PA193 - Secure coding principles and practices
LABS: Language level vulnerabilities: Buffer overflow, type overflow, strings
•Petr Švenda, svenda@fi.muni.cz

Plan
•Information about the project, forming groups
•Fun with buffer overflow and memory layouts
•Analysis of disassembly
PA193 | LABS | BufferOverflow

PA193 - Buffer overflow, string vulnerabilities

    #define _CRT_SECURE_NO_WARNINGS   // MSVC: silence the deprecation warning on gets()
    #include <stdio.h>
    #include <string.h>

    // Note: GCC and MSVC use different memory alignment (and an MSVC debug build pads
    // locals with guard bytes), so the distance from passwd to userRights differs.
    // Try "12345678DevilEvecosia" as the password for the gcc build.
    // Try "1234567812345678Devil I am. Ha Ha" as the password for the MSVC debug build.
    void demoBufferOverflowData() {
        int unused_variable = 30;
    #define NORMAL_USER 'n'
    #define ADMIN_USER 'a'
        int userRights = NORMAL_USER;
    #define USER_INPUT_MAX_LENGTH 8
        char userName[USER_INPUT_MAX_LENGTH];
        char passwd[USER_INPUT_MAX_LENGTH];

        // print some info about variables (addresses of the locals on the stack)
        printf("%-20s: %p\n", "userName", (void *)userName);
        printf("%-20s: %p\n", "passwd", (void *)passwd);
        printf("%-20s: %p\n", "unused_variable", (void *)&unused_variable);
        printf("%-20s: %p\n", "userRights", (void *)&userRights);
        printf("\n");

        // Fill both buffers with recognisable bytes so they stand out in the memory window
        memset(userName, 1, USER_INPUT_MAX_LENGTH);
        memset(passwd, 2, USER_INPUT_MAX_LENGTH);

        // Get user name
        printf("login as: ");
        fflush(stdout);
        gets(userName);   // DELIBERATELY UNSAFE: no length limit, writes past the 8-byte buffer

        // Get password
        printf("%s@vulnerable.machine.com: ", userName);
        fflush(stdout);
        gets(passwd);     // DELIBERATELY UNSAFE: a long password runs into userName and userRights

        // Check user rights (set to NORMAL_USER and never changed anywhere in the code)
        if (userRights == NORMAL_USER) {
            printf("\nWelcome, normal user '%s', your rights are limited.\n\n", userName);
            fflush(stdout);
        }
        if (userRights == ADMIN_USER) {
            printf("\nWelcome, all mighty admin user '%s'!\n", userName);
            fflush(stdout);
        }

        // How to FIX: bounded reads. fgets() stores at most size-1 bytes and always
        // NUL-terminates; note that it keeps the trailing '\n' in the buffer.
        //memset(userName, 0, USER_INPUT_MAX_LENGTH);
        //fgets(userName, USER_INPUT_MAX_LENGTH, stdin);
        //memset(passwd, 0, USER_INPUT_MAX_LENGTH);
        //fgets(passwd, USER_INPUT_MAX_LENGTH, stdin);
    }

Setup
•Create a new Visual Studio 2015 project
–File -> New -> Project -> Visual C++ -> Win32 Console app
–Turn off 'Precompiled header' and 'SDL checks' (with /sdl the deprecated gets() is an error, not a warning)
•Paste BufferOverflow.cpp from IS in place of the project's main file
•Try to compile (disable the warning on the gets() function)
–#define _CRT_SECURE_NO_WARNINGS
•Insert a breakpoint (at the beginning of demoBufferOverflowData()) – F9
•Run the program in debug mode – F5
•Execute the next step of the program – F10
•Display memory
–Debug -> Windows -> Memory
–The program must be in a debugging session and running!

Introduction to C, 5 May 2014
demoBufferOverflowData(), annotated (same listing as above):
•Reading username and password (no length checking): gets(userName), gets(passwd)
•Printing information about the current user rights: the two if (userRights == ...) blocks
•Arrays with fixed length (will be overwritten): userName, passwd
•Variable containing the current access rights: userRights
•Helper output of the addresses of the local variables stored on the stack: the printf("%p") lines

PA193 - Buffer overflow, string vulnerabilities
Data in memory
[Figure bufferOverflow1: debugger memory window showing passwd, userName, userRights, unused_variable]

Running without malicious input
[Figure bufferOverflow_correct: memory window showing passwd and userName]

Running with malicious input – userName
[Figure bufferOverflow2]
•insert 'evil' into userName

Running with malicious input – passwd
[Figure bufferOverflow3]
•Insert '1234567812345678Devil I am. Ha Ha' into passwd
•The too-long password overflows userName and userRights

Running with attacker input – result
[Figure bufferOverflow_hacked]

Questions (debug mode)
•How are userName, passwd and userRights positioned in memory?
•How will you find the memory location (address) of the userRights variable?
•How many bytes do you need to write into the userName variable to change userRights?
•Can you get admin rights by changing userName only?

Questions (debug mode)
•Why does the program throw a debugger exception when finishing the function demoBufferOverflowData()?
•How was the program able to detect the memory corruption?
•Why are 0xcc bytes there? How can you type 0xcc into a terminal?
•Can you get admin rights without raising a runtime exception (memory around the userName variable corrupted) when leaving demoBufferOverflowData()?
•Where can you find the return address?
•What should the value of the return address be?
–Try right-click -> Go to Disassembly

Questions (release mode)
•Release mode, /GS on
–What is the memory layout compared to debug mode?
–Can you still execute the buffer overflow and change userRights?
–What is the value of the canary word?
•Release mode, /GS off
–What is the influence of /GS being disabled?
–What is the impact on the addresses of the variables?
–Can you become admin in Release? Why?

Lab – compiler protections
•GCC (e.g., Qt Creator) & MSVC (Visual Studio)
–list of compiler flags, release mode
•Compile the program with/without compiler protection
–bufferoverflowdemo.cpp::demoBufferOverflowData()
•download from IS materials
–return-pointer smash behaviour (crash, exception)
•Disassembly display of the resulting binary
–instruction-wise mode in the IDE (Visual Studio), OllyDbg
–existence of the canary word (function with/without GS buffer)
•Display the address of a variable, a function, ...
•run the program multiple times – memory randomization (ASLR)

Compiler flags
•Locate all flags discussed during the lecture
•Visual Studio project settings
•Observe the memory layout of the stack frame with and without the flag
–what is changing?
–what is missing?
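The listing and the debug-mode questions above both come down to the same arithmetic: an unbounded write starting in passwd or userName keeps going until it reaches the bytes of userRights. The C program below is an added example written for this page; it is not the course's BufferOverflow.cpp and not part of the original slides. It models the four locals as a struct whose field order is an assumption (chosen to match the gcc address printout, with no guard bytes, which is not what an MSVC debug build shows), so that the overwrite is deterministic and stays inside the struct instead of being undefined behaviour on the real stack. Next to the gets()-style copy it puts a bounded reader, read_line_bounded(), which also handles the two cases the slide's fgets() fix leaves open: an over-long line (truncate and drain the rest, so it cannot spill into the next prompt) and a line with no trailing newline at EOF. The struct name, function names and the little-endian assumption are all mine.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define USER_INPUT_MAX_LENGTH 8
#define NORMAL_USER 'n'
#define ADMIN_USER  'a'

/* ASSUMED layout (not a real stack frame): the same four locals in the order the
 * gcc build's %p output suggests, passwd lowest and userRights highest, with no
 * padding or guard bytes in between. Always confirm the real order from the
 * addresses the demo prints. */
struct login_frame {
    char passwd[USER_INPUT_MAX_LENGTH];
    char userName[USER_INPUT_MAX_LENGTH];
    int  unused_variable;
    int  userRights;
};

/* gets()-like copy: the length comes from the input, not from the destination.
 * Clamped to the end of the struct so the model itself stays well-defined. */
static void unchecked_copy(struct login_frame *f, size_t field_off, const char *src)
{
    size_t n = strlen(src) + 1;            /* gets() stores the terminating NUL too */
    size_t room = sizeof *f - field_off;
    if (n > room) n = room;
    memcpy((unsigned char *)f + field_off, src, n);
}

/* Bytes a write starting at field_off must cover before it reaches the first
 * (least significant on a little-endian machine) byte of userRights. */
size_t bytes_to_reach_rights(size_t field_off)
{
    return offsetof(struct login_frame, userRights) - field_off;
}

/* The vulnerable sequence (username first, then password) run on the model;
 * returns the resulting userRights. */
int rights_after_input(const char *userName, const char *passwd)
{
    struct login_frame f;
    memset(&f, 0, sizeof f);
    f.userRights = NORMAL_USER;
    unchecked_copy(&f, offsetof(struct login_frame, userName), userName);
    unchecked_copy(&f, offsetof(struct login_frame, passwd), passwd);
    return f.userRights;
}

enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

/* Bounded replacement for gets(): reads one line into buf (size bytes), strips
 * the newline, always NUL-terminates, and drains the remainder of an over-long
 * line so the excess cannot be consumed by the next prompt. */
enum read_status read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size) buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    /* No newline seen: either the line was cut short or EOF ended it. */
    enum read_status st = READ_OK;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        st = READ_TRUNCATED;
    return st;
}

/* Same login sequence with bounded reads: userRights can no longer be reached. */
int rights_after_bounded_input(FILE *in)
{
    struct login_frame f;
    memset(&f, 0, sizeof f);
    f.userRights = NORMAL_USER;
    read_line_bounded(f.userName, sizeof f.userName, in);
    read_line_bounded(f.passwd, sizeof f.passwd, in);
    return f.userRights;
}

int main(void)
{
    printf("offset of passwd     : %zu\n", offsetof(struct login_frame, passwd));
    printf("offset of userName   : %zu\n", offsetof(struct login_frame, userName));
    printf("offset of userRights : %zu\n", offsetof(struct login_frame, userRights));
    printf("bytes from passwd to userRights: %zu\n",
           bytes_to_reach_rights(offsetof(struct login_frame, passwd)));
    /* The slide's gcc password: 20 filler bytes, then 'a' lands in userRights. */
    printf("rights after the slide's password: '%c'\n",
           rights_after_input("", "12345678DevilEvecosia"));
    printf("Now type a username and a password, one per line:\n");
    printf("rights after bounded reads: '%c'\n", rights_after_bounded_input(stdin));
    return 0;
}
```

The model has no stack frame of its own, so it says nothing about canaries; to see the /GS-style protection from the lab slides on the real demo, build the original function twice with gcc, once with -fstack-protector-strong and once with -fno-stack-protector, and compare the disassembly of demoBufferOverflowData() for the canary load at entry and the call to __stack_chk_fail before the return.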
Compiler settings for /DEP and /ASLR
[Figure VS_CodeGenerFlags.png: Visual Studio code-generation project settings]

Deeper look into disassembly
[Figure VS_disassembly.png: Visual Studio disassembly window]

Deeper look into disassembly (cont.)

BinScope Binary Analyzer
•Download Microsoft SDL's BinScope
–https://blogs.microsoft.com/microsoftsecure/2012/08/15/microsofts-free-security-tools-binscope-binary-analyzer/
–https://www.microsoft.com/en-us/download/details.aspx?id=44995
•Run BinScope Binary Analyzer (cmd or GUI)
–binscope.exe
–binscope.exe /o results.xml targetApp.exe
•Run it on the binaries produced with different compiler settings
–/GS ...

Homework
•No homework this week, work on the parser project
–Implementation presentation by 13 Oct (in your seminar)
•What you should already have:
–Group formed and confirmed with me
–Format for parsing confirmed with me
–GitHub repository set up for the project
•and the link sent to me!

OPTIONAL: IF YOU LIKE TO HAVE MORE FUN!
Exploiting exercises
•Protostar image (http://exploit-exercises.com)
–pre-prepared virtual machine
–http://exploit-exercises.com/protostar (task description)
•Important: the site is currently not available, use this link instead:
–https://web.archive.org/web/20140922114755/http://exploit-exercises.com/protostar
–or protostar.zip in IS
•Login credentials: user / user; root / godmode
•Challenges are stored in the /opt/protostar/bin/ directory
–stack0-7
•Run them and supply malformed input that leads to a crash
•Think about how to fix the source code

Protostar virtual image with exercises
[Figure protostar.png]