|
| 1 | +# Exploiting BOF Vulnerability |
| 2 | + |
| 3 | +An exploit is a **piece** of software or a sequence of commands designed to take **advantage** of a **vulnerability** in a system, application, or software component. The goal of an exploit is to **trigger** **unintended** behavior or gain **unauthorized** access to a computer system, network, or application. Exploits are used by security **researchers**, penetration testers, and hackers to **identify** and **demonstrate** vulnerabilities and **weaknesses** in software and systems. |
| 4 | + |
| 5 | +### Related Terms |
| 6 | + |
| 7 | +--- |
| 8 | + |
| 9 | +#### Vulnerability |
| 10 | + |
| 11 | +A vulnerability is a **weakness** in a software application, system, or configuration that can be **exploited** to **compromise** the integrity, availability, or confidentiality of the system. Vulnerabilities can include buffer overflows, SQL injection, cross-site scripting (XSS), and more. |
| 12 | + |
| 13 | +#### Exploit Payload |
| 14 | + |
| 15 | +The payload is the **portion** of the exploit that contains the **code** to be **executed** once the **vulnerability** is **exploited**. Payloads can range from simple actions like **displaying** a message to executing arbitrary **commands**, spawning a remote **shell**, or gaining administrative **privileges**. |
| 16 | + |
| 17 | +#### Exploitation |
| 18 | + |
| 19 | +The process of exploitation involves crafting a payload that takes **advantage** of a **specific** vulnerability. This often involves **manipulating** memory, input data, or system behavior to cause the **desired** outcome. |
| 20 | + |
| 21 | +#### Zero-Day Exploit |
| 22 | + |
| 23 | +A zero-day exploit **targets** a vulnerability that is not **publicly** known or patched by the software vendor. These exploits can be **highly** **valuable** to attackers, as **defenders** haven't had a chance to **address** the vulnerability. |
| 24 | + |
| 25 | +#### Ethical Hacking |
| 26 | + |
| 27 | +Ethical hackers and penetration testers use exploits to **identify** security **weaknesses** in systems and applications. They follow ethical guidelines and work within **legal** **boundaries** to help organizations improve their **security** posture. |
| 28 | + |
| 29 | +#### Black Hat and Malicious Use |
| 30 | + |
| 31 | +Black hat hackers, also known as **malicious** **hackers**, use exploits for **unauthorized** and often **illegal** activities. Their motives might include financial gain, data theft, or causing **disruption**. |
| 32 | + |
| 33 | +#### Mitigation |
| 34 | + |
| 35 | +Organizations deploy **security** measures to mitigate the **risk** of exploitation. These measures include patching vulnerabilities, implementing intrusion detection systems, firewalls, and applying security best **practices**. |
| 36 | + |
| 37 | +### Exploiting Vulnerability |
| 38 | + |
| 39 | +--- |
| 40 | + |
| 41 | +#### Part I |
| 42 | + |
| 43 | +Find and understand the vulnerability in the program |
| 44 | +Give it an input string such that the control of flow move to some |
| 45 | +piece of code of our choice within the code section. |
| 46 | + |
| 47 | + |
| 48 | + |
| 49 | +#### Part II |
| 50 | + |
| 51 | +- Write / Get the shellcode |
| 52 | +- Craft the input string such that the control of flow shifts to your |
| 53 | +shellcode residing on the stack. |
| 54 | +- Inject the shellcode by giving this input string to the vulnerable program. |
| 55 | +- Test it inside the debugger. |
| 56 | +- Test it outside the debugger. |
| 57 | + |
| 58 | + |
| 59 | + |
| 60 | + |
| 61 | +### Code Integrity Protection |
| 62 | + |
| 63 | +--- |
| 64 | + |
| 65 | +By default **protections** by **OS** |
| 66 | + |
| 67 | +- The code integrity property is ensured by making the process |
| 68 | +**stack, heap, and data** sections as **non**-**executable** and the text |
| 69 | +section as **non**-**writable**, which is the default settings in most |
| 70 | +modern operating systems. |
| 71 | +- To make the stack **executable** we can set the **NX** (Non- |
| 72 | +Executable) bit in x86. A programmer can set this bit during |
| 73 | +linking phase by giving the **-z noexecstack** option to gcc. |
| 74 | +- The text section is also by default non-writable, and this is also |
| 75 | +enforced by **memory** access **permissions** using **virtual** memory (in |
| 76 | +the page table). |
| 77 | + |
| 78 | +### Bypassing Code Integrity Protection |
| 79 | + |
| 80 | +--- |
| 81 | + |
| 82 | +- You can bypass Code Integrity Protection by using a class of |
| 83 | +attacks known as **return-to-libc**, in which you **divert** the |
| 84 | +control flow to C library function **system**() with the /bin/sh |
| 85 | +**parameter**. The fact that the vast **majority** of programs are linked |
| 86 | +with the C library makes this pretty easy. This technique of |
| 87 | +attacks is also known as **Return-Oriented-Programming (ROP)**, in |
| 88 | +which you reuse existing code in the program, the attacker may |
| 89 | +reuse small pieces of program code called “**gadgets**” to execute |
| 90 | +**arbitrary** **(turing-complete)** operations. |
| 91 | +- You can bypass Code Integrity Protection by making the stack |
| 92 | +executable at run-time, e.g., by calling **mprotect**(), which is |
| 93 | +used to change the access protections for the **calling process's** |
| 94 | +memory page containing the **stack**. |
| 95 | + |
| 96 | +### Address Space Layout Randomization (ASLR) |
| 97 | + |
| 98 | +--- |
| 99 | + |
| 100 | +ASLR **randomizes** the address of stack, heap and hared library sections in a |
| 101 | +process address space. Every time a program executes it is given different |
| 102 | +addresses, thus preventing an attacker from reliably jumping to an **exploited** |
| 103 | +function in memory. |
| 104 | + |
| 105 | +- Linux allows 3 options for its ASLR implementation that can be configured |
| 106 | +in **/proc/sys/kernel/randomize_va_space** file. Writing 0, 1, or |
| 107 | +2 to this will results in the following behaviors |
| 108 | + - 0: deactivated |
| 109 | + - 1: random stack, vdso, libraries; data is after code section |
| 110 | + - 2: random data too |
| 111 | + - The stack is easily **randomizable**, as all stack addresses are relative to rsp or rbp. Similarly data section can also be randomized, if address of data segment is set to a random value. |
| 112 | + |
| 113 | +- The Code can only be **randomized** by compiling the program as Position |
| 114 | +**Independent** Code/Position Independent Executable. This is the default for |
| 115 | +shared libraries, but otherwise executable code is usually placed at **fixed** |
| 116 | +addresses. |
| 117 | + |
| 118 | +*Note that **randomization** occurs at **load-time**, which means that the **segment** addresses do not change while the **process** is running.* |
| 119 | + |
| 120 | +### Bypassing - Address Space Layout Randomization |
| 121 | + |
| 122 | +--- |
| 123 | + |
| 124 | +- **Bruteforce**. If the attacker is able to inject payloads **multiple** times without |
| 125 | +crashing the application, they can **bruteforce** the address they are interested |
| 126 | +in (e.g., a target in libc). Otherwise, they can just run the **exploit** multiple |
| 127 | +times until they guess the **correct** target. |
| 128 | +- **NOP sled**. In the case of shellcodes, a longer NOP sled will maximize the |
| 129 | +chances of **jumping** inside it and eventually reaching the **exploit** code even if |
| 130 | +the stack address is **randomized**. |
| 131 | +- **Restrict entropy**. There are various ways of **reducing** the entropy of the |
| 132 | +**randomized** address. For example, the attacker can decrease the **initial** stack |
| 133 | +size by setting a huge amount of dummy **environment** variables. |
| 134 | +- **Information leak**. The most effective way of bypassing **ASLR** is by using |
| 135 | +an information leak **vulnerability** that exposes a **randomized** address, or at |
| 136 | +least parts of it. The attacker can also dump parts of libraries (e.g., libc) if |
| 137 | +they are able to create an exploit that reads them. This is useful in remote |
| 138 | +attacks to infer the version of the library, downloading it from the web, and |
| 139 | +thus knowing the right GOT offsets for other functions (not originally linked |
| 140 | +with the binary). |
| 141 | + |
| 142 | +### Stack Protection (Canaries) |
| 143 | + |
| 144 | +--- |
| 145 | + |
| 146 | +- A stack **canary** is a known value or word that is placed just below the **return** |
| 147 | +address on the **stack** to monitor buffer overflow. A copy of this word is |
| 148 | +saved some where else as well. When the hacker overwrites the return |
| 149 | +address using a buffer overflow the **canary** will also be **overwritten**. When a |
| 150 | +function calls return this canary value is **compared** with a a **saved** else where copy and a **mismatch** indicates that the **stack** is over wirtten. To disable this security option we can compile the program using **-fno-stack-protector** option to **gcc**. |
| 151 | +- Stack canaries only **protect** against buffer overflows. **Arbitrary** memory |
| 152 | +writes (e.g. to offsets that can be controlled by the attacker) may be **crafted** |
| 153 | +so that they do not touch the canary value. **Guessing** the canary value, e.g. |
| 154 | +through an **information leak or through brute force**, is **possible** and will |
| 155 | +bypass the attack. Search out more options that can be used to override |
| 156 | +this protection mechanism. |
| 157 | + |
| 158 | + |
| 159 | + |
| 160 | +### Links |
| 161 | + |
| 162 | +- [Defenses BOF](https://cseweb.ucsd.edu/classes/wi22/cse127-a/scribenotes/3-bufferoverflowdefenses-notes.pdf) |
| 163 | +- [Stack Canary](https://edk2-docs.gitbook.io/a-tour-beyond-bios-mitigate-buffer-overflow-in-ue/stack_canaries) |
0 commit comments