This document discusses binary exploitation techniques, specifically buffer overflows. It begins with an overview of program memory sections like the stack, heap, data, and text. It then covers security options like RELRO, stack canaries, and ASLR that aim to prevent exploits. Finally, it dives into buffer overflows, explaining how overflowing a buffer can overwrite the return address on the stack to redirect program flow and potentially execute shellcode to get remote code execution. The goal of "pwn" techniques is to leverage program vulnerabilities to gain control of the target system.

1. redhung@hung.red
TA-LESSON @ INFORMATION SECURITY
— BINARY EXPLOITATION ( PWN )

2. >_ ECHO `WHOAMI`
Interning at CHT Security Co., Ltd.
CTF Player
Woof Woof Pwning dog 🐶
Focusing on Reversing, Pwning

3. >_ CAT ./OVERVIEW
What Is
Pwn
Program
Section
Security
Options
Buffer
Overflow
0x0
0x1
0x2
0x3

4. What is Pwn

5. >_ WHAT IS PWN
Start EndInput Output
簡單來說，控制程式流程，進而達到我們的目的，稱之為Pwn
藉由使用者輸入(Input)的地方來輸入偽造好的Payload
藉由螢幕輸出(Output)的地方來Leak程式資訊

6. >_ WHAT IS PWN
Start
Segmetation
FaultInput Output
藉由惡意的輸入來導致程式Crash
則代表此程式有⼈人為疏漏的地⽅方，例例如陣列列邊界超越、指標釋放後未清除
攻擊者則藉由這些漏洞洞來來構造完整的Payload進⾏行行攻擊

7. >_ WHAT IS PWN
Start
Get
Shell !!
Input Output
攻擊者想要的並不只是讓程式Crash
攻擊者的最終⽬目的是藉由程式漏洞洞來來獲取運⾏行行程式的主機控制權
經由⼀一個漏洞洞來來讓我們串串起攻擊鍊鍊，從運⾏行行程式突破到主機內部

8. Program Section

9. >_ PROGRAM SECTION
Stack
Heap
BSS
Data
Text
Stack
Heap
BSS
Data
Text

10. >_ PROGRAM SECTION
Stack
Heap
BSS
Data
Text
Text
存放程式碼
可讀、不可寫、可執⾏行行
( r - x )

11. >_ PROGRAM SECTION
Stack
Heap
BSS
Data
Text
Data
存放初始化過的
全域變數或區域靜態變數
E.g. int i = 1;

12. >_ PROGRAM SECTION
Stack
Heap
BSS
Data
Text
BSS
存放未初始化過的
全域變數或區域靜態變數
E.g. int i;

13. >_ PROGRAM SECTION
Stack
Heap
BSS
Data
Text
Heap
動態分配的記憶體空間
Malloc()、Free()
由低位址往⾼高位址長

14. >_ PROGRAM SECTION
Stack
Heap
BSS
Data
Text
Stack
存放區域變數、
參參數、return address
由⾼高位址往低位址長

15. >_ PROGRAM SECTION
Stack Frame
Local variables
saved rbp
canary
return address
Stack存放了了許多重要資訊
因此在Pwn的領域中
玩轉Stack是⼀一項非常重要
的技術

16. >_ PROGRAM SECTION
Stack Frame
0x0 (num)

17. >_ PROGRAM SECTION
Stack Frame
0x0 (num)
return address (num = num+1)

18. >_ PROGRAM SECTION
Stack Frame
0x0 (num)
return address (num = num+1)
saved rbp
canary

19. >_ PROGRAM SECTION
Stack Frame
0x0 (num)
return address (num = num+1)
saved rbp
canary

20. >_ PROGRAM SECTION
Stack Frame
0x0 (num)

21. Security Options

22. >_ SECURITY OPTIONS
RELRO
Stack Canary
NX ( No-Execute )
PIE
ASLR

23. >_ SECURITY OPTIONS
RELRO — RELocation Read Only
Level : No / Partial / Full
No RELRO — Link map 可寫 、 GOT 可寫
Partial RELRO — Link map 不可寫、GOT可寫
Full RELRO — Link map 不可寫、GOT不可寫

24. >_ SECURITY OPTIONS
Stack Canary
在 SAVED RBP 之前塞⼀一個隨機的值，
在 return 前檢查是否⼀一致，
不⼀一致的話則將此次 input abort，並結束程式

25. >_ SECURITY OPTIONS
NX — No execute
⼜又稱 DEP (Data Execution Prevention)
可寫的不可執⾏行行，可執⾏行行的不可寫

26. >_ SECURITY OPTIONS
PIE — Position Independent Executable
開啟時，Data段以及Text段位址隨機化
關閉時，Data段以及Text段位址固定

27. >_ SECURITY OPTIONS
ASLR — Address Space Layout Randomization
記憶體位址隨機變化
每次執⾏行行時，Stack、Heap、libc的位址都不⼀一樣
ASLR是系統設定，並不是程式設定

28. Buffer Overflow

29. >_ BUFFER OVERFLOW
當程式沒有限制使⽤用者輸入，
⽽而使⽤用者輸入超出字元陣列列的範圍，
即造成Buffer Overflow

30. >_ BUFFER OVERFLOW
Local variables
saved rbp
canary
return address

31. >_ BUFFER OVERFLOW
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
saved rbp
canary
return address

32. >_ BUFFER OVERFLOW
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA

33. >_ BUFFER OVERFLOW
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
CRASHED

34. >_ BUFFER OVERFLOW
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
System(/bin/sh)

35. >_ BUFFER OVERFLOW
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
AAAAAAAAAAAAA
System(/bin/sh)
GET SHELL !!

36. LAB

37. THANK YOU!
redhung@hung.red
r3dhun9 @r3dhun9 Philip Chen