Welcome to the deep dive. Today, we're diving into the world of AR exploitation. Ooh exciting using Beginner's Guide to Exploitation on Arm Volume two by Billy Ellis.
Oh yeah, I've heard of that one.
It's going to get pretty technical.
Yeah, this book gets right into it.
But even if you're not a programmer, you know, understanding these concepts I think is absolutely super important for cybersecurity.
It is. Yeah, so like learning to think like the enemy exactly.
Yeah, like reading the Attacker's playbook. Yeah, so this is volume two. It builds on concepts from the first book.
Right.
It assumes that you have some basic knowledge.
Yeah, it kind of jumps right in.
Programming and memory corruption and that it does. It gives you all these like real world code examples and exercises.
You can really get your hands dirty with this one.
Oh yeah, and I see it also mentions that you need a jail broken arm device.
Yeah, you need a way to actually test this stuff out.
To really try out the exercises.
Right, But even if you're not going to do any actual hacking, it's still so valuable to understand how these things work.
Okay, so let's take a look at some of the stuff that we're going to be covering, right, Integer overflows off by one errors. Oh yeah, I'm a classic double free conditions stack pivoting stackpivoty is always fun to hijack program execution.
That's the goal, right.
It sounds intense.
It is intense, but also super fascinating.
So let's start with integer overflows. Chapter one dives right in, as does with this program called into overflow dot C. Okay, and it's pretty simple. It's checking if input data is less than thirty two bytes.
Sounds simple enough, Yeah, what could go wrong?
But the problem is the data type that's used to store the length. Ah, it's an unsigned chart, which can only hold values from zero to two fifty five.
Right, so if you exceed that what happens? Then that's where the fun begins.
Yeah? Does it throw an error?
Well not exactly, Okay, it causes this wrap around effect wrack around. Yeah. If you've ever seen those old school odometers, Oh yeah, like the ones that roll back to zero after hitting nine hundred and ninety nine miles. Okay, it's kind of like that.
You exceed the maximum value and then those bits.
And reset yep, leading to a really small number okay, and.
The book actually has a really cool diagram that shows this visually.
Oh yeah, they use the eight bits of a char to illustrate it.
It's super helpful. So this wrap around allows an attacker to kind of bypass that size check, right because.
The program thinks the data is smaller than it actually.
Is, okay, and write more data into the buffer than intended.
Leading to you guessed it a buffer overflow.
And then the example in the book shows how this leads to a segmentation fault.
Right, the program just crashes because it can't handle all that extra data.
So essentially, a tiny coding mistake yep, can cause a full blown stack buffer overflow.
Which can have some serious consequences.
Yeah, it's a little bit scary.
It is a good reminder that security starts at the code level.
Yeah, okay, so let's move on to chapter two. Okay, one byte overflows.
One bite overflows.
My first thought was how much damage can one byte really do?
Right? It doesn't sound like much, but as this chapter shows, yeah, even a single byte can be extremely dangerous. It's all about precision and targeting.
So the example uses two strucks to store data on the heap and I like how the book provides this visual representation of the heat layout.
Yeah, those visuals are super helpful. Yeah, for understanding how the exploit works.
It is.
So the vulnerability here is in this line of code that copies data from the command line into a buffer, and it's the loop condition. Okay, less than are equal to sixteen, that's the problem. Okay, it ends up copying seventeen bytes instead of sixteen.
That one extra bite. What does that overrite?
That one byte overwrites a function pointer, a function pointer, and that's where things get really interesting.
So an attacker can like carefully craft their input to change this pointer to point to their malicious code, and the book shows this in action. The program's execution is redirected to through a bunch of bees zero by forty two, forty two four.
Yeah, b's and hexadecimal after the exploit. It's a classic demonstration of how manipulating just one.
Bite it's pretty powerful.
You give you complete control, Yeah, over a program.
Okay, So chapter three shifts gears to double free.
Ah, double free?
What's that all about?
This is where we get into the dangers of freeing the same block of memory twice. Okay, The book uses some nice step by step diagrams to explain this. I do like the diagram They're super helpful for visualizing what's going on.
So you can see how the heap is divided into blocks bite, and how functions like Malik and free manage memory.
Exactly, and how a double free can create this weird situation where two pointers are pointing to the same memory location.
That's a dangling pointer, right, that's right. It's like having a key. It is to a room that's not yours anymore.
Exactly, a key to a room that doesn't even exist anymore.
Okay, So if an attacker can put their controlled data into that free memory, right, then they can control they.
Can control what those dangling pointers are pointing to. Okay, so potentially leading to arbitrary code execution.
And the example program they use HEAP level three dot C Hmmm, it has some security checks to prevent use.
After free, right, they try to make it a little bit harder.
But there's another bug.
There's always another bug.
Related to free austraya that can be exploited.
Of course, there is.
Why is exploiting the double free in this particular program.
Yeah, so in this case, the key it's because the attacker has to get two pointers yeah, to point to the same memory location, which is a bit harder because of the limited functionality of the example program.
Okay, but in the.
Real world, double free vulnerabilities can often be exploited much more liably.
So this is like a simplified example. It is, yeah, to illustrate the concept exactly. Okay, let's talk about stack pivoting.
Oh yes, stack pivoting.
Chapter four is all about this technique.
This is a good one.
It sounds cool, but honestly, the details are a little fuzzy for me.
Okay. So imagine the stack like a pile of plates, okay, with the stack pointer pointing to the top plate.
Okay.
Stack pivoting is like grabbing that whole pile of plates and moving it to a different location that's under the attacker's control.
So you're redirecting the program's execution flow exactly to like their own custom stack.
That's the idea.
Okay. So why is this useful for an attacker?
So sometimes the space available on the stack is too small, okay for them to inject their entire malicious payloads.
They need more room.
They need more.
Room, so they pivot to a different section of memory that's.
Larger exactly, and they control that memory. Okay, so they have more space to work with.
So the book uses this challenge called ROPL level six to illustrate this.
It's a good one.
It's a classic heat based buffer overflow. But the twist is you only get a single gadget, a single gadget to gain control of R fifteen PC.
Ah. Yes, the program, the key to controlling the program.
So the challenge is to find.
Find that stack pivot gadget, a stack pivot gadget. Luckily, it's provided in the gadget library.
Okay for this example, So let's take a look at this gadget.
All right.
It uses two instructions, two instructions MOVs spr five and pop R four PC.
All right. So the first instruction, the mov spr five. Yeah, that's the key to the pivot. Okay. It moves the value of register R five into the stack pointer okay, which effectively sets the stack pointer to the memory location pointed to.
By R five, which is controlled by the attacker.
It's controlled by the attacker exactly.
That's the pivot.
That's the pivot.
And then the second instruction.
So the pop R four PC pops.
Two values off the stack it does. The first goes into R four right, and the second goes into the PC.
The program counter.
So since the attacker has already set the stack to point to their controlled memory, they can cracked these values, and in this challenge, that popped value for the PC leads to the execution of a secret function.
It's a classic stack pivoting technique.
It's very clever, it is, but.
It requires a lot of knowledge about the target program and the ability to find the right gadgets.
Okay, so that's stack pivoting, that's stat pivoting. Definitely more advanced than your typical buffer overflow. Oh yeah, this is getting real.
This is advanced stuff. But that's what attackers use in the real world.
All right, So let's talk about defenses.
Okay.
Chapter five introduces stack canaries.
Stack canaries.
It sounds kind of cute. It does sound cu for such a serious security feature.
Don't let the name fool you.
So what are they all about?
So, stack canaries are designed to detect buffer overflows and prevent arbitrary code execution. Think of it like the canary in the coal mine.
Okay, so how do they work?
So basically they sing. They don't actually sing.
When there's an overflow.
No, but I like the way you think. It's more like a trip wire. So a stack canary is a random value. Okay, let's place on the stack between you seeing a buffer and the return address.
The book has a really cool visual representation of this. Yeah, the visual really helps to help you see how it works.
Absolutely.
So before a function returns, right, the program checks the canary's value exactly, and if.
It's changed, then it knows something's wrong.
It means there's been a buffer overflow most likely yes, and then the program just terminates gracefully.
Yep, instead of allowing the attacker to run their malicious code.
That's pretty clever.
It is pretty clever.
But I'm sure attackers have figured out ways to get around this, right of course, like what well.
One common method is to try and leak the canary value.
So if they can figure out what that random value is exactly, they can just overwrite it with the correct value.
Mm hm and make it look like nothing happened.
During their exploit.
Right.
That's sneaky.
It is sneak.
So the book walks through an example of defeating a stack canary in this program called canary dot com.
See, yeah, they show you how an attacker would actually do this. That's pretty interesting.
So they show how to find the instructions that are responsible right for placing and checking the canary.
They use a debugger.
Yeah, using a debugger like GDB. So our stack canary is useless.
Then no, not at all. Yeah, there's still a valuable security feature.
Okay.
They make exploitations significantly.
Harder, so they raise the bar a little bit exactly for attackers.
They forced attackers to be more sophisticated. Okay, And that's what defense and depth is all about.
So it's just one layer of protection. It's one layer in a well secured system exactly. Okay. So let's talk about heap fung shoe.
Heap fung shoe.
Chapter six is all about this.
This is a fun one.
It sounds surprisingly zen.
It does right hacking technique like arranging furniture for optimal energy flow, but in memory. But in memory exactly.
So what is heap fung shoe?
So it's all about manipulating the layout of the heap okay, to make heap based exploits more reliable. Okay, and it does kind of involve thinking about the arrangement.
Of things like playing tetris with memory.
Yeah, like tetris with memory, trying to get.
Things to line up.
You got it.
The book uses some diagrams.
Again, the diagrams are super helpful for visualizing this.
So they show the initial layout of the heap, and then they.
Show and then they show how an attacker.
How an attacker can create these.
Holes by strategically allocating and deallocating blocks.
Of memory so they can get their target object allocated into a specific hole exactly sandwich between controlled data sandwich.
I love that analogy.
And then they can use that controlled data to overwrite important values.
Like function pointers for example.
And then they walk through an example of attacking the program heap level three using this technique. They do so they manipulate the program to fragment the heap.
They do a bunch of allocations and de allocations.
And then, with careful timing, right timing is key, they allocate a string object and a device object. Okay, so that the device object ends up between two string objects.
All right, they made their sandwich.
So they've made the sandwich. Yes, Now, how does this lead to an exploit.
So this layout allows the attacker to overflow a nearby string object okay, and that overflow data overwrites the function pointer of the device object.
And then boom, they've got control and.
They control the execution flow.
It's amazing how they can set this up just right.
It's all about setting up the heap for that exploit.
So developers can actually use this knowledge to build more robust defenses.
By understanding how attackers might manipulate the heap, you can implement safeguards.
So that's integer overflows, one byte overflows, double free stack, pivoting, stack canaries. We've covered a lot of ground heap fung shui.
It's amazing how much you can do with memory.
It's a lot, and it's pretty exciting.
It is. It's a fascinating area of security.
But we've only just scratched the surface we have. There's so much more to explore, So in part two of our deep dive, we're going to continue exploring some of the more advanced techniques.
We're going to get into some real world stuff.
Outlined in this book, absolutely including an example of building an ROP chain on an actual and not an actual target system. So stay tuned and we'll be back soon.
We'll be back.
Welcome back to the deep dive.
It's great to be back.
In part one, we went through some pretty wild stuff. Oh we did dodging buffer overflows, playing Tetris with the.
Heap stack pivoting, fun times stack pivoting.
It was like a crash course. It was in memory corruption.
Absolutely, But that was just the warm up, just the basics. Now we're going deeper, deeper into the rabbit hole.
Into the world of return oriented programming.
Oh yes, ROP or ROP. This is where things get really interesting.
So Chapter seven of Beginner's Guide to Exploitation on Air, Volume two is going to be our guy roadmap. Yeah, our roadmap for this adventure. And we're going to be looking at how attackers build ROP chains on real.
Systems, real world stuff, targeting the kernel, the heart of the operating side.
So before we get lost in the assembly jungle.
It can be a juggle out there, let's make sure we're all.
On the same page. Okay, what exactly is an ROP gadget? That's an ROP gadget and why are they so important?
Is a pre existing snippet of code? Okay, within a program that ends with a return instructions okay, and attackers use these gadgets to indirectly achieve their goals.
So they're not actually writing their own.
Code, right, They can't just inject their own code directly, so they have to use what's already there.
So they're piecing together existing instructions exactly.
It's like creating a Frankenstein's Monster of code.
It's like a puzzle. It is a puzzle where they have to find the right pieces, yeah, and.
Fit them together in just the right way to get the desired outcome.
So why is this so powerful?
Well, because it allows attackers to bypass security mechanisms. Okay, they try to prevent vent the execution.
Of data by essentially using legitimate code.
Exactly, they're reusing code that's already there.
It's pretty sneaky, is very sneaky, But it sounds like you need to be pretty skilled to pull this off.
You need a deep understanding of the target system. You need to know how memory is laid out, what gadgets are available.
So when we talk about kernel level exploitation, that puzzle gets even more complex.
Oh yeah, the kernel has a lot of security mechanisms in place.
So like the iOS kernel that prevents non position independent binaries from executing.
So attackers need to find ways around that.
Okay, So let's say we have that information, like what we know the memory layout, where do we even begin to look for these gadgets?
So there are a few tools and techniques that attackers use. One common approach is to use a disassembler. A disassembler, yeah, like Hopper or idea pro.
So they're manually looking through code.
They are, but it can be very tedious.
Especially when you're dealing with something like the iOS kernel.
Yeah, that's a lot of code to sift through.
So are there any shortcuts?
There are? Luckily rules there are tools called ROP gadget finders.
ROP gadget finders.
These tools automatically scan the binary code and extract potential gadgets.
So it makes the process a lot easier, much easier. Are there any specific gadget finders.
There are a few out there that you would recommend. The book Mentions one created by Jonathan sall One, Okay, which you can find on GitHub.
So we've got our gadget finding tools, We're ready to go. What kind of gadgets are we actually looking for?
So the specific gadgets you need.
What should we be keeping an eye out for.
Depend on your goal, okay, But some common types include write what whear gadget right what where? These allow you to write data to a specific memory address.
Okay, so you can control the data exactly.
You can control the target program's data.
Okay. Stack pivot gadgets we've already talked about those.
We have those. Let you redirect the stackpointer. Yeah. And then system called gadgets.
System call gadgets.
These are very powerful.
Why are they so powerful.
Because they allow you to invoke system calls, okay, which are functions provided by the operating system.
You can do things like read sensitive file.
You can read files, execute commands.
Have elevated privileges.
With elevated privileges, that's the danger.
It sounds dangerous, it is. So by chaining these different gadgets together, that's the art of ROP, attackers can create.
Very powerful exploits.
So it's like a chain reaction. It is of carefully planned.
Actions, each gadget triggering.
The next, leading to the ultimate goal.
Exactly. That's a great way to put and.
I imagine domnning an ROP chain. It's not easy, is not a walk in the park.
No, it's not.
What are some of the challenges.
So one challenge is finding gadgets that work well together. Okay, not all gadgets can be chained together seamlessly. Yeah, they might have specific requirements or side effects.
So you need to find the right gadgets.
You need to find the right set of gadgets that work well together. They work harmoniously together. Yeah. Another challenge is ASLR. ASLR address space layout randomization.
That's a big one.
It is a big one.
We talked about that.
Before we did.
It randomizes memory addresses. It does make it harder to predict where things are exactly. So how do attackers deal with that? Well, they have to get creative, got their ways around it.
There are sometimes they can exploit other vulnerabilities to leak information about the memory layout, or use techniques like heap.
Spraying so they can increase the chances of their payload landing at a predictable address in a specific spot exactly. So even with ASLR, attackers can still find ways they can to build their rop chains.
They're very determined.
It's impressive how they can do that.
It's a constant arms race between attackers and defenders.
So it's like attackers are finding ways to bypass.
They are, and then defenders are trying to stay one step ahead, trying. It's a never ending battle.
So we're nearing the end of part two already of our rop field adventure Time Flies.
When you're having fun.
What are some key takeaways?
I think the biggest takeaway is that knowledge is power.
Knowledge is power.
The more we understand how attackers think.
Yeah, and operate, the better we can defend against them.
Exactly.
So this deep dive into rop is all about giving you that knowledge.
It is, even though it's technical, Yeah, it's important to understand these things, Okay, whether you're a developer, a security professional, or just someone who's interested, or just someone who's curious about how things work.
Yeah, and how things can be broken.
And how they can be broken exactly.
Security is everyone's responsibility, it is, So by understanding these concepts, you can help build a more secure a world.
That's the goal.
Okay. So that brings us to the end of part two of our deep dive.
Time Flies into ar exploitation. It does.
In part three, we're gonna shift gears and we're going to explore ARM sixty.
Four the world of mobile devices, the world of mobile devices, smartphones, tablets, all that good stuff.
So stay tuned and we'll be back soon.
We'll be back.
Welcome back to the deep dive for the final part of our journey.
I can't believe it's already the final part.
I know it's flown by it has. So we've climbed the treacherous cliffs of memory corruption, We've navigated the labyrinthine.
Heap, we've seen it all.
We've even mastered stack pivoting like pros, and most importantly, we've learned how attackers exploit these vulnerabilities right.
To gain control of systems.
Yeah, and we even ventured into the world of ROP.
Oh yes, ROP return oriented programming.
Discovering how attackers can chain together these tiny snippets of code.
It's amazing what they can do to.
Create these really powerful exploits.
It is, but all of our.
Adventure make sures so far have been in the thirty two bit.
ARM world, right, the land of ARMv seven.
Now it's time to step into the future. The future is now the world of ARM sixty four. ARM sixty four the dominant architecture in most modern mobile devices.
Smartphones, tablets, even some laptops.
So Chapter nine of Beginner's Guide to Exploitation on ARM Volume two, Okay, is our guide for this new landscape, our roadmap, and we're going to see how the exploitation techniques we've discussed translate to this new world.
Because it's a different world.
It is a different world.
But there are some similarities.
So is everything we've learned about thirty two BITARM exploitations still relevant?
That's a good question.
Yeah, or do we need to throw out our playbooks.
I wouldn't throw them out just yet, okay, because the good news is, yeah, a lot of the core principles are still the same. Okay, memory corruption, control, flow, hijacking.
So the fundamentals haven't changed.
The fundamentals are the same, Okay, it's just the details that are different.
So it's like visiting a new country. I like that analogy where they speak a slightly different dialoge a.
Different dialect of the same language.
Of the same language.
Exactly.
We still need to understand memory layouts. Yes, we need to exploit vulnerabilities. Of course, overwrite crucial data. That's how you gain control and manipulate the program counter.
To redirect execution flow.
Okay, so that's reassuring it is. But let's get.
Specific, all right, let's dive into the details.
What are some of the key differences?
Okay, So one of the most noticeable differences is register size.
Register size.
ARM sixty four uses sixty four bit registers, okay, compared to the thirty two bit registers in ARM v seven.
So everything's just bigger essentially. Yes, more room to store data.
More space to work with.
So the instruction of monics are different too.
Right, Yeah, than the monics are a bit different.
Because you're working with larger registers.
Right, Some instructions have different names or slightly different syntax.
Can you give me some examples?
Sure? So remember how we used posh and pop instructions in ARMv seven, Yeah.
To add and remove items from the stack.
Well, in AIRM in sixty four, yeah, we use STP and LDP instead.
SDP and LDP store pair and load pair. So instead of pushing and popping single registers, right, we're storing and loading pairs.
Here's the registers.
Okay, so that makes sense it does. What about returning from functions?
Ah? Yes, that's another difference.
Airmv seven just uses rat.
Right, simple and straightforward.
That AIRM sixty four gets a little fancier okay.
Uses a combination of LDP and RAT interesting it is.
Okay, So there are definitely some tweaks.
Some adjustments so technique, but the underlying concepts.
But the book shows how ROP can still be applied in AARM sixty four absolutely so they have an AIRM sixty four version they do of the ROP Level one challenge, which is great for practice, so you can really see how these concepts translate.
To the new architecture.
So even with all these changes, it's still about finding the right gadgets always chaining them together.
That's the heart of ROPS, in the right way to achieve your goal.
So it seems like ARM sixty four it doesn't completely rewrite the rules of exploitation.
It just adds a little bit of complexity.
It just requires a bit of adaptation, adaptation and creativity. So as we wrap up this deep dive, it's been quite a journey. It has been an amazing journey.
Through the world of ARM exploitation.
What are some key takeaways?
Okay, Well, I think the most important takeaway for our listeners is that secure coding practices are absolutely essential.
Secure coding because.
Even small errors can have huge consequences.
You have to validate your inputs carefully. You do be mindful of memory management.
Memory management is.
Key, and always prioritize security from the very beginning. Yeah, throughout the whole development process.
Absolutely.
Okay, So knowledge is power.
Knowledge is power.
Understanding how these exploits work.
Right, because that's how you protect yourself.
Yeah, you have to know what the attackers are doing exactly, and you have to keep.
Learning, never stop learning.
Because this world is constantly changing.
It's a constantly evolving landscape.
It's been an amazing journey, it has. We've climbed the mountains of memory corruption.
We've been to the top, we've.
Explored the depths of the heat.
We've seen it all.
And we've even mastered the art of stack.
Bending state bending.
I like that. Most importantly, we've gained valuable knowledge. Yes, knowledge is key about how attackers exploit these vulnerabilities and how we can protect ourselves.
And that's what it's all about.
So thank you for joining us, Thank you for having me on this deep dive. It's been a pleasure into the world of arm exploitation. Until next time, stay curious, stay safe.
Stay secure, and keep exploring the world of cybersecurity.
The fascinating world of cybersecurity,