![The Stack
…....
10. push j
11. push i
12. call add
13. add esp, 0x8
……
20. add:
21. mov eax, [esp+0x4]
22. mov ebx, [esp+0x8]
23. add eax, ebx
24. ret
Memory
0XDEADBEEF](https://image.slidesharecdn.com/introtobinaryexploitation-170227102155/85/Introduction-to-Binary-Exploitation-14-320.jpg)
![Buffer Overflow
#include<stdio.h>
int main(){
char buffer[16];
int var;
}
buffer var sfp ret
Bottomofmemory
Topofstack
Bottomofstack
Topofmemory
16 4 4 4](https://image.slidesharecdn.com/introtobinaryexploitation-170227102155/85/Introduction-to-Binary-Exploitation-16-320.jpg)
![Buffer Overflow
void function(char *str){
char buffer[16];
strcpy(buffer, str);
}
int main(){
char large_string[256];
int i;
for (i = 0; i < 255; i++){
large_string[i] = ‘A’;
}
function(large_string);
}](https://image.slidesharecdn.com/introtobinaryexploitation-170227102155/85/Introduction-to-Binary-Exploitation-18-320.jpg)
Introduction to Binary Exploitation
- 1. An Intro to Binary Exploitation Aswin M Guptha @aswinmguptha
- 2. $whoami ● BTech 2nd year Undergraduate ● Amrita University ● Regular CTF Player ● Team bi0s ● Focus on Binary Exploitation, Web Exploitation
- 3. Aim ● Give you a better understanding of mechanism of software exploitation ● Prepare you to identify the vulnerabilities in program source codes ● Help you understand HOW and WHY of exploit mitigation technologies ● We will cover a few key concepts deeply
- 4. Course Outline ● Basic Stack overflows ● Shell code injection ● Other vulnerability scenarios ● Recognizing vulnerability ● Exploit mitigation technologies
- 5. Why? ● Found by the late 90s ● Still relevent? ● 2016 scenario ● Your weakness, my strength
- 6. Lets get down to business
- 7. What is our Goal? ● Arbitrary code execution ● Example ● Forcing binary to give root access over the internet! ● Forcing a administrator privileged process to execute normally
- 8. First Attempt, But this worked in movies...
- 9. Real life ● We don’t know the password, and really hard to guess it too. ● There is a function which gives shell. ● What if we could change the flow of execution and execute that function ? means what???
- 10. Process Memory Organization Content of an assembly file ● Executable section: TEXT – The actual code that will be executed ● Initialized data: DATA – Global variables ● Uninitialized data: BSS ● Local variables
- 11. x86 Review ● Function call ● Returning after a function call ● Instruction pointer ● Stack
- 12. The Stack
- 13. The Stack
- 14. The Stack ….... 10. push j 11. push i 12. call add 13. add esp, 0x8 …… 20. add: 21. mov eax, [esp+0x4] 22. mov ebx, [esp+0x8] 23. add eax, ebx 24. ret Memory 0XDEADBEEF
- 15. Buffer Overflow
- 16. Buffer Overflow #include<stdio.h> int main(){ char buffer[16]; int var; } buffer var sfp ret Bottomofmemory Topofstack Bottomofstack Topofmemory 16 4 4 4
- 17. Buffer Overflow Lets do some challenges ● #1 overwrite ● #2 validate
- 18. Buffer Overflow void function(char *str){ char buffer[16]; strcpy(buffer, str); } int main(){ char large_string[256]; int i; for (i = 0; i < 255; i++){ large_string[i] = ‘A’; } function(large_string); }
- 19. Buffer Overflow AAAAAAAAAAAAAAAA AAAA AAAA AAAA AAAA AAAAAAAAAAAA Buffer sfp ret *str 416 4 4 ● The return address is overwritten with ‘AAAA’ (0x41414141) ● Thus the function exits and goes to execute the instruction at 0x41414141 ● This results in a SegFault. So what??? Bottomofmemory Topofstack Bottomofstack Topofmemory
- 20. Buffer Overflow ● We have seen how to crash our own program by overwriting the return address of a function. ● What if we could overwrite the return address with valid address ? Lets start walking from where we stopped!!!
- 21. Buffer Overflow ● Is anyone mad enough to put a function which give shell so easily ? ● So what is the use of this ? ● There come the shellcode injection
- 22. Shellcode
- 23. Shellcode ● List of crafted instructions ● Executed once the code is injected to a running application.
- 24. Shellcode Properties of a shell code? – Should be small enough to fit in the buffer – Shouldn’t contain any null charecters – Shouldn’t refer to data section
- 25. Shellcode Whats next? – Okay, we know what is a shell code, now what? ● Put a shell code into buffer ● Fill the rest of buffer with junk ● Overwrite saved eip to point to buffer
- 27. The battle continues... ● RET2LIBC ● ROP ● Format String Vuln. ● Heap Vuln. And so...
- 28. Whats next? ● Google is your best friend! ● Smashing The Stack For Fun And Profit – By Aleph One ● And YES, CTFs!
- 29. In a nutshell ● Changing flow of execution – Buffer overflow ● Injecting your vuln code – Shellcode Injection ● Vuln detection and prevention Rest I leave to you, Good luck! Queries? Ping @aswinmguptha
- 30. Becoming Stronger! ● NX – Segments are either executable or writeable, but NOT both ● ASLR – Address Space Layout Randomization ● Canary, PIE – Stack protectors