cs6447

Exam Cheat Sheet

2019-08-21T00:00:00+00:00

Exploitation

Shellcode

Launch /bin/sh (no null bytes) 25 bytes

xor eax, eax
push eax
push 0x68732f2f    ; //sh
push 0x6e69622f    ; /bin
mov ebx, esp
push eax

push SYS_execve
pop eax
xor ecx, ecx
xor edx, edx

int 0x80

Read/Write to FD 56 bytes

; create 16 byte buffer on stack
push 0x61616161
push 0x61616161
push 0x61616161
push 0x61616161

; Read
mov eax, 0x03
mov ebx, 1000 ; fd
mov ecx, esp  ; buf
mov edx, 20   ; count

int 0x80

; Write
mov eax, 0x04
mov ebx, 1   
mov edx, 20  

int 0x80

ROP

Write Primative

At some point, you may need to write to somewhere in memory, and then reference this address (e.g. if you need a pointer to a string).

Find a rw memory segment (objdump -t binary | grep bss)
Find a gadget of the form mov [e?x], e?x; ret;
- This gadget can be used to write data from second register into the address pointer to in the first register

Heap

Exploit Checklist

Use After Free
Double Free
Heap Buffer Overflow
Use of Uninitialised Memory

Controlling Malloc Behaviour

malloc_hook and free_hook are function pointers that can be changed at runtime (i.e. if you want to use your own malloc implementation)

/* __malloc_hook */
void *function (size_t size, const void *caller)

/* __free_hook */
void function (void *ptr, const void *caller)

Heap Data Structures

struct malloc_chunk {

  INTERNAL_SIZE_T      mchunk_prev_size;  /* Size of previous chunk (if free).  */
  INTERNAL_SIZE_T      mchunk_size;       /* Size in bytes, including overhead. */

  struct malloc_chunk* fd;                /* double links -- used only if free. */
  struct malloc_chunk* bk;

  /* Only used for large blocks: pointer to next larger size.  */
  struct malloc_chunk* fd_nextsize;       /* double links -- used only if free. */
  struct malloc_chunk* bk_nextsize;
};

Visualisation:

Note: the ‘Red’ region is the data chunk. When the chunk is allocated, the data will overwrite this region

Source: Azeria Labs

Reverse Engineering

Data and Control Patterns

Arrays & Structs

The size of offset constants and register usage can provide information about the size of the data structures in the array/struct.
Structs are usually accessed via an offset into the struct (e.g. [eax+4h]). The first item in the struct will just be at the address of the struct

Modular Arithmetic

Calculating the modulo from the magic number:

m = 2³² / magic number
If the line sar edx, arg exists, multiply m by 2^arg

Examples:

Modulo	Assembly	2³² / Magic Number
6		5.9999…
7		1.7499…
9		4.4999…

x86 Architecture

Registers

Source: flint.cs.yale.edu/cs421/papers/x86-asm/asm.html

Flags

Subset of relevant flags

Flag	Purpose
`CF`	Carry
`PF`	Parity
`ZF`	Zero
`SF`	Sign

Instructions

Frequent, Obscure and confusing instructions

Instruction	Purpose
`cmp` a1, a2	Result = a2 - a1 (so if equal, zero flag set)
`test` a1, a2	a1 AND a2 (so if equal, result is NOT zero - zero flag clear). Commonly used to test whether a value is zero (since `test a, a` sets ZF iff a = 0)
`imul` a1	Signed Multiply. With one operand, multiplies a1 with the value in EAX. Result is stored in EDX:EAX.
`lea` & `mov` with `[]` dereferencing	The square brackets are equivalent to dereferencing a pointer (i.e. ``). So `mov eax, [ebx]` will move the value pointed to by the address ebx into eax). Common arithmetic trick: `lea eax, [ebx4]` will move the result of the ebx*4 expression into eax.
`sar` a1	Part of the ‘Shift’ family. Shift Arithmetic Right. SAR sets the most significant bit to correspond to the sign bit of the original value.

Source Code Auditing

Bug Classification

Bad API Usage
- Incorrect arguments
  - E.g. mixing up arguments for memset() resulting in writing to 0 memory locations!
- Use of Dangerous Functions
  - gets() is just bad (buffer overflow)
  - strcpy() and strcat() are just bad (buffer overflow)
  - strncpy() does not add a null terminator
  - printf() format strings
Logic Bugs
- Paths in the program that lead to privileged access of some kind that were unintended
Data Types and Type ~Conversion~ Confusion
- Integer Overflows
- Implicit Type Conversions resulting in overflow/underflow
- Pointer Arithmetic
Race Conditions
Heap Vulnerabilities:
- Use After Free
- Malloc return value not checked (allocate/use null!)
- Double Frees

Tutorial 9 Revision

2019-07-30T12:00:00+00:00

Reversing other languages

C++

Functions have really stupid names
Still similar to C, with prelogue and epilogue pushing/popping etc.
Still have get_pc_thunk

Objects

Geeks::Geeks
- Class called ‘Geeks’, containing a funtion called ‘Geeks’
this operator
- Pointer to a struct that has:
  - A collection of variables and function pointers
  - This is the current object, and the struct defines the functions/vars of this object
- Usually some register is selected, and will be used with very strange offsets
  - This register is probably this
  - Just assume this is an argument to a function when reversing back into C
Vectors
- Arrays on the heap (that can be expanded using realloc)

Go

Many of the functions will be error handling etc.
Try to ignore all the confusing stuff, and just identify the function calls
- Try to work out the contents by looking for global variables and function calls

Partial Overwrites

Function returning

 -------------------
|   [small buffer]  | < esp
|                   |
|     saved ebp     | < ebp
|        ret        |
|-------------------|
|  prev func stack  |
|           frame   |
|                   |
|   [big buffer]    |
|                   |
|                   |
|     saved ebp     |
|        ret        |
 -------------------

leave instruction:
- mov esp, ebp; pop ebp;
If we overflow the small buffer one byte into saved ebp, then esp will move into our big buffer
Now esp is pointing to our big buffer, so when that function ends, we will return to gadgets in big buffer

Lecture 9 Revision

2019-07-29T12:00:00+00:00

REvision

REP instruction (repeat). E.g. if in ecx (count), it will count down until it’s 0.
- often used in strcpy, initialising array to all 0’s etc.
ESP vs EBP offsets
- ESP continually changes, EBP is constant for the entire function
Structs
- Offsets and the way variables are used (e.g. use of 1-byte registers imply char, dereferencing vs. not dereferencing).
- Char would be mov byte (not mov dword) etc.
Arrays
- all operations on the array will be the same size (unlike structs)

Tooling: strace (syscall tracing), ltrace (library call tracing)

Shellcode

mprotect to change memory region permissions
- Jump to PLT (lookup) to call functions
- Use rop to mprotect, then run your own shellcode
Avoid '\0x0a' and '\x00'

Partial Return Address Overwrite

ASLR only really randomises the middle of the address
- All pages start at 000, and the upper byte is usually the same too.
Since the number is stored in little endian, it’s very easy to just overwrite the lower byte
- And the offsets will be the same for the lower few bytes, so you can work out where functions are and jump to them (relative)

Source Code Auditing

Bad API Usage
- With strncpy if you put exactly n characters, it won’t put the null byte in.
Heap
- Use after free, double free etc.
- Custom malloc implementations
Integer overflow/underflow
- look at how the number is later used and what this could do
Type Conversions
Incorrect use of sizeof() (returns size of pointer)
Pointer arithmetic
- Can crop up in for loops
Forgetting to kill after checking permissions etc.
Race conditions

ROP

Chaining functions
- To ensure yo ucan call another function, you need a gadget such as pop pop ret to tidy up the stack after the function call.
  - CDECL: caller does housekeeping

Stack Pivots

$ ropper -f file --stack-pivot

‘Stack Pivot instructions’: changes ESP somehow
- E.g. xchng e?x, esp, add esp, x, ret x
Moving the stack frame

Tutorial 8 Heap Practical

2019-07-23T12:00:00+00:00

Tooling

pwndbg vis_heap_chunks is broken unless you specify the address and length (for wargame challenges - compilationerror or something)

Notes for Challenges

The vulnerability will be one of:
- Double Free
- Use after Free
- Buffer Overflow
- Use of uninitialised memory
Random chunks that weren’t allocated - probably something in libc using malloc
Fast bins never update the ‘prev in use’ bit - because it doesn’t do checks to merge. The purpose of this bit is to check whether it should merge

Lecture 8 Heap Exploitation

2019-07-22T12:00:00+00:00

Introduction to Heap

Heap is extremely dependent on the implementation, OS, specific implementation details
Is a modern exploitation technique
Need to understand the structure of the heap and how it works
Heap exploitation is basically mixing data and control
Harder to identify
- called malloc in certian order, or called free twice etc.
Attacking the implentation of the heap, not programmers

What is the Heap?

OS provides memory (through malloc API) in multiples of 0x1000
Different libraries, OS etc. use different heap management implementations
Heap exploitation is hard
- You can’t just ‘guess and check’.
- need to understand the program to solve any heap challenge

Malloc Implentations

There are several different malloc implementations

dlmalloc: general purpose, no threads, very old
ptmalloc2 (glibc): fast for single-threaded applications, and fast for very small allocations. Also supports multithreading
Chrome and Firefox have their own malloc implentations (tcmalloc, jemalloc) for more specialised
- There is a malloc_hook function (ptr) that allows you to specify your own memory allocator

How does Malloc Work?

Dynamic memory allocator
Allocates a large chunk of memory (through a syscall), and then
- returns struct malloc_chunk
‘First Fit’ allocator (usually)
- What’s to return the first chunk that will fulfill the request
- Each chunk stores metadata on either side of it (see struct malloc_chunk contents)
Maintains a ‘free’ list so it can quickly jump through free blocks
Some fields of the struct are only used if the chunk is free
size includes the metadata
fd is what is returned to the malloc user (and the following addresses are in bk). But if the block is free, it is a pointer to the next chunk.
On the first allocation, a large chunk is allocated. The first n bytes are the requested bytes from malloc, and the remaining region is the top chunk. We then break off the top of the top chunk each time we need more.
Global variable in libc called main_arena describes the heap

How does Free work?

Free needs to be fast. (Fast Code = low security)
The free chunks are divided into different sizes
- and within the size classes, the chunks are sorted into bins (bucket sort)
- So essentially an O(1) to return a chunk of a certain size
- Bins are arrays of linked lists of chunks
- The nodes in the linked lists are old chunks
Fast Bins are multiples of 8.
- Array of linked lists of chunks of certian sizes
- Always take first off the list - so O(1) retrieval
- Never merge bins
Small Bins
- Faster than large bins
- Each bin maintains a doubly linked list (FIFO)
- Each bin has chunks of same size.
- There are more small bins
- When you free two chunks adjacent to each other: then the chunks are coalesced into one larger chunk
Unsorted Bin
- Initially a free chunk is put into an unsorted bin
- When a new chunk is allocated, it loops through this list and sorts the chunks until the correct size is found.
tcache
- Very simliar to fast bins, except they removed all the security checks
- The only check it does is to ensure that there aren’t already max chunks in the tcache.

Reference: Azeria Labs

Exploits

It’s hard to exploit a program with only one of these vulnerabilities. You usually need a few to perform exploitation.

Use after free
- You can overwrite the forward pointer, and corrupt the free list struture
- Can also provide leaks
Double free
- In fastbins, it will check that the free request is not the first item in the free list already (tcache doesn’t). To get double free, need to have something in between the frees so that the check passes
Leaking with small chunks
- The small bins point back into the main arena (in libc).
  - (The first element’s backward pointer points into libc)
- If you can print the first thing in smallbin list, you have an address leak into libc!
Forging chunks
- Corrupt the free structure to forge a chunk wherever you like in memory
Heap Spray

Usually the goal is to get two chunks to overlap and overwrite data in another chunk.

ROP is hard on with heap (because you can’t control the stack), so one_gadget is the saviour.

pwndbg Commands

Command	Purpose
`heap`	Shows all chunks allocated, and their types
`bins`	Shows type of bins
`vis_heap_chunks`	Visualise the heap chunks

Need to make sure using the same libc library

LD_PRELOAD allows you to force a program to use a different libc version
Need to do this in case the algorithms are different in different versions.

Lecture 7 Rop

2019-07-15T00:00:00+00:00

Return Oriented Programming

Using Buffer Overflow to call 2 functions

 ----------------
|                |
|                |
|                |
|                | f2 arg2
|   f1 arg 2     | f2 arg 1
|   f1 arg 1     | Expected return for f2
|return addr f1()| <- manipulate to be f2
|address of f1() | <- original return address of overflow function,
|AAAAAAAAAAAAAAAA|                 now overwritten with address of f()
|AAAAAAAAAAAAAAAA|
|AAAAAAAAAAAAAAAA|
|      ...       |
|                |
 ----------------

We can’t do it and preserve arguments

Where can we redirect execution (when other protections in place)?

Static Libraries
Lib
Pops the last item off the stack and jumps to eip

ROP Gadgets

Find a few instructions followed by ret somewhere in an executable region

E.g.

pop
pop
ret

Some instuctions can be found by changing the offset on bytes (so it will treat the bytes differently).
- In GDB x/12i 0xdeadbeef will display memory interpreted as assembly
We can then jump to this to perform desired actions (e.g. to push the appropriate arguments onto the stack to call two functions at once)

Finding Gadgets

Pwntools

  code = ELF('./mybinary')
  gadget = code.search(asm())

ROPgadget
ROPPER

N.B. Don’t use automated tools blindly to generate payloads! Use them to find instructions

RET to Libc

In some programs (e.g. small programs), it’s hard to find the instructions you need.
libc must be somewhere on the machine, so all libraries are there (we just don’t know where they are)
- we can use gadgets within libc in exactly the same way as using gadgets within the program
Where is libc? (in memory - what’s the offset etc.)
- GOT table: leak libc address.
- How do you leak??
```
puts(*puts);
```
- Execute puts with puts got offset and it will print the libc address of puts
What version of libc?
- Leak the address: and then calculate offset to desired libc function (or gadget)
- Libc DB

Extensions

ROP chains can become very large, and you may not be able to fit them all in your buffer overflow
Can move stack somewhere else that is -wx
Use partial/complete overwrite of esp to move stack
Use a ret sled and jump back to your own buffer (make sure you return to a 4-byte aligned address)
one gadget is a series of instructions that result in a shell (usually requires some registers to be set up correctly beforehand)
- useful if you have limited space or only space to execute one gadget
- one_gadget program will find them in libc

Midsem Exam Recap

2019-07-09T00:00:00+00:00

Mid-Sem Summary

Finding Function Locations

For non-PIE binaries, can get address of functions using objdump.

objdump -t bunary | grep func

or alternatively, with pwntools:

p.elf.symbols["func"]

Avoid Null-bytes in Shellcode

Instead of mov eax, SYS_execve, use mov al, SYS_execve (there iwll be no null padding)
pwntools shellcraft tries to avoid nulls and newlines (however can be long)
Sometimes payload needs to be only ASCII

My Shellcode (created post-exam)

    xor eax, eax
    push eax        
    push 0x68732f2f  
    push 0x6e69622f  
    mov ebx, esp 
    push eax 

    push SYS_execve
    pop eax
    xor ecx, ecx
    xor edx, edx

    int 0x80

Lecture 5 Rootkits

2019-07-01T00:00:00+00:00

What is a Rootkit?

Achieve root access on a system
May want to persist
Aim to hide presence to the system user

Userland Kits

Changing widely used programs (e.g. ls)
often to hide other aspects
infect some process and run from them

Kernel Kits

Hooking Redirect code execution to your own code

Type 1

Syscall Table

Array of function pointers (syscall id is an index into this table)
Can easily replace syscalls to perform extra checks and run your own code on calls

Interrupt Descriptor Table

Used for handling different types of interrupts
Div0 handler, pagefault handler

Changing these are simple, and easy to detect

Type 2

Manipulate internal kernel data structures
Hook special files (such as /proc and /dev) - these call functions when read (and they are dynamic)

Detection

Userland: signature everything
Kernel: check addresses are in sane locations
- Check data structures vs what a process tells you about something (e.g. files in dir)
- tasklist: in linux, every new process will have one, so the rootkit will have one of these
  - Look for things that the rootkit author can’t destroy

Lecture 5 Source Code Auditing

2019-07-01T00:00:00+00:00

Motivation

Much easier to find bugs when reading C code (not assembly)
Need to understand the purpose of the program in order to find the bugs

Classifications of Bugs

Bad API usage
Logic Bugs
Integer overflows
- Most real-world buffer overflows are caused by overflow in buff size calculations
Type ~~Conversion~~ Confusion (can lead to overflow)
Operators
Pointer Aithmetic
Race conditions
Heap Overflows:
- Use After Free
- Failed malloc not checked (can allocate null, so that it gets dereferenced and used!)
- Double Frees

Many of these are down to programmer error

Dangerous Functions

gets()
printf() when misused
strcpy()
strncpy() - doesn’t add null terminator
memset() - people mix up the arguments!

Lecture 4 Format Strings

2019-06-24T00:00:00+00:00

Format Strings

The format string specifies how subsequent arguments are converted to output

~ Man Page

%n: Writes number of characters written so far to the argument (i.e. not to the output stream)

To avoid null byte problem, put the data at the end, and ensure all format arguments are at the beginning (so that they get executed before the printing terminates)

Where is libc?

PLT: Process Linkage Table

Call external functions whose addresses are loaded in dynamically

GOT: Global Offset Table

‘Refernce Table’ for where various libc functions can be found
Initially, entirely populated with pointers back to PLT.
- Jump to ld.so (Dynamic linker/loader), which then finds and loads the required function
We can manipulate the GOT to point to our own functions instead of library functions
- GOT should not be writable, but it is (because things aren’t linked at launch, they are dynamically linked at runtime).

cs6447

Exam Cheat Sheet

Exploitation

Shellcode

ROP

Heap

Heap Data Structures

Reverse Engineering

Data and Control Patterns

x86 Architecture

Registers

Flags

Instructions

Source Code Auditing

Bug Classification

Tutorial 9 Revision

Reversing other languages

C++

Go

Partial Overwrites

Lecture 9 Revision

REvision

Shellcode

Source Code Auditing

ROP

Tutorial 8 Heap Practical

Tooling

Notes for Challenges

Lecture 8 Heap Exploitation

Introduction to Heap

What is the Heap?

Malloc Implentations

How does Malloc Work?

How does Free work?

Exploits

pwndbg Commands

Need to make sure using the same libc library

Suggested Reading

Lecture 7 Rop

Return Oriented Programming

Using Buffer Overflow to call 2 functions

Where can we redirect execution (when other protections in place)?

ROP Gadgets

Finding Gadgets

RET to Libc

Midsem Exam Recap

Mid-Sem Summary

Lecture 5 Rootkits

What is a Rootkit?

Userland Kits

Kernel Kits

Type 1

Type 2

Detection

Lecture 5 Source Code Auditing

Motivation

Classifications of Bugs

Dangerous Functions

Lecture 4 Format Strings

Format Strings

Where is libc?