
Introduction to InfoSec – Recitation 3

Introduction to InfoSec – Recitation 3. Nir Krakowski (nirkrako at post.tau.ac.il), Itamar Gilad (itamargi at post.tau.ac.il). Today: Binary patching; More about shellcodes; Some more tools; And… Python, Socket Programming; Q&A. Binary patching example.


Presentation Transcript


  1. Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

  2. Today • Binary patching • More about shellcodes • Some more tools • And… • Python • Socket Programming • Q&A

  3. Binary patching example

     #include <string.h>

     /* Returns 0 when the credentials match, 1 otherwise. */
     int verify_login(char * username, char * password)
     {
         if ((0 == strcmp(username, "root")) && (0 == strcmp(password, "my_pass")))
         {
             return 0;
         }
         else
         {
             return 1;
         }
     }

  4. Patch Layout • Function prolog • Patch area (NOPs) • Function body • Function epilog

  5. Execution Layout • Function prolog • Function body • Patch area (CODE) • Function epilog

  6. Patch Layout • Function prolog • Divert execution around patch area • Patch area (NOPs) • Function body • Function epilog

  7. Patch Layout • Function prolog • Patch area (NOPs) • Function body • Jump into patch area • Function epilog

  8. Patch Layout • Function prolog • Patch area (NOPs) • Function body • Jump back into original code • Function epilog

  9. Patch Layout • Function prolog • Patch area (CODE) • Function body • Function epilog
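The patch-layout sequence of slides 4 to 9, worked through as an added Python example (not part of the recitation materials): it lays out a constructed 32-bit x86 function with a NOP patch area, writes the patch into that area, and encodes the short jumps that skip the area on the normal path, hook the end of the body into the patch, and return to the epilog. The byte sequences, offsets and helper names are assumptions constructed for the demonstration.

```python
import struct
NOP = 0x90       # x86 one-byte nop: filler for the patch area
JMP_REL8 = 0xEB  # x86 short jump: EB <signed 8-bit displacement>

def jmp_rel8(src, dst):
    """2-byte short jump placed at offset src that lands on offset dst."""
    rel = dst - (src + 2)  # displacement is relative to the next instruction
    if not -128 <= rel <= 127:
        raise ValueError("target out of short-jump range")
    return bytes([JMP_REL8]) + struct.pack("<b", rel)
def short_jmp_target(img, off):
    # Decode the short jump at off and return the offset it lands on.
    assert img[off] == JMP_REL8, "no short jump at offset %d" % off
    return off + 2 + struct.unpack("<b", img[off + 1:off + 2])[0]
def build_function(prolog, patch_area_len, body, epilog):
    """Slide 4 layout: prolog | patch area (NOPs) | body | epilog."""
    return prolog + bytes([NOP]) * patch_area_len + body + epilog
def apply_patch(image, prolog_len, patch_area_len, body_len, patch_code):
    """Fill the patch area and wire the jumps so the patch runs after the body."""
    img = bytearray(image)
    patch_start = prolog_len
    body_start = patch_start + patch_area_len
    epilog_start = body_start + body_len
    # Slide 6: divert execution around the patch area (its first bytes jump to the body).
    img[patch_start:patch_start + 2] = jmp_rel8(patch_start, body_start)
    # Slide 7: the last 2 bytes of the body become a jump into the patch area.
    hook_at = epilog_start - 2
    displaced = bytes(img[hook_at:epilog_start])  # body bytes the hook overwrites
    # Assumption: displaced bytes are whole position-independent instructions (nops here).
    code = displaced + patch_code
    code_start = patch_start + 2
    jmp_back_at = code_start + len(code)
    if jmp_back_at + 2 > body_start:
        raise ValueError("patch does not fit in the patch area")
    img[code_start:jmp_back_at] = code
    img[hook_at:epilog_start] = jmp_rel8(hook_at, code_start)
    # Slide 8: jump back into the original code (the epilog) after the patch code.
    img[jmp_back_at:jmp_back_at + 2] = jmp_rel8(jmp_back_at, epilog_start)
    return bytes(img)

# Constructed 32-bit x86 byte sequences for the demonstration.
PROLOG = b"\x55\x89\xe5"         # push ebp; mov ebp, esp
BODY = b"\x31\xc0\x90\x90"       # xor eax, eax; nop; nop
EPILOG = b"\x5d\xc3"             # pop ebp; ret
PATCH = b"\xb8\x01\x00\x00\x00"  # mov eax, 1: the patch changes the return value
PATCH_AREA_LEN = 16

def demo():
    # Build the NOP-padded function (slide 4) and patch it (slide 9); returns (original, patched).
    original = build_function(PROLOG, PATCH_AREA_LEN, BODY, EPILOG)
    return original, apply_patch(original, len(PROLOG), PATCH_AREA_LEN, len(BODY), PATCH)
```

In the patched image the NOP area now holds skip-jump, relocated body bytes, patch code and jump-back, which is the execution layout of slide 5.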

  10. More advanced exploitation • More resilient – • Use trampolines instead of stack addresses • Don’t count on static function addresses – dlopen(), dlsym() • ‘Egg hunting’ for executable file headers • Avoid null bytes / Avoid other bytes / UTF8 / etc. • Shellcodes that will run / not crash on multiple architectures • Do more – • Add users, modify files, install malware • Manipulate program flow / memory • Open a shell back home

  11. New tools! build_shellcode.py script (based on the patch_util_gcc.py script, but made for simpler usage when creating shellcodes).

  12. New tools! • shellcode_host – reads a binary shellcode as instructed via the command line, and simulates execution. • shellcode_host_no_nulls – similar to shellcode_host, but the string is copied via strcpy, so no null characters (0x00) will be permitted in the body of the shellcode. • stack_overflow_host – similar to shellcode_host in the sense that it will allow null bytes inside the shellcode, but here you must overflow the stack and control the return address yourself. • stack_overflow_host_no_nulls – similar to stack_overflow_host, but no null bytes will be permitted.

  13. How external function calls work • Many options - • syscall via int 0x80 (as we've seen) • static lib – hard-coded address (rare) • Dynamic lib - • Assume already loaded, call directly (hard-coded address, not resilient) • Call via the PLT / GOT (best method)

  14. External function calls • A call through the PLT looks like - call _printf • Which is actually a simple jmp -
      _printf proc near
          jmp ds:off_804A010 ; GOT entry
      _printf endp

  15. Practical usage for external function calls • We can call through the GOT entry directly • Or, we could replicate what the original code would do, and just call the call-through function (the PLT stub) • Of course – other methods could still work (namely, direct syscalls)

  16. Questions?
