This document provides an introduction to binary exploitation. It outlines the course, which will cover basic stack overflows, shellcode injection, and exploit mitigation technologies. It explains how buffer overflows can be used to overwrite the return address and change the flow of execution. By injecting shellcode into the buffer and overwriting the return address to point to it, arbitrary code can be executed to gain unauthorized access. Modern defenses like ASLR and NX are discussed, as well as future topics like return-oriented programming and format string vulnerabilities. The overall goal is to understand software exploitation and how to identify vulnerabilities in programs.

1. An Intro to
Binary Exploitation
Aswin M Guptha
@aswinmguptha

2. $whoami
●
BTech 2nd
year Undergraduate
●
Amrita University
●
Regular CTF Player
●
Team bi0s
●
Focus on Binary Exploitation, Web Exploitation

3. Aim
●
Give you a better understanding of mechanism of software
exploitation
●
Prepare you to identify the vulnerabilities in program
source codes
●
Help you understand HOW and WHY of exploit mitigation
technologies
●
We will cover a few key concepts deeply

4. Course Outline
●
Basic Stack overflows
●
Shell code injection
●
Other vulnerability scenarios
●
Recognizing vulnerability
●
Exploit mitigation technologies

5. Why?
●
Found by the late 90s
●
Still relevent?
●
2016 scenario
●
Your weakness, my strength

6. Lets get down to business

7. What is our Goal?
●
Arbitrary code execution
●
Example
●
Forcing binary to give root access over the internet!
●
Forcing a administrator privileged process to execute
normally

8. First Attempt,
But this worked in movies...

9. Real life
●
We don’t know the password, and really hard to guess it
too.
●
There is a function which gives shell.
●
What if we could change the flow of execution and execute
that function ?
means what???

10. Process Memory Organization
Content of an assembly file
● Executable section: TEXT
– The actual code that will
be executed
● Initialized data: DATA
– Global variables
● Uninitialized data: BSS
● Local variables

11. x86 Review
●
Function call
●
Returning after a function call
●
Instruction pointer
●
Stack

12. The Stack

13. The Stack

14. The Stack
…....
10. push j
11. push i
12. call add
13. add esp, 0x8
……
20. add:
21. mov eax, [esp+0x4]
22. mov ebx, [esp+0x8]
23. add eax, ebx
24. ret
Memory
0XDEADBEEF

15. Buffer Overflow

16. Buffer Overflow
#include<stdio.h>
int main(){
char buffer[16];
int var;
}
buffer var sfp ret
Bottomofmemory
Topofstack
Bottomofstack
Topofmemory
16 4 4 4

17. Buffer Overflow
Lets do some challenges
●
#1 overwrite
●
#2 validate

18. Buffer Overflow
void function(char *str){
char buffer[16];
strcpy(buffer, str);
}
int main(){
char large_string[256];
int i;
for (i = 0; i < 255; i++){
large_string[i] = ‘A’;
}
function(large_string);
}

19. Buffer Overflow
AAAAAAAAAAAAAAAA AAAA
AAAA
AAAA
AAAA
AAAAAAAAAAAA
Buffer sfp ret *str
416 4 4
● The return address is overwritten with ‘AAAA’ (0x41414141)
● Thus the function exits and goes to execute the instruction
at 0x41414141
● This results in a SegFault.
So what???
Bottomofmemory
Topofstack
Bottomofstack
Topofmemory

20. Buffer Overflow
●
We have seen how to crash our own program by
overwriting the return address of a function.
●
What if we could overwrite the return address with valid
address ?
Lets start walking from where we stopped!!!

21. Buffer Overflow
●
Is anyone mad enough to put a function which give
shell so easily ?
●
So what is the use of this ?
●
There come the shellcode injection

22. Shellcode

23. Shellcode
●
List of crafted instructions
●
Executed once the code is injected to a running
application.

24. Shellcode
Properties of a shell code?
– Should be small enough to fit in the buffer
– Shouldn’t contain any null charecters
– Shouldn’t refer to data section

25. Shellcode
Whats next?
– Okay, we know what is a shell code, now what?
●
Put a shell code into buffer
●
Fill the rest of buffer with junk
●
Overwrite saved eip to point to buffer

26. Shellcode
Ready, Set, Go

27. The battle continues...
●
RET2LIBC
●
ROP
●
Format String Vuln.
●
Heap Vuln.
And so...

28. Whats next?
●
Google is your best friend!
●
Smashing The Stack For Fun And Profit
– By Aleph One
●
And YES, CTFs!

29. In a nutshell
●
Changing flow of execution
– Buffer overflow
●
Injecting your vuln code
– Shellcode Injection
●
Vuln detection and prevention
Rest I leave to you,
Good luck! Queries?
Ping @aswinmguptha

30. Becoming Stronger!
●
NX
– Segments are either executable or writeable, but NOT
both
●
ASLR
– Address Space Layout Randomization
●
Canary, PIE
– Stack protectors