SlideShare a Scribd company logo

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

sanghwan ahn
sanghwan ahn

The document discusses system hacking and reverse engineering techniques. It provides an introduction to vulnerabilities and types of vulnerabilities. The document outlines two tracks - the first introduces bugs, crashes, vulnerabilities, exploitation and defense mechanisms. The second track discusses different types of vulnerabilities like buffer overflows, format string bugs, and use-after-free vulnerabilities. It explains the principles and exploitation of stack and heap overflows.

1 of 87
Downloaded 129 times
System Hacking & Reverse Engineering [Introduction to Vulnerability & Type of Vulnerability] documented by h2spice h2spice@gmail.com
Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
목차 커리큘럼 소개 Track1 - Introduction to Vulnerability Bugs Crashes Vulnerability Exploitation Defense Mechanism Track2 - Type of Vulnerability Buffer Overflow Stack Heap Integer Format String Use After Free
시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
Track1. Introduction to Vulnerability
Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
About Bugs 알수없는 에러 혹은 소프트웨어 설계상의 실수로부터 발생 예상하지 못한 동작 혹은 결과를 유발 버그로 부터 크래쉬가 발생 버그의 종류 논리적인(Logical) 버그 문법적인(Syntax) 버그 리소스 (Resource) 버그 ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
About Crashes 소프트웨어 크래쉬 정상적이지 않은 명령어 실행 (Invalid instruction execution) 특정 권한을 필요로하는 명렁어 실행 (Privileged instruction execution) 정상적이지 않은 메모리 역참조 (Dereference of invalid memory) 운영체제/ 커널 크래쉬 BSOD (Blue Screen of Death) 복구 불가능한 크래쉬(Non-recoverable) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the vulnerability ? 정의 ( from Wikipedia) 컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진 공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점 (eg. execution of arbitrary code , bypass security mitigation, etc) 사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험 성 악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한 동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다. 취약점의 예 버퍼 오버플로우 (Stack, Heap, Integer) 포맷스트링 (Format String) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ Total Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ High Severity Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
Type of vulnerability 버퍼 오버플로우 (Buffer Overflow) 스택 오버플로우 (Stack Overflow) 힙 오버플로우 (Heap Overflow) 정수형 오버플로우 (Integer Overflow) 포맷 스트링 (Format String Bug) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the exploitation 소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생 흐름 제어 (Control hijack) 서비스 거부 (DOS: Denial-of-Service) 정보 유출 (Information Leakage) 소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격 소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인 (일반적으로 사용자 입력값으로 부터 흐름제어 가능) 공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어 Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
What is the exploitation 일반적인 보호 메커니즘(Common defense mechanisms) 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization) 데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) ... 보호 메커니즘 우회 (Bypass defense mechanisms) 무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got) 데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
Track2. Type of Vulnerability
Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
What is the Buffer Overflow C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다 더 큰 데이터를 기록함으로써 발생 운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생 high address Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
What is the Stack Overflow 스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다. int main(int argc, char* argv[]) { char buf[8]; strcpy(buf,argv[1]); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Principle of Stack Overflow char buf[8]; strcpy(buf,argv[1]); argv[1] = “AAAAAAA” A A A A A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 8바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
What is the Heap Overflow 힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복 사되어질 때 발생합니다. int main(int argc, char* argv[]) { char *buf buf = malloc(4); memcpy(buf,argv[1],size); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Principle of Heap Overflow buf = malloc(4); memcpy(buf,argv[1],sizeof(argv[1])); argv[1] = “AAA” A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 4바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Heap Layout Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two chunks, of which the first is free for allocation Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size unused Chunk FD (pointer to the next free chunk) BK (pointer to the pref free chunk) Unused Prev_size size Data[4] High Address Prev_In Use bit Chunk1 0
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
What is the Integer Overflow it occurs when the operation result stored is bigger than permissible range it occurs when the operation result stored is smaller than permaissible range it occurs in the operation process difficulty in detecting, so massive code analysis is needed 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0 20000 30000 -15536 + it is a negative number since it is interpreted as a sign bit Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Example of the Integer Overflow Output 1 - The normal case Output 2 - Integer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ declare variable (signed/unsigned type, static buffer) Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ get size of user input data and then, print size Output 1 - The normal case
Example of Integer Buffer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } check size of user input data (code to prevent buffer overflow) Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ Output 2 - Integer Overflow copy user input data to buffer type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ and then print user input data Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ if variable signed type stored in big data, will occur integing overflow Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ because type2 it has been set negative number, to bypass code that prevent buffer overflow Output 1 - The normal case
Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ as a result, occur stack buffer overflow
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free printf(buf);
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability occurs when user input data is used as format string) Collect Usage : printf(“%s”, argv[1]); Dangerous Usage : printf(arvg[1]); 임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to read & write arbitrary memory space) 정적 분석 도구를 이용하여 탐지 가능(Can be detected by Static Analysis Tools) But still show up in many competition or software
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free Format String / Parameter Description %d 정수형 10진수 상수 (integer) %f 실수형 상수 (float) %lf 실수형 상수 (double) %c 문자 값 (char) %s 문자 스트링 ((const)(unsigned) char *) %u 양의 정수 (10 진수) %o 양의 정수 (8 진수) %x 양의 정수 (16 진수) %s 문자열 %n * int (쓰인 총 바이트 수) %hn %n의 반인 2바이트 단위
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %x
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string when user input data is used as Format String
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free ………
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%x” low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Hey! where is argument about Format string “%x”
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ?
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ? we don’t have enough time do as you usually do !
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf ESP printf( ) 호출시 인자값 인자들은 스택에 적재되 low address 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 printf( ) 호출시 인자값 인자들은 스택에 적재되 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+16 ESP+12 ESP+8 ESP+4
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 Point1. We can read the arbitrary memory space
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%n” low address ESP
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP ………
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?!
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?! %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 4개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( is it length of the string ?)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 9개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( it is length of the string !)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address) Point2. We can write the arbitrary memory space
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What about it ? What do you want me to do ?
Track2. Type of Vuln How do we make use of this ? Buffer Overflow Stack Heap Integer Format String Use After Free 버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다. But ? 포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작 할 수 있다. (번거롭고 골치아프다) ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할 수 있다. GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할 수 있다.
Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free It’s my prey
Track2. Type of Vuln What is the Use After Free ? Buffer Overflow Stack Heap Integer Format String Use After Free not occurs crash but, there are vulnerability 논리적인 취약점 (Logical Vulnerability) 할당 -> 사용 -> 해제 -> 사용 (Malloc -> Use -> Free -> Use) 크래쉬가 발생하지 않음 (but not occurs crash)
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
What is Exploitable Crash ? mov eax,dword ptr [esi+0Ch] mov eax,dword ptr [ecx] mov edx,dword ptr [eax+5Ch] call edx
Thank You :)

Recommended

System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIPSystem Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
sanghwan ahn
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
sanghwan ahn
 
A Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They DoA Stealthy Stealers - Spyware Toolkit and What They Do
A Stealthy Stealers - Spyware Toolkit and What They Do
sanghwan ahn
 
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterExploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 Egghunter
Ajin Abraham
 
Code Vulnerabilities & Attacks
Code Vulnerabilities & AttacksCode Vulnerabilities & Attacks
Code Vulnerabilities & Attacks
Marcus Botacin
 
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Maksim Shudrak
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
sanghwan ahn
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
JinbumPark
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
Mr. Vengineer
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-drivers
yushiang fu
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?
Mr. Vengineer
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow null
nullowaspmumbai
 
Buffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh SharmaBuffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)
Patricia Aas
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
Hacks in Taiwan (HITCON)
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
Simen Li
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
Sumit Kumar
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
phanleson
 
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveArduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Howard Lewis Ship
 
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
sanghwan ahn
 

More Related Content

What's hot (20)

Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
JinbumPark
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
Mr. Vengineer
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-drivers
yushiang fu
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?
Mr. Vengineer
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow null
nullowaspmumbai
 
Buffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh SharmaBuffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)
Patricia Aas
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
Hacks in Taiwan (HITCON)
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
Simen Li
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
Sumit Kumar
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
phanleson
 
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernelLeak kernel pointer by exploiting uninitialized uses in Linux kernel
Leak kernel pointer by exploiting uninitialized uses in Linux kernel
JinbumPark
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
Alexandre Moneger
 
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
RISC-V : Berkeley Boot Loader & Proxy Kernelのソースコード解析
Mr. Vengineer
 
ch6-pv2-device-drivers
ch6-pv2-device-driversch6-pv2-device-drivers
ch6-pv2-device-drivers
yushiang fu
 
Intel Nervana Graph とは?
Intel Nervana Graph とは?Intel Nervana Graph とは?
Intel Nervana Graph とは?
Mr. Vengineer
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
DefconRussia
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
Alexandre Moneger
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow null
nullowaspmumbai
 
Buffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh SharmaBuffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh Sharma
n|u - The Open Security Community
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 
Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)Software Vulnerabilities in C and C++ (CppCon 2018)
Software Vulnerabilities in C and C++ (CppCon 2018)
Patricia Aas
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
Alexandre Moneger
 
Efficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native EnvironmentsEfficient System Monitoring in Cloud Native Environments
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)The Anatomy of an Exploit (NDC TechTown 2019)
The Anatomy of an Exploit (NDC TechTown 2019)
Patricia Aas
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
Ctf hello,world!
Ctf hello,world! Ctf hello,world!
Ctf hello,world!
Hacks in Taiwan (HITCON)
 
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
[ZigBee 嵌入式系統] ZigBee 應用實作 - 使用 TI Z-Stack Firmware
Simen Li
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
Sumit Kumar
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
phanleson
 

Viewers also liked (18)

Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveArduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Howard Lewis Ship
 
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
sanghwan ahn
 
kiến trúc máy tính và hợp ngữ Bài 00
kiến trúc máy tính và hợp ngữ Bài 00kiến trúc máy tính và hợp ngữ Bài 00
kiến trúc máy tính và hợp ngữ Bài 00
Nhóc Nhóc
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 
Buffer overflow(bao cao)
Buffer overflow(bao cao)Buffer overflow(bao cao)
Buffer overflow(bao cao)
phanleson
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Bach Khoa Da Nang
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
CODE BLUE
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
Jonathan Salwan
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
Bug Hunting with Media Formats
Bug Hunting with Media FormatsBug Hunting with Media Formats
Bug Hunting with Media Formats
Russell Sanford
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
Siddharth Bhattacharya
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
Cysinfo Cyber Security Community
 
Oracle ASM Training
Oracle ASM TrainingOracle ASM Training
Oracle ASM Training
Vigilant Technologies
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
Sam Bowne
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Rand rr1751
Rand rr1751Rand rr1751
Rand rr1751
Andrey Apuhtin
 
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd PerspectiveArduino: Open Source Hardware Hacking from the Software Nerd Perspective
Arduino: Open Source Hardware Hacking from the Software Nerd Perspective
Howard Lewis Ship
 
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
System Hacking Tutorial #4 - Buffer Overflow - Return Oriented Programming ak...
sanghwan ahn
 
kiến trúc máy tính và hợp ngữ Bài 00
kiến trúc máy tính và hợp ngữ Bài 00kiến trúc máy tính và hợp ngữ Bài 00
kiến trúc máy tính và hợp ngữ Bài 00
Nhóc Nhóc
 
Exploit Frameworks
Exploit FrameworksExploit Frameworks
Exploit Frameworks
phanleson
 
Buffer overflow(bao cao)
Buffer overflow(bao cao)Buffer overflow(bao cao)
Buffer overflow(bao cao)
phanleson
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Bach Khoa Da Nang
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
CODE BLUE
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
Lyon Yang
 
Course lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented ProgrammingCourse lecture - An introduction to the Return Oriented Programming
Course lecture - An introduction to the Return Oriented Programming
Jonathan Salwan
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
Bug Hunting with Media Formats
Bug Hunting with Media FormatsBug Hunting with Media Formats
Bug Hunting with Media Formats
Russell Sanford
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
Siddharth Bhattacharya
 
DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity DrupalCamp London 2017 - Web site insecurity
DrupalCamp London 2017 - Web site insecurity
George Boobyer
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
Cysinfo Cyber Security Community
 
Oracle ASM Training
Oracle ASM TrainingOracle ASM Training
Oracle ASM Training
Vigilant Technologies
 
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
CNIT 127 Ch 4: Introduction to format string bugs (rev. 2-9-17)
Sam Bowne
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Rand rr1751
Rand rr1751Rand rr1751
Rand rr1751
Andrey Apuhtin
 

Similar to System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability (20)

Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Kapil Nagrale
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
G Prachi
 
Buffer Overflows Shesh Jun 3 09
Buffer Overflows Shesh Jun 3 09Buffer Overflows Shesh Jun 3 09
Buffer Overflows Shesh Jun 3 09
dhanya.sumeru
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
Vi Tính Hoàng Nam
 
BufferOverflow - Offensive point of View
BufferOverflow - Offensive point of ViewBufferOverflow - Offensive point of View
BufferOverflow - Offensive point of View
Toe Khaing
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflows
drewz lin
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitation
Dharmalingam Ganesan
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
harshal kshatriya
 
What`s new in Java 7
What`s new in Java 7What`s new in Java 7
What`s new in Java 7
Georgian Micsa
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
guest215c4e
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
NikitaAndhale
 
1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
aryan532920
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
Kurt Baumgartner
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
Evgeni Tsonev
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse
 
Buffer overflow attacks
Buffer overflow attacksBuffer overflow attacks
Buffer overflow attacks
Kapil Nagrale
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
G Prachi
 
Buffer Overflows Shesh Jun 3 09
Buffer Overflows Shesh Jun 3 09Buffer Overflows Shesh Jun 3 09
Buffer Overflows Shesh Jun 3 09
dhanya.sumeru
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
Vi Tính Hoàng Nam
 
BufferOverflow - Offensive point of View
BufferOverflow - Offensive point of ViewBufferOverflow - Offensive point of View
BufferOverflow - Offensive point of View
Toe Khaing
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflows
drewz lin
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
Linux binary analysis and exploitation
Linux binary analysis and exploitationLinux binary analysis and exploitation
Linux binary analysis and exploitation
Dharmalingam Ganesan
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
harshal kshatriya
 
What`s new in Java 7
What`s new in Java 7What`s new in Java 7
What`s new in Java 7
Georgian Micsa
 
Debugging With Id
Debugging With IdDebugging With Id
Debugging With Id
guest215c4e
 
Offensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with PythonOffensive cyber security: Smashing the stack with Python
Offensive cyber security: Smashing the stack with Python
Malachi Jones
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflows
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Report on hacking blind
Report on hacking blindReport on hacking blind
Report on hacking blind
NikitaAndhale
 
1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx 1Buttercup On Network-based Detection of Polymorphic B.docx
1Buttercup On Network-based Detection of Polymorphic B.docx
aryan532920
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
Cysinfo Cyber Security Community
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
Kurt Baumgartner
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Vincenzo Iozzo
 

Recently uploaded (20)

The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
University of Hawai‘i at Mānoa
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
University of Hawai‘i at Mānoa
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
How to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud PerformanceHow to Optimize Your AWS Environment for Improved Cloud Performance
How to Optimize Your AWS Environment for Improved Cloud Performance
ThousandEyes
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 

System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulnerability

  • 1. System Hacking & Reverse Engineering [Introduction to Vulnerability & Type of Vulnerability] documented by h2spice [email protected]
  • 2. Who am I Sanghwan,Ahn (h2spice) Works for LINE.Corp Carrying out research on the vulnerability (exploitation,hunt,analysis)
  • 3. 목차 커리큘럼 소개 Track1 - Introduction to Vulnerability Bugs Crashes Vulnerability Exploitation Defense Mechanism Track2 - Type of Vulnerability Buffer Overflow Stack Heap Integer Format String Use After Free
  • 4. 시스템 해킹 / 리버싱 Buffer Overflow 취약점 원리 Stack Overflow Heap Overflow Format String Bug Heap Overflow Use After Free Overwriting RET Overwriting SEH 익스플로잇(Win32/*NIX/ARM) Egg Hunting RTL ROP Heap Spraying 커리큘럼 소개 취약점 / 악성코드 분석 악성코드 분석 Software on X86 버그 헌팅 X86 ARM Mobile 취약점 분석 소스코드 분석 퍼징 CVE-XXXX-XXXX Exploit-DB Inj3ct0r - 1337day 리버스 엔지니어링 iOS Android Overwriting .dtors Overwriting GOT
  • 5. Track1. Introduction to Vulnerability
  • 6. Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 7. About Bugs 알수없는 에러 혹은 소프트웨어 설계상의 실수로부터 발생 예상하지 못한 동작 혹은 결과를 유발 버그로 부터 크래쉬가 발생 버그의 종류 논리적인(Logical) 버그 문법적인(Syntax) 버그 리소스 (Resource) 버그 ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 8. About Crashes 소프트웨어 크래쉬 정상적이지 않은 명령어 실행 (Invalid instruction execution) 특정 권한을 필요로하는 명렁어 실행 (Privileged instruction execution) 정상적이지 않은 메모리 역참조 (Dereference of invalid memory) 운영체제/ 커널 크래쉬 BSOD (Blue Screen of Death) 복구 불가능한 크래쉬(Non-recoverable) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 9. What is the vulnerability ? 정의 ( from Wikipedia) 컴퓨터의 하드웨어 또는 소프트웨어의 결함이나 체계 설계 상의 허점으로 인해 사용자(특히, 악의를 가진 공격자)에게 허용된 권한 이상의 동작이나 허용된 범위 이상의 정보 열람을 가능하게 하는 약점 (eg. execution of arbitrary code , bypass security mitigation, etc) 사용자 및 관리자의 부주의나 사회공학 기법에 의한 약점을 포함한 정보 체계의 모든 정보 보안상의 위험 성 악의를 가진 공격자는 이러한 약점을 이용하여 공격 대상 컴퓨터 또는 정보화 기기에서 공격자가 의도한 동작을 수행하거나, 특정 정보를 탈취한다. 보안 취약성 또는 취약성으로 부르기도 한다. 취약점의 예 버퍼 오버플로우 (Stack, Heap, Integer) 포맷스트링 (Format String) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 10. How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ Total Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 11. How many vulnerability disclosure ? 7000 5250 3500 1750 0 7000 5250 3500 1750 0 1988 1990 1992 1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 [ High Severity Vulnerabilities by Year ] Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 12. Type of vulnerability 버퍼 오버플로우 (Buffer Overflow) 스택 오버플로우 (Stack Overflow) 힙 오버플로우 (Heap Overflow) 정수형 오버플로우 (Integer Overflow) 포맷 스트링 (Format String Bug) 널 포인트 역참조 (Null Pointer Dereference) 메모리 해제 후 사용 (Use After Free) ... Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 13. What is the exploitation 소프트웨어 내 예상하지 못한 / 의도하지 않은 동작에 의해 발생 흐름 제어 (Control hijack) 서비스 거부 (DOS: Denial-of-Service) 정보 유출 (Information Leakage) 소프트웨어 내 크래쉬를 이용하여 익스플로잇(Exploitation) 공격 소프트웨어에서 익스플로잇 가능한 크래쉬가 발생될때, 어떤 버그로 부터 크래쉬가 발생되는지 확인 (일반적으로 사용자 입력값으로 부터 흐름제어 가능) 공격코드를 삽입하여 공격자가 삽입한 임의의 코드로 흐름 제어 Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 14. What is the exploitation 일반적인 보호 메커니즘(Common defense mechanisms) 무작위성 주소공간 배치 난수화 (ASLR: Address Space Layout Randomization) 데이터 실행 방지 ( DEP : Data Execution Prevention) or W^X (Write xor eXecute) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) ... 보호 메커니즘 우회 (Bypass defense mechanisms) 무작위성 주소공간 배치 난수확 (ASLR) : Bruteforce , Ret-to-Text (ret2text), Function Ptr Overwrite, Ret-to-Ret (ret2ret), Ret-to-Pop (ret2pop), Ret-to-Eax (ret2eax), Ret-to-Got (ret2got) 데이터 실행 방지 (DEP) : Ret-to-Libc (ret2libc), Return Oriented Programming (ROP) 스택 쿠키 / 까나리 (Stack Cookies/Canaries) : Bruteforce, Error Handler Overwrite Track1. Intro to Vuln Bug Crashes Vulnerability Exploitation Defense Mechanism
  • 15. Track2. Type of Vulnerability
  • 16. Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 17. What is the Buffer Overflow C / C++ 컴파일러가 배열의 경계검사 (Boundary Check)를 하지 않아 선언된 크기보다 더 큰 데이터를 기록함으로써 발생 운영체제가 스택이나 힙 영역에 임의의 데이터를 기록 / 실행을 허용함으로써 발생 high address Arguments Return Address Stack Frame Pointer Local Variables (buffer area) low address Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 18. What is the Stack Overflow 스택 버퍼 오버플로우는 할당된 정적 버퍼의 크기보다 더 많은 데이터가 복사되어질 때 발생합니다. int main(int argc, char* argv[]) { char buf[8]; strcpy(buf,argv[1]); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 19. Principle of Stack Overflow char buf[8]; strcpy(buf,argv[1]); argv[1] = “AAAAAAA” A A A A A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 8바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 20. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 21. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 22. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 23. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 24. Stack Layout Low Address arg2 arg1 &ret (saved eip) saved ebp A A A A A A A A A A A A char buf[8] High Address Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... strcpy(buf,argv[1]); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free A A A A
  • 25. What is the Heap Overflow 힙 버퍼 오버플로우는 할당된 동적 버퍼의 크기보다 더 많은 데이터가 복 사되어질 때 발생합니다. int main(int argc, char* argv[]) { char *buf buf = malloc(4); memcpy(buf,argv[1],size); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 26. Principle of Heap Overflow buf = malloc(4); memcpy(buf,argv[1],sizeof(argv[1])); argv[1] = “AAA” A A A 0 argv[1] = “AAAAAAAAAAAA” A A A A A A A A A A A A // 4바이트 버퍼 할당 // 버퍼 오버플로우 발생 X // 버퍼 오버플로우 발생 O Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 27. Heap Layout Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
  • 28. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] High Address Prev_In Use bit Prev_In Use bit
  • 29. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In
  • 30. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 31. Heap Layout Two chunks, of which the first is free for allocation Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size unused Chunk FD (pointer to the next free chunk) BK (pointer to the pref free chunk) Unused Prev_size size Data[4] High Address Prev_In Use bit Chunk1 0
  • 32. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 33. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 34. Heap Layout Two allocated chunks on the heap Calling .Start function: .Start : push %ebp mov %esp, %ebp sub $0xC, %esp ... memcpy(buf,argv[1], sizeof(argv[1])); ... leave ret Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free Low Address Prev_size size Data[4] Prev_size size Data[4] Chunk1 12(0xc) Us0e bit A A A A A A A A A A A A A A A A High Address Prev_In Us1e bit Chunk2 Prev_In 12(0xc) 13(0xd)
  • 35. What is the Integer Overflow it occurs when the operation result stored is bigger than permissible range it occurs when the operation result stored is smaller than permaissible range it occurs in the operation process difficulty in detecting, so massive code analysis is needed 0 1 0 0 1 1 1 0 0 0 1 0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 0 1 1 0 1 0 1 0 0 0 0 20000 30000 -15536 + it is a negative number since it is interpreted as a sign bit Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 36. Example of the Integer Overflow Output 1 - The normal case Output 2 - Integer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Track2. Type of Vuln Buffer Overflow Stack Heap Integer Format String Use After Free
  • 37. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> int main(int argc, char* argv[]) { signed int type1=NULL; /*signed type*/ signed int type2=NULL; /*unsigned type*/ unsigned int type3=999999999999999999; /*integer overflow*/ type1 = strlen(argv[1]); if(argv[2]!=NULL) { /*due to some operations*/ type2=type3; } printf("type1 = %d n",type1); printf("type2 = %dn",type2); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$
  • 38. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ declare variable (signed/unsigned type, static buffer) Output 1 - The normal case
  • 39. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ get size of user input data and then, print size Output 1 - The normal case
  • 40. Example of Integer Buffer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } check size of user input data (code to prevent buffer overflow) Output 1 - The normal case
  • 41. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ Output 2 - Integer Overflow copy user input data to buffer type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ and then print user input data Output 1 - The normal case
  • 42. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ if variable signed type stored in big data, will occur integing overflow Output 1 - The normal case
  • 43. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ because type2 it has been set negative number, to bypass code that prevent buffer overflow Output 1 - The normal case
  • 44. Example of Integer Buffer Overflow #include <stdio.h> #include <string.h> #define BUFFER_SIZE 4096 #define test_min(val1, val2) ((val1 > val2) ? (val2) : (val1)) int main(int argc, char* argv[]) { off_t type1=NULL; /*signed type*/ size_t type2=NULL; /*unsigned type*/ off_t type3=999999999999999; /*integer overflow*/ char buffer[BUFFER_SIZE]; /*fixed buffer*/ type1 = strlen(argv[1]); printf("size of input data = %d n",type1); if(argv[2]!=NULL) { /*due to some operations*/ type1=type3; } type2=(size_t) test_min(type1,BUFFER_SIZE); printf("size of (size_t)type2 = %dn",type2); strncpy(buffer,argv[1],type2); /* occurs stack overflow */ printf("data output = %sn",buffer); return 0; } Output 1 - The normal case h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc $ ./integer_overflow hello size of input data = 5 size of (size_t)type2 = 5 data output = hello h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ Output 2 - Integer Overflow h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ ./integer_overflow hello ? size of input data = 5 size of (size_t)type2 = -1530494977 Segmentation fault (core dumped) h2spice@ubuntu:~/Desktop/integer_overflow/sample/poc$ as a result, occur stack buffer overflow
  • 45. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free printf(buf);
  • 46. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 사용자 입력값으로 포맷스트링이 들어왔을때 발생 (vulnerability occurs when user input data is used as format string) Collect Usage : printf(“%s”, argv[1]); Dangerous Usage : printf(arvg[1]); 임의의 메모리를 읽고 쓰는데 사용할 수 있음 (can be used to read & write arbitrary memory space) 정적 분석 도구를 이용하여 탐지 가능(Can be detected by Static Analysis Tools) But still show up in many competition or software
  • 47. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free Format String / Parameter Description %d 정수형 10진수 상수 (integer) %f 실수형 상수 (float) %lf 실수형 상수 (double) %c 문자 값 (char) %s 문자 스트링 ((const)(unsigned) char *) %u 양의 정수 (10 진수) %o 양의 정수 (8 진수) %x 양의 정수 (16 진수) %s 문자열 %n * int (쓰인 총 바이트 수) %hn %n의 반인 2바이트 단위
  • 48. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string
  • 49. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %x
  • 50. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free when user input data is used as string when user input data is used as Format String
  • 51. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
  • 52. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What’s the !!?!
  • 53. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free ………
  • 54. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address
  • 55. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%x” low address ESP
  • 56. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP Hey! where is argument about Format string “%x”
  • 57. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ?
  • 58. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What happened to this ? we don’t have enough time do as you usually do !
  • 59. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP
  • 60. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf ESP printf( ) 호출시 인자값 인자들은 스택에 적재되 low address 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
  • 61. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 printf( ) 호출시 인자값 인자들은 스택에 적재되 는데, printf(%x) 실행시 esp는 printf( )에 들어갈 인자값을 가르키고 있을 것입니다. 하지만 %x에 맞는 인자가 없을 경우, 컴 퓨터는 그냥 esp+4 지점의 값, strcpy의 인자값중 하나를 16진수로 출력해버리게됩니다.
  • 62. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+16 ESP+12 ESP+8 ESP+4
  • 63. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP+4 Point1. We can read the arbitrary memory space
  • 64. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n
  • 65. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf when argument of printf( ) is used as format string “%n” low address ESP
  • 66. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP ………
  • 67. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?!
  • 68. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free high address buf[256] strcpy printf low address ESP What’s the !!?! %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 69. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 70. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 4개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( is it length of the string ?)
  • 71. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 72. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free 9개의 문자열 (four strings) Segmentation Fault / Crash Analysis 문자열의 길이? ( it is length of the string !)
  • 73. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 74. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free
  • 75. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 76. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address)
  • 77. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free %n은 두가지 동작을 하는데 한가지는 지금까지 출력된 자리수를 구하고, 두번째는 다음 스택의 내용을 주소로 인식하여 해당 주소에 방금 계산한 값을 기록합니다.(%n writes the number of bytes printed so far to the target address) Point2. We can write the arbitrary memory space
  • 78. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free What about it ? What do you want me to do ?
  • 79. Track2. Type of Vuln How do we make use of this ? Buffer Overflow Stack Heap Integer Format String Use After Free 버퍼 오버 플로우의 경우 Return Address 를 덮어씌워 Control Flow를 조작할 수 있다. But ? 포맷스트링도 Return Address 를 덮어씌워 Control Flow를 조작 할 수 있다. (번거롭고 골치아프다) ELF 바이너리의 .Dtors 세션을 덮어씌워 Control Flow를 조작할 수 있다. GOT (Global Offset Table) 를 덮어씌워 Control Flow를 조작할 수 있다.
  • 80. Track2. Type of Vuln What is the Format String Bug ? Buffer Overflow Stack Heap Integer Format String Use After Free It’s my prey
  • 81. Track2. Type of Vuln What is the Use After Free ? Buffer Overflow Stack Heap Integer Format String Use After Free not occurs crash but, there are vulnerability 논리적인 취약점 (Logical Vulnerability) 할당 -> 사용 -> 해제 -> 사용 (Malloc -> Use -> Free -> Use) 크래쉬가 발생하지 않음 (but not occurs crash)
  • 82. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 83. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 84. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 85. Proof of Concept about Use After Free #include <stdio.h> #define MAX 512 int main(int argc, char* argv[]) { char* buf1A; char* buf2A; char* buf3A; char* data = "hello world"; buf1A = (char*) malloc(MAX); buf2A = (char*) malloc(MAX); strncpy(buf1A, data, MAX-1); printf("[+]user input data = %s n",argv[1]); printf("[+]data of buf1A = %sn",buf1A); free(buf1A); printf("[+]free buf1An"); strncpy(buf1A, argv[1], MAX-1); printf("[+]copy user input data to buf1An"); printf("[+]after free, data of buf1A = %s n", buf1A); } Output : h2spice@ubuntu:~/Desktop/useafterfree $ ./useafterfreePoc use-after-free [+]user input data = use-after-free [+]data of buf1A = hello world [+]free buf1A [+]copy user input data to buf1A [+]after free, data of buf1A = use-after-free
  • 86. What is Exploitable Crash ? mov eax,dword ptr [esi+0Ch] mov eax,dword ptr [ecx] mov edx,dword ptr [eax+5Ch] call edx