Advanced Buffer Overflow Technique

Document format: PPT   Updated: 2014-08-11
Advanced Buffer Overflow Technique
Greg Hoglund

Attack Theory
  • Formalize the Attack Method
  • Re-Use of Attack Code
  • Separate the Deployment from the Payload
  • Payloads can be chosen for desired effect
  • Details and Restraints of both Payload and Deployment code

Exploits
  • A "BUG" in Software
  • New bugs reported every day
  • automated testing tools
  • USSR Labs
  • "Exploit" is code that takes advantage of a bug in order to cause an effect

What can happen?
  • Machine Crash
  • kernel exception
  • VIP process
  • Application Crash (most common)
  • Recoverable Exception
  • Mobile Code (deadly)
  • File Access (read or write)
  • Denial of Service

Exploits can be grouped
  • Some bugs are all the same
  • Some bugs keep coming back
  • improper filtering
  • bounds checking
  • bad authentication
  • impersonation
  • In other words, need better testing

Entry -vs- Effect
  • The attack payload is not the same as the entry point
  • Missile -vs- Warhead analogy
  • The Delivery Mechanism can be decoupled from the Payload

Exploits come in 2 parts
  • Injection Vector (deployment)
  • the actual entry-point, usually tied explicitly with the bug itself
  • Payload (deployed)
  • usually not tied to bug at all - limited only by imagination. Some restraints.

Injection Vector
  • Target Dependent
  • OS Dependent
  • Application Version Dependent
  • Protocol Dependent
  • Encoding Dependent

Payload
  • Independent of Injection Vector
  • Still Depends on Machine, Processor, etc. With some exceptions
  • Mobile Code, Just like a Virus
  • Once established, can spread by any means
  • trust
  • scanning for more bugs

Payload
  • Denial of Service
  • use as launching point (arp spoofing)
  • Remote Shell (common)
  • covert channel or 'netcat' like
  • Worm/Virus extremely dangerous
  • Rootkit (common - stealth)

Injector/Payload Pairs
  • One injector works on 'n qualified hosts'
  • Example - IIS Injector works on ~20% of Web Hosts.
  • Payload
  • Remote Shell for control
  • Shutdown Machine
  • Shutdown ALL Machines on subnet

Types of Injection
  • Content Based
  • characters inserted into a data stream that result in the remote process doing something it shouldn't.
  • Process is still in control.
  • Buffer Overflow
  • poor programming practice subverts architecture of code execution. Process loses control.

Types of Injection
  • Trust Based
  • Boot virus / Floppy / CD (parasite process)
  • MACRO virus
  • Email Attachments (Melissa, etc)
  • Web Browsing (exploit user's trust, etc)
  • click thru

Governments write Injector Code?
  • 1995 US Defense Intelligence Agency Report
  • Cuban Military targets US w/ custom virii
  • University of Havana, team of less than 20 computer experts
  • Russian KGB
  • prior to 1991 coup attempt, KGB has virii intended to shut down US computers in times of war

Mobile code in Global 2000?
  • 1995 E&Y report: 67% of companies hit by virus
  • 1996 E&Y report: 63% of companies hit by virus
  • 1996 UK Information Security Breaches Survey: 51% of companies hit by virus

How hard can it hit?
  • NCSA 1997 report
  • 33% of all machines infected with virus
  • average cost of recovery ~$8000 US dollars
  • November 1988 Morris Worm
  • strikes ~6,000 computers (10% of Internet at time) within hours
  • spreads via Buffer Overflow in fingerd
  • spreads via Sendmail exploit

How hard can it hit?
  • 1989, "WANK" Worm
  • Hits NASA Goddard Space Center
  • spreads to US DOE High Energy Physics network (HEPNET)
  • 2 weeks to clean all systems

Buffer Overflow Injection
  • Overflow the Stack
  • Overflow the Heap
  • Goal: Must control the value of the instruction pointer (processor specific)
  • Goal: Get the Instruction Pointer to point to a user-controlled buffer.

Challenges
  • Injector/Payload size restrictions
  • tight coding requirements
  • Injector and Payload in same buffer
  • cannot step on each other
  • Guessing Address Values
  • sometimes called 'offsets'
  • NULL characters, BAD characters
  • use encoding and stack tricks

Stack Injection
  • Stack is used for execution housekeeping as well as buffer storage.
  • Stack-based buffer must be filled in direction of housekeeping data.
  • Must overwrite the housekeeping data

Address Housekeeping
  [diagram: code, heap and stack regions (A B C D) alongside the registers IP, DI, SI, FLAG, SP, BP; IP points into the stack]

Stack Overflow
  [diagram: stack words at addresses 00 40 20 08, 00 40 20 0C, 00 40 20 10, 00 40 20 14, 00 40 20 18, 00 40 20 1C]

The Problem with NULL
  [diagram: same stack addresses; the copy STOPS at the NULL byte]
  • NULL must be PAST housekeeping data
  [diagram: same stack addresses, marked OK once the NULL lands past the housekeeping data]

Little and Big Endian
  • On Intel x86 (Little Endian), Values are stored 'backwards' - least significant byte goes first:
  • 00 40 10 FF is stored as: FF 10 40 00

We store address in housekeeping data
  [diagram: stack words at addresses 00 40 21 04, 00 40 21 00, 00 40 20 0C, 00 40 20 08, 00 40 20 04, 00 40 20 00]
  • CD 68 45 7F  Original Address
  • 0C 20 40 00  New Address

Injection is Complete
  • We control the instruction pointer
  • 04 21 40 00  New Address

Where to put the payload
  [diagram: same stack addresses 00 40 21 04 through 00 40 20 00]
  • 04 21 40 00  New Address

Confined Payload
  • Byte Compression
  • Use only preloaded functions
  • Payload doesn't need to build jumptables
  • Usable functions must be loaded
  • Use Hardcoded addresses
  • Payload designed for a specific process with predictable features
  • Data portion of payload needs to be small

Using more stack for payload
  [diagram: stack words at addresses 77 40 20 08, 77 40 20 0C, 77 40 20 10, 77 40 20 14, 77 40 20 18, 77 40 20 1C, marked OK]
  • 0D 45 68 77  NO NULL in Address
  • Much Larger Payload

When does the address contain a NULL character
  • Lowland Address - starts with 00
  • stack is in lowland on Windows NT
  • usually 00 40 XX XX
  • limits size of payload
  • Highland Address - no zeros in address
  • stack is in highland under Linux
  • unlimited payload size

Large payload, Lowland address
  • We cannot use a lowland address directly, because it limits our payload
  • We can use a CPU register
  • We can use stack values that remain undamaged

A register points to the stack
  [diagram: code, heap and stack regions alongside the registers IP, DI, SI, FLAG, SP, BP; a register points into the stack]

Call thru a Register
  • Call eax, call ebx, etc
  • FF D0 = call eax
  • FF D3 = call ebx
  • FF D1 = call ecx
  • etc, etc

Push a register then return
  • Push register
  • push eax = 50
  • push ebx = 53
  • etc
  • Then RET
  • RET = C3

Guessing where to go
  • We jump to the wrong address
  • crashes software
  • payload doesn't execute
  • Use NOP (no-op) - a single byte instruction
  • NOP = 90
  • Fill buffer with NOP's
  • "NOP Sled"

NOP Sled
  [diagram: NOP sled leading into the payload]
  • End up at payload

Inject the Payload into the HEAP
  • When the stack is limited in size
  • Store part of the payload on stack, the other on the heap
  • Protocol Headers
  • HTTP headers
  • Recent Transactions
  • Open Files

Use the CPU
  [diagram: code, heap and stack regions alongside the registers IP, DI, SI, FLAG, SP, BP]

Execute code on the heap
  [diagram: same layout; IP points into the heap]

Trespassing the HEAP
  • Two C++ objects near one another
  • Any buffer that can overwrite a pointer
  • function pointer
  • string pointer (alter behavior w/o mobile code)

Overwrite the VTABLE
  • C++ objects have a virtual function table
  • Vtable pointer
  • Member variables grow away from vtable pointer (NT)

Overwrite VTABLE
  • Must have 2 C++ Objects (on heap)
  • Overwrite vtable ptr

Where do I make the VTABLE point?
  • Your own VTABLE
  • The VTABLE has addresses for all virtual functions in the class.
  • This usually includes a destructor - which will be called when the object is destroyed (deallocated from memory)
  • Overwrite any function that works

Injection is complete
  • Kernel level overflows all over in NT
  • Off by one errors causing frame pointer overwrite
  • Multi-stage attacks where you must first get the target into a state before attempting overflow
  • The effects of URL or MIME encoding

Now for the Payload
  • Using Loaded Functions
  • Encoding our own data
  • Loading new functions & DLL's
  • Making a shell

The Payload
  [diagram: payload layout labelled Real Code, DATA, NOP Sled]

Getting Bearings
  • Call RELOC:
  • RELOC: pop edi
  • EB 00 00 00 00
  • edi now has our code address
  • we can use this as an offset to our data

Reverse Short Call
  • NO NULL Bytes
  • RELOC: jmp RELOC2
  • Call RELOC:
  • RELOC2: pop edi
  • EB FF FF FF FE

XOR Protection
  • Cannot have NULL's in data portion
  • XOR every BYTE
  • XOR again to decode
  • Begin decode

Hardcoded Function Calls
  [diagram labelled 'code']

Pros/Cons to hard coding
  • PRO: makes code smaller
  • CON: what if function isn't always in same place?
  • Dynamically loaded DLL's
  • PRO: some DLL's are *usually* always in the same place
  • KERNEL32.DLL

Dynamic Function Loading
  • Use LoadLibrary() and GetProcAddress()
  • usually always in same place
  • hard coding usually works
  • Load New DLL's
  • Find any function by ASCII name
  • handy

Load Function by Name
  [diagram labelled 'Function name stored here', getprocaddress]

Build a jumptable
  [diagram labelled getprocaddress]

Use Jumptable
  [diagram]

HASH Loading (el8)
  • Process already has ASCII names of all loaded functions stored in process-header
  • We can locate any loaded function by checking the CRC of each loaded ASCII name
  • We do not need to store function names in our DATA section - only CRC's
  • makes payload smaller!
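The hash-based lookup the "HASH Loading" slides describe can be run in reverse by an analyst: hash every export name the process header advertises, then scan a recovered payload for those values to learn which functions it resolves. This is an added example in Python, not code from the deck; the deck does not say which CRC it uses, so CRC-32 via zlib is an assumption here, and the export list and the payload bytes are constructed.

```python
import struct
import zlib

# Assumption: the deck only says "CRC of each loaded ASCII name"; CRC-32 as
# implemented by zlib stands in for whatever hash a given payload uses.
def name_hash(name: str) -> int:
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF

# Constructed export list standing in for the ASCII names each loaded
# module's PE header exposes (the deck's PE OFFSET -> ASCII NAME -> Address).
KNOWN_EXPORTS = {
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "CreateProcessA"],
    "WININET.DLL": ["InternetOpenUrlA", "InternetReadFile"],
    "WS2_32.DLL": ["socket", "bind", "listen", "accept", "send", "recv"],
}

def build_hash_table(exports=KNOWN_EXPORTS) -> dict:
    """Map hash -> 'MODULE!Name', the inverse of the lookup a hash-loading
    payload performs at runtime. A collision would make a CRC ambiguous,
    so refuse to build a table that contains one."""
    table = {}
    for module, names in exports.items():
        for name in names:
            h = name_hash(name)
            if h in table:
                raise ValueError(f"hash collision: {name} vs {table[h]}")
            table[h] = f"{module}!{name}"
    return table

def scan_for_api_hashes(data: bytes, table: dict) -> list:
    """Read a 4-byte little-endian value at every offset of a decoded
    payload and report each one that equals a known export hash."""
    hits = []
    for off in range(len(data) - 3):
        (value,) = struct.unpack_from("<I", data, off)
        if value in table:
            hits.append((off, table[value]))
    return hits

# Constructed sample: a pretend DATA section after XOR decoding, holding two
# real export hashes between filler bytes plus one value that is not a hash.
SAMPLE_DATA = (
    b"\x90" * 4
    + struct.pack("<I", name_hash("GetProcAddress"))
    + b"AB"
    + struct.pack("<I", name_hash("CreateProcessA"))
    + struct.pack("<I", 0x41414141)
)

HITS = scan_for_api_hashes(SAMPLE_DATA, build_hash_table())
```

HITS lists (offset, "MODULE!Name") pairs, so an analyst can name the imports a payload carries only as CRCs.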
PE Header
  [diagram labelled PE OFFSET, Optional Header, ASCII NAME, Address]

Check CRC's
  [diagram labelled CRC]

Limited Character Set means Limited Instruction Set
  • Payload is filtered
  • MIME
  • URL
  • alphanumeric only (email headers)
  • short jumps (difficult to maintain)
  • pop/push
  • subtract

The Bridge
  • Avoids jump instruction
  • size must be calculated exactly

Load New DLL
  • WININET.DLL
  • Use DLL functions
  • InternetOpenURL()
  • InternetReadFile()
  • Does all the hard work
  • Makes payload smaller
  • Download and Execute any file, anywhere
  • File stored anonymously - hard to trace

WS2_32.DLL
  • Socket
  • bind
  • listen
  • send
  • recv
  • accept

Interrupt Calls
  • Don't require addresses
  • Small
  • Easy to use
  • Load register with call number
  • Load register with argument pointer
  • interrupt (2 bytes long)
  • CD 2E (interrupt 2E)
  • CD 80 (interrupt 80)

Remote Command Shell
  • Spawn a process
  • CreateProcessA (kernel32 function)
  • INT 80 (linux) (execve syscall)
  • Pipe the output thru socket
  • Named pipes (~5 functions)
  • Connect in or out over any TCP socket

Covert Channel
  • If exploited process is root or SYSTEM
  • TDI or NDIS hook
  • session over ACK packets or ICMP
  • IIS
  • Patch any point where URL requests are handled
  • no kernel required

WORMS
  • Payload searches for new hosts to attack
  • Trust Exploitation
  • sniff passwords on wire
  • SMB sessions to other NT hosts
  • NT Registry Alteration
  • NFS/Drive Sharing
  • Consider survivability of Payload
  • what % of hosts are eligible?
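The byte values the "Call thru a Register", "Push a register then return", "NOP Sled" and "Interrupt Calls" slides give are exactly what a content filter or IDS can look for in inbound data. This is an added example in Python, not code from the deck: it scans a buffer for those opcodes and for long NOP runs, and alerts only on the layout the deck describes (a sled followed by one of the primitives). The request bytes and the sled-length threshold are constructed assumptions.

```python
import re

# Opcode byte values as listed on the slides; grouping them into regexes is
# this example's own choice.
PATTERNS = {
    "call eax/ecx/ebx (FF D0/D1/D3)": re.compile(rb"\xff[\xd0\xd1\xd3]"),
    "push eax|ebx ; ret (50|53 C3)": re.compile(rb"[\x50\x53]\xc3"),
    "int 2E (CD 2E)": re.compile(rb"\xcd\x2e"),
    "int 80 (CD 80)": re.compile(rb"\xcd\x80"),
}
# Assumed threshold: short runs of 0x90 occur in ordinary code and data, so
# only a run long enough to serve as a landing zone counts as a sled.
MIN_SLED = 16

def find_nop_sleds(data: bytes, min_len: int = MIN_SLED) -> list:
    """Return (offset, length) for every run of 0x90 at least min_len long."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x90{%d,}" % min_len, data)]

def scan_buffer(data: bytes) -> dict:
    """Pattern name -> offsets where it occurs, plus the NOP sleds found."""
    found = {name: [m.start() for m in pat.finditer(data)]
             for name, pat in PATTERNS.items()}
    found["nop sled"] = find_nop_sleds(data)
    return found

def looks_like_injection(data: bytes) -> bool:
    """Two-byte opcodes alone are weak evidence (they appear in legitimate
    binaries); alert only when a primitive follows the end of a sled."""
    found = scan_buffer(data)
    if not found["nop sled"]:
        return False
    sled_end = max(off + length for off, length in found["nop sled"])
    return any(off >= sled_end
               for name, offs in found.items() if name != "nop sled"
               for off in offs)

# Constructed samples: an ordinary request line, and one whose path carries
# a 32-byte sled followed by "call eax" and "push eax; ret".
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
SUSPECT = b"GET /" + b"\x90" * 32 + b"\xff\xd0\x50\xc3" + b" HTTP/1.0\r\n"

if __name__ == "__main__":
    print(scan_buffer(SUSPECT))
    print(looks_like_injection(BENIGN), looks_like_injection(SUSPECT))
```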
Lysine Deficiency
  • Worm will die if certain condition is not met
  • Existence of File
  • Existence of Network Entity
  • Floppy in floppy drive (testing lab)

RECAP
  • Injection is not the same as payload
  • Payloads can perform
  • Denial of Service
  • WORM
  • Remote Shell
  • Rootkit

RECAP
  • Injection has many challenges
  • NULL characters
  • Stack size
  • Highland/Lowland address
  • Calling thru CPU registers

RECAP
  • Filters limit what we can use in a payload
  • Limited OP-CODE sets can still be used to build fully functional programs

RECAP
  • Our payload is encoded
  • We can build jumptables
  • We can load new DLL's and Functions
  • We can hard-code addresses or load them dynamically
  • We can use Lysine Deficiency to keep Worms from spreading uncontrolled

Thank You
  • Your mind is your primary weapon
  • http://www.rootkit.com
  • hoglund@ieway.com