BSidesKC | April 26-27, 2019 | Plexpod Westport: 300 E 39th St, Kansas City, MO 64111

Basic Memory Corruption: Introduction to Stack-based Exploitation

Friday: 9am-5pm

This is a course on basic stack-based exploitation. We’ll begin with a review of how memory management works within an IA32 architecture, before diving headfirst into classic attacks such as buffer overflows, format string exploits, and DTOR/GOT overwrites. We’ll also learn how to write shellcode and bypass non-executable stacks using return-to-libc attacks. Finally, we’ll go over some basic mitigations for the techniques we’ve learned.
This is meant to be a foundational course that can serve as a jumping-off point for students wishing to learn more advanced topics such as ROP chains, heap sprays, use-after-free, and defeating ASLR.

Workshop Outline:

I. Basic Concepts

I.1. Memory Management
I.2. Assembly
I.3. Recognizing C and C++ Code Constructs in Assembly

II. The IA32 Call Stack

II.1. Buffers
II.2. Lab Exercise: Buffer Overrun
II.3. The Call Stack
II.4. Lab Exercise: Watching the Call Stack in Action
II.5. Functional Control Flow
II.6. Lab Exercise: Functional Control Flow

III. Buffer Overflows

III.1. Basic Buffer Overflows
III.2. Overwriting the Return Address
III.3. Lab Exercise: Overwriting the Return Address
III.4. Taking Control of Execution
III.5. Lab Exercise: Taking Control of Execution
III.6. Executing Arbitrary Code
III.7. NOP Sleds
III.8. Lab Exercise: Privilege Escalation Exploit
III.9. Return to libc: Defeating Non-Executable Stacks
III.10. Lab Exercise: Return to libc Attack

IV. Introduction to Shellcode

IV.1. System Calls
IV.2. Lab Exercise: System Calls
IV.3. Making Our Shellcode Injectable
IV.4. Lab Exercise: Making Our Shellcode Injectable
IV.5. Spawning a Shell
IV.6. Lab Exercise: Spawning a Shell

V. Format String Exploits

V.1. Format Strings
V.2. Format String Bugs
V.3. Format String Denial of Service (DoS) Attacks
V.4. Lab Exercise: Format String Denial of Service (DoS) Attacks
V.5. Format String Information Disclosures
V.6. Lab Exercise: Format String Information Disclosures
V.7. Exploiting Format String Bugs to Execute Arbitrary Code
V.8. Lab Exercise: Exploiting Format String Bugs to Execute Arbitrary Code

Student Requirements:

  • A laptop equipped with VMware or VirtualBox and provisioned with at least 25GB of disk space and 8GB of memory.
  • Prior exposure to C programming, assembly, and basic memory management concepts is highly recommended in order to benefit from this course.

Presenter:

Gabriel Ryan is a researcher and security consultant with a passion for wireless and infrastructure testing. He currently serves as a principal security consultant at Digital Silence, a Denver-based consulting firm that specializes in impact-driven penetration testing and red team engagements. Prior to joining Digital Silence, Gabriel worked as a penetration tester and researcher for Gotham Digital Silence, contributing heavily to their wireless security practice and regularly performing large-scale infrastructure assessments and red teams for Fortune 500 companies. Some of Gabriel’s most recent work includes the development of EAPHammer, an 802.11ac-focused tool for breaching WPA/2-EAP networks. In his spare time, he enjoys producing music, exploring the outdoors, and riding motorcycles.