An Introduction to Binary Exploitation
Carl Svensson, 2020-01-28
Biography
● MSc in Computer Science, KTH
● Security Engineer @ Google - Offensive Security
● CTF Player: HackingForSoju
● Email: zetatwo@google.com / Twitter: @zetatwo
Agenda
● Background
● Stack-based exploitation
● Protections and bypasses
● Heap-based exploitation
● Next steps
Background
Who Are You?
● Programmer
● Security interested
● Basic knowledge of some low-level language, e.g. C or C++
● Basic understanding of operating systems
What is an Exploit?
● Unintended behaviour
● State machine
  ○ Initial state
  ○ Reachable state
  ○ Invalid state
● Vulnerability
  ○ Unintended transition (bug)
  ○ Enabling an exploit
● Exploit
  ○ Transition to an invalid state
  ○ "Dangerous" subset
A Note on Data
● We organize bits into groups - nibble, byte, word, dword, qword
● Bits are interpreted as integers, text, code, addresses, etc.
● Same data, different interpretations - context determines
● Remember endianness - little vs big

    Bytes:        65, 66, 67, 68  (0x41 0x42 0x43 0x44)
    As text:      "ABCD"
    As x86 code:  inc ecx; inc edx; inc ebx; inc esp
    As a dword:   0x44434241 = 1145258561

    Little-endian: 0x44332211 is stored as 0x11 0x22 0x33 0x44
    Big-endian:    0x44332211 is stored as 0x44 0x33 0x22 0x11
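The slide's point (same bytes, different meaning depending on who reads them) is the reason parsers of network and file formats should load integers with an explicit byte order instead of casting a pointer. The example below is added here and is not code from the slides; it shows the slide's four bytes read as a little-endian and as a big-endian dword, plus a run-time probe of the host's own order. Function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the slides. The slide's bytes 0x41 0x42 0x43 0x44
 * are the text "ABCD", the x86 opcodes inc ecx / inc edx / inc ebx / inc esp,
 * and the little-endian dword 0x44434241. Which one they "are" depends only
 * on the code that reads them, so readers should say which order they mean. */

/* Read a 32-bit value as little-endian, independent of the host's order. */
uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the same four bytes as big-endian (network order). */
uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Write a 32-bit value little-endian into out[0..3]. */
void store_le32(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)v;
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

/* Probe the host's byte order at run time: 1 = little-endian (x86), 0 = big. */
int host_is_little_endian(void)
{
    uint32_t probe = 0x44332211u;
    uint8_t first;
    memcpy(&first, &probe, 1);   /* memcpy avoids aliasing undefined behaviour */
    return first == 0x11;
}

/* The slide's example: "ABCD" read as a little-endian dword is
 * 0x44434241 = 1145258561. The input is constructed for the example. */
uint32_t abcd_as_le_dword(void)
{
    static const uint8_t text[4] = { 'A', 'B', 'C', 'D' };
    return load_le32(text);
}

/* The slide's second example: 0x44332211 stored little-endian lays out as
 * 0x11 0x22 0x33 0x44 in memory. Returns 1 if store_le32 reproduces that. */
int le_layout_matches_slide(void)
{
    uint8_t b[4];
    store_le32(b, 0x44332211u);
    return b[0] == 0x11 && b[1] == 0x22 && b[2] == 0x33 && b[3] == 0x44;
}
```

The explicit shifts cost nothing measurable and make the code correct on every host; a `*(uint32_t *)p` cast instead depends on alignment and on the machine the code happens to run on, which is exactly the context-dependence the slide warns about.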
Where are We?
● Physics - Maxwell's equations
● Circuits - gates, flip-flops, wires
● Micro-architecture - internals of the CPU
● Machine code - assembly translated to bytes
● Low-level code - C, Rust
● Mid-level code - Java, C#
● High-level code - Python, JavaScript
x86 Basics
x86 Memory
● Virtual memory
● Stack
● Heap
● Code - text
x86 Registers
● General purpose
  ○ RAX, RBX, RCX, RDX
  ○ RDI, RSI, R8, R9
● Special purpose
  ○ RIP, RBP, RSP
● ...and a few hundred more
x86 Calling Convention
● Architecture specific
● x86, 32 bit, 64 bit
● Arguments
  ○ 32 bit: on the stack, in reverse order
  ○ 64 bit: first few in registers
● Stack frame - base pointer

    32 bit:  call 0xCAFEC0DE   =  push eip+5; jmp 0xCAFEC0DE
    64 bit:  call rip+0x1337   =  push rip+5; jmp rip+0x1337
    32 bit:  ret               =  pop eip
    64 bit:  ret               =  pop rip

    32 bit:  f(a, b)  ->  push b; push a; call f
    64 bit:  f(a, b)  ->  mov rdi, a; mov rsi, b; call f
Stack-based Exploits
Stack Buffer Overflow
● Unchecked write
● Overwrite adjacent memory
● Overwrite return address

    void vuln() {
        long local1;
        char buf[16];
        fgets(buf);
    }

    Program received signal SIGSEGV, Segmentation fault.
    0x4B4B4B4B4A4A4A4A in example1 ()

    [buf (16 bytes)]    [local1 (8 bytes)]  [saved bp (8 bytes)]  [return address (8 bytes)]
    [AAAABBBBCCCCDDDD]  [EEEEFFFF]          [GGGGHHHH]            [JJJJKKKK]
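The slide's crash address 0x4B4B4B4B4A4A4A4A is the "JJJJKKKK" that landed on the return address, read little-endian. The defensive counterpart is a write that is checked: the example below is added here and is not code from the slides. It copies into the slide's 16-byte buffer with an explicit capacity, always terminates, and reports oversized input instead of silently truncating it, and it shows the `sizeof` pitfall that makes unchecked copies so common. Names such as `copy_bounded`, `read_name` and `OVERSIZED_INPUT` are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the slides. The slide's vuln() reads an unbounded
 * line into buf[16]; everything past byte 16 lands on local1, the saved base
 * pointer and the return address. The functions below never write past the
 * capacity they are given and tell the caller when input did not fit. */

#define NAME_CAP 16   /* same size as the slide's buf[16] */

/* Constructed input: the slide's pattern, 40 bytes plus a newline. */
const char *const OVERSIZED_INPUT = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHJJJJKKKK\n";

/* Length of s, but never looks further than cap bytes into it. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Copies src into dst[cap]; returns 0 on success, -1 if src did not fit
 * (dst then holds a NUL-terminated prefix). cap must be >= 1. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = bounded_len(src, cap);
    if (n == cap) {                 /* no terminator within cap bytes: too long */
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* n bytes plus the terminator */
    return 0;
}

/* Pitfall: a "char buf[]" parameter is a pointer, so sizeof(buf) here would
 * be 8 on x86-64, not the buffer's capacity. The size is passed explicitly. */
int read_name(char *dst, size_t cap, const char *untrusted_line)
{
    int rc = copy_bounded(dst, cap, untrusted_line);
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n')   /* drop the newline fgets() leaves in */
        dst[n - 1] = '\0';
    return rc;
}

/* Same frame shape as the slide: local1 sits right after the buffer. With a
 * bounded copy the oversized input cannot reach it, whatever its length. */
uint64_t local_survives(const char *line)
{
    uint64_t local1 = 0x1122334455667788ull;
    char buf[NAME_CAP];
    (void)read_name(buf, sizeof buf, line);   /* sizeof is right here: buf is an array */
    return local1;
}

/* Returns read_name's verdict for a line without exposing a buffer. */
int name_fits(const char *line)
{
    char tmp[NAME_CAP];
    return read_name(tmp, sizeof tmp, line);
}

int main(void)
{
    char name[NAME_CAP];
    if (read_name(name, sizeof name, OVERSIZED_INPUT) != 0)
        printf("rejected: input longer than %d bytes\n", NAME_CAP - 1);
    else
        printf("name: %s\n", name);
    return 0;
}
```

Returning -1 rather than quietly keeping the first 15 bytes matters: a truncated value that is later used as a filename or a key is a logic bug of its own, so callers should treat "did not fit" as a rejected request.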
Shellcode
● Code that launches a shell
● Can also do other things
● Mostly written in C or ASM
● Needs to be location independent

    xor rdx, rdx
    mov qword rbx, '//bin/sh'
    shr rbx, 0x8
    push rbx
    mov rdi, rsp
    push rax
    push rdi
    mov rsi, rsp
    mov al, 0x3b
    syscall

    0x48 0x31 0xd2 0x48 0xbb 0x2f 0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68
    0x48 0xc1 0xeb 0x08 0x53 0x48 0x89 0xe7 0x50 0x57 0x48 0x89 0xe6
    0xb0 0x3b 0x0f 0x05
Stack Buffer Overflow ('96)
● No protections present
● No longer viable
● A simple attack
  ○ Inject code
  ○ Overwrite return address with shellcode location

    void vuln() {
        long local1;
        char buf[16];
        fgets(buf);
    }

    $ uname -a
    Linux pwnbox 5.4.0-12.15-generic...

    [buf (16 bytes)]                                   [local1 (8 bytes)]  [saved bp (8 bytes)]  [return address (8 bytes)]
    0x00007FFFDEADC0DE: [0x48 0x31 0xd2 0x48 ...]      [...]               [... 0x3b 0x0f 0x05]  [0x00007FFFDEADC0DE]
Shellcode Placement
● Shellcode can be moved around
● For example further down the stack
● If the exact location is unknown
  ○ NOP sled

    void vuln() {
        long local1;
        char buf[12];
        fgets(buf);
    }

    $ uname -a
    Linux pwnbox 5.4.0-12.15-generic...

    [buf (12 bytes)]           [local1 (8 bytes)]  [saved bp (8 bytes)]  [return address (8 bytes)]  [prev frame (? bytes)]
    0x00007FFFDEADC0DE: [...]  [...]               [...]                 [0x00007FFFDEADC102]        [0x48 0x31 0xd2 ...]
Protection: ASLR ('01)
● Address Space Layout Randomization
● Randomize location of stack and heap
  ○ 32 bit: 12 bit entropy
  ○ 64 bit: 28 bit entropy
● So far code location still known
● Location of buffer now unknown
● Code reuse
  ○ Gadgets

    0x00007FFFCAFECAFE: jmp rsp

    $ uname -a
    Linux pwnbox 5.4.0-12.15-generic...

    [buf (16 bytes)]   [local1 (8 bytes)]  [saved bp (8 bytes)]  [return address (8 bytes)]  [prev frame (? bytes)]
    0x????????: [...]  [...]               [...]                 [0x00007FFFCAFECAFE]        [0x48 0x31 0xd2 ...]
Protection: NX/DEP ('97)
● Adds permission bits to memory
  ○ Code: RX
  ○ Heap + stack: RW
● Shellcode on stack not possible
● Code location known
● Gadgets
  ○ Return-oriented programming

    0x4000104A: ... pop eax; ret
    0x4000106A: ... pop ebx; pop ecx; ret

    0x????????: [AAAA...DDDD] [EEEE] [FFFF] [0x4000104A] [0xDEADBEEF] [0x4000106A] [0xCAFEBABE] [0xFEEDF00D]

    Result: eax = 0xDEADBEEF, ebx = 0xCAFEBABE, ecx = 0xFEEDF00D
Protection: StackGuard ('98)
● Catch the overflow before damage
● Canary - random secret value
● The crash becomes controlled
● Relies on the canary being secret
  ○ Memory leak
  ○ Forking servers

    void vuln() {
        long local1;
        char buf[12];
        fgets(buf);
    }

    *** stack smashing detected ***: ./a.out terminated
    ======= Backtrace: =========

    SECRET = ???
    [...]  [...]  [SECRET]              [saved bp (8 bytes)]  [return address (8 bytes)]
    [...]  [...]  [0x4141414141414141]  [0x4141414141414141]  [0x00007FFFDEADC0DE]

    Instrumented by the compiler:
    void vuln() {
        push_cookie();
        long local1;
        char buf[12];
        fgets(buf);
        check_cookie();
    }
GOT/PLT Overwrite
● Procedure Linkage Table, PLT
● Global Offset Table, GOT
● PLT contains stubs with jumps
● GOT contains addresses into libraries
● Overwrite a GOT entry and call the function

    ... call printf@plt ...
    printf@plt: jmp [printf@got]
    printf@got: 0x7FFFC0DECAFE      (original)
    printf@got: 0x7FFFDEADDEAD      (after overwrite)
    ... call printf@plt -> 0x7FFFDEADDEAD ...
Protection: RELRO
● RELocation Read Only, RELRO
● "Partial RELRO"
  ○ GOT placed before BSS
● Full RELRO
  ○ Actually read only
  ○ Handled by the loader

    ... call printf@plt ...
    printf@plt: jmp [printf@got]
    printf@got: 0x7FFFC0DECAFE      (original)
    printf@got: 0x7FFFDEADDEAD      (overwrite attempt, blocked by the read-only mapping)
    ... call printf@plt -> 0x7FFFC0DECAFE ...
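The ASLR, NX/DEP and RELRO slides each depend on a property that is recorded in the binary's ELF headers: whether the code itself is position independent (an ET_DYN executable, which is what lets ASLR randomize the text as well as the stack and heap), whether the stack mapping is requested without execute permission (PT_GNU_STACK without PF_X), and whether a PT_GNU_RELRO region exists for the loader to remap read-only. The small checker below is added here and is not code from the slides or from any of the tools listed later; it parses an ELF64 image in memory and reports those three facts, with a constructed header-only image so it runs offline. Struct and constant names mirror the ELF specification; the `hardening` struct, `check_elf64` and `build_sample` are the example's own. Full RELRO additionally requires the dynamic section's BIND_NOW flag, which this header-level check deliberately does not inspect.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the slides: a minimal "checksec" over ELF64 headers.
 * The struct layouts follow the ELF64 specification exactly (64 and 56 bytes). */
struct elf64_ehdr {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};
struct elf64_phdr {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
};

#define ET_EXEC_       2
#define ET_DYN_        3           /* PIE executables are ET_DYN */
#define PF_X_          1
#define PT_LOAD_       1
#define PT_GNU_STACK_  0x6474e551  /* stack permissions requested from the kernel */
#define PT_GNU_RELRO_  0x6474e552  /* region the loader remaps read-only */

struct hardening { int pie, nx, relro; };

/* Parse headers from buf; returns 0 and fills out, or -1 if not a sane ELF64. */
int check_elf64(const uint8_t *buf, size_t len, struct hardening *out)
{
    struct elf64_ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2) return -1; /* ELFCLASS64 */
    if (eh.e_phentsize != sizeof(struct elf64_phdr)) return -1;
    /* overflow-safe bounds check on the whole program header table */
    if (eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(struct elf64_phdr) > len - eh.e_phoff) return -1;

    out->pie = (eh.e_type == ET_DYN_);
    out->nx = 0;       /* no PT_GNU_STACK at all: the kernel defaults to an executable stack */
    out->relro = 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        struct elf64_phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK_) out->nx = !(ph.p_flags & PF_X_);
        if (ph.p_type == PT_GNU_RELRO_) out->relro = 1;
    }
    return 0;
}

/* Builds a constructed, header-only ELF64 image with the chosen properties so
 * the checker can be exercised without a real binary. Returns its length. */
size_t build_sample(uint8_t *out, size_t cap, int pie, int nx, int relro)
{
    struct elf64_ehdr eh;
    struct elf64_phdr ph[3];
    size_t n = 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;                      /* 64-bit */
    eh.e_ident[5] = 1;                      /* little-endian */
    eh.e_type = pie ? ET_DYN_ : ET_EXEC_;
    eh.e_machine = 62;                      /* EM_X86_64 */
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(struct elf64_phdr);
    ph[n].p_type = PT_LOAD_;      ph[n].p_flags = PF_X_ | 4; n++;     /* R+X text */
    ph[n].p_type = PT_GNU_STACK_; ph[n].p_flags = nx ? 6 : 7;  n++;   /* RW or RWX stack */
    if (relro) { ph[n].p_type = PT_GNU_RELRO_; ph[n].p_flags = 4; n++; }
    eh.e_phnum = (uint16_t)n;
    size_t total = sizeof eh + n * sizeof(struct elf64_phdr);
    if (total > cap) return 0;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, n * sizeof(struct elf64_phdr));
    return total;
}

/* Packs the verdict for a constructed image as pie<<2 | nx<<1 | relro, or -1. */
int hardening_bits(int pie, int nx, int relro)
{
    uint8_t img[256];
    struct hardening h;
    size_t len = build_sample(img, sizeof img, pie, nx, relro);
    if (check_elf64(img, len, &h) != 0) return -1;
    return (h.pie << 2) | (h.nx << 1) | h.relro;
}

/* A truncated header table or a non-ELF buffer must be rejected, not read past. */
int rejects_truncated(void)
{
    uint8_t img[256];
    struct hardening h;
    size_t len = build_sample(img, sizeof img, 1, 1, 1);
    return check_elf64(img, len - 8, &h) == -1 &&
           check_elf64((const uint8_t *)"\x7f" "ELF", 4, &h) == -1;
}
```

For a real build the three properties come from the toolchain: `-fPIE -pie` for a position-independent executable, `-z noexecstack` (the GCC/ld default when no object asks for an executable stack) for NX, and `-Wl,-z,relro,-z,now` for full RELRO. Stack canaries (`-fstack-protector-strong`) are not visible in the headers; they show up as a reference to `__stack_chk_fail` in the symbol table.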
Base Pointer Overwrite
● Stack frames - linked list
● Misalign the stack frame
  ○ Modify local variables
  ○ Modify the stack pointer
● Partial overwrite
  ○ Shift the stack frame
Protection: CFG ('14)
● Control Flow Guard
● Control Flow Integrity
● Intended to prevent code-reuse attacks
● Bypass example: JIT
Protection: PAC ('17)
● Pointer Authentication Code
● Reuse unused pointer bits for a MAC
● Hardware support
● ARM64, Apple iOS
● Bypass: signing oracle
  ○ Project Zero blog
Format String Vulnerability
● Calls to printf-like functions
● Control over the first argument
● Variable number of arguments
● Read direct: %x/%d
● Read indirect: %s
● Write: %n
● Copy: %0*x, %n
● Skip: %4$x

    int printf(const char *format, ...);

    printf("Name: %s, age: %d", name, age);  // OK
    printf(name);                            // Vulnerable
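The fix for the slide's `printf(name)` is to keep the format a compile-time literal and pass the untrusted data as an argument, so the directives the slide lists (`%x`, `%s`, `%n`, `%4$x`) are printed rather than interpreted. The example below is added here and is not code from the slides: a safe variant of the call, a small audit helper that flags strings containing conversion directives (useful when grepping logs or reviewing inputs), and a whitelist validator for the rare code that must accept a caller-supplied format at all. Function names are the example's own.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the slides. The slide's vulnerable shape is
 *     printf(name);            // untrusted string used as the format
 * which is kept out of this file on purpose. Everything below keeps the
 * format string a literal and treats the data as data. */

/* Safe: constant format, data passed through %s. Uses snprintf so the result
 * can be inspected; returns 1 on success, 0 if it did not fit in cap bytes. */
int greet_safe(char *out, size_t cap, const char *name)
{
    int n = snprintf(out, cap, "Name: %s", name);
    return (n >= 0 && (size_t)n < cap) ? 1 : 0;
}

/* Returns 1 if greet_safe() reproduced name byte for byte (directives and all). */
int greet_keeps_literal(const char *name)
{
    char out[64];
    if (!greet_safe(out, sizeof out, name)) return 0;
    return strncmp(out, "Name: ", 6) == 0 && strcmp(out + 6, name) == 0;
}

/* Audit helper: 1 if s contains a conversion directive (a '%' that is not
 * the "%%" escape), 0 otherwise. A lone trailing '%' also counts. */
int contains_directive(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') { i++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

/* Whitelist for code that must accept caller-supplied formats: only %d, %i,
 * %u and %s with optional '-', '0' and width flags are allowed. Anything
 * else (%n, %x, %p, %s with precision, positional "%4$x", dynamic "%0*x",
 * or a dangling '%') is rejected. Returns 1 if fmt is allowed, 0 if not. */
int format_is_allowed(const char *fmt)
{
    for (size_t i = 0; fmt[i] != '\0'; i++) {
        if (fmt[i] != '%') continue;
        i++;
        if (fmt[i] == '%') continue;            /* literal "%%" */
        while (fmt[i] == '-' || (fmt[i] >= '0' && fmt[i] <= '9')) i++;   /* flags, width */
        if (fmt[i] == '\0') return 0;            /* dangling '%' */
        if (fmt[i] == '$' || fmt[i] == '*') return 0;   /* positional / dynamic width */
        if (strchr("dius", fmt[i]) == NULL) return 0;   /* not in the whitelist */
    }
    return 1;
}
```

Two compiler-side checks complement this: GCC and Clang warn about non-literal formats with `-Wformat -Wformat-security`, and `__attribute__((format(printf, 1, 2)))` on your own printf-like wrappers extends those checks to them.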
Heap-based Exploits
A Refresher on Memory
● Physical
● Virtual
● Pages
● Memory allocator
  ○ malloc/free
  ○ glibc
  ○ jemalloc
Heap Corruption: Application Layer
● Heap overflow
● Use after free
● Type confusion
● Heap spraying
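Use after free and type confusion both come from a raw pointer outliving, or being misread as, the object it once named. One application-layer defence is to stop handing out raw pointers: objects live in a slot table and callers hold a handle that encodes the slot index, a generation counter and a type tag, so a stale handle fails to resolve after the slot is reused and a handle of one type cannot be resolved as another. The example below is added here and is not code from the slides; the handle layout, the table size and the `obj_*` functions are the example's own, and the scenario it runs (free a user object, allocate a session into the same slot, retry the old handle) is constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the slides: generation-checked handles as a defence
 * against use-after-free and type confusion at the application layer. */

enum obj_type { T_NONE = 0, T_USER = 1, T_SESSION = 2 };
#define NSLOTS 8

struct slot { uint32_t gen; uint8_t type; int live; char payload[32]; };
static struct slot table[NSLOTS];

typedef uint64_t handle_t;   /* layout (example's own): [type:8][gen:32][index:24] */

static handle_t make_handle(uint32_t idx, uint32_t gen, uint8_t type)
{
    return ((uint64_t)type << 56) | ((uint64_t)gen << 24) | (idx & 0xFFFFFFu);
}

/* Allocate a slot of the given type; returns 0 when the table is full. */
handle_t obj_alloc(uint8_t type, const char *init)
{
    for (uint32_t i = 0; i < NSLOTS; i++) {
        if (table[i].live) continue;
        table[i].live = 1;
        table[i].type = type;
        memset(table[i].payload, 0, sizeof table[i].payload);
        if (init) strncpy(table[i].payload, init, sizeof table[i].payload - 1);
        return make_handle(i, table[i].gen, type);
    }
    return 0;
}

/* Resolve a handle only if index, generation and type all still match. */
struct slot *obj_resolve(handle_t h, uint8_t expected_type)
{
    uint32_t idx = (uint32_t)(h & 0xFFFFFFu);
    uint32_t gen = (uint32_t)(h >> 24);
    uint8_t type = (uint8_t)(h >> 56);
    if (idx >= NSLOTS) return NULL;
    struct slot *s = &table[idx];
    if (!s->live || s->gen != gen || s->type != type || type != expected_type) return NULL;
    return s;
}

/* Free: wipe the payload and bump the generation so every old handle goes
 * stale. A stale or double free is reported (-1) instead of corrupting state. */
int obj_free(handle_t h)
{
    uint8_t type = (uint8_t)(h >> 56);
    struct slot *s = obj_resolve(h, type);
    if (!s) return -1;
    memset(s->payload, 0, sizeof s->payload);
    s->live = 0;
    s->type = T_NONE;
    s->gen++;
    return 0;
}

/* Sanity check: a live handle resolves to its own payload. */
int fresh_handle_resolves(void)
{
    handle_t h = obj_alloc(T_USER, "bob");                 /* constructed */
    struct slot *s = obj_resolve(h, T_USER);
    int ok = s != NULL && strcmp(s->payload, "bob") == 0;
    obj_free(h);
    return ok;
}

/* The slide's scenario: free an object, allocate another (which reuses the
 * slot), then try the old handle. Returns 1 if the stale handle and the
 * type-confused lookup were rejected and the double free was reported. */
int uaf_is_caught(void)
{
    handle_t user = obj_alloc(T_USER, "alice");            /* constructed */
    obj_free(user);
    handle_t sess = obj_alloc(T_SESSION, "token");         /* reuses the freed slot */
    int stale_rejected = obj_resolve(user, T_USER) == NULL;
    int confusion_rejected = obj_resolve(sess, T_USER) == NULL;
    int double_free_reported = obj_free(user) == -1;
    obj_free(sess);
    return stale_rejected && confusion_rejected && double_free_reported;
}
```

The same idea appears in production systems as generational indices or tagged handles; it does not replace a hardened allocator, but it turns a silent use-after-free into a NULL result that the caller can log and refuse.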
Heap Corruption: Allocator
● Corrupt allocator metadata
● Linked lists
● Requires understanding of the allocator
  ○ Slabs
  ○ Bins
  ○ Cache
● glibc - House of X
Next Steps
Want to try it out?

Capture the Flag
● https://capturetheflag.withgoogle.com
● https://ctftime.org
● https://picoctf.com

Wargames
● https://github.com/zardus/wargame-nexus
● https://pwnable.kr
● https://overthewire.org

Community
● CTF players Discord: https://discord.gg/ArjWjvctft
Further Materials

Videos
● https://securitycreators.video
● https://www.youtube.com/GynvaelEN
● https://www.youtube.com/ZetaTwo
● https://www.youtube.com/LiveOverflow

Tools
● Python + Pwntools
● gdb + gef
● IDA, Binary Ninja, Ghidra

Learning
● https://pwn.college
● https://github.com/RPISEC/MBE
● https://github.com/shellphish/how2heap
Interested in Google?
● Internships and full-time positions: https://careers.google.com/students
● Questions about working at Google, specifically security: email zetatwo@google.com or Twitter @zetatwo
Thank You