C/C++ Security by Tim Chew

Upload: microsoft-techdays-apac

Post on 06-Apr-2018


TRANSCRIPT

  • 8/3/2019 CC++ Security by Tim Chew

    1/27

    C/C++: I just shot myself in the foot

    Tim Chew

    Consultant, Arch Signal Sdn Bhd

  • 2/27

  • 3/27

    Quotes

    C++ and Java, say, are presumably growing faster than plain C, but I bet C will still be around.

  • 4/27

    Quotes

    For infrastructure technology, C will be hard to displace.

  • 5/27

    Quotes

    C is quirky, flawed, and an enormous success.

  • 6/27

    Quotes

    C has the power of assembly language and the convenience of... assembly language.

  • 7/27

    Quotes

    When I read commentary about suggestions for where C should go, I often think back and give thanks that it wasn't developed under the advice of a worldwide crowd.

  • 8/27

    Agenda

    How you shoot yourself in the foot

    C/C++ code analysis

    How you get pwned: Injection

    Buffer Overflow

  • 9/27

    Demo #1: C/C++ Code Analysis

  • 10/27

    How you get pwned

    Q. How to get your code into a process?

    A. DLL Injection

  • 11/27

    DLL Injection

    HANDLE WINAPI CreateRemoteThread(
        __in  HANDLE hProcess,
        __in  LPSECURITY_ATTRIBUTES lpThreadAttributes,
        __in  SIZE_T dwStackSize,
        __in  LPTHREAD_START_ROUTINE lpStartAddress,
        __in  LPVOID lpParameter,
        __in  DWORD dwCreationFlags,
        __out LPDWORD lpThreadId
    );

  • 12/27

    DLL Injection

    DWORD WINAPI ThreadProc(
        __in LPVOID lpParameter
    );

  • 13/27

    DLL Injection

    HMODULE WINAPI LoadLibrary(
        __in LPCTSTR lpFileName
    );

  • 14/27

    DLL Injection

    Diagram:

    My Process (holds MyDLL.dll)  -->  Target Process
      path handed over:  C:\MyDLL.dll
      Kernel32.dll: LoadLibraryW()  -->  MyDLL.dll now loaded in the Target Process

  • 15/27

    Demo #2: DLL Injection

  • 16/27

    Buffer Overflow

    Know what kills you. ~ Dr. Ang

  • 17/27

    A Little History

    November 2, 1988

    MIT

    Cornell University

    Robert Tappan Morris (rtm)

  • 18/27

    RTM

  • 19/27

    The Morris Worm

    Generally considered the first computer worm

    One of the first worms to spread via the internet

    Attacked UNIX systems

    Exploited a buffer overflow in fingerd (the finger daemon)

  • 20/27

    The Stack (diagram, higher memory at the top)

    Higher Memory
      ..
      Param 2
      Param 1
      Return Address
      Frame Pointer (EBP)
      Locals
    Lower Memory

  • 21/27

    Buffer Overflow (diagram, same frame layout as the previous slide)

    Higher Memory
      ..
      Param 2
      Param 1
      Return Address
      Frame Pointer (EBP)
      BYTE buff[8]          (local; bytes past buff[8]+8 spill upward into EBP and the return address)
    Lower Memory

    Source: BYTE content[16], passed as an LPBYTE with a length of 16. Copying all 16 bytes into the 8-byte buff overruns the buffer by 8 bytes.

  • 22/27

    Buffer Overflow

    int WINAPI MessageBox(
        __in_opt HWND hWnd,
        __in_opt LPCTSTR lpText,
        __in_opt LPCTSTR lpCaption,
        __in     UINT uType
    );

  • 23/27

    Overwriting The Stack (diagram)

    Frame before the overflow (higher memory at the top):
      ..
      Param 2
      Param 1
      Return Address
      Frame Pointer (EBP)
      Locals

    Frame as labelled after the overflow:
      Return Address            -> MessageBoxA
      MessageBoxA's return      -> Pwned
      hWnd                      -> 0
      lpText                    -> _lpszMessage
      lpCaption                 -> _lpszTitle
      uType                     -> MB_OK | MB_ICONSTOP

  • 24/27

    Stack Buffer Overflow Exploit (call and return flow)

    InfiltratorLib.dll   -- call -->        BuggyCallProc()   (BuggyLib.dll)
    BuggyCallProc()      -- return to -->   MessageBoxA()     (user32.dll)
    MessageBoxA()        -- return to -->   Pwned()           (InfiltratorLib.dll)
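    The diagrams above show 16 bytes of content copied into an 8-byte local buff, with the excess landing on the saved frame pointer and return address. The following C is an added example, not code from the deck or its demos: it places that unchecked copy beside a bounded one, annotated with the SAL macros the deck's reference slide points to, and reports how many bytes an oversized copy would write past the buffer. The names BuggyCallProc, SafeCallProc, copy_bounded, bytes_past_end and demo_safe_copy are my own, and the 16-byte input is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SAL annotations (see the deck's reference slide) are understood by the
 * Microsoft compiler and its static analyzer; on other compilers they are
 * defined away here so the file still builds. */
#ifdef _MSC_VER
#include <sal.h>
#else
#define _Out_writes_bytes_(n)
#define _In_reads_bytes_(n)
#endif

typedef unsigned char BYTE;

/* Constructed example of the pattern in the slide's diagram (the function
 * names are illustrative, not from the deck): an 8-byte local buffer filled
 * from a caller-supplied length. memcpy never consults sizeof buff, so with
 * len == 16 the last 8 bytes land past buff[8], where the saved frame
 * pointer and return address sit. Only well-defined when len <= 8. */
int BuggyCallProc(const BYTE *content, size_t len)
{
    BYTE buff[8];
    memcpy(buff, content, len);          /* no check against sizeof buff */
    return buff[0];
}

/* Hardened copy: bounded by the destination size, with annotations that give
 * the analyzer the pointer/length relationship. Returns 0 on success and -1
 * when the input does not fit; nothing is written in that case. */
int copy_bounded(_Out_writes_bytes_(dst_size) BYTE *dst, size_t dst_size,
                 _In_reads_bytes_(src_len) const BYTE *src, size_t src_len)
{
    if (dst == NULL || src == NULL)
        return -1;
    if (src_len > dst_size)              /* 16 > 8: refuse the copy */
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}

/* Same shape as BuggyCallProc, but the copy cannot leave buff. */
int SafeCallProc(const BYTE *content, size_t len)
{
    BYTE buff[8];
    if (copy_bounded(buff, sizeof buff, content, len) != 0)
        return -1;                       /* oversized input rejected */
    return buff[0];
}

/* Bytes of a src_len copy that would land beyond a dst_size buffer
 * (0 when it fits). For the slide's numbers, 16 into 8, this is 8. */
size_t bytes_past_end(size_t dst_size, size_t src_len)
{
    return src_len > dst_size ? src_len - dst_size : 0;
}

/* Exercises the hardened path with a constructed 16-byte input. Returns 1
 * when 16 bytes are rejected and 8 bytes are accepted, 0 otherwise. */
int demo_safe_copy(void)
{
    BYTE content[16];
    memset(content, 'A', sizeof content);
    int rejected = SafeCallProc(content, 16) == -1;
    int accepted = SafeCallProc(content, 8) == 'A';
    return rejected && accepted;
}

int main(void)
{
    printf("bytes past the end of buff[8] for a 16-byte copy: %zu\n",
           bytes_past_end(8, 16));
    printf("hardened copy rejects 16 bytes and accepts 8: %s\n",
           demo_safe_copy() ? "yes" : "no");
    return 0;
}
```

    The program only ever runs the bounded path; BuggyCallProc is kept as the "before" form and would be undefined behaviour with the 16-byte input. Under MSVC the SAL annotations let the analyzer reason about the length passed with each pointer, and the strsafe.h functions from the same reference slide apply the same bounded-copy discipline to strings.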

  • 25/27

    Demo #3: Stack Buffer Overflow

  • 26/27

    References

    banned.h: http://msdn.microsoft.com/en-us/library/bb288454.aspx

    Strsafe.h: http://msdn.microsoft.com/en-us/library/windows/desktop/ms647466(v=vs.85).aspx

    SAL Annotations: http://msdn.microsoft.com/en-us/library/ms235402(v=vs.80).aspx

  • 27/27

    Thank You. Q&A