| description | cover | coverY |
|---|---|---|
07/20/2023 |
0 |
Binary exploitation is the act of performing static and dynamic analysis on binaries (programs) and searching for vulnerabilities within them to gain access to a system.
The ultimate goal is to have some sort of cyber effect that will occur on the target/victim program. It can sometimes result in leaking information or Remote Code Execution (RCE). It's very common to see vulnerabilities occurring on the stack which is a lightning-quick region of memory that has a fixed size and is managed by the OS and memory manager. Whereas the heap is a slower region of memory that is programmer-controlled and its size is dependent on the programmer post-compilation.
We can do this a few different ways and there are many different techniques of doing this in order to circumvent memory protections and gain access to the system we are attacking.
When a new function gets called, a stack frame becomes developed and a memory address in the called function gets pushed onto the stack. This stack frame is a system that gets created so the program knows where to return once the called function finishes execution.
The stack is a contiguous block of memory with a fixed starting point and will grow/shrink according to stack frames and functions called.
It follows a Last-In-First-Out (LIFO) order. This means the last item in is the first to come out. Think of this system as a stack of plates or shopping carts. The easiest to grab is always the last one on top (plates) or the last cart in the line.
The stack pointer (SP) is a special purpose register. This will ALWAYS point to the top of the stack and it gets updated automatically as items are pushed onto or popped off the stack.
The stack frame pointer or base pointer (BP) will point to the base, or bottom of the current stack frame.
When a function gets called, a new stack frame will then be created.
- This means that a return address is pushed onto the stack
- BP is pushed onto the stack to save the caller's BP address
- The SP is adjusted accordingly to allocate proper space for local variables and function parameters
- The BP then replaces the SP
Upon function return...
- When a function returns, the return value (if any) is then placed in a pre-defined register. This is probably RAX (x86-64)
- The SP is reset to the BP
- The old BP is then popped off the stack
- The ret address is popped off the stack, the instruction pointer (RIP -- x86-64) or program counter (pc -- ARM) is then granted the return address within the register and execution will resume
- Buffer Overflows (BOFs)
- return-2-libc
- Return oriented programming on x86
ROP Emporium General Bug Hunting Advice:
- Each binary has the same vulnerability
- A user-provided string is copied into a stack-based buffer with no bounds checking
- This allows a function’s saved return address to be overwritten
- Since this overflow occurs directly on the stack, you can stick your ROP chain right there and the program will dutifully return through it
- Focus on how you design your ROP chains
Problems you will run into:
{% embed url="https://ropemporium.com/guide.html" %}
- Certain restrictions will be put in place; manipulating how you have to design your ROP chain to be successful
- Dealing with bad characters
- Limited or obscure access to a set of gadgets
Debugging Once you have planned your ROP chain, a debugger can make things much clearer and highlight any errors you have made early on. Pwntools can launch binaries via GDB and radare2 features a powerful debugger. Debugging can give you a good indication of whether your chain will work in practice.
I follow this every single time I want to attack a binary:
{% content-ref url="binary-exploitation-methodology.md" %} binary-exploitation-methodology.md {% endcontent-ref %}
{% embed url="https://ir0nstone.gitbook.io/notes/" %}
{% embed url="https://guyinatuxedo.github.io/" %}