1. Reverse Engineering
Linux binary exploitation
"the process of analyzing a subject system to identify the system's components
and their interrelationships, and to create representations of the system in another
form or at a higher level of abstraction"
IEEE
Arcangelo Saracino
2. Who am I?
Arcangelo Saracino
Third-year Computer Science student at Uniba.
Participant in the cyberchallenge course.
Work experience (full-stack web developer):
● Aryma
● Enterprise Digital Solutions
Cybersecurity and Linux enthusiast.
Linux Day Bari 2019 speaker, on October 26th.
3. Pre-Requisites
● An Understanding of x86-64 Assembly
● Familiarity with GDB
● Familiarity with C and Python
● Familiarity with the Standard Jump to Shellcode Exploits
● ROP (return-oriented programming)
4. Assembly Language
An assembly language is any low-level
programming language in which there is a very
strong correspondence between the
instructions in the language and the
architecture's machine code instructions.
5. Assembly Language - 2
A program written in assembly language
consists of a series of mnemonic processor
instructions and meta-statements (known
variously as directives, pseudo-instructions
and pseudo-ops), comments and data.
Assembly language instructions usually
consist of an opcode mnemonic followed by a
list of data, arguments or parameters.
6. What is GDB?
GDB, the GNU Project debugger,
allows you to see what is going on
`inside' another program while it
executes -- or what another program
was doing at the moment it crashed.
7. What can GDB do?
GDB can do four main kinds of things (plus other
things in support of these) to help you catch bugs in
the act:
● Start your program, specifying anything that might
affect its behavior.
● Make your program stop on specified conditions.
● Examine what has happened, when your program
has stopped.
● Change things in your program, so you can
experiment with correcting the effects of one bug
and go on to learn about another.
8. What can GDB do? - 2
Note:
Those programs might be executing
on the same machine as GDB (native),
on another machine (remote), or on a
simulator. GDB can run on most
popular UNIX and Microsoft Windows
variants, as well as on Mac OS X.
9. Peda
PEDA - Python Exploit Development
Assistance for GDB
● Enhances the display of GDB: colorizes
and shows the disassembly, registers and
memory contents during debugging.
● Adds commands to support debugging
and exploit development.
10. C and Python Language
Why is the C language so important?
It was designed to be compiled using a relatively
straightforward compiler to provide low-level access to
memory and language constructs that map efficiently to
machine instructions, all with minimal runtime support.
Why Python in reverse engineering?
Pwntools is the answer!
11. The Standard Jump to Shellcode Exploits
You need to control EIP and you want
to jump to your shellcode.
Each technique has its own preconditions;
check which of them you can satisfy to
reach your shellcode.
Src: https://www.abatchy.com/2017/05/jumping-to-shellcode.html
12. Return Oriented Programming
Return-oriented programming (ROP) is
a computer security exploit technique
that allows an attacker to execute
code in the presence of security
defenses such as executable space
protection and code signing.
15. Classic Exploitation Technique
The binary is compiled without stack
protections: no stack canary, and the
stack is executable.
ASLR is turned off.
gcc -m32 -fno-stack-protector -zexecstack -o ./build/1_vulnerable ./src/1_vulnerable.c
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
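An added example, not from the slides, to verify the state of the two settings these commands change: it reads the PT_GNU_STACK program header of an ELF64 file (the flag -zexecstack sets its PF_X bit) and reads back randomize_va_space. The function names are the example's own and it assumes Linux with /proc mounted.

```c
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not from the slides (Linux, ELF64 only). Returns 1 if the
 * stack is marked executable, 0 if not, -1 on error. -zexecstack sets PF_X on
 * the PT_GNU_STACK header; with no such header the loader has historically
 * assumed an executable stack, so that case is reported as 1 too. */
int stack_is_executable(const char *path) {
    Elf64_Ehdr eh;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (read(fd, &eh, sizeof eh) != (ssize_t)sizeof eh ||
        memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64) {
        close(fd);
        return -1;
    }
    int result = 1;  /* no PT_GNU_STACK seen yet */
    for (int i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        off_t off = (off_t)eh.e_phoff + (off_t)i * eh.e_phentsize;
        if (lseek(fd, off, SEEK_SET) != off ||
            read(fd, &ph, sizeof ph) != (ssize_t)sizeof ph) { result = -1; break; }
        if (ph.p_type == PT_GNU_STACK) { result = (ph.p_flags & PF_X) ? 1 : 0; break; }
    }
    close(fd);
    return result;
}

/* Reads back the knob the echo line sets: 0 = ASLR off, 1 = partial,
 * 2 = full (also randomizes brk). Returns -1 if the file cannot be read. */
int aslr_level(void) {
    int level = -1;
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f) return -1;
    if (fscanf(f, "%d", &level) != 1) level = -1;
    fclose(f);
    return level;
}

int main(void) {
    /* /proc/self/exe is this program itself, built with the toolchain defaults */
    printf("executable stack: %d\n", stack_is_executable("/proc/self/exe"));
    printf("ASLR level: %d\n", aslr_level());
    return 0;
}
```

Run it against ./build/1_vulnerable after the gcc line above to see the stack reported as executable.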
17. ASLR
Address Space Layout Randomization
is a memory-protection technique for
operating systems (OSes) that guards
against buffer-overflow attacks by
randomizing the locations where
system executables are loaded into
memory.
18. NX
The No-Execute bit is a technology used in
CPUs to segregate areas of memory
for use by either storage of processor
instructions or storage of data.
In OSes the technique is known as
executable space protection and is used
to prevent certain types of malicious
software from running.
19. Stack Canary
Stack canaries are used to detect a stack
buffer overflow before execution of malicious
code can occur.
This method works by placing a small integer,
the value of which is randomly chosen at
program start, in memory just before the
saved return pointer on the stack. To overwrite
the return pointer, an overflow must also
overwrite the canary, and the canary is checked
for changes before a routine uses the return
pointer on the stack.
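An added example, not from the slides, that models the frame layout the slide describes: a buffer, then the canary, then the saved return address, with the epilogue check that fires when the canary has changed. The struct, the canary value and the function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: a miniature model of the frame that
 * -fstack-protector produces. The buffer lies below the canary, which lies
 * below the saved return address, so an overflow that reaches the return
 * address has to pass through the canary first. */
struct frame {
    char     buf[16];    /* local buffer the function writes into */
    uint64_t canary;     /* per-process random word placed after the buffer */
    uint64_t saved_ret;  /* stands in for the saved return address */
};

/* Hypothetical canary value. glibc picks one at process start and keeps the
 * low byte zero so that C string functions stop copying when they reach it. */
static const uint64_t CANARY = 0x1f2e3d4c5b6a7900ULL;

/* Prologue: store the canary below the return address. */
static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY;
    f->saved_ret = 0x400a00ULL;  /* constructed stand-in for a code address */
}

/* Epilogue: 1 if the canary is intact and the return may proceed, 0 if the
 * frame was smashed, which is where __stack_chk_fail() would abort. */
static int frame_check(const struct frame *f) {
    return f->canary == CANARY;
}

/* Write `len` bytes of 'A' at the start of the frame, as an unchecked copy
 * would, and report what the epilogue check sees. memset writes raw bytes
 * over the whole object, so the model stays well-defined C. */
int check_after_write(size_t len) {
    struct frame f;
    frame_init(&f);
    if (len > sizeof f) len = sizeof f;   /* stay inside the object */
    memset(&f, 'A', len);
    return frame_check(&f);
}

int main(void) {
    printf("16 bytes: %s\n", check_after_write(16) ? "intact" : "smashed");
    printf("17 bytes: %s\n", check_after_write(17) ? "intact" : "smashed");
    printf("32 bytes: %s\n", check_after_write(32) ? "intact" : "smashed");
    return 0;
}
```

Writing exactly 16 bytes fills the buffer and passes; the 17th byte lands on the canary's zero low byte and the check fails before the return pointer is ever used.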
20. Bypass NX with ROP
ROP chain: a chain of gadgets (short chunks
of instructions, each ending in a return) found
in the binary or its libraries, used to execute a
syscall or call a library function.
Tools: ROPgadget, ropper
21. Bypass ASLR/NX with Ret2PLT
PLT stands for Procedure Linkage
Table which is, put simply, used to call
external procedures/functions whose
address isn't known at link time
and is left to be resolved by
the dynamic linker at run time.
22. Bypass ASLR/NX with GOT Overwrite
GOT stands for Global Offset Table
and is similarly used to resolve
addresses.