Scribd
Upload
26 views33 pages

Binary Exploitation

The document discusses binary exploitation techniques, focusing on finding and exploiting bugs in low-level languages like C/C++. It covers various exploitation methods such as buffer overflows, format string vulnerabilities, and return-oriented programming (ROP), along with real-world applications and mitigation strategies like ASLR and canaries. The document also provides references and resources for further learning and exercises in binary exploitation.

Uploaded by

Ahlam Boumehdi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
26 views33 pages

Binary Exploitation

The document discusses binary exploitation techniques, focusing on finding and exploiting bugs in low-level languages like C/C++. It covers various exploitation methods such as buffer overflows, format string vulnerabilities, and return-oriented programming (ROP), along with real-world applications and mitigation strategies like ASLR and canaries. The document also provides references and resources for further learning and exercises in binary exploitation.

Uploaded by

Ahlam Boumehdi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 33

Binary Exploitation

Julian Gremminger | 11.05.2023

1/33 11.05.2023 KITCTF: Binary Exploitation kitctf.de


Overview

Finding and exploiting bugs in a binary/executable


Programs written in low-level language
Reverse engineering often mandatory first step
Memory corruption vs logic bugs

2/33 11.05.2023 KITCTF: Binary Exploitation


Binary Exploitation in CTFs

Often C/C++ binaries written for the competition


Sometimes real world targets with introduced bugs
Chrome: Google CTF 2021 Fullchain [1]
Firefox: 33c3 CTF Feuerfuchs [2]
Objective: Remote Code Execution on challenge server
Linux: call system(”/bin/sh”)

3/33 11.05.2023 KITCTF: Binary Exploitation


Binary Exploitation in the „Real World“

Memory-unsafe languages still widely used


Browsers
Hypervisors
Web servers
Even the „best“ codebases contain exploitable bugs

4/33 11.05.2023 KITCTF: Binary Exploitation


Binary Exploitation in the „Real World“

5/33 11.05.2023 KITCTF: Binary Exploitation


Linux Process Layout

6/33 11.05.2023 KITCTF: Binary Exploitation


Buffer Overflows

1 # i n c l u d e < s t d i o . h>
2

3 i n t main ( i n t argc , char * argv [ ] ) {


4 i n t var = 0;
5 char b u f [ 1 0 ] ;
6 gets ( buf ) ;
7 i f ( var != 0) {
8 p r i n t f ( "%s " , " success ! " ) ;
9 }
10 return 0;
11 }

7/33 11.05.2023 KITCTF: Binary Exploitation


Stack Frames

8/33 11.05.2023 KITCTF: Binary Exploitation


Overflowing the Buffer

9/33 11.05.2023 KITCTF: Binary Exploitation


RIP-Control?

RIP-Control after execution of ret instruction (RIP = 0x4343434343434343)

10/33 11.05.2023 KITCTF: Binary Exploitation


Format String Bugs

1 # i n c l u d e < s t d i o . h>
2

3 i n t main ( i n t argc , char * argv [ ] ) {


4 p r i n t f ( " r s i=% l l x r d x=% l l x r c x=% l l x r 8=% l l x r 9=% l l x "
5 " a rg _f r om _s t ac k [0]=% l l x a rg _ fr om _ st ac k [1]=% l l x . . . \ n" ) ;
6 }

No arguments supplied to printf


What happens?

11/33 11.05.2023 KITCTF: Binary Exploitation


Format String Bugs

12/33 11.05.2023 KITCTF: Binary Exploitation


Format String Bugs

1 # i n c l u d e < s t d i o . h>
2

3 # d e f i n e SIZE 0x100
4

5 i n t main ( i n t argc , char * argv [ ] ) {


6 char b u f [ SIZE ] ;
7 f g e t s ( buf , SIZE , s t d i n ) ;
8 p r i n t f ( buf ) ;
9 return 0;
10 }

User-controlled format string


Can we exploit this?

13/33 11.05.2023 KITCTF: Binary Exploitation


Format String Exploitation Building Blocks

%n Write amount of already printed bytes to an address


This address will be taken from the „argument stream“
If our buffer resides on the stack we can choose this address (put address in the format string)
There might be interesting pointers on the stack already
Writes of different sizes possible
%n => *(int *) write
%hn => *(short int *) write
%hhn => *(char *) write

14/33 11.05.2023 KITCTF: Binary Exploitation


Format String Exploitation Building Blocks

Meaningful stuff in „already printed bytes“?


printf(”AAAAAAAA%hhn”) results in *(char *)$rsi = 0x8

Shortcut for setting „already printed bytes“: %<Padding>c


printf(”%255c%hhn”) results in *(char *)$rsi = 0xff

15/33 11.05.2023 KITCTF: Binary Exploitation


Format String Exploitation Building Blocks

How to access supplied addresses in the format string?


Positional parameters: %_$
%4$x will access the same value as the last %x in %x%x%x%x
Full arbitrary 8-byte write to given address:
1 %{ s h o r t _ w r i t e _ v a l } c%10$hn%11$hn%12$hn%13$hn { addr + 0 } { addr + 2 } { addr + 4 } { addr + 6 }
2

3 With addr = 0x4141414141414141 and s h o r t _ w r i t e _ v a l = 0x7777


4 %30551c%10$hn%11$hn%12$hn%13$hn AAAAAAAACAAAAAAAEAAAAAAAGAAAAAAA
5

6 *( short int * ) ( 0 x4141414141414141 + 0) = 0x7777


7 *( short int * ) ( 0 x4141414141414141 + 2) = 0x7777
8 *( short int * ) ( 0 x4141414141414141 + 4) = 0x7777
9 *( short int * ) ( 0 x4141414141414141 + 6) = 0x7777

16/33 11.05.2023 KITCTF: Binary Exploitation


Integer Bugs
Overflows and Underflows
2147483647 + 1 == -2147483648
-2147483648 - 1 == 2147483647
Comparison bugs
Explicit or implicit casts of values can lead to unexpected behavior
1 # i n c l u d e < s t d i o . h>
2

3 i n t main ( i n t argc , char * argv [ ] ) {


4 char b u f [ 0 x f f ] ;
5 i n t size = 0;
6

7 s c a n f ( "%d " , &s i z e ) ;


8 i f ( size < 0 x f f ) {
9 read ( 0 , &buf , s i z e ) ;
10 } else {
11 puts ( " I n v a l i d size " ) ;
12 }
13 return 0;
14 }

17/33 11.05.2023 KITCTF: Binary Exploitation


Use-after-free

Pointer to memory not cleared after free => Dangling pointer


If this memory gets reallocated type confusions might occur
Heap metadata corruption

18/33 11.05.2023 KITCTF: Binary Exploitation


RIP-control to shell
Shellcode: Inject our own code into memory and jump to it
Shellcode collection: http://shell-storm.org/

19/33 11.05.2023 KITCTF: Binary Exploitation


What’s the catch?

Mitigations
NX-Bit (No eXecute) / DEP
Page is writable XOR executable
Consequently stack not executable
Injected shellcode can’t be executed

20/33 11.05.2023 KITCTF: Binary Exploitation


What’s the catch?

Mitigations
NX-Bit (No eXecute) / DEP
Page is writable XOR executable
Consequently stack not executable
Injected shellcode can’t be executed

21/33 11.05.2023 KITCTF: Binary Exploitation


No need for own code1 (Code Reuse Attacks)

Instead of injecting own code, use existing code


Reuse code in binary or libraries
For stack-based buffer overflow example:
Overwrite return address with pointer to existing code snippet („gadget“)
Gadgets can be chained together if they end in ret
=> Return-oriented programming (ROP)
ropper [3] and ROPGadget [4] find gadgets and can even build full ROP-chains

1
Requirements: Gadget addresses need to be known and useful gadgets have to exist

22/33 11.05.2023 KITCTF: Binary Exploitation


ROP

Executed ROP-chain leads to call to system(”/bin/sh”)

23/33 11.05.2023 KITCTF: Binary Exploitation


Mitigate Code Reuse Attacks

So far we assumed we
know addresses of
gadgets, functions, libraries
and stack

24/33 11.05.2023 KITCTF: Binary Exploitation


Mitigate Code Reuse Attacks

So far we assumed we
know addresses of
gadgets, functions, libraries
and stack
Breaking this assumption
breaks our attack

25/33 11.05.2023 KITCTF: Binary Exploitation


ASLR and PIE

Address Space Layout Randomization


Randomize memory layout on every execution
Linux ASLR is based on 5 randomized (base) addresses
Stack, Heap, mmap-Base, vdso
Random base address for executable only if PIE is enabled

Leak of 1 library address derandomizes all libraries


Leak of 1 address in our binary breaks PIE
Forked processes share layout with parent

26/33 11.05.2023 KITCTF: Binary Exploitation


Canaries
Prevent stack-based buffer overflows
7 random bytes with least significant byte zero
Set up in function prologue and verified in epilogue
Invalid canary value leads to SIGABRT

27/33 11.05.2023 KITCTF: Binary Exploitation


Canaries

Canary leak necessary


Overwrite with correct value possible with leak

28/33 11.05.2023 KITCTF: Binary Exploitation


Heap Exploitation

Overflows and other bugs not bound to stack


Some heap specific bugs exist (e.g. double free)
General approach
Use bug to abuse allocator behavior (metadata corruption)
Use bug to corrupt objects on the heap

glibc-heap exploitation techniques: how2heap [5]

29/33 11.05.2023 KITCTF: Binary Exploitation


Combining everything

30/33 11.05.2023 KITCTF: Binary Exploitation


Tools

gdb
pwndbg [6]
python
pwntools [7]
checksec [8]

31/33 11.05.2023 KITCTF: Binary Exploitation


Exercises

https://github.com/kitctf/www/tree/master/files/pwn.zip

http://overthewire.org/wargames/narnia/
https://picoctf.com/
https://exploit.education/protostar/
https://pwnable.kr/
https://pwnable.tw/

32/33 11.05.2023 KITCTF: Binary Exploitation


References

[1] https://github.com/google/google-ctf/tree/master/2021/quals/pwn-fullchain/challenge.

[2] https://archive.aachen.ccc.de/33c3ctf.ccc.ac/challenges/index.html.

[3] https://github.com/sashs/Ropper.

[4] https://github.com/JonathanSalwan/ROPgadget.

[5] https://github.com/shellphish/how2heap.

[6] https://github.com/pwndbg/pwndbg.

[7] https://docs.pwntools.com/en/stable/.

[8] https://github.com/slimm609/checksec.sh.

33/33 11.05.2023 KITCTF: Binary Exploitation

You might also like