<< hack 4 fun

Ak ste čítali legendárny Smashing The Stack For Fun And Profit popisujúci Buffer Overflow techniky by Aleph One, isto Vás zaujme aj aktuálne PDF – Smashing the stack in 2010 z dielne Andrea Cugliari – Linuxová časť a Mariano Graziano – Windows z Júla tohto roku. Report Vás prevedie teoretickými vedomosťami a krátkymi praktickými zručnosťami. BO azda nepotrebuje vysvetlenie, no predsa – pretečenie vyrovnávacej pamäte alebo preplnenie vyrovnávacej pamäte (angl. buffer overflow, alebo aj buffer overrun) je chyba v programe, ktorá vedie k zápisu mimo vyhradeného priestoru v pamäti a k chybnému behu, prípadne aj k pádu programu. Pád programu je často prvým krokom k vytvoreniu PoC, resp. finálneho exploitu.

Smashing The Stack For Fun And Profit by Aleph One:

http://www.phrack.org/issues.html?issue=49&id=14&mode=txt

Smashing the stack in 2010 - Report for the Computer Security exam at the Politecnico di Torino:

http://mariano-graziano.llab.it/docs/report.pdf

Obsah:

Contents

I Introduction and Theoretical Background ………………………………………………. 5

1 Theoretical Background ………………………………………………………………….. 5

1.1 Processes and memory layout in x86 ………………………………………………… 5

1.2 Registers, Pointers and Assembler ……………………………………………………. 5

1.3 Stack layout in x86 …………………………………………………………………….. 8

1.4 Function call and termination …………………………………………………………. 9

1.5 Buffer Overflow issue …………………………………………………………………. 12

1.6 Shellcodes ……………………………………………………………………………… 13

II Hands on Linux …………………………………………………………………………… 21

2 Setup Testbed environment ……………………………………………………………. 21

3 Linux buffer overflow ……………………………………………………………………. 22

3.1 How to change the flow of execution ………………………………………………. 22

3.2 How to spawn a Shell …………………………………………………………………. 27

3.3 Polite exit from a process: exit system call ………………………………………… 30

3.4 Write an exploit ………………………………………………………………………… 33

4 Protections against buffer overflow ……………………………………………………. 35

4.1 Programmers protections ……………………………………………………………… 35

4.2 System default protections …………………………………………………………… 36

4.2.1 Address Space Layout Randomization (ASLR) ……………………………………. 36

4.2.2 Stack Execute Invalidation (NX bit) ……………………………………………….. 39

4.3 Compiler and linker protections ……………………………………………………….. 41

4.3.1 StackShield (Optional) ………………………………………………………………. 41

4.3.2 StackGuard (Optional) ………………………………………………………………. 42

4.3.3 Stack Smashing Protector – ProPolice (Default installed) ………………………. 43

4.3.4 Run time checks ……………………………………………………………………… 43

4.4 Protections in a practical scenario …………………………………………………… 44

4.5 Combined Tricks in a future scenario ………………………………………………… 45

III Hands on Windows ………………………………………………………………………. 47

5 Setup Testbed environment …………………………………………………………….. 47

6 Windows buffer overflow 101 …………………………………………………………… 48

6.1 How to change the flow execution ………………………………………………….. 48

6.2 How to spawn a shell ………………………………………………………………….. 52

6.3 ExitProcess system call ……………………………………………………………….. 56

6.4 Write an exploit ………………………………………………………………………… 59

7 Protections against buffer overflow ……………………………………………………. 60

7.1 Buer Security Check – /GS ……………………………………………………………. 61

7.2 /SafeSEH ……………………………………………………………………………….. 63

7.2.1 /GS & /SafeSEH possible tricks …………………………………………………. 63

7.3 Address Space Layout Randomization (ASLR) ……………………………………… 64

7.3.1 Address Space Layout Randomization (ASLR) possible tricks ………………….. 66

7.4 Data Execution Prevention (DEP) ……………………………………………………. 66

7.4.1 Data Execution Prevention (DEP) possible tricks ………………………………… 68

7.5 Runtime Checks ………………………………………………………………………… 68

7.6 Results …………………………………………………………………………………… 69

7.7 Today, tomorrow, the future …………………………………………………………. 70

7.8 Conclusions ……………………………………………………………………………… 71