April 21, 2013
I have been working on courseware I am releasing for free on exploiting modern userland applications in Linux. I got far enough to pre-release the material for everyone who’s been asking. This requires foundational knowledge about stack overflows, format strings, borrowed code chunks (ROP/JOP/whatever-OP), etc. For example, it won’t talk about foundations of a stack overflow, but you should be able to write one or you’ll get lost immediately. The only real good guides I found on x64 exploitation either disabled ASLR or used hardcoded libc addresses (looking at you mov rdi,rsp person). I also got tired of trainings breeding people who, for example, think partial overwrites are only useful if your buffer’s at ESP (OSCE material). I call these the jmp esp crowd and we need to get rid of this template exploitation crowd and preach exploring binaries and our environment. Instead of just complaining about these issues, I wrote something I hope alleviates some issues.
1.) Modern Defenses
First, modern defenses are covered in detail I haven’t seen in talks or presentations. There are a lot of fun nuances you don’t hear about much. For example, did you know the linker dies on RELRO options and continues without warning on IA-64 platforms? No, we won’t use architecture-specific bypasses like that, it’s just fun to know. This will often get into code and provide in-depth understanding of the defenses as we run into them and need to work around them.
2.) Bypassing D_FORTIFY_SOURCE while writing first public exploit for Sudo format string (CVE-2012-0809)
Then, we will jump into bypassing format string protection mechanisms in glibc’s D_FORTIFY_SOURCE by chaining the nargs int overflow (CVE-2012-0864) to write the first public exploit, that I’m aware of, for the sudo_debug format string exploit (CVE-2012-0809). Many fun things are going to be covered here when working to get reliable exploitation.
3.) Modern memcpy() exploits in the x64 world
Finally, modern exploitation in x64 userland applications will be covered. This starts with an example fork server and we recompile with more security options as we bypass them. Remote exploitation will be covered (but samples will be bound to localhost for ease), so no odd local exploitation tricks are covered here. The protection mechanisms are added sequentially by the amount of applications using these protections on the most current unstable kernel (3.8.8) for x64 Fedora. The more applications that use the protection, the quicker we get to them. Having said that, we start with system-wide ASLR and NX (the default), break through stack canaries (actually exploiting through it), and then hop over partial RELRO. When finished, full RELRO and PIE will be covered.
4.) Misc Techniques
I wanted to share techniques that have been public forever, yet mostly ignored. LD_PRELOAD, vsyscall (kind of like pre-Windows 8 ke_user_shared_data style) tricks, and more are covered. Pay close attention for fun that lots of people seem to ignore, except the phrack/STS crowd.
This course is currently unfinished. All current Python exploit code and sample software is shared. Unfortunately, a full ROP chain in the small application is not yet finished. Most syscalls can be used given we arbitrarily control RAX and know static syscall instruction location(s), but generic RCE has not been finished due to the lack of a pointer to a controlled string longer than 8 bytes. You’ll understand when you get to the end. The current ROP chain is provided for you all to play with, as I will continue to do so in my spare time.
No, a lot of bypasses covered will not bypass PaX protection. I would like this to be used as ammunition as to why PaX is so incredibly important. Sorry Spender.
Courseware? As in training?
With the style and format, the plan is to finish this off and give free webcasts out to anyone who wants to follow along. I don’t believe that just because I’ve put months into something, immediately I should charge ridiculous money for it. So I’m giving mine out for free in hopes others might do the same. I will announce these free webcasts when the time comes.
Not that I can think of! The exploit code and sample server are available in this post. The presentation is in ODP format, so it would be best to not use Microsoft Office to view it or you’ll mess layouts up. If I get an overwhelming request for PPT format, I’ll rewrite it for you guys. Also, if anyone wants to contribute (make it look more professional, help me with content/the chain) or send me fan/hate mail (please know this is more for training rather than a PDF guide through examples), please send an email to email@example.com. If anyone would like the Fedora 16 VM I created for the Sudo exploit, please let me know and give me a decent spot to upload it to (6.0G).
Tyler Borland (TurboBorland)