# Understanding programs in memory
http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
http://duartes.org/gustavo/blog/post/journey-to-the-stack/
http://duartes.org/gustavo/blog/post/epilogues-canaries-buffer-overflows/
# Intro to Assembly
http://www.securitytube.net/groups?operation=view&groupId=5
# Intro to Buffer Overflows
https://www.youtube.com/watch?v=1S0aBV-Waeo
# YouTube Channels
https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w
EAX - Accumulator
Holds return value usually
EBX - Base
Base Calculations (Arrays, Pointers into Arrays of objects)
ECX - Count / Accumulator
EDX - Data I/O Pointer
ESI - Source index
for source of string / array operands
EDI - Destination index
for destination of string / array operands
EIP - Instruction Pointer
Points to next instruction
ESP - Stack Pointer
Points to the top of the stack
EBP - Stack Base Pointer
Points to the base of the stack
mov - move (copy) a value into a register or memory location
jmp - jump to address
call - jump to address and push exec address to stack
ret - pops the top value off the stack and jumps to it
push - decrements the stack pointer and stores the operand at the new top of the stack
pop - loads the operand with the value at the top of the stack, then increments the stack pointer
Check ASLR/DEP
# Linux
Kali> checksec filename
# Windows
https://github.com/PowerShellMafia/PowerSploit
C:\> Get-PESecurity -file "filename"
Disable/Enable ASLR
# Linux
Kali> echo 0 > /proc/sys/kernel/randomize_va_space   # 0 = randomization off
Kali> echo 2 > /proc/sys/kernel/randomize_va_space   # 2 = full randomization (the default)
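The two checks above come down to two data sources: the PT_GNU_STACK program header flags that checksec reads for its NX column, and the randomize_va_space sysctl. The C program below is an added example written for these notes (it is not from any of the linked sources). It parses an ELF64 image for that header, reads the sysctl, and builds a constructed in-memory fixture ELF so the parser can be exercised without a real binary; the fixture and its placeholder field values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF constants mirrored from <elf.h> so the example has no platform-header dependency */
#define PT_GNU_STACK 0x6474e551u
#define PF_X 0x1u
#define PF_W 0x2u
#define PF_R 0x4u
#define EHDR_LEN 64   /* ELF64 file header size */
#define PHDR_LEN 56   /* ELF64 program header size */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* The check behind checksec's NX column: the PT_GNU_STACK header's flags say whether the kernel
   maps the stack executable. Returns 1 = executable stack (NX off), 0 = non-executable,
   2 = header absent (x86 Linux then defaults to an executable stack), -1 = not a parseable LE ELF64. */
int elf64_stack_executable(const uint8_t *data, size_t len) {
    if (len < EHDR_LEN || memcmp(data, "\x7f" "ELF", 4) != 0) return -1;
    if (data[4] != 2 || data[5] != 1) return -1;          /* ELFCLASS64 and ELFDATA2LSB only */
    uint64_t phoff = rd64(data + 32);
    uint16_t phentsize = rd16(data + 54), phnum = rd16(data + 56);
    if (phentsize < PHDR_LEN) return -1;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off + PHDR_LEN > len) return -1;
        const uint8_t *ph = data + off;
        if (rd32(ph) == PT_GNU_STACK) return (rd32(ph + 4) & PF_X) ? 1 : 0;
    }
    return 2;
}

/* Same check against a file on disk (reads at most 1 MiB; the headers sit at the front) */
int file_stack_executable(const char *path) {
    static uint8_t buf[1 << 20];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return elf64_stack_executable(buf, n);
}

/* Current ASLR policy from the sysctl the notes toggle: 0 off, 1 partial, 2 full, -1 unreadable */
int aslr_level(void) {
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f) return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Constructed test fixture: a minimal, non-runnable ELF64 image whose only program header is
   PT_GNU_STACK (or none at all). Returns the image length, or 0 when the buffer is too small. */
size_t build_test_elf(uint32_t stack_flags, int with_stack_header, uint8_t *out, size_t cap) {
    const size_t total = EHDR_LEN + PHDR_LEN;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;         /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    out[16] = 2; out[18] = 0x3e;                /* ET_EXEC, EM_X86_64 */
    out[32] = EHDR_LEN;                         /* e_phoff: program headers follow the file header */
    out[52] = EHDR_LEN; out[54] = PHDR_LEN;     /* e_ehsize, e_phentsize */
    out[56] = with_stack_header ? 1 : 0;        /* e_phnum */
    wr32(out + EHDR_LEN, PT_GNU_STACK);
    wr32(out + EHDR_LEN + 4, stack_flags);
    return total;
}

/* Builds a fixture with the given flags and runs the parser over it */
int fixture_result(uint32_t stack_flags, int with_stack_header) {
    uint8_t img[EHDR_LEN + PHDR_LEN];
    size_t n = build_test_elf(stack_flags, with_stack_header, img, sizeof img);
    return elf64_stack_executable(img, n);
}

int main(int argc, char **argv) {
    static const char *labels[] = { "not a LE ELF64", "NX enabled (stack not executable)",
                                    "NX disabled (executable stack)", "no PT_GNU_STACK (defaults to executable)" };
    printf("randomize_va_space = %d\n", aslr_level());
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], labels[file_stack_executable(argv[i]) + 1]);
    return 0;
}
```

Compile it with any C compiler and pass ELF binaries as arguments (the file name you give the program is up to you); the sysctl read only works on Linux and reports -1 elsewhere. Only little-endian ELF64 is handled, so 32-bit targets like the libc path in the notes below need the ELF32 header offsets instead.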
# Windows
https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit
http://icompile.eladkarako.com/disable-aslr/
See what libraries a program uses
# Linux
Kali> ldd filename
# Windows
TODO
Find hex addresses of functions/libraries within a program
# Linux
Kali> readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
Kali> strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
Integer-based
TODO
# Sources
https://www.youtube.com/watch?v=d6BU8DWxb3c
Stack-based
Overflow input to overwrite the saved return address (EIP) with an address that leads to the payload
# Sources
https://www.youtube.com/watch?v=1S0aBV-Waeo
https://www.youtube.com/watch?v=4HxUmbOcN6Y (part 1)
https://www.youtube.com/watch?v=MMm0I2Dj51A (part 2)
https://www.youtube.com/watch?v=KGzHcqJV-QM (part 3)
http://www.whitelist1.com/2016/11/xstack-overflow-1-exploiting-slmail.html
http://ch3rn0byl.com/intro-to-buffer-overflows/
http://www.thegreycorner.com/2010/01/beginning-stack-based-buffer-overflow.html
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
SEH-Based
Overflow input to overwrite SEH, NEXT SEH, and perform pop pop ret
# Sources
http://www.thegreycorner.com/2010/01/seh-stack-based-windows-buffer-overflow.html
http://ch3rn0byl.com/stacks-and-handlers-and-python/
Egghunting Sorcery
The art of searching memory
# Sources
http://ch3rn0byl.com/egghunting-sorcery/
http://www.thegreycorner.com/2010/02/windows-buffer-overflow-tutorial.html
Heap-based
Overflow input to overwrite heap with dummy data, 2nd chunk overwrite forward link with destination and backwards link with value
# Sources
https://www.youtube.com/watch?v=HPDBOhiKaD8
https://www.youtube.com/watch?v=TfJrU95q1J4
https://github.com/shellphish/how2heap
http://www.fuzzysecurity.com/tutorials/mr_me/2.html
http://www.thegreycorner.com/2010/01/heap-spray-exploit-tutorial-internet.html
Double-Free
Memory freed twice, which corrupts the heap memory manager's bookkeeping.
1) chunk must be isolated ( no freed adjacent chunks )
2) destination free list bin must be empty
Forward/backward pointers both point to the base of the heap, and the heap points back to the node (self-referential), giving an infinite loop (unlink fails)
deprecated but still works with some creativity
If heap falls into this state you may be able to use after free or another buffer overflow.
# Sources
https://www.youtube.com/watch?v=ZHghwsTRyzQ
https://www.youtube.com/watch?v=gL45bjQvZSU
https://www.youtube.com/watch?v=HWhzH--89UQ
https://www.youtube.com/watch?v=sJPhsE_XeKI
https://www.youtube.com/watch?v=ANIoQXAoyr0
Argument-based
Pass an arbitrary number of arguments until they spill into the registers, leading to a stack overflow
# Sources
TODO
Memory Corruption
Using memory corruption to leak sensitive data
Fuzz the inputs and observe all possible changes in the program
Note any oddities and changes (Especially a dump of bytes! ;))
# Sources
https://www.youtube.com/watch?v=SstD1O4_kwc
Stack Canaries/Cookies
Terminator canaries
Random canaries
Random XOR canaries
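The three canary flavours listed above differ only in how the cookie is chosen; the mechanism is the same: the compiler places the cookie between the local buffer and the saved return address and compares it in the epilogue. The C program below is an added example written for these notes (not code from any linked source) that simulates that frame in a plain byte array so the overflow stays inside defined behaviour, shows an unbounded copy being caught while a bounded copy passes, checks the terminator property of the 0x000aff0d cookie, and shows why the XOR variant also catches a change to the return address alone. The return address values and the rand()-based cookie are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated frame laid out as a stack-protector compiler would: local buffer, then the cookie, then
   the saved return address. It lives in one byte array so the overflow below never leaves the array
   while still showing what the epilogue check catches. */
#define BUF_LEN 16
#define CANARY_OFF BUF_LEN
#define RET_OFF (BUF_LEN + 4)
#define FRAME_LEN (RET_OFF + 4)

/* Terminator canary: 0x000aff0d holds NUL, LF, 0xff and CR, the bytes that end strcpy/gets/scanf input */
#define TERMINATOR_CANARY 0x000aff0du

typedef struct { uint8_t bytes[FRAME_LEN]; } sim_frame;

static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Random canary: a real process draws it once at startup (glibc keeps it in TLS); here rand() stands in */
uint32_t random_canary(void) { return ((uint32_t)rand() << 16) ^ (uint32_t)rand(); }

/* 1 if any byte of the cookie is a string terminator, i.e. it qualifies as a terminator canary */
int canary_has_terminator_byte(uint32_t c) {
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(c >> (8 * i));
        if (b == 0x00 || b == 0x0a || b == 0x0d || b == 0xff) return 1;
    }
    return 0;
}

/* Prologue: store the return address and the cookie (XORed with the return address in xor_mode) */
void frame_enter(sim_frame *f, uint32_t canary, uint32_t ret_addr, int xor_mode) {
    memset(f->bytes, 0, FRAME_LEN);
    put32(f->bytes + RET_OFF, ret_addr);
    put32(f->bytes + CANARY_OFF, xor_mode ? (canary ^ ret_addr) : canary);
}

/* Epilogue: 1 if the cookie still matches, 0 if the frame was smashed. In xor_mode the expected value is
   recomputed from the saved return address, so a changed return address fails even with the cookie intact. */
int frame_leave(const sim_frame *f, uint32_t canary, int xor_mode) {
    uint32_t expected = xor_mode ? (canary ^ get32(f->bytes + RET_OFF)) : canary;
    return get32(f->bytes + CANARY_OFF) == expected;
}

/* The bug: strcpy-style copy with no bound, clamped at the frame edge only to keep the simulation safe */
void copy_unbounded(sim_frame *f, const char *src) {
    size_t i = 0;
    while (src[i] != '\0' && i < FRAME_LEN) { f->bytes[i] = (uint8_t)src[i]; i++; }
}

/* The fix: never write more than the buffer holds, and always terminate */
void copy_bounded(sim_frame *f, const char *src) {
    size_t n = 0;
    while (src[n] != '\0' && n < BUF_LEN - 1) { f->bytes[n] = (uint8_t)src[n]; n++; }
    f->bytes[n] = 0;
}

/* Runs one copy routine against input and reports whether the epilogue check passes (1) or aborts (0) */
int survives_check(void (*copy)(sim_frame *, const char *), const char *input, uint32_t canary) {
    sim_frame f;
    frame_enter(&f, canary, 0x08048000u, 0);   /* constructed placeholder return address */
    copy(&f, input);
    return frame_leave(&f, canary, 0);
}

/* Simulates a corruption that changes only the saved return address; 1 if the check catches it */
int detects_return_tamper(int xor_mode) {
    sim_frame f;
    uint32_t canary = random_canary();
    frame_enter(&f, canary, 0x08048000u, xor_mode);
    put32(f.bytes + RET_OFF, 0x08048100u);      /* constructed: different address, cookie untouched */
    return !frame_leave(&f, canary, xor_mode);
}

int main(void) {
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 30 bytes into a 16-byte buffer */
    printf("unbounded copy, 30 bytes: %s\n", survives_check(copy_unbounded, big, TERMINATOR_CANARY) ? "ok" : "smashed");
    printf("bounded copy, 30 bytes:   %s\n", survives_check(copy_bounded, big, TERMINATOR_CANARY) ? "ok" : "smashed");
    printf("return address changed, plain canary: %s\n", detects_return_tamper(0) ? "caught" : "missed");
    printf("return address changed, XOR canary:   %s\n", detects_return_tamper(1) ? "caught" : "missed");
    return 0;
}
```

The plain cookie only notices writes that pass through it, which is why a corruption that lands directly on the return address is missed until the XOR form ties the cookie to that address.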
# Sources
https://en.wikipedia.org/wiki/Buffer_overflow_protection#Canaries
https://www.rapid7.com/resources/mitigating-buffer-overflow-attacks-with-stack-cookies/
https://www.youtube.com/watch?v=4HxUmbOcN6Y
https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
NX/DEP
Let's get ropped up.
Against DEP/NX you can try ret2libc, which runs existing library code instead of executing anything on the stack
If that is not possible, you can also do a pop ret with suid shellcode that runs after mprotect has re-enabled execution on the data region
Note that the number of pops is proportional to the number of arguments that have to be removed
Pseudocode:
payload += mprotect_addr
payload += pop_pop_pop_ret
payload += top_of_stack
payload += length_of_stack
payload += rwx
# Sources
https://www.youtube.com/watch?v=yS9pGmY_xuo
https://www.youtube.com/watch?v=m17mV24TgwY
https://en.wikipedia.org/wiki/Executable_space_protection
https://en.wikipedia.org/wiki/Return-oriented_programming
https://reverseengineering.stackexchange.com/questions/9336/can-mprotect-set-the-stack-itself-as-executable
https://www.youtube.com/watch?v=5FJxC59hMRY
http://shell-storm.org/talks/ROP_course_lecture_jonathan_salwan_2014.pdf
https://www.exploit-db.com/docs/28479.pdf
http://security.cs.rpi.edu/courses/binexp-spring2015/lectures/11/07_lecture.pdf
http://nicholas.carlini.com/papers/2014_usenix_ropattacks.pdf
There are several tools to find ROP gadgets in ELF binaries: ropper and ROPgadget. If you use radare2 you can also search for gadgets with the /R command
ASLR
Pesky security!
In 32-bit space you can bypass ASLR with a for loop that tries all possibilities in brute-force fashion
# Sources
https://en.wikipedia.org/wiki/Address_space_layout_randomization
http://www.abatchy.com/2017/06/exploit-dev-101-bypassing-aslr-on.html
https://decoder.cloud/2017/06/15/simple-aslrnx-bypass-on-a-linux-32-bit-binary/
%d, %i - signed decimal
%u - unsigned decimal
%o - unsigned octal
%x - unsigned hexadecimal int
%X - unsigned hexadecimal int (UPPERCASE)
%f - decimal float
%e - scientific notation
%a - hexadecimal floating point
%c - char
%s - string
%p - pointer address
%n - writes the number of bytes output so far to the address given by the corresponding argument
each directive consumes the next value off the stack until all are satisfied, or the process segfaults
# printf
prints values on the stack in hex
printed in human-readable form as the little-endian words found on the stack
view arbitrary memory locations
move argument pointer far enough forward to point within the string (%x chain)
printf("\xd3\x4d\xb3\x3f%x%x%x%x%s")
%s dereferences the pointer, so you get the string form
printf("hello%n\n", (int *)&i); // write 5 to i
printf("\xd3\x4d\xb3\x3f%x%x%x%150x%n"); // write 150 to it
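The examples above all hinge on one fact: every directive in the format string is obeyed, and %n is the only one that writes. The C program below is an added example written for these notes (not from any linked source). It contains a small parser for printf directives (flags, width, precision, length modifier, conversion) that a reviewer or a log-scanning rule can use to flag untrusted text headed for a format argument, the legitimate %n byte-count from the notes' own "hello%n" line, and the hardened pattern of always passing untrusted text through a fixed "%s" format. Sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

typedef struct { int total; int reads; int writes; int malformed; } directive_stats;

/* Parses one conversion starting at the '%' in p: flags, width, precision, length modifier, then the
   conversion character. Returns that character (0 if the string ends first) and sets *end past it. */
static char parse_directive(const char *p, const char **end) {
    p++;                                                       /* skip '%' */
    while (*p && strchr("-+ #0", *p)) p++;                     /* flags */
    while (*p == '*' || (*p >= '0' && *p <= '9')) p++;         /* width */
    if (*p == '.') { p++; while (*p == '*' || (*p >= '0' && *p <= '9')) p++; }  /* precision */
    while (*p && strchr("hlLqjzt", *p)) p++;                   /* length modifiers */
    *end = *p ? p + 1 : p;
    return *p;
}

/* Scans untrusted text for conversion directives. "%%" is a literal percent sign and is skipped.
   Anything that reads an argument (%x, %s, %p ...) counts as a read; %n is the one directive that writes. */
directive_stats scan_format_directives(const char *s) {
    directive_stats st = {0, 0, 0, 0};
    const char *p = s;
    while (*p) {
        if (*p != '%') { p++; continue; }
        if (p[1] == '%') { p += 2; continue; }
        const char *end;
        char conv = parse_directive(p, &end);
        st.total++;
        if (conv == 'n') st.writes++;
        else if (conv == 0) st.malformed++;
        else st.reads++;
        p = end;
    }
    return st;
}

/* Input-validation view: 1 if the text would do anything at all when used as a format string */
int input_is_suspicious(const char *untrusted) {
    return scan_format_directives(untrusted).total > 0;
}

/* Hardened pattern: untrusted text is an argument to a fixed format, never the format itself.
   (The vulnerable form is printf(untrusted): with no fixed format every '%' in the input is obeyed.) */
int render_untrusted(char *out, size_t cap, const char *untrusted) {
    return snprintf(out, cap, "%s", untrusted);
}

/* 1 if rendering reproduces the input byte for byte, i.e. no directive in it was interpreted */
int renders_verbatim(const char *untrusted) {
    char out[256];
    render_untrusted(out, sizeof out, untrusted);
    return strcmp(out, untrusted) == 0;
}

/* Legitimate %n, the notes' own example: it stores how many bytes were emitted before it */
int bytes_before_n(void) {
    char out[32];
    int i = -1;
    snprintf(out, sizeof out, "hello%n\n", &i);
    return i;
}

int main(void) {
    const char *sample = "AAAA%x%x%x%150x%n";   /* constructed: the shape of the notes' write example */
    directive_stats st = scan_format_directives(sample);
    printf("%s: %d directives, %d reads, %d writes\n", sample, st.total, st.reads, st.writes);
    printf("\"%%x%%n\" rendered through \"%%s\" is verbatim: %d\n", renders_verbatim("%x%n"));
    printf("bytes before %%n in \"hello%%n\": %d\n", bytes_before_n());
    return 0;
}
```

Compilers flag the vulnerable pattern too: gcc's -Wformat-security warns on printf calls whose format is not a literal and has no arguments, which is the same signal the scanner looks for at runtime.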
# Sources
https://www.youtube.com/watch?v=MBz5C9Wa6KM
https://www.youtube.com/watch?v=XuzuFUGuQv0
https://www.youtube.com/watch?v=t1LH9D5cuK4
https://www.youtube.com/watch?v=fRgNtGXDMlY
https://www.youtube.com/watch?v=0WvrSfcdq1I
Large OOP (Modules, Shared Objects, Libraries, Frameworks, Engines)
Pointer points to an object of an incompatible type.
think can't concatenate str with int on crack.
"intended referent":"what data type is it meant to be?"
# Sources
TODO
PHP
# Sources
https://www.youtube.com/watch?v=_Zj0B4D4TYc
TODO
# Sources
https://www.youtube.com/watch?v=v78bAn1-vqA
TODO
# Sources
https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/