Chapter 6 - Exploit Development
Security risks at the application level are among the most significant, pervasive categories of security problems impacting organizations today. But traditional IT security focuses on network and perimeter-based protection, not on the application code itself. And while most development teams test their applications for functionality, performance, and integration, the lack of security testing early in the development process can have serious consequences. Failure to address security throughout the application lifecycle can result in embarrassment—or catastrophic damages like the loss of intellectual property, money, or data.
— Buffer Overflow Attacks: Detect, Exploit, Prevent, page 403
Resources
Understanding programs in memory
Anatomy of a program in memory
Epilogue: Canaries and Buffer Overflows
Intro to Assembly
Assembly Language MegaPrimer for Linux
Intro to Buffer Overflows
Intro to Buffer Overflows - Computerphile
Getting cozy with Exploit Development
Courses
Course materials for Modern Binary Exploitation by RPISEC
Resources
From Buffer Overflows to “Weird Machines” and Theory of Computation
Breaking the x86 Instruction Set
LiveOverflow's YouTube Channel
radare2 as an alternative to gdb-peda
Differential Slicing: Identifying Causal Execution Differences
Shellcoding for Linux & Windows Tutorial
Interpreter Exploitation: Pointer inference and JIT spraying
Writing JIT-Spray Shellcode for fun and profit
Bypassing memory protections: the future of exploitation
Intel
Registers
EAX - Accumulator
Holds return value usually
EBX - Accumulator
Base Calculations (Arrays, Pointers into Arrays of objects)
ECX - Count / Accumulator
EDX - Data I/O Pointer
ESI - Source index
for source of string / array operands
EDI - Destination index
for dest of string / array operands
EIP - Instruction Pointer
Points to next instruction
ESP - Stack Pointer
Points to the top of the stack
EBP - Stack Base Pointer
Points to the base of the stack
Instructions
mov - move (copy) a value into a register or memory location
jmp - jump to address
call - push the address of the next instruction (the return address) onto the stack, then jump to the address
ret - pop the top value off the stack and jump to it
push - decrement the stack pointer, then write the operand to the new top of the stack
pop - copy the value at the top of the stack into the operand, then increment the stack pointer
Buffer Overflows
Setup & Information
Check ASLR/DEP
Linux
Kali> checksec filename
Windows
C:\> Get-PESecurity -file "filename"
Disable/Enable ASLR/DEP
Linux
Kali> echo 0 > /proc/sys/kernel/randomize_va_space
Kali> echo 2 > /proc/sys/kernel/randomize_va_space
Windows
The Enhanced Mitigation Experience Toolkit
See what shared libs a program uses
Linux
Kali> ldd filename
Find hex addresses of functions/libs within a program
Linux
Kali> readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
Kali> strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
Attack Vectors
Integer-based
Socket Programming in Python and Integer Overflow
Stack-based
Overflow input to overwrite EIP with return address that leads to payload
Intro to Buffer Overflows - ch3rn0byl
Beginning Stack Based Buffer Overflows - The Grey Corner
Exploit Writing Tutorial Part 1 Stack Based Overflows
Smashing the Stack for Fun & Profit : Revived
Are Buffer Overflows on a modern system impossible?
Identifying another exploit mitigation and finding a bypass
Brute-force 32bit stack cookie
Introduction to Exploit Development - FuzzySecurity
Introduction to Linux Exploit Development - FuzzySecurity
Windows Buffer Overflow Tutorial: Dealing with Character Translation - The Grey Corner
SEH-based
Overflow input to overwrite SEH -> next SEH -> Pop pop ret
SEH Stack based buffer overflows - The Grey Corner
Stacks & Handlers & Python, oh my! - ch3rn0byl
Exploit Tutorial: Buffer Overflow – SEH Bypass
Heap-based
Overflow input to overwrite the heap with dummy data; in the 2nd chunk, overwrite the forward link with the destination and the backward link with the value
Heap Spraying Exploit Tutorial
Exploit Writing Tutorial Heap Spraying Demystified - corelan
Tracking down heap overflows with RR
The Heap: What does malloc() do?
The Heap: How to exploit a Heap Overflow
Double-free
Memory freed twice, corrupting the heap memory manager.
1) chunk must be isolated (no freed adjacent chunks)
2) destination free list bin must be empty
Forward/backward pointers both point to the base of the heap, and the heap points back to the node (self-referential), giving an infinite loop (unlink fails)
Deprecated technique, but it still works with some creativity
If the heap falls into this state, you may be able to leverage a use-after-free or another buffer overflow.
The Heap: How do use-after-free exploits work?
The Heap: dlmalloc unlink() exploit
Exploring pwnable with ltrace and gdbinit script - Exploitation part 1/2
Use-after-free and overwrite entry in GOT - Exploitation part 2/2
Memory Corruption
Using memory corruption to leak sensitive data
Fuzz the inputs and observe all possible changes in the program
Note any oddities and changes (especially a dump of bytes! ;))
Blind Buffer Overflow exploitation to leak secret data
Return to libc
Doing ret2libc with a Buffer Overflow because of restricted return pointer
BUFFER OVERFLOW PRIMER PART 8 (RETURN TO LIBC THEORY)
The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
PLT and GOT - the key to code sharing and dynamic libraries
Bitflip
Rowhammer Attacks: An Extended Walkthrough Guide
Exploiting the DRAM rowhammer bug to gain kernel privileges
SIGRETURN Oriented Programming
Sigreturn Oriented Programming is a real Threat
Jump Oriented Programming
Jump-Oriented Programming: A New Class of Code-Reuse Attack
Return Oriented Programming
64-bit Linux Return-Oriented Programming
Return Oriented Exploitation (ROP)
An introduction to the Return Oriented Programming and ROP chain generation
Return-Oriented-Programming (ROP FTW)
DEP & ROP: Modern Binary Exploitation
ROP is Still Dangerous: Breaking Modern Defenses
Return oriented programming - Wikipedia
Introduction to return oriented programming (ROP)
The need for a POP POP RET instruction sequence
Intro to ROP: ROP Emporium — Split
OptiROP: hunting for ROP gadgets in style
Introduction to return oriented programming (ROP)
Return-Oriented Programming without Returns
Blind Return Oriented Programming (BROP)
EggHunting
The art of searching memory
EggHunting Sorcery - ch3rn0byl
Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump
Security Mechanisms
Stack Canaries/Cookies
Buffer Overflow Protections (Canaries) - Wikipedia
Mitigating Buffer Overflow Attacks with Stack Cookies
Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
Linux GLibC Stack Canary Values
NX/DEP
Executable Space Protection - Wikipedia
Can MPROTECT set the stack itself as executable? - StackExchange
ASLR
Exploit Dev 101: Bypassing ASLR on Windows
Simple ASLR/NX bypass on a Linux 32 bit binary - Decoder's Blog
Linux ASLR integer overflow: Reducing stack entropy by four
Bypassing ASLR by predicting a process’ randomization
Information Disclosure
Format Strings
Resources
%d, %i - signed decimal
%u - unsigned decimal
%o - unsigned octal
%x - unsigned hexadecimal int
%X - unsigned hexadecimal int (UPPERCASE)
%f - decimal float
%e - scientific notation
%a - hexadecimal floating point
%c - char
%s - string
%p - pointer address
%n - writes the number of bytes output so far to the int pointed to by the argument
Each specifier consumes the next argument from the stack until all are satisfied or the process segfaults
# printf
prints values on the stack in hex
printed in human-friendly form; multi-byte values appear in little-endian order
view arbitrary memory locations
move the argument pointer far enough forward to point within the format string itself (%x chain)
printf("\xd3\x4d\xb3\x3f%x%x%x%x%s")
%s dereferences the pointer, so you get the string at that address
printf("hello%n\n", (int *)&i); // write 5 to i
printf("\xd3\x4d\xb3\x3f%x%x%x%150x%n"); // write 150 to it
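A defender-side check for the mechanism described above, added here as an example and not code from the original page: it walks a printf-style format string the way the parser does, counts how many stack arguments the conversions will consume, and flags `%n`, which is the review a practitioner applies to any format string that is not a compile-time literal. The `fmt_scan` struct and the function names are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Result of a static scan of one printf-style format string (assumed names).
 * args_consumed: variadic arguments (x86 stack slots) the conversions pull,
 *                including '*' widths/precisions; writes_memory: any %n. */
struct fmt_scan { int args_consumed; bool writes_memory; };

/* Walk the string as printf does: skip literal text and "%%", then for each
 * conversion parse flags, width, precision and length modifiers before the
 * conversion character. The "*p &&" guards stop strchr matching '\0'. */
struct fmt_scan scan_format(const char *fmt)
{
    struct fmt_scan r = {0, false};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                               /* literal percent */
            continue;
        while (*p && strchr("-+ #0", *p))            /* flags */
            p++;
        if (*p == '*') { r.args_consumed++; p++; }   /* width from argument */
        while (*p >= '0' && *p <= '9') p++;          /* literal width */
        if (*p == '.') {                             /* precision */
            p++;
            if (*p == '*') { r.args_consumed++; p++; }
            while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p))          /* length modifiers */
            p++;
        if (!*p)                                     /* truncated "%..." */
            break;
        if (*p == 'n')
            r.writes_memory = true;
        r.args_consumed++;             /* every conversion takes one argument */
    }
    return r;
}

/* Review-time or runtime policy for a format string that is not a literal:
 * no %n, and no more conversions than arguments the caller actually passed. */
bool format_is_safe(const char *fmt, int args_passed)
{
    struct fmt_scan r = scan_format(fmt);
    return !r.writes_memory && r.args_consumed <= args_passed;
}
```

Run against the `%150x%n` string above, the scanner reports five consumed arguments and a memory write, which is exactly the mismatch a compiler's `-Wformat-security` warning and this check are meant to catch.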
Remote format string exploit in syslog()
Format String to dump binary and gain RCE
Format String Exploit and overwrite the Global Offset Table
Format string exploit on an arduino
A simple Format String exploit example
From Format String Vulnerability to Remote Code Execution
Format String Exploitation-Tutorial
Deserialization
PHP
Resources
Remote code execution via PHP [Unserialize]
Java
Resources
2017 - Practical Serialization Attacks by Nicky Bloor
nodejs
Resources
Exploiting Node.js deserialization bug for Remote Code Execution