Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-04-27 11:09:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

memory exploits

Browse Source
This commit is contained in:
bt3gl 2014-11-20 13:20:19 -05:00
parent 37268762e1
commit 943728662f
2 changed files with 181 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

171
Memory_Exploits/README.md
View File

@ -1,22 +1,183 @@
# Memory Exploits
## Assembly
## Memory Corruption
* Unbounded data copying is bad.
* Lots of APIs:
- strcpy()
- strcat()
- sprintf()
- gets()
#### strcpy
* Memory corruption basic example:
```
int vul_fc(char *userstring)
{
char buf[128];
strcpy(buf, userstring);
/*..*/
}
```
#### strncp and NULL byte
* Better APIs can be not used properly, for eample **strncpy()**, it the parameter to limit lenght is not understood:
```
int vuln_function(char *userstring)
{
char buf[128];
strncp(buf, usertring, strlen(userstring));
/*..*/
}
```
* If the lenght does not account for NULL termination: the amount of data to copy is greater than or equal to size of buf, no NULL byte will be placed:
```
int vuln_function(char *userstring)
{
char buf[128];
strncp(buf, usertring, sizeof(buf));
/*..*/
}
```
* The correct would be **sizeof(buf)-1**.
* C string functions need to have a NULL byte to know where the string ends. Later in the code, it will assume that the string is only as long as the sizeof(buf) when in reality the string is as long as wherefer the next NULL is in memory.
* This could be an adjacent piece of memory the attacker controls, such as another buffer declared on the stack.
#### strncat
* For example string concatenation **strcat()**. This function appends a string from the source buffer to the destination buffer, adding to the end of an existing C strng in dest.
* The size parameter does not account for daa already in the destination buffer:
```
int vuln_function(char *string)
{
char buf1[256];
strncat(buf1, "static data", sizeof(buf1) - 1);
/*..*/
strncat(buf1, string, sizeof(buf1)-1);
}
```
* If there is already data in buf1, it can overwrite beyond the buffer!
#### Wide-characters
* Many misunderstandings with wide-characters such as *wchar_t*.
* Under win32, wchar_t is 16 bits (UTF-16 code unit). On linux, wchar-t is 32 bits (UTF-32).
* Size miscalculation can happen by not considering that sizeof() returns count of 8 bit chars and wchar_t is larger than that:
```
int vul_funcion(char *string1)
{
wchar_t buf1[256];
mbstowcs(buf1, string1, sizeof(buf1)-1);
}
```
* The size lenght is given as sizeof(), however the size argument for mbstowcs() is the count of wide characters to write. Wide characters are bigger than bytes:
```
wchar_t buf1[256];
mbstowcs(buf1, string1, sizeof(buf1)-1);
```
* On Windows, where wchar_t is 16 bits, sizeof(buf) is 512. In the above code, a copy of 511 wide-characters is copied into the destination buffer, when it was intended to be 255.
----
## Data Type Bugs
* Primitive data types (32 bit):
- signed char/unsigned char
- signed short/unsigned short
- signed int/unsigned int
* Redefinitions used for sizes:
- size_t (unsigned)
- size_t (signed)
* Integer overflow: Exceeding the amount of data in integer will result in **wrapping**. In the example below, x will be 0:
```
x = 255;
x += 1;
```
* Pointer overflow: pointers are unsigned integers:
```
int StrStuff(int sock, char *buf, size_t buflen)
{
size_t dataSize;
char *maxpoint = buf + buflen;
dataSize = readDataSize(sock);
if (buf + dataSize < maxpoint)
{
read(sock, buf, dataSize);
return 0;
}
return 1;
}
```
### Integer Overflow Exploitation
* In the code below, buf is intend to have enough space +1 to store a NULL byte for a string.
* If the network data supplied is 0xFFFFFFF (max 32 bit value), when 1 is added, it will wrap to 0. This means that the length passed to malloc is zero bytes.
* malloc() will return an under-sized buffer that allows memory corruption in read().
```
int getData(int sock)
{
unsigned int len;
char *buf = NULL;
len = getDataLen(sock);
buf = malloc(len + 1);
read(sock, buf, len);
buf[len+1] = 0x0;
}
```
### Auding Tips
* grep for malloc() and other memory allocation functions.
---------------------------
## Folders
### Assembly
- Shell spawn
----
## Buffer Overflows
### Buffer Overflows
- Stack overflow examples
----
## Integer Overflows
### Integer Overflows
---
## Tools
### Tools
---
## C-codes
### C-codes
- Get env variable

16
Pen_Testing/threat_modeling.md → Pen_Testing/README.md
View File

@ -1,4 +1,17 @@
# Threat Modeling (Design Review)
## Auditing Code
* Initial value assigments (failure to asign initial values can lead to vulnerabilities).
* Memory corruption (see Memory_Exploits folder).
* Static analysis tools:
- commercial: Fortify, Klockwork, Coverity
- free: LLVM Clang Static Analyzer, FindBugs (Java), RATS
----
## Threat Modeling (Design Review)
1. Information Collection:
* Assets
@ -37,3 +50,4 @@
* Checked build: an binary with no source code but with debugging information.
* Source black box: black box and fuzz testing (example: web applications). Example: auditing a web server with entry point at TCP port 80, you use a HTTP protocol fuzzer.
----