Previous revision: session:10 [2020/07/13 04:11] Silvia Pripoae [Bypassing ASLR]
Current revision: session:10 [2020/07/19 12:49] (current)
Line 1: | Line 1: | ||
- | = 0x09. Defense Mechanisms | + | ====== 0x09. Defense Mechanisms |
- | == Resources | + | ===== Resources |
- | [[http:// | + | [[http:// |
- | [[https://security.cs.pub.ro/summer-school/res/arc/09-defense-mechanisms-skel.zip|Activities archive]] | + | Get the tasks by cloning |
- | == Tutorials | + | |
+ | ===== Tutorials | ||
The previous sessions ([[: | The previous sessions ([[: | ||
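Review bot: the "Activities archive" zip link is dropped in favour of "Get the tasks by cloning"; the replacement must name the repository URL and the path to this session's tasks, since the zip was the only pointer readers had to the task files. The heading rewrite from `=`/`==` to `======`/`=====` matches DokuWiki syntax (more `=` means a higher level) and is consistent with the rest of the page.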
Line 24: | Line 25: | ||
</ | </ | ||
- | == Tools | + | ===== Tools ===== |
The **checksec** command-line tool is a wrapper over the functionality implemented in pwntools' | The **checksec** command-line tool is a wrapper over the functionality implemented in pwntools' | ||
Line 47: | Line 48: | ||
- | === Executable Space Protection | + | ==== Executable Space Protection |
The **executable space protection** is an instance of the **principle of least privilege**, | The **executable space protection** is an instance of the **principle of least privilege**, | ||
Line 69: | Line 70: | ||
There are of course other implementations in different hardening-oriented projects such as: OpenBSD [[http:// | There are of course other implementations in different hardening-oriented projects such as: OpenBSD [[http:// | ||
- | ==== Walk-through | + | === Walk-through |
The Linux kernel provides support for managing memory protections in the '' | The Linux kernel provides support for managing memory protections in the '' | ||
Line 196: | Line 197: | ||
</ | </ | ||
- | ==== Bypassing NX | + | === Bypassing NX === |
**ret-to-plt/ | **ret-to-plt/ | ||
Line 204: | Line 205: | ||
**Return Oriented Programming (ROP).** This is a generalization of the ret-to-* approach that makes use of existing code to execute almost anything. As this is probably one of the most common types of attacks, it will be discussed in depth in a future section. | **Return Oriented Programming (ROP).** This is a generalization of the ret-to-* approach that makes use of existing code to execute almost anything. As this is probably one of the most common types of attacks, it will be discussed in depth in a future section. | ||
- | === Address Space Layout Randomization | + | ==== Address Space Layout Randomization |
Address Space Layout Randomization (ASLR) is a security feature that maps different memory regions of an executable at random addresses. This prevents buffer overflow-based attacks that rely on known addresses such as the stack (for calling into shellcode), or dynamically linked libraries (for calling functions that were not already linked with the target binary). Usually, the sections that are randomly mapped are: the stack, the heap, the VDSO page, and the dynamic libraries. The code section can also be randomly mapped for [[http:// | Address Space Layout Randomization (ASLR) is a security feature that maps different memory regions of an executable at random addresses. This prevents buffer overflow-based attacks that rely on known addresses such as the stack (for calling into shellcode), or dynamically linked libraries (for calling functions that were not already linked with the target binary). Usually, the sections that are randomly mapped are: the stack, the heap, the VDSO page, and the dynamic libraries. The code section can also be randomly mapped for [[http:// | ||
Line 234: | Line 235: | ||
</ | </ | ||
- | === Bypassing ASLR | + | ==== Bypassing ASLR ==== |
**Bruteforce.** If you are able to inject payloads multiple times without crashing the application, | **Bruteforce.** If you are able to inject payloads multiple times without crashing the application, | ||
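Review bot: heading level is inconsistent with the NX part of the page. "Bypassing NX" was set to `=== Bypassing NX ===`, one level below `==== Executable Space Protection`, but here `==== Bypassing ASLR ====` sits at the same level as `==== Address Space Layout Randomization`; use `=== Bypassing ASLR ===` so the bypass is nested under the mechanism in both places.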
Line 258: | Line 259: | ||
**Information leak.** The most effective way of bypassing ASLR is by using an information leak vulnerability that exposes randomized address, or at least parts of them. You can also dump parts of libraries (e.g., '' | **Information leak.** The most effective way of bypassing ASLR is by using an information leak vulnerability that exposes randomized address, or at least parts of them. You can also dump parts of libraries (e.g., '' | ||
- | === Tutorial: Chaining Information Leaks with GOT Overwrite | + | ==== Tutorial: Chaining Information Leaks with GOT Overwrite |
In this tutorial we will exploit a program that is similar to '' | In this tutorial we will exploit a program that is similar to '' | ||
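Review bot: typo in the unchanged information-leak paragraph, "exposes randomized address" should read "exposes randomized addresses". While touching it, "or at least parts of them" deserves one sentence on what a partial leak buys: a single leaked pointer into a randomized region is enough to recover that region's base once the pointer's offset is known from the binary or from the provided libraries. The tutorial heading that follows has the same level question as "Bypassing ASLR": `==== Tutorial: ...` versus `=== Bypassing NX ===`.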
Line 366: | Line 367: | ||
</ | </ | ||
- | === RELRO | + | ==== RELRO ==== |
**RELRO** (**Rel**ocation **R**ead-**O**nly) defends against attacks which overwrite data in relocation sections, such as the GOT-overwrite we showed earlier. | **RELRO** (**Rel**ocation **R**ead-**O**nly) defends against attacks which overwrite data in relocation sections, such as the GOT-overwrite we showed earlier. | ||
Line 377: | Line 378: | ||
This is not a game-over in terms of exploitation, | This is not a game-over in terms of exploitation, | ||
- | == seccomp | + | ==== seccomp |
**seccomp** is a mechanism though which an application may transition into a state where the system calls it performs are restricted. The policy, which may act on a whitelist or blacklist model, is described using [[https:// | **seccomp** is a mechanism though which an application may transition into a state where the system calls it performs are restricted. The policy, which may act on a whitelist or blacklist model, is described using [[https:// | ||
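Review bot: typo in the seccomp paragraph, "a mechanism though which an application may transition" should read "a mechanism through which an application may transition". Promoting `seccomp` from `==` to `====` is right, since it is another defense mechanism alongside RELRO rather than a top-level section like Resources or Challenges.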
Line 413: | Line 414: | ||
</ | </ | ||
- | == Challenges | + | ===== Challenges |
- | === 01-04. Challenges - rwslotmachine[1-4] | + | ==== 01-04. Challenges - rwslotmachine[1-4] |
All of the challenges in this section are intended to be solved with **ASLR enabled**. However, you are free to disable it while developing your exploit for debugging purposes. You are provided with the needed shared libraries from the remote system. | All of the challenges in this section are intended to be solved with **ASLR enabled**. However, you are free to disable it while developing your exploit for debugging purposes. You are provided with the needed shared libraries from the remote system. | ||
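Review bot: the section says the shared libraries from the remote system are provided but not how they are meant to be used; add one line on making the local binary load those exact libraries (for example by preloading them or pointing the loader at them), otherwise the offsets computed for the leak will not match the remote and the "solve with ASLR enabled" instruction is hard to follow.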
Line 439: | Line 440: | ||
- | === 05. Bonus - rwslotmachine5 | + | ==== 05. Bonus - rwslotmachine5 |
+ | This challenge is similar to '' | ||
+ | |||
+ | <note tip> | ||
+ | You can find a table describing x86 syscalls [[http:// | ||
+ | </ |