This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
session:10 [2020/07/12 20:56] Silvia Pripoae Checksec usage |
session:10 [2020/07/19 12:49] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | = 0x09. Defense Mechanisms | + | ====== 0x09. Defense Mechanisms |
- | == Resources | + | ===== Resources |
- | [[http:// | + | [[http:// |
- | [[https://security.cs.pub.ro/summer-school/res/arc/09-defense-mechanisms-skel.zip|Activities archive]] | + | Get the tasks by cloning |
- | == Tutorials | + | |
+ | ===== Tutorials | ||
The previous sessions ([[: | The previous sessions ([[: | ||
Line 24: | Line 25: | ||
</ | </ | ||
- | == Tools | + | ===== Tools ===== |
The **checksec** command-line tool is a wrapper over the functionality implemented in pwntools' | The **checksec** command-line tool is a wrapper over the functionality implemented in pwntools' | ||
Line 42: | Line 43: | ||
<note warning> To get it to work in the Kali VM, you have to update pwntools to the latest version using: | <note warning> To get it to work in the Kali VM, you have to update pwntools to the latest version using: | ||
< | < | ||
- | pip install -U pwntools | + | $ pip install -U pwntools |
</ | </ | ||
</ | </ | ||
- | === Executable Space Protection | + | ==== Executable Space Protection |
The **executable space protection** is an instance of the **principle of least privilege**, | The **executable space protection** is an instance of the **principle of least privilege**, | ||
Line 69: | Line 70: | ||
There are of course other implementations in different hardening-oriented projects such as: OpenBSD [[http:// | There are of course other implementations in different hardening-oriented projects such as: OpenBSD [[http:// | ||
- | ==== Walk-through | + | === Walk-through |
The Linux kernel provides support for managing memory protections in the '' | The Linux kernel provides support for managing memory protections in the '' | ||
Line 196: | Line 197: | ||
</ | </ | ||
- | ==== Bypassing NX | + | === Bypassing NX === |
**ret-to-plt/ | **ret-to-plt/ | ||
Line 204: | Line 205: | ||
**Return Oriented Programming (ROP).** This is a generalization of the ret-to-* approach that makes use of existing code to execute almost anything. As this is probably one of the most common types of attacks, it will be discussed in depth in a future section. | **Return Oriented Programming (ROP).** This is a generalization of the ret-to-* approach that makes use of existing code to execute almost anything. As this is probably one of the most common types of attacks, it will be discussed in depth in a future section. | ||
- | === Address Space Layout Randomization | + | ==== Address Space Layout Randomization |
Address Space Layout Randomization (ASLR) is a security feature that maps different memory regions of an executable at random addresses. This prevents buffer overflow-based attacks that rely on known addresses such as the stack (for calling into shellcode), or dynamically linked libraries (for calling functions that were not already linked with the target binary). Usually, the sections that are randomly mapped are: the stack, the heap, the VDSO page, and the dynamic libraries. The code section can also be randomly mapped for [[http:// | Address Space Layout Randomization (ASLR) is a security feature that maps different memory regions of an executable at random addresses. This prevents buffer overflow-based attacks that rely on known addresses such as the stack (for calling into shellcode), or dynamically linked libraries (for calling functions that were not already linked with the target binary). Usually, the sections that are randomly mapped are: the stack, the heap, the VDSO page, and the dynamic libraries. The code section can also be randomly mapped for [[http:// | ||
Line 234: | Line 235: | ||
</ | </ | ||
- | === Bypassing ASLR | + | ==== Bypassing ASLR ==== |
**Bruteforce.** If you are able to inject payloads multiple times without crashing the application, | **Bruteforce.** If you are able to inject payloads multiple times without crashing the application, | ||
Line 247: | Line 248: | ||
**Restrict entropy.** There are various ways of reducing the entropy of the randomized address. For example, you can decrease the initial stack size by setting a huge amount of dummy environment variables. | **Restrict entropy.** There are various ways of reducing the entropy of the randomized address. For example, you can decrease the initial stack size by setting a huge amount of dummy environment variables. | ||
- | **Partial overwrite.** This technique is useful when we are able to overwrite only the least significant byte(s) of an address (e.g. a GOT entry). We must take into account the offsets of the original and final addresses from the beginning of the mapping. If these offsets only differ in the last 12 bits, the exploit is deterministic, | + | **Partial overwrite.** This technique is useful when we are able to overwrite only the least significant byte(s) of an address (e.g. a GOT entry). We must take into account the offsets of the original and final addresses from the beginning of the mapping. If these offsets only differ in the last 8 bits, the exploit is deterministic, |
<code bash> | <code bash> | ||
gdb-peda$ p read | gdb-peda$ p read | ||
Line 254: | Line 255: | ||
$2 = {<text variable, no debug info>} 0xe6ea0 < | $2 = {<text variable, no debug info>} 0xe6ea0 < | ||
</ | </ | ||
- | Otherwise, we can still try to overwrite a larger part of the address | + | However, since bits 12-16 of the offsets differ, the corresponding bits in the full addresses would have to be bruteforced (probability 1/4). |
**Information leak.** The most effective way of bypassing ASLR is by using an information leak vulnerability that exposes randomized address, or at least parts of them. You can also dump parts of libraries (e.g., '' | **Information leak.** The most effective way of bypassing ASLR is by using an information leak vulnerability that exposes randomized address, or at least parts of them. You can also dump parts of libraries (e.g., '' | ||
- | === Tutorial: Chaining Information Leaks with GOT Overwrite | + | ==== Tutorial: Chaining Information Leaks with GOT Overwrite |
In this tutorial we will exploit a program that is similar to '' | In this tutorial we will exploit a program that is similar to '' | ||
Line 286: | Line 287: | ||
Whenever we operate with addresses belonging to shared libraries, we must be aware that the offsets are highly dependent on the particular build of the library. We can identify this build either by its BuildID (retrieved with the file command), or by its version string: | Whenever we operate with addresses belonging to shared libraries, we must be aware that the offsets are highly dependent on the particular build of the library. We can identify this build either by its BuildID (retrieved with the file command), or by its version string: | ||
<code bash> | <code bash> | ||
- | silvia@imladris:/ | + | silvia@imladris:/ |
linux-gate.so.1 (0xf7ee8000) | linux-gate.so.1 (0xf7ee8000) | ||
libc.so.6 => / | libc.so.6 => / | ||
/ | / | ||
- | silvia@imladris:/ | + | silvia@imladris:/ |
/ | / | ||
- | silvia@imladris:/ | + | silvia@imladris:/ |
GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.2) stable release version 2.27. | GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.2) stable release version 2.27. | ||
</ | </ | ||
Line 307: | Line 308: | ||
For this '' | For this '' | ||
<code bash> | <code bash> | ||
- | silvia@imladris:/ | + | silvia@imladris:/ |
(gdb) p printf | (gdb) p printf | ||
$1 = {<text variable, no debug info>} 0x513a0 < | $1 = {<text variable, no debug info>} 0x513a0 < | ||
Line 316: | Line 317: | ||
We will also need the address of '' | We will also need the address of '' | ||
<code bash> | <code bash> | ||
- | silvia@imladris: | + | silvia@imladris:/ |
080483b0 < | 080483b0 < | ||
| | ||
Line 329: | Line 330: | ||
</ | </ | ||
< | < | ||
- | silvia@imladris:/ | + | silvia@imladris:/ |
Here's a libc address: 0xf7dfb3a0 | Here's a libc address: 0xf7dfb3a0 | ||
Give me and address to modify! | Give me and address to modify! | ||
Line 335: | Line 336: | ||
Give me a value! | Give me a value! | ||
4158497824 | 4158497824 | ||
- | silvia@imladris:/ | + | silvia@imladris:/ |
10 | 10 | ||
</ | </ | ||
Line 366: | Line 367: | ||
</ | </ | ||
- | === RELRO | + | ==== RELRO ==== |
**RELRO** (**Rel**ocation **R**ead-**O**nly) defends against attacks which overwrite data in relocation sections, such as the GOT-overwrite we showed earlier. | **RELRO** (**Rel**ocation **R**ead-**O**nly) defends against attacks which overwrite data in relocation sections, such as the GOT-overwrite we showed earlier. | ||
Line 377: | Line 378: | ||
This is not a game-over in terms of exploitation, | This is not a game-over in terms of exploitation, | ||
+ | ==== seccomp ==== | ||
- | == Challenges | + | **seccomp** is a mechanism though which an application may transition into a state where the system calls it performs are restricted. The policy, which may act on a whitelist or blacklist model, is described using [[https:// |
- | === 01. Challenge - ret-to-libc | + | seccomp filters are instated using the '' |
- | Looks good! Let's get serious | + | This may severely limit our exploitation prospects in some cases. In the challenges that we have solved during these sessions, a common goal was spawning a shell and retrieving a certain file (the flag). If the exploited binary used a seccomp filter that disallowed the '' |
- | Continue working in the '' | + | The [[https://github.com/david942j/seccomp-tools|seccomp-tools suite]] provides tools for analyzing seccomp filters. The '' |
+ | <code bash> | ||
+ | silvia@imladris:/ | ||
+ | | ||
+ | ================================= | ||
+ | 0000: 0x20 0x00 0x00 0x00000004 | ||
+ | 0001: 0x15 0x00 0x09 0x40000003 | ||
+ | 0002: 0x20 0x00 0x00 0x00000000 | ||
+ | 0003: 0x15 0x07 0x00 0x000000ad | ||
+ | 0004: 0x15 0x06 0x00 0x00000077 | ||
+ | 0005: 0x15 0x05 0x00 0x000000fc | ||
+ | 0006: 0x15 0x04 0x00 0x00000001 | ||
+ | 0007: 0x15 0x03 0x00 0x00000005 | ||
+ | 0008: 0x15 0x02 0x00 0x00000003 | ||
+ | 0009: 0x15 0x01 0x00 0x00000004 | ||
+ | 0010: 0x06 0x00 0x00 0x00050026 | ||
+ | 0011: 0x06 0x00 0x00 0x7fff0000 | ||
+ | </ | ||
- | The final goal of this task is to bypass | + | In the example above we see a filter operating on the whitelist model: it specifies a subset of syscalls that are allowed: '' |
- | - Display all '' | + | <note tip> |
- | - Return to '' | + | To install seccomp-tools on the Kali VM, use the the gem package manager: |
- | - Find the offset of the '' | + | <code> |
- | - Make the binary print ''" | + | $ gem install seccomp-tools |
- | - **(bonus)** The process should '' | + | </code> |
- | - Remember how we had ASLR disabled? The other '' | + | |
- | - Where is '' | + | |
- | <note important> | + | |
- | //Hint//: Use '' | + | |
</ | </ | ||
- | <note important> | + | ===== Challenges ===== |
- | //Hint//: When you will finally attack this, '' | + | |
- | </ | + | |
- | === 02. Challenge | + | ==== 01-04. Challenges |
- | Go to the '' | + | All of the challenges |
- | Imagine this scenario: we have an executable where we can change at least 4B of random memory, but ASLR is turned | + | The challenges are based on the same //" |
- | Alter the execution of '' | + | They are numbered in the suggested solving |
- | + | ||
- | === 03. Challenge - ret-to-plt | + | |
- | + | ||
- | Go to the '' | + | |
- | + | ||
- | '' | + | |
- | + | ||
- | Your task is to build an exploit that makes the application always print the **same second random number**. That is the first printed random number is whatever, but the second printed random number will always be the same, for all runs. In the sample output below the second printed random number is always '' | + | |
- | + | ||
- | <code text> | + | |
- | hari@solyaris-home: | + | |
- | Hi! Options: | + | |
- | 1. Get random number | + | |
- | 2. Go outside | + | |
- | Here's a random number: 2070249950. Have fun with it! | + | |
- | Hi! Options: | + | |
- | 1. Get random number | + | |
- | 2. Go outside | + | |
- | Here's a random number: 1023098942. Have fun with it! | + | |
- | Segmentation fault (core dumped) | + | |
- | hari@solyaris-home: | + | |
- | Hi! Options: | + | |
- | 1. Get random number | + | |
- | 2. Go outside | + | |
- | Here's a random number: 1152946153. Have fun with it! | + | |
- | Hi! Options: | + | |
- | 1. Get random number | + | |
- | 2. Go outside | + | |
- | Here's a random number: 1023098942. Have fun with it! | + | |
- | + | ||
- | </ | + | |
- | + | ||
- | You can use this Python skeleton for buffer overflow input: | + | |
- | + | ||
- | <file python skel.py> | + | |
- | # | + | |
- | import struct, sys | + | |
- | + | ||
- | def dw(i): | + | |
- | return struct.pack("< | + | |
- | + | ||
- | #TODO update count for your prog | + | |
- | pad_count_to_ret = 100 | + | |
- | payload = " | + | |
- | + | ||
- | #TODO figure out where to return | + | |
- | ret_addr = 0xdeadbeef | + | |
- | payload += dw(ret_addr) | + | |
- | + | ||
- | + | ||
- | #TODO add stuff after the payload if you need to | + | |
- | payload += "" | + | |
- | + | ||
- | sys.stdout.write(payload) | + | |
- | </ | + | |
- | + | ||
- | **Bonus**: The process should SEGFAULT after printing the second (constant) number. Make it exit cleanly (the exit code does not matter, just no SIGSEGV). | + | |
- | + | ||
- | === 04. Challenge - colors | + | |
- | + | ||
- | Go to the '' | + | |
<note important> | <note important> | ||
- | //Hint//: If you are going to use an inline python command, stdin will get closed and the new shell will have nothing to read. Use cat to concatenate your attack string with stdin like this: '' | + | In the case of '' |
</ | </ | ||
- | |||
- | ===== 04.a. | ||
- | |||
- | Exploit the '' | ||
- | |||
- | ===== 04.b. | ||
- | |||
- | ASLR still disabled. Call '' | ||
- | |||
- | ===== 04.c. | ||
- | |||
- | Again, ASLR disabled. Call '' | ||
- | |||
- | |||
- | === 05. Challenge - bruteforce | ||
- | |||
- | Continue working in the '' | ||
- | |||
- | Try the previous exploit with ASLR enabled. You can rerun the binary multiple times. | ||
<note important> | <note important> | ||
- | Figure out how addresses look like using '' | + | To set LD_LIBRARY_PATH from a pwntools script, use this method: |
+ | <code python> | ||
+ | p = process('./rwslotmachineX', env={'LD_LIBRARY_PATH' | ||
+ | </code> | ||
</ | </ | ||
- | < | + | < |
- | The ASLR entropy | + | //Hint//: Do not waste time on reverse engineering '' |
</ | </ | ||
- | === 06. Challenge - mprotect | ||
- | Go to either the '' | + | ==== 05. Bonus - rwslotmachine5 ==== |
- | Using any of the 2 binaries, try to call '' | + | This challenge is similar |
- | < | + | < |
- | To make your life easier, you can disable ASLR. The purpose of this task is to bypass NX, and not ASLR. | + | You can find a table describing x86 syscalls [[http:// |
- | </note> | + | |
- | + | ||
- | <note important> | + | |
- | //Hint//: The '' | + | |
</ | </ |