Tuesday, 13 November 2018

Craziest thing I did as a freelancer?

Craziest thing I did as a freelancer? I rejected my placement offer to join the other company.

Long story: Back in my last semester of college I was contacted by a guy from US who was CEO of a storage device startup. He wanted me to develop a compiler for their in-house built micro-controller. I was new to freelancing, but work was too amazing to say no. I accepted it. Thus the contract was made and both parties agreed on work to be delivered. It was somewhere around 15-20 weeks contract. I had ton of work to do so I started.

Thing was going smother than I was expecting, as the guy was very friendly and always clear on the requirements. Obviously, there was some issues with working in 12 hr difference in timezone but it all worked out.

I completed the compiler code, tested it and finally delivered on time. Their engineering team completed testing and as I was expecting, I passed all the requirements / tests which they were expecting. Their team liked my work a lot and I received a ton of appreciation. Things couldn't be better. Finally payment was made and contract was ended.

So what could possibly go wrong? Well a second contract was made just in case some issue happens in the compiler in future then I will have to be available to fix it. That's totally fine, as duration of that contract wasn't that long. we all agreed.

One day I was randomly playing around with compiler and ran few tests. Guess what? It crashed badly with no sign of easy patch to fix it. I did a mistake while developing parser. There was no easy fix; even though it isn't easy to hit that case but there is no workaround too fix it. I wasn't sure what should I do. Should I report it immediately? I wasn't sure, I tried working on it, but it was taking too much time to fix it. I didn't had that much time. Contract was about to end, I was soon going to join a company after my finals in college. I have to prepare for the finals too >.<

On the other hand, my contractor was so happy from my work that he wanted to hire me and work on some other projects. Why hire? because I wouldn't be available as a freelancer after joining the other company. I wasn't sure that time, if I want to leave my current offer to join this company. On the other hand I knew there was a major bug in the code that I have to fix, I can't leave it hanging and wait until it becomes a big issue. Oh! I forget to tell that my joining date to other company was in less than 3 weeks.

I still thought I can pull off the work in 3 weeks and deliver the patch; And on the other hand my contractor wanted to hire me at any cost. You can't make a decision in pressure right? He might have guessed that, he asked me to meet visit Bangalore office. I flew to Bangalore on the other day and visited company's office to talk to engineering team. That was one hell of impressive trip! I have never seen people so passionate about the work they are doing.

And so, I happily accepted the offer and joined the company. First thing I did? Fixed the compiler, obviously. Since then I feel excited everyday to work on the things I have been assigned, It is simply amazing!

I ❤ coding!

Saturday, 17 February 2018

Buffer overflow vulnerability

Stack overflow and Buffer overflow are very interesting vulnerabilities, basically if exploited correctly; Hacker could gain complete access to program or machine. This class of vulnerability is also hard to exploit.

Today, In this post I will show few examples of buffer vulnerability, take an example program and then exploit it. Let's first jump to what is buffer overflow?

 void echo()  
   char msg[100];  
   scanf("%s", msg);  
   printf("echo: %s\n", msg);  

Looks good right? How can someone hack this program? And even if they can, what can they do with it?

scanf doesn't know the size of buffer, if a user enters a string more than 100 chars (or even 100), code will corrupt program's stack. So what? program might crash? yep, it will. But a perfect exploit can a do lot with this. Let me give you an example, you have a webserver running an echo service something like that. Because most of time webservers are running as a root program. Hacker can enter a malicious message that let hacker control your root "shell". Hacker will run arbitrary commands on your web server with root privilege. Woah! Practically, Hacker can do anything after that.

How the hackers do that? To understand working of the concept we need to jump into machine's code. I am assuming intel x86 cpu (32bit).

     push    ebp  
     mov    ebp, esp  
     sub    esp, 136  
     lea    eax, [ebp-108]  
     mov    DWORD PTR [esp+4], eax            ; *msg
     mov    DWORD PTR [esp], OFFSET FLAT:LC0  ; "%s\0"
     call    _scanf  
     lea    eax, [ebp-108]  
     mov    DWORD PTR [esp+4], eax            ; *msg
     mov    DWORD PTR [esp], OFFSET FLAT:LC1  ; "echo: %s\12\0"
     call    _printf  
command: gcc -S main.c -m32 -masm=intel

As expected, compiler make room for "char msg[100]" on stack and then pass pointer to this array on stack along with pointer to format string and then call "_scanf" function. Let's look at user's stack

 <-- caller's program counter -->  
 <--       EBP (4 bytes)      -->    ; push ebp  
 <--  empty room (136 bytes)  -->    ; sub esp, 136  

It looks like compiler allocated extra space on stack for optimization reason (stack alignment). Next instruction in series is interesting because it tell us about location of "msg" on stack.

 lea  eax, [ebp-108]  

lea stands for load effective address, so basically "eax = ebp - 108", eax contains pointer to msg because this is passed as the second argument while calling _scanf. Great! so we know out of 136 bytes, higher 108 bytes is for msg. Now our stack looks something like this

 <-- caller's program counter -->  
 <--       EBP (4 bytes)      -->  
 <--      msg (108 bytes)     -->  
 <--  empty room (28 bytes)   -->  

if a user enters 108 bytes of data in input, it will overwrite EBP pointer on the stack which will crash program later but what if we overwrite caller's program counter? Look at last few instructions


"leave" is short-hand for:
     mov esp, ebp  
     pop ebp  
exactly opposite of first few instruction where we copy esp to ebp and push ebp.

so if we have corrupted saved ebp on stack then we can control the value of ebp register after execution of "leave" instruction.

Next instruction we have is "ret", it simply pop "callers instruction pointer" and make a jump there. This is where things go interesting. We can corrupt stack and corrupt caller's saved pointer. so effectively we can control program counter and ebp (base pointer). controlling program counter is like making a jump instruction in the program with the privilege program is running with.

So, here's the exploit; we write machine code in memory that will execute "shell" using execv system call. then we corrupt base pointer and instruction pointer and make it jump to our shellcode. Awesome! after doing that we will be running a shell inside this program.