Countermeasures (0x660~0x680)
Jinsoo Kim

Contents
• 1. Advanced Camouflages
  • Spoofing the logged IP address
  • Logless Exploitation
• 2. Socket Reuse
• 3. Payload Smuggling
  • String Encoding
  • How to hide a sled
1. Advanced Camouflages
• How to spoof the logged IP address in the tinyweb daemon?
• To spoof the IP address, we need to overwrite client_addr_ptr with the address of our own injected sockaddr_in structure

1.1 How to spoof the logged IP address in the tinywebd daemon?
• Creating and dumping a sockaddr_in structure on the standard output

Shell script spoofing the logged IP
• xtool_tinywebd_spoof.sh (continued; the script itself is shown as an image on the slide)

Stack frame of handle_connection() (figure): the request[500] buffer sits at the low end of the frame. Before the exploit it is followed by the saved ebp, the return address and the arguments sockfd, client_addr_ptr and logfd. After the exploit, the fake sockaddr_in is placed at request+15, a NOP sled with its landing point at request+100 leads into the shellcode, the return address is overwritten with request+100, and client_addr_ptr is overwritten with a pointer to the fake sockaddr_in; the injected data spans 540 bytes.
1.1 How to spoof the logged IP address in the tinyweb daemon?
• Let's see what this exploit does by attaching GDB to the running tinyweb daemon.
• Calculating the offset and return address, then setting the offset and return address in xtool_tinyweb_spoof.sh

(figure: GDB session showing the return address, the computed offset, and the return address after it has been overwritten)
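The point of the spoofing slides is that the daemon never checks where client_addr_ptr points: it logs whatever 16-byte sockaddr_in sits at that address, so a pointer redirected into the request buffer yields a log line with an attacker-chosen IP. The added example below (not code from the slides or from the book's tinywebd) packs and parses the structure to show exactly which bytes the log line is derived from, and then cross-checks log entries against peers recorded by an independent source such as a packet capture or firewall connection log. The log format "From ip:port" and the function names are assumptions for this example.

```python
import socket
import struct

# Layout of struct sockaddr_in on Linux (16 bytes), the structure that
# tinywebd's client_addr_ptr points at when it writes the log line:
#   sin_family (2 bytes, host order), sin_port (2 bytes, network order),
#   sin_addr (4 bytes, network order), sin_zero (8 bytes of padding)
SOCKADDR_IN_FMT = "<H2s4s8s"


def build_sockaddr_in(ip, port):
    """Pack a sockaddr_in as the kernel fills it in for an accepted connection."""
    return struct.pack(SOCKADDR_IN_FMT, int(socket.AF_INET),
                       struct.pack("!H", port), socket.inet_aton(ip), b"\x00" * 8)


def parse_sockaddr_in(buf):
    """Decode the 16-byte structure back into family, port and dotted-quad IP."""
    family, port, addr, _zero = struct.unpack(SOCKADDR_IN_FMT, buf[:16])
    return {"family": family, "port": struct.unpack("!H", port)[0],
            "ip": socket.inet_ntoa(addr)}


def format_log_entry(client_addr_bytes):
    """Hypothetical log line: the daemon prints whatever its pointer refers to,
    so the 16 bytes passed here are the only thing the recorded IP depends on."""
    a = parse_sockaddr_in(client_addr_bytes)
    return "From %s:%d" % (a["ip"], a["port"])


def find_unverified_entries(log_entries, observed_peers):
    """Return logged (ip, port) pairs that never appeared as a transport-layer peer.

    log_entries:    list of "From ip:port" strings taken from the daemon's log
    observed_peers: set of (ip, port) pairs from an independent source such as
                    a packet capture or a firewall connection log
    A log entry with no matching peer cannot have come from the kernel-filled
    structure and points at a spoofed client_addr_ptr.
    """
    suspicious = []
    for line in log_entries:
        ip, port = line.split()[1].rsplit(":", 1)
        if (ip, int(port)) not in observed_peers:
            suspicious.append((ip, int(port)))
    return suspicious


if __name__ == "__main__":
    # Constructed sample: one genuine connection and one entry that the daemon
    # logged from a structure not filled in by the kernel.
    genuine = build_sockaddr_in("10.0.0.5", 4444)
    print(format_log_entry(genuine))
    log = [format_log_entry(genuine), "From 192.168.1.1:4321"]
    print(find_unverified_entries(log, {("10.0.0.5", 4444)}))
```

The cross-check only works because the second source is populated by the kernel or the network rather than by the vulnerable process; a log line on its own carries no evidence about the real peer once the pointer it is derived from can be overwritten.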
Logless Exploitation
• How to exploit tinywebd without leaving any trace in the log file?

2. Socket Reuse
• For an IDS or IPS, the connection to port 31337 used in our reverse binding shellcode is a big red flag
• Socket Reuse
  • No need to open a new connection: reuse the existing socket for the root shell

Finding out the address of new_sockfd
• Let's find out the address of new_sockfd in the main function by attaching GDB to the running tinywebd
3. Payload Smuggling
• IDS or IPS systems look for patterns that signify an attack by inspecting packets
  • Packets containing the string "/bin/sh"
• This can be fairly effective at catching script kiddies
• However, such signatures are easily bypassed with custom shellcode that obfuscates itself

String Encoding in Shellcode
• To avoid being detected by pattern matching, the string is simply encoded and decoded as follows
  • We simply add 5 to each byte in the string "/bin/sh" and then push the string to the stack
  • Then the shellcode subtracts 5 from each string byte on the stack
Adding 5 to each byte in "/bin/sh" (figure): the string is pushed as two dwords, "/bin" and "/sh\x00".

Before decoding (ebx points at the low address): 0x736e6734 ("/bin" + 5), then 0x056d7834 ("/sh\x00" + 5).

After subtracting 5 from each byte: ebx points at 0x6e69622f ("/bin") followed by 0x0068732f ("/sh\x00"); ecx and edx are shown as well, with edx == 0.
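A literal "/bin/sh" signature misses the +5-encoded string, but a constant byte shift is itself a cheap pattern to enumerate. The added example below (not code from the slides) reproduces the dword values shown in the figure from the encoding rule, and then generalises the literal match into a detector that tries every additive shift, so the same rule catches the plain string, the +5 variant, and any other constant offset. The sample payload and the function names are constructed for this example.

```python
import struct

SIGNATURE = b"/bin/sh"


def shift_bytes(data, delta):
    """Add delta to every byte, wrapping at 8 bits; delta -5 undoes the +5 encoding."""
    return bytes((b + delta) & 0xFF for b in data)


def as_stack_dwords(data):
    """Split a NUL-padded string into the little-endian dwords that a sequence of
    4-byte pushes leaves on the stack, lowest address first."""
    padded = data + b"\x00" * (-len(data) % 4)
    return [struct.unpack("<I", padded[i:i + 4])[0] for i in range(0, len(padded), 4)]


def find_shifted_signatures(payload, signature=SIGNATURE, max_shift=255):
    """Find every occurrence of signature shifted by a constant 0..max_shift.

    Returns a list of (offset, shift). Shift 0 is the plain string, so this
    strictly generalises a literal match. It does not cover XOR or other
    non-additive encoders; for those the decoder loop is the better signature.
    """
    hits = []
    for shift in range(max_shift + 1):
        needle = shift_bytes(signature, shift)
        idx = payload.find(needle)
        while idx >= 0:
            hits.append((idx, shift))
            idx = payload.find(needle, idx + 1)
    return hits


# Constructed sample: a short NOP sled followed by the +5-encoded string and
# its encoded terminator, i.e. the bytes the slide's encoder leaves in the packet.
SAMPLE_PAYLOAD = b"\x90" * 8 + shift_bytes(b"/bin/sh\x00", 5)


if __name__ == "__main__":
    # The two encoded dwords from the figure, then the decoded ones.
    print([hex(d) for d in as_stack_dwords(shift_bytes(b"/bin/sh\x00", 5))])
    print([hex(d) for d in as_stack_dwords(b"/bin/sh\x00")])
    # A literal match fails, the shift-aware match reports offset 8 with shift 5.
    print(SAMPLE_PAYLOAD.find(SIGNATURE), find_shifted_signatures(SAMPLE_PAYLOAD))
```

With a 7-byte needle the chance of an accidental match at some shift is small, but shorter signatures would need a length threshold or a second indicator before alerting.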
How to hide a sled?
• A NOP sled is another signature that is easy for network IDS systems to detect
• To avoid this signature, different single-byte instructions can be used instead of NOP
  • Increment and decrement instructions for registers, which do not affect the control flow
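Once a sled is built from single-byte inc/dec instructions, a rule that only counts consecutive 0x90 bytes no longer fires. The added example below (not code from the slides) widens the run detector to the full set of single-byte register increments and decrements (opcodes 0x40 to 0x4F on 32-bit x86) alongside 0x90, and shows the cost of doing so: those opcodes are also the ASCII letters "A" through "O", so ordinary text produces short runs and a length threshold is needed. The sample inputs and the threshold value are constructed for this example.

```python
NOP = 0x90
# Single-byte x86 instructions usable as sled filler:
# 0x40..0x47 are inc eax..edi, 0x48..0x4F are dec eax..edi.
SLED_BYTES = frozenset({NOP} | set(range(0x40, 0x50)))


def longest_sled_run(payload, sled_bytes=SLED_BYTES):
    """Return (offset, length) of the longest run of bytes drawn from sled_bytes;
    (0, 0) when no such byte appears."""
    best = (0, 0)
    start = None
    # 0xFF is not a sled byte, so appending it closes a run that ends the payload.
    for i, b in enumerate(payload + b"\xff"):
        if b in sled_bytes:
            if start is None:
                start = i
        elif start is not None:
            if i - start > best[1]:
                best = (start, i - start)
            start = None
    return best


def is_sled_like(payload, min_run=32, sled_bytes=SLED_BYTES):
    """True when the payload contains a run of sled bytes at least min_run long."""
    return longest_sled_run(payload, sled_bytes)[1] >= min_run


if __name__ == "__main__":
    # Constructed samples: a classic NOP sled, a sled built only from inc/dec
    # bytes, and plain text that happens to fall inside the opcode range.
    plain_sled = b"\x90" * 40 + b"\xcc"
    incdec_sled = b"\x40\x41\x48\x4f" * 10 + b"\xcc"
    text = b"HELLO world"
    for sample in (plain_sled, incdec_sled, text):
        print(longest_sled_run(sample), is_sled_like(sample))
```

The text sample shows why the threshold matters: "HELLO" is five consecutive bytes in the 0x40 to 0x4F range and would count as a sled of length 5, so the rule should require a run length that realistic protocol text does not reach, or be combined with other indicators such as a decoder loop or a long non-printable region following the run.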