RPISEC – Rensselaer Polytechnic Institute (security.cs.rpi.edu/courses/binexp-spring2015/...)
Setup
• YOU NEED AN SSH CLIENT – DO THIS NOW
• If on Windows – Download PuTTY (google it)
• If on Linux – You probably already have an SSH client, so chill
RPISEC - 10/17/2014 Intro to Binary Exploitation 1
RPISEC
Intro to Binary Exploitation
Fall 2014
Binary Exploitation
• The simplest definition – To change data the program uses in ways that were not intended by the programmer
• In CTFs – Pwn(ables)/Exp(loitation)
• Very technical, insanely gratifying – Intimate knowledge of language/machine
WELCOME TO THE WARZONE – let’s pwn some stuff
warzone.rpis.ec
ssh username/password
intro01:intro01
Tips to get started
• cd /levels
• ./intro01
  – AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
• python -c 'print "A"*20'
• gdb ./intro01
  – run
• In GDB:
  – info functions
  – info registers (short form: i r)
  – disassemble <function>, e.g. disas main
  – break <function>, e.g. b main
  – break *<address>, e.g. b *0x08048455
Stack Overview
• The stack is a region of memory a program uses to hold function variables and related bookkeeping during execution
• This is main()’s stack -------> (figure on the slide)
Understanding the Stack
(Figure only, two slides; no text survives.)
Corrupting the Stack
(Figure only.)
PWNING the Stack
(Figure only.)
Endianness – How data is stored in memory
• Modern computers are generally little endian – ‘little end in’
• Endianness can be confusing, and I don’t want to get into the details
  – 0x41424344 stored as 0x44, 0x43, 0x42, 0x41
  – 0xdeadbeef stored as 0xef, 0xbe, 0xad, 0xde
Intro01 Exploit
(python -c 'print "A"*64 + "\xef\xbe\xad\xde"'; cat) | ./intro01
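The little-endian rule from the Endianness slide, and why the address in the intro01 command above is typed as "\xef\xbe\xad\xde" rather than "\xde\xad\xbe\xef", as an added C example (not code from the slides). The function names store_le32, load_le32, le32_byte and host_is_little_endian are this example's own; it compares an explicit shift-based little-endian encoding with the raw bytes the host actually stores, so the same program also tells you whether the machine you are on is little endian.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Store a 32-bit value little-endian ("little end in"): the least
   significant byte goes to the lowest address. */
void store_le32(uint32_t value, uint8_t out[4]) {
    out[0] = (uint8_t)(value & 0xffu);
    out[1] = (uint8_t)((value >> 8) & 0xffu);
    out[2] = (uint8_t)((value >> 16) & 0xffu);
    out[3] = (uint8_t)((value >> 24) & 0xffu);
}

/* Reassemble a value from little-endian bytes (inverse of store_le32). */
uint32_t load_le32(const uint8_t in[4]) {
    return (uint32_t)in[0]
         | ((uint32_t)in[1] << 8)
         | ((uint32_t)in[2] << 16)
         | ((uint32_t)in[3] << 24);
}

/* Byte 'index' (0 = lowest address) of 'value' as it sits in
   little-endian memory, e.g. le32_byte(0xdeadbeef, 0) == 0xef.
   Returns -1 for an index outside 0..3. */
int le32_byte(uint32_t value, int index) {
    uint8_t b[4];
    store_le32(value, b);
    return (index >= 0 && index < 4) ? b[index] : -1;
}

/* Store then load; returns the original value on any host. */
uint32_t roundtrip_le32(uint32_t value) {
    uint8_t b[4];
    store_le32(value, b);
    return load_le32(b);
}

/* Copy the raw bytes the machine itself stores for a uint32_t; on x86
   this matches store_le32, on a big-endian machine it would not. */
void native_bytes32(uint32_t value, uint8_t out[4]) {
    memcpy(out, &value, sizeof value);
}

/* 1 if this host is little endian (low byte at the lowest address). */
int host_is_little_endian(void) {
    uint8_t b[4];
    native_bytes32(0x01020304u, b);
    return b[0] == 0x04;
}

int main(void) {
    uint8_t b[4];
    store_le32(0xdeadbeefu, b);
    /* prints: ef be ad de, the same order as "\xef\xbe\xad\xde" in the intro01 line */
    printf("0xdeadbeef in memory: %02x %02x %02x %02x\n", b[0], b[1], b[2], b[3]);
    printf("this host is %s endian\n", host_is_little_endian() ? "little" : "big");
    return 0;
}
```

The explicit encoding (store_le32) is what you want whenever bytes leave the process, because it gives the same answer on every host; native_bytes32 only agrees with it on little-endian machines such as x86.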
UNDERSTANDING CONTROL FLOW – Bend it like Beckham
Example ELF / EXE in Memory
(Figure, repeated over several slides with EIP stepping through the program; only the labels survive:)
Runtime Memory
0x00000000 – Start of memory
0x08048000 – Start of .text segment
ELF Executable: .text segment, .data segment
Heap
Libraries (libc): .text segment
0xbfff0000 – Top of stack
Stack
0xFFFFFFFF – End of memory
How Calling Works
(Figure only, repeated over several slides: EIP advancing through a call sequence; no text survives.)
Returning
(Figure only, repeated over several slides: EIP after the return; no text survives.)
OWNING CONTROL FLOW – Now that you know how it works …
Stack Smashing
(Figure only, three slides; surviving labels: …, EIP.)
Returning
(Figure only.)
Returning home
(Figure: EIP = 0x41414141 – SEGFAULT)
“If your program simply segfaulted, consider yourself lucky.”
– Chuck Stewart
Redirecting Control Flow
(Figure: the return address slot above the buffer)
• Overwrite with a code address
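The bug class the Stack Smashing slides walk through, shown as an added C example (not code from the slides or the warzone levels): an unbounded strcpy into a fixed stack buffer next to a hardened version that checks the length first. NAME_LEN, greet_unsafe, greet_safe, overflow_amount and a_string are this example's own names; the buffer size of 64 is an assumption chosen to match the 64 'A's in the intro01 command.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer; chosen to match the 64 'A's in the
   intro01 command, not taken from the level binary. */
#define NAME_LEN 64

/* VULNERABLE (do not call with untrusted input): strcpy copies until it
   finds a NUL byte, so anything longer than NAME_LEN-1 characters runs
   past 'name' into what lies above it on the stack, including the saved
   return address. This is the defect the slides exploit. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);                /* no length check */
    printf("Hello, %s\n", name);
}

/* HARDENED: measure first, refuse input that will not fit together with
   its terminating NUL, and copy a bounded number of bytes. Returns 0 on
   success and -1 when the input was rejected. */
int greet_safe(const char *input) {
    char name[NAME_LEN];
    size_t len = strlen(input);
    if (len >= NAME_LEN) {
        return -1;                      /* would overflow: reject rather than truncate silently */
    }
    memcpy(name, input, len + 1);       /* at most NAME_LEN bytes, NUL included */
    printf("Hello, %s\n", name);
    return 0;
}

/* How many bytes greet_unsafe would write past the end of 'name' for a
   given input (0 if it fits). Lets us reason about the overflow without
   triggering it. */
size_t overflow_amount(const char *input) {
    size_t written = strlen(input) + 1; /* strcpy also writes the NUL */
    return written > NAME_LEN ? written - NAME_LEN : 0;
}

/* Constructed sample input: n copies of 'A', like python -c 'print "A"*n'. */
const char *a_string(size_t n) {
    static char buf[256];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void) {
    greet_unsafe("world");                                            /* fits, behaves normally */
    printf("greet_safe(63 A's) -> %d\n", greet_safe(a_string(63)));  /* 0 */
    printf("greet_safe(64 A's) -> %d\n", greet_safe(a_string(64)));  /* -1 */
    /* 64 'A's plus a 4-byte address, as in the intro01 line: 69 bytes incl. NUL */
    printf("overflow by %zu bytes\n", overflow_amount(a_string(68))); /* 5 */
    return 0;
}
```

Note that 64 'A's already overflow by one byte, because strcpy writes the terminating NUL too; the hardened function therefore rejects a 64-character name rather than a 65-character one. Modern compilers can also add a stack canary with -fstack-protector, which makes an overwrite like this abort the program before the corrupted return address is used.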
warzone.rpis.ec
SSH in as intro02 – use the password you got from solving intro01
Example ELF / EXE in Memory
(Figure: runtime memory layout – stack, heap, libraries (libc), ELF executable with .text and .data segments.)
• What if there’s no easy function to pop a shell like intro02? – No easy ‘win’ function
• Make our own exec() function in a buffer on the stack, and redirect control flow to it!
INJECTING CODE – Shellcode and other antics
PWNING the Stack
(Figure; surviving labels: put x86 in buffer on the stack; overwrite return.)
Intro03 & Additional Reading
• There are multiple ways to solve intro03; we would like to see you use shellcode to solve it
• http://insecure.org/stf/smashstack.html
• We’ll cover writing shellcode & more advanced forms of exploitation later this year