x86-64 buffer overflow exploits and the borrowed code chunks - SuSE

More documents

Recommendations

Info

6 SINGLE WRITE EXPLOITS 8 6 Single write exploits The last sections focused on stack based overflows and how to exploit them. I already mentioned that heap based buffer overflows or format string bugs can be mapped to stack based overflows in most cases. To demonstrate this, I wrote a second overflow server which basically allows you to write an arbitrary (64-bit) value to an arbitrary (64-bit) address. This scenario is what happens under the hood of a so called malloc exploit or format string exploit. Due to overwriting of internal memory control structures it allows the attacker to write arbitrary content to an arbitrary address. A in depth description of the malloc exploiting techniques can be found in [8]. 1 #include 2 #include 3 #include 4 #include 5 #include 6 #include 7 #include 8 #include 9 #include 10 #include 11 #include 12 void die(const char *s) 13 { 14 perror(s); 15 exit(errno); 16 } 17 int handle_connection(int fd) 18 { 19 char buf[1024]; 20 size_t val1, val2; 21 write(fd, "OF Server 1.0\n", 14); 22 read(fd, buf, sizeof(buf)); 23 write(fd, "OK\n", 3); 24 read(fd, &val1, sizeof(val1)); 25 read(fd, &val2, sizeof(val2)); 26 *(size_t*)val1 = val2; 27 write(fd, "OK\n", 3); 28 return 0; 29 } 30 void sigchld(int x) 31 { 32 while (waitpid(-1, NULL, WNOHANG) != -1); 33 } 34 int main() 35 { 36 int sock = -1, afd = -1; 37 struct sockaddr_in sin; 38 int one = 1; 39 printf("&sock = %p system=%p mmap=%p\n", &sock, system, mmap); 40 if ((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0) 41 die("socket"); 42 memset(&sin, 0, sizeof(sin)); 43 sin.sin_family = AF_INET; 44 sin.sin_port = htons(1234); 45 sin.sin_addr.s_addr = INADDR_ANY; NO-NX 46 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); 47 if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
6 SINGLE WRITE EXPLOITS 9 48 die("bind"); 49 if (listen(sock, 10) < 0) 50 die("listen"); 51 signal(SIGCHLD, sigchld); 52 for (;;) { 53 if ((afd = accept(sock, NULL, 0)) < 0 && errno != EINTR) 54 die("accept"); 55 if (afd < 0) 56 continue; 57 if (fork() == 0) { 58 handle_connection(afd); 59 exit(0); 60 } 61 close(afd); 62 } 63 return 0; 64 } An exploiting client has to fill val1 and val2 with proper values. Most of the time the Global Offset Table GOT is the place of choice to write values to. A disassembly of the new server2 binary shows why. 0000000000400868 : 400868: ff 25 8a 09 10 00 jmpq *1051018(%rip) # 5011f8 40086e: 68 04 00 00 00 pushq $0x4 400873: e9 a0 ff ff ff jmpq 400818 When write() is called, transfer is controlled to the write() entry in the Procedure Linkage Table PLT. This is due to the position independent code, please see [2]. The code looks up the real address to jump to from the GOT. The slot which holds the address of glibc’s write() is at address 0x5011f8. If we fill this address with an address of our own, control is transfered there. However, we again face the problem that we can not execute any shellcode due to restrictive page protections. We have to use the code chunks borrow technique in some variant. The trick is here to shift the stack frame upwards to a stack location where we control the content. This location is buf in this example but in a real server it could be some other buffer some functions upwards in the calling chain as well. Basically the same technique called stack pointer lifting was described in [5] but this time we use it to not exploit a stack based overflow but a single-write failure. How can we lift the stack pointer? By jumping in a appropriate function outro. We just have to find out how many bytes the stack pointer has to be lifted. If I calculate correctly it has to be at least two 64-bit values (val1 and val2) plus a saved return address from the write call = 3*sizeof(u int64 t) = 3*8 = 24 Bytes. At least. Then %rsp points directly into buf which is under control of the attacker and the game starts again. Some code snippets from glibc which shows that %rsp can be lifted at almost arbitrary amounts: 48158: 48 81 c4 d8 00 00 00 add $0xd8,%rsp 4815f: c3 retq 4c8f5: 48 81 c4 a8 82 00 00 add $0x82a8,%rsp 4c8fc: c3 retq NO-NX
Page 1 and 2: x86-64 buffer overflow exploits and
Page 3 and 4: 3 ELF64 LAYOUT AND X86-64 EXECUTION
Page 5 and 6: 4 THE BORROWED CODE CHUNKS TECHNIQU
Page 7: 5 AND DOES THIS REALLY WORK? 7 That
Page 11 and 12: 6 SINGLE WRITE EXPLOITS 11 34 read(
Page 13 and 14: 7 AUTOMATED EXPLOITATION 13 A stack
Page 15 and 16: 7 AUTOMATED EXPLOITATION 15 When ru
Page 17 and 18: 8 RELATED WORK 17 32 read(sock, tri
Page 19 and 20: 11 CREDITS 19 11 Credits Thanks to

x86-64 buffer overflow exploits and the borrowed code chunks - SuSE

Create successful ePaper yourself

Delete template?

Save as template?