sanghwan ahn, profile picture
Uploaded bysanghwan ahn
PDF, PPTX1,859 views

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

The document discusses system hacking and reverse engineering techniques. It provides an introduction to vulnerabilities and types of vulnerabilities. The document outlines two tracks - the first introduces bugs, crashes, vulnerabilities, exploitation and defense mechanisms. The second track discusses different types of vulnerabilities like buffer overflows, format string bugs, and use-after-free vulnerabilities. It explains the principles and exploitation of stack and heap overflows.

Download as PDF, PPTX
System Hacking & Reverse Engineering [Introduction to Vulnerability & Type of Vulnerability] documented by h2spice h2spice@gmail.com
Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
목차 커리큘럼 소개 Track1 - Introduction to Vulnerability Bugs Crashes Vulnerability Exploitation Defense Mechanism Track2 - Type of Vulnerability Buffer Overflow Stack Heap Integer Format String Use After Free
시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
Track1. Introduction to Vulnerability
Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
About Bugs 알수없는 에러 혹은 소프트웨어 설계상의 실수로부터 발생 예상하지 못한 동작 혹은 결과를 유발 버그로 부터 크래쉬가 발생 버그의 종류 논리적인(Logical) 버그 문법적인(Syntax) 버그 리소스 (Resource) 버그 ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
About Crashes 소프트웨어 크래쉬 정상적이지 않은 명령어 실행 (Invalid instruction execution) 특정 권한을 필요로하는 명렁어 실행 (Privileged instruction execution) 정상적이지 않은 메모리 역참조 (Dereference of invalid memory) 운영체제/ 커널 크래쉬 BSOD (Blue Screen of Death) 복구 불가능한 크래쉬(Non-recoverable) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the vulnerability ? 정의 ( from Wikipedia) 컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진 공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점 (eg. execution of arbitrary code , bypass security mitigation, etc) 사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험 성 악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한 동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다. 취약점의 예 버퍼 오버플로우 (Stack, Heap, Integer) 포맷스트링 (Format String) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ Total Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ High Severity Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
Type of vulnerability 버퍼 오버플로우 (Buffer Overflow) 스택 오버플로우 (Stack Overflow) 힙 오버플로우 (Heap Overflow) 정수형 오버플로우 (Integer Overflow) 포맷 스트링 (Format String Bug) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the exploitation 소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생 흐름 제어 (Control hijack) 서비스 거부 (DOS: Denial-of-Service) 정보 유출 (Information Leakage) 소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격 소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인 (일반적으로 사용자 입력값으로 부터 흐름제어 가능) 공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어 Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the exploitation 일반적인 보호 메커니즘(Common defense mechanisms) 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization) 데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) ... 보호 메커니즘 우회 (Bypass defense mechanisms) 무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got) 데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
Track2. Type of Vulnerability
Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
What is the Buffer Overflow C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다 더 큰 데이터를 기록함으로써 발생 운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생 high address Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
What is the Stack Overflow 스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다. int main(int argc, char* argv[]) { char buf[8]; strcpy(buf,argv[1]); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Principle of Stack Overflow char buf[8]; strcpy(buf,argv[1]); argv[1] = “AAAAAAA” A A A A A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 8바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
What is the Heap Overflow 힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복 사되어질 때 발생합니다. int main(int argc, char* argv[]) { char *buf buf = malloc(4); memcpy(buf,argv[1],size); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Principle of Heap Overflow buf = malloc(4); memcpy(buf,argv[1],sizeof(argv[1])); argv[1] = “AAA” A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 4바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Heap Layout Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two chunks, of which the first is free for allocation Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size unused Chunk FD (pointer to the next free chunk) BK (pointer to the pref free chunk) Unused Prev_size size Data[4] High Address Prev_In Use bit Chunk1 0
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
What is the Integer Overflow it occurs when the operation result stored is bigger than permissible range it occurs when the operation result stored is smaller than permaissible range it occurs in the operation process difficulty in detecting, so massive code analysis is needed 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0 20000 30000 -15536 + it is a negative number since it is interpreted as a sign bit Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Example of the Integer Overflow Output 1 - The normal case Output 2 - Integer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ declare variable (signed/unsigned type, static buffer) Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ get size of user input data and then, print size Output 1 - The normal case
Example of Integer Buffer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } check size of user input data (code to prevent buffer overflow) Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ Output 2 - Integer Overflow copy user input data to buffer type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ and then print user input data Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ if variable signed type stored in big data, will occur integing overflow Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ because type2 it has been set negative number, to bypass code that prevent buffer overflow Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ as a result, occur stack buffer overflow
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free printf(buf);
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability occurs when user input data is used as format string) Collect Usage : printf(“%s”, argv[1]); Dangerous Usage : printf(arvg[1]); 임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to read & write arbitrary memory space) 정적 분석 도구를 이용하여 탐지 가능(Can be detected by Static Analysis Tools) But still show up in many competition or software
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free Format String / Parameter Description %d 정수형 10진수 상수 (integer) %f 실수형 상수 (float) %lf 실수형 상수 (double) %c 문자 값 (char) %s 문자 스트링 ((const)(unsigned) char *) %u 양의 정수 (10 진수) %o 양의 정수 (8 진수) %x 양의 정수 (16 진수) %s 문자열 %n * int (쓰인 총 바이트 수) %hn %n의 반인 2바이트 단위
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %x
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string when user input data is used as Format String
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free ………
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%x” low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Hey! where is argument about Format string “%x”
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ?
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ? we don’t have enough time do as you usually do !
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf ESP printf( ) 호출시 인자값 인자들은 스택에 적재되 low address 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 printf( ) 호출시 인자값 인자들은 스택에 적재되 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+16 ESP+12 ESP+8 ESP+4
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 Point1. We can read the arbitrary memory space
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%n” low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP ………
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?! %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 4개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( is it length of the string ?)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 9개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( it is length of the string !)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address) Point2. We can write the arbitrary memory space
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What about it ? What do you want me to do ?
Track2. Type of Vuln How do we make use of this ? Buffer Overflow Stack Heap Integer Format String Use After Free 버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다. But ? 포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작 할 수 있다. (번거롭고 골치아프다) ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할 수 있다. GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할 수 있다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free It’s my prey
Track2. Type of Vuln What is the Use After Free ? Buffer Overflow Stack Heap Integer Format String Use After Free not occurs crash but, there are vulnerability 논리적인 취약점 (Logical Vulnerability) 할당 -> 사용 -> 해제 -> 사용 (Malloc -> Use -> Free -> Use) 크래쉬가 발생하지 않음 (but not occurs crash)
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
What is Exploitable Crash ? mov eax,dword ptr [esi+0Ch] mov eax,dword ptr [ecx] mov edx,dword ptr [eax+5Ch] call edx
Thank You :)

More Related Content

PDF
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
bysanghwan ahn
 
PDF
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
bysanghwan ahn
 
PDF
A Stealthy Stealers - Spyware Toolkit and What They Do
bysanghwan ahn
 
PPTX
Exploit Research and Development Megaprimer: Win32 Egghunter
byAjin Abraham
 
PDF
Code Vulnerabilities & Attacks
byMarcus Botacin
 
PDF
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
byMaksim Shudrak
 
PDF
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
byMaksim Shudrak
 
PDF
How to find_vulnerability_in_software
bysanghwan ahn
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
bysanghwan ahn
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
bysanghwan ahn
 
A Stealthy Stealers - Spyware Toolkit and What They Do
bysanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
byAjin Abraham
 
Code Vulnerabilities & Attacks
byMarcus Botacin
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
byMaksim Shudrak
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
byMaksim Shudrak
 
How to find_vulnerability_in_software
bysanghwan ahn
 

What's hot

PDF
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
byJinbumPark
 
PPTX
04 - I love my OS, he protects me (sometimes, in specific circumstances)
byAlexandre Moneger
 
PPTX
09 - ROP countermeasures, can we fix this?
byAlexandre Moneger
 
PDF
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
byMr. Vengineer
 
PDF
ch6-pv2-device-drivers
byyushiang fu
 
PDF
Intel Nervana Graph とは?
byMr. Vengineer
 
PDF
Zn task - defcon russia 20
byDefconRussia
 
PPTX
07 - Bypassing ASLR, or why X^W matters
byAlexandre Moneger
 
PDF
Buffer overflow null
bynullowaspmumbai
 
PPTX
Buffer Overflow Demo by Saurabh Sharma
byn|u - The Open Security Community
 
PDF
Presentation buffer overflow attacks and theircountermeasures
bytharindunew
 
PDF
Software Vulnerabilities in C and C++ (CppCon 2018)
byPatricia Aas
 
PPTX
05 - Bypassing DEP, or why ASLR matters
byAlexandre Moneger
 
PDF
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
PDF
The Anatomy of an Exploit (NDC TechTown 2019)
byPatricia Aas
 
ODP
Design and implementation_of_shellcodes
byAmr Ali
 
PDF
Ctf hello,world!
byHacks in Taiwan (HITCON)
 
PDF
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
bySimen Li
 
PPT
Buffer Overflows
bySumit Kumar
 
PDF
2.Format Strings
byphanleson
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
byJinbumPark
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
byAlexandre Moneger
 
09 - ROP countermeasures, can we fix this?
byAlexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
byMr. Vengineer
 
ch6-pv2-device-drivers
byyushiang fu
 
Intel Nervana Graph とは?
byMr. Vengineer
 
Zn task - defcon russia 20
byDefconRussia
 
07 - Bypassing ASLR, or why X^W matters
byAlexandre Moneger
 
Buffer overflow null
bynullowaspmumbai
 
Buffer Overflow Demo by Saurabh Sharma
byn|u - The Open Security Community
 
Presentation buffer overflow attacks and theircountermeasures
bytharindunew
 
Software Vulnerabilities in C and C++ (CppCon 2018)
byPatricia Aas
 
05 - Bypassing DEP, or why ASLR matters
byAlexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
The Anatomy of an Exploit (NDC TechTown 2019)
byPatricia Aas
 
Design and implementation_of_shellcodes
byAmr Ali
 
Ctf hello,world!
byHacks in Taiwan (HITCON)
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
bySimen Li
 
Buffer Overflows
bySumit Kumar
 
2.Format Strings
byphanleson
 

Viewers also liked

PDF
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
byHoward Lewis Ship
 
PDF
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
bysanghwan ahn
 
PDF
kiến trúc máy tính và hợp ngữ Bài 00
byNhóc Nhóc
 
DOC
Exploit Frameworks
byphanleson
 
PPT
Buffer overflow(bao cao)
byphanleson
 
PPTX
Buffer overflow
byBach Khoa Da Nang
 
PPTX
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
byCODE BLUE
 
PPTX
Advanced SOHO Router Exploitation XCON
byLyon Yang
 
PDF
Course lecture - An introduction to the Return Oriented Programming
byJonathan Salwan
 
PDF
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
byLyon Yang
 
PDF
Bug Hunting with Media Formats
byRussell Sanford
 
PPT
Hacking A Web Site And Secure Web Server Techniques Used
bySiddharth Bhattacharya
 
PDF
DrupalCamp London 2017 - Web site insecurity
byGeorge Boobyer
 
PDF
IOT Exploitation
byCysinfo Cyber Security Community
 
PPTX
Oracle ASM Training
byVigilant Technologies
 
PDF
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
bySam Bowne
 
PPTX
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
byPeter Hlavaty
 
PDF
Rand rr1751
byAndrey Apuhtin
 
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
byHoward Lewis Ship
 
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
bysanghwan ahn
 
kiến trúc máy tính và hợp ngữ Bài 00
byNhóc Nhóc
 
Exploit Frameworks
byphanleson
 
Buffer overflow(bao cao)
byphanleson
 
Buffer overflow
byBach Khoa Da Nang
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
byCODE BLUE
 
Advanced SOHO Router Exploitation XCON
byLyon Yang
 
Course lecture - An introduction to the Return Oriented Programming
byJonathan Salwan
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
byLyon Yang
 
Bug Hunting with Media Formats
byRussell Sanford
 
Hacking A Web Site And Secure Web Server Techniques Used
bySiddharth Bhattacharya
 
DrupalCamp London 2017 - Web site insecurity
byGeorge Boobyer
 
IOT Exploitation
byCysinfo Cyber Security Community
 
Oracle ASM Training
byVigilant Technologies
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
bySam Bowne
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
byPeter Hlavaty
 
Rand rr1751
byAndrey Apuhtin
 

Similar to System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

PDF
Memory Attack - The Memory Attack Techniques
byUbuntu Korea Community
 
PPTX
Control hijacking
byPrachi Gulihar
 
PDF
Advanced Arm Exploitation
byHimanshu Khokhar Jaat
 
PPTX
Buffer overflow attacks
byKapil Nagrale
 
PPTX
antoanthongtin_Lesson 3- Software Security (1).pptx
by23162024
 
PPTX
Buffer overflow attack
byKrish
 
ODP
BufferOverflow - Offensive point of View
byToe Khaing
 
PPTX
Buffer overflow
byAbu Juha Ahmed Muid
 
PDF
IRJET - Buffer Overflows Attacks & Defense
byIRJET Journal
 
DOCX
1Buttercup On Network-based Detection of Polymorphic B.docx
byaryan532920
 
PPTX
Buffer overflow
byEvgeni Tsonev
 
PPTX
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
bySoftware Guru
 
PDF
Windbg랑 친해지기
byJi Hun Kim
 
PPT
6 buffer overflows
bydrewz lin
 
PPT
Buffer OverFlow
byRambabu Duddukuri
 
PDF
An automated approach to fix buffer overflows
byIJECEIAES
 
PDF
Exploitation Crash Course
byUTD Computer Security Group
 
PDF
Heap Base Exploitation
byUTD Computer Security Group
 
PDF
Software Security
byRoman Oliynykov
 
PPSX
Ids 008 buffer overflow
byjyoti_lakhani
 
Memory Attack - The Memory Attack Techniques
byUbuntu Korea Community
 
Control hijacking
byPrachi Gulihar
 
Advanced Arm Exploitation
byHimanshu Khokhar Jaat
 
Buffer overflow attacks
byKapil Nagrale
 
antoanthongtin_Lesson 3- Software Security (1).pptx
by23162024
 
Buffer overflow attack
byKrish
 
BufferOverflow - Offensive point of View
byToe Khaing
 
Buffer overflow
byAbu Juha Ahmed Muid
 
IRJET - Buffer Overflows Attacks & Defense
byIRJET Journal
 
1Buttercup On Network-based Detection of Polymorphic B.docx
byaryan532920
 
Buffer overflow
byEvgeni Tsonev
 
¡Ups! código inseguro: detección, explotación y mitigación de vulnerabilidade...
bySoftware Guru
 
Windbg랑 친해지기
byJi Hun Kim
 
6 buffer overflows
bydrewz lin
 
Buffer OverFlow
byRambabu Duddukuri
 
An automated approach to fix buffer overflows
byIJECEIAES
 
Exploitation Crash Course
byUTD Computer Security Group
 
Heap Base Exploitation
byUTD Computer Security Group
 
Software Security
byRoman Oliynykov
 
Ids 008 buffer overflow
byjyoti_lakhani
 

Recently uploaded

DOCX
What Tools Can Replace Tableau for Interactive Dashboards.docx
byVarsha Nayak
 
PDF
Comprehensive Guide to Performance Testing Tools and Services
byKanika Vatsyayan
 
PDF
Agentic AI meets Serverless on AWS - AWS User Group Cologne 2025
byVadym Kazulkin
 
PPTX
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 
PDF
Working with Machine Learning in Production
byFrederick Apina
 
PPTX
Hall-Pass-Management-Software-Transforming-School-Safety-and-Efficiency.pptx
byinfoswipesolutionsin
 
PDF
Build Web, Mobile & Desktop Apps with Flutter
byShiv Technolabs Pvt. Ltd.
 
PPTX
Streamline Compliance and Safety with Advanced Contractor Management Software
bySHEQ Network Limited
 
PPTX
power point presentation of Soft computing
byyashhjain24
 
PDF
git - from commit to merge - semcomp beta 2018 workshop
byJoao Marins
 
PDF
Cloud-based Hotel PMS_ Why hotels Must Upgrade Now.pdf
byHotelogix
 
DOCX
Ethereum News: ETH Dominates DeFi and Smart Contracts
byCoinography Coionography
 
PDF
Top Django Questions for Preparation .pdf
bysenseacademy2
 
PPTX
What Tools Can Replace Tableau for Interactive Dashboards.pptx
byVarsha Nayak
 
PDF
Important Features A Leave Management System Should Have
byCitytech Software DMCC
 
PDF
Google Developer Groups on Campus CSUEB: Intro to Google Agent Development Kit
byugoti
 
PDF
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
PPTX
Streamline Safety with Advanced Chemical Inventory Management System
byEHA Soft Solutions
 
PDF
Insurance-CRM-Software-The-Key-to-Digital-Transformation.pdf
byInsurance Tech Services
 
PPTX
Classify and visualize Jira work to stay focused and foster innovation - Work...
byWork Type Focus
 
What Tools Can Replace Tableau for Interactive Dashboards.docx
byVarsha Nayak
 
Comprehensive Guide to Performance Testing Tools and Services
byKanika Vatsyayan
 
Agentic AI meets Serverless on AWS - AWS User Group Cologne 2025
byVadym Kazulkin
 
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 
Working with Machine Learning in Production
byFrederick Apina
 
Hall-Pass-Management-Software-Transforming-School-Safety-and-Efficiency.pptx
byinfoswipesolutionsin
 
Build Web, Mobile & Desktop Apps with Flutter
byShiv Technolabs Pvt. Ltd.
 
Streamline Compliance and Safety with Advanced Contractor Management Software
bySHEQ Network Limited
 
power point presentation of Soft computing
byyashhjain24
 
git - from commit to merge - semcomp beta 2018 workshop
byJoao Marins
 
Cloud-based Hotel PMS_ Why hotels Must Upgrade Now.pdf
byHotelogix
 
Ethereum News: ETH Dominates DeFi and Smart Contracts
byCoinography Coionography
 
Top Django Questions for Preparation .pdf
bysenseacademy2
 
What Tools Can Replace Tableau for Interactive Dashboards.pptx
byVarsha Nayak
 
Important Features A Leave Management System Should Have
byCitytech Software DMCC
 
Google Developer Groups on Campus CSUEB: Intro to Google Agent Development Kit
byugoti
 
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
Streamline Safety with Advanced Chemical Inventory Management System
byEHA Soft Solutions
 
Insurance-CRM-Software-The-Key-to-Digital-Transformation.pdf
byInsurance Tech Services
 
Classify and visualize Jira work to stay focused and foster innovation - Work...
byWork Type Focus
 

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

  • 1.
    System Hacking &Reverse Engineering [Introduction to Vulnerability & Type of Vulnerability] documented by h2spice h2spice@gmail.com
  • 2.
    Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
  • 3.
    목차 커리큘럼 소개 Track1 - Introduction to Vulnerability Bugs Crashes Vulnerability Exploitation Defense Mechanism Track2 - Type of Vulnerability Buffer Overflow Stack Heap Integer Format String Use After Free
  • 4.
    시스템 해킹 /리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
  • 5.
  • 6.
    Track1. Intro toVuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 7.
    About Bugs 알수없는에러 혹은 소프트웨어 설계상의 실수로부터 발생 예상하지 못한 동작 혹은 결과를 유발 버그로 부터 크래쉬가 발생 버그의 종류 논리적인(Logical) 버그 문법적인(Syntax) 버그 리소스 (Resource) 버그 ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 8.
    About Crashes 소프트웨어크래쉬 정상적이지 않은 명령어 실행 (Invalid instruction execution) 특정 권한을 필요로하는 명렁어 실행 (Privileged instruction execution) 정상적이지 않은 메모리 역참조 (Dereference of invalid memory) 운영체제/ 커널 크래쉬 BSOD (Blue Screen of Death) 복구 불가능한 크래쉬(Non-recoverable) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 9.
    What is thevulnerability ? 정의 ( from Wikipedia) 컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진 공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점 (eg. execution of arbitrary code , bypass security mitigation, etc) 사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험 성 악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한 동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다. 취약점의 예 버퍼 오버플로우 (Stack, Heap, Integer) 포맷스트링 (Format String) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 10.
    How many vulnerabilitydisclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ Total Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 11.
    How many vulnerabilitydisclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ High Severity Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 12.
    Type of vulnerability 버퍼 오버플로우 (Buffer Overflow) 스택 오버플로우 (Stack Overflow) 힙 오버플로우 (Heap Overflow) 정수형 오버플로우 (Integer Overflow) 포맷 스트링 (Format String Bug) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 13.
    What is theexploitation 소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생 흐름 제어 (Control hijack) 서비스 거부 (DOS: Denial-of-Service) 정보 유출 (Information Leakage) 소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격 소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인 (일반적으로 사용자 입력값으로 부터 흐름제어 가능) 공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어 Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 14.
    What is theexploitation 일반적인 보호 메커니즘(Common defense mechanisms) 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization) 데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) ... 보호 메커니즘 우회 (Bypass defense mechanisms) 무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got) 데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 15.
    Track2. Type ofVulnerability
  • 16.
    Track2. Type ofVuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 17.
    What is theBuffer Overflow C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다 더 큰 데이터를 기록함으로써 발생 운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생 high address Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 18.
    What is theStack Overflow 스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다. int main(int argc, char* argv[]) { char buf[8]; strcpy(buf,argv[1]); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 19.
    Principle of StackOverflow char buf[8]; strcpy(buf,argv[1]); argv[1] = “AAAAAAA” A A A A A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 8바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 20.
    Stack Layout LowAddress arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 21.
    Stack Layout LowAddress arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 22.
    Stack Layout LowAddress arg2 arg1 &ret (saved eip) saved ebp A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 23.
    Stack Layout LowAddress arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 24.
    Stack Layout LowAddress arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 25.
    What is theHeap Overflow 힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복 사되어질 때 발생합니다. int main(int argc, char* argv[]) { char *buf buf = malloc(4); memcpy(buf,argv[1],size); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 26.
    Principle of HeapOverflow buf = malloc(4); memcpy(buf,argv[1],sizeof(argv[1])); argv[1] = “AAA” A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 4바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 27.
    Heap Layout Calling.Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
  • 28.
    Heap Layout Twoallocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
  • 29.
    Heap Layout Twoallocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In
  • 30.
    Heap Layout Twoallocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 31.
    Heap Layout Twochunks, of which the first is free for allocation Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size unused Chunk FD (pointer to the next free chunk) BK (pointer to the pref free chunk) Unused Prev_size size Data[4] High Address Prev_In Use bit Chunk1 0
  • 32.
    Heap Layout Twoallocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 33.
    Heap Layout Twoallocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 34.
    Heap Layout Twoallocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 35.
    What is theInteger Overflow it occurs when the operation result stored is bigger than permissible range it occurs when the operation result stored is smaller than permaissible range it occurs in the operation process difficulty in detecting, so massive code analysis is needed 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0 20000 30000 -15536 + it is a negative number since it is interpreted as a sign bit Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 36.
    Example of theInteger Overflow Output 1 - The normal case Output 2 - Integer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 37.
    Example of IntegerBuffer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
  • 38.
    Example of IntegerBuffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ declare variable (signed/unsigned type, static buffer) Output 1 - The normal case
  • 39.
    Example of IntegerBuffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ get size of user input data and then, print size Output 1 - The normal case
  • 40.
    Example of IntegerBuffer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } check size of user input data (code to prevent buffer overflow) Output 1 - The normal case
  • 41.
    Example of IntegerBuffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ Output 2 - Integer Overflow copy user input data to buffer type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ and then print user input data Output 1 - The normal case
  • 42.
    Example of IntegerBuffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ if variable signed type stored in big data, will occur integing overflow Output 1 - The normal case
  • 43.
    Example of IntegerBuffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ because type2 it has been set negative number, to bypass code that prevent buffer overflow Output 1 - The normal case
  • 44.
    Example of IntegerBuffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ as a result, occur stack buffer overflow
  • 45.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free printf(buf);
  • 46.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability occurs when user input data is used as format string) Collect Usage : printf(“%s”, argv[1]); Dangerous Usage : printf(arvg[1]); 임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to read & write arbitrary memory space) 정적 분석 도구를 이용하여 탐지 가능(Can be detected by Static Analysis Tools) But still show up in many competition or software
  • 47.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free Format String / Parameter Description %d 정수형 10진수 상수 (integer) %f 실수형 상수 (float) %lf 실수형 상수 (double) %c 문자 값 (char) %s 문자 스트링 ((const)(unsigned) char *) %u 양의 정수 (10 진수) %o 양의 정수 (8 진수) %x 양의 정수 (16 진수) %s 문자열 %n * int (쓰인 총 바이트 수) %hn %n의 반인 2바이트 단위
  • 48.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string
  • 49.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %x
  • 50.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string when user input data is used as Format String
  • 51.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
  • 52.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
  • 53.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free ………
  • 54.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address
  • 55.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%x” low address ESP
  • 56.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Hey! where is argument about Format string “%x”
  • 57.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ?
  • 58.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ? we don’t have enough time do as you usually do !
  • 59.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP
  • 60.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf ESP printf( ) 호출시 인자값 인자들은 스택에 적재되 low address 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
  • 61.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 printf( ) 호출시 인자값 인자들은 스택에 적재되 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
  • 62.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+16 ESP+12 ESP+8 ESP+4
  • 63.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 Point1. We can read the arbitrary memory space
  • 64.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n
  • 65.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%n” low address ESP
  • 66.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP ………
  • 67.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?!
  • 68.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?! %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 69.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 70.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 4개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( is it length of the string ?)
  • 71.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 72.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 9개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( it is length of the string !)
  • 73.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 74.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 75.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 76.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 77.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address) Point2. We can write the arbitrary memory space
  • 78.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What about it ? What do you want me to do ?
  • 79.
    Track2. Type ofVuln How do we make use of this ? Buffer Overflow Stack Heap Integer Format String Use After Free 버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다. But ? 포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작 할 수 있다. (번거롭고 골치아프다) ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할 수 있다. GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할 수 있다.
  • 80.
    Track2. Type ofVuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free It’s my prey
  • 81.
    Track2. Type ofVuln What is the Use After Free ? Buffer Overflow Stack Heap Integer Format String Use After Free not occurs crash but, there are vulnerability 논리적인 취약점 (Logical Vulnerability) 할당 -> 사용 -> 해제 -> 사용 (Malloc -> Use -> Free -> Use) 크래쉬가 발생하지 않음 (but not occurs crash)
  • 82.
    Proof of Conceptabout Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 83.
    Proof of Conceptabout Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 84.
    Proof of Conceptabout Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 85.
    Proof of Conceptabout Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 86.
    What is ExploitableCrash ? mov eax,dword ptr [esi+0Ch] mov eax,dword ptr [ecx] mov edx,dword ptr [eax+5Ch] call edx
  • 87.