Chapter 6 - Exploit Development


Last updated 4 years ago


Security risks at the application level are among the most significant, pervasive categories of security problems impacting organizations today. But traditional IT security focuses on network and perimeter-based protection, not on the application code itself. And while most development teams test their applications for functionality, performance, and integration, the lack of security testing early in the development process can have serious consequences. Failure to address security throughout the application lifecycle can result in embarrassment—or catastrophic damages like the loss of intellectual property, money, or data.

— Buffer Overflow Attacks: Detect, Exploit, Prevent, page 403

Resources

Understanding programs in memory

Intro to Assembly

Intro to Buffer Overflows

Courses

Resources

Intel

Registers

EAX - Accumulator
    Arithmetic results; usually holds a function's return value
EBX - Base
    Base address for array / pointer calculations (pointers into arrays of objects)
ECX - Counter
    Loop counts and shift / rotate counts
EDX - Data / I/O pointer
    Extends EAX for mul and div; holds the port address for in / out
ESI - Source index
    Source of string / array operands
EDI - Destination index
    Destination of string / array operands
EIP - Instruction Pointer
    Points to the next instruction to execute
ESP - Stack Pointer
    Points to the top of the stack (the most recently pushed value)
EBP - Stack Base Pointer
    Points to the base of the current stack frame

Instructions

mov - copy a value into a register or memory location
jmp - jump to an address
call - push the address of the next instruction (the return address) onto the stack, then jump to the target
ret - pop the value at the top of the stack into EIP and continue there (this saved return address is what a stack overflow overwrites)
push - decrement ESP, then store the operand at the new top of the stack
pop - load the value at the top of the stack into the operand, then increment ESP

Buffer Overflows

Setup & Information

Check ASLR/DEP

Linux

Kali> checksec filename

Windows

C:\> Get-PESecurity -file "filename"
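
As an added example (not from these notes, and not checksec's own code), a small C reader that derives the NX and PIE answers checksec reports from raw ELF bytes; the sample image it parses is constructed inline, and feeding it the bytes of a real binary read with fread gives the same two columns.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the original notes: a tiny checksec-style reader for
 * two of the mitigations this page lists, NX and PIE (the property ASLR needs
 * in order to relocate the main image). Works on raw bytes, so it runs anywhere.
 *   NX : a PT_GNU_STACK program header (p_type 0x6474e551) exists and lacks PF_X;
 *        with no such header the kernel gives the process an executable stack.
 *   PIE: e_type == ET_DYN (3). */
enum { PT_GNU_STACK_T = 0x6474e551, PF_X_BIT = 1, ET_DYN_T = 3 };

static uint32_t rd(const uint8_t *p, int n) {      /* little-endian read of n bytes */
    uint32_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
struct mitig { int valid, nx, pie; };

struct mitig check_elf(const uint8_t *img, size_t len) {
    struct mitig r = {0, 0, 0};
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1) return r; /* LE only */
    int is64 = img[4] == 2;
    if (is64 && len < 64) return r;
    r.valid = 1;
    r.pie = rd(img + 16, 2) == ET_DYN_T;
    /* header field offsets differ between ELF32 and ELF64 */
    uint32_t phoff = rd(img + (is64 ? 32 : 28), 4);  /* low 32 bits are enough here */
    uint32_t phent = rd(img + (is64 ? 54 : 42), 2);
    uint32_t phnum = rd(img + (is64 ? 56 : 44), 2);
    size_t flagoff = is64 ? 4 : 24;                  /* p_flags position inside a phdr */
    for (uint32_t i = 0; i < phnum; i++) {
        size_t off = (size_t)phoff + (size_t)i * phent;
        if (off + flagoff + 4 > len) break;          /* truncated image: stop */
        if (rd(img + off, 4) == PT_GNU_STACK_T)
            r.nx = (rd(img + off + flagoff, 4) & PF_X_BIT) == 0;
    }
    return r;
}

/* Constructed sample (not a real binary): an ELF64 header followed by a single
 * PT_GNU_STACK program header, so the checker can be exercised offline. */
size_t build_sample(uint8_t *buf, uint16_t e_type, uint32_t stack_flags) {
    memset(buf, 0, 120);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;              /* ELF64, little-endian, version 1 */
    buf[16] = (uint8_t)e_type; buf[17] = (uint8_t)(e_type >> 8);
    buf[32] = 64; buf[54] = 56; buf[56] = 1;         /* e_phoff, e_phentsize, e_phnum */
    memcpy(buf + 64, "\x51\xe5\x74\x64", 4);         /* p_type = PT_GNU_STACK */
    buf[68] = (uint8_t)stack_flags;                  /* p_flags: 6 = RW, 7 = RWX */
    return 120;
}
```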

Disable/Enable ASLR/DEP

Linux

Kali> echo 0 > /proc/sys/kernel/randomize_va_space    # as root; 0 = ASLR off
Kali> echo 2 > /proc/sys/kernel/randomize_va_space    # as root; 2 = full randomisation (stack, mmap, VDSO and brk heap)

Windows

See what shared libs a program uses

Linux

Kali> ldd filename

Find hex addresses of functions/libs within a program

Linux

Kali> readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
Kali> strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh

Attack Vectors

Integer-based

Stack-based

Overflow the input so that the saved return address (loaded into EIP on ret) is replaced with an address that leads to the payload

SEH-based

Overflow the input to overwrite the SEH record (next SEH pointer and handler address); the handler is pointed at a pop pop ret sequence so execution lands back in the overwritten record

Heap-based

Overflow the first chunk with filler data into the header of the second chunk; overwrite its forward link with the destination and its backward link with the value, so that unlink() performs the write when the chunk is freed

Double-free

The same chunk is freed twice, corrupting the heap manager's bookkeeping. For the classic version to work:

1) the chunk must be isolated (no freed adjacent chunks, so it is not coalesced)

2) the destination free-list bin must be empty

After the second free, the chunk's forward and backward pointers both point to the base of the heap, and the heap points back to the node (self-referential), giving an infinite loop: unlink fails.

An old technique that modern allocators check for, but it still works with some creativity.

If the heap is left in this state, a use-after-free or a further buffer overflow may become possible.

Memory Corruption

Using memory corruption to leak sensitive data: fuzz the inputs and observe every change in the program's behaviour; note any oddities and changes (especially a dump of bytes!)

Return to libc

Bitflip

SIGRETURN Oriented Programming

Jump Oriented Programming

Return Oriented Programming

EggHunting

The art of searching memory

Security Mechanisms

Stack Canaries/Cookies

NX/DEP

ASLR
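
Added example, not from the original notes: a C model of the stack-based vector above (overwriting the saved return address) and of the stack canary that catches it before ret. The frame layout, the canary value and the return address are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the original notes: a model of one stack frame laid out
 * the way the stack protector arranges it (buffer, then canary, then saved return
 * address). A bounded copy never reaches the canary; an unbounded copy of
 * oversized input runs through the canary on its way to the saved EIP, and the
 * epilogue check catches that before `ret` would use it. Everything is a plain
 * struct written with memcpy, so the model itself is defined behaviour. */
struct frame {
    char     buf[16];
    uint32_t canary;      /* stored by the prologue, checked again in the epilogue */
    uint32_t saved_eip;   /* what `ret` would load into EIP */
};

/* Constructed value; glibc keeps the canary's low byte 0 so that C string
 * copies cannot silently run past it. */
#define CANARY_VALUE 0x7d9a2e00u

void prologue(struct frame *f, uint32_t ret_addr) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_eip = ret_addr;
}

/* Vulnerable pattern: copies len bytes with no regard for the buffer size
 * (clamped to the struct so the model stays well defined). With 24 bytes of
 * 'A' the frame ends up with saved_eip == 0x41414141, the classic debugger
 * sighting for the stack-based vector. */
void copy_unbounded(struct frame *f, const uint8_t *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);
}

/* Hardened pattern: at most sizeof(buf) - 1 bytes, always NUL-terminated. */
void copy_bounded(struct frame *f, const uint8_t *src, size_t len) {
    size_t n = len < sizeof f->buf - 1 ? len : sizeof f->buf - 1;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
}

/* Epilogue check (what __stack_chk_fail guards in glibc): 1 if the frame is
 * intact and the saved return address can be trusted. */
int epilogue_ok(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}
```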

Information Disclosure

Format Strings

Resources

%d, %i - signed decimal
%u - unsigned decimal
%o - unsigned octal
%x - unsigned hexadecimal int
%X - unsigned hexadecimal int (UPPERCASE)
%f - decimal floating point
%e - scientific notation
%a - hexadecimal floating point
%c - char
%s - string (dereferences the argument as a pointer)
%p - pointer address
%n - writes the number of characters printed so far to the int the argument points to

Each specifier consumes the next argument; when none are supplied, printf keeps reading up the stack until every specifier is satisfied or it segfaults

printf
    with no arguments supplied, each %x prints the next value on the stack in hex
    output is human-friendly, but the values are little-endian, so bytes appear reversed relative to memory order
    to view an arbitrary memory location: put the address at the start of the string, use a chain of %x to move the argument pointer forward until it points into the string itself, then %s dereferences that address and prints it as a string
    printf("\xd3\x4d\xb3\x3f%x%x%x%x%s")

    %n writes the number of characters printed so far to the address in the next argument
    printf("hello%n\n", (int *)&i); // writes 5 to i (the five characters before %n)
    printf("\xd3\x4d\xb3\x3f%x%x%x%150x%n"); // writes the running count (4 address bytes + the three %x widths + the 150-wide field) to that address
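
Added example, not from the original notes: the logging routine in its vulnerable and hardened forms, the notes' hello%n case carried through, and a small directive scanner for auditing where user data meets printf-family calls. The function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original notes. A user string that reaches
 * printf as the FORMAT argument is interpreted (each %x consumes a stack slot,
 * %n writes); passed as a %s ARGUMENT it is just data. */

/* Vulnerable: user input is the format string. Shown only for the shape of
 * the bug; never reached with untrusted input here. */
int render_vulnerable(char *out, size_t cap, const char *user) {
    return snprintf(out, cap, user);          /* gcc -Wformat-security flags this */
}

/* Hardened: constant format, user input is an argument. */
int render_safe(char *out, size_t cap, const char *user) {
    return snprintf(out, cap, "%s", user);
}

/* What %n does, using the notes' "hello%n" case: it stores the number of
 * characters emitted so far into the int the matching argument points to. */
int count_with_n(void) {
    char tmp[32];
    int written = -1;
    snprintf(tmp, sizeof tmp, "hello%n\n", &written);
    return written;                           /* 5: the characters before %n */
}

/* Cheap audit helper: does a string carry conversion specifiers? Handy when
 * reviewing logs or inputs that meet printf-family calls; it is not a
 * substitute for a constant format string. */
int has_format_directives(const char *s) {
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent sign */
        return 1;
    }
    return 0;
}
```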

Deserialization

PHP

Resources

Java

Resources

nodejs

Resources

Linked resources (all sections above)

Anatomy of a program in memory
Journey to the stack
Epilogue: Canaries and Buffer Overflows
Writing ARM Assembly Part 1
Assembly - SkullSecurity
x86 Assembly Crash Course
Assembly Language MegaPrimer for Linux
Intro to Buffer Overflows - Computerphile
Getting cozy with Exploit Development
Course materials for Modern Binary Exploitation by RPISEC
From Buffer Overflows to “Weird Machines” and Theory of Computation
Breaking the x86 Instruction Set
LiveOverflow's YouTube Channel
radare2 as an alternative to gdb-peda
Trampolines in x64
Exploit Mitigation Kill Chain
Stack Smashing Protector
Unusual Bugs
Exploit tips & techniques
Differential Slicing: Identifying Causal Execution Differences
Shellcoding for Linux & Windows Tutorial
Writing Shellcode by Hand
Understanding JIT Spraying
Interpreter Exploitation: Pointer inference and JIT spraying
Writing JIT-Spray Shellcode for fun and profit
Bypassing memory protections: the future of exploitation
PowerSploit
The Enhanced Mitigation Experience Toolkit
Disable ASLR
Socket Programming in Python and Integer Overflow
Intro to Buffer Overflows - ch3rn0byl
Beginning Stack Based Buffer Overflows - The Grey Corner
Exploit Writing Tutorial Part 1 Stack Based Overflows
Smash Stack Revived
Smashing the Stack for Fun & Profit : Revived
Are Buffer Overflows on a modern system impossible?
Identifying another exploit mitigation and finding a bypass
Brute-force 32bit stack cookie
Exploiting SLMail
Introduction to Exploit Development - FuzzySecurity
Introduction to Linux Exploit Development - FuzzySecurity
Windows Buffer Overflow Tutorial: Dealing with Character Translation - The Grey Corner
SEH Stack based buffer overflows - The Grey Corner
Stacks & Handlers & Python, oh my! - ch3rn0byl
Exploit Tutorial: Buffer Overflow – SEH Bypass
Heap Exploitation
Heap Exploitation - GitHub
Heap Spraying Exploit Tutorial
Exploit Writing Tutorial Heap Spraying Demystified - corelan
Walking the heap using pydbg
Tracking down heap overflows with RR
The Heap: What does malloc() do?
The Heap: How to exploit a Heap Overflow
how2heap - GitHub
Heap Overflows for Humans 101
The Heap: How do use-after-free exploits work?
The Heap: Once upon a free()
The Heap: dlmalloc unlink() exploit
Exploring pwnable with ltrace and gdbinit script - Exploitation part 1/2
Use-after-free and overwrite entry in GOT - Exploitation part 2/2
Blind Buffer Overflow exploitation to leak secret data
libc database - GitHub
Return-to-libc
Doing ret2libc with a Buffer Overflow because of restricted return pointer
BUFFER OVERFLOW PRIMER PART 8 (RETURN TO LIBC THEORY)
The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
Understanding glibc malloc
Cheating the ELF
PLT and GOT - the key to code sharing and dynamic libraries
Rowhammer Attacks: An Extended Walkthrough Guide
Exploiting the DRAM rowhammer bug to gain kernel privileges
flipfloyd - GitHub
Sigreturn Oriented Programming is a real Threat
Jump-Oriented Programming: A New Class of Code-Reuse Attack
64-bit Linux Return-Oriented Programming
Return Oriented Exploitation (ROP)
An introduction to the Return Oriented Programming and ROP chain generation
Return-Oriented-Programming (ROP FTW)
DEP & ROP: Modern Binary Exploitation
ROP is Still Dangerous: Breaking Modern Defenses
Return oriented programming - Wikipedia
Introduction to return oriented programming (ROP)
The need for a POP POP RET instruction sequence
Intro to ROP: ROP Emporium — Split
ROP Emporium
OptiROP: hunting for ROP gadgets in style
Introduction to return oriented programming (ROP)
SROP | Signals, you say?
Return-Oriented Programming without Returns
Blind Return Oriented Programming (BROP)
EggHunting Sorcery - ch3rn0byl
Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump
HackSysTeam - EggHunter
Buffer Overflow Protections (Canaries) - Wikipedia
Mitigating Buffer Overflow Attacks with Stack Cookies
Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
Linux GLibC Stack Canary Values
PLAYING WITH CANARIES
Executable Space Protection - Wikipedia
Can MPROTECT set the stack itself as executable? - StackExchange
ASLR - Wikipedia
Exploit Dev 101: Bypassing ASLR on Windows
Simple ASLR/NX bypass on a Linux 32 bit binary - Decoder's Blog
Linux ASLR integer overflow: Reducing stack entropy by four
Bypassing ASLR by predicting a process’ randomization
Remote format string exploit in syslog()
Format String to dump binary and gain RCE
Format String Exploit and overwrite the Global Offset Table
Format string exploit on an arduino
A simple Format String exploit example
From Format String Vulnerability to Remote Code Execution
Format String Exploitation-Tutorial
Fun with Info-Leaks
Exploiting PHP7 unserialize
Remote code execution via PHP [Unserialize]
2017 - Practical Serialization Attacks by Nicky Bloor
Exploiting Node.js deserialization bug for Remote Code Execution