Binary Exploitation/PWN
Types of Binaries
• Statically-Linked – standalone binaries without any external dependencies
• Dynamically-Linked – binaries that depend on system libraries for full functionality
  • Default when compiling a binary with gcc
  • C function implementations are provided by libc, the GNU C library
  • Standard functions are commonly linked dynamically so that a single copy on disk is shared and reused by many programs
Global Offset Table (GOT)
• Program section that contains the addresses of dynamically-linked functions
• Libraries are loaded into memory at the program's launch, but individual functions are not resolved to code until they are specifically called
• The GOT saves the address of a function after its first call to avoid repeated searches through the shared libraries
• The location of these libraries changes due to Address Space Layout Randomization (ASLR)
  • ASLR: randomization of the address space of the program, shared libraries, stack, and heap to make it more difficult to exploit a given program
• The GOT is writable (unless protected by RELRO), which lends itself to an exploit technique called Return-Oriented Programming (ROP)
Return-Oriented Programming (ROP)
• A technique that uses the call stack to control flow and execute chains of small assembly sequences already present in memory
• Defeats Data Execution Prevention (DEP) by manipulating the return addresses of existing functions rather than injecting malicious code
• Return-to-libc: the most common ROP exploitation technique, usually starting with a buffer overflow in which a subroutine return address on the call stack is replaced by the address of a subroutine that is already present in the process's executable memory (most often a libc function)
  • Libc is always linked to a given C program
  • Libc provides powerful system calls that can be used to get an interactive shell on the system
• Return-to-plt: ROP exploitation technique in which the attacker uses Procedure Linkage Table (PLT) functions rather than libc functions
Procedure Linkage Table (PLT)
• Contains "stub" functions to be resolved by the dynamic linker
• The linker, "when it sees a call-type relocation for a symbol that's not resolved locally and that requires runtime linking, generates a PLT entry that loads the address from the GOT and makes an indirect jump to it" (1)
1: https://stackoverflow.com/questions/20486524/what-is-the-purpose-of-the-procedure-linkage-table
Stack Exploit Mitigation Techniques
• Address Space Layout Randomization (ASLR)
• Data Execution Prevention (DEP)
  • Uses a hardware bit (the NX bit) to mark certain program sections as non-executable, preventing malicious shellcode stored on the stack or in a global variable from being executed
• Stack Canaries
  • Secret value placed on the stack that is checked before a function returns; if it has been modified, the program terminates
• Relocation Read-Only (RELRO)
  • Marks the GOT as read-only so that it cannot be overwritten by an attacker exploiting a vulnerability like a buffer overflow
Tools
▫ gdb (with the peda or pwndbg extensions)
▫ Python (with pwntools)
▫ radare2
Resources
▫ https://anee.me/intro-to-pwn-65876c0cb558
▫ https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html
▫ https://pwndevils.com/hacking/howtwohack.html
Challenges can be found in CTFs or in wargames, like:
▫ OverTheWire
▫ Smash the Stack
▫ Exploit Exercises
▫ Pwnable.kr