An Introduction to Modern Binary Exploitation

This four-day training will teach students without prior experience how to develop exploits for modern binary software, taking them from 1990s style stack buffer overflows through contemporary exploitation of use-after-frees in programs protected by DEP and ASLR. The training will focus on exploiting Linux user mode x86/x64 binaries, but the lessons learned from the class are widely applicable to other platforms and architectures. The course is taught by two RPISEC alumni who were involved in the initial development and teaching of RPISEC’s Modern Binary Exploitation course ( https://github.com/rpisec/mbe ), but the material for this course is all new.

Instruction will focus on teaching students how to reason about the fundamental structures that give rise to software vulnerabilities, underlie various exploitation techniques, and drive mitigation development. Students will leave with hands-on experience writing real exploits, and the theoretical knowledge necessary to approach exploiting novel 0day vulnerabilities and bypassing anti-exploitation mitigations.

While the class will mainly focus on software exploitation, it will also give students a chance to work with the new GHIDRA reverse engineering tool when identifying binary software vulnerabilities and developing exploits. Software vulnerabilities will be identified in both C/C++ source code and via decompiler/disassembler analysis of compiled binary software.

This training is designed to teach exploitation to individuals with little to no prior background in the field. Students with prior experience writing exploits are welcome to attend, but may find one of REcon’s more targeted trainings more interesting.

Teaching

Course instruction will be conducted primarily through hands-on-keyboard exercises rather than lecturing. The course will use CTF-style exploitation challenges to give students real-time feedback. The entire class will regularly sync up as a group, and the instructors will discuss concepts, problems, and solutions.

Student Outcomes

• Students will learn about vulnerabilities in C/C++ code, and how to take these vulnerabilities from crash to arbitrary code execution
• Students will gain experience writing software exploits, from 1990s stack buffer overflows to contemporary use-after-frees
• Students will develop and deploying shellcode/ROP payloads for their exploits
• Perhaps most importantly, students will come away from the class with a firm grasp of the fundamental principles that underlie software vulnerabilities and anti-exploitation mitigations. Students will have the skills to reason about how they might go about exploiting new 0-day vulnerabilities, creating effective mitigations against exploitation, and evaluating and bypassing novel mitigations.

Class outline

Day 1: Fundamentals

• Program structure
• Disassembly and Debugging with IDA Pro and GDB
• x86 refresher
• Targets for exploitation - privileged binaries and processes, remote services, kernels, hypervisors, etc
• Basic bug classes
• Hijacking control flow
• Stack overflows
• The Linux syscall interface

Day 2: Classic Exploitation and Shellcoding

• Stack cookies
• Corrupting application data
• Shellcoding
• Corrupting function pointers
• Arithmetic and integer errors
• DEP
• Ret2libc
• Intro to ROP

Day 3: Modern Mitigations and Techniques

• ASLR
• Heap overflows
• UAF
• Heap grooming
• C++ bug classes and exploitation

Day 4: Putting It All Together

• Combining primitives
• Reasoning about mitigations and bypasses
• Exploitation on other platforms and architectures
• Continuity of execution
• Weird machines

Prerequisites

Students will be provided with VMs to run class materials. After the class, students will given a path to continue learning outside the classroom using publicly available challenges and exercises.

Students are expected to have a solid grasp of programming in C or C++, and basic to intermediate knowledge of the Linux command line and Linux programming. Prior experience with reverse-engineering and/or reversing x86/x64 assembly, and debugging with GDB are nice to have, but not required.

Software requirements:

• VMWare to run a Linux VM (all exercises will be in a Linux VM)
• Disassembler/Debugger of choice, IDA Pro strongly recommended
• Decompiler recommended - GHIDRA (free) or Hex-Rays Decompiler for IDA Pro are both sufficient

Instructors will use IDA Pro on Windows with remote debugging to the Linux VM for disassembly and debugging, and GHIDRA for decompilation

Bio

Alexei Bulazel (@0xAlexei) is an independent security researcher. He has previously presented at venues such as REcon (Montreal and Brussels), SummerCon, Black Hat, and DEFCON, among many others, and has published scholarly work at the USENIX Workshop on Offensive Technologies and the Reversing and Offensive-Oriented Trends Symposium. Alexei is a proud alumnus of RPISEC.

Jeremy Blackthorne (0xJeremy) is co-founder and lead instructor of the Boston Cybernetics Institute (@BosCybernetics). He is a former researcher of MIT Lincoln Laboratory, specifically the Cyber System Assessments group, where his research focused on building and breaking cybersecurity solutions for the military. Before that, Jeremy served in the United States Marine Corps and completed three tours in Iraq. He is currently a PhD candidate in computer science at RPI focusing on anti-analysis techniques in computer programs and is a proud alumnus of RPISEC.