Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Size: px

Start display at page:

Download "Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University"

Lorraine Gregory
7 years ago
Views:

1 Hacking Blind Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh Stanford University

2 Hacking buffer overflows Exploit GET /0xDEAD HTTP/1.0 shell $ cat /etc/passwd root:x:0:0:::/bin/sh sorbo:x:6:9:pac:/bin/sh

3 Crash or no Crash? Enough to build exploit GET /blabla HTTP/1.0 HTTP/ Not Found GET /AAAAAAAAAAAAAAAA connection closed

4 Don t even need to know what application is running! Exploit scenarios: 1. Open source 2. Open binary 3. Closed-binary (and source)????

5 Attack effectiveness Works on 64-bit Linux with ASLR, NX and canaries Server Requests Time (mins) nginx 2,401 1 MySQL 3, Toy proprietary service (unknown binary and source) 1,950 5

6 Attack requirements 1. Stack vulnerability, and knowledge of how to trigger it. 2. Server process that respawns after crash E.g., nginx, MySQL, Apache, OpenSSH, Samba.

7 Outline Introduction. Background on exploits. Blind ROP (BROP). Optimizations.

8 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address 0x urn; } handle_client() buf[1024]

9 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x AAAAAAAAA AAAAAAAAA handle_client() AAAAAAAAA AAAAAAAAA

10 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; 0x AAAAAAAAA AAAAAAAAA?? AAAAAAAAA AAAAAAAAA

11 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x AAAAAAAAA AAAAAAAAA AAAAAAAAA AAAAAAAAA

12 Stack vulnerabilities void process_packet(int s) { char buf[1024]; int len; read(s, &len, sizeof(len)); read(s, buf, len); Stack: urn address } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x x

13 Exploit protections void process_packet(int s) { char buf[1024]; 1. Make stack non-executable int len; (NX) read(s, &len, sizeof(len)); read(s, 2. buf, Randomize len); memory addresses (ASLR) Stack: urn address 0x } urn; Shellcode: dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x

14 Return-Oriented Programming (ROP).text: Stack: code fragment 0x Executable dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0); 0x Non-Executable

15 Return-Oriented Programming (ROP).text: Stack: code fragment 0x dup2(sock, 0); dup2(sock, 1); execve( /bin/sh, 0, 0);...

16 Return-Oriented Programming (ROP).text: Stack: code dup2(sock, 0); 0x fragment urn; 0x dup2(sock, 1); 0x x urn; execve( /bin/sh, 0, 0); urn; 0x x ROP gadget

17 Address Space Layout Randomization (ASLR).text: 0x code fragment dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x x x800000

18 Address Space Layout Randomization (ASLR).text: 0x ?? code fragment dup2(sock, 0); urn; dup2(sock, 1); urn; execve( /bin/sh, 0, 0); urn; Stack: 0x ?? 0x ?? 0x ??

19 Exploit requirements today 1. Break ASLR. 2. Copy of binary (find ROP gadgets / break NX). Is it even possible to hack unknown applications?

20 Blind Return-Oriented Programming (BROP) 1. Break ASLR. 2. Leak binary: Remotely find enough gadgets to call write(). write() binary from memory to network to disassemble and find more gadgets to finish off exploit.

21 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address buf[1024] 0x401183

22 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x401183

23 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)

24 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)

25 Defeating ASLR: stack reading Overwrite a single byte with value X: No crash: stack had value X. Crash: guess X was incorrect. Known technique for leaking canaries. Return address x (Was: 0x401183)

26 How to find gadgets?.text: 0x code fragment 0x x x x x401130?????????? Stack: urn address 0x buf[1024]

27 How to find gadgets?.text: 0x code 0x x x x x fragment crash???????? Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA

28 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash?????? Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA

29 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash no crash???? Connection hangs Stack: urn address 0x AAAAAAAAA AAAAAAAAA

30 How to find gadgets?.text: 0x code 0x x x x x fragment crash crash no crash crash crash Connection closes Stack: urn address 0x AAAAAAAAA AAAAAAAAA

31 Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn

32 Three types of gadgets Stop gadget Crash gadget Useful gadget sleep(10); urn; abort(); urn; dup2(sock, 0); urn; Never crashes Always crashes Crash depends on urn

33 Finding useful gadgets 0x Stack: Crash!! dup2(sock, 0); urn; other urn address 0x x buf[1024] sleep(10); urn;

34 Finding useful gadgets 0x Stack: dup2(sock, 0); urn; 0x urn address 0x x buf[1024] sleep(10); urn; No crash

35 How to find gadgets?.text: 0x code fragment 0x x x x x crash crash stop gadget crash crash Stack: other urn address 0x buf[1024]

36 How to find gadgets?.text: 0x code fragment Connection hangs 0x x x x x gadget! crash stop gadget crash crash Stack: 0x urn address 0x AAAAAAAAA AAAAAAAAA

37 How to find gadgets?.text: 0x code fragment Connection closes 0x x x x x gadget! crash stop gadget crash crash Stack: 0x urn address 0x AAAAAAAAA AAAAAAAAA

38 What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write

39 What are we looking for? write(int sock, void *buf, int len) pop rdi pop rsi pop rdx call write AAAAA buf[1024] 0x addr sock rdi 0x buf rsi 0x len rdx 0x700000

40 Pieces of the puzzle pop rsi pop rdi stop gadget [call sleep] pop rdx call write

41 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 pop rsi pop r15 pop rdi pop rdx stop gadget [call sleep] call write

42 Finding the BROP gadget Stack: Connection hangs stop gadget urn address 0x buf[1024]

43 Finding the BROP gadget Stack: stop gadget crash gadget pop rbx Connection hangs urn address 0x buf[1024]

44 Stack: Finding the BROP gadget stop gadget crash gadget crash gadget crash gadget crash gadget crash gadget crash gadget urn address 0x pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 BROP gadget Connection hangs buf[1024]

45 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 pop rsi pop r15 pop rdi pop rdx stop gadget [call sleep] call write

46 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 pop rsi pop r15 pop rdi call strcmp stop gadget [call sleep] call write

47 Pieces of the puzzle The BROP gadget pop rbx pop rbp pop r12 pop r13 pop r14 pop r15 pop rsi pop r15 pop rdi PLT stop gadget [call sleep] call strcmp call write

48 Procedure Linking Table (PLT).text: PLT libc.text: PLT... call write call strcmp... jmp [sleep] jmp [write] jmp [strcmp] jmp [dup2] jmp [execve] jmp [...]

49 Fingerprinting strcmp arg1 arg2 result readable 0x0 crash 0x0 readable crash readable readable nocrash Can now control three arguments: strcmp sets RDX to length of string

50 Finding write Try sending data to socket by calling candidate PLT function. check if data received on socket. chain writes with different FD numbers to find socket. Use multiple connections.

51 Launching a shell 1. dump binary from memory to network. Not blind anymore! 2. dump symbol table to find PLT calls. 3. redirect stdin/out to socket: dup2(sock, 0); dup2(sock, 1); 4. read() /bin/sh from socket to memory 5. execve( /bin/sh, 0, 0)

52 Braille Fully automated: from first crash to shell. 2,000 lines of Ruby. Needs function that will trigger overflow: nginx: 68 lines. MySQL: 121 lines. toy proprietary service: 35 lines. try_exp(data) true crash false no crash

53 Attack complexity dump bin 222 find write 101 find strcmp 61 stack reading 846 find BROP gadget 469 find PLT 702 # of requests for nginx

Exploiting nginx chunked overflow bug, the undisclosed attack vector

Exploiting nginx chunked overflow bug, the undisclosed attack vector Long Le longld@vnsecurity.net About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET In this talk Nginx brief introduction Nginx chunked