All right. >> Sorry, I wasn't recording. Totally forgot. 10-24. >> We're talking dynamic linking from an executable into a shared library. And almost immediately I'm going to send everybody into groups to work on solving this from a super hard CTF. But that's okay, you'll be fine. >> But the essence of it is this. >> Whenever your executable calls a function that doesn't live inside your executable, it's going to be some external function and it's going to get handled at the linking phase. Okay, everything's in glibc, etc., etc. >> If I've got an imported function, then when I compile it, when I compile the function itself, it says... My connection's unstable. I don't know if I'm breaking up or not, but when I go to the video, the quality keeps going in and out. Okay, I can switch back to low fidelity. It's been looking fine for me. I'm not sure if that's individual-recipient dependent or not, but it looked good to me. >> All right, well, now it will look less good, but maybe more reliable. >> Should we go `from pwn import *`? >> And I want to do this. >> So else my Got Milk 32-bit. >> I want to show you these two tables and kind of reference them with these imported functions. All right, so when there's an imported function, how exactly does that happen? >> Like we have a vague idea that you've got an executable and it's going to look at a shared library. And from that shared library it's going to find the assembly that's going to actually execute that program. And so here's the best explanation I can do out loud, but here's an explanation. We'll have a dialogue, ask questions, and I hope this explanation gets better. When you compile it, I have to have something to look up. So these two tables, this is the procedure... oh gosh, mini game, mini game. >> Okay? >> This is the procedure linkage table. >> And what this will have in it is an address where I can call something related to fgets.
And when the program begins, it of course doesn't know about the function fgets. >> The program has its standalone executable. >> So the way the dynamic linking is going to work is it's going to put in here essentially a stub program. >> In the stub, that program has just a tiny little bit of assembly that's going to >> call the GOT. >> This is the global offset table. The global offset table has addresses. And again, we've got addresses for each of these functions. But what the addresses do is they are going to give me a place I can go to reliably to find that function that I need. Okay, fine. >> So because we have position-independent execution, where we're going to randomize our address spaces every time, when I compile this thing... >> You know, computers don't do random, right? Computers don't do random. So how is it that my executable's going to go, and every time it runs, it's going to find the correct random address for the libc functionality? In this case, what we choose to do is we put a stub address in. >> And the stub address is going to be an address to a function that looks up the correct address. >> So if you go to this standard in, what it's gonna do is, I wrote a function that looks up where standard in is on this particular randomized execution and replaces itself in this table with the real thing. So this is lazy loading. And you can see that here: this is called lazy binding, where the first time an external function's called, it's going to resolve. And it's going to resolve by running the stub in the PLT, which will then do the lookup in the GOT, replace the address in the GOT from the fake address that it begins with to the real address of the thing in the actual library. >> Then replace the stub in the PLT with something that calls that function there. >> So I can either call it through this or I can go straight to the address in the GOT.
>> But before I use the PLT to execute the address in the GOT, the address in the GOT is updated from a fake address, which just takes you to a place to look up the real address, and then it gets replaced with the real address. All right, that's my lay explanation of how those two are used to do dynamic linking to a library when I'm randomizing all my address spaces. >> It's clever. >> It's lazy loading because it only actually looks up what it needs to look up in real time, roughly. >> Okay, so in this first problem, all I want to demonstrate is the following. >> When I do this LD_PRELOAD and I give it a library, what this command is going to do before I go to execute that is say, hey, when you go to look anything up, look in this library before you look at any other libraries. So this is going to say prioritize this library that a user just wrote over the system libraries. So in this case, to solve this problem, you've got to overwrite one of those functions that it needs. Now, I was going to let you do it the easy way, which is just to include the help flag. So make a binary that, if you link to the binary and execute /bin/true with a help flag, it will give you a reverse shell, and then kind of compete with each other for the smallest number of bytes to do that. And you'd have to do that by basically writing a function that overwrites one of the methods used in that thing. >> I think I did an ltrace with the help; you can pick any of these things, which are places where it's going out to a library function, and just strcmp, for instance. >> And you could overwrite strcmp in your library. And what strcmp will do is just consume two strings and instead give a reverse shell rather than do anything useful. And so that's the essence of that one, which is to say if you can control the shared library, then you can overwrite any function you'd like.
But to some extent, this kind of shows you the power of the dynamic linking. The dynamic linking is to say it doesn't actually have to exist in my binary; it's going to exist somewhere else. >> And if you can control that somewhere else, then you... Questions, concerns on that? I'll call up my guinea pigs today. >> Guinea pig is confused. >> Yep. >> Start using words. >> Help me out. >> I don't think it's possible to really articulate. >> I came kind of late. I had Zoom issues. I see. All right. I need another guinea pig for today. >> Then I have a question. >> Yeah, so once we say we've already got strcmp taken, like the dash, dash help leads you... >> Arguments will be pointing to the address of like /bin/sh. >> With that, just do it. >> Yeah, right? So if I were to write that exploit here kind of on the fly, I can kind of... and you guys should probably just go do this. >> I think you could, more or less. We'd have to look at the strcmp C code. I just want to see the declaration. >> Well, that's in all caps, right? >> So it's going to take and stuff. >> And here just do execve /bin/sh 0 0. We'll redefine the strcmp from uppercase to lowercase. >> Did they do it? Define them? Yes. >> Back. Okay. >> Yes, I totally would. >> What is going on? >> I think I'm having a red line issue. >> Yeah. >> I would probably also want to include the header where the thing is defined. >> So let us say this is int strcmp, char star, exec /bin/sh 0. I don't know why this is getting so... typically like a one control plus, it'll get better, and then exactly e plus one. >> Okay? >> So this program, and then compile it. >> I think I need a flag, the flag -fPIC, crap like that there. So I could compile this into a shared library with these flags and it'll complain, but it's there. And so now if I were to do LD_PRELOAD equals what I called it, libtest, and then /bin/true --help. >> What I got instead was a reverse shell.
So basically it looks like what you're doing is you're forcing a program to use your library preferentially and you just kind of overload it with what you want. >> That's exactly right, that's exactly right. That's nuts that it lets you do that. >> Well, I mean, it seems nuts because we have a security mindset on, right? We're like, why would you? You know? >> But you could do anything with that, like programming libs. >> What's really cool is the only reason that works is because it's already trying to call a function called strcmp. >> And that's why, right? Like for instance, when I did my ltrace on /bin/true, it didn't call anything. >> But if I did help, >> I could see that it called strcmp. And so this is just telling me every place where you're dynamically linking to something, printed to the screen. And so here I can see every place where it's calling an external library. And I can just pick one that I want to overwrite and overwrite that instead. >> Like, would it be smart to not completely break the code, to do strcmp anyway, but also give you the option to... Yeah, so I mean, if you guys want to start writing your own malware, yeah. >> So if you replace somebody's... if it's like a Windows thing, you replace their DLL with your DLL and you just do the thing, but you open up a crazy backdoor. >> Yes, you'd want to do that quietly, and that kind of gets you into the whole MITRE ATT&CK framework, which is to do a kill chain. >> You've got to... How are you going to get on? How do you get them to execute it? I think actually, if I just do a Ctrl-F for DLL, all these things that are DLL are places where you are hijacking a Windows library and replacing it with your own. Those are dynamically linked libraries in Windows, and this is our sort of C version, right?
Would they be able to detect crap like this if there's some kind of fault in a way that is the expected behavior? Well, the reason I'm showing this... I did not expect to be showing this today, but I think it's really valuable from a cyber education perspective or whatever. You get in, somehow they install a program and it says, you know, type in your address to install this thing from Bank of America, because they clicked on a phishing email and they install it. The first thing you do is you get them to execute it by making some... I don't know, there's like a help script or whatever on your OS, and you can overwrite a file with that help script and it'll execute the thing that you said. So you get them to execute it without even realizing it. This is how the malware works from kind of end to end. You figure out how to make it so that every time that computer starts back up, yeah, it's back to executing malicious code quietly. So like in your persistence, you can put it in the .bashrc or into the startup scripts or put it into DLLs that are used everywhere. So like once you can overwrite something that is going to get executed every time they turn on a computer, then you can get it to execute your code every time they turn on the computer. Then can you figure out how to kind of elevate your account from the guest user to root? >> Once you're down there in those library areas, then can you figure out how to avoid detection, right? >> So what are the ways that you can get all this done while being really hard to spot what you're up to? And so these are all sorts of known methods people use to avoid being detected. >> But for instance, putting their stuff in the middle of binaries. >> The other things that are completely normal. >> Then finding out inside of there wherever credentials are, great.
Moving around inside the network, or just discovering what the network looks like and all the other things that are on it and where all the goodies are for that particular computer or that system. Jumping from the computer and the DLLs that you're on to other things on the network, moving into other stuff from box to box to box, if you can. Are you going to gather up all that data and store it without the users paying attention? And then how are you going to let your remote code execution happen? So you build your back door in. And how is it that I'm going to tell you what to do remotely while you're running on that device somewhere in Utah or whatever, where my malware has worked? And then how am I going to get the data back out? And then is anybody going to be tackling them getting the data back out? And then at the end of the day, what is it that I'm going to do as the bad guy that dictates kind of why I did all these things? >> So like, seriously, that last bit, like hardly seems worth it. Oh, well, what is it that you're doing to go through? >> Aww, it sounds like a huge pain. >> Yeah. >> It's like, yes. >> If you were to write it all from scratch, it's a huge pain. And honestly, to write it all from scratch in a really clever way that nobody's ever done before, that is something that we PhD-level folks would do for nation states, right? So like that's kind of the international... These are the nuclear weapons of the modern age, is to do it for the first time. But once it's been done once in code, it's not hard to copy-pasta. You know, like once you've got something that's currently working, it spreads like crazy through people who will just download it from dark web forums or whatever else and say, okay, I'm just going to try this and scattershot it all over everything, right?
>> So like artisanal malware writing, that is typically like countries screwing with each other, and you know, the CIA exists, the CIA exists in theory, there's fifties-era, Cold War kind of stuff going on that protects the economy, right? Like it said. >> So yes, most of the time the script kiddies just want some cash, but sometimes you're just trying to destabilise the government. These things happen. >> I lost my chocolate. >> That's kind of ridiculous. >> Like, well, I don't see why people would want to take part in this level of ridiculousness. Well, I don't know why people troll and do it. I wouldn't. I don't want to be that mean to other people that I don't know. >> But lots of people are mean on the internet, and those are just like normal people without even really that messed up lives. So anyway, why am I saying all this? Where were we, okay? So one problem you could do with this would be... I'd be tempted to say, okay, we've done this, now you guys should compete with each other to see who can make it the smallest. So I just kind of did this shared library thing, and this was a real problem from the weekend. Two things are different from the version I did versus the version from the weekend, but not that different. >> My thing here was 7,904 bytes. >> In the code golf example, they would only accept your upload if it is less than 1024 bytes. So this was a problem in making a tiny executable. And I think if I go to the scoreboard, the smallest one was 136 bytes. And I really want to know what they did to do that. And I'd imagine it's like writing it yourself and things like that and whatever else. >> So here's... But when it started, there was none beneath 1024. >> There was like two and n. >> So throughout the course of the weekend, people kind of pushed themselves and each other and got it smaller, smaller, smaller, smaller, which is one. >> Which is one. >> Okay. >> I have one more question actually. Yeah. Yeah. Yeah.
>> Aquifer. >> So we wrote that for the /bin/true thing. If we wanted to do it for the Got Milk, could we do it on any function that gets imported from a library at all, right? So on Got Milk. >> They provide this lib, libmylib. >> So these are the symbols that they have in libmylib. >> And the ones that we care about are lose and win, and lose and win are really close to each other. >> So the essence of this problem is that if I look at what's linked in Got Milk, it links to the lose function. >> And it's going to link to the lose function. But I would rather overwrite their version of the lose function with the function in their library called win, because I'd rather win than lose. So the essence of the problem is just to zero in on using a small... I'm calling this pointer subterfuge. So if you have an address, just change a few bytes of the address to redirect traffic to a place you want to go rather than a place you don't want to go. So the essence of the Got Milk... oh, I need to link it to the library. Actually, I can do exactly what I did just a second ago. >> I think when I ran this before, I just copied libmylib down to like us. >> So when I start this problem, I do a %p, I can recognize that it's a string format vulnerability and that they're leaking information. So a couple of things that will be true in this is that if I start putting... how many arguments back is my payload, like we were doing before, you'll discover pretty quickly that I think it's around seven back that I can find my payload. >> So I can do an arbitrary write of up to four bytes at this thing back here. >> Or I can leak an address from the libmylib.so. >> But I can't do both at the same time. >> So one of the problems with this problem is that I have a string format problem I can identify and address. >> I can do an arbitrary write to an arbitrary place.
>> But I need to know where to write and what to write in order to, instead of calling lose, which I'm gonna presume says no flag for you, >> call win, which will, you know, show me a flag. So to pull that off, I need to leak an address from the library and then go back and write another address. I'm going to have to control the flow of the program in order to... which to me says, hey, there's probably also a stack smash in there. Or if not a stack smash, then I can overwrite something to do with like the return address or something, but I need to leak an address and redirect. So I'm going to have to do some whack and just like that. But the part of the actual lecture that I want to get to here, like as an intellectual concept, is the following. So here I don't get to provide a library. I wanted to show the providing library just to kind of get you thinking like dynamic, dynamic loading. But this I can overwrite: if I can get an address here, I can overwrite a value in the GOT, like this is an address where it's going to look for the right address. >> So if I can essentially take the address for lose and overwrite it just a little bit to make it the address for win, then I can win the game. >> And so that's the essence of it. And now I want you to go and try it as homework. >> And you can look at... you'll have to look at the Got Milk CTF write-up to see a pleasant write-up of how somebody did it live. >> But in order to get it, you kind of have to get that there's a PLT, there's a GOT, there's... you gotta connect, leak, redirect, do some stuff. But you can take advantage of this like percent-seven business a couple of times until you win. Obviously that's not enough for you to do it. You gotta go and practice it and try it. But I want to show you one other thing before I let you loose with that as homework.
But I said that on Friday and I was like, hey, go solve this problem over the weekend, and nobody really did. So, which is, there are finitely many people who are going to be active and do the CTF stuff. >> But if I asked you guys to give kind of 45 minutes to an hour to working through a write-up on this problem, would you, or could I ask you to do that for Wednesday? What if we have very little confidence in our ability to actually effectively do anything? >> Perhaps grab a person and say, hey, does anybody want to do this as a write-up? >> Yeah. Okay. Due by Friday. >> That sounds great. And it also has specific instructions like on your websites where you can just go there, click... you know, yeah, spoon, please feed. Yeah, that's cool. That's cool. So solve problem seven, going to hourly, CD6, soft git checkout, everything through this or any other write-up that you can find. >> Okay, I wanted to show you one other thing. >> So we did Zipline together a little while ago, and Zipline is great. >> And it was about learning how 32-bit calling architectures work and things like that or whatever else. >> I looked at a write-up of the Zipline problem. I think it's so cool what we'll do in a class. I wasn't good enough to do this last time I taught this class. >> This one, take a look at this crazy ride. This blew my mind, because in Zipline we got all those addresses and we loaded up arguments, we called things, whatever else. But look at this person who took advantage of this PLT/GOT insight to just sort of solve the problem immediately. >> So the first thing they did once they found that there was a stack smash is look up the address in the procedure linkage table. So where's it gonna load up puts, then go back to main, and then go to the address in puts' GOT.
>> So this is basically creating their own stack smash where they can then just put shellcode straight on and like, okay, so once I've done that one, I'm going to do it again. I'm just gonna go back to main. But now I've loaded puts in the GOT. So I have an address for puts where I can then just write shellcode and go execute /bin/sh. So they completely ignored the fact that there were all these Minecraft scenarios and objects and everything else like that. They were like, oh, you're leaking. I'm gonna do it this other way, by taking advantage of the fact that there's a more advanced exploit that you guys didn't lock down because it was an easier problem. So something about this just really made my little heart go aflutter, where it's like, oh wow, it completely disregarded the entirety of what the problem was intending to do it this other way, which is using the lesson from today's class, which is again, poorly done. >> I'll grant you that, but I think you kind of have to dive in and then come back and ask some questions. >> So I encourage you to try both of these problems. But you can adapt the golf that... So like you can do the golf without an argument, but then you have to overwrite like exit or start. Or you can do it with the help arguments and make it smaller. And then try the PLT/GOT one. And if you want to work in a little group, I think it's a good idea. I think that because we've done so much coding, I think that for the next assignment what I'll have you do is work in a small team to take one of these problems from, let's say, like three to ten, and look at write-ups online, work through whatever else, thoroughly understand it. And then write a really high-quality write-up so that somebody else can go through the write-up, do it, and understand what's going on conceptually.
So this practice on the GOT will help you with the next assignment that I'll give, probably. Yeah, I'm going to have you make a write-up from one of the problems three and above by working through it. And you can find write-ups online or whatever else. And just wrap your head around it well enough to explain it to somebody else. >> Because I think that's a really good way to learn, right? Thoughts, questions, concerns? You're sighing. >> A group project? >> All projects you can work solo or you can work with people. The more people you work with, probably the more, if you work in a healthy group, you're helping each other out and you're chatting. And I love to soundboard with people. And like, if I... let's just do this by Friday. No, no, no. This project, like just solve the GOT problem by Friday. Like I'm saying that, do, let's say, May seventh or something, will be a write-up of one of the other ones. I'll formalize that for Wednesday. >> Say I'll make like the formal specs of the problem. >> I'm just saying that the process of going through a write-up on Got Milk will get your head right for project two. >> Okay? >> Because I think class is over now. I was kind of hoping to hear how people feel about that, but nervous. >> Okay. >> Sounds pretty good. Yeah. How would you be assigning which one we would be doing? So is it just we just go pick one, or, so everyone doesn't do like baby boy, I don't... I wouldn't be out for Wednesday. >> But to some extent, whenever I give any project, people who have come in with years of coding experience, they push themselves a bit or whatever. So like I know that you know how to solve a lot of these. You personally should probably partner up with Chris, because the two of you have been going through the pwn schools with me, and do one of the ones that you don't know how to do, like a heap exploit that you haven't done before, right?
And even Landon should make a beautiful write-up for tcache poisoning or something like that, up at problem 16 or 17, for instance. On Friday we were doing House of Force, which is number 19 in the advanced pwn school. So like if I were you... maybe I'll just do it for myself, I'll try to write the House of Force write-up. >> Yeah. I wanted to look at that one anyway. >> That's what Landon was going over, right? >> I think, yeah, to some extent this is because grades are dumb. >> You're adults and you're like, I want to learn a skill set. >> So like Lewis is feeling nervous. >> All right, Lewis, work on a write-up for number three. >> Great. >> But if that goes fast, you're like, that was actually really satisfying, then maybe do problem four also for extra credit or whatever. And so he's like, yeah, okay, I've had some of this stuff before, whatever else, but something I've never done. So that's on you to pick a thing that helps. I'll try to formalize that for Wednesday to see if I can come up with a system. >> Yeah, unfortunately, you're the coolest teacher, but like, I think grades are dumb, but nobody else really seems to agree. So yeah, okay. >> I think it's bad advice to say grades are dumb, but it's good. Like it's a thing that has to be heard in the right sort of subtle way, which is that the right way to tackle any class is to think, can I use this in ten years? How can I imagine myself differently? So it is a really valuable skill. And can I get enthusiastic about the topic enough to try to juice it for everything? >> It's worked for my personal growth, right? >> Like you want to come in saying, I'm here to gain as much as I can from this class and this coursework and so on, versus, okay, you're gonna give me assignments that I'm gonna do.
And if I do well on those, you'll give me a grade, and that will give me the degree, which will give me social credibility and things like that. Like that is... you are like a weird passive recipient as opposed to a shopper. Like I see it as a shopper at a store, and you're grabbing out stuff that you want and you're like, I'd like that, I'd like to be better at coding. >> I'd like to be better at doing command-line stuff. >> I'd like to be better at writing libraries, I'd like to be better at coding. I'd like to be better at understanding malware. I'd like to get into malware analysis, right? >> So anything that you'd like to do, great, but you do have to put some hours towards it. >> And so I'll be here to help you do those hours. But if it's a required class and they're saying, hey, you're required to do this and this and this and this, and then you do that, you're going to do the minimum possible every time you do anything. So what I'm saying is that you as an individual, thinking about grades, are going to always undermine the actual quality of education by always just jumping over some bare minimum bar that's set by somebody else. >> So I think if you do it my ideal way, like as a really great Scout, an Eagle Scout type person, >> who's like, hey, I'm here to help out the community or whatever, you're going to have good grades because you're just enthusiastic. >> Just seems like a lot of that's highly dependent upon that bar not being arbitrarily obfuscated and time intensive in the discussion of what the **** they even are. >> You know, that didn't make any sense to me. >> You say bare minimum of effort to jump over the bar. But I feel like a lot of times the bar is obfuscated for no discernible reason in a normal classroom. My class, a lot of classes, not yours. >> So it's like you spend half your time just figuring out what the **** they even want. And then you do that.
>> And then you've got a bit of time left to actually get something out of it. Yeah. >> Yeah. So I guess my subtle advice is just: if you disregard all of that and say, hey, I'm here to pick up signals and symbols, >> then you can look at the syllabus and be like, >> so what would mastery of signals and symbols look like? >> Or signals... let's just say signal, whatever, signal processing. What would mastery of signal processing look like? >> Well, I should be able to know this really well, that really well, this really well. >> If I know those three things, then I know signal processing. All right? >> Do I know this? No, I need some problems to solve to help me learn that. Prof, help me out understanding how I can feel like I've mastered that thing, right? Like that's the right sort of back-and-forth relationship with the professor. >> Might become professor. >> Yeah, I can show you a few emails like two any dash. And I send them to
Andy Novocin's Personal Meeting Room
From Andrew Novocin April 20, 2020