
⚙️ Exploits

Binary Vulnerabilities And Exploits

In this article I will collect common binary vulnerabilities (except for the buffer overflow, which has its own dedicated article) …

Exploit Development

Process

Steps Overview

  1. Fuzz and find unusual behaviour
  2. Detect any possibility to overwrite crucial parts:
    1. EIP
    2. SEH
    3. Access violations / invalid memory addresses
    4. etc.
  3. Hijack Execution
  4. Eliminate bad characters
  5. Write PoC, spawning a reverse or bind shell, RAT or move to other systems.

Bad Characters

All characters from 0 to 255 (decimal), represented in hex escape format like this: \x00\x01...

📕 RTFM

mapstr=$(msf-pattern_create -l 1400)           # unique cyclic pattern of 1400 bytes
echo "POST$mapstr" | nc -nv 127.0.0.1 8080     # send it to the service under test (nc takes host and port separately)
msf-pattern_offset -q <part of mapstr in EIP>  # the 4 bytes found in EIP give the offset
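The two helpers below are an added example (not from this page or the Metasploit project): a hypothetical re-implementation of the bad-character table from the previous section and of what msf-pattern_create / msf-pattern_offset do, so the crash-triage step can be reproduced offline. The pattern layout (Upper+lower+digit triples, 20280 unique bytes) follows Metasploit's; everything else, including the function names, is an assumption.

```python
"""Crash-triage helpers: bad-character table and Metasploit-style cyclic pattern.

Hypothetical re-implementation for illustration; not the msf-pattern_* tools.
"""
import string


def badchars(exclude=(0x00,)):
    """Every byte value 0..255 except those in `exclude`.

    NUL is dropped by default because it terminates C strings; extend the
    tuple with each byte the target mangles as you find them.
    """
    return bytes(b for b in range(256) if b not in exclude)


def badchars_hex(exclude=(0x00,)):
    """The same table as an escaped string, e.g. '\\x01\\x02...'."""
    return "".join(f"\\x{b:02x}" for b in badchars(exclude))


def pattern_create(length):
    """Cyclic pattern of `length` bytes built from Aa0, Aa1, ..., Zz9 triples.

    Any 4-byte window is unique, which is what lets the offset be recovered.
    """
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(needle, length=20280):
    """Offset of `needle` in the pattern, or -1 if absent.

    `needle` is either the 4 characters seen in EIP ("Ab2A") or the register
    value as an integer (0x41326241), which is decoded little-endian the way
    a debugger shows it on x86.
    """
    if isinstance(needle, int):
        needle = needle.to_bytes(4, "little").decode("ascii")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Constructed crash: suppose the debugger reported EIP = 0x41326241.
    print(pattern_create(48))
    print("offset:", pattern_offset(0x41326241))   # 36
```

Usage mirrors the commands above: send pattern_create(1400) in the request body, read EIP from the debugger after the crash, and pass the value to pattern_offset to learn how many bytes precede the overwritten return address.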

pwntools documentation: http://docs.pwntools.com/en/stable/index.html, and an example of its use: https://www.megabeets.net/a-journey-into-radare-2-part-2/.

Return- and jump-oriented Programming

Return-oriented programming is an exploit technique that can bypass several binary defence mechanisms.

👉🏼 Use-After-Free

This article is about the use-after-free vulnerability, its mechanics and how it can be used for evil things. Several things can be done with this vulnerability, for example reading sensitive information or achieving arbitrary code execution. Exploitation often (but not always) requires the presence of some other vulnerability as well, for example a buffer overflow.

Meltdown & Spectre

Several years ago, the internet was flooded with news about two famous vulnerabilities: Meltdown and Spectre. It took me some time to understand how both of them work, but here are the results of my attempt. To understand the mechanics of these two vulnerabilities, one needs to understand the basics that I’ve tried to explain in the article here.

Oracle Access Manager Pre-Auth RCE

Vulnerability identifier: CVE-2021-35587.

📚 Intel SA 00086

Intel ME (the former south bridge) is the mediator between the PC and all other devices (USB devices, for example).


Alloc8

There are some prerequisites one needs in order to understand this exploit: what BootROM, NOR, malloc(), NULL and the heap are.

You can read about BootROM here. Briefly, it is Read Only Memory (hence ROM, not to be confused with RAM, Random Access Memory, which refers to the chip that loses its contents when the power is off). ROM means that this part of the device cannot be modified in any way once it has been produced: neither by the user nor by the manufacturer. Mobile devices use ROM to store the first stage of CPU boot.

Buffer Overflow

Checkm8

https://belkasoft.com/checkm8_glossary
https://belkasoft.com/checkm8-troubleshooting
https://belkasoft.com/checkm8