SlideShare a Scribd company logo

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

sanghwan ahn, profile picture
sanghwan ahn

The document discusses system hacking and reverse engineering techniques. It provides an introduction to vulnerabilities and types of vulnerabilities. The document outlines two tracks - the first introduces bugs, crashes, vulnerabilities, exploitation and defense mechanisms. The second track discusses different types of vulnerabilities like buffer overflows, format string bugs, and use-after-free vulnerabilities. It explains the principles and exploitation of stack and heap overflows.

Software
1 of 87
Downloaded 130 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
System Hacking & Reverse Engineering [Introduction to Vulnerability & Type of Vulnerability] documented by h2spice h2spice@gmail.com
Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
목차 커리큘럼 소개 Track1 - Introduction to Vulnerability Bugs Crashes Vulnerability Exploitation Defense Mechanism Track2 - Type of Vulnerability Buffer Overflow Stack Heap Integer Format String Use After Free
시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
Track1. Introduction to Vulnerability
Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
About Bugs 알수없는 에러 혹은 소프트웨어 설계상의 실수로부터 발생 예상하지 못한 동작 혹은 결과를 유발 버그로 부터 크래쉬가 발생 버그의 종류 논리적인(Logical) 버그 문법적인(Syntax) 버그 리소스 (Resource) 버그 ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
About Crashes 소프트웨어 크래쉬 정상적이지 않은 명령어 실행 (Invalid instruction execution) 특정 권한을 필요로하는 명렁어 실행 (Privileged instruction execution) 정상적이지 않은 메모리 역참조 (Dereference of invalid memory) 운영체제/ 커널 크래쉬 BSOD (Blue Screen of Death) 복구 불가능한 크래쉬(Non-recoverable) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the vulnerability ? 정의 ( from Wikipedia) 컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진 공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점 (eg. execution of arbitrary code , bypass security mitigation, etc) 사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험 성 악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한 동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다. 취약점의 예 버퍼 오버플로우 (Stack, Heap, Integer) 포맷스트링 (Format String) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ Total Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ High Severity Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
Type of vulnerability 버퍼 오버플로우 (Buffer Overflow) 스택 오버플로우 (Stack Overflow) 힙 오버플로우 (Heap Overflow) 정수형 오버플로우 (Integer Overflow) 포맷 스트링 (Format String Bug) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the exploitation 소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생 흐름 제어 (Control hijack) 서비스 거부 (DOS: Denial-of-Service) 정보 유출 (Information Leakage) 소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격 소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인 (일반적으로 사용자 입력값으로 부터 흐름제어 가능) 공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어 Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the exploitation 일반적인 보호 메커니즘(Common defense mechanisms) 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization) 데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) ... 보호 메커니즘 우회 (Bypass defense mechanisms) 무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got) 데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
Track2. Type of Vulnerability
Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
What is the Buffer Overflow C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다 더 큰 데이터를 기록함으로써 발생 운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생 high address Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
What is the Stack Overflow 스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다. int main(int argc, char* argv[]) { char buf[8]; strcpy(buf,argv[1]); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Principle of Stack Overflow char buf[8]; strcpy(buf,argv[1]); argv[1] = “AAAAAAA” A A A A A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 8바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
What is the Heap Overflow 힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복 사되어질 때 발생합니다. int main(int argc, char* argv[]) { char *buf buf = malloc(4); memcpy(buf,argv[1],size); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Principle of Heap Overflow buf = malloc(4); memcpy(buf,argv[1],sizeof(argv[1])); argv[1] = “AAA” A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 4바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Heap Layout Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two chunks, of which the first is free for allocation Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size unused Chunk FD (pointer to the next free chunk) BK (pointer to the pref free chunk) Unused Prev_size size Data[4] High Address Prev_In Use bit Chunk1 0
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
What is the Integer Overflow it occurs when the operation result stored is bigger than permissible range it occurs when the operation result stored is smaller than permaissible range it occurs in the operation process difficulty in detecting, so massive code analysis is needed 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0 20000 30000 -15536 + it is a negative number since it is interpreted as a sign bit Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Example of the Integer Overflow Output 1 - The normal case Output 2 - Integer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ declare variable (signed/unsigned type, static buffer) Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ get size of user input data and then, print size Output 1 - The normal case
Example of Integer Buffer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } check size of user input data (code to prevent buffer overflow) Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ Output 2 - Integer Overflow copy user input data to buffer type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ and then print user input data Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ if variable signed type stored in big data, will occur integing overflow Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ because type2 it has been set negative number, to bypass code that prevent buffer overflow Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ as a result, occur stack buffer overflow
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free printf(buf);
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability occurs when user input data is used as format string) Collect Usage : printf(“%s”, argv[1]); Dangerous Usage : printf(arvg[1]); 임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to read & write arbitrary memory space) 정적 분석 도구를 이용하여 탐지 가능(Can be detected by Static Analysis Tools) But still show up in many competition or software
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free Format String / Parameter Description %d 정수형 10진수 상수 (integer) %f 실수형 상수 (float) %lf 실수형 상수 (double) %c 문자 값 (char) %s 문자 스트링 ((const)(unsigned) char *) %u 양의 정수 (10 진수) %o 양의 정수 (8 진수) %x 양의 정수 (16 진수) %s 문자열 %n * int (쓰인 총 바이트 수) %hn %n의 반인 2바이트 단위
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %x
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string when user input data is used as Format String
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free ………
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%x” low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Hey! where is argument about Format string “%x”
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ?
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ? we don’t have enough time do as you usually do !
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf ESP printf( ) 호출시 인자값 인자들은 스택에 적재되 low address 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 printf( ) 호출시 인자값 인자들은 스택에 적재되 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+16 ESP+12 ESP+8 ESP+4
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 Point1. We can read the arbitrary memory space
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%n” low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP ………
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?! %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 4개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( is it length of the string ?)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 9개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( it is length of the string !)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address) Point2. We can write the arbitrary memory space
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What about it ? What do you want me to do ?
Track2. Type of Vuln How do we make use of this ? Buffer Overflow Stack Heap Integer Format String Use After Free 버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다. But ? 포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작 할 수 있다. (번거롭고 골치아프다) ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할 수 있다. GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할 수 있다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free It’s my prey
Track2. Type of Vuln What is the Use After Free ? Buffer Overflow Stack Heap Integer Format String Use After Free not occurs crash but, there are vulnerability 논리적인 취약점 (Logical Vulnerability) 할당 -> 사용 -> 해제 -> 사용 (Malloc -> Use -> Free -> Use) 크래쉬가 발생하지 않음 (but not occurs crash)
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
What is Exploitable Crash ? mov eax,dword ptr [esi+0Ch] mov eax,dword ptr [ecx] mov edx,dword ptr [eax+5Ch] call edx
Thank You :)

More Related Content

PDF
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
sanghwan ahn
 
PDF
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
sanghwan ahn
 
PDF
A Stealthy Stealers - Spyware Toolkit and What They Do
sanghwan ahn
 
PPTX
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
PDF
Code Vulnerabilities & Attacks
Marcus Botacin
 
PDF
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak
 
PDF
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
PDF
How to find_vulnerability_in_software
sanghwan ahn
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
sanghwan ahn
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
sanghwan ahn
 
A Stealthy Stealers - Spyware Toolkit and What They Do
sanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
Code Vulnerabilities & Attacks
Marcus Botacin
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
How to find_vulnerability_in_software
sanghwan ahn
 

What's hot (20)

PDF
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
JinbumPark
 
PPTX
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
PPTX
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
PDF
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
Mr. Vengineer
 
PDF
ch6-pv2-device-drivers
yushiang fu
 
PDF
Intel Nervana Graph とは?
Mr. Vengineer
 
PDF
Zn task - defcon russia 20
DefconRussia
 
PPTX
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
PDF
Buffer overflow null
nullowaspmumbai
 
PPTX
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
PDF
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
PDF
Software Vulnerabilities in C and C++ (CppCon 2018)
Patricia Aas
 
PPTX
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
PDF
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
PDF
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
ODP
Design and implementation_of_shellcodes
Amr Ali
 
PDF
Ctf hello,world!
Hacks in Taiwan (HITCON)
 
PDF
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
Simen Li
 
PPT
Buffer Overflows
Sumit Kumar
 
PDF
2.Format Strings
phanleson
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
JinbumPark
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
Mr. Vengineer
 
ch6-pv2-device-drivers
yushiang fu
 
Intel Nervana Graph とは?
Mr. Vengineer
 
Zn task - defcon russia 20
DefconRussia
 
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Buffer overflow null
nullowaspmumbai
 
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Patricia Aas
 
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
Design and implementation_of_shellcodes
Amr Ali
 
Ctf hello,world!
Hacks in Taiwan (HITCON)
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
Simen Li
 
Buffer Overflows
Sumit Kumar
 
2.Format Strings
phanleson
 

Viewers also liked (18)

PDF
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Howard Lewis Ship
 
PDF
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
sanghwan ahn
 
PDF
kiến trúc máy tính và hợp ngữ Bài 00
Nhóc Nhóc
 
DOC
Exploit Frameworks
phanleson
 
PPT
Buffer overflow(bao cao)
phanleson
 
PPTX
Buffer overflow
Bach Khoa Da Nang
 
PPTX
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
CODE BLUE
 
PPTX
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
PDF
Course lecture - An introduction to the Return Oriented Programming
Jonathan Salwan
 
PDF
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
PDF
Bug Hunting with Media Formats
Russell Sanford
 
PPT
Hacking A Web Site And Secure Web Server Techniques Used
Siddharth Bhattacharya
 
PDF
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
PDF
IOT Exploitation
Cysinfo Cyber Security Community
 
PPTX
Oracle ASM Training
Vigilant Technologies
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
Sam Bowne
 
PPTX
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
PDF
Rand rr1751
Andrey Apuhtin
 
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Howard Lewis Ship
 
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
sanghwan ahn
 
kiến trúc máy tính và hợp ngữ Bài 00
Nhóc Nhóc
 
Exploit Frameworks
phanleson
 
Buffer overflow(bao cao)
phanleson
 
Buffer overflow
Bach Khoa Da Nang
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
CODE BLUE
 
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
Course lecture - An introduction to the Return Oriented Programming
Jonathan Salwan
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
Bug Hunting with Media Formats
Russell Sanford
 
Hacking A Web Site And Secure Web Server Techniques Used
Siddharth Bhattacharya
 
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
IOT Exploitation
Cysinfo Cyber Security Community
 
Oracle ASM Training
Vigilant Technologies
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
Sam Bowne
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Rand rr1751
Andrey Apuhtin
 

Similar to System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability (20)

PPTX
Buffer overflow
Evgeni Tsonev
 
PDF
Low Level Exploits
hughpearse
 
PPTX
Buffer overflow attacks
Kapil Nagrale
 
PPTX
Control hijacking
Prachi Gulihar
 
PPTX
Buffer Overflows Shesh Jun 3 09
dhanya.sumeru
 
PDF
Ceh v5 module 20 buffer overflow
Vi Tính Hoàng Nam
 
ODP
BufferOverflow - Offensive point of View
Toe Khaing
 
PPT
6 buffer overflows
drewz lin
 
PDF
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
PPTX
Linux binary analysis and exploitation
Dharmalingam Ganesan
 
PPT
Buffer Overflow Attacks
harshal kshatriya
 
PDF
What`s new in Java 7
Georgian Micsa
 
PPTX
antoanthongtin_Lesson 3- Software Security (1).pptx
23162024
 
ODP
Debugging With Id
guest215c4e
 
PDF
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
ODP
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
DOCX
Report on hacking blind
NikitaAndhale
 
DOCX
1Buttercup On Network-based Detection of Polymorphic B.docx
aryan532920
 
PPTX
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
PPT
AntiRE en Masse
Kurt Baumgartner
 
Buffer overflow
Evgeni Tsonev
 
Low Level Exploits
hughpearse
 
Buffer overflow attacks
Kapil Nagrale
 
Control hijacking
Prachi Gulihar
 
Buffer Overflows Shesh Jun 3 09
dhanya.sumeru
 
Ceh v5 module 20 buffer overflow
Vi Tính Hoàng Nam
 
BufferOverflow - Offensive point of View
Toe Khaing
 
6 buffer overflows
drewz lin
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
Linux binary analysis and exploitation
Dharmalingam Ganesan
 
Buffer Overflow Attacks
harshal kshatriya
 
What`s new in Java 7
Georgian Micsa
 
antoanthongtin_Lesson 3- Software Security (1).pptx
23162024
 
Debugging With Id
guest215c4e
 
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Report on hacking blind
NikitaAndhale
 
1Buttercup On Network-based Detection of Polymorphic B.docx
aryan532920
 
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
AntiRE en Masse
Kurt Baumgartner
 

Recently uploaded (20)

PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Introduction Database Management System for Course Database
ReinertYosua
 
Transform Your Business with a Software ERP System
Canada Software Company
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
System and Network Administraation Chapter 3
jaramharo
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
AI in Product Development-omnex systems
omnex systems
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
Nekopoi APK 2025 free lastest update
umarali35kp
 

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

  • 1. System Hacking & Reverse Engineering [Introduction to Vulnerability & Type of Vulnerability] documented by h2spice h2spice@gmail.com
  • 2. Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
  • 3. 목차 커리큘럼 소개 Track1 - Introduction to Vulnerability Bugs Crashes Vulnerability Exploitation Defense Mechanism Track2 - Type of Vulnerability Buffer Overflow Stack Heap Integer Format String Use After Free
  • 4. 시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
  • 5. Track1. Introduction to Vulnerability
  • 6. Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 7. About Bugs 알수없는 에러 혹은 소프트웨어 설계상의 실수로부터 발생 예상하지 못한 동작 혹은 결과를 유발 버그로 부터 크래쉬가 발생 버그의 종류 논리적인(Logical) 버그 문법적인(Syntax) 버그 리소스 (Resource) 버그 ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 8. About Crashes 소프트웨어 크래쉬 정상적이지 않은 명령어 실행 (Invalid instruction execution) 특정 권한을 필요로하는 명렁어 실행 (Privileged instruction execution) 정상적이지 않은 메모리 역참조 (Dereference of invalid memory) 운영체제/ 커널 크래쉬 BSOD (Blue Screen of Death) 복구 불가능한 크래쉬(Non-recoverable) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 9. What is the vulnerability ? 정의 ( from Wikipedia) 컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진 공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점 (eg. execution of arbitrary code , bypass security mitigation, etc) 사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험 성 악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한 동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다. 취약점의 예 버퍼 오버플로우 (Stack, Heap, Integer) 포맷스트링 (Format String) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 10. How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ Total Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 11. How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ High Severity Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 12. Type of vulnerability 버퍼 오버플로우 (Buffer Overflow) 스택 오버플로우 (Stack Overflow) 힙 오버플로우 (Heap Overflow) 정수형 오버플로우 (Integer Overflow) 포맷 스트링 (Format String Bug) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 13. What is the exploitation 소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생 흐름 제어 (Control hijack) 서비스 거부 (DOS: Denial-of-Service) 정보 유출 (Information Leakage) 소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격 소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인 (일반적으로 사용자 입력값으로 부터 흐름제어 가능) 공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어 Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 14. What is the exploitation 일반적인 보호 메커니즘(Common defense mechanisms) 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization) 데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) ... 보호 메커니즘 우회 (Bypass defense mechanisms) 무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got) 데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 15. Track2. Type of Vulnerability
  • 16. Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 17. What is the Buffer Overflow C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다 더 큰 데이터를 기록함으로써 발생 운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생 high address Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 18. What is the Stack Overflow 스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다. int main(int argc, char* argv[]) { char buf[8]; strcpy(buf,argv[1]); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 19. Principle of Stack Overflow char buf[8]; strcpy(buf,argv[1]); argv[1] = “AAAAAAA” A A A A A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 8바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 20. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 21. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 22. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 23. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 24. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 25. What is the Heap Overflow 힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복 사되어질 때 발생합니다. int main(int argc, char* argv[]) { char *buf buf = malloc(4); memcpy(buf,argv[1],size); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 26. Principle of Heap Overflow buf = malloc(4); memcpy(buf,argv[1],sizeof(argv[1])); argv[1] = “AAA” A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 4바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 27. Heap Layout Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
  • 28. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
  • 29. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In
  • 30. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 31. Heap Layout Two chunks, of which the first is free for allocation Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size unused Chunk FD (pointer to the next free chunk) BK (pointer to the pref free chunk) Unused Prev_size size Data[4] High Address Prev_In Use bit Chunk1 0
  • 32. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 33. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 34. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 35. What is the Integer Overflow it occurs when the operation result stored is bigger than permissible range it occurs when the operation result stored is smaller than permaissible range it occurs in the operation process difficulty in detecting, so massive code analysis is needed 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0 20000 30000 -15536 + it is a negative number since it is interpreted as a sign bit Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 36. Example of the Integer Overflow Output 1 - The normal case Output 2 - Integer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 37. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
  • 38. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ declare variable (signed/unsigned type, static buffer) Output 1 - The normal case
  • 39. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ get size of user input data and then, print size Output 1 - The normal case
  • 40. Example of Integer Buffer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } check size of user input data (code to prevent buffer overflow) Output 1 - The normal case
  • 41. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ Output 2 - Integer Overflow copy user input data to buffer type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ and then print user input data Output 1 - The normal case
  • 42. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ if variable signed type stored in big data, will occur integing overflow Output 1 - The normal case
  • 43. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ because type2 it has been set negative number, to bypass code that prevent buffer overflow Output 1 - The normal case
  • 44. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ as a result, occur stack buffer overflow
  • 45. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free printf(buf);
  • 46. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability occurs when user input data is used as format string) Collect Usage : printf(“%s”, argv[1]); Dangerous Usage : printf(arvg[1]); 임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to read & write arbitrary memory space) 정적 분석 도구를 이용하여 탐지 가능(Can be detected by Static Analysis Tools) But still show up in many competition or software
  • 47. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free Format String / Parameter Description %d 정수형 10진수 상수 (integer) %f 실수형 상수 (float) %lf 실수형 상수 (double) %c 문자 값 (char) %s 문자 스트링 ((const)(unsigned) char *) %u 양의 정수 (10 진수) %o 양의 정수 (8 진수) %x 양의 정수 (16 진수) %s 문자열 %n * int (쓰인 총 바이트 수) %hn %n의 반인 2바이트 단위
  • 48. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string
  • 49. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %x
  • 50. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string when user input data is used as Format String
  • 51. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
  • 52. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
  • 53. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free ………
  • 54. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address
  • 55. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%x” low address ESP
  • 56. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Hey! where is argument about Format string “%x”
  • 57. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ?
  • 58. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ? we don’t have enough time do as you usually do !
  • 59. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP
  • 60. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf ESP printf( ) 호출시 인자값 인자들은 스택에 적재되 low address 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
  • 61. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 printf( ) 호출시 인자값 인자들은 스택에 적재되 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
  • 62. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+16 ESP+12 ESP+8 ESP+4
  • 63. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 Point1. We can read the arbitrary memory space
  • 64. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n
  • 65. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%n” low address ESP
  • 66. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP ………
  • 67. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?!
  • 68. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?! %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 69. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 70. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 4개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( is it length of the string ?)
  • 71. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 72. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 9개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( it is length of the string !)
  • 73. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 74. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 75. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 76. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 77. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address) Point2. We can write the arbitrary memory space
  • 78. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What about it ? What do you want me to do ?
  • 79. Track2. Type of Vuln How do we make use of this ? Buffer Overflow Stack Heap Integer Format String Use After Free 버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다. But ? 포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작 할 수 있다. (번거롭고 골치아프다) ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할 수 있다. GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할 수 있다.
  • 80. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free It’s my prey
  • 81. Track2. Type of Vuln What is the Use After Free ? Buffer Overflow Stack Heap Integer Format String Use After Free not occurs crash but, there are vulnerability 논리적인 취약점 (Logical Vulnerability) 할당 -> 사용 -> 해제 -> 사용 (Malloc -> Use -> Free -> Use) 크래쉬가 발생하지 않음 (but not occurs crash)
  • 82. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 83. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 84. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 85. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 86. What is Exploitable Crash ? mov eax,dword ptr [esi+0Ch] mov eax,dword ptr [ecx] mov edx,dword ptr [eax+5Ch] call edx