introduction to binary exploitation


Upload: cysinfo-cyber-security-community

Post on 12-Apr-2017


An Intro to Binary Exploitation

Aswin M Guptha (@aswinmguptha)

$whoami

BTech 2nd year Undergraduate, Amrita University

Regular CTF Player, Team bi0s

Focus on Binary Exploitation, Web Exploitation

Aim

Give you a better understanding of mechanism of software exploitation

Prepare you to identify the vulnerabilities in program source codes

Help you understand HOW and WHY of exploit mitigation technologies

We will cover a few key concepts deeply

Course Outline

Basic Stack overflows

Shell code injection

Other vulnerability scenarios

Recognizing vulnerability

Exploit mitigation technologies

Why?

Found by the late 90s

Still relevant? The 2016 scenario

Your weakness, my strength

Let's get down to business

What is our Goal?

Arbitrary code execution

Example

Forcing binary to give root access over the internet!

Forcing an administrator-privileged process to execute normally

First Attempt,

But this worked in movies...

Real life

We don't know the password, and it is really hard to guess, too.

There is a function which gives shell.

What if we could change the flow of execution and execute that function ?

means what???

Process Memory Organization

Contents of an assembly file:

Executable section: TEXT - the actual code that will be executed

Initialized data: DATA - global variables

Uninitialized data: BSS

Local variables

x86 Review

Function call

Returning after a function call

Instruction pointer

Stack

The Stack

    ...
    push j
    push i
    call add
    add esp, 0x8
    ...
add:
    mov eax, [esp+0x4]
    mov ebx, [esp+0x8]
    add eax, ebx
    ret

Memory

0XDEADBEEF

Buffer Overflow

    #include <stdio.h>   /* header name lost in extraction; stdio.h assumed */

    int main()
    {
        char buffer[16];
        int var;
    }

Stack frame of main(), from the bottom of memory (top of stack) to the top of memory (bottom of stack):

    buffer   16 bytes
    var       4 bytes
    sfp       4 bytes   (saved frame pointer)
    ret       4 bytes   (return address)

Buffer Overflow

Let's do some challenges:

#1 overwrite

#2 validate

Buffer Overflow

    #include <string.h>

    void function(char *str)
    {
        char buffer[16];
        strcpy(buffer, str);   /* no bounds check: copies until a NUL byte */
    }

    int main()
    {
        char large_string[256];
        int i;
        for (i = 0; i < 255; i++) {
            large_string[i] = 'A';
        }
        function(large_string);
    }

Buffer Overflow

Stack frame of function() after the strcpy(), from the bottom of memory (top of stack) to the top of memory (bottom of stack):

    buffer   16 bytes   AAAAAAAAAAAAAAAA
    sfp       4 bytes   AAAA
    ret       4 bytes   AAAA
    *str      4 bytes   AAAA

The return address is overwritten with AAAA (0x41414141)

Thus the function exits and goes to execute the instruction at 0x41414141

This results in a SegFault.

So what???

(Diagram axis: bottom of memory / top of stack at the buffer end; bottom of stack / top of memory at the *str end.)
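The page shows how the unbounded strcpy() in function() runs past the 16-byte buffer into sfp and ret. As an added example (not from the slides; copy_checked, check_copy_len and demo are my own names), here is a bounded copy that refuses input which does not fit the buffer, tried against the slides' 255-byte string of 'A's:

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 16   /* same size as the buffer in the slides' function() */

/* Hardened replacement for strcpy(buffer, str): never reads or writes
 * more than bufsz bytes and always NUL-terminates.
 * Returns 0 on success, -1 when str (plus its NUL) would not fit. */
int copy_checked(char *buffer, size_t bufsz, const char *str)
{
    size_t len = 0;
    while (len < bufsz && str[len] != '\0') {   /* bounded length scan */
        len++;
    }
    if (len >= bufsz) {
        return -1;   /* len + 1 bytes needed, only bufsz available */
    }
    memcpy(buffer, str, len + 1);   /* includes the terminating NUL */
    return 0;
}

/* Build a string of n 'A's (n < 256) and try to copy it into a
 * BUFSZ-byte buffer; returns copy_checked()'s result. */
int check_copy_len(size_t n)
{
    char large_string[256];   /* constructed input, as in the slides */
    char buffer[BUFSZ];
    memset(large_string, 'A', n);
    large_string[n] = '\0';
    return copy_checked(buffer, sizeof buffer, large_string);
}

/* Returns 1 when the 255-byte input is rejected and a short one is
 * copied intact, 0 otherwise. */
int demo(void)
{
    char buffer[BUFSZ];
    int rejected = check_copy_len(255);
    int accepted = copy_checked(buffer, sizeof buffer, "hello");
    return rejected == -1 && accepted == 0 && strcmp(buffer, "hello") == 0;
}

int main(void)
{
    printf("bounded copy behaves as expected: %s\n", demo() ? "yes" : "no");
    return 0;
}
```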

Buffer Overflow

We have seen how to crash our own program by overwriting the return address of a function.

What if we could overwrite the return address with valid address ?

Let's start walking from where we stopped!!!

Buffer Overflow

Is anyone mad enough to put in a function which gives a shell so easily?

So what is the use of this?

There comes shellcode injection

Shellcode

List of crafted instructions

Executed once the code is injected to a running application.

Shellcode

Properties of a shellcode?

Should be small enough to fit in the buffer

Shouldn't contain any null characters

Shouldn't refer to the data section

Shellcode

What's next? Okay, we know what a shellcode is, now what?

Put a shellcode into the buffer

Fill the rest of buffer with junk

Overwrite saved eip to point to buffer

Shellcode

Ready, Set, Go

The battle continues...

RET2LIBC

ROP

Format String Vuln.

Heap Vuln. And so on...

What's next?

Google is your best friend!

Smashing The Stack For Fun And Profit, by Aleph One

And YES, CTFs!

In a nutshell

Changing flow of execution: Buffer overflow

Injecting your vuln code: Shellcode Injection

Vuln detection and prevention

Rest I leave to you,
Good luck!

Queries?
Ping @aswinmguptha

Becoming Stronger!

NX: Segments are either executable or writeable, but NOT both

ASLR: Address Space Layout Randomization

Canary, PIE: Stack protectors