CS计算机代考程序代写 python dns c/c++ compiler Java c++ 5. Cyberattack 2 – Network Attacks and BOF

5. Cyberattack 2 – Network Attacks and BOF

Cyberattack 2:
Network Attacks and
Buffer Overflow (BOF)

CITS3004
Alvaro Monsalve

1

1. Network Attacks
1.1. Sniffing (Eavesdropping)
1.2. Spoofing and hijacking
1.3. Remote access
1.4. Denial of Service

2. Buffer overflow

Agenda

2

• There are vulnerabilities in network functionalities
• Attackers can exploit these to bypass security solutions
• This section, we will explore some of the basic and common

ways of exploiting the network functionalities

3

1. Network Attacks

Application Layer

Transport Layer

Internet Layer

Network Access Layer

4

Crash Course on TCP

Data

Data

DataTCP

DataTCPIP

DataTCPIPMAC

0010011101111…

Data

Data

DataTCP

DataTCPIP

DataTCPIPMAC

0010011101111…

Datagram

Packet

Frame

Bit

See CITS3002 Network and Security for more details

5

Crash Course on TCP

Repeat data transfer
until end of
communication

• Sniffing is a passive attack
• Captures network traffic between two

communicating nodes
• Cannot detect such attacks, as the attack does not

leave any traces in the system
• Can be mitigated easily using encryption

6

1.1. Sniffing

• However, establishing a secure channel to
communicate is important

• As well as the coverage of the channel

7

Sniffing

Alice Bob

Eve

Not secure

Secure channel

• There are a list of tools for sniffing
– E.g., Wireshark, tcpdump, Windows Message Analyzer etc.

• Chrome will notify users that ‘http’ is no longer secure*

8

Sniffing

https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html

Spoofing is a form of “lying”, to claim that you are
someone (or something) else
– i.e., masquerading

• By spoofing, you can progress into hijacking

9

1.2. Spoofing

I am Bob

• Many types of spoofing attacks
– IP spoofing
– MAC spoofing
– DNS spoofing
– ARP spoofing
– Website spoofing
– Email address spoofing etc…

10

Spoofing

Let us have a look at this one

11

TCP Spoofing

Client Server

SYN, ACK

Attacker

SYN

ACK

Data

SYN, ACK The attacker acting as
the client

12

TCP Spoofing

Client Server
SYN

SYN, ACK

ACK

Data

Attacker

SYN

ACK

Data

Normal Reset

SYN, ACK

The attacker guesses
the sequence number
– TCP Spoofing

First, we need to reset
the existing
connection

• Once TCP session has been reset, we can easily spoof
the IP address by modifying the IP packet header
– IPv4 is vulnerable as it does not check for integrity
– IPv6 can also be spoofed*

• This is especially easy for inside attackers, as you
don’t have to bypass firewall filtering

13

IP Spoofing

sylkie: IPv6 Address Spoofing

14

IP Spoofing

What can we do now?

We can launch other attacks
– Hijacking (next)
– SYN flood attack (later)
– ICMP redirects
– Ping-O-Death
– Etc.

15

IP Spoofing

• TCP session hijacking is used in conjunction with TCP and
IP spoofing attacks

• Can be used to take over TCP applications
– E.g., Telnet, FTP, rlogin

• Once attacker has TCP segment sequence, they can hijack
the connection

• The legitimate user can no longer communicate with the
server, as the sequence number is no longer valid

16

TCP Session Hijack

• Hijacking can bypass some authentication
– E.g., one-time passwords
– Hijack already authenticated communication (what else do you need?)

• ISP has some packet filtering based on IP address range
– i.e., “this IP address cannot come from the source subnet!”

• Trusted hosts should only be used with authentication and
encryption
– E.g., remote hosts

• Update and maintain the firewall regularly
17

Prevention Methods

What shell we do?
– Allows execution of commands on the system

• E.g., create/modify/remove files and folders, fetch data, launch
applications etc.

– Remote shell is doing the shell commands remotely from the
network

– Malicious users who gain access to the remote shell can conduct
activities to damage the system
• E.g., delete all files on the system

18

1.3. Remote Access

• Normal communication between the user and the server
requires establishing a connection
– Typically using a TCP connection

• To establish a connection, you also need to mutually agree on
the socket

• Socket defines which port to communicate through
– If TCP/IP is identifying the road to travel, socket is choosing the right

garage

19

Remote Access

20

Remote Access

Port 80
HTTP Only Port 23

Telnet Only
Port 443

HTTPS Only
Port 25

SMTP Only

• Two different directions to gain the access through
the remote shell
– Forward shell

• Client hacking Server
– Reverse shell

• Server hacking Client

21

Remote Access

• Hackers (disguised as clients) can exploit the remote
connection vulnerability

• Requires vulnerable server setup with access to both
input and output of the server
– Either by discovery, or
– To plant the vulnerability

• E.g., Duplicate Open File Descriptor Dup2()
• Dup2 function allows clients to access duplicated files

– But if input and output descriptors are duplicated, clients
(hackers) can access shell!

22

Forward Shell

• The system assigns file descriptions sequentially
– Duplicate an existing file descriptor immediately after our

connection to get the same file descriptor of the socket
associated with the connection

– Execute shell on the server, then
– All the input and output will be redirected to the socket,

which is to the shell!

23

Forward Shell

Mitigation the Problem:
• Blocking forward shell is straight-forward
– Use Firewall
– Authenticate connections
– Drop unknown connections
– Block incoming TCP SYN packets from external network
– Allow outgoing TCP packets from internal network

24

Forward Shell

This brings us to the next problem (or solution)

• Reverse shell allow server to act as a malicious user
• Server will lure clients (victims) to connect
• To lure victims, the malicious server may distribute

malicious code (e.g., using phishing)
– Waiting for the victim to start the TCP handshake

• Once the connection is established, the malicious
server can send commands

25

Reverse Shell

• Little more tricky than forward shell
– Easier to craft the client’s code
– Client initiates the connection, so difficult to filter bad

connections
– Authentication may provide certain degree of prevention
– Use malware detection to minimise the exposure to such

vulnerabilities

26

Reverse Shell

• “an action that prevents or impairs the authorized use of
networks, systems, or applications by exhausting resources
such as central processing units (CPU), memory, bandwidth,
and disk space.” – NIST

• Spoofing is often used to make tracing difficult
– But we have packet tracing using stamps for traceability

• Distributed DoS (DDoS) makes it even harder to pin-point the
original source of an attack

27

1.4. Denial of Service

• There are many types of denial of service attack
– Volume based, protocol, and application layer

28

Denial of Service

Volume (bandwidth)

• Exhaust the bandwidth
of the target

• Flooding (UDP, ICMP
and other packet-based
etc)

Protocol

• Exploits protocol
vulnerabilities and
misuse

• SYN floods, packet
fragmentation, Ping-O-
Death, Smurf DDoS etc

Application

• Exploits application
layer communication
vulnerabilities

• HTTP POST, server
exploitations (e.g.,
Apache, Windows etc)

• E.g., Ping-O-Death
– A classic DoS attack
– Floods the ping command to the target
– Once the capacity of the bandwidth exceeds, the

(legitimate) packets are discarded
– Avoid location identification using spoofing

29

Volume-based

ping

ping ping

ping
ping

ping

ping

ping

ping

ping

ping

ping

ping

• E.g., SYN flooding
– Volume attack exploiting the protocol design flaw
– Commonly used DoS
– Continuously sending crafted SYN packets to the target
– The server will send back the ACK, but the attacker never

replies
– Legitimate SYN packets have to wait while other malicious

SYN packets are processed

30

Protocol Exploit

31

Protocol Exploit

The ACK is sent back, but is directed
to non-existant client, or the client
discard the ACK packets as it did not
instantiate the connection

32

DDoS

DoS DDoS

• Use of multiple systems to carry out DoS attack
• Exploit system vulnerabilities to gain access to zombie

computers
– E.g., See last week’s lectures

• One attacker controls all the zombie computers
– Named botnet

• There may be more hierarchies in controlling zombies

33

DDoS

• We can also use legitimate servers as
an intermediate step to carry out
DDoS attack

• Spoof the packets with the target
address, and send it to intermediate
servers

• Intermediate servers will “reply” back
to the target

• If enough packets are generated, the
target will be denied of service to
legitimate requests

34

Reflection attack

35

Reflection attack

Hacker
controlled
zombies

Legitimate
servers

Victim’s spoofed IP Flooding
SYN/ACK
packets

• Core idea is to use the broadcast function of the
network

• The zombies send spoofed messages with the target
IP address to the broadcast IP address

• All systems in that subnet will reply to the victim
– Flooding response messages!

36

Amplification attack

• Example: Smurf Amplification DoS attack

37

Amplification attack

• Difficult due to identification of legitimate to false traffic data
– Is this high volume real or DoS?

38

DoS Prevention

Prevention and
preemption

Detection and
filtering

Trace-back and
identification Reaction

Patch known
vulnerabilities

and flaws

Update
Firewall rules

and IDS

Conduct
forensics and

analysis

Review security
controls and

update

• Software programs are not monolithic*
• One module calls another module, which may call other

modules, etc.
• Control is transferred from one module to another

• E.g., From main module to getInput module, to processInput module, to
displayOutput module)

• Issue: how to maintain state of temporarily-suspended
modules?

• Solution: the system (or program) stack

39

2. Buffer Overflow

*formed of a single large block of stone.

40

Memory Layout of Stack

0x00400000

0x10000000

0x7FFFFFFF

Reserved

Text
segment

Data
segment

Stack
segment

The Stack refers to
the memory space
available to the
program to store
information
during execution
(such as variables,
return addresses
etc).

• Main program calls other routines
– User-defined routines
– System library routines (e.g. math, input/output)

• The main program has a block of information on the stack
• When a call is made to another module, a block of

information for that module goes on the stack
– Module arguments (information used for that module)
– Space for local variables for module (or in registers…)
– Return value (if module calculates one)
– Return address (where to go in previous module)

41

Buffer Overflow

• This process may be continued for many modules
– Module A calls Module B, which calls Module C, which calls

Module D, etc.
– Module A can re-call itself with different module

arguments (recursion)

• Note: a stack contains a finite amount of space

42

Buffer Overflow

Buffer – general category of a storage structure that holds
some data
Array – a homogeneous structure, holding multiple instances
of one data type
– E.g. Array of integers could hold test scores for class
– E.g. Array of characters is a string

• Usually terminated with a special ‘0’ (null) character in C / C++
• Strings are used often in applications – e.g. Usernames, passwords,

filenames, …

43

Arrays and Buffers

• We have a series of characters c of size 4 (i.e.,
holds 4 characters).

• c copies another string s (assuming it is declared),
using a strcpy function (string copy function).

44

Simplified Example

short i;
char c[4];
strcpy (c, s);
printf (“%d\n”, i);

• C and C++ languages do not check array
boundaries
– E.g. If array has 10 elements, can write 11 values into array
– What happens?

• Value is written into adjoining memory location
• If you own that memory location, you write over whatever was

there before
• Usually not good!
• If you don’t own that memory location, system will flag error

(i.e., segment fault)

45

BOF Details

• Now, what happens if s had a value
“ABCDEF”?

46

Back to Example

short i;
char c[4];
strcpy (c, s);
printf (“%d\n”, i);

The value of i will be overwritten with
0x4546 (“EF”).

To understand this further, we will
draw the stack diagram (soon).

• Compiler does not check whether programmer
is writing within specified array

• C language provides many routines that do not
check array limits

• Examples:
– strcpy (destination, source) – copy src to dst
– strcat (destination, source) – concatenate src onto dst
– sprintf – formatted printing into string
– Many others…

47

C/C++ Vulnerability

48

List of Dangerous C
Routines

• strcpy()
• strcat()
• sprintf()
• scanf()
• sscanf()
• fscanf()
• vfscanf()

• vsprintf()
• vscanf()
• vsscanf()
• streadd()
• strecpy()
• strtrns()
• Etc…

• If the buffer overflows occur accidentally (i.e., bad
memory management), then the program will throw
a segmentation fault.

• If the program was given an input carefully directed
to overrun the return address by manipulating the
stack, arbitrary code may be injected.

49

The Exploit Steps

• Write a small program that starts a shell window: use
something like system(“/bin/sh”)
– Just like the remote shell attacks

• Translate the program into machine code, modifying
individual bytes as needed

• Write the machine code into a buffer, followed by the
address of the start of that buffer, repeated many times

• Will overwrite the return address (on the stack) of the
server’s buffer handler routine

50

The Exploit Steps

• Get a copy of the operating system to be attacked
• Analyse the system stack layout for that operating

system and hardware platform
• Put the “shell window” machine code into a buffer
• Send your buffer to a program on the target

operating system (maybe one that runs as “root”)
that takes a buffer as input, makes a copy of that
buffer, and don’t check its bounds

51

The Exploit Steps

52

BOF Example
Lets take a look at an example.

void foo(int x, float y)
{

char junks[7];
(more code)

}

int main()
{

int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)

}

This is stack

Stack grows up

Text segment for program
1

53

BOF Example
The program begins from the main function.

void foo(int x, float y)
{

char junks[7];
(more code)

}

int main()
{

int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)

}

sp

bp
Note: bp – Base pointer sp – Stack pointer

Text segment for program
1

Memory for b

Memory for a

We need to
allocate memory
for the variable
junks in the
function foo.

54

BOF Example
Now we call function foo.

void foo(int x, float y)
{

char junks[7];
(more code)

}

int main()
{

int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)

}

Text segment for program
1

Memory for 1st argument

Memory for 2nd argument

Memory for b

Memory for a

sp

bp

When foo is
finished, we need to
go back to the main
function, which we
need to return to the
correct place where
we executed foo.

55

BOF Example
We allocate memory space for foo components.

void foo(int x, float y)
{

char junks[7];
(more code)

}

int main()
{

int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)

}

Text segment for program
1

Memory for junks

Prior value of bp
Correct return address

Memory for 1st argument

Memory for 2nd argument

Memory for b

Memory for a

sp
bp

In the foo
function, assume
it takes input
from the user to
assign junks
variable.

• If the input is within 7 bytes, the program will run
as normal

• But the user can also allocate more than 7 bytes for
the variable junks, because there is no boundary
checks
– E.g., input provided is 54354325432523

• What happens now?
56

BOF Example

57

BOF Example
It is possible that junks may overwrite the return address as
well.

void foo(int x, float y)
{

char junks[7];
(more code)

}

int main()
{

int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)

}

Text segment for program
1

Memory for junks

Prior value of bp
Correct return address

Memory for 1st argument

Memory for 2nd argument

Memory for b

Memory for a

sp
bp Memory for

junks
overflows in the

stack

What happens
when foo function
finishes?

• If the return address is overwritten, then the
instruction pointer will jump to some random
address
– This will likely cause a segmentation fault

• If these series of events are caused on purpose,
it is called a buffer overflow attack
– It is also known as stack smashing

58

BOF Example

59

BOF Example
This will likely give a segmentation fault error, but…

void foo(int x, float y)
{

char junks[7];
(more code)

}

int main()
{

int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)

}

Text segment for program
1

Memory for junks

Prior value of bp
Correct return address

Memory for 1st argument

Memory for 2nd argument

Memory for b

Memory for a

sp
bp Memory for

junks
overflows in the

stack

60

BOF Example
Imagine junks contain some executable code!

void foo(int x, float y)
{

char junks[7];
(more code)

}

int main()
{

int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)

}

Text segment for program
1

Memory for junks

Prior value of bp
Correct return address

Memory for 1st argument

Memory for 2nd argument

Memory for b

Memory for a

sp
bp Executable code!

New return address

If you know exactly
where the return
address is suppose
to be, then you can
craft your buffer
overflow attack.

61

BOF Example
Imagine junks contain some executable code!

void foo(int x, float y)
{

char junks[7];
(more code)

}

int main()
{

int a = 77;
float b = 3.145;
foo(a, b);
a = a + 2;
(more code)

}

Text segment for program
1

Memory for junks

Prior value of bp
Correct return address

Memory for 1st argument

Memory for 2nd argument

Memory for b

Memory for a

sp
bp Executable code!

New return address

New return address

New return address
Maybe
it was
here

Sometimes, the
return address
can be guessed.

• Do not use suspect C/C++ routines
• Instead, use newer routines that check boundaries
– E.g. strncpy(dest, source, limit) – will write no more than

limit characters from source to destination
– Still problems with such routines

• E.g. Can end up with non-terminated strings
– One suggestion: manually set 0/null byte into each

destination string
• Use safer programming languages
– Java, Python etc boundary checks are done by the language

62

BOF Prevention

• Still, some applications are better written in C/C++
• Need to check all legacy code for buffer overflow

vulnerabilities
• Problems still being found in Oracle, other large software

systems
• Check for:
• Programmer use of suspect routines
• Use of code libraries where suspect routines were used
• Use of code libraries that use code libraries …

63

BOF Prevention

• Security controls
– Use latest security controls
– E.g., non-executable stacks (Data Execution

Prevention (DEP))
– E.g., Address Space Layout Randomisation (ASLR)

64

BOF Prevention

• Policies
– Important part of software security

• Avoid problems in advance
– Development teams and organisations need to

develop appropriate policies for code
development
• Safer language usage
• Safer library routine usage
• Library usage and positioning in application

65

BOF Prevention

• Sniffing tools
– http://sectools.org/tag/sniffers/

• Forward Shell
– https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440

• Websocket Hijacking
– https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
– Tutorial:

https://medium.com/@sharan.panegav/account-takeover-using-cross-site-
websocket-hijacking-cswh-99cf9cea6c50

• Buffer Overflow
– http://insecure.org/stf/smashstack.html

66

Additional Items

http://sectools.org/tag/sniffers/
https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440
https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
https://medium.com/@sharan.panegav/account-takeover-using-cross-site-websocket-hijacking-cswh-99cf9cea6c50
http://insecure.org/stf/smashstack.html