Cyber Attacks & Defense
Week 7: Misc Attacks
What We Have Learned
• Week1: Basic reverse engineering
• Week2: Buffer Overflow -> Control-flow Hijacking
• Week3: Writing Shellcode
• Week4: StackCookie, ASLR, and DEP
• Week5: Return-oriented Programming
• Week6: Arbitrary Read/Write, Format String Vulnerability
Attack Strategy
• Arbitrary Write
  • Overwrite control data
    • Return address
    • Function Pointer
    • Global Offset Table
• Buffer Overflow
  • Sequential Write (a case of arbitrary write)
Defense/Attack Strategy
• StackCookie
  • Place a random number right before the control data on the stack
  • The cookie is smashed before control data is modified
• Attack
  • Leak stack cookie directly -> apply that in your attack payload
  • Leak stack cookie via side-channel attack (byte-granular guessing)
  • Non-sequential buffer overflow -> directly overwrite return address
Defense/Attack Strategy
• Data Execution Prevention
  • You cannot execute on stack/heap data
  • Code is fixed
• Launch Code-reuse Attack
  • Re-use functions in libc (execve, system, etc.)
  • Return-oriented programming
    • Pop-pop-ret..
Defense/Attack Strategy
• Address Space Layout Randomization (ASLR)
  • Randomize address space
  • Attackers don’t know where the functions/gadgets are
• Information Leak attack
  • Relative offsets between pointers are fixed
  • Sequential leak
  • Arbitrary read
  • Leak Stack (code address, stack address, heap address)
  • Leak GOT (libc address)
Attack Techniques
• Buffer overflow – return address overwriting
• Buffer overflow – frame pointer overwriting
• Buffer overflow – Index manipulation
• Sequential read – Leaking Stack Contents
• Arbitrary read – Leaking libc address from GOT
• Arbitrary write – Overwriting GOT entries
• Format String attack – Using it as SR/AR/AW primitives
Week 7: Apply Techniques Learned
• You have learned many cyber ninja skills
  • Week1 – Week6 challenges made you strong
• Test yourself with challenges in Week7
  • 11 challenges
• Required skills are a combination of
  • Reverse engineering
  • Basic UNIX system knowledge
  • What you learned from Cyber Attacks/Defense until now
0-run-command
• Can you run your command (maybe, cat flag?) in my secure directory listing system?
0-run-command
• Code
• system() runs commands in /bin only (cat flag!)
• What’s check_input?
0-run-command
• Code
• Bad characters: ./;|&`…
• Can you inject your command, cat flag to system()?
1-guess-my-random
• Can you guess the random number in my secure random checker?
• Don’t guess the random, exploit the buffer overflow vulnerability!
• Where is it???
2-one-format-string
• You have only one chance to launch a format string attack
• Naturally, there is no buffer overflow vulnerability in the code
2-one-format-string
• Can you
  • 1) Launch the Format String Attack to collect required information for your exploit?
  • 2) Launch the Format String Attack (at the same time as 1) to alter the ‘size’ of the read, to create a buffer overflow vulnerability?
  • 3) Launch the buffer overflow attack based on the information that you collected from 1?
3-2048
• 2048 game
Are you good at 2048??
Then, show me your skills!
3-2048
• Code
• Can you get the score over 3932156?
Good luck!
4-where-to-jump
• The program runs the address that you typed!
• Where do you want to jump? 1 jump to rule them all!
• NO executable stack!
• Think creatively!!!
5-get-flag-without-write-nor-exec
• Seccomp-BPF
  • https://www.kernel.org/doc/html/v4.16/userspace-api/seccomp_filter.html
• It only allows the following system calls:
  • open/read/lseek/exit_group/exit
  • No write, no execve
• Can you leak the flag content?
  • Refer to README!
6-deprivileged
• It has a buffer overflow vulnerability, but it is deprivileged
• Can you still read the flag? (Yes you can…)
7-tocttou
• The program checks if the file is ‘yours’, opens it, and prints its contents
• Can you read the flag?
• By exploiting the gap in
  • Time of Check (ToC)
  • To
  • Time of Use (ToU)
  • TOCTTOU!
8-caffeinated-tocttou
• 3 seconds were too long for 7-tocttou
• So I injected some caffeine into the program
• Can you still read the flag?
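The check-then-open pattern that 7-tocttou and 8-caffeinated-tocttou describe, next to a form that leaves no gap between check and use, however short the window is made. This is an added example, not the challenge's code; the function names and the stat()-based ownership check are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Racy (assumed shape of the check): the path is resolved twice, and the
 * name can point at a different file by the time open() runs. */
int open_if_owned_racy(const char *path, uid_t owner)
{
    struct stat st;
    if (stat(path, &st) != 0 || st.st_uid != owner)  /* time of check */
        return -1;
    return open(path, O_RDONLY);                     /* time of use */
}

/* Hardened: resolve the path once, then check the object actually opened.
 * fstat() describes the descriptor, so renaming or relinking the path
 * afterwards cannot change the answer. O_NOFOLLOW rejects a symlink as the
 * final path component. */
int open_if_owned_safe(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    char buf[4096];
    ssize_t n;
    /* Real UID stands in for "yours" (assumption). */
    int fd = argc > 1 ? open_if_owned_safe(argv[1], getuid()) : -1;
    if (fd < 0) {
        fprintf(stderr, "refused\n");
        return 1;
    }
    while ((n = read(fd, buf, sizeof buf)) > 0)
        fwrite(buf, 1, (size_t)n, stdout);
    close(fd);
    return 0;
}
```

Shortening the delay between check and use only narrows the window; checking the opened descriptor removes it.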
9-guess-passwd
• Can you bypass my super-secure password check program?
• You cannot read the file
• PASSWD is definitely not “000000000000….”
• Observe the ‘time’
a-rop-static
• This is a very small program (1672 bytes)
• Contains a buffer overflow vulnerability
a-rop-static
• You can call
  • read()
  • write()
  • exit()
  • puts()
  • main()
  • strlen()
  • _start
• Can you run execve("/bin/sh", 0, 0)?