Tweet
Exploit Development for Beginners
Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits incuding buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.
After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.
We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and learn how to defeat them, including ASLR, DEP, stack cookies, and SEHOP.
Previous experience with C and assembly language is helpful but not required. Participants will need a laptop that can run VMware or VirtualBox virtual machines.
All materials and challenges are freely available at https://samsclass.info, and will remain available after the workshop ends.
Sam Bowne is an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at Defcon, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a CISSP and a PhD and is a DEF CON Black Badge co-winner.
Elizabeth Biddlecome is a consultant and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.
Detailed Outline:
The workshop is structured as a series of challenges, with a live CTF-style scoreboard. We will demonstrate and explain each challenge, and then help particpants through them. Each challenge has an easy portion with complete instructions, so beginners can succeed, and harder tasks to challenge advanced participants.
All materials, including the running CTF scoreboard, are in the public domain and will remain available after the workshop for the participants to use.
Topics:
I: Why are exploits possible?
A: The fundamental problem
1. Data and code use the same bytes
2. Code is processed by distinct modules
3. A module passes data on to another modules, losing context
4. Developers make inaccurate assumptions about data structure
5. Attackers send input which is accepted as data, but misunderstood by later modules and executed as code
B: Command Injection
1. User input used to construct a command line
2. Router network test pages
3. Injecting bash commands with a semicolon
4. Injecting PowerShell commands on a vulnerable Windows web server form
5. ImageMagick exploitation with injected commands in a crafted malicious image
6. Exploiting Kubernetes severs with a malicious Web request including injected commands
C: SQL Injection
1. User input included in a SQL command
2. PHP operating correctly sends the command to a SQL server
3. The SQL server operates correctly and executes the command
4. Crafted code steals data
5. Uploading a PHP shell to gain unlimited remote code execution
D: How programs use memory
1. Memory segments: text, stack, and heap
2. Registers
3. The Jasmin x86 emulator
4. Writing simple assembly code and stepping through it
E: Compiling C code on Linux
1. Using gcc to compile programs
2. Using objdump and gcc to examine the compiled code
3. Recognizing C constructs in assembly: loops, branches, library calls, and function calls
4. Data storage: stack, heap, .data section, strings, and null terminators
5. Stack frames, function prologue and epilogue
F: Stack overflows on Linux
1. Buffer overflow to change EIP and redirect execution within a program
2. Using a debugger and breakpoints to understand the overflow
3. Injecting shellcode
4. Turning off stack protections for this portion of the course
5. Using a NOP sled
6. Creating shellcode with msfvenom
7. Types of shellcode: bind shell, reverse shell, metasploit
8. The complete process of exploit development:
a. Fuzzing to find a crash
b. Analyzing the crash in a debugger to find the root cause
c. Sending a nonrepeating pattern of characters to target the EIP
d. Testing all bytes to identify bad characters
e. Generating an encoded payload without bad characters
f. Sending a complete exploit against a target in a debugger
g. Adjusting the exploit to work outside the debugger
G: Heap overflows on Linux
1. Heap usage and structure: linked lists
2. malloc() and free()
3. Heap overflow overwriting forward and reverse pointers
4. free() crashes on an invalid write operation
5. Attacker gains control of a single write operation
6. Gaining code execution from a write: targeting the Procedure L:inkage Table (PLT)
H: Format string vulnerabilities
1. Reading from the stack: information disclosure
2. Writing with %n to cause denial of service
3. Writing to the PLT to gain code execution
I: Hacking Windows EXEs with Immunity
1. Running PuTTY in a debugger
2. Finding stored strings
3. Modifying code
4. Saving changes
5. Adding a new segment with LordPE
6. Adding Trojan code
J: Stack overflows on Windows
1. Complete exploit development process for "vulnerable server"
2. Exploiting "Easy RM to MP3 Converter"
K: Understanding Windows defenses
1. Compiling simple test cases with Visual C++ Build Tools
2. Viewing security cookie implementation in IDA Pro
3. Controlling Address Space Layout Randomization (ASLR)
4. Using Immunity to exploit a buffer overflow without ASLR
5. Viewing ASLR weaknesses: limited entropy and non-randomized segments
L: Overcoming Windows defenses
1. Return-Oriented Programming (ROP) and why it works: the .text section does not randomize
2. Using trampoline code to find the stack, defeating ASLR
3. Constructing ROP chains with Mona to make Windows API calls
4. Defeating Data Execution Prevention (DEP) with ROP chains
5. Finding unprotected modules with Mona
6. Using a heap spray to defeat ASLR
M: Exploiting the Structured Exception Handler (SEH) on Windows
1. How Windows processes exceptions
2. Finding an overflow that corrupts the SEH
3. Using a stack pivot to find injected code
4. Making a complete exploit with shellcode
5. Overcoming SEHOP protection
N: Exploiting 64-Bit Systems
1. 64-bit addressing: the swindle of 48 bits
2. 64-bit registers
3. Writing 64-bit assembly code
4. Exploiting a buffer overflow on a 64-bit system
O: Exploiting ARM Systems
1. ARM assembly code
2. The different role of registers
3. Using the Azeria Raspberry Pi emulator
4. Debugging on ARM
5. Exploiting a stack overflow on ARM
Learn how to take control of Windows and Linux servers running vulnerable software, in a hands-on CTF-style workshop. We begin with easy command injections and SQL injections, and proceed through binary exploits incuding buffer overflows on the stack and the heap, format string vulnerabilities, and race conditions.
After this workshop, you will understand how memory is used by software, and why computers are so easily tricked into executing bytes as code that entered the system as data.
We will exploit 32-bit and 64-bit Intel systems, and also ARM-based systems. We will examine modern Windows defenses in detail and learn how to defeat them, including ASLR, DEP, stack cookies, and SEHOP.
Previous experience with C and assembly language is helpful but not required. Participants will need a laptop that can run VMware or VirtualBox virtual machines.
All materials and challenges are freely available at https://samsclass.info, and will remain available after the workshop ends.
Sam Bowne is an instructor at City College San Francisco, and has been teaching hacking and security classes for ten years. He has presented talks and workshops at Defcon, HOPE, RSA, BSidesLV, BSidesSF, and many other conferences. He has a CISSP and a PhD and is a DEF CON Black Badge co-winner.
Elizabeth Biddlecome is a consultant and a part-time instructor at City College San Francisco, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.
Detailed Outline:
The workshop is structured as a series of challenges, with a live CTF-style scoreboard. We will demonstrate and explain each challenge, and then help particpants through them. Each challenge has an easy portion with complete instructions, so beginners can succeed, and harder tasks to challenge advanced participants.
All materials, including the running CTF scoreboard, are in the public domain and will remain available after the workshop for the participants to use.
Topics:
I: Why are exploits possible?
A: The fundamental problem
1. Data and code use the same bytes
2. Code is processed by distinct modules
3. A module passes data on to another modules, losing context
4. Developers make inaccurate assumptions about data structure
5. Attackers send input which is accepted as data, but misunderstood by later modules and executed as code
B: Command Injection
1. User input used to construct a command line
2. Router network test pages
3. Injecting bash commands with a semicolon
4. Injecting PowerShell commands on a vulnerable Windows web server form
5. ImageMagick exploitation with injected commands in a crafted malicious image
6. Exploiting Kubernetes severs with a malicious Web request including injected commands
C: SQL Injection
1. User input included in a SQL command
2. PHP operating correctly sends the command to a SQL server
3. The SQL server operates correctly and executes the command
4. Crafted code steals data
5. Uploading a PHP shell to gain unlimited remote code execution
D: How programs use memory
1. Memory segments: text, stack, and heap
2. Registers
3. The Jasmin x86 emulator
4. Writing simple assembly code and stepping through it
E: Compiling C code on Linux
1. Using gcc to compile programs
2. Using objdump and gcc to examine the compiled code
3. Recognizing C constructs in assembly: loops, branches, library calls, and function calls
4. Data storage: stack, heap, .data section, strings, and null terminators
5. Stack frames, function prologue and epilogue
F: Stack overflows on Linux
1. Buffer overflow to change EIP and redirect execution within a program
2. Using a debugger and breakpoints to understand the overflow
3. Injecting shellcode
4. Turning off stack protections for this portion of the course
5. Using a NOP sled
6. Creating shellcode with msfvenom
7. Types of shellcode: bind shell, reverse shell, metasploit
8. The complete process of exploit development:
a. Fuzzing to find a crash
b. Analyzing the crash in a debugger to find the root cause
c. Sending a nonrepeating pattern of characters to target the EIP
d. Testing all bytes to identify bad characters
e. Generating an encoded payload without bad characters
f. Sending a complete exploit against a target in a debugger
g. Adjusting the exploit to work outside the debugger
G: Heap overflows on Linux
1. Heap usage and structure: linked lists
2. malloc() and free()
3. Heap overflow overwriting forward and reverse pointers
4. free() crashes on an invalid write operation
5. Attacker gains control of a single write operation
6. Gaining code execution from a write: targeting the Procedure L:inkage Table (PLT)
H: Format string vulnerabilities
1. Reading from the stack: information disclosure
2. Writing with %n to cause denial of service
3. Writing to the PLT to gain code execution
I: Hacking Windows EXEs with Immunity
1. Running PuTTY in a debugger
2. Finding stored strings
3. Modifying code
4. Saving changes
5. Adding a new segment with LordPE
6. Adding Trojan code
J: Stack overflows on Windows
1. Complete exploit development process for "vulnerable server"
2. Exploiting "Easy RM to MP3 Converter"
K: Understanding Windows defenses
1. Compiling simple test cases with Visual C++ Build Tools
2. Viewing security cookie implementation in IDA Pro
3. Controlling Address Space Layout Randomization (ASLR)
4. Using Immunity to exploit a buffer overflow without ASLR
5. Viewing ASLR weaknesses: limited entropy and non-randomized segments
L: Overcoming Windows defenses
1. Return-Oriented Programming (ROP) and why it works: the .text section does not randomize
2. Using trampoline code to find the stack, defeating ASLR
3. Constructing ROP chains with Mona to make Windows API calls
4. Defeating Data Execution Prevention (DEP) with ROP chains
5. Finding unprotected modules with Mona
6. Using a heap spray to defeat ASLR
M: Exploiting the Structured Exception Handler (SEH) on Windows
1. How Windows processes exceptions
2. Finding an overflow that corrupts the SEH
3. Using a stack pivot to find injected code
4. Making a complete exploit with shellcode
5. Overcoming SEHOP protection
N: Exploiting 64-Bit Systems
1. 64-bit addressing: the swindle of 48 bits
2. 64-bit registers
3. Writing 64-bit assembly code
4. Exploiting a buffer overflow on a 64-bit system
O: Exploiting ARM Systems
1. ARM assembly code
2. The different role of registers
3. Using the Azeria Raspberry Pi emulator
4. Debugging on ARM
5. Exploiting a stack overflow on ARM
Comment