Exploit Development

112-CCTC31

Terminal Learning Objectives/Learning Domains

Action:
Explain how exploit development may result from, or be a part of, the reverse engineering process
Condition:
In a training environment, with appropriate graphical training aids, various learning constructs, and peer and instructor feedback
Standard:
Students will be able to explain the Exploit Development methodology

Learning Domains/Level of Learning:

Congnitive:
Knowledge, Comprehension
Affective:
Receiving, Responding, Valuing

Army General Learning Outcomes:
7,8,14

Safety Requirements:
No major considerations
Risk Assessment Level:
LOW
Environmental Considerations:
NONE
Evaluation:
Check on learning questions

Rationale

Exploit development is a potential phase or outcome of reverse engineering. When performing exploit development, a cyber actor actively digs into a target object with the aim of understanding how it works better than its creators. As the cyber actor gains more understanding of the object, they may find unintended functionality or vulnerabilities that the creators did not mitigate. These unknown vulnerabilities are particularly dangerous as they can be actively exploited by attackers. Alternatively, they can be mitigated by defenders if found before attackers exploit them.

Buffer Overflow Common Terms

Heap

Memory that can be allocated and deallocated

Stack

A contiguous section of memory used for passing arguments

Registers

Storage elements as close as possible to the central processing unit (CPU)

Instruction Pointer (IP)

a.k.a Program Counter (PC), contains the address of next instruction to be executed

Stack Pointer (SP)

Contains the address of the next available space on the stack

Base Pointer (BP)

The base of the stack

Function

Code that is separate from the main program that is often used to replace code the repeats in order to make the program smaller and more efficient

Shellcode

The code that is executed once an exploit successfully takes advantage of a vulnerability

Buffer Overflow Common Terms

+---------------------+
|       Stack         |  <-- grows downward
|   NOP sled          |  <-- NOP instructions padding
|   Shellcode         |  <-- Shellcode
| - Return addresses  |
+---------------------+
|   Free Memory       |
+---------------------+
|       Heap          |  <-- grows upward
+---------------------+

Binary Exploitation

Heap Overflow:

  • Is a type of bufferflow that occurs in the heap region a programs memory

Buffer Overflow:

  • Is a software vulnerability that occurs when a program writes more data to a fixed memory buffer than it is allocated to hold.

Buffer Overflow Defenses

  • Non executable (NX) stack

  • Address Space Layout Randomization (ASLR)

  • Data Execution Prevention (DEP)

  • Stack Canaries

  • Position Independent Executable (PIE)

Technical Help

Utilizing tools such as:

  • IDA, GHIDRA

  • GDB, MONA, IMMUNITY

  • BASH, PYTHON

GDB Uses

Installation of Peda Plugin
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
Common Commands
disass <FUNCTION>   #   Disassemble portion of the program
info <...>  #   Supply info for specific stack areas
x/256c $<REGISTER>  #   Read characters from specific register
break <address>  #   Establish a break point

Determine Vulnerable Code

What are functions?

How can a function be vulnerable?

C Code Example:

gets() -> fgets()
strcpy() -> strncpy()
strcat() -> strncat()
sprintf() -> snprintf()

Questions?