Binary Exploitation
10101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010
Quick
i386-32-little
RELRO stands for Relocation Read-Only, which makes the global offset table (GOT) read-only after the linker resolves functions to it. The GOT is important for techniques such as the ret-to-libc attack. https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro.
Stack canaries are tokens placed after a stack to detect a stack overflow. These were supposedly named after birds that coal miners brought down to mines to detect noxious fumes. Canaries were sensitive to the fumes, and so if they died, then the miners knew they needed to evacuate. On a less morbid note, stack canaries sit beside the stack in memory (where the program variables are stored), and if there is a stack overflow, then the canary will be corrupted. This allows the program to detect a buffer overflow and shut down. You can read more about stack canaries here: https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/.
NX is short for non-executable. If this is enabled, then memory segments can be either writable or executable, but not both. This stops potential attackers from injecting their own malicious code (called shellcode) into the program, because something in a writable segment cannot be executed. On the vulnerable binary, you may have noticed the extra line RWX that indicates that there are segments which can be read, written, and executed. Look into Ret2Lib https://en.wikipedia.org/wiki/Return-to-libc_attack
https://en.wikipedia.org/wiki/Executable_space_protection
PIE stands for Position Independent Executable. This loads the program dependencies into random locations, so attacks that rely on memory layout are more difficult to conduct. This also means that it won't be affected by ASLR. https://access.redhat.com/blogs/766093/posts/1975793
Address space layout randomization (ASLR)
Address space layout randomization is a technique involved in preventing exploitation of memory by randomly arranging the address space positions of key data areas of processes and the positions of the stack, heap and libraries.
0 – No randomization. Everything is static.
1 – Conservative randomization. Shared libraries, stack, mmap(), VDSO and heap are randomized.
2 – Full randomization. In addition to elements listed in the previous point, memory managed through brk() is also randomized.
https://securityetalii.es/2013/02/03/how-effective-is-aslr-on-linux-systems/
Global Offset Table (GOT)
The global offset table is a section inside a program that holds addresses of dynamically linked functions.
Most programs don't include every function they use to reduce binary size. Instead, common functions, like those in libc, are "linked" into the program.
All dynamic libraries are loaded into memory along with the main program at launch; however, functions aren't mapped to their actual code until they're first called.
After these functions are called for the first time, their real addresses are "saved" in the section of the program called .got.plt.
ASLR Bypass - Ret2lib
First is to leak the address of any function which is in libc and is being used in our binary (so it'll be saved in .got.plt). We need some function that can print values and can take a pointer as an argument. The perfect functions for this are puts and printf.
So what we can do now is to call puts and, as an argument, pass a pointer to any function that's inside .got.plt.
If we call puts and as an argument, we pass the address of the setbuf function inside of .got.plt section, then we should have leaked the real address of the sefbuf function inside a libc. And when we have this leak, we can calculate the base address of the libc.
Libc base address => Start of the c library in memory
Every time the binary is being run, the address is the same as it would have been when ASLR was turned off, and from that, we can calculate offsets for every function inside of libc.
Steps
find buffer overflow
ghidra
Find leak function
program trees -> software -> .got.plt
Find a function address used in libc or any interesting dynamic library
ROP leak chain
Popping the $RDI register for our argument
Filling the $RDI register with the address of the gets function
Executing the puts function with loaded argument
Returning to the main program with already leaked function
Buffer Overflow
Example outputs of pwntools checksec on a binary:
RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled
RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x8048000) RWX: Has RWX segments
RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000)
While fuzzing, if you see any Segmentation Fault or Stack Smashing, chances are you found a buffer overflow vulnerability. Finding it is nice but exploiting it is really the fun part.
Find overflow - Cyclic patterns
Cyclic patterns are heavily used to find buffer overflows. It helps calculating the offset easily.
Python script - Cyclic pattern + injection
Use the following python code to create a cyclic pattern, breaking at the buffer overflow, then injecting our payload (return address to arbitrary function)
The following code will do the same using TCP
Shellcode
We want to execute /bin/sh, but we want to pass 'sh' and '-p' into the argv array. We can use shellcraft to create execve shellcode with"/bin/sh" and "['sh', '-p'] Use -f s to output as an hex formatted string ready for 1nj3ct10n, us -f a for asm output
Use this code to overflow a local binary and interact with an executed shellcode
Last updated
