Useful
Contents
Useful Things
Other Links
(From my COMP6447 tutoring page)
Memory
old_ebp
is the old ebp addressebp+4
is the return address- i.e. a buffer at
ebp-0x108
needs to have0x108 + 4
bytes of padding before the overwrite return address
Defeating Protection Mechanisms
RELRO
- Partial RELRO - Overwrite GOT entry
- Full RELRO - Use a function hook (malloc_hook)
Stack Canary
- Custom - Overwrite the canary
- Proper - Leak the canary, then overwrite
No eXecute Bit
- ROP (ret2libc,
one_gadget
) - Could try to unlock the memory region
- ROP (ret2libc,
PIE
- Leak an address in the memory region
- The offsets within each library are always the same
Triage Steps
We want to find the nature of the exploit.
Buffer overflow?
Print format vulnerability?
Canary override?
Heap exploitation?
Shell code?
ROP chain?
NOP sled?
RET sled?
1) checksec
2) Check for vulnerable buffer
functions (gets, fgets)
3) Check for vulnerable printf
functions
4) Check for vulnerable free
routines
Source Auditing Checklist
- Check types
- Check the subtraction instructions done as arguments to function calls - can it be negative? overflow?
- Check the checks (pre-increment or post-increment)
- Check indexes of arrays
- Check negatives
Programs
gropper
-ropper
withgrep
1
gropper () { ropper -f "$1" --nocolor | grep "$2"; }
checksec
- security protection checkone_gadget
pwndbg
context
vis_heap_chunks
bins
b ____
- break at____
ni
- next instructionstep
continue
finish
frame
vmmap
Python / pwntools
p.sendline(line)
p.sendlineafter(token, line)
p32(int)
-> 4_byteu32(4_byte)
-> intfit / flat ({ map }, filler=b'\0')
shellGen(assembly)
- function_shellGen.pygenFmtStr(byte4, where, stackStart)
- function_genFmtStr.pyp.elf
.address = base_address
.symbols['name']
.plt['name']
.search()
Other
- Syscall Table - https://featherbear.cc/UNSW-COMP6447/syscall/
sys_execve("/bin//sh")
- shellcode_execve_binsh.asm- Egg hunter - shellcode_execve_binsh.asm
Useful bash things
alias binja=/opt/binaryninja/binaryninja
gropper () { ropper -f "$1" --nocolor | grep "$2"; }
alias banana=/syncDir/UNSW/UNSW-COMP6447/startPwnDocker.sh