04.ExploitDev_107.pdf
Exploit Development 107
W. Owen Redwood, Ph.D.
Offensive Computer Security 2.0
www.hackallthethings.com
Modern Binary Exploitation Challenges
● Advanced Exploitation Topics
  ○ Format Strings
  ○ Heap Spray
● Clang
  ○ Recent Adoption
  ○ Clang stack vs GCC stack
  ○ How it affects exploitation
  ○ Exploiting the clang stack
● Exploit Mitigation Suites
  ○ EMET
    ■ EMET bypassing
  ○ GRSEC / PAX / KERNHEAP
Advanced Format String Exploitation
● %6$s addresses the 6th parameter of the format string function.
● Depending on the number of args (n) passed to the format string function (e.g. printf()), after addressing n parameters, the first value from the buffer is read as a pointer.
  ○ %5$s… %6$s… %7$s… etc
● Determining the number of params for a format string vuln:
  ○ Use a known sled (AAAAAAAAAA%p%p%p%p%p… %p%p%p%p)
  ○ N = number of pointers printed before a %p returns the sled bytes themselves
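The slide's two points, positional `%N$` directives and untrusted input used as a format string, as an added C example that is not part of the original slides. `positional_demo` shows that `%N$` selects the N-th argument with an ordinary constant format string; `echo_vulnerable` is the bug pattern beside its hardened form `echo_safe`; `scan_format_directives` and `looks_like_format_attack` are a small input-validation / log-inspection helper (my own, hypothetical names) that recognises the `%p` probing sled and the `%n` / `%N$` directives described above so they can be logged or rejected before they reach a vulnerable call.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Positional directives: %N$ selects the N-th variadic argument regardless of
 * where the directive sits in the string, which is why "%6$s" on the slide reads
 * the 6th parameter. With a constant format string this is normal, safe printf
 * behaviour; the output here is "c-a-b". */
int positional_demo(char *out, size_t len)
{
    return snprintf(out, len, "%3$s-%1$s-%2$s", "a", "b", "c");
}

/* The bug the slide exploits: untrusted input IS the format string, so every
 * % directive in it is honoured (stack reads via %p/%x/%s, writes via %n). */
void echo_vulnerable(const char *user_input)
{
    printf(user_input);      /* gcc/clang flag this with -Wformat-security */
}

/* Hardened form: the format string is a constant; user input is only data. */
int echo_safe(char *out, size_t len, const char *user_input)
{
    return snprintf(out, len, "%s", user_input);
}

/* Hypothetical detection helper: tally the % conversions in untrusted input. */
typedef struct {
    int directives;     /* total conversions (a literal "%%" is not counted) */
    int pointer_reads;  /* %p / %x / %X, the sled used to find the parameter index */
    int writes;         /* %n */
    int positional;     /* %N$ */
} fmt_stats;

fmt_stats scan_format_directives(const char *s)
{
    fmt_stats st = {0, 0, 0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;            /* "%%": literal percent sign */
        if (*p == '\0') break;              /* trailing lone '%' */
        const char *q = p;
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') { st.positional++; p = q + 1; }
        while (*p && strchr("-+ #*0123456789.", *p)) p++;   /* flags, width, precision */
        while (*p && strchr("hlLqjzt", *p)) p++;             /* length modifiers */
        if (*p == '\0') break;
        st.directives++;
        if (*p == 'p' || *p == 'x' || *p == 'X') st.pointer_reads++;
        else if (*p == 'n') st.writes++;
    }
    return st;
}

/* Policy used for alerting: any %n or positional directive is hostile, and a
 * run of pointer reads is the "AAAA%p%p%p..." reconnaissance sled. */
int looks_like_format_attack(const char *s)
{
    fmt_stats st = scan_format_directives(s);
    return st.writes > 0 || st.positional > 0 || st.pointer_reads >= 4;
}

int main(void)
{
    char buf[32];
    positional_demo(buf, sizeof buf);
    printf("positional: %s\n", buf);
    const char *probe = "AAAAAAAAAA%p%p%p%p%p%p%p%p%p%p";   /* constructed sample input */
    printf("probe flagged: %d\n", looks_like_format_attack(probe));
    echo_safe(buf, sizeof buf, probe);
    printf("safe echo: %s\n", buf);
    return 0;
}
```

The detector is a second line of defence for logs and input filters, not a substitute for the fix: the only real fix is the constant format string in `echo_safe`, and a compiler option such as `-Wformat-security` (plus `-Werror=format-security`) catches the `printf(user_input)` pattern at build time.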
Heap Spray Tactics
Common addresses that are used in heap sprays:
0x0a040a04; 0x0a0a0a0a; 0x0b0b0b0b; 0x0c0c0c0c; 0x0d0d0d0d; 0x0e0e0e0e;
0x04040404; 0x05050505; 0x06060606; 0x07070707; 0x08080808; 0x09090909;
0x20202020; 0x14141414;
These are all mitigated by EMET 5.1+ Heap Spray Protection
● It simply pre-allocates dummy blocks at these addresses so they can’t be used in a heap spray.
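The EMET mechanism on the slide, pre-allocating the well-known spray addresses so an attacker's sled can never occupy them, as an added example that is not part of the slides and not EMET's own code. EMET does this inside Windows processes; this port assumes Linux and claims one inaccessible (`PROT_NONE`) page over each listed address with `mmap(MAP_FIXED_NOREPLACE)`, so a later allocation cannot land there. `reserve_spray_targets` and `spray_address_blocked` are my own names. The address table is the slide's list.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Fallbacks for older or strict headers; these are the Linux x86 values. */
#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20
#endif

/* The spray addresses from the slide that EMET 5.1+ pre-allocates. */
static const uintptr_t spray_targets[] = {
    0x0a040a04, 0x0a0a0a0a, 0x0b0b0b0b, 0x0c0c0c0c, 0x0d0d0d0d, 0x0e0e0e0e,
    0x04040404, 0x05050505, 0x06060606, 0x07070707, 0x08080808, 0x09090909,
    0x20202020, 0x14141414,
};
#define N_TARGETS (sizeof spray_targets / sizeof spray_targets[0])

static int reserved[N_TARGETS];   /* 1 where we own the page over that target */

static uintptr_t page_of(uintptr_t addr)
{
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    return addr & ~(pg - 1);
}

int spray_target_count(void) { return (int)N_TARGETS; }

/* EMET-style pre-allocation: map a dummy, inaccessible page over each target.
 * MAP_FIXED_NOREPLACE refuses to clobber an existing mapping (EEXIST); on a
 * kernel that ignores the flag mmap treats the address as a hint, so we verify
 * we really got the page we asked for and release anything else. Returns the
 * number of pages newly claimed by this call. */
int reserve_spray_targets(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int claimed = 0;
    for (size_t i = 0; i < N_TARGETS; i++) {
        if (reserved[i]) continue;
        void *want = (void *)page_of(spray_targets[i]);
        void *got = mmap(want, pg, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
        if (got == want) {
            reserved[i] = 1;
            claimed++;
        } else if (got != MAP_FAILED) {
            munmap(got, pg);   /* hint not honoured: do not leave a stray mapping */
        }
    }
    return claimed;
}

/* Would spray data aimed at this address be blocked by the dummy pages? */
int spray_address_blocked(uintptr_t addr)
{
    for (size_t i = 0; i < N_TARGETS; i++)
        if (reserved[i] && page_of(addr) == page_of(spray_targets[i]))
            return 1;
    return 0;
}

int main(void)
{
    int n = reserve_spray_targets();
    printf("claimed %d of %d spray target pages\n", n, spray_target_count());
    for (size_t i = 0; i < N_TARGETS; i++)
        printf("  0x%08lx %s\n", (unsigned long)spray_targets[i],
               reserved[i] ? "blocked" : "not claimed (already in use)");
    return 0;
}
```

Run it early in process start-up, before the heap has grown into those regions; a target that is already mapped when the reservation runs is reported as not claimed, which is the same race EMET avoids by allocating at process initialisation. A real deployment would also cover the addresses' neighbouring pages, since a spray only needs the sled to be somewhere near the guessed pointer.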
CLANG
http://clang.llvm.org/
Clang is a C, C++, Objective C, and Objective C++ front end compiler for the LLVM compiler platform.
Features:
● Faster compiles with lower memory use
  ○ (but slower code performance in some cases…)
● Better diagnostics
● More Security “features”
  ○ ASAN!
Recent Adoption by *nix Distros:
● Ubuntu, Xubuntu, etc
● Redhat
● BSD