Skip to content

Bypassing Mitigations

Jump to bottom
Rares Visalom edited this page Jul 22, 2020 · 1 revision

Bypassing Mitigations

Throughout the workshop we have seen different ways of exploiting binary executables (or binaries for short). We have also seen defense mechanisms employed to defend against attacks (or at least make it more difficult for the attack to complete successfully).

This session is a wrap up of everything we have explored so far. We will provide a top-level review of the attacks, their mitigations and any potential bypasses for those mitigations. Afterwards, you will have a set of challenges to complete.

Assessing Defense Mechanisms

The organization is simple. We start from a defense mechanism and list any attack method that bypasses it. For each attack method we aim to list any requirements, restrictions and any other defenses (referred to as "bypass X", where X is another defense mechanism).

  1. Executable Space Protection, a.k.a Data Execution Prevention (DEP), a.k.a NX. Prevents code injection by disallowing execution of code located in certain memory regions.
    • Attack: ret-2-plt
      • requirement: ability to overwrite code pointer
    • Attack: ret-2-libc
      • requirement: ability to overwrite code pointer
      • restriction: ASLR makes things more difficult
      • bypass ASLR: divert execution with one of the options below
        • Attack: Brute-force
        • Attack: Nop-sled (for shellcodes)
        • Attack: jmp esp
        • Attack: Entropy restriction (huge dummy environment variables on the stack)
        • Attack: Partial Overwrite of GOT
          • restriction: FULL RELRO
          • bypass FULLRELRO: binary-dependent, use other overwritable code pointers.
        • Attack: Information Leak (leak absolute address from libc) + GOT Overwrite
          • restriction: FULL RELRO
          • bypass FULLRELRO: binary-dependent, use other overwritable code pointers.
    • Attack: mprotect()
      • requirement: ability to overwrite code pointer
      • restriction: mprotect() must be used by the original executable.
      • bypass NX: call mprotect() with the PROT_EXEC flag and make the stack executable.
    • Attack: mmap()
      • requirement: ability to overwrite code pointer
      • restriction: mmap() must be used by the original executable.
      • bypass DEP/NX: call mmap() to allocate a new readable, writable and executable memory region, write the shellcode in that memory region and execute it.
    • Attack: ROP
      • requirement: ability to overwrite code pointer, ability to place data on stack or pivot the stack to a mapping containing user-controlled data
      • restriction: restrictions from ret-2-plt and ret-2-libc apply (that means ASLR), the need to have certain gadgets present in the original executable and PIE.
      • bypass almost anything: perform information leaks to leak the PIE base and any absolute address to defeat ASLR+PIE.
  2. seccomp. Sandboxes syscalls, which basically means filtering them.
    • highly dependent on the binary
    • only exploitable if misconfiguration is present in the seccomp filters.
Clone this wiki locally