This document provides an introduction to binary exploitation. It outlines the course, which will cover basic stack overflows, shellcode injection, and exploit mitigation technologies. It explains how buffer overflows can be used to overwrite the return address and change the flow of execution. By injecting shellcode into the buffer and overwriting the return address to point to it, arbitrary code can be executed to gain unauthorized access. Modern defenses like ASLR and NX are discussed, as well as future topics like return-oriented programming and format string vulnerabilities. The overall goal is to understand software exploitation and how to identify vulnerabilities in programs.
3. Aim
● Give you a better understanding of the mechanisms of software exploitation
● Prepare you to identify vulnerabilities in program source code
● Help you understand the HOW and WHY of exploit mitigation technologies
● We will cover a few key concepts deeply
7. What is our Goal?
● Arbitrary code execution
● Examples
● Forcing a binary to give root access over the internet!
● Forcing an administrator-privileged process to execute normally
9. Real life
● We don't know the password, and it is really hard to guess, too.
● There is a function which gives a shell.
● What if we could change the flow of execution and execute that function?
Means what???
10. Process Memory Organization
Content of an assembly file
● Executable section: TEXT
  – The actual code that will be executed
● Initialized data: DATA
  – Global variables
● Uninitialized data: BSS
● Local variables
18. Buffer Overflow
#include <string.h>

/* 16-byte local buffer, but strcpy copies until it finds the source's
   terminator: there is no bounds check at all. */
void function(char *str){
    char buffer[16];
    strcpy(buffer, str);      /* overflows buffer for any str longer than 15 bytes */
}

int main(){
    char large_string[256];
    int i;
    for (i = 0; i < 255; i++){
        large_string[i] = 'A';
    }
    large_string[255] = '\0'; /* terminate so strcpy stops after 255 bytes */
    function(large_string);
    return 0;
}
19. Buffer Overflow
Stack frame of function() after strcpy (lower addresses on the left, higher on the right):

  buffer (16)        sfp (4)   ret (4)   *str (4)
  AAAAAAAAAAAAAAAA   AAAA      AAAA      AAAA      AAAAAAAAAAAA ...

● The return address is overwritten with 'AAAA' (0x41414141)
● Thus the function exits and goes to execute the instruction at 0x41414141
● This results in a SegFault.
So what???
[Figure: stack growth diagram, labelled "bottom of memory / top of stack" at one end and "bottom of stack / top of memory" at the other]
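The overflow on slides 18 and 19 happens because strcpy trusts the source length. As an added example (not from the slides), here is the same 16-byte buffer with a bounded copy in front of it: an input that would not fit is rejected instead of running over sfp and ret. The names bounded_copy and safe_function are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* same buffer size as function() on slide 18 */

/* Copy src into dst only if it fits, terminator included.
 * Returns 0 on success; returns -1 and leaves dst empty when src is too
 * long, so a caller never sees a half-copied or unterminated string.
 * Never reads more than dst_size bytes of src. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* scan at most dst_size bytes looking for the terminator */
    while (len < dst_size && src[len] != '\0')
        len++;

    if (len == dst_size) {      /* no room left for the '\0' */
        dst[0] = '\0';
        return -1;
    }

    memcpy(dst, src, len + 1);  /* len + 1 <= dst_size here */
    return 0;
}

/* Hardened counterpart of function() from slide 18: same 16-byte local
 * buffer, but an oversized input is rejected instead of overrunning
 * sfp and ret. Returns 0 if the input was accepted, -1 if rejected. */
int safe_function(const char *str)
{
    char buffer[BUF_SIZE];

    if (bounded_copy(buffer, sizeof buffer, str) != 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", BUF_SIZE - 1);
        return -1;
    }
    printf("copied: %s\n", buffer);
    return 0;
}

int main(void)
{
    char large_string[256];          /* the 255 'A's from slide 18 */

    memset(large_string, 'A', sizeof large_string - 1);
    large_string[sizeof large_string - 1] = '\0';

    safe_function("hello");          /* fits: accepted */
    safe_function(large_string);     /* would have smashed the stack: rejected */
    return 0;
}
```

The point of returning -1 rather than silently truncating is that the caller learns the input was hostile or malformed and can log it; a truncating strncpy would hide exactly the event a defender wants to see.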
20. Buffer Overflow
● We have seen how to crash our own program by overwriting the return address of a function.
● What if we could overwrite the return address with a valid address?
Let's start walking from where we stopped!!!
21. Buffer Overflow
● Is anyone mad enough to put in a function which gives a shell so easily?
● So what is the use of this?
● There comes shellcode injection.
24. Shellcode
Properties of a shellcode
– Should be small enough to fit in the buffer
– Shouldn't contain any null characters
– Shouldn't refer to the data section
25. Shellcode
What's next?
– Okay, we know what a shellcode is, now what?
● Put a shellcode into the buffer
● Fill the rest of the buffer with junk
● Overwrite the saved EIP to point to the buffer
28. What's next?
● Google is your best friend!
● Smashing The Stack For Fun And Profit
  – By Aleph One
● And YES, CTFs!
29. In a nutshell
● Changing the flow of execution
  – Buffer overflow
● Injecting your own code
  – Shellcode injection
● Vulnerability detection and prevention
The rest I leave to you.
Good luck! Queries?
Ping @aswinmguptha
30. Becoming Stronger!
● NX
  – Segments are either executable or writeable, but NOT both
● ASLR
  – Address Space Layout Randomization
● Canary, PIE
  – Stack protectors
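A stack canary defeats the slide 19 overwrite by placing a guard value between the local buffer and sfp/ret and checking it before the function returns. As an added example (not from the slides, and not the compiler's real implementation), the program below models that check with a struct standing in for the stack frame, so the mechanism and its one weak spot can be seen without a particular compiler or architecture. The names frame and model_copy_and_check and the guard value are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Model of one stack frame. On a real 32-bit stack the layout below the
 * saved frame pointer is: locals, then the guard (canary), then sfp/ret.
 * Here a struct stands in for that frame so the check can run anywhere. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;      /* guard value placed right after the buffer */
    uint32_t saved_ret;   /* stand-in for the return address */
};

/* Copy `len` input bytes into the frame starting at buf, exactly as an
 * unbounded strcpy would, then perform the epilogue comparison a stack
 * protector does. Returns 1 if the canary was clobbered (overflow
 * detected), 0 if it is intact. The copy is capped at the model frame so
 * this program itself never writes out of bounds. */
int model_copy_and_check(const unsigned char *input, size_t len, uint32_t guard)
{
    struct frame f;

    memset(&f, 0, sizeof f);
    f.canary = guard;
    f.saved_ret = 0xdeadbeef;            /* constructed marker value */

    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);              /* overruns buf whenever len > BUF_SIZE */

    return f.canary != guard;            /* the protector's check */
}

int main(void)
{
    const uint32_t guard = 0x2a7c9e51u;  /* constructed; a real guard is random per process */
    unsigned char in_bounds[BUF_SIZE];
    unsigned char overflow[BUF_SIZE + 8];
    unsigned char known_guard[BUF_SIZE + 8];

    memset(in_bounds, 'A', sizeof in_bounds);
    memset(overflow, 'A', sizeof overflow);
    memset(known_guard, 'A', sizeof known_guard);
    /* an overflow that happens to rewrite the guard with its own value */
    memcpy(known_guard + BUF_SIZE, &guard, sizeof guard);

    printf("16 x 'A'            -> detected=%d\n",
           model_copy_and_check(in_bounds, sizeof in_bounds, guard));
    printf("24 x 'A'            -> detected=%d\n",
           model_copy_and_check(overflow, sizeof overflow, guard));
    printf("24 bytes, guard kept -> detected=%d\n",
           model_copy_and_check(known_guard, sizeof known_guard, guard));
    return 0;
}
```

The third case is why the canary has to be unpredictable and kept secret: the check only compares values, so any overflow that preserves the guard passes. That is also why an information leak that reveals the guard is treated as a serious bug in its own right, and why ASLR and the canary are deployed together rather than as alternatives.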