Difference between revisions of "Summerschool Aachen 2004/Programming Errors Lab"

From C4 Wiki
Jump to: navigation, search
(Exploiting Buffer Overflows)
Line 3: Line 3:
 
==Notes from the Lab Session==
 
==Notes from the Lab Session==
  
Solution for case 1a:
+
===Solution for case 1a===
  
 
* use gdb to get the address of buf
 
* use gdb to get the address of buf
Line 15: Line 15:
  
 
==Notes from Presentations==
 
==Notes from Presentations==
 +
 +
===Metasploit===
  
 
[http://www.metasploit.com/ Metasploit] is a nice repository for shellcode, UNIX as well as Windows.
 
[http://www.metasploit.com/ Metasploit] is a nice repository for shellcode, UNIX as well as Windows.
Line 20: Line 22:
 
-- [[Lisa Thalheim]]
 
-- [[Lisa Thalheim]]
  
==Example vulnerability on the SRCF==
+
===Example vulnerability on the SRCF===
  
 
As I think I mentioned, the [http://www.srcf.ucam.org/ SRCF] has a big
 
As I think I mentioned, the [http://www.srcf.ucam.org/ SRCF] has a big
Line 59: Line 61:
 
--[[Steven Murdoch]]
 
--[[Steven Murdoch]]
  
==Exploiting Buffer Overflows==
+
===Exploiting Buffer Overflows===
  
 
When I tried to exploit buffer overflows like case 1 on my Fedora Core 2 system
 
When I tried to exploit buffer overflows like case 1 on my Fedora Core 2 system

Revision as of 22:54, 22 September 2004

Presentation Summary

Notes from the Lab Session

Solution for case 1a

  • use gdb to get the address of buf
  • print 20 no-ops (0x90) into a file
  • append the shellcode (e.g. from packetstorm) to that file
  • fill that file to 104 bytes
  • append the address of buf to that file
  • run ./case1a "`cat $file`" and voila!

--Alexander Becher

Notes from Presentations

Metasploit

Metasploit is a nice repository for shellcode, UNIX as well as Windows.

-- Lisa Thalheim

Example vulnerability on the SRCF

As I think I mentioned, the SRCF has a big problem allowing so many users to run CGI and PHP scripts on our webserver. We try to limit the number of insecure scripts by looking for old versions of vulnerable software, but we do not have the resources to check whether user-written scripts are exploitable. What we try to do is stop one user's script from interfering with other user's scripts, and stop attackers from being able to escalate a exploitable CGI into a root exploit.

This approach does not always work and there have been two successful root compromises since 2000. The first was simply getting a user shell using an exploitable CGI (Ikonboard). The attacker then used a ptrace exploit to get root. This was before a patch to the vulnerability has been released. They then installed the SuKIT rootkit.

The more interesting one was where the attacker used site-specific knowledge to get root. It is likely he used a vulnerable CGI to look around the system. What he noticed is that one other vulnerable CGI was written by an ex-sysadmin and so could get access to that account. While that user did not have root access, he did own one old file which was processed by a cron job. This cron job ran as root and did not check for shell metacharacters in the input file (since it was meant to only be written to by sysadmins). The attacker embedded a command in the input file so as to create a root shell when it was processed by the cron job. Fortunately we stopped tha attack before any harm could be done, and we also captured a list of commands he entered. In reaction to this attack we introduced two new policies. Firstly all scripts run as root were audited to ensure that no files writable by non-root users were opened. Secondly each system administrator had a new account created, which was isolated from their normal account, and that could not run CGIs.

--Steven Murdoch

Exploiting Buffer Overflows

When I tried to exploit buffer overflows like case 1 on my Fedora Core 2 system I noticed some difficulties. First of all, the place for the local variables on the stack is significantly larger than it was declared in the source file. This is a problem if you want to exploit off-by-one programming errors, because you are not able to overwrite something usefull. The second thing I noticed was even worser. Normally, all memory offsets of local stack variables stay at the same place, even if you restart the program. Of course it depends on the input, but I used the same arguments and the offsets were allways different. It was the Gnu C Compiler that troubled my day. Since version 3.0 Gnu changed the memory alignment of the compiler, but i don't know the details. Because Sami had still the older GCC 2.9 on his system, we started trying to exploit the buffer overflows on his system. We were succesfull with Case 1 and tried Case 2 until it was too late to think any further. Yes, days are getting shorter ;)

--Feanor 22:34, 22 Sep 2004 (CEST)