This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
session:10 [2020/07/14 16:08] Silvia Pripoae [Resources] |
session:10 [2020/07/19 12:49] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | = 0x09. Defense Mechanisms | + | ====== 0x09. Defense Mechanisms |
- | == Resources | + | ===== Resources |
[[http:// | [[http:// | ||
Line 8: | Line 8: | ||
- | == Tutorials | + | ===== Tutorials |
The previous sessions ([[: | The previous sessions ([[: | ||
Line 25: | Line 25: | ||
</ | </ | ||
- | == Tools | + | ===== Tools ===== |
The **checksec** command-line tool is a wrapper over the functionality implemented in pwntools' | The **checksec** command-line tool is a wrapper over the functionality implemented in pwntools' | ||
Line 48: | Line 48: | ||
- | === Executable Space Protection | + | ==== Executable Space Protection |
The **executable space protection** is an instance of the **principle of least privilege**, | The **executable space protection** is an instance of the **principle of least privilege**, | ||
Line 70: | Line 70: | ||
There are of course other implementations in different hardening-oriented projects such as: OpenBSD [[http:// | There are of course other implementations in different hardening-oriented projects such as: OpenBSD [[http:// | ||
- | ==== Walk-through | + | === Walk-through |
The Linux kernel provides support for managing memory protections in the '' | The Linux kernel provides support for managing memory protections in the '' | ||
Line 197: | Line 197: | ||
</ | </ | ||
- | ==== Bypassing NX | + | === Bypassing NX === |
**ret-to-plt/ | **ret-to-plt/ | ||
Line 205: | Line 205: | ||
**Return Oriented Programming (ROP).** This is a generalization of the ret-to-* approach that makes use of existing code to execute almost anything. As this is probably one of the most common types of attacks, it will be discussed in depth in a future section. | **Return Oriented Programming (ROP).** This is a generalization of the ret-to-* approach that makes use of existing code to execute almost anything. As this is probably one of the most common types of attacks, it will be discussed in depth in a future section. | ||
- | === Address Space Layout Randomization | + | ==== Address Space Layout Randomization |
Address Space Layout Randomization (ASLR) is a security feature that maps different memory regions of an executable at random addresses. This prevents buffer overflow-based attacks that rely on known addresses such as the stack (for calling into shellcode), or dynamically linked libraries (for calling functions that were not already linked with the target binary). Usually, the sections that are randomly mapped are: the stack, the heap, the VDSO page, and the dynamic libraries. The code section can also be randomly mapped for [[http:// | Address Space Layout Randomization (ASLR) is a security feature that maps different memory regions of an executable at random addresses. This prevents buffer overflow-based attacks that rely on known addresses such as the stack (for calling into shellcode), or dynamically linked libraries (for calling functions that were not already linked with the target binary). Usually, the sections that are randomly mapped are: the stack, the heap, the VDSO page, and the dynamic libraries. The code section can also be randomly mapped for [[http:// | ||
Line 235: | Line 235: | ||
</ | </ | ||
- | === Bypassing ASLR | + | ==== Bypassing ASLR ==== |
**Bruteforce.** If you are able to inject payloads multiple times without crashing the application, | **Bruteforce.** If you are able to inject payloads multiple times without crashing the application, | ||
Line 259: | Line 259: | ||
**Information leak.** The most effective way of bypassing ASLR is by using an information leak vulnerability that exposes randomized address, or at least parts of them. You can also dump parts of libraries (e.g., '' | **Information leak.** The most effective way of bypassing ASLR is by using an information leak vulnerability that exposes randomized address, or at least parts of them. You can also dump parts of libraries (e.g., '' | ||
- | === Tutorial: Chaining Information Leaks with GOT Overwrite | + | ==== Tutorial: Chaining Information Leaks with GOT Overwrite |
In this tutorial we will exploit a program that is similar to '' | In this tutorial we will exploit a program that is similar to '' | ||
Line 367: | Line 367: | ||
</ | </ | ||
- | === RELRO | + | ==== RELRO ==== |
**RELRO** (**Rel**ocation **R**ead-**O**nly) defends against attacks which overwrite data in relocation sections, such as the GOT-overwrite we showed earlier. | **RELRO** (**Rel**ocation **R**ead-**O**nly) defends against attacks which overwrite data in relocation sections, such as the GOT-overwrite we showed earlier. | ||
Line 378: | Line 378: | ||
This is not a game-over in terms of exploitation, | This is not a game-over in terms of exploitation, | ||
- | == seccomp | + | ==== seccomp |
**seccomp** is a mechanism though which an application may transition into a state where the system calls it performs are restricted. The policy, which may act on a whitelist or blacklist model, is described using [[https:// | **seccomp** is a mechanism though which an application may transition into a state where the system calls it performs are restricted. The policy, which may act on a whitelist or blacklist model, is described using [[https:// | ||
Line 414: | Line 414: | ||
</ | </ | ||
- | == Challenges | + | ===== Challenges |
- | === 01-04. Challenges - rwslotmachine[1-4] | + | ==== 01-04. Challenges - rwslotmachine[1-4] |
All of the challenges in this section are intended to be solved with **ASLR enabled**. However, you are free to disable it while developing your exploit for debugging purposes. You are provided with the needed shared libraries from the remote system. | All of the challenges in this section are intended to be solved with **ASLR enabled**. However, you are free to disable it while developing your exploit for debugging purposes. You are provided with the needed shared libraries from the remote system. | ||
Line 440: | Line 440: | ||
- | === 05. Bonus - rwslotmachine5 | + | ==== 05. Bonus - rwslotmachine5 |
This challenge is similar to '' | This challenge is similar to '' |