1. The document outlines an agenda for a workshop on advanced ARM exploitation. The agenda includes introductions to memory corruption, buffer overflows, format string exploitation, and techniques for bypassing exploit mitigations like DEP using return-oriented programming (ROP).
2. Practical demonstrations are provided on topics like visualizing stack corruption from buffer overflows, overwriting the instruction pointer to hijack execution, injecting and executing shellcode payloads, reading and writing arbitrary memory with format strings, and creating ROP chains to bypass DEP.
3. The speakers are introduced as security researchers and instructors specializing in areas like exploit development, malware, rootkits, and reverse engineering. Attendees are encouraged to contact
2. #whoami
● Ravi Rajput
● Chapter Lead of Null Ahmedabad
● Author at 1daylabs.ml
● Passionate and working in binary exploitation
● Ping me @infosecRavi
3. #whoami
● Himanshu Khokhar Jaat
● Independent Security Researcher
● Speaker, Instructor
● Love Exploit Development, Malwares, Rootkits
and RE
● Ping me @pwnrip
4. Agenda
1. Introduction to Memory Corruption
2. Taxonomy of Vulnerabilities
3. Introduction to Buffer Overflow
4. Practical Buffer Overflow Exploitation
5. Format String Exploitation
6. DEP Bypass and ROP
6. Memory Corruption
● “Memory corruption occurs in a computer program when the contents of a memory location are
modified due to programmatic behavior that exceeds the intention of the original programmer or
program/language constructs; this is termed violating memory safety. The most likely cause of
memory corruption is programming error.” - Wikipedia
● Usually, the software crashes as the state of execution has been corrupted.
● In some cases, it can be leveraged to control execution of the program.
● This is what we are going to do today. :)
8. Taxonomy of Vulnerabilities
● Software bugs come in many shapes and sizes, and flavors too.
● Most commonly seen bugs are:
○ Buffer Overflows
■ Stack based buffer overflow
■ Heap based buffer overflow
○ Uninitialized variable exploitation
○ Use After Free
○ Format String bugs
○ Command Injection
○ Integer Overflows
10. Introduction to Buffer Overflow
● “A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a
buffer, overruns the buffer's boundary and overwrites adjacent memory locations.” - Wikipedia
● One of the most common (and perhaps, most exploited) memory corruption bug.
● First research on exploitation of buffer overflows in 1996 by AlephOne
● Simplest case scenario is when a function does not check the size of data that is being written to
memory.
13. Exploit Mitigation Techniques on Linux
● As exploitation became more and more common, it was expected that developers will use some
kind of mitigation techniques - to either shut down the vulnerability classes or to make it harder to
exploit.
● Most common exploit mitigation techniques are:
○ SSP/ Stack Canaries - Places a random value before return address and if that is modified, aborts the process.
○ ASLR - Changes memory mapping randomly, on each execution.
○ NX/DEP - Disables code execution from memory which is not marked as executable.
○ RELRO - Relocation Read Only - Resolves dynamic symbols before execution and marks GOT as non-writable
○ PIE - makes the whole binary as Position Independent.
15. Practical Buffer Overflow Exploitation
● As we saw, we can overwrite adjacent memory location with the data of our choice.
● Since PC is saved on the stack during function calls, we can overwrite is through buffer overflow.
● If we write long enough, we will overwrite the Program Counter, which points to the next
instruction to get executed.
● Note: PC must point to a valid area in memory or the process will crash.
17. Practical Buffer Overflow Exploitation
● So far, we control the flow of execution.
● But what if we want to execute our own shellcode?
18. Practical Buffer Overflow Exploitation
● So far, we control the flow of execution.
● But what if we want to execute our own shellcode?
● We need to inject our shellcode along with the input data and then point PC to it.
21. Introduction to Format Strings
● A format string is a string that consists of format specifiers which directs the interpretation of input.
● Used by a family of functions, usually the printf family. For eg: printf, sprintf, vprintf, snprintf, etc.
23. Introduction to Format String Vulnerability
● A format string vulnerability occurs when strings are not sanitized properly and are passed to
function that use format strings.
● Attacker can craft a format string which can then be used to read data from stack, memory or write
arbitrary values in memory to control execution.
25. Reading Arbitrary Memory using Format Strings
● As we saw, we can read data from stack using %x.
● But what if the data that we intend to read is not on the stack?
● We will leverage other format specifiers to read data from specific memory locations.
27. Writing Arbitrary Memory using Format Strings
● Reading is nice, but it doesn’t let us control anything.
● What if we could change anything in memory?
● Fortunately, %n lets us write to memory, though not as simple as it seems.
30. Buffer Overflows revisited
● We already saw how to exploit buffer overflows.
● But usually, there are mitigations that protect applications from such attacks.
● DEP is one of the most common mitigation that is on by default.
● Let’s see how DEP affects our exploitation strategy.
32. DEP Bypass Strategy
● As we confirmed, we cannot execute our payload from stack.
● DEP does not allow execution of content from non-executable memory.
33. DEP Bypass Strategy
● As we confirmed, we cannot execute our payload from stack.
● DEP does not allow execution of content from non-executable memory.
● But we can still corrupt the stack.
● How can we get a shell if we cannot execute anything from stack?
35. Return Oriented Programming
● ROP works on the very simple fact that we can still control PC.
● Since we control the stack, we control PC.
● The idea is to find gadgets and use them to control execution of process.
● A gadget is a sequence of instructions followed by a return statement, pop {pc} in ARM context.