
CS519/419 Cyber Attacks & Defense


Presentation Transcript


  1. CS519/419 Cyber Attacks & Defense
     Yeongjin Jang, 01/23/18

  2. Notice
     • Week-1 deadline passed
     • If the VM does not work for you, please use the vm-ctf1 server
     • Piazza is up: https://piazza.com/class/jc9wsr9swhl1bf

  3. Project
     • Project Proposal
       • Deadline 2/14 Wed, so that you have enough time (~4 weeks) to finish the project
       • You can build a team of up to 3 members
       • Please come to the office hour to discuss the topic
     • Topics
       • Bug finding
       • Vulnerability analysis
       • Wargame solving
       • Etc.
     • You will present the result either on 3/13 or 3/15

  4. Assignment Week-2
     • stack-quiz
     • stack-ovfl
     • frame-pointer
     • one-off
     • weird-main (x2 points)

  5. Assignment Week-2: stack-ovfl
     Stack diagram from the slide (cells from higher to lower addresses, labels as drawn):
       Local
                    GGGG
                    FFFF
       Ret addr     0x80484e8
       Saved ebp    EEEE        <- %ebp
                    DDDD
                    CCCC
                    BBBB
       Not used..   AAAA        <- %esp

  6. Assignment Week-2: frame-pointer
     Stack diagram from the slide (cells from higher to lower addresses, labels as drawn):
       Local
       Ret addr     0x80484e8
       Saved ebp    EEEE        <- %ebp
                    DDDD
                    CCCC
                    BBBB
       Not used..   AAAA        <- %esp

  7. Assignment Week-2: one-off
     Stack diagram from the slide (cells from higher to lower addresses, labels as drawn; only one byte "E" of the saved ebp is shown):
       Local
       Ret addr     0x80484e8
       Saved ebp    E           <- %ebp
                    DDDD
                    CCCC
                    BBBB
       Not used..   AAAA        <- %esp

  8. Assignment Week-2 Workflow
     • Overwrite the stack frame
     • Make the function incorrectly return
     • Change the return address
       • execute_me()
       • Prints the flag

  9. Permissions in Linux
     • In Linux, your privilege is restricted by your uid and gid
     • Permissions
       • uid/gid/everyone
       • Read/write for the user (red9057), read/write for the group (red9057)
       • Only read for anyone else

  10. Permissions for the Flags
     • What about our flags in challenges/*?
       • Read by root (uid)
       • Read by week2-05 or week2-06 (gid)
       • No permission for anyone else

  11. How Can We Read the Flag?
     • Sticky bits (for groups, users)
     • Assignment binaries are set with the gid sticky bit
     • Running such a program makes you inherit the gid of the binary
       • r-s: read, no write, s (sticky on run)
     • You will be in gid week2-05 or week2-06 during its execution

  12. How Does the System Use the Sticky Bits?
     • Some operations require the root privilege (administrator)
     • You will become root UID while running such programs
       • Changing password
       • Using the raw socket
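As an added example (not part of the slides), a small Python model of what slides 9 to 12 describe: how the set-id bit on a binary changes the effective gid of the process that runs it, and why that is enough to read a flag file that is otherwise closed to the student. The uid/gid numbers and the two file modes are constructed for the walkthrough and are not taken from the course server.

```python
import stat

# Constructed ids for the walkthrough (not values taken from the course server)
ROOT, GRP_WEEK2_05, STUDENT_UID, STUDENT_GID = 0, 2005, 1000, 1000
FLAG_MODE = 0o440     # flag: owner root, group week2-05 -> r--r-----
BINARY_MODE = 0o2555  # challenge binary with the gid bit set -> r-xr-sr-x

def mode_string(mode):
    """Render the 9-character permission string the way ls -l prints it:
    's' replaces the owner/group 'x' when setuid/setgid is set, 't' replaces
    the other 'x' for the sticky bit (uppercase when the 'x' itself is absent)."""
    out = []
    for shift, special, flag in ((6, stat.S_ISUID, "s"),
                                 (3, stat.S_ISGID, "s"),
                                 (0, stat.S_ISVTX, "t")):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            out.append(flag if bits & 1 else flag.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)

def ids_on_exec(mode, file_uid, file_gid, uid, gid):
    """Effective (uid, gid) a process runs with after executing this file:
    the setuid/setgid bits substitute the file's owner/group for the run."""
    euid = file_uid if mode & stat.S_ISUID else uid
    egid = file_gid if mode & stat.S_ISGID else gid
    return euid, egid

def can_read(mode, file_uid, file_gid, euid, egid):
    """Owner/group/other read check; root always passes, supplementary
    groups are ignored to keep the model small."""
    if euid == 0:
        return True
    if euid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if egid == file_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def walkthrough():
    """Returns (student reads flag directly?, egid inside the setgid binary,
    flag readable with that borrowed egid?)."""
    direct = can_read(FLAG_MODE, ROOT, GRP_WEEK2_05, STUDENT_UID, STUDENT_GID)
    euid, egid = ids_on_exec(BINARY_MODE, ROOT, GRP_WEEK2_05,
                             STUDENT_UID, STUDENT_GID)
    borrowed = can_read(FLAG_MODE, ROOT, GRP_WEEK2_05, euid, egid)
    return direct, egid, borrowed
```

The same model explains the defender's side of slide 14: every set-id binary on a system is a place where a bug turns into the borrowed uid or gid, which is why auditing them matters.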

  13. Many Such Programs…

  14. Attack Class: Privilege Escalation
     • Exploit a vulnerability in a program that runs with a higher privilege to do something you are not allowed to do
     • E.g., exploit a vulnerability in /usr/bin/sudo to become the root user!

  15. Assignment Week-2 Workflow
     • Overwrite the stack frame
     • Make the function incorrectly return
     • Change the return address
       • execute_me()
       • Prints the flag

  16. How Do Real Attacks Work?
     • 1. Find a vulnerability that can hijack the control pointer
     • 2. Change the control to the function that you want to execute
     • 3. Run with escalated privilege!

  17. How Do Real Attacks Work?
     • 1. Find a vulnerability that can hijack the control pointer
     Stack diagram from the slide (cells from higher to lower addresses, labels as drawn):
       Local
                    GGGG
                    FFFF
       Ret addr     0x80484e8
       Saved ebp    EEEE        <- %ebp
                    DDDD
                    CCCC
                    BBBB
       Not used..   AAAA        <- %esp

  18. How Do Real Attacks Work?
     • 2. Find a function that you want to execute
       • execute_me()
       • What if the function is not in the binary???
       • Write your code and make it available in the memory!
     Stack diagram from the slide (cells from higher to lower addresses, labels as drawn; the return address cell is annotated "Target function"):
       Local
                    GGGG
       Ret addr     0x80484e8   <- Target function
       Saved ebp    EEEE        <- %ebp
                    DDDD
                    CCCC
                    BBBB
       Not used..   AAAA        <- %esp

  19. Shellcode
     • Binary code (a small piece of program) that runs a shell (i.e., /bin/sh)
       • execve("/bin/sh", 0, 0)
     • Why a shell?
       • You can run any command after spawning a shell
       • $ cat flag-32
     • Inheriting the sticky privilege for privilege escalation
       • setreuid(geteuid(), geteuid())
       • setregid(getegid(), getegid())

  20. Week3 Assignment Part 1
     • Write shellcodes
       • x86-shellcode
       • x86/x64 non-zero shellcode
       • x64 ASCII non-zero shellcode (0x01 ~ 0x7f)
       • x86 alphanumeric shellcode ([0-9a-zA-Z]+)
     • The code will run
       • setregid(getegid(), getegid())
       • execve("/bin/sh", 0, 0)

  21. Linux System Call
     • System call
       • An operation of the operating system
       • Does some privileged work
         • open files, execute files, change privileges, make network connections, etc.
     • Lists (the numbers differ between architectures)
       • x86: https://syscalls.kernelgrok.com/
       • amd64: http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/

  22. How to Call a Syscall?
     • x86 convention
       • eax = system call number
       • ebx = 1st argument
       • ecx = 2nd argument
       • edx = 3rd argument
       • esi = 4th argument
       • edi = 5th argument
       • Run: int $0x80 (software interrupt 0x80)
     • Examples
       • getegid()
         • Set eax = 0x32 (getegid16)
         • int $0x80 (will return the result in eax)
       • setregid(getegid(), getegid())
         • Move the eax from getegid to ebx
         • Move the same value to ecx
         • Set eax = 0x47 (setregid16)
         • int $0x80

  23. How to Call Execve?
     • execve("/bin/sh", 0, 0)
       • eax = 0xb (sys_execve)
       • ebx = addr of the "/bin/sh" string
       • ecx = 0
       • edx = 0
     • How to make the string?
       • On the stack!

  24. How to Call Execve?
     • Push $0 (NULL)
     • Push 0x68732f6e ("n/sh")
     • Push 0x69622f2f ("//bi")
     • %esp will point to "//bin/sh"
     • mov %esp, %ebx
     Stack diagram from the slide (%esp moves down with each push; cells from higher to lower addresses):
       NULL
       n/sh
       //bi        <- %esp

  25. How to Make Zero without Zero?
     • xor %ecx, %ecx
     • mov $0x01010101, %ecx
       sub $0x01010101, %ecx
     • push $1
       pop %ecx
       dec %ecx
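As an added example (not from the slides), a Python checker for the byte constraints of the Week-3 shellcode variants on slide 20, run over the instruction sequences on slides 24 and 25. The machine-code encodings are hand-assembled 32-bit x86 and are an assumption to verify with an assembler; the point the checker makes is why push $0 and mov $0 fail the non-zero rule, what a C-string copy does to such bytes, and which of the three replacements on slide 25 also passes the ASCII rule.

```python
import string

# Hand-assembled 32-bit x86 encodings (an assumption; check with an assembler)
# for the instruction sequences on slides 24 and 25.
SEQUENCES = {
    "push-null": bytes.fromhex("6a00"),            # push $0 (slide 24)
    "mov-zero":  bytes.fromhex("b900000000"),      # mov $0, %ecx (naive form)
    "xor":       bytes.fromhex("31c9"),            # xor %ecx, %ecx
    "mov-sub":   bytes.fromhex("b901010101"        # mov $0x01010101, %ecx
                               "81e901010101"),    # sub $0x01010101, %ecx
    "push-pop":  bytes.fromhex("6a01" "59" "49"),  # push $1 ; pop %ecx ; dec %ecx
}

ALNUM = frozenset((string.ascii_letters + string.digits).encode())

def classify(code):
    """Which of the Week-3 byte constraints a byte string satisfies."""
    return {
        "non_zero": b"\x00" not in code,
        "ascii_non_zero": all(0x01 <= b <= 0x7f for b in code),
        "alphanumeric": all(b in ALNUM for b in code),
    }

def c_string_copy(code):
    """What survives a strcpy()-style copy: the bytes before the first NUL."""
    return code.split(b"\x00", 1)[0]

def offending_bytes(code, allowed):
    """(offset, byte) pairs that violate the allowed-set predicate, so you
    can see exactly which operand byte breaks a constraint."""
    return [(i, b) for i, b in enumerate(code) if not allowed(b)]

def report():
    """Constraint table for every sequence above, keyed by name."""
    return {name: classify(code) for name, code in SEQUENCES.items()}
```

Only the push/pop/dec form is clean for the ASCII variant (its 0x01 immediate still fails the alphanumeric one); the xor and mov/sub forms carry bytes above 0x7f in their opcodes or ModR/M byte.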

  26. Assignment: Week-3
     • Please solve the challenges in the /home/labs/week3 directory
     • Debug programs in the samples directory
       • These programs will not give you the flag
     • Get flags from programs in the challenges directory
     • Due: 2/6 4:00pm
