Talk is meant to be an overview of various security flaws you find in software and how to exploit them in a Capture The Flag context. Meant to cover each vulnerablity class quickly to get the general idea of what they are looking for.
I'd like to accompany this with some exploit dev examples.
This is meant to be the precursor for running our own Capture the Flag.
Probably at least 2 lectures worth of material here.
Quite Linux focused. Most of the techniques work on Windows but you have to consider how they structure things.
Should add some BSD based resources.
A lot of people think this stuff needs crazy tools, but in reality we are basically using debuggers and python scripts.
GDB is the standard debugger most Linux users end up using. You'll want to install the plugin GEF.
Allows you to track what syscalls a program is making.
Allows you to find ASCII text in binaries.
Part of the GNU binutils.
Awesome Python framework for developing exploits.
Exploit framework written in Ruby, known for providing public exploits in a nice usable tool for pentesters.
When writing memory corruption exploits, you often need to get a ROP chain going. I found these tools pretty good for that.
Lets you check what exploitation mitigations are enabled on a binary, part of pwntools.
Probably one of the most important ideas. Too many people focus to much on the exact bug they have and can't see the bigger picture on how to use it. Taking your overflow and turning it into a arbitary write is the aim. You can often even turn arbitary writes into memory leaks by just removing the null byte off the end of a C string and then triggering a read of this string.
Commonly misunderstood. People tend to think that all bugs are alike, but in reality how reliablely you can exploit it without say triggering a crash varies. In use-after-frees, you are always relying on luck to get your object placed where the old one was. What seperates how reliable they can be is how much you know about how the heap allocations are done to get it appearing where you want (the size of the buffer you are allocating, how frequenctly, etc matter).
Userland just refers to normal procesesses running under standard accounts.
Kernelland is a higher privellenge level, often targeted locally to gain increase privs.
These are the architectures you will generally care about.
64 bit extentsion to x86.
Memory corruption is one of the more interesting and difficult areas of exploitation. You need to consider where you are corrupting memory and how.
You want to consider what interesting meta data is nearby. (For stack overflows, the base pointer and instruction pointer are the ones you generally care about)
Injecting and modifying existing SQL queries based on unsafe query construction.
Making the server request resources that it shouldn't.
Downloading files from the target can be often very useful, expecially as it can be used to leak secrets that can later be used to attack deserialization in certain languages (Ruby, Java, etc)
Generally PHP specific.
The best bug you can find. These are 100% reliable remotes.
In general, look for Cryptography where they aren't using a MAC (Message Authetication Code). You'll be able to preform active attacks, which are the more interesting ones.
... Ideas Here ...
CTurt's BSD Kernel uninitalized mem leaks are good examples.
- http://phrack.org/
- http://www.uninformed.org/
- https://www.bottomupcs.com/
- https://lwn.net/
- https://www.corelan.be/
- https://fail0verflow.com/blog/
- http://pwnable.kr/
- https://ropemporium.com/
- http://overthewire.org/wargames/
- http://smashthestack.org/
- https://cryptopals.com/