# How does exploitation of a vulnerability change when a program is compiled with different mitigations?

This repository contains a single vulnerable source program, `vuln.c`, compiled with incrementally more exploit mitigations. Each compilation has an associated exploit script that achieves arbitrary code execution against the program.

This is a companion repository to a presentation titled "Binary Software Exploitation by Example".
The solution scripts work with the compiled binaries in this repository. If you recompile the vulnerable program, you will need to adjust any hard-coded offsets and addresses in the scripts. The binaries were compiled on an Ubuntu 18.04 system, and libc addresses and offsets are taken from `libc-2.27.so`.

Note that the ASLR mitigation is handled 'notionally': rather than encouraging you to modify system settings to disable ASLR system-wide, the binaries print out stack and function addresses. Some exploits use this information (when ASLR is 'disabled'), while others ignore it and instead craft information leaks from the vulnerable program in order to bypass the randomized protections. Alternatively, you may (and are encouraged to) execute these programs in a virtual machine where you can toggle ASLR on and off, system-wide, with reduced risk.
Scripts are written using pwntools:

```shell
$ pip3 install --user pwntools
```
If you wish to recompile the vulnerable programs, you may do so using the following compilation flags:

```shell
# No mitigations - executable stack, no canary, no PIE
gcc vuln.c -o vuln1 -fno-stack-protector -z execstack -no-pie
# Stack canary
gcc vuln.c -o vuln2 -z execstack -no-pie
# Stack canary, W^X
gcc vuln.c -o vuln3 -no-pie
# Stack canary, W^X, ASLR
gcc vuln.c -o vuln4 -no-pie
# Stack canary, W^X, ASLR, PIE
gcc vuln.c -o vuln5
```
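Before running a solution script against a rebuilt binary, it is worth confirming which of the mitigations above the build actually carries, since a stray default (for example a distribution gcc that enables the stack protector on its own) changes the picture. The following is an added example, not a script from this repository and not pwntools code: it reads the ELF64 header and program headers to report PIE (`ET_DYN`), a non-executable stack (`PT_GNU_STACK` without `PF_X`) and a stack canary (the `__stack_chk_fail` import, the same heuristic checksec-style tools use). ASLR is a kernel setting rather than a property of the file, so it is not reported. The `build_sample_elf` helper constructs synthetic, non-loadable ELF images so the example runs without the repository's binaries; the path argument and the `missing_mitigations` helper are assumptions of this example.

```python
"""Report the exploit mitigations baked into an ELF64 binary (PIE, NX stack, stack canary).

Added example; it does not use pwntools and is not a script from this repository.
ASLR is a kernel setting (/proc/sys/kernel/randomize_va_space), not a property of the
file, so it is not reported here.
"""
import struct
import sys

ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # program header that records the requested stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

EHDR_FMT = "<HHIQQQIHHHHHH"  # Elf64_Ehdr fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"       # Elf64_Phdr


def inspect_elf(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool, 'canary': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    (e_type, _machine, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, data, 16)

    # PIE binaries are linked as shared objects (ET_DYN) so the loader can relocate them.
    pie = e_type == ET_DYN

    # Without a PT_GNU_STACK header the Linux x86 kernel falls back to an executable
    # stack, so NX is only claimed when the header is present and lacks PF_X.
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)

    # Heuristic shared with checksec-style tools: a protected binary imports __stack_chk_fail.
    canary = b"__stack_chk_fail" in data
    return {"pie": pie, "nx": nx, "canary": canary}


def missing_mitigations(info: dict) -> list:
    """Names of the mitigations a build lacks, in the order this repository adds them."""
    order = [("canary", "stack canary"), ("nx", "W^X (non-executable stack)"), ("pie", "PIE")]
    return [label for key, label in order if not info[key]]


def build_sample_elf(pie: bool, exec_stack: bool, canary: bool) -> bytes:
    """Constructed, non-loadable ELF64 image with just the headers the check reads.

    It stands in for the repository's vuln1..vuln5 binaries so the example runs offline.
    """
    e_ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, SysV ABI
    # One PT_LOAD segment followed by the PT_GNU_STACK header the check looks for.
    phdrs = struct.pack(PHDR_FMT, 1, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)            # -z execstack adds PF_X
    phdrs += struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    # e_phoff = 64 (right after the header), e_phentsize = 56, e_phnum = 2, no section headers.
    ehdr = e_ident + struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x401000,
                                 64, 0, 0, 64, 56, 2, 64, 0, 0)
    # A stand-in for the dynamic string table, with or without the canary failure handler.
    strtab = b"\x00puts\x00" + (b"__stack_chk_fail\x00" if canary else b"")
    return ehdr + phdrs + strtab


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # usage: python3 check_mitigations.py ./vuln3
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:                                       # no path given: inspect a constructed sample
        image = build_sample_elf(pie=False, exec_stack=True, canary=False)
    info = inspect_elf(image)
    print(info, "missing:", missing_mitigations(info) or "none")
```

Run it with the path of a freshly compiled `vulnN` to see whether the build matches the comment beside its gcc line; with no argument it inspects a constructed image equivalent to the `vuln1` flags. The canary check is a symbol-name heuristic, so a binary that imports `__stack_chk_fail` for some other reason will be reported as protected.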
## To do

- Distribute an Ubuntu 18.04 Dockerfile with `libc-2.27.so`.
- Refactor solution scripts for clarity.