Upload File

smashing the stack with hydra

22
SMASHING THE STACK WITH HYDRA Pratap Prabhu, Yingbo Song and Sal Stolfo Columbia University Intrusion Detection Systems Lab 1

Upload: pratap21

Post on 25-Jun-2015

1.503 views

Category:

Documents


3 download

Report

Tags:

DESCRIPTION

Presented this at DEFCON 17

TRANSCRIPT

Page 1: Smashing the stack with Hydra

SMASHING THE STACK WITH HYDRA

Pratap Prabhu, Yingbo Song and Sal Stolfo

Columbia University Intrusion Detection Systems Lab

1

Page 2: Smashing the stack with Hydra

Overview

•  Hydraisapolymorphicshellcodeengineforx86.

•  Goal:tobypasssignature,staAsAcal,andemulator‐basedIDS.

•  IntegratesseveralobfuscaAontechniquesintooneengine.Self‐cipher,staAsAcalmimicry,fork()code,andmore...

1 2

Page 3: Smashing the stack with Hydra

LOCALVARIABLE EIPLOCALVARIABLELOCALVARIABLE

Address of Calling function

INSTRUCTIONS

LOCALVARIABLE EIPLOCALVARIABLELOCALVARIABLEINSTRUCTIONS

NOPSLED PAYLOAD RETURNZONE

NOPSLED PAYLOAD RETURNZONE

“ret” jumps here

Overwrites EIP

2 3

Page 4: Smashing the stack with Hydra

PolymorphicShellcode

•  IDSsignatures:“\x90\x90\x90\x90”,“/bin/sh”

•  Useanencoderandcipherthepayloadwitharandomkey.

•  Doesn’tworkiftheIDScandetectthedecoder.

•  WhataboutstaAsAcalIDSwhichlooksatbytedistribuAons?

•  Networkemulator,anddynamicdisassembly‐basedIDS?

3 4

Page 5: Smashing the stack with Hydra

HydraFeatures

•  NOPinstrucAonsgenerator.•  RecursiveNOPsled.•  RandomizedregisterselecAon

andclearing.

•  RandomizedmulA‐layerciphering.

•  Inlinejunkcode/datainserAon.

•  MulA‐parAtedecoders.

•  MulA‐gramstaAsAcalmimicry.

•  Randomizedreturnzone.•  fork()’ingshellcode.•  Time‐lockedcipheringforanA‐

emulatorandanA‐disassembly.

•  Alphanumericencoding.

4 5

Page 6: Smashing the stack with Hydra

NOPSledObfuscaAon

•  NOPdoesn’thavetobe\x90.‘A’,‘B’,‘C’,..,’Z’allwork

•  Hydracontainsa“NOPgenerator”thatcanbuildalibraryofpossibleNOPinstrucAons.

•  Testmethod:

–  Addcodetosetupstack/registercanaryvariables.–  AddasledbuiltwithNOPinstrucAontobetested.–  AddvalidaAoncodetocheckstack/registervariables.–  Execute.

•  FindsNOPequivalentinstrucAons.5 6

Page 7: Smashing the stack with Hydra

NOPSledObfuscaAon

•  Notjustsingle‐byteNOPS.MulA‐byteNOPinstrucAonsbywayofrecursiveNOP.(Phrack,CLET)

•  Findall1‐byteNOPinstrucAonsbybrute‐force,thenfindtwo‐byteNOPswhere2ndbyteisaone‐byteNOP.Repeat.

•  LargerNOPinstrucAonrecursivelycontainssmallerNOPs.ExecuAoncanlandanywhereintheinstrucAon.

6 7

Page 8: Smashing the stack with Hydra

NOPSledObfuscaAon

•  HydrauAlizestwotypesofNOPinstrucAons.

1. BasicNOPequivalentinstrucAonswhichcanbeusedtobuildasledandsafelypassexecuAonintothepayload.

2. NOPswhichcanbesafelyinsertedbetweeninstrucAons.

•  Secondcase:“State‐safe”NOPsdonotcontaininstrucAonswhichmodifythestack,registers,controlflow,etc.

•  1.9MtotalNOPequivalentinstrucAonsfound.30,000state‐safeNOPs.

7 8

Page 9: Smashing the stack with Hydra

RandomregisteroperaAons

•  DifferentsynonymousinstrucAonsperinvocaAon.

•  HydraprovidesalargelibraryofsuchinstrucAonsandaplamormtoaddmore.

•  ForsomeoperaAons,thekeyusedisrandomlygeneratedtofurtherobfuscatethepayload.

Twoexamplewaystocleararegister

Method1:

movreg,<key>subreg,<key>

Method2:

pushdword<key>popregsubreg,<key>

8 9

Page 10: Smashing the stack with Hydra

MulA‐parAteDecoding

•  Hydrageneratesnon‐con)guousdecoders.

•  Thepaddeddecodercipherloopissplitapartandintermixedwiththeencodedpayload.

•  Currentlyonlybi‐parAtedecodingisimplemented:halfofthedecoderinstrucAonsareinfrontofthepayload,halfaperit.

•  DecoderinstrucAonsjumpbetweeneachotherwhiledecodingthepayload.

9 10

Page 11: Smashing the stack with Hydra

MulA‐LayerCiphering

•  MulAplecipheroperaAons,subsetsselectedatrandomperinvocaAon.Veryusefultechnique(ADMmutate,CLET,..)

•  RandomcipheroperaAons:ROR/ROL,XOR,ADD/SUB,etc…

•  CipherorderisrandomeachAme.

•  Arandomlychosen32‐bitkeyisgeneratedpercipher.

•  Sixroundsofcipheringbydefault–usercanspecifynumber.

10 11

Page 12: Smashing the stack with Hydra

InlineJunkCodeInserAon

•  HydraautomaAcallyaddsspacebetweeninstrucAons.Arbitrarydatacanbeinserted:

[instr1][junk][instr2][junk][instr3][junk][instr4]

•  Amountofdatatobeinsertedcanbespecified.

•  CaninsertNOPinstrucAons,anA‐disassemblycode,randomjunk,etc.Thecipherswillskiptheseareasduringdecoding.

•  CanalsoinsertcertainbytesforstaAsAcalmimicry.

11 12

Page 13: Smashing the stack with Hydra

StaAsAcalMimicry

•  StaAsAcalIDS–typicallyworkbylearningfrequenciesfornormalcontentthendetecAngexploitsasanomalies.

•  Hydrausesmachinelearning‐basedtechniquestomakeshellcodemimicnormaltraffic.

•  LearnastaAsAcalmodelforthedistribuAonofn‐gramswithinlegiAmatenetworkcontent.

•  SamplefromthisdistribuAon,andusepaddingandinlinepadding(junkinserAon)toskewthedistribuAonofshellcodetoappearnormal.

12 13

Page 14: Smashing the stack with Hydra

RandomizedAddressZone

•  Sequenceofrepeatedtargetaddresses.

•  Usedtooverwrites%ESPonthestacktopointtoNOPsled.

•  AnIDScanlookforastructuralsignaturesuchastheexistenceofNOPinstrucAonsandrepeatednumbers(sled+returnzone.)

•  Breaksignaturesbyaddingrandomoffsetstoeachaddresselementinthereturnaddresszone.

14 1414

Page 15: Smashing the stack with Hydra

Time‐CipherShellcode

•  EmulatorIDS?Buildstrippeddownx86emulatoranddynamicallyexecuteALLnetworktraffic.Lookforself‐decrypAonbehaviorand/orlargebasicblocks.

•  SoluAon?Usesyscall‐basedciphering.Exploitthefactthatemulatorscan’thandlefullOSfuncAonality.

•  HydrausestheAme()syscall.MostsignificantbitsusedaskeytodecodethemaincipherinstrucAons(ROR,XOR,etc).

•  Syscallnothandled?Timerunsout?Shellcodeisdecodedincorrectly–nopolymorphicbehaviorisobserved.

15

Page 16: Smashing the stack with Hydra

Time‐CipherShellcode

•  Goodforauser‐definedperiodofAme.Usercanadjustthe“shell‐life”windowbythenumberofbitsused.

•  NetworkIDScan’temulateallpossiblesyscalls.

•  Time‐cipheredshellcodewillpassthroughtheemulatorsandarriveonthetargethostwherethesyscallscanbehandled.

•  Bypassessomeemulatoranddisassemblybasedmethods,andslowsdownhumanreverseengineers.

16

Page 17: Smashing the stack with Hydra

ForkingShellcode

•  Exploitcouldcausethetargetprocesstohang.Notgood–couldbepickedupbyanIDS.Gracefulrecovery(SkylerCanSecWest’09.)

•  SoluAon:fork()’ingshellcode.Childexecutespayload,parenta1emptstorecovertheexploitedprocess.

•  Recoveryishard–correct%EIPisnormallylostduringexploit.

•  Needtoknowtargetprocessaddressspace–relaAveoffset.

•  Hydrafork()syourshellcodeforyouautomaAcally.17 17

Page 18: Smashing the stack with Hydra

AlphanumericEncoding

•  Hydraalsoincorporatesthealpha2encoder.

•  AutomaAcallyselectsalphanumericNOPsfromtheNOP‐generatortoconstructsled.Choiceofmorethan4000ASCIIinstrucAons.

•  AlphaNOPsareinsertedinbetweendecoderinstrucAonsandshellcodetofurtherobfuscatebothcontentandsize.

•  ModularnatureoftheengineallowstheAlphaencodingtocombinewithalloftheotheropAons.

18

Page 19: Smashing the stack with Hydra

NOPSLED PAYLOAD RETURNZONE

Traditional shellcode:

Hydra shellcode:

RECURSIVESLED

PAYLOAD

RandomizedRETURNZONE

DECODERMimicryBytes

MimicryBytesPAYLOAD

DECODER

Time‐lockCipherFork()

MimicryBytes

MimicryBytes

•  Hydra is designed to be modular.

•  Shellcode and mimicry bytes intermixed.

•  Only ciphers shellcode instructions, mimicry bytes kept in the clear.

ALPHADECODER

19

Page 20: Smashing the stack with Hydra

DEMO

20

Page 21: Smashing the stack with Hydra

THANKYOUDEFCON

Codetobereleasedinthefuture.

PratapPrabhu([email protected])YingboSong([email protected])SalvatoreStolfo([email protected])

21

Page 22: Smashing the stack with Hydra

•  Hydraaccept“trainingsamples”fornormaldataandlearnsmodelsfornormaltraffic.

•  Inline‐padshellcodetomakeitlookstaAsAcallysimilar.

StaAsAcalMimicry

Song, et al. Machine Learning Journal. 2009.

Markov chains and Monte-Carlo simulation.

13 22


Buffer Overflow ou Stack Overrun ou Stack smashing

Smashing the Stack in 2011 | my 20%dbrumley/courses/18487-f15/reading/Ma… · Smashing the Stack in 2011 January 25, 2011 Recently, as part of Professor Brumley‘s Vulnerability,

Buffer Overflows - Swarthmore CollegeClassic Security Vulnerability •“Smashing The Stack For Fun And Profit” … Older stack frames. … Caller’s local variables. Final Argument

Buffer Overflow Attackscshen/367/notes/Buffer Overflow.pdf · 2016. 2. 9. · Stack Buffer Overflow • Occur when buffer is located on stack – also referred to as stack smashing

Stack Smashing as of Today - Black Hat Briefings

Stack smashing

Stack Smashing Vulnerabilities in the UNIX Operating System

Smashing The Stack - University of RichmondSummer 2017 Roadmap 1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph

Stack Smashing Protector - Hackito Ergo Sum · 2010. 4. 16. · Stack Smashing Protector Paul Rascagneres (aka RootBSD) - - Licensed Beerware – HES2010 1. Introduction - GCC extension

Smashing The Stack For Fun And Profit Aleph One

Smashing the Stack Overview The Stack Region Buffer Overflow Shell Program Notes Avoiding Buffer Overflows Conclusion

openbsd - Inertia Warinertiawar.com/openbsd/hawkes_openbsd.pdf3 SSP/ProPolice Stack Smashing Protector adopted by OpenBSD to provide stack frame canaries SSP also rearranges stack

Smashing the Stack for Fun and Profit

Smashing the Stack

Functions, Varargs, and Stack Smashing

Smashing the stack for fun and profit

Smashing The Stack For Fun And Profit Aleph One - …staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/smashing...Smashing The Stack For Fun And Profit Aleph One [email protected]

Stack&Smashing& Attacks - George Mason Universityastavrou/courses/ISA_564_F15/... · This&won’t&work&today • The$attack$described$is$a$classical$stack$smashing$attack$which$then$

Windows Exploitation Smashing the Stack - hitz#7

Buffer overflow and stack smashing attacks Principles of application software security

Smashing the Stack in 2011 | my 20%rdriley/487/papers/Makowski_2011... · 2019. 5. 30. · Smashing the Stack for Fun and Profit article which had originally appeared in Phrack and

Smashing The Stack For Fun And Profit - EECS @ Michigan · Smashing The Stack For Fun And Profit by Aleph One [email protected] `smash the stack` ... Intel x86 CPU, and that

CS 6V81-05 - Smashing the Stack in 2011 - The University of Texas

Buffer Overflows and Defenses - Rutgers University...Stack Buffer Overflow occurs when buffer is located on stack used by Morris Worm “Smashing the Stack” paper popularized it

CS 201 Stack smashing. – 2 – Stack smashing (buffer overflow) One of the most prevalent remote security exploits 2002: 22.5% of security fixes provided

An Introduction to Full-Stack JavaScript _ Smashing Coding

Smashing The Stack For Fun And Profit Aleph Oneparisi/Risorse/stack_smashing.pdf · A stack is an abstract data type frequently used in computer science. A stack of objects has the

VoIPER: Smashing the VoIP stack while you sleep

Buffer overflow – Smashing The Stack

Offensive cyber security: Smashing the stack with Python

Stack Smashing Vulnerabilities in the UNIX Operating …web.eecs.umich.edu/~aprakash/security/handouts/Stack_Smashing...Stack Smashing Vulnerabilities in the UNIX Operating System

Smashing the stack for fun and fun - Ensimag

CS 201 Stack smashing

HITB LAB: ARM Exploitation Lab (Part 1) · Stack Smashing! • AlephOne’s 1996 Smashing the Stack for Fun and Profit [1] and DilDog’s The Tao of Windows Buffer Overruns [2] are

Smashing The Stack For Fun And Profit Aleph One Introduction