WEBVTT 1 00:00:00.160 --> 00:00:03.080 Welcome to the deep dive. Today, we're diving into the 2 00:00:03.080 --> 00:00:07.639 world of AR exploitation. Ooh exciting using Beginner's Guide to 3 00:00:07.679 --> 00:00:11.480 Exploitation on Arm Volume two by Billy Ellis. 4 00:00:11.759 --> 00:00:13.039 Oh yeah, I've heard of that one. 5 00:00:13.080 --> 00:00:14.400 It's going to get pretty technical. 6 00:00:14.599 --> 00:00:16.120 Yeah, this book gets right into it. 7 00:00:16.160 --> 00:00:19.399 But even if you're not a programmer, you know, understanding 8 00:00:19.399 --> 00:00:23.079 these concepts I think is absolutely super important for cybersecurity. 9 00:00:23.280 --> 00:00:25.399 It is. Yeah, so like learning to think like the 10 00:00:25.519 --> 00:00:26.280 enemy exactly. 11 00:00:26.359 --> 00:00:29.320 Yeah, like reading the Attacker's playbook. Yeah, so this is 12 00:00:29.440 --> 00:00:32.920 volume two. It builds on concepts from the first book. 13 00:00:33.039 --> 00:00:33.280 Right. 14 00:00:33.359 --> 00:00:36.280 It assumes that you have some basic knowledge. 15 00:00:36.439 --> 00:00:37.759 Yeah, it kind of jumps right in. 16 00:00:37.920 --> 00:00:40.880 Programming and memory corruption and that it does. It gives 17 00:00:40.920 --> 00:00:45.000 you all these like real world code examples and exercises. 18 00:00:45.079 --> 00:00:46.880 You can really get your hands dirty with this one. 19 00:00:46.960 --> 00:00:49.159 Oh yeah, and I see it also mentions that you 20 00:00:49.200 --> 00:00:51.159 need a jail broken arm device. 21 00:00:51.280 --> 00:00:53.399 Yeah, you need a way to actually test this stuff out. 22 00:00:53.240 --> 00:00:54.840 To really try out the exercises. 23 00:00:54.920 --> 00:00:56.280 Right, But even if you're not going to do any 24 00:00:56.280 --> 00:00:59.280 actual hacking, it's still so valuable to understand how these 25 00:00:59.320 --> 00:00:59.840 things work. 26 00:01:00.039 --> 00:01:01.240 Okay, so let's take a look at some of the 27 00:01:01.240 --> 00:01:03.799 stuff that we're going to be covering, right, Integer overflows 28 00:01:04.200 --> 00:01:06.680 off by one errors. Oh yeah, I'm a classic double 29 00:01:06.680 --> 00:01:10.680 free conditions stack pivoting stackpivoty is always fun to hijack 30 00:01:10.799 --> 00:01:11.959 program execution. 31 00:01:12.560 --> 00:01:13.480 That's the goal, right. 32 00:01:13.879 --> 00:01:14.959 It sounds intense. 33 00:01:15.079 --> 00:01:16.959 It is intense, but also super fascinating. 34 00:01:17.000 --> 00:01:20.159 So let's start with integer overflows. Chapter one dives right in, 35 00:01:20.280 --> 00:01:23.920 as does with this program called into overflow dot C. Okay, 36 00:01:24.200 --> 00:01:27.120 and it's pretty simple. It's checking if input data is 37 00:01:27.200 --> 00:01:28.519 less than thirty two bytes. 38 00:01:28.760 --> 00:01:31.400 Sounds simple enough, Yeah, what could go wrong? 39 00:01:31.560 --> 00:01:34.840 But the problem is the data type that's used to 40 00:01:34.879 --> 00:01:38.560 store the length. Ah, it's an unsigned chart, which can 41 00:01:38.599 --> 00:01:41.200 only hold values from zero to two fifty five. 42 00:01:41.359 --> 00:01:44.000 Right, so if you exceed that what happens? Then that's 43 00:01:44.000 --> 00:01:44.959 where the fun begins. 44 00:01:45.040 --> 00:01:46.400 Yeah? Does it throw an error? 45 00:01:46.799 --> 00:01:50.040 Well not exactly, Okay, it causes this wrap around effect 46 00:01:50.159 --> 00:01:53.159 wrack around. Yeah. If you've ever seen those old school odometers, 47 00:01:53.280 --> 00:01:55.359 Oh yeah, like the ones that roll back to zero 48 00:01:55.439 --> 00:01:58.879 after hitting nine hundred and ninety nine miles. Okay, it's 49 00:01:58.959 --> 00:01:59.560 kind of like that. 50 00:02:00.120 --> 00:02:03.439 You exceed the maximum value and then those bits. 51 00:02:03.239 --> 00:02:06.599 And reset yep, leading to a really small number okay, and. 52 00:02:06.560 --> 00:02:08.639 The book actually has a really cool diagram that shows 53 00:02:08.639 --> 00:02:09.319 this visually. 54 00:02:09.400 --> 00:02:10.919 Oh yeah, they use the eight bits of a char 55 00:02:11.120 --> 00:02:12.000 to illustrate it. 56 00:02:11.840 --> 00:02:16.240 It's super helpful. So this wrap around allows an attacker 57 00:02:16.319 --> 00:02:20.680 to kind of bypass that size check, right because. 58 00:02:20.439 --> 00:02:22.919 The program thinks the data is smaller than it actually. 59 00:02:22.639 --> 00:02:26.840 Is, okay, and write more data into the buffer than intended. 60 00:02:26.520 --> 00:02:29.000 Leading to you guessed it a buffer overflow. 61 00:02:29.199 --> 00:02:30.759 And then the example in the book shows how this 62 00:02:30.840 --> 00:02:32.319 leads to a segmentation fault. 63 00:02:32.439 --> 00:02:34.639 Right, the program just crashes because it can't handle all 64 00:02:34.639 --> 00:02:35.520 that extra data. 65 00:02:35.599 --> 00:02:40.199 So essentially, a tiny coding mistake yep, can cause a 66 00:02:40.199 --> 00:02:42.680 full blown stack buffer overflow. 67 00:02:42.639 --> 00:02:44.840 Which can have some serious consequences. 68 00:02:44.960 --> 00:02:46.120 Yeah, it's a little bit scary. 69 00:02:46.240 --> 00:02:48.280 It is a good reminder that security starts at the 70 00:02:48.319 --> 00:02:48.879 code level. 71 00:02:49.039 --> 00:02:52.560 Yeah, okay, so let's move on to chapter two. Okay, 72 00:02:52.879 --> 00:02:54.120 one byte overflows. 73 00:02:54.159 --> 00:02:55.120 One bite overflows. 74 00:02:55.439 --> 00:02:57.879 My first thought was how much damage can one byte 75 00:02:58.000 --> 00:02:58.639 really do? 76 00:02:58.960 --> 00:03:03.319 Right? It doesn't sound like much, but as this chapter shows, yeah, 77 00:03:03.560 --> 00:03:07.599 even a single byte can be extremely dangerous. It's all 78 00:03:07.599 --> 00:03:09.240 about precision and targeting. 79 00:03:09.319 --> 00:03:12.520 So the example uses two strucks to store data on 80 00:03:12.599 --> 00:03:16.080 the heap and I like how the book provides this 81 00:03:16.319 --> 00:03:18.840 visual representation of the heat layout. 82 00:03:19.039 --> 00:03:22.400 Yeah, those visuals are super helpful. Yeah, for understanding how 83 00:03:22.400 --> 00:03:23.439 the exploit works. 84 00:03:24.080 --> 00:03:24.479 It is. 85 00:03:24.599 --> 00:03:27.719 So the vulnerability here is in this line of code 86 00:03:28.280 --> 00:03:31.560 that copies data from the command line into a buffer, 87 00:03:32.199 --> 00:03:35.879 and it's the loop condition. Okay, less than are equal 88 00:03:35.919 --> 00:03:38.759 to sixteen, that's the problem. Okay, it ends up copying 89 00:03:38.800 --> 00:03:40.479 seventeen bytes instead of sixteen. 90 00:03:40.639 --> 00:03:43.680 That one extra bite. What does that overrite? 91 00:03:44.039 --> 00:03:47.439 That one byte overwrites a function pointer, a function pointer, 92 00:03:47.560 --> 00:03:49.280 and that's where things get really interesting. 93 00:03:49.560 --> 00:03:54.000 So an attacker can like carefully craft their input to 94 00:03:54.159 --> 00:03:58.159 change this pointer to point to their malicious code, and 95 00:03:58.560 --> 00:04:02.159 the book shows this in action. The program's execution is 96 00:04:02.240 --> 00:04:05.199 redirected to through a bunch of bees zero by forty two, 97 00:04:05.520 --> 00:04:07.479 forty two four. 98 00:04:07.400 --> 00:04:10.560 Yeah, b's and hexadecimal after the exploit. It's a classic 99 00:04:10.639 --> 00:04:14.080 demonstration of how manipulating just one. 100 00:04:13.879 --> 00:04:15.680 Bite it's pretty powerful. 101 00:04:15.680 --> 00:04:18.399 You give you complete control, Yeah, over a program. 102 00:04:18.480 --> 00:04:21.959 Okay, So chapter three shifts gears to double free. 103 00:04:22.199 --> 00:04:23.639 Ah, double free? 104 00:04:23.759 --> 00:04:24.720 What's that all about? 105 00:04:25.240 --> 00:04:27.240 This is where we get into the dangers of freeing 106 00:04:27.279 --> 00:04:30.319 the same block of memory twice. Okay, The book uses 107 00:04:30.360 --> 00:04:32.720 some nice step by step diagrams to explain this. I 108 00:04:32.759 --> 00:04:35.519 do like the diagram They're super helpful for visualizing what's 109 00:04:35.560 --> 00:04:35.959 going on. 110 00:04:36.040 --> 00:04:38.120 So you can see how the heap is divided into 111 00:04:38.160 --> 00:04:42.480 blocks bite, and how functions like Malik and free manage memory. 112 00:04:42.279 --> 00:04:45.399 Exactly, and how a double free can create this weird 113 00:04:45.439 --> 00:04:49.160 situation where two pointers are pointing to the same memory location. 114 00:04:50.160 --> 00:04:52.560 That's a dangling pointer, right, that's right. It's like having 115 00:04:52.639 --> 00:04:55.720 a key. It is to a room that's not yours anymore. 116 00:04:55.399 --> 00:04:57.920 Exactly, a key to a room that doesn't even exist anymore. 117 00:04:58.000 --> 00:05:01.040 Okay, So if an attacker can put their controlled data 118 00:05:01.639 --> 00:05:05.279 into that free memory, right, then they can control they. 119 00:05:05.120 --> 00:05:07.959 Can control what those dangling pointers are pointing to. Okay, 120 00:05:08.040 --> 00:05:10.720 so potentially leading to arbitrary code execution. 121 00:05:11.160 --> 00:05:13.839 And the example program they use HEAP level three dot 122 00:05:13.879 --> 00:05:18.120 C Hmmm, it has some security checks to prevent use. 123 00:05:18.000 --> 00:05:20.319 After free, right, they try to make it a little 124 00:05:20.360 --> 00:05:20.759 bit harder. 125 00:05:20.800 --> 00:05:21.680 But there's another bug. 126 00:05:21.759 --> 00:05:23.040 There's always another bug. 127 00:05:22.879 --> 00:05:25.120 Related to free austraya that can be exploited. 128 00:05:25.439 --> 00:05:26.319 Of course, there is. 129 00:05:26.519 --> 00:05:29.920 Why is exploiting the double free in this particular program. 130 00:05:30.240 --> 00:05:32.959 Yeah, so in this case, the key it's because the 131 00:05:33.000 --> 00:05:35.680 attacker has to get two pointers yeah, to point to 132 00:05:35.720 --> 00:05:38.560 the same memory location, which is a bit harder because 133 00:05:38.600 --> 00:05:41.000 of the limited functionality of the example program. 134 00:05:41.120 --> 00:05:42.519 Okay, but in the. 135 00:05:42.439 --> 00:05:47.079 Real world, double free vulnerabilities can often be exploited much 136 00:05:47.079 --> 00:05:47.759 more liably. 137 00:05:47.839 --> 00:05:50.360 So this is like a simplified example. It is, yeah, 138 00:05:50.480 --> 00:05:54.160 to illustrate the concept exactly. Okay, let's talk about stack pivoting. 139 00:05:54.279 --> 00:05:55.600 Oh yes, stack pivoting. 140 00:05:55.800 --> 00:05:58.000 Chapter four is all about this technique. 141 00:05:58.120 --> 00:05:58.959 This is a good one. 142 00:05:59.000 --> 00:06:01.680 It sounds cool, but honestly, the details are a little 143 00:06:01.680 --> 00:06:02.240 fuzzy for me. 144 00:06:02.279 --> 00:06:05.680 Okay. So imagine the stack like a pile of plates, okay, 145 00:06:05.720 --> 00:06:08.519 with the stack pointer pointing to the top plate. 146 00:06:08.680 --> 00:06:08.920 Okay. 147 00:06:09.120 --> 00:06:12.519 Stack pivoting is like grabbing that whole pile of plates 148 00:06:12.839 --> 00:06:16.399 and moving it to a different location that's under the 149 00:06:16.439 --> 00:06:17.319 attacker's control. 150 00:06:17.439 --> 00:06:21.839 So you're redirecting the program's execution flow exactly to like 151 00:06:22.040 --> 00:06:23.279 their own custom stack. 152 00:06:23.439 --> 00:06:24.240 That's the idea. 153 00:06:24.399 --> 00:06:26.879 Okay. So why is this useful for an attacker? 154 00:06:27.120 --> 00:06:32.040 So sometimes the space available on the stack is too small, 155 00:06:32.360 --> 00:06:34.959 okay for them to inject their entire malicious payloads. 156 00:06:34.959 --> 00:06:35.680 They need more room. 157 00:06:35.759 --> 00:06:36.439 They need more. 158 00:06:36.360 --> 00:06:39.000 Room, so they pivot to a different section of memory that's. 159 00:06:38.959 --> 00:06:41.839 Larger exactly, and they control that memory. Okay, so they 160 00:06:41.879 --> 00:06:42.839 have more space to work with. 161 00:06:43.040 --> 00:06:45.959 So the book uses this challenge called ROPL level six 162 00:06:46.439 --> 00:06:47.279 to illustrate this. 163 00:06:47.360 --> 00:06:47.920 It's a good one. 164 00:06:47.959 --> 00:06:52.000 It's a classic heat based buffer overflow. But the twist 165 00:06:52.120 --> 00:06:55.160 is you only get a single gadget, a single gadget 166 00:06:55.240 --> 00:06:57.399 to gain control of R fifteen PC. 167 00:06:58.120 --> 00:07:02.360 Ah. Yes, the program, the key to controlling the program. 168 00:07:02.600 --> 00:07:04.639 So the challenge is to find. 169 00:07:04.560 --> 00:07:08.600 Find that stack pivot gadget, a stack pivot gadget. Luckily, 170 00:07:08.639 --> 00:07:10.319 it's provided in the gadget library. 171 00:07:10.600 --> 00:07:12.800 Okay for this example, So let's take a look at 172 00:07:12.839 --> 00:07:13.319 this gadget. 173 00:07:13.319 --> 00:07:13.600 All right. 174 00:07:13.759 --> 00:07:18.360 It uses two instructions, two instructions MOVs spr five and 175 00:07:18.600 --> 00:07:20.160 pop R four PC. 176 00:07:20.360 --> 00:07:23.959 All right. So the first instruction, the mov spr five. Yeah, 177 00:07:24.199 --> 00:07:26.639 that's the key to the pivot. Okay. It moves the 178 00:07:26.720 --> 00:07:30.160 value of register R five into the stack pointer okay, 179 00:07:30.319 --> 00:07:33.879 which effectively sets the stack pointer to the memory location 180 00:07:34.040 --> 00:07:34.560 pointed to. 181 00:07:34.560 --> 00:07:36.759 By R five, which is controlled by the attacker. 182 00:07:36.839 --> 00:07:38.439 It's controlled by the attacker exactly. 183 00:07:38.519 --> 00:07:39.199 That's the pivot. 184 00:07:39.360 --> 00:07:40.120 That's the pivot. 185 00:07:40.240 --> 00:07:41.279 And then the second instruction. 186 00:07:41.639 --> 00:07:43.920 So the pop R four PC pops. 187 00:07:43.600 --> 00:07:45.920 Two values off the stack it does. The first goes 188 00:07:45.959 --> 00:07:48.800 into R four right, and the second goes into the PC. 189 00:07:48.759 --> 00:07:49.560 The program counter. 190 00:07:50.040 --> 00:07:53.240 So since the attacker has already set the stack to 191 00:07:53.279 --> 00:07:57.240 point to their controlled memory, they can cracked these values, 192 00:07:57.800 --> 00:08:00.959 and in this challenge, that popped value for the PC 193 00:08:01.800 --> 00:08:04.240 leads to the execution of a secret function. 194 00:08:04.759 --> 00:08:07.000 It's a classic stack pivoting technique. 195 00:08:07.079 --> 00:08:09.160 It's very clever, it is, but. 196 00:08:09.160 --> 00:08:11.639 It requires a lot of knowledge about the target program 197 00:08:12.079 --> 00:08:14.160 and the ability to find the right gadgets. 198 00:08:14.240 --> 00:08:17.360 Okay, so that's stack pivoting, that's stat pivoting. Definitely more 199 00:08:17.360 --> 00:08:21.600 advanced than your typical buffer overflow. Oh yeah, this is 200 00:08:21.800 --> 00:08:22.319 getting real. 201 00:08:22.480 --> 00:08:26.199 This is advanced stuff. But that's what attackers use in 202 00:08:26.240 --> 00:08:26.759 the real world. 203 00:08:26.800 --> 00:08:28.319 All right, So let's talk about defenses. 204 00:08:28.560 --> 00:08:28.879 Okay. 205 00:08:29.000 --> 00:08:32.440 Chapter five introduces stack canaries. 206 00:08:32.960 --> 00:08:34.279 Stack canaries. 207 00:08:34.360 --> 00:08:36.159 It sounds kind of cute. It does sound cu for 208 00:08:36.200 --> 00:08:37.960 such a serious security feature. 209 00:08:38.279 --> 00:08:39.480 Don't let the name fool you. 210 00:08:39.639 --> 00:08:40.679 So what are they all about? 211 00:08:40.919 --> 00:08:45.559 So, stack canaries are designed to detect buffer overflows and 212 00:08:45.679 --> 00:08:50.360 prevent arbitrary code execution. Think of it like the canary 213 00:08:50.360 --> 00:08:51.080 in the coal mine. 214 00:08:51.159 --> 00:08:52.440 Okay, so how do they work? 215 00:08:52.600 --> 00:08:54.879 So basically they sing. They don't actually sing. 216 00:08:55.200 --> 00:08:56.200 When there's an overflow. 217 00:08:56.279 --> 00:08:58.600 No, but I like the way you think. It's more 218 00:08:58.639 --> 00:09:01.679 like a trip wire. So a stack canary is a 219 00:09:01.759 --> 00:09:05.000 random value. Okay, let's place on the stack between you 220 00:09:05.000 --> 00:09:06.799 seeing a buffer and the return address. 221 00:09:06.919 --> 00:09:09.759 The book has a really cool visual representation of this. Yeah, 222 00:09:09.759 --> 00:09:11.960 the visual really helps to help you see how it works. 223 00:09:12.039 --> 00:09:12.600 Absolutely. 224 00:09:12.679 --> 00:09:16.559 So before a function returns, right, the program checks the 225 00:09:16.559 --> 00:09:18.440 canary's value exactly, and if. 226 00:09:18.279 --> 00:09:21.320 It's changed, then it knows something's wrong. 227 00:09:21.440 --> 00:09:25.320 It means there's been a buffer overflow most likely yes, 228 00:09:25.639 --> 00:09:28.639 and then the program just terminates gracefully. 229 00:09:28.200 --> 00:09:31.240 Yep, instead of allowing the attacker to run their malicious code. 230 00:09:31.480 --> 00:09:32.200 That's pretty clever. 231 00:09:32.799 --> 00:09:33.720 It is pretty clever. 232 00:09:33.840 --> 00:09:36.039 But I'm sure attackers have figured out ways to get 233 00:09:36.080 --> 00:09:39.879 around this, right of course, like what well. 234 00:09:39.879 --> 00:09:42.639 One common method is to try and leak the canary value. 235 00:09:43.159 --> 00:09:45.519 So if they can figure out what that random value 236 00:09:45.759 --> 00:09:49.759 is exactly, they can just overwrite it with the correct value. 237 00:09:49.519 --> 00:09:51.879 Mm hm and make it look like nothing happened. 238 00:09:51.559 --> 00:09:52.639 During their exploit. 239 00:09:52.840 --> 00:09:53.039 Right. 240 00:09:53.159 --> 00:09:53.799 That's sneaky. 241 00:09:53.919 --> 00:09:54.399 It is sneak. 242 00:09:54.519 --> 00:09:57.120 So the book walks through an example of defeating a 243 00:09:57.159 --> 00:10:00.000 stack canary in this program called canary dot com. 244 00:10:00.120 --> 00:10:02.960 See, yeah, they show you how an attacker would actually 245 00:10:03.000 --> 00:10:04.440 do this. That's pretty interesting. 246 00:10:04.600 --> 00:10:06.919 So they show how to find the instructions that are 247 00:10:06.960 --> 00:10:10.080 responsible right for placing and checking the canary. 248 00:10:10.159 --> 00:10:11.080 They use a debugger. 249 00:10:11.159 --> 00:10:14.320 Yeah, using a debugger like GDB. So our stack canary 250 00:10:14.399 --> 00:10:15.000 is useless. 251 00:10:15.039 --> 00:10:18.000 Then no, not at all. Yeah, there's still a valuable 252 00:10:18.039 --> 00:10:18.799 security feature. 253 00:10:18.960 --> 00:10:19.279 Okay. 254 00:10:19.360 --> 00:10:22.039 They make exploitations significantly. 255 00:10:21.320 --> 00:10:23.879 Harder, so they raise the bar a little bit exactly 256 00:10:23.960 --> 00:10:24.559 for attackers. 257 00:10:24.559 --> 00:10:28.080 They forced attackers to be more sophisticated. Okay, And that's 258 00:10:28.080 --> 00:10:29.639 what defense and depth is all about. 259 00:10:29.759 --> 00:10:32.120 So it's just one layer of protection. It's one layer 260 00:10:32.159 --> 00:10:35.320 in a well secured system exactly. Okay. So let's talk 261 00:10:35.360 --> 00:10:36.919 about heap fung shoe. 262 00:10:37.639 --> 00:10:39.159 Heap fung shoe. 263 00:10:38.879 --> 00:10:40.720 Chapter six is all about this. 264 00:10:41.000 --> 00:10:41.960 This is a fun one. 265 00:10:42.000 --> 00:10:43.559 It sounds surprisingly zen. 266 00:10:43.840 --> 00:10:47.120 It does right hacking technique like arranging furniture for optimal 267 00:10:47.240 --> 00:10:50.480 energy flow, but in memory. But in memory exactly. 268 00:10:50.600 --> 00:10:52.240 So what is heap fung shoe? 269 00:10:52.440 --> 00:10:56.000 So it's all about manipulating the layout of the heap okay, 270 00:10:56.039 --> 00:11:00.679 to make heap based exploits more reliable. Okay, and it 271 00:11:00.720 --> 00:11:03.840 does kind of involve thinking about the arrangement. 272 00:11:03.399 --> 00:11:05.120 Of things like playing tetris with memory. 273 00:11:05.200 --> 00:11:07.000 Yeah, like tetris with memory, trying to get. 274 00:11:06.840 --> 00:11:07.600 Things to line up. 275 00:11:07.879 --> 00:11:08.320 You got it. 276 00:11:08.519 --> 00:11:10.159 The book uses some diagrams. 277 00:11:10.200 --> 00:11:13.480 Again, the diagrams are super helpful for visualizing this. 278 00:11:13.639 --> 00:11:16.399 So they show the initial layout of the heap, and 279 00:11:16.440 --> 00:11:16.960 then they. 280 00:11:16.879 --> 00:11:19.679 Show and then they show how an attacker. 281 00:11:19.799 --> 00:11:21.840 How an attacker can create these. 282 00:11:21.639 --> 00:11:26.919 Holes by strategically allocating and deallocating blocks. 283 00:11:26.519 --> 00:11:30.039 Of memory so they can get their target object allocated 284 00:11:30.080 --> 00:11:34.759 into a specific hole exactly sandwich between controlled data sandwich. 285 00:11:34.919 --> 00:11:35.840 I love that analogy. 286 00:11:35.960 --> 00:11:38.600 And then they can use that controlled data to overwrite 287 00:11:38.639 --> 00:11:40.200 important values. 288 00:11:40.120 --> 00:11:41.879 Like function pointers for example. 289 00:11:42.159 --> 00:11:44.720 And then they walk through an example of attacking the 290 00:11:44.759 --> 00:11:48.080 program heap level three using this technique. They do so 291 00:11:48.120 --> 00:11:50.519 they manipulate the program to fragment the heap. 292 00:11:50.639 --> 00:11:53.879 They do a bunch of allocations and de allocations. 293 00:11:53.360 --> 00:11:57.399 And then, with careful timing, right timing is key, they 294 00:11:57.440 --> 00:12:02.080 allocate a string object and a device object. Okay, so 295 00:12:02.120 --> 00:12:05.960 that the device object ends up between two string objects. 296 00:12:06.000 --> 00:12:07.120 All right, they made their sandwich. 297 00:12:07.159 --> 00:12:09.360 So they've made the sandwich. Yes, Now, how does this 298 00:12:09.480 --> 00:12:10.720 lead to an exploit. 299 00:12:10.919 --> 00:12:15.679 So this layout allows the attacker to overflow a nearby 300 00:12:15.759 --> 00:12:21.200 string object okay, and that overflow data overwrites the function 301 00:12:21.320 --> 00:12:23.120 pointer of the device object. 302 00:12:22.799 --> 00:12:24.600 And then boom, they've got control and. 303 00:12:24.559 --> 00:12:26.200 They control the execution flow. 304 00:12:26.519 --> 00:12:28.919 It's amazing how they can set this up just right. 305 00:12:29.279 --> 00:12:31.639 It's all about setting up the heap for that exploit. 306 00:12:31.840 --> 00:12:35.279 So developers can actually use this knowledge to build more 307 00:12:35.399 --> 00:12:36.440 robust defenses. 308 00:12:36.679 --> 00:12:39.759 By understanding how attackers might manipulate the heap, you can 309 00:12:39.799 --> 00:12:40.840 implement safeguards. 310 00:12:40.879 --> 00:12:46.159 So that's integer overflows, one byte overflows, double free stack, pivoting, 311 00:12:46.240 --> 00:12:49.879 stack canaries. We've covered a lot of ground heap fung shui. 312 00:12:50.120 --> 00:12:52.200 It's amazing how much you can do with memory. 313 00:12:52.360 --> 00:12:54.120 It's a lot, and it's pretty exciting. 314 00:12:54.399 --> 00:12:56.600 It is. It's a fascinating area of security. 315 00:12:56.799 --> 00:12:59.559 But we've only just scratched the surface we have. There's 316 00:12:59.600 --> 00:13:02.120 so much more to explore, So in part two of 317 00:13:02.159 --> 00:13:05.080 our deep dive, we're going to continue exploring some of 318 00:13:05.120 --> 00:13:06.639 the more advanced techniques. 319 00:13:06.639 --> 00:13:08.759 We're going to get into some real world stuff. 320 00:13:08.399 --> 00:13:11.720 Outlined in this book, absolutely including an example of building 321 00:13:11.720 --> 00:13:14.919 an ROP chain on an actual and not an actual 322 00:13:14.960 --> 00:13:17.960 target system. So stay tuned and we'll be back soon. 323 00:13:18.080 --> 00:13:18.679 We'll be back. 324 00:13:19.440 --> 00:13:20.960 Welcome back to the deep dive. 325 00:13:21.240 --> 00:13:22.200 It's great to be back. 326 00:13:22.320 --> 00:13:25.200 In part one, we went through some pretty wild stuff. 327 00:13:25.279 --> 00:13:29.039 Oh we did dodging buffer overflows, playing Tetris with the. 328 00:13:28.960 --> 00:13:32.320 Heap stack pivoting, fun times stack pivoting. 329 00:13:32.360 --> 00:13:35.759 It was like a crash course. It was in memory corruption. 330 00:13:35.639 --> 00:13:38.960 Absolutely, But that was just the warm up, just the basics. 331 00:13:39.000 --> 00:13:41.960 Now we're going deeper, deeper into the rabbit hole. 332 00:13:41.960 --> 00:13:44.519 Into the world of return oriented programming. 333 00:13:44.679 --> 00:13:48.200 Oh yes, ROP or ROP. This is where things get 334 00:13:48.240 --> 00:13:48.840 really interesting. 335 00:13:49.039 --> 00:13:53.039 So Chapter seven of Beginner's Guide to Exploitation on Air, 336 00:13:53.600 --> 00:13:57.000 Volume two is going to be our guy roadmap. Yeah, 337 00:13:57.120 --> 00:14:01.080 our roadmap for this adventure. And we're going to be 338 00:14:01.080 --> 00:14:05.600 looking at how attackers build ROP chains on real. 339 00:14:05.360 --> 00:14:08.759 Systems, real world stuff, targeting the kernel, the heart of 340 00:14:08.799 --> 00:14:09.519 the operating side. 341 00:14:09.759 --> 00:14:12.720 So before we get lost in the assembly jungle. 342 00:14:12.519 --> 00:14:14.080 It can be a juggle out there, let's make sure 343 00:14:14.080 --> 00:14:14.399 we're all. 344 00:14:14.360 --> 00:14:18.799 On the same page. Okay, what exactly is an ROP gadget? 345 00:14:18.919 --> 00:14:21.440 That's an ROP gadget and why are they so important? 346 00:14:21.720 --> 00:14:25.480 Is a pre existing snippet of code? Okay, within a 347 00:14:25.519 --> 00:14:29.879 program that ends with a return instructions okay, and attackers 348 00:14:30.639 --> 00:14:34.159 use these gadgets to indirectly achieve their goals. 349 00:14:34.279 --> 00:14:35.960 So they're not actually writing their own. 350 00:14:35.840 --> 00:14:38.279 Code, right, They can't just inject their own code directly, 351 00:14:38.639 --> 00:14:40.039 so they have to use what's already there. 352 00:14:40.120 --> 00:14:42.720 So they're piecing together existing instructions exactly. 353 00:14:42.720 --> 00:14:45.440 It's like creating a Frankenstein's Monster of code. 354 00:14:45.519 --> 00:14:47.440 It's like a puzzle. It is a puzzle where they 355 00:14:47.480 --> 00:14:49.039 have to find the right pieces, yeah, and. 356 00:14:49.000 --> 00:14:51.600 Fit them together in just the right way to get 357 00:14:51.600 --> 00:14:52.559 the desired outcome. 358 00:14:52.720 --> 00:14:54.240 So why is this so powerful? 359 00:14:54.519 --> 00:14:58.840 Well, because it allows attackers to bypass security mechanisms. Okay, 360 00:14:59.159 --> 00:15:01.519 they try to prevent vent the execution. 361 00:15:01.159 --> 00:15:04.480 Of data by essentially using legitimate code. 362 00:15:04.759 --> 00:15:06.799 Exactly, they're reusing code that's already there. 363 00:15:06.919 --> 00:15:09.519 It's pretty sneaky, is very sneaky, But it sounds like 364 00:15:09.559 --> 00:15:12.120 you need to be pretty skilled to pull this off. 365 00:15:12.679 --> 00:15:15.919 You need a deep understanding of the target system. You 366 00:15:15.960 --> 00:15:20.159 need to know how memory is laid out, what gadgets 367 00:15:20.159 --> 00:15:20.840 are available. 368 00:15:20.960 --> 00:15:25.200 So when we talk about kernel level exploitation, that puzzle 369 00:15:25.360 --> 00:15:26.759 gets even more complex. 370 00:15:26.879 --> 00:15:29.039 Oh yeah, the kernel has a lot of security mechanisms 371 00:15:29.039 --> 00:15:29.399 in place. 372 00:15:29.440 --> 00:15:33.279 So like the iOS kernel that prevents non position independent 373 00:15:33.919 --> 00:15:35.799 binaries from executing. 374 00:15:35.279 --> 00:15:37.000 So attackers need to find ways around that. 375 00:15:37.320 --> 00:15:39.679 Okay, So let's say we have that information, like what 376 00:15:39.720 --> 00:15:42.559 we know the memory layout, where do we even begin 377 00:15:42.639 --> 00:15:43.919 to look for these gadgets? 378 00:15:44.000 --> 00:15:47.200 So there are a few tools and techniques that attackers use. 379 00:15:47.879 --> 00:15:51.759 One common approach is to use a disassembler. A disassembler, yeah, 380 00:15:51.799 --> 00:15:53.320 like Hopper or idea pro. 381 00:15:53.600 --> 00:15:55.519 So they're manually looking through code. 382 00:15:55.840 --> 00:15:58.600 They are, but it can be very tedious. 383 00:15:58.279 --> 00:16:00.799 Especially when you're dealing with something like the iOS kernel. 384 00:16:00.960 --> 00:16:02.840 Yeah, that's a lot of code to sift through. 385 00:16:03.440 --> 00:16:04.960 So are there any shortcuts? 386 00:16:06.559 --> 00:16:12.440 There are? Luckily rules there are tools called ROP gadget finders. 387 00:16:12.840 --> 00:16:14.519 ROP gadget finders. 388 00:16:14.639 --> 00:16:20.200 These tools automatically scan the binary code and extract potential gadgets. 389 00:16:19.759 --> 00:16:22.279 So it makes the process a lot easier, much easier. 390 00:16:22.320 --> 00:16:24.360 Are there any specific gadget finders. 391 00:16:25.320 --> 00:16:27.360 There are a few out there that you would recommend. 392 00:16:27.399 --> 00:16:30.559 The book Mentions one created by Jonathan sall One, Okay, 393 00:16:30.639 --> 00:16:31.840 which you can find on GitHub. 394 00:16:32.000 --> 00:16:34.559 So we've got our gadget finding tools, We're ready to go. 395 00:16:34.679 --> 00:16:36.759 What kind of gadgets are we actually looking for? 396 00:16:36.840 --> 00:16:38.919 So the specific gadgets you need. 397 00:16:39.120 --> 00:16:41.080 What should we be keeping an eye out for. 398 00:16:41.240 --> 00:16:44.399 Depend on your goal, okay, But some common types include 399 00:16:44.759 --> 00:16:47.919 write what whear gadget right what where? These allow you 400 00:16:47.960 --> 00:16:50.879 to write data to a specific memory address. 401 00:16:51.120 --> 00:16:53.159