Binary Exploitation Techniques Overview

Apr 5, 2025

Binary Exploitation: Libraries, ASLR/PIE, ret2libc

Overview of PaperclipMill NLC Breach

  • Investigation into the VPN endpoint and potential memory corruption exploit.
  • Slack messages indicate internal focus shift away from the breach.

Review of Exploitation Techniques

  • Buffer Overflows:
    • ret2win: Requires an existing "win" function in the binary to return into.
    • ret2stack: Needs a jmp esp/rsp gadget and an executable stack.
    • ROP (Return Oriented Programming): Requires useful gadgets to control registers.

Basic Binary Example

  • C source code provided showcasing a vulnerable gets() call.
  • Python solve script using the pwntools (pwn) library to exploit the buffer overflow.

ELF Libraries and Usage

  • PATH Variable: Determines where the shell looks for executables on Linux.
  • Dynamically Linked Binaries:
    • Resolved at run time by the dynamic loader, which walks the library search paths.
    • The ldd command lists the shared libraries a binary loads.
  • patchelf:
    • Alters the library paths and interpreter (loader) settings of a binary.
  • GDB with gef: Used to print the mapped memory segments of a running process.

Mitigation: ASLR and PIE

  • ASLR: Randomizes memory addresses so exploits cannot rely on fixed, hard-coded locations.
  • PIE (Position Independent Executable):
    • Lets ASLR randomize the binary's own load address, not just the libraries'.
    • Shared libraries are usually compiled as position independent.
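The PIE and executable-stack properties above are recorded in the ELF header and program headers. The following is an added example (not part of the original notes): a small ELF64 parser that reports whether a binary is PIE (e_type == ET_DYN) and whether its stack is marked non-executable via PT_GNU_STACK, the property ret2stack depends on. The build_sample() helper constructs a minimal test image; on a real system you can pass the bytes of any ELF file instead.

```python
import struct

# Constants from the ELF specification
ET_EXEC, ET_DYN = 2, 3            # fixed-address executable vs. position independent
PT_GNU_STACK = 0x6474E551         # program header describing stack permissions
PF_X = 0x1                        # executable flag in p_flags

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header (little-endian)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header entry


def inspect_elf64(data):
    """Return mitigation-relevant facts parsed from an ELF64 image.
    pie:      e_type == ET_DYN, so ASLR can randomize the binary's base
    nx_stack: a PT_GNU_STACK entry exists and does not carry PF_X
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    if data[5] != 1:
        raise ValueError("only little-endian images handled here")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected program header entry size")
    gnu_stack = None
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            gnu_stack = p_flags
    return {
        "pie": e_type == ET_DYN,
        "gnu_stack_present": gnu_stack is not None,
        "nx_stack": gnu_stack is not None and not (gnu_stack & PF_X),
    }


def build_sample(e_type, stack_flags):
    """Constructed minimal ELF64 image: header plus one PT_GNU_STACK entry (test data only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # 64-bit, little-endian, version 1
    ph = PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    eh = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                   EHDR.size, PHDR.size, 1, 64, 0, 0)
    return eh + ph


if __name__ == "__main__":
    print(inspect_elf64(build_sample(ET_DYN, 6)))   # PIE, non-executable stack
    print(inspect_elf64(build_sample(ET_EXEC, 7)))  # no PIE, executable stack
```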

Exploitation Technique: ret2libc

  • Concept: Like ret2win, but the return target is a function inside libc rather than one in the binary.
  • Example program with a leak that prints the address of system().
  • Abuses libc functions such as system, printf, etc.
  • Finding the libc Base:
    • Use leaks to determine the base address at which libc is loaded.

Creating Leaks

  • Leaks reveal memory addresses that ASLR is supposed to keep secret.
  • Exploit Plan:
    • Control rdi register.
    • Locate string /bin/sh in libc.
    • Use system() to execute it.

pwntools ELF

  • pwntools can resolve ELF symbols dynamically.
  • Example: setting the library's base address so that every symbol address is adjusted accordingly.

Highlight: Cool Security People

  • Notable individuals in the field of binary exploitation.

Creating Leaks in Binary

  • Simplified C program used as the GOT leak example.
  • Global Offset Table (GOT):
    • Holds resolved libc function pointers, so reading a GOT entry leaks a libc address.

Other Buffer Overflow Concepts

  • Bad Bytes: Certain input functions stop at or reject particular byte values, which constrains what a payload may contain.
  • Stack Cookies: Protect against buffer overflows by detecting altered stack values before a function returns.
    • Weaknesses: not every function is protected, the cookie value can be leaked, and in some cases it can be brute-forced.

Assignment 7

  • Focused on applying learned exploitation techniques.

Next Steps

  • Upcoming topics include secure coding practices and automated bug finding (fuzzing/symbolic execution).