introduction to binary exploitation
TRANSCRIPT
An Intro to Binary Exploitation
Aswin M Guptha (@aswinmguptha)
$whoami
BTech 2nd year Undergraduate, Amrita University
Regular CTF Player, Team bi0s
Focus on Binary Exploitation, Web Exploitation
Aim
Give you a better understanding of the mechanism of software exploitation
Prepare you to identify vulnerabilities in program source code
Help you understand the HOW and WHY of exploit mitigation technologies
We will cover a few key concepts deeply
Course Outline
Basic Stack overflows
Shell code injection
Other vulnerability scenarios
Recognizing vulnerability
Exploit mitigation technologies
Why?
Found by the late 90s
Still relevant? The 2016 scenario
Your weakness, my strength
Let's get down to business
What is our Goal?
Arbitrary code execution
Example
Forcing a binary to give root access over the internet!
Forcing an administrator-privileged process to execute normally
First Attempt,
But this worked in movies...
Real life
We don't know the password, and it is really hard to guess too.
There is a function which gives a shell.
What if we could change the flow of execution and execute that function?
means what???
Process Memory Organization
Content of an assembly file
Executable section: TEXT. The actual code that will be executed
Initialized data: DATA. Global variables
Uninitialized data: BSS
Local variables
x86 Review
Function call
Returning after a function call
Instruction pointer
Stack
The Stack
    ...
    push j
    push i
    call add
    add esp, 0x8
    ...
add:
    mov eax, [esp+0x4]    ; first argument (i) sits just above the return address
    mov ebx, [esp+0x8]    ; second argument (j)
    add eax, ebx
    ret
Memory
0xDEADBEEF
Buffer Overflow
#include <stdio.h>

int main()
{
    char buffer[16];   /* 16-byte local buffer */
    int var;           /* 4-byte local variable */
}
Stack layout for main() (top of stack / bottom of memory first, bottom of stack / top of memory last):
    buffer   16 bytes
    var       4 bytes
    sfp       4 bytes
    ret       4 bytes
Buffer Overflow
Let's do some challenges
#1 overwrite
#2 validate
Buffer Overflow
#include <string.h>

void function(char *str)
{
    char buffer[16];
    strcpy(buffer, str);          /* no bounds check: copies until the NUL in str */
}

int main()
{
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++) {
        large_string[i] = 'A';
    }
    large_string[255] = '\0';     /* terminate so strcpy() stops after 255 bytes */
    function(large_string);
}
Buffer Overflow
After strcpy(), the whole frame is filled with 'A' (listed from top of stack / bottom of memory to bottom of stack / top of memory):
    buffer   16 bytes   AAAAAAAAAAAAAAAA
    sfp       4 bytes   AAAA
    ret       4 bytes   AAAA
    *str      4 bytes   AAAA
The return address is overwritten with AAAA (0x41414141)
Thus the function exits and goes to execute the instruction at 0x41414141
This results in a SegFault.
So what???
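As an added example (not from the slides), the page's function() is shown beside a hardened version that refuses any input which would not fit in the 16-byte buffer, so the copy can never reach sfp or ret; bounded_copy() and safe_function() are names chosen here.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 16

/* The slides' pattern: strcpy() copies until it finds a NUL, so a 255-byte
 * string runs past buffer[16] and over sfp and ret. Shown for contrast only. */
void vulnerable_function(const char *str)
{
    char buffer[BUFFER_SIZE];
    strcpy(buffer, str);
}

/* Hardened replacement: copy only if src (including its NUL) fits in dst_size.
 * Returns 0 on success, -1 if the input was rejected (dst is then "" ). */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    /* Look for the terminator only within the first dst_size bytes, so an
     * unterminated or oversized src is never scanned past the buffer size. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {
        dst[0] = '\0';                       /* leave dst in a defined state */
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* copy text plus terminator */
    return 0;
}

/* Same shape as the slides' function(), but oversized input is rejected. */
int safe_function(const char *str)
{
    char buffer[BUFFER_SIZE];
    return bounded_copy(buffer, sizeof buffer, str);
}

int main(void)
{
    char large_string[256];                  /* constructed input: 255 x 'A' */
    memset(large_string, 'A', sizeof large_string - 1);
    large_string[sizeof large_string - 1] = '\0';

    printf("short input: %d\n", safe_function("hello"));        /* 0 */
    printf("255 x 'A':   %d\n", safe_function(large_string));   /* -1 */
    return 0;
}
```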
Buffer Overflow
We have seen how to crash our own program by overwriting the return address of a function.
What if we could overwrite the return address with a valid address?
Let's start walking from where we stopped!!!
Buffer Overflow
Is anyone mad enough to put in a function which gives a shell so easily?
So what is the use of this?
There comes shellcode injection
Shellcode
List of crafted instructions
Executed once the code is injected into a running application.
Shellcode
Properties of a shellcode?
Should be small enough to fit in the buffer
Shouldn't contain any null characters
Shouldn't refer to the data section
Shellcode
What's next?
Okay, we know what a shellcode is, now what?
Put a shellcode into the buffer
Fill the rest of the buffer with junk
Overwrite the saved eip to point to the buffer
Shellcode
Ready, Set, Go
The battle continues...
RET2LIBC
ROP
Format String Vuln.
Heap Vuln.
And so on...
What's next?
Google is your best friend!
Smashing The Stack For Fun And Profit, by Aleph One
And YES, CTFs!
In a nutshell
Changing the flow of execution: Buffer overflow
Injecting your own code: Shellcode Injection
Vuln detection and prevention
Rest I leave to you,
Good luck!
Queries?
Ping @aswinmguptha
Becoming Stronger!
NX: Segments are either executable or writable, but NOT both
ASLR: Address Space Layout Randomization
Canary, PIE: Stack protectors