data
Output 1 - The normal case
Example of Integer Buffer Overflow#include <stdio.h> #include <string.h>
#define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]);
printf("size of input data = %d \n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; }
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %d\n",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %s\n",buffer); return 0; }
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
if variable signed type stored in big data, will occur integing overflow
Output 1 - The normal case
Example of Integer Buffer Overflow#include <stdio.h> #include <string.h>
#define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]);
printf("size of input data = %d \n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; }
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %d\n",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %s\n",buffer); return 0; }
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
because type2 it has been set negative number, to bypass code that
prevent buffer overflow
Output 1 - The normal case
Example of Integer Buffer Overflow#include <stdio.h> #include <string.h>
#define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1))
int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]);
printf("size of input data = %d \n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; }
type2=(size_t) test_min(type1,BUFFER_SIZE);
printf("size of (size_t)type2 = %d\n",type2);
strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %s\n",buffer); return 0; }
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Output 2 - Integer Overflow
as a result, occur stack buffer overflow
Output 1 - The normal case
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free printf(buf);
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability occurs when user input data is used as format string)
Collect Usage : printf(“%s”, argv[1]);
Dangerous Usage : printf(arvg[1]);
임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to read & write arbitrary memory space)
정적 분석 도구를 이용하여 탐지 가능(Can be detected by Static Analysis Tools)
But still show up in many competition or software
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After FreeFormat String / Parameter Description
%d 정수형 10진수 상수 (integer)
%f 실수형 상수 (float)
%lf 실수형 상수 (double)
%c 문자 값 (char)
%s 문자 스트링 ((const)(unsigned) char *)
%u 양의 정수 (10 진수)
%o 양의 정수 (8 진수)
%x 양의 정수 (16 진수)
%s 문자열
%n * int (쓰인 총 바이트 수)
%hn %n의 반인 2바이트 단위
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
when user input data is used as string
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free %x
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
when user input data is used as Format String
when user input data is used as string
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
What’s the !!?!
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
What’s the !!?!
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
………
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
when argument of printf( ) is used as format string “%x”
ESP
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low addressESP
Hey! where is argument about Format string “%x”
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low addressESP
What happened to this ?
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low addressESP
What happened to this ?
we don’t have enough time
do as you usually do !
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low addressESP
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low addressESP
printf( ) 호출시 인자값 인자들은 스택에 적재되는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을
가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를
16진수로 출력해버리게됩니다.
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP+4printf( ) 호출시 인자값 인자들은 스택에 적재되
는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를
16진수로 출력해버리게됩니다.
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP+4ESP+8ESP+12ESP+16
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
ESP+4
Point1.
We c
an re
ad th
e
arbitra
ry mem
ory sp
ace
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free %n
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low address
when argument of printf( ) is used as format string “%n”
ESP
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low addressESP
………
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low addressESP
What’s the !!?!
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
high address
buf[256]
strcpy
printf
low addressESP
What’s the !!?!
%n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는
다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed
so far to the target address)
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
4개의 문자열 (four strings)
Segmentation Fault / Crash Analysis
문자열의 길이? ( is it length of the string ?)
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
9개의 문자열 (four strings)
Segmentation Fault / Crash Analysis
문자열의 길이? ( it is length of the string !)
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
%n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는
다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed
so far to the target address)
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
%n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는
다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed
so far to the target address)
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
%n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는
다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed
so far to the target address)
Point2.
We c
an write
the
arbitra
ry mem
ory sp
ace
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free What about it ?What do you want me
to do ?
How do we make use of this ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다.
포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다. (번거롭고 골치아프다)
ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할 수 있다.
GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할 수 있다.
But ?
What is the Format String Bug ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Free
It’s my prey
What is the Use After Free ?Track2. Type of Vuln
Buffer Overflow
Stack
Heap
Integer
Format String
Use After Freenot occurs crash
논리적인 취약점 (Logical Vulnerability)
할당 -> 사용 -> 해제 -> 사용 (Malloc -> Use -> Free -> Use) 크래쉬가 발생하지 않음 (but not occurs crash)
but, there are vulnerability
Proof of Concept about Use After Free#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s \n",argv[1]); printf("[+]data of buf1A = %s\n",buf1A); free(buf1A); printf("[+]free buf1A\n"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1A\n"); printf("[+]after free, data of buf1A = %s \n", buf1A); }
h2spice@ubuntu:~/Desktop/useafterfree$ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Output :
Proof of Concept about Use After Free#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s \n",argv[1]); printf("[+]data of buf1A = %s\n",buf1A); free(buf1A); printf("[+]free buf1A\n"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1A\n"); printf("[+]after free, data of buf1A = %s \n", buf1A); }
h2spice@ubuntu:~/Desktop/useafterfree$ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Output :
Proof of Concept about Use After Free#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s \n",argv[1]); printf("[+]data of buf1A = %s\n",buf1A); free(buf1A); printf("[+]free buf1A\n"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1A\n"); printf("[+]after free, data of buf1A = %s \n", buf1A); }
h2spice@ubuntu:~/Desktop/useafterfree$ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Output :
Proof of Concept about Use After Free#include <stdio.h>
#define MAX 512
int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s \n",argv[1]); printf("[+]data of buf1A = %s\n",buf1A); free(buf1A); printf("[+]free buf1A\n"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1A\n"); printf("[+]after free, data of buf1A = %s \n", buf1A); }
h2spice@ubuntu:~/Desktop/useafterfree$ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Output :
What is Exploitable Crash ?
mov eax,dword ptr [esi+0Ch]
mov eax,dword ptr [ecx]
mov edx,dword ptr [eax+5Ch]
call edx
Thank You :)