Welcome to the module on application attacks. This module will deal with typical threats that are representative of the perils that jeopardize modern applications.

First we'll take a look at three of the most widespread attacks.

The first exploits a buffer overflow vulnerability. This type of attack aims to take over, or control, the execution of a program run by a user. It exploits a flaw in an application that causes it to react, when given certain kinds of input, in ways the developers did not provide for.

The second class of the most prevalent application attacks is query manipulation, or SQL injection. Most modern applications are in fact database-backed: the majority of them store configuration data or working data that is subsequently processed on servers. We are not talking here strictly about database servers. The servers don't even have to be separate services; in-process servers, servers that are launched by the application itself, have gained popularity. They are still classed as database servers, however, and the application still communicates with them by sending queries.

The third type is cross-site scripting. This attack has been ranked as the most popular threat for years now. Cross-site scripting relies on inserting code on a web site, or in a modified link to a web site, in the hope that visitors will run the code. This hope is not without grounds.
Web browsers follow a protocol, and according to that protocol a browser should interpret all the data that a web server sends to it and execute or render it in the correct way. That data can also include code that is not stored directly on the page.

We'll start with the buffer overflow. The general idea of this attack is that it should enable attackers to take control over a program; a perfect scenario would have the program execute the attacker's code. The attacker doesn't need access to the program's source code. The best outcome would be not only to modify the program but also to force it to execute arbitrary operations prepared by the attacker.

Some questions come up at this point. First, how can you change the operation of a program that is compiled? We are referring here to languages like C and C++, languages where the code is first compiled to a binary and only then distributed. You can't change the code of such programs directly, but you can control their execution. This is possible because, to an operating system, a PC, or a processor, program code is no different from data. It is simply strings of zeros and ones loaded into memory somewhere. It's the interpretation of those zeros and ones that matters.

A buffer overflow attack might take the following form.
We have a compiled program, for example an .exe file, and want to run it. The program has to be loaded into memory, and the operating system allocates a place on the stack for it, since it has to control the program in some way. The stack will contain the program's function frames and saved control register values. The registers involved include ESP, which points to the top of the stack and therefore to the data of the currently executing function, and EIP, which holds the address of the instruction currently being executed, as we'll see in a moment.

Apart from the program's data, the stack also holds data pertaining to program execution: the values of local variables and of function call arguments. This is crucial. Note that program control structures and user data structures meet in one buffer area; user data is the input fed into the program.

Let's take a look at a graphical representation of this. We have a sample function that expects a string and operates on a pointer to that string. The length of the string is assumed rather than checked, which can cause problems: the assumption is that it will be 128 bytes. What will happen, though, if the data exceeds that size? We've prepared 128 bytes of space on the stack. What is going to happen if the user submits a longer string than assumed? The data will overflow the buffer and consequently overwrite the other stack areas.
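The following C program is an added example and is not code from the lecture. It models the situation just described: a 128-byte buffer sitting below the saved frame pointer and the return address, a function that copies input without checking its length, and the hardened form of the same function. The struct `frame`, the filler bytes, and the placeholder value `LEGITIMATE_RETURN` are all assumptions made for this illustration; a real compiler lays out the frame itself, and this struct only fixes the order the lecture sketches so the overwrite can be observed deterministically.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128                       /* the 128-byte buffer the lecture assumes */
#define LEGITIMATE_RETURN ((uintptr_t)0x1000)  /* made-up stand-in for the caller's address */

/* Model of the stack frame: buffer first, then the saved frame pointer, then
 * the return address. Constructed for this example, not a real compiler layout. */
struct frame {
    char      buf[BUF_SIZE];
    uintptr_t saved_fp;   /* saved caller frame pointer, directly above buf */
    uintptr_t ret_addr;   /* return address: where control goes when the function returns */
};

/* The flawed function: copies whatever length it is given into the buffer.
 * The destination is f->buf (offset 0 in the frame). Writing through the frame
 * pointer keeps the model in well-defined C while still letting the copy spill
 * into saved_fp and ret_addr whenever len > BUF_SIZE. */
void vulnerable_copy(struct frame *f, const char *input, size_t len) {
    memcpy((char *)f + offsetof(struct frame, buf), input, len);
}

/* The hardened form: refuses input that does not fit.
 * Returns 1 if copied, 0 if rejected (the frame is left untouched). */
int bounded_copy(struct frame *f, const char *input, size_t len) {
    if (len > sizeof f->buf) {
        return 0;
    }
    memcpy(f->buf, input, len);
    return 1;
}

/* Builds the attacker's input: BUF_SIZE filler bytes for the buffer, filler for
 * the saved frame pointer slot, then the chosen target where the return address
 * lives. out must hold at least sizeof(struct frame) bytes. Returns the length. */
size_t build_overflow_input(char *out, uintptr_t target) {
    size_t pos = 0;
    memset(out + pos, 'A', BUF_SIZE);            pos += BUF_SIZE;           /* fills buf */
    memset(out + pos, 'B', sizeof(uintptr_t));   pos += sizeof(uintptr_t);  /* saved_fp slot */
    memcpy(out + pos, &target, sizeof target);   pos += sizeof target;      /* ret_addr slot */
    return pos;
}

/* Runs the overflow through the flawed copy and returns what is now in the
 * return-address slot: the attacker's target, not the caller's address. */
uintptr_t return_slot_after_vulnerable_copy(uintptr_t attacker_target) {
    struct frame f;
    char input[sizeof(struct frame)];
    size_t len;

    memset(&f, 0, sizeof f);
    f.ret_addr = LEGITIMATE_RETURN;
    len = build_overflow_input(input, attacker_target);
    vulnerable_copy(&f, input, len);
    return f.ret_addr;
}

/* Same input through the hardened copy: reports rejection via *accepted and
 * returns the return-address slot, which is still LEGITIMATE_RETURN. */
uintptr_t return_slot_after_bounded_copy(uintptr_t attacker_target, int *accepted) {
    struct frame f;
    char input[sizeof(struct frame)];
    size_t len;

    memset(&f, 0, sizeof f);
    f.ret_addr = LEGITIMATE_RETURN;
    len = build_overflow_input(input, attacker_target);
    *accepted = bounded_copy(&f, input, len);
    return f.ret_addr;
}

/* 1 if the hardened copy rejected the overlong input and left the return slot alone. */
int bounded_copy_rejects_overflow(void) {
    int accepted = 1;
    uintptr_t slot = return_slot_after_bounded_copy((uintptr_t)0x41414141, &accepted);
    return accepted == 0 && slot == LEGITIMATE_RETURN;
}

/* 1 if the hardened copy still accepts input that fits in the buffer. */
int bounded_copy_accepts_fitting_input(void) {
    struct frame f;
    const char *ok = "hello";            /* constructed, well-sized input */
    memset(&f, 0, sizeof f);
    f.ret_addr = LEGITIMATE_RETURN;
    return bounded_copy(&f, ok, strlen(ok)) == 1 && f.ret_addr == LEGITIMATE_RETURN;
}

int main(void) {
    int accepted;
    uintptr_t target = (uintptr_t)0x41414141;
    printf("vulnerable copy: return slot = 0x%lx\n",
           (unsigned long)return_slot_after_vulnerable_copy(target));
    printf("bounded copy:    return slot = 0x%lx, accepted = %d\n",
           (unsigned long)return_slot_after_bounded_copy(target, &accepted), accepted);
    return 0;
}
```

The point to take from the model is the one the lecture makes: the input and the control data share one contiguous region, so the 128 filler bytes, the saved frame pointer and the new return address are all just part of one string the user submitted. Rejecting input that does not fit, as `bounded_copy` does, is the check that keeps the return address out of the attacker's reach.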
A stack is a LIFO (last in, first out) structure. What's important in the image above is that a given area has been allocated and there is too much data for it. The data needs to be placed somewhere, so it overwrites adjacent areas that lie beyond it on the stack. Those areas were reserved for other data, for example for the values that control execution. If the program's execution reaches the point pictured above, which means that the function completes, it will try to return control to the original program. To do that it has to know the address of the function that called it, and the assumption is that this address is in the location pictured. This is no longer true: as it turns out, the area has been overwritten with other data. What that data is depends on the length of the input string and on what the input contained. As a consequence, once the function finishes, execution control does not return to the calling function but lands somewhere else instead.

The question is where. In the easiest case the parameter is not a simple string but a fragment of code that the attacker wanted to run, and the position of the code within the input was chosen specifically so that it overwrites the saved control values. At this point the program we are running executes malicious code supplied by the attacker.

Consider this potential attack scenario.
Step one in exploiting a buffer overflow flaw is to locate insertion points: a program's interface has to be able to receive data from us and return information on how it handled the data, for example prompts or error messages.

Once we've located such insertion points, we start checking whether they are vulnerable to a buffer overflow attack. We don't do this on the victim's computer, however, since we don't have control over the program there and consequently can't monitor live events and reactions to various types of input. It would also be both time consuming and easy to detect, although being detected would not be much of a real problem.

If the software is typical, for example an FTP server, we only need to install the same version of the server on our local PC. The connection is then established through a debugger, which gives us access to all the required data. Overwriting the control registers that manage program execution, for example the EIP register, is the key stage of this attack: a function's return address is the value that will be overwritten. So-called opcodes (standard operation codes) are a valuable aid here. By making use of them we won't need to find the location to overwrite by trial and error; instead we can consult a table that tells us at which fixed system address a given DLL holds the opcode we want to return to. Opcode documentation is publicly available.
In any case we need to find the end of the stack: how much has been allocated for the program on the stack. The target program should be held at the same location in main memory at all times; ideally the software should always be running on the victim's computer. This is how system services operate, as well as parts of the operating system, and so on.

You can improve your odds by padding the buffer with no-operation instructions. In this way, even if you fail to find the exact desired address, as long as the address you supplied falls somewhere in the padding before the start of your malicious code, EIP will step through the no-op instructions one after another until it slides into your executable code. This technique is known as a NOP slide, and it is a fairly common method of increasing the chance of successfully running a buffer overflow attack.

The last step is to insert the malicious code. Up to this point we have successfully controlled and monitored program execution: we know which memory address holds the return address, and we know the locations of the other addresses that we want to overwrite. Once we put an address in that location, the address we submitted should point at a fragment of code. We need to add a payload to the.
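The NOP slide described above, as an added example that is not part of the lecture. The code builds a payload consisting of a run of x86 NOP bytes (0x90) followed by a code marker, then simulates what happens when EIP lands at some guessed offset and single-steps through the bytes. The byte pattern `FAKE_CODE` is a constructed stand-in for real shellcode, the payload size of 1024 bytes is an arbitrary choice, and the simulation is of this example's own design; it does not execute anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90   /* x86 one-byte "no operation" opcode */

/* Stand-in for the attacker's code: a recognisable byte pattern, not real
 * shellcode. Constructed for this example; contains no 0x90 bytes on purpose. */
static const unsigned char FAKE_CODE[] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Writes sled_len NOP bytes followed by the code into out.
 * Returns the total payload length, or 0 if out_size is too small. */
size_t build_sled_payload(unsigned char *out, size_t out_size, size_t sled_len) {
    if (sled_len + sizeof FAKE_CODE > out_size) {
        return 0;
    }
    memset(out, NOP, sled_len);
    memcpy(out + sled_len, FAKE_CODE, sizeof FAKE_CODE);
    return sled_len + sizeof FAKE_CODE;
}

/* Simulates EIP being set to (payload start + landing_offset) and then running:
 * each NOP advances EIP by one byte and does nothing else, so EIP slides forward
 * until it reaches a byte that is not a NOP. Returns 1 if that byte is exactly
 * the first byte of the code, 0 if the guess misses (lands inside the code,
 * past it, or outside the payload altogether). */
int lands_on_code(const unsigned char *payload, size_t len, size_t landing_offset) {
    size_t eip = landing_offset;
    size_t code_start = len - sizeof FAKE_CODE;   /* the sled ends where the code begins */

    if (eip >= len) {
        return 0;
    }
    while (eip < len && payload[eip] == NOP) {
        eip++;
    }
    return eip == code_start;
}

/* Counts how many landing offsets inside the payload reach the code. With a
 * sled of N bytes there are N + 1 of them: the N NOPs plus the code start. */
size_t working_landing_offsets(const unsigned char *payload, size_t len) {
    size_t count = 0;
    size_t off;
    for (off = 0; off < len; off++) {
        if (lands_on_code(payload, len, off)) {
            count++;
        }
    }
    return count;
}

/* Builds a payload with the given sled length and returns how many guessed
 * addresses would succeed, so the effect of the sled can be compared directly.
 * Returns 0 if the sled does not fit in the (arbitrary) 1024-byte payload area. */
size_t guesses_that_succeed(size_t sled_len) {
    unsigned char payload[1024];
    size_t len = build_sled_payload(payload, sizeof payload, sled_len);
    if (len == 0) {
        return 0;
    }
    return working_landing_offsets(payload, len);
}

int main(void) {
    printf("no sled:       %zu working address guess(es)\n", guesses_that_succeed(0));
    printf("256-byte sled: %zu working address guess(es)\n", guesses_that_succeed(256));
    return 0;
}
```

Without a sled, exactly one return address works: the address of the first code byte. With a 256-byte sled, any of 257 addresses will do, which is why the lecture pairs the technique with the assumption that the program sits at a fixed location in memory: the sled only has to absorb the uncertainty in that fixed location. On systems that randomize addresses (ASLR) or mark the stack non-executable, a sled alone is not enough, and that is precisely why those mitigations exist.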