|=----------------------------------------------------------------------------=|
|=----------------------=[ Modern Binary Exploitation ]=----------------------=|
|=------------------------=[ CSCI 4968 - Spring '15 ]=------------------------=|
|=----------------------------------------------------------------------------=|
|=------------------------------=[ by RPISEC ]=-------------------------------=|
|=---------------------------=[ contact@rpis.ec ]=----------------------------=|
|=----------------------------------------------------------------------------=|
|=----------------------------------------------------------------------------=|
|=-----------------=[ Course materials available on GitHub ]=-----------------=|
|=----------------------------------------------------------------------------=|
+=======+======================================================================+
| Date  | Class Notes                                                          |
+=======+======================================================================+
| 01/27 | --[ Syllabus and Review                                              |
|       | -----------------------------------                                  |
|       | A quick overview of the syllabus, course, and what students can      |
|       | expect to learn. Some course terminology is covered along with a     |
|       | brief refresher of the background material required for the course.  |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
|       | Course Syllabus: Syllabus                                            |
|       | RPISEC IRC: getting on IRC                                           |
|       |                                                                      |
|       | A more complete course rundown along with contact information can be |
|       | found in the syllabus. Please be sure to at least read through it    |
|       | once to understand the mechanics of the course.                      |
|       |                                                                      |
|       | Finally, class office hours will be held at RPISEC's hack nights!    |
|       | WHERE: Sage 3101                                                     |
|       | WHEN: Wednesdays, 7-10pm                                             |
+-------+----------------------------------------------------------------------+
| 01/30 | --[ Tools and Basic Reverse Engineering                              |
|       | -----------------------------------                                  |
|       | We covered some of the most basic tools and their usage in reverse   |
|       | engineering. We covered mostly static tools today, and will go more  |
|       | in depth with dynamic tools as used in the typical reverse           |
|       | engineering workflow next class.                                     |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
|       | Intro Crackmes: challenges.zip                                       |
+-------+----------------------------------------------------------------------+
| 02/03 | --[ Extended Reverse Engineering                                     |
|       | -----------------------------------                                  |
|       | This class revolved around using IDA for static analysis in parallel |
|       | with assembly level debugging in gdb & edb. We took a look at the    |
|       | crackmes from last class with this reversing workflow, along with    |
|       | the RPI & CMU bomb crackmes.                                         |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
|       | Bomb Crackmes: bombs.zip                                             |
+-------+----------------------------------------------------------------------+
| 02/06 | --[ Reverse Engineering Lab                                          |
|       | -----------------------------------                                  |
|       | Our first lab focuses on basic reverse engineering. While we won't   |
|       | be doing any heavy reverse engineering in this class, being able to  |
|       | debug at the assembly level is a necessary skill in exploit          |
|       | development.                                                         |
|       |                                                                      |
|       | Labs will typically consist of three graded challenges of            |
|       | increasing difficulty. You are expected to complete the C problem    |
|       | (the easiest one) by the end of each lab period or you will take a   |
|       | grade penalty as specified in the syllabus. The rest are typically   |
|       | due by the start of class exactly one week later.                    |
|       |                                                                      |
|       | Due: 2/13/2015 1:59PM EST                                            |
|       | Lab: lab1.zip                                                        |
|       |                                                                      |
|       | Your solutions to the lab must be submitted individually to the      |
|       | email mbespring2015 [at] gmail.com                                   |
+-------+----------------------------------------------------------------------+
| 02/10 | --[ Introduction to Memory Corruption                                |
|       | -----------------------------------                                  |
|       | Memory corruption is typically at the heart of binary exploitation   |
|       | and is fundamental to the course. This lecture focused on classical  |
|       | stack smashing and demonstrating the possible effects of meaningful  |
|       | corruption.                                                          |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
|       | VM: http://www.nostarch.com/hackingCD.htm                            |
|       | Other Materials: lectures/5/                                         |
|       | Suggested Reading: Hacking: The Art of Exploitation                  |
|       |                    chapters 0x320, skim 0x330-0x342                  |
|       |                                                                      |
|       | Be sure to visit office hours if you have any questions, want to     |
|       | review, or want help with the reversing lab.                         |
+-------+----------------------------------------------------------------------+
| 02/13 | --[ Memory Corruption Lab                                            |
|       | -----------------------------------                                  |
|       | The Warzone is an in-house wargame that we've introduced as a        |
|       | self-contained learning environment for this course. Most of the     |
|       | exercises and labs will take place on this server for the remainder  |
|       | of the course.                                                       |
|       |                                                                      |
|       | SSH: warzone.rpis.ec 22                                              |
|       | Username: lab2C                                                      |
|       | Password: [DISTRIBUTED IN CLASS]                                     |
|       |                                                                      |
|       | Due: Friday 1:59pm, February 20th                                    |
|       |                                                                      |
|       | Levels are in /levels/lab2/ - Start with /levels/lab2/lab2C          |
|       |                                                                      |
|       | Solve the challenge, get a shell, cat /home/lab2B/.pass              |
|       | Then SSH into the Warzone with the account lab2B with that password. |
|       | Repeat for lab2B, then lab2A, then lab2end                           |
|       |                                                                      |
|       | To submit, send the passwords, a description of your exploit, and a  |
|       | copy of your script or payload to mbespring2015+lab2 [at] gmail.com  |
|       |                                                                      |
|       | Reminder: the bonus flag does not count toward your grade            |
+-------+----------------------------------------------------------------------+
| 02/20 | --[ Shellcoding                                                      |
|       | -----------------------------------                                  |
|       | Today's class introduced the concept of shellcode and how it is used |
|       | in classical exploitation when injecting arbitrary code into         |
|       | exploited processes. We'll be moving into more modern uses of        |
|       | shellcode as we get deeper into the course.                          |
|       |                                                                      |
|       | We also cover some simple techniques to write your own shellcode, as |
|       | well as some tools we use to make shellcoding a more pain-free       |
|       | process.                                                             |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 02/24 | --[ Shellcoding Lab                                                  |
|       | -----------------------------------                                  |
|       | Lab today will focus on your ability to use shellcode in             |
|       | exploitation, and your ability to write custom shellcode tailored to |
|       | the constraints of a given scenario.                                 |
|       |                                                                      |
|       | SSH: warzone.rpis.ec 22                                              |
|       | Username: lab3C                                                      |
|       | Password: [DISTRIBUTED IN CLASS]                                     |
|       |                                                                      |
|       | Due: Tuesday 1:59pm, March 3rd                                       |
|       |                                                                      |
|       | Submit your final command/payload for each level and a short         |
|       | description to mbespring2015+lab3 [at] gmail.com                     |
|       |                                                                      |
|       | Lab Slides: PDF                                                      |
+-------+----------------------------------------------------------------------+
| 02/27 | --[ Format Strings                                                   |
|       | -----------------------------------                                  |
|       | Format string based vulnerabilities are less common nowadays, but    |
|       | they are an important bug class that can be tricky to exploit.       |
|       |                                                                      |
|       | This lecture covers uncontrolled format string vulnerabilities and   |
|       | how they can be abused to leak information or take control of a      |
|       | vulnerable application.                                              |
|       |                                                                      |
|       | We will be having a format string based lab next week.               |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 03/03 | --[ Format String Lab                                                |
|       | -----------------------------------                                  |
|       | SSH: warzone.rpis.ec 22                                              |
|       | Username: lab4C                                                      |
|       | Password: [DISTRIBUTED IN CLASS]                                     |
|       |                                                                      |
|       | Due: Tuesday 1:59pm, March 10th                                      |
|       |                                                                      |
|       | Submit your final command/payload for each level and a short         |
|       | description to mbespring2015+lab4 [at] gmail.com                     |
|       |                                                                      |
|       | Lab Slides: PDF                                                      |
+-------+----------------------------------------------------------------------+
| 03/10 | --[ DEP and ROP                                                      |
|       | -----------------------------------                                  |
|       | Data Execution Prevention is one of the pillars of modern exploit    |
|       | mitigation technologies. Understanding how DEP works and how it can  |
|       | be bypassed is important in exploiting real-world targets.           |
|       |                                                                      |
|       | This lecture covers DEP and how it can be bypassed through Return    |
|       | Oriented Programming. We talk about some of the tools, workflow, and |
|       | constraints of writing ROP.                                          |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 03/13 | --[ ROP Lab                                                          |
|       | -----------------------------------                                  |
|       | SSH: warzone.rpis.ec 22                                              |
|       | Username: lab5C                                                      |
|       | Password: [DISTRIBUTED IN CLASS]                                     |
|       |                                                                      |
|       | Due: Friday 1:59pm, March 20th                                       |
|       |                                                                      |
|       | Submit your final command/payload for each level and a short         |
|       | description to mbespring2015+lab5 [at] gmail.com                     |
|       |                                                                      |
|       | Lab Slides: PDF                                                      |
+-------+----------------------------------------------------------------------+
| 03/17 | --[ Secure Systems and Game Console Exploitation                     |
|       | -----------------------------------                                  |
|       | As we already have a lab assigned and project one due directly after |
|       | spring break, we don't want to dive into the next subject until we   |
|       | get back.                                                            |
|       |                                                                      |
|       | To mix things up, we'll be taking a peek behind the curtain at some  |
|       | of the bugs that brought down game consoles of our generation.       |
|       |                                                                      |
|       | Game consoles are among the most secure off-the-shelf products       |
|       | consumers can buy, so it's interesting to look at the technical      |
|       | aspects of the exploits and bugs that cracked them open.             |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 03/20 | --[ Project One Lab                                                  |
|       | -----------------------------------                                  |
|       | Being the Friday of spring break, we will be hosting a lab period    |
|       | for project one. If anyone wants help or has questions, they're      |
|       | encouraged to ask for any final help before we move into break.      |
|       |                                                                      |
|       | We have also released a grading rubric for the first project in case |
|       | you would like some guidance on what to turn in.                     |
|       |                                                                      |
|       | Project One Rubric: PDF                                              |
|       |                                                                      |
|       | Due: Tuesday 1:59pm, March 31st                                      |
|       |                                                                      |
|       | You must submit your writeup as either a link to a blog post, or as  |
|       | a PDF equivalent. Here is a sample CTF Writeup that we would expect  |
|       | your project writeup to resemble.                                    |
|       |                                                                      |
|       | Submit your final writeup links and/or work to                       |
|       | mbespring2015+project1 [at] gmail.com                                |
+-------+----------------------------------------------------------------------+
| 03/31 | --[ Address Space Layout Randomization                               |
|       | -----------------------------------                                  |
|       | ASLR is the second big pillar in modern exploit mitigation           |
|       | technologies. It's designed to mitigate exploits that rely on        |
|       | hardcoded code/stack/heap addresses by randomizing the layout of     |
|       | memory for every execution.                                          |
|       |                                                                      |
|       | This lecture covers ASLR and how it can be bypassed through info     |
|       | leaks, partial overwrites, bruteforcing, and utilizing your crash    |
|       | state.                                                               |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 04/03 | --[ ASLR Lab                                                         |
|       | -----------------------------------                                  |
|       | The labs are harder this week with the bugs being less trivial to    |
|       | spot in source and more tricky to exploit. The challenges will also  |
|       | have more scenario and context to make them feel a bit more real.    |
|       |                                                                      |
|       | To mix things up even more, lab6B is a remote exploitation           |
|       | challenge. You can expect more remote exploitation challenges as we  |
|       | move into the final few lab sets in the course.                      |
|       |                                                                      |
|       | SSH: warzone.rpis.ec 22                                              |
|       | Username: lab6C                                                      |
|       | Password: [DISTRIBUTED IN CLASS]                                     |
|       |                                                                      |
|       | Because of the delay with getting lab6B up, we have extended the due |
|       | time till MIDNIGHT Friday rather than by class.                      |
|       |                                                                      |
|       | Due: Friday 11:59pm, April 10th                                      |
|       |                                                                      |
|       | Submit your final command/payload for each level and a short         |
|       | description to mbespring2015+lab6 [at] gmail.com                     |
+-------+----------------------------------------------------------------------+
| 04/07 | --[ Heap Exploitation                                                |
|       | -----------------------------------                                  |
|       | Many exploits found in the wild today likely touch on the heap in    |
|       | some form. As stack based memory corruption has grown harder to      |
|       | utilize, the bug hunt has continued into the heap space and given    |
|       | rise to new classes of vulnerabilities and techniques.               |
|       |                                                                      |
|       | This lecture covers how the heap can be abused in exploitation       |
|       | through heap based overflows, use after frees, heap spraying, and a  |
|       | brief mention of allocator metadata corruption.                      |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 04/10 | --[ Heap Exploitation Lab                                            |
|       | -----------------------------------                                  |
|       | There are only two lab challenges this week. Lab 7A is a bit tricky  |
|       | and will be a remote challenge.                                      |
|       |                                                                      |
|       | SSH: warzone.rpis.ec 22                                              |
|       | Username: lab7C                                                      |
|       | Password: [DISTRIBUTED IN CLASS]                                     |
|       |                                                                      |
|       | Due: Friday 1:59pm, April 17th                                       |
|       |                                                                      |
|       | Submit your final command/payload for each level and a short         |
|       | description to mbespring2015+lab7 [at] gmail.com                     |
+-------+----------------------------------------------------------------------+
| 04/14 | --[ Misc Concepts & Stack Canaries                                   |
|       | -----------------------------------                                  |
|       | Smaller points and concepts that we meant to cover in the week       |
|       | before spring break. This includes a basic breakdown of common       |
|       | integer issues, interesting things with file descriptors, and        |
|       | details surrounding stack canaries.                                  |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 04/17 | --[ Misc & Canaries Lab                                              |
|       | -----------------------------------                                  |
|       | Three lab challenges focusing on misc concepts and canaries. Lab 8A  |
|       | is a remote challenge.                                               |
|       |                                                                      |
|       | SSH: warzone.rpis.ec 22                                              |
|       | Username: lab8C                                                      |
|       | Password: [DISTRIBUTED IN CLASS]                                     |
|       |                                                                      |
|       | Due: Friday 1:59pm, April 24th                                       |
|       |                                                                      |
|       | Submit your final command/payload for each level and a short         |
|       | description to mbespring2015+lab8 [at] gmail.com                     |
+-------+----------------------------------------------------------------------+
| 04/21 | --[ C++ Concepts and Differences                                     |
|       | -----------------------------------                                  |
|       | C++ adds a number of conveniences that C lacks. Some of these        |
|       | additions help mitigate common exploitation avenues that we are used |
|       | to, such as string mishandling. It's harder to mess things up when   |
|       | you have a nice std::string instead of char *'s being thrown around. |
|       |                                                                      |
|       | But with C++ adding more high-level structures, it also opens new    |
|       | attack surfaces in the application, e.g. classes+vtables.            |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 04/24 | --[ C++ Concepts Lab                                                 |
|       | -----------------------------------                                  |
|       | This week there are only two lab challenges and they will focus on   |
|       | exploiting C++ based binaries. Both challenges will be remote        |
|       | services!                                                            |
|       |                                                                      |
|       | SSH: warzone.rpis.ec 22                                              |
|       | Username: lab9C                                                      |
|       | Password: [DISTRIBUTED IN CLASS]                                     |
|       |                                                                      |
|       | Due: Friday 1:59pm, May 1st                                          |
|       |                                                                      |
|       | Submit your final command/payload for each level and a short         |
|       | description to mbespring2015+lab9 [at] gmail.com                     |
+-------+----------------------------------------------------------------------+
| 04/28 | --[ Kernel Exploitation                                              |
|       | -----------------------------------                                  |
|       | Kernel exploitation is the process of attacking the operating system |
|       | itself. Vulnerabilities in the kernel can result in full takeover of |
|       | a system and are among the most powerful bugs we can find.           |
|       |                                                                      |
|       | This lecture is an introduction to the world of kernel exploitation. |
|       | It covers basic kernel exploitation techniques such as NULL          |
|       | dereferences and jump-to-userland, as well as kernel land            |
|       | mitigations such as mmap_min_addr and SMEP/SMAP.                     |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 05/01 | --[ Kernel Exploitation Lab                                          |
|       | -----------------------------------                                  |
|       | We've reached the system core, but can you get root? There are two   |
|       | lab challenges this week.                                            |
|       |                                                                      |
|       | This week we've brought a separate server online to spin up personal |
|       | QEMU images for you to work in and break. Unlike the Warzone, this   |
|       | server will only be accessible from campus, so you will need to VPN  |
|       | in if you're trying to work from off campus.                         |
|       |                                                                      |
|       | SSH: warzone-kernel.rpis.ec 22                                       |
|       | Username: lab10C                                                     |
|       | Password: [DISTRIBUTED IN CLASS]                                     |
|       |                                                                      |
|       | Due: Friday 1:59pm, May 8th                                          |
|       |                                                                      |
|       | Submit your final command/payload for each level and a short         |
|       | description to mbespring2015+lab10 [at] gmail.com                    |
+-------+----------------------------------------------------------------------+
| 05/04 | --[ Final Project Lab                                                |
|       | -----------------------------------                                  |
|       | Class today will be a dedicated lab session to get help on the Final |
|       | Project. We'll be releasing a few hints and tips to help for those   |
|       | that attend. It's wise to ask any questions or ask for help if       |
|       | you're stuck.                                                        |
|       |                                                                      |
|       | Checkpoint #2 is due by Friday 11:59pm, May 8th                      |
|       | The entire project is due by Friday 1:59pm, May 15th                 |
|       |                                                                      |
|       | We sent the rubric out a week or two ago via email, but here it is   |
|       | for anyone that missed it.                                           |
|       |                                                                      |
|       | Final Project Rubric: PDF                                            |
+-------+----------------------------------------------------------------------+
| 05/08 | --[ Exploitation on 64bit, ARM, Windows                              |
|       | -----------------------------------                                  |
|       | This course has focused exclusively on owning 32bit Linux binaries,  |
|       | but how does exploitation differ on AMD64? What about on ARM? Or     |
|       | even on a different OS like Windows?                                 |
|       |                                                                      |
|       | This lecture explores and contrasts some of the differences found on |
|       | the other popular architectures and operating systems we see around  |
|       | us today.                                                            |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+
| 05/12 | --[ Automation & The Future of Exploitation                          |
|       | -----------------------------------                                  |
|       | You've learned how to leverage bugs to pwn binaries and bypass many  |
|       | of the modern mitigation technologies seen today. But how can we do  |
|       | these things faster, and where is the field going?                   |
|       |                                                                      |
|       | This lecture talks a bit about fuzzing as well as a few more         |
|       | interesting and advanced tools in vulnerability research. It ends    |
|       | the course with a brief look into the future of binary exploitation  |
|       | and what to expect of the field in the near future.                  |
|       |                                                                      |
|       | Lecture Slides: PDF                                                  |
+-------+----------------------------------------------------------------------+