Binaries, shellcoding, bug hunting, ROP gadgets and more at Blackhoodie@TR19

We have the most amazing trainers this year lined up for Blackhoodie at Troopers 2019. We have Thais, Silvia, Lisa and Ninon going to give workshops on various interesting topics! Below are some of the workshop contents:

64-bit shellcoding and introduction to buffer overflow exploitation on Linux by Silvia Väli

64-bit shellcoding and introduction to buffer overflow exploitation on Linux is a 3 hour workshop which is essentially divided into 3 parts:

Introduction to 64-bit architecture in order to get familiar with registers, stack, calling conventions described in the Intel 64 (x86-64) architecture manual and the most common assembly instructions and syscalls which we will later use to write our shellcodes.
Shellcoding where we try different techniques to write the shellcode and of course you gonna get to greet the shellcoding world with your own Hello World shellcode in addition to reverse shell which we will use later on in part 3
Introduction to buffer overflows, so you can put your newly received know-how about stack into practise right away. Shellcode without being used is a wasted shellcode! Part 3 ends with a buffer overflow challenge where your goal is to use your reverse shellcode to get a connection back to your machine.

Objectives:

Get familiar with command line tools like nasm, objdump, ld, ausyscall, and gdb
Learn how to find global and local variables using gdb and identify the corresponding sections; navigating in functions and examining memory in gdb
Learn the basics of assembly language instructions and how to write your own assembly programs
Get familiar with the basics of x86-64 architecture, using syscalls in shellcoding, JMP technique when writing shellcode
Introduction to stack based buffer overflows

Requirements:

Participants are expected to either build their own Ubuntu 16.04 VM-s per given instructions or simply download the ready made machine provided for them and import it to Virtualbox.

Bug hunting with SMT solvers by Thais

This class is designed to introduce students to the state of the art of code verification. The current tools available for automated bug hunting based on SMT solvers and symbolic execution as well as crash / dump analysis tools will be presented. It will be focused on practical applications and real world code examples. The theory behind the technology and implementation used in vulnerability research, exploit development and general reverse engineering tasks will also be covered.

The foundations of problem modelling for SMT solvers will be explained in a first part. The goal is to experiment with diverse software testing / analysis tools like angr, manticore and miasm, and see in which case one tool is more appropriate, what are its shortcomings or which technique is used internally. In a second part, the basics of fuzzing will be addressed, to better understand how concolic testing and tainted execution can be useful in specific cases.

Automation of the tests and crash analysis will be performed using Python. Vulnerabilities and bugs will be covered in the introduction.

Objectives:

Ability to model problems with SMT solvers
Software exploration with Symbolic execution
Understand the value of static analysis for bug hunting
Whitebox fuzzing using Z3 Python APIs
Usage of open-source and free symbolic execution tools

Requirements:

VMware Workstation (at least version 12) (no VirtualBox)
At least 40GB of free disk space
At least 8GB of RAM
A laptop with administrative privileges

Introduction to Return Oriented Programming by Lisa

This 3 hour workshop aims to be fitting for people with varying background, as it starts easy and with detailed explanation on hands-on exercises but increases difficulty over time. In the shellcoding workshop by Silvia Väli we learn how to write shellcode to exploit a stack based buffer overflow. In order to prevent these attacks security mechanisms like Data Execution Prevention were developed. This protection prevents the stack from being executed. How can we get a shell if the stack is not executable? Return Oriented Programming (ROP) is a neat technique to defeat this protection and it enables us to write shellcode again.

The basic idea of ROP is to use code snippets that are already in the binary. This way, we can put the shellcode together like we would tinker a blackmailing letter from old newsletters, putting the fitting pieces one after another, until we get the payload we want. We will work on Linux (64 Bit), get to know the libc, and debug the process. By observing the stack and registers, we will see how choosing code snippets that end with a ‘return’ (ROP-gadgets) plays out.

The workshop contains 3 exercises of different stages.

Exploring the challenge together to get an easy start and to get to know the environment, commands and tools.
Explore the exploit on your own, with my assistance when needed.
Solve the challenge with ASLR turned on (without PIE). This will get us a longer ROP-Chain, we will have a look on other useful segments like the Global Offset Table and how to use this for exploitation.

Objectives:

Understanding the basic principles of Return Oriented Programming
Using information about the Global Offset Table to develop an exploit
Get familiar with tools and extensions like gdb(with peda), pwntools, ropper and other useful linux command line tools

Requirements:
Some sort of hypervisor (e.g. Virtualbox or VMWare) to import a provided VM (.ova) or build your own with provided instructions. To save disk space and effort the VM will be the same as the VM for the 64 bit shellcoding Workshop by Silvia Väli

This is not all. We have even more topics where the students get to explore much more areas in the low level world! If you are going to be an attendee, be ready to delve deep into the hands on sessions! Don’t be intimidated if this is your first time. We are all here to help you. I am sure you will have so much fun learning!

Taking this opportunity to thank our wonderful trainers for coming up with such amazing workshops. Thank you girls! You rock! 🙂

Priya