316_Buffer Overflow

Application Defense
www.applicationdefense.com
The following excerpt was taken from the attackers that posted the Web site mirror at www.attrition.org.

Days after Madonna took a sharp swipe at music filesharers, the singer’s web site was hacked Saturday (4/19) by an electronic interloper who posted MP3 files of every song from “American Life,” the controversial performer’s new album, which will be officially released Tuesday. The site, madonna.com, was taken offline shortly after the attack was detected early Saturday morning and remained shut for nearly 15 hours.
Debugger A debugger is a software tool that either hooks into the runtime environment of the application being debugged or acts similar to (or as) a virtual machine for the program to run inside of. The software allows you to debug problems within the application being debugged. The debugger permits the end user to modify the environment, such as memory, that the application relies on and is present in. The two most popular debuggers are GDB (included in nearly every open source *nix distribution) and SoftICE (www.numega.com).
GDB The GNU debugger (GDB) is the de facto debugger on UNIX systems. GDB is available at http://sources.redhat.com/gdb/.
Disassembler A disassembler is a software tool used to convert compiled programs from machine code back to assembly code. The two most popular disassemblers are objdump (included in nearly every open source *nix distribution) and the far more powerful IDA (www.datarescue.com).
Links to Sites
■ www.securiteam.com—Securiteam is an excellent resource for finding publicly available exploits, newly released vulnerabilities, and security tools. It is especially well known for its database of open source exploits.
■ www.securityfocus.com—SecurityFocus is the largest online database of security content. It has pages dedicated to UNIX and Linux vulnerabilities, Microsoft vulnerabilities, exploits, tools, security articles and columns, and new security technologies.
■ www.ngssoftware.com—Next Generation Software released more vulnerabilities than any other security firm in 2003. Their vulnerability advisories have technical information and in some cases contain proof of concept code.
■ www.applicationdefense.com—Application Defense has a solid collection of free security and programming tools, in addition to a suite of commercial tools given to customers at no cost.
■ www.foundstone.com—Foundstone has an excellent Web site filled with new vulnerability advisories and free security tools. (Foundstone is now a Division of McAfee.)
■ www.atstake.com—@stake has one of the largest repositories of free “corporate-grown” security tools in addition to a slew of highly technical vulnerability advisories.
Mailing Lists
SecurityFocus.com All of the mailing lists at securityfocus.com, which is owned by Symantec, are excellent resources for up-to-date threat, vulnerability, and exploit data.
■ Bugtraq@securityfocus.com
■ Focus-MS@securityfocus.com
■ Pen-Test@securityfocus.com
VulnWatch The vulnwatch mailing list provides technical detail on newly released vulnerabilities in a moderated format. Plus, it doesn’t hurt that David Litchfield is currently the list’s moderator. You may sign up for vulnwatch at www.vulnwatch.org/.
NTBugTraq The NTBugTraq mailing list was created to provide users with Microsoft-specific vulnerability information. You may add yourself to the mailing list at no cost by registering at www.ntbugtraq.com/.
FIRST The FIRST mailing list is available to users by invitation only. Initially, the FIRST list was created for government and private industry information security professionals, but since then the site has grown significantly and new users may only be added at the request of current list representatives. More information can be found at www.first.org.
■ NASM The NASM package contains an assembler named nasm and a disassembler named ndisasm. The nasm assembly syntax is very easy to understand and read and therefore is often preferred over the AT&T syntax. More information and NASM downloads can be found on their homepage at http://nasm.sourceforge.net/.
■ GDB GDB is the GNU debugger. In this chapter, we will mainly use it to analyze core dump files. GDB can also disassemble functions of compiled code by just using the command disassemble <function name>. This can be very useful if you want to have a look at how your C code translates to assembly language. More information about GDB can be found on the GNU Web site at www.gnu.org/.
■ ObjDump ObjDump is a tool used to disassemble files and obtain important information from them. Even though we don’t use it in the shellcode archive, it deserves some attention because it can be very useful during shellcode development. More information about ObjDump can be found on the GNU Web site at www.gnu.org/software/binutils/.
■ Strace The strace program is very similar to ktrace: it can be used to trace all system calls a program is issuing. strace is installed on most Linux systems by default and can also be found for other operating systems such as Irix. The strace homepage can be found at www.liacs.nl/~wichert/strace/.
■ Readelf readelf is a program that allows you to get all kinds of information about an ELF binary. In this chapter, we will use readelf to locate a variable in a binary and then use that variable within shellcode. This program is (like objdump) part of the GNU binutils package. More information about that package is available at www.gnu.org/software/binutils/.
Links to Sites
■ www.shellcode.com.ar/—An excellent site dedicated to security information. Shellcode topics and examples are presented, but text and documentation may be difficult to follow.
■ www.enderunix.org/docs/en/sc-en.txt—A good site with some exceptional information on shellcode development. Includes a decent whitepaper detailing the topic, too.
■ www.metasploit.com/shellcode.html—The Metasploit site has some good information on shellcode, with multiple useful examples.
The first large part of the shellcode searches for a socket file descriptor that matches the port 0x3412. If it finds one, stdin, stdout, and stderr are dup’ed with the socket, setresuid is called, and a shell is spawned via execve. The code that seeks the socket originates from a document that was released by the Last Stage of Delirium project and is called the findsck shellcode. You can read their document at this location: www.lsd-pl.net/documents/asmcodes1.0.2.pdf.
Links to Sites
■ http://shellcode.org/Shellcode/—Numerous example shellcodes are presented, some of which are well documented.
■ http://nasm.sourceforge.net—nasm is an 80x86 assembler designed for portability and modularity. It supports a wide range of object file formats, including Linux a.out and ELF, COFF, Microsoft 16-bit OBJ, and Win32. It’s released under the LGPL license.
■ www.lsd-pl.net—Last Stage of Delirium’s website, which has numerous well written exploits, whitepapers, and even shellcode available for the taking. Kudos LSD…
Can I make FreeBSD/Linux shellcode on my Windows machine?
Yes. The assembler used in this chapter is available for Windows and the output doesn’t differ if you run the assembler on a Windows operating system or on a Unix one. nasm Windows binaries are available on the nasm Web site at http://nasm.sf.net.
■ http://www.labri.fr/Perso/~betrema/winnt/—This is an excellent site, with links to articles on memory management.
■ http://developer.intel.com/design/processor/—Intel’s Web site has assembly language guides (for instance, the Intel Software Developers’ Guide) with examples of assembly code and basic instruction. They are among the best reference manuals for assembly for Windows.
■ http://spiff.tripnet.se/~iczelion/tutorials.html—Another excellent resource for Windows assembly programmers. It has a good selection of tutorials.
■ http://board.win32asmcommunity.net/—A very good bulletin board where people discuss common problems with assembly programming.
References
■ www.safemode.org – Security demi-god Zillion’s exploits are located at Safemode.org. Zillion has a collection of excellent exploits that surely will add to any pen-test toolkit.
■ www.applicationdefense.com – ApplicationDefense has a collection of all exploits used in this book.
As an educational exercise, we recommend that you execute this exploit in combination with a DNS spoofing utility such as the one provided in the Dsniff package (http://naughty.monkey.org/~dugsong/dsniff/). See if you can leverage the information that Dsniff provides for target systems.
References
■ www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0763 – Mitre’s link to its CVE and CAN database for the CVE-2000-0763 vulnerability entry
■ www.securityfocus.com/bid/1585 – SecurityFocus vulnerability database link to its entry for this vulnerability
References
■ www.applicationdefense.com – All source code for Syngress’ Buffer Overflows book can be downloaded for free with proof of book purchase at ApplicationDefense.com
■ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0096 – Mitre has cataloged this vulnerability in its CVE database. This link will lead you to its entry.
■ http://www.securityspace.com/smysecure/catid.html?ctype=cve&id=CVE-2001-0096 – The Security Space web site entry has a list of references for the Frontpage vulnerability.
■ http://cvs.snort.org/viewcvs.cgi/snort/rules/webfrontpage.rules?rev=1.33 – Somewhat different from most of the other security links that are provided in this book but nonetheless useful, this link is to intrusion detection rules that will identify this attack being executed over a wired network.
References
■ http://curl.haxx.se/ – cURL resources can be downloaded from this URL. Try finding the exact point in the code that is exploited above.
■ www.perl.org – This site is the comprehensive Perl homepage. If by some strange coincidence your system does not have Perl installed, you can download it from here at no cost.
■ Lexical static code analyzers These tools usually have a set of “bad” patterns for which they are looking in the source code. Often they are simply looking for instances of frequently abused functions such as gets(). These tools can be as simple as grep or more complex, such as RATS (www.securesoftware.com/download_rats.htm), ITS4 (www.cigital.com/its4/), and Flawfinder (www.dwheeler.com/flawfinder/).
■ Semantic static code analyzers These tools not only look for “generic” cases of broken functions but also consider the context. For example, you can state that a buffer is 64 bytes long. Then if somewhere else in the program an out-of-bounds element of it is addressed, the tool will report this case as a possible bug. Among tools of this type is the SPLINT (www.splint.org) program. Compiler warnings can also be a good reference.
■ Artificial intelligence or learning engines for static source code analysis Application Defense Developer software identifies source code issues via multiple methods for over 13 different languages. These vulnerabilities are identified through a combination of lexical identification, semantic (also known as contextual) analysis, and an expert learning system. More information on the source code security suites can be found at www.applicationdefense.com.
■ Dynamic (execution-time) program tracers These are debugging tools used for detecting memory leaks, but they are also very handy in detecting buffer overflows of various kinds. These tools include Rational Purify (http://www-306.ibm.com/software/awdtools/purify/), Valgrind (http://valgrind.kde.org/), and ElectricFence (http://perens.com/FreeSoftware/).
■ Bug-specific binary auditing This process involves an analyzer application reading the compiled program and scanning it according to some heuristics, trying to find buffer overflows. This can be considered an analog to lexical or semantic analysis of source code, but at the assembly level. The most widely known program in this range is Bugscan (www.logiclibrary.com/bugscan.html).
And if a program has any instances of gets, it is vulnerable—fix it (replace gets with an input loop with appropriate checks) or somebody will exploit it.
The process we just described can be made a little easier by using some “grep on steroids” tools, also known as lexical analyzers. The following is the output from Flawfinder (www.dwheeler.com/flawfinder/):
As you can see, it is not very precise either. Other similar free tools include RATS (www.securesoftware.com/rats.php) and ITS4 (www.cigital.com/its4).
Lexical tools are not precise in general because they can catch only the simplest mistakes, such as the use of gets(). They cannot, for example, track the size of a buffer from the place where it is defined to the place where something is copied into it; this is where so-called semantic analysis comes into play.
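The advice above (replace gets with a checked input loop) in working code, as an added example that is not from the book or from Application Defense. The gets() pattern is shown in the comment as the "before"; read_line_bounded is the "after". The function names, the LINE_* result codes and the tmpfile()-based helper are constructed for this example, and the helper exists only so the reader can run the bounded loop offline over a fixed string.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for read_line_bounded (names constructed for this example). */
enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/*
 * Before: the pattern a lexical scanner such as Flawfinder flags on sight.
 *
 *     char name[64];
 *     gets(name);     no length is passed, so any input longer than 63
 *                     bytes runs off the end of name
 *
 * After: a bounded input loop. It never writes beyond buf[size - 1], always
 * NUL-terminates, and reports truncation instead of hiding it. When a line
 * does not fit, the rest of that line is drained so the next call starts on
 * a fresh line rather than on the tail of the oversized one.
 */
static int read_line_bounded(char *buf, size_t size, FILE *in)
{
    size_t n = 0;
    int c;

    if (size == 0)
        return LINE_EOF;            /* nowhere to store even the terminator */

    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 < size) {
            buf[n++] = (char)c;     /* room for this byte and the NUL */
        } else {
            /* buffer full: discard the remainder of this line */
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;
            buf[n] = '\0';
            return LINE_TRUNCATED;
        }
    }
    buf[n] = '\0';
    return (c == EOF && n == 0) ? LINE_EOF : LINE_OK;
}

/*
 * Helper (constructed for the example): feed an in-memory string through a
 * temporary file and return the result of reading line number `index`
 * (0-based) with read_line_bounded. tmpfile() keeps this to standard C only.
 */
static int read_line_from_text(const char *text, int index, char *buf, size_t size)
{
    FILE *f = tmpfile();
    int rc = LINE_EOF;
    int i;

    if (f == NULL)
        return LINE_EOF;
    fputs(text, f);
    rewind(f);
    for (i = 0; i <= index; i++)
        rc = read_line_bounded(buf, size, f);
    fclose(f);
    return rc;
}

/* Stand-alone demo: read lines from stdin into the 64-byte buffer used as
 * the example above, and reject any line that does not fit. */
int main(void)
{
    char name[64];
    int rc;

    while ((rc = read_line_bounded(name, sizeof name, stdin)) != LINE_EOF) {
        if (rc == LINE_TRUNCATED)
            fprintf(stderr, "rejected: input longer than %zu bytes\n", sizeof name - 1);
        else
            printf("accepted: %s\n", name);
    }
    return 0;
}
```

The point a semantic analyzer checks, and a lexical one cannot, is that the `size` argument matches the real capacity of `buf`; passing `sizeof name` at the call site, rather than a constant repeated elsewhere, keeps the two from drifting apart when the buffer is resized.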
Links to Sites
■ www.phrack.org Since issue 49, this site has had many interesting articles on buffer overflows and shellcodes. Aleph1's article “Smashing the stack for fun and profit” is in issue 49.
■ http://directory.google.com/Top/Computers/Programming/Languages/Assembly/x86/FAQs,_Help,_and_Tutorials/ Intel assembly language sources.
■ http://linuxassembly.org/resources.html Linux and assembler.
■ http://msdn.microsoft.com/visualc/vctoolkit2003/ Free Microsoft Visual C++ 2003 command-line compiler.
■ http://gcc.gnu.org/bugzilla/show_bug.cgi?id=11232 GCC stack allocation bug.
■ http://people.redhat.com/~mingo/exec-shield/ANNOUNCE-execshield Linux ExecShield.
■ www.logiclibrary.com/bugscan.html Bugscan.
■ www.splint.org SPLINT.
■ www.dwheeler.com/flawfinder/ Flawfinder.
Mailing Lists
■ http://securityfocus.com/archive/1 Bugtraq, a full-disclosure moderated mailing list for the detailed discussion and announcement of vulnerabilities: what they are, how to exploit them, and how to fix them.
■ http://securityfocus.com/archive/101 Penetration testing, a mailing list for the discussion of issues and questions about penetration testing and network auditing.
■ http://securityfocus.com/archive/82 Vulnerability development; allows people to report potential or undeveloped holes. The idea is to help people who lack expertise, time, or information about how to research a hole.
■ http://lists.netsys.com/mailman/listinfo/full-disclosure Full Disclosure, an unmoderated list about computer security. All other lists mentioned here are hosted on Symantec, Inc., servers and premoderated by its staff.
Double-Free Errors
Another possibility of exploiting memory managers in dlmalloc arises when a programmer makes the mistake of freeing a pointer that was already freed. This is a rare case, but it still occurs (see, for example, www.cert.org/advisories/CA-2002-07.html - CERT® Advisory CA-2002-07, Double Free Bug in the zlib Compression Library).
Fixing Heap Corruption Vulnerabilities in the Source
Hands-down the most powerful, comprehensive, and accurate tool for assisting developers in remediating potential security risks before software hits production is Application Defense’s Application Defense Developer software suite. The Application Defense product suite is compatible with over 13 different programming languages.
More information on pricing and free product demos for Application Defense can be found at www.applicationdefense.com.
Another tool for aiding with Windows heap-corruption issues is Rational’s Purify (www.rational.com), although it is not free. Free Linux tools are many, and we will illustrate the use of two of them: ElectricFence (http://perens.com/FreeSoftware/ElectricFence/) and Valgrind (http://valgrind.kde.org/).
Links to Sites
■ www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bhwin04-litchfield.ppt - Offers Windows heap corruption techniques.
■ http://lists.virus.org/darklab-0402/msg00000.html - Contains another Windows heap overflow tutorial.
■ www.phrack.org/phrack/61/p61-0x06_Advanced_malloc_exploits.txt - Offers advanced exploits for dlmalloc, with the view of automating exploitation; also contains further references.
■ www.math.tau.ac.il/~haimk/adv-ds-2000/sleator-tarjan-splay.pdf - Has theoretical backgrounds of trees used in System V malloc.
■ www.hpl.hp.com/personal/Hans_Boehm/gc/ - The Boehm-Weiser Conservative Garbage Collector can be found here.
■ www.ajk.tele.fi/libc/stdlib/malloc.3.html - Offers BSD Malloc, originally by Chris Kingsley.
■ www.cs.toronto.edu/~moraes/ - Go to this Web site to find CSRI UToronto Malloc, by Mark Moraes.
■ ftp://ftp.cs.colorado.edu/pub/misc/malloc-implementations - Visit this site for information on GNU Malloc by Mike Haertel.
■ http://g.oswego.edu/dl/html/malloc.html - Contains information on G++ Malloc by Doug Lea.
■ www.hoard.org/ - For information about Hoard by Emery Berger, visit this official Web site.
■ www.sdsu.edu/doc/texi/mmalloc_toc.html - mmalloc (the GNU memory-mapped malloc package) can be found here.
■ www.malloc.de/en/index.html - Offers ptmalloc by Wolfram Gloger.
■ ftp://ftp.cs.colorado.edu/pub/misc/qf.c - Site with QuickFit Malloc.
■ www.research.att.com/sw/tools/vmalloc/ - Vmalloc by Kiem-Phong Vo can be found here.
■ www.rational.com - The official site for Rational Purify.
■ http://perens.com/FreeSoftware/ElectricFence/ - The Web site for ElectricFence.
■ http://valgrind.kde.org/ - Visit this site to find out more about Valgrind.
What issues are there with FreeBSD's heap implementation?
It has its own memory allocator and is also exploitable. However, it is significantly more difficult than Linux. See for example a heap overrun in CVS (http://archives.neochapsis.com/archives/vulnwatch/2003-q1/0028.html) and notes on exploiting it in www.blackhat.com/presentations/bheurope03/BBP/bh-europe-03-bbp.pdf.
Links to Sites
■ www.phrack.org - Since issue 49, this site has had many interesting articles on buffer overflows and shellcodes. An article in issue 57, “Advances in Format String Exploitation,” contains additional material on exploiting Solaris systems.
■ http://msdn.microsoft.com/visualc/vctoolkit2003/ - Microsoft offers the Visual C++ 2003 command-line compiler for free.
■ www.logiclibrary.com/bugscan.html - Bugscan can be found here.
■ www.applicationdefense.com - Site for Application Defense Source Code Security Products.
■ www.splint.org - The Web site for SPLINT.
■ www.dwheeler.com/flawfinder/ - The Flawfinder Web site.
■ http://community.core-sdi.com/~gera/InsecureProgramming/ - Contains samples of vulnerable programs, usually with non-obvious flaws.
■ http://core-sec.com/examples/core_format_strings.pdf - Offers solutions to programs in the previous link.
■ http://community.core-sdi.com/~juliano/usfs.html - Has tons of format string vulnerabilities and related materials.
Spike fuzzer (www.immunitysec.com/resources-freesoftware.shtml) is a utility written by Dave Aitel of immunitysec which can be used to fuzz the data that has to be sent to the remote server.
Ollydbg (http://home.t-online.de/home/Ollydbg/) is a debugger for Microsoft Windows with a host of plug-ins that help you not only bypass anti-debugging features and search for a string through additional modules that are loaded along with an application, but also view the state of registers and the control flow of the program.
One of the main reasons for using Ollydbg is the “OllyUni Plugin” written by FX. This plug-in is available at www.phenoelit.de/win/. We’ll use this plugin in the next exploit.
Links to Sites
■ www.metasploit.com/—The Metasploit site has excellent information on shellcode with an exploit framework that can be used to build more exploits.
■ http://ollydbg.win32asmcommunity.net/index.php—A discussion forum for using Ollydbg. There are links to numerous plug-ins for Olly and tricks on using it to help find vulnerabilities.
■ www.securiteam.com/—A site with exploits and interesting articles, along with links posted on various hacker sites.
■ www.k-otik.com—Another site with an exploit archive.
■ www.xfocus.org—A site with various exploits and discussion forums.
■ www.immunitysec.org—A site with some excellent articles on writing exploits and some very useful tools including spike fuzzer.
References
■ www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656 – Mitre’s CVE and CAN database link to this particular OpenSSL bug entry
■ www.dsinet.org/textfiles/advisories/OpenSSL%20Security%20Alert%20-%20Remote%20Buffer%20Overflows.txt – OpenSSL Advisory Mirror
■ http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0656 – ICAT Metadatabase link ascertained from Mitre’s CVE information
References
■ www.securityfocus.com/bid/7002 – SecurityFocus vulnerability database link to its entry for this vulnerability
■ www.securiteam.com/exploits/5OP02209FO.html – Securiteam exploit database link to additional exploit code for an XLOCALEDIR vulnerability
References
■ www.applicationdefense.com – All source code for Syngress’ Buffer Overflows book can be downloaded for free with proof of book purchase at ApplicationDefense.com
■ http://securityresponse.symantec.com/avcenter/security/Content/6214.html – Symantec’s security advisory for the corresponding Microsoft MDAC vulnerability. It has an abundance of technical information in addition to other pertinent industry links.
A bit of history: ITS4 was the brainchild of John Viega (now CTO of Secure Software) and Gary McGraw (CTO of Cigital Inc.), who experimented to create a tool that could find functions in C that often have security implications depending on their usage. Information on Cigital’s ITS4 can be found at www.cigital.com.
Prexis is currently used by many large enterprises to investigate, repair, and validate the security of mission-critical applications on which their business relies. For more information on Prexis and Ounce Labs, visit www.ouncelabs.com.
Application Defense Snapshot answers the question from a pure security perspective by providing each application with a quantitative risk score. This risk score combined with the application’s business value equals its overall priority in the organization. Figure 9.1 is a screenshot of Application Defense Snapshot’s executive report. The table within the actual report has been converted to a Microsoft Word table due to the size of the report and visual limitations of a printed manuscript. Live example reports can be obtained at www.applicationdefense.com.
Links to Sites
■ www.securesoftware.com - The site of John Viega and his software security company, Secure Software. The freeware tool RATS is also available for download at this site.
■ www.fortifysoftware.com - Fortify Software's homepage contains the latest software security news, descriptions of available products, and support help for existing customers.
■ www.ouncelabs.com - Ounce Labs and its corresponding Prexis product can be found at this Web site.
■ www.dwheeler.com/flawfinder/ - This is David Wheeler's homepage, which has download links and tool information for Flawfinder.
■ www.cigital.com - The Cigital Web site is the home of the ITS4 freeware tool.
References
■ oss.coresecurity.com/projects/inlineegg.html – CORE Security Technologies’ homepage for their InlineEgg open source project. All source and code is freely available for download.
■ www.python.org – The Python Language’s homepage. Downloading and installing it is a prerequisite for the InlineEgg module to run.