Reverse Engineering and Binary Exploitation Series

This is a series of articles on Reverse Engineering and Binary Exploitation. The first few articles will help you reverse engineer small programs using gdb, objdump, readelf. Most of the articles focus on Binary Exploitation. As of now, I have written about the famous Buffer Overflow vulnerability, different methods to exp loit like Traditional shellcode Injection, Return-To-Libc, Return Oriented Programming in detail with hands-on examples. I will be discussing different vulnerabil ities like Format String vulnerability, problems with GOT and PLT(dynamic linking). I also plan to discuss how presence of more than one vulnerability can help us rip apart the Operating System’s security measures with the help of these exploits.

Though these are old vulnerabilities, they are still found in embedded systems(outdated kernels), even if firmware updated, the security feature is kept off for g od knows what reason. There are lot of such possibilities. Many routers lack basic security measures like ASLR, DEP, RELRO which can make them too vulnerable to e xploits we discuss.

This is the offensive side of security, damn exciting isn’t it?!

Happy pwning!

1. Internals of Compiling - Journey from C/C++ program to an Executable : This post discusses the beautiful journey of how a C/C++ program we write is converted into an executable which we can run. It discusses different stages of the conversion process like preprocessing, compiling, assembling, linking in good detail.

2. What does an Executable contain? - Internal Structure of an ELF Executable - Part1 : This post explores the Executable and Linkable Format(ELF) by dissecting with the help of man-pages and writing a tool like readelf to understand the contents of an ELF file.

3. Introduction to x86 Assembly Programming : This post introduces x86 assembly language. It starts with Von-Neumann architecture and links it with the type of instructions needed to use a system. This by no means is a proper text book for assembly programming, but can act as a good primer.

4. Memory Layout of a Process : This post discusses how the memory layout of a process looks like. When you run a program(a dead file), it comes live when it is loaded onto the main memory and it run. This shows the main memory of a process, it’s structure, what are the different segments it has.

5. Program Execution Internals - Part1 : This post discusses how a C-language constructs like if, for, while, struct, pointers etc., are translated into assembly code. Along with this, it discusses what a StackFrame is, how are local variables stored and more. This can be used a simple tutorial for gdb.

6. Program Execution Internals - Part2 : This post discusses really interesting concepts like Function Calling mechanisms in 32-bit and 64-bit programs. How is a function called by another function, how are arguments passed to the function being called(at assembly level), what are the differences between mechanisms used in 32-bit and 64-bit and more.

   NOTE: The above posts have covered the required concepts to get into binary exploitation. The next few posts are on Buffer Overflow Vulnerability, Control Flow Hijacking, different exploit methods like shellcode injection, Ret2Libc, Return Oriented Programming, Defense mechanisms used by the OS to protect itself, methods to break those mechanisms etc.,

7. Buffer Overflow Vulnerability - Part1 : This post starts by discussing what a Vulnerability is, what an exploit is. It then takes examples to demonstrate and discuss the awesome Buffer Overflow Vulnerability. It ends by showing how the program SegFaults for certain crafted inputs.

8. Buffer Overflow Vulnerability - Part2 : Starts by discussing the amazing concept of Control Flow Hijacking. It takes a simple example and demonstrates Control Flow Hijacking.

9. Exploitation using Code Injection - Part1 : This post discusses the legendary concept of shellcode, what it is, what it is capable of doing. It takes a detour to explain system calls, a super important operating system mechanism to know to understand and write better shellcode. It takes various examples and discusses how to write shellcode. It ends with discussing shellcode is written for exit() system call.

10. Exploitation using Code Injection - Part2 : This is a level up from previous post. This post discusses what execve() system call is, how to use it, how powerful it is. It presents a systematic method to write shellcode. It discusses the complete process of writing standard no-null byte execve shellcode. It ends with discussing the essence of writing no-null byte shellcode, what is reliable shellcode is, how the length of shellcode might affect the whole exploit.

11. Exploitation using Code Injection - Part3 : I didn’t want to stop just with standard shellcode. So, wrote this post. This is a detailed tutorial to write No-NULL byte Reverse TCP Shellcode in a systematic manner. It starts with discussing the system calls used for a network connection to happen, demonstrates the system calls with C program and then get into writing shellcode. It generates a 89-byte No-NULL byte Reverse-TCP Shellcode.

12. Buffer Overflow Vulnerability - Part3 : The last 3 articles were about writing effective shellcode, different types of shellcode. In this post, the Buffer Overflow Vulnerability is exploited using the Shellcode Injection exploit method. It demonstrates 2 things. One is how dangerous it is have a BOF and other is how even more dangerous and effective shellcode injection exploit method is.

13. How does the Operating System defend itself? : This post discusses 3 most famous and effective security measures that is administered in an Operating System - Stack Canaries, Write XOR Execute and Address Space Layout Randomization(ASLR). It discusses each security technique, it’s functionality, what does it protect the OS against and against what it doesn’t.

14. Bypassing Write XOR Execute! - Ret2Libc - Part1 : This post discusses one of the best exploit techniques used to bypass W^X - the Return-To-Libc technique. It discusses the complete process of building a Return-To-Libc exploit. At the end of this post, you would have learnt an amazing technique to bypass W^X and get a shell!

15. Defeating Write XOR Execute! - Ret2Libc - Part2 : This post demonstrates the power of Return-To-Libc exploit technique. It helps you build an exploit which not only bypass but defeat W^X. You see bypassing and defeating are two different things and you have more power over something when you confront it and defeat it. And that is what is demonstrated in this post.

16. Return Oriented Programming - Part1 : This post introduces the legendary and handsdown one of the best exploit techniques I have ever played around with, the Return Oriented Programming(ROP). It aims to defeat W^X. It is a paradigm shift I must say. It discusses what ROP is, why it is designed the way it is designed, why is it amazingly wierd but super powerful!

17. Return Oriented Programming - Part2 : This post gives a practical angle to ROP. 2 vulnerable executables are taken and the concept of ROP is discussed by building ROP exploits and by exploiting them. It also gives an insight into how important system calls are while developing effective exploits and how they can be used to achieve the unthinkable.

18. Return Oriented Programming - Part3 : I have not written it yet.

19. Sigreturn Oriented Programming - An Introduction: An introduction to SROP - an amazing exploit technique. It explores the basic concept of signals, how signals work internally, looking at relevant data structures like rt_sigframe, ucontext, sigcontext. Then it goes on to confirm the vulnerability described in the paper. Finally, we write simple exploits to get a flavor of SROP.

20. Sigreturn Oriented Programming - Writing Exploits: Yet to be written. This part is intended to cover Section 6 of the paper - which describes a technique to use pure SROP to execute any system call we want. This will be covering the crux of the paper.

The next few posts will be about Loading, Dynamic Linking, how exactly does program execution happen etc., Understanding these concepts will help us delve into a new class of vulnerabilities.

1. Understanding the Loader - Part1 - How does an executable get loaded to memory?: A program is just a dead piece of software lying in your hard-drive. But, when you do ./a.out, an instance of the program(a process) is spawned and the program comes alive. The program, necessary libraries are loaded onto main memory. But how does this loading exactly happen? The program might need libraries, how are they loaded? This post will answer all these questions.