binary-protection-bypass

仓库: yaklang/hack-skills
安装量: 533
排名: #6630

安装

npx skills add https://github.com/yaklang/hack-skills --skill binary-protection-bypass
SKILL: Binary Protection Bypass — Expert Attack Playbook
AI LOAD INSTRUCTION
Expert binary protection identification and bypass techniques. Covers ASLR, PIE, NX, RELRO, canary, FORTIFY_SOURCE, stack clash, CET shadow stack, and ARM MTE. Each protection is paired with its bypass methods and required primitives. Distilled from ctf-wiki mitigation sections and real-world exploitation. Base models often confuse which protections block which attacks and miss the combinatorial effect of multiple protections. 0. RELATED ROUTING stack-overflow-and-rop — ROP chains to bypass NX, ret2libc for ASLR bypass format-string-exploitation — primary method for leaking canary, PIE, libc addresses heap-exploitation — heap attacks for RELRO bypass (when GOT is read-only) arbitrary-write-to-rce — what to overwrite when GOT is protected by RELRO Advanced Reference Load PROTECTION_BYPASS_MATRIX.md for comprehensive protection × bypass × primitive matrix. 1. PROTECTION IDENTIFICATION $ checksec ./binary [ * ] '/path/to/binary' Arch: amd64-64-little RELRO: Full RELRO ← GOT read-only Stack: Canary found ← stack canary enabled NX: NX enabled ← stack not executable PIE: PIE enabled ← position-independent code FORTIFY: Enabled ← fortified libc functions Quick Identification Table Protection Check Command Binary Indicator ASLR cat /proc/sys/kernel/randomize_va_space OS-level (0=off, 1=partial, 2=full) PIE checksec or readelf -h (Type: DYN) Binary compiled with -pie NX checksec or readelf -l (no RWE segment) gcc -z noexecstack (default on) Canary checksec or look for __stack_chk_fail@plt gcc -fstack-protector-all Partial RELRO readelf -l (GNU_RELRO segment, .got.plt writable) gcc -Wl,-z,relro Full RELRO readelf -l + .got section read-only gcc -Wl,-z,relro,-z,now FORTIFY Presence of __printf_chk , __memcpy_chk etc. gcc -D_FORTIFY_SOURCE=2 2. ASLR BYPASS ASLR randomizes base addresses of stack, heap, libc, and mmap regions at each execution. Bypass Method Required Primitive Notes Information leak Any read primitive (format string, OOB read, UAF) Leak libc/stack/heap address → calculate base Partial overwrite Write primitive (limited length) Overwrite last 1-2 bytes (page offset fixed) Brute force (32-bit) Ability to reconnect/retry ~256–4096 attempts (8-12 bits entropy) Return-to-PLT Stack overflow PLT addresses are at fixed offset from binary base (if no PIE) ret2dlresolve Stack overflow + write primitive Resolve arbitrary function without knowing libc base Format string leak Format string vulnerability %N$p for stack/libc/heap addresses Stack reading Byte-by-byte (fork server) Read stack byte-by-byte via crash oracle ASLR Entropy (x86-64 Linux) Region Entropy (bits) Positions Stack 22 ~4M mmap / libc 28 ~256M Heap (brk) 13 ~8K PIE binary 28 ~256M 3. PIE BYPASS PIE (Position Independent Executable) randomizes the binary's own code/data base address. Bypass Method Required Primitive Notes Information leak Read return address from stack PIE base = leaked_addr - known_offset Partial overwrite One-byte or two-byte write Last 12 bits of page offset are fixed Format string leak Format string vulnerability %N$p where N points to .text return address Relative addressing Knowledge of binary layout If you know relative offsets, only need one leak Partial Overwrite Details PIE binary loaded at: 0x555555554000 (example) Function at offset 0x1234: 0x555555555234 Overwrite return address last 2 bytes: 0x?234 → 0x?XXX Unknown: bits 12-15 (one nibble = 4 bits = 16 possibilities) Success rate: 1/16 per attempt 4. NX / DEP BYPASS NX (No-eXecute) / DEP (Data Execution Prevention) prevents execution of code on the stack/heap. Bypass Method Detail ROP (Return-Oriented Programming) Chain existing code gadgets ending in ret ret2libc Call libc functions (system, execve) directly ret2csu Use __libc_csu_init gadgets for controlled function calls ret2dlresolve Forge dynamic linker structures to resolve arbitrary functions SROP Use sigreturn to set all registers from fake signal frame mprotect ROP Chain mprotect(addr, size, PROT_RWX) → make page executable → jump to shellcode JIT spray In JIT environments (V8, etc.), create executable code via JIT compiler mprotect Chain

Make stack executable, then jump to shellcode

rop

b'A' * offset rop += p64 ( pop_rdi ) + p64 ( stack_page )

page-aligned address

rop += p64 ( pop_rsi ) + p64 ( 0x1000 )

size

rop += p64 ( pop_rdx ) + p64 ( 7 )

PROT_READ|PROT_WRITE|PROT_EXEC

rop += p64 ( mprotect_addr ) rop += p64 ( shellcode_addr )

jump to shellcode on now-executable stack

  1. RELRO BYPASS RELRO Level GOT Status Bypass No RELRO GOT fully writable Direct GOT overwrite Partial RELRO .got.plt writable (lazy binding) GOT overwrite still works Full RELRO All GOT entries resolved at load, GOT read-only Cannot write GOT → target other structures Full RELRO Alternative Targets Target When How __malloc_hook glibc < 2.34 Overwrite with one_gadget __free_hook glibc < 2.34 Overwrite with system , trigger free("/bin/sh") _IO_FILE vtable Any glibc FSOP / vtable hijack __exit_funcs Any glibc Overwrite exit handler list TLS_dtor_list glibc ≥ 2.34 Thread-local destructor list (needs pointer guard) .fini_array If writable Overwrite destructor function pointers Stack return address Direct stack write Overwrite return address for ROP See arbitrary-write-to-rce for comprehensive target list.
  2. CANARY BYPASS Method Condition Detail Format string leak printf(user_input) %N$p to read canary from stack Brute-force fork() server (canary persists in child) Byte-by-byte: 256 × (canary_size-1) attempts Stack reading Partial overwrite / info leak Overwrite canary's null byte, leak via output Thread canary overwrite Overflow reaches TLS Canary at fs:[0x28] ; overflow past buffer to TLS → overwrite canary with known value Canary-relative overwrite Overflow after canary but before return addr Skip canary, only overwrite return address (rare layout) Heap-based Vulnerability is on heap, not stack Canary only protects stack __stack_chk_fail GOT overwrite Partial RELRO Overwrite __stack_chk_fail@GOT to point to harmless function → canary check passes Canary Format x86: 0x00XXXXXX (4 bytes, leading null byte) x86-64: 0x00XXXXXXXXXXXXXX (8 bytes, leading null byte) The leading \x00 prevents string operations from accidentally reading the canary.
  3. FORTIFY_SOURCE BYPASS _FORTIFY_SOURCE=2 adds buffer size checking and restricts format string operations. Fortified Function Restriction Bypass __printf_chk %n with positional args ( %N$n ) forbidden Use non-positional %n or %hn chain __memcpy_chk Destination buffer size checked Use heap overflow instead of stack __strcpy_chk Same __read_chk Read size checked against buffer Format String with FORTIFY_SOURCE

%1$n is blocked by __printf_chk

But sequential (non-positional) %n may still work:

Print exact byte count, then %hn — must be very precise

Or: find unfortified printf in binary/libc via ROP

  1. CET (Control-flow Enforcement Technology) Intel CET adds two mechanisms: Shadow Stack Hardware-maintained copy of return addresses On ret , CPU checks shadow stack matches actual stack Mismatch →

CP

fault (control protection exception) Impact Detail ROP blocked Return address overwrite detected on ret JOP possible jmp [reg] not checked by shadow stack COP possible call [reg] pushes to shadow stack but target validated by IBT Indirect Branch Tracking (IBT) Indirect jmp / call must land on ENDBR64 instruction Non-ENDBR landing →

CP

fault Bypass : Data-only attacks (don't change control flow) Find valid ENDBR gadgets that chain into useful operations JOP with ENDBR-prefixed gadgets Target structures outside CFI scope (modprobe_path, function pointer arrays) 9. MTE (Memory Tagging Extension, ARM) ARM MTE assigns 4-bit tags to memory pointers and allocations. Tag mismatch = fault. Aspect Detail Tag bits 4 bits in pointer (bits 56-59) = 16 possible tags Granule 16 bytes (each 16-byte granule has one tag) Check Load/store: pointer tag must match memory tag Probabilistic Random tag → 1/16 chance attacker guesses correctly Bypass Approaches Method Success Rate Brute-force 1/16 per attempt (6.25%) Tag oracle Side-channel to determine tag (timing, error messages) In-bounds exploit Stay within same tagged region (use relative offsets) Tag bypass gadget Use LDGM / STGM instructions if accessible Speculative execution Spectre-style bypass of tag check 10. DECISION TREE Binary analysis: checksec output ├── NX disabled? │ └── Shellcode on stack/heap (simplest path) │ ├── NX enabled (standard modern binary)? │ ├── Need code execution → ROP/ret2libc │ │ │ ├── Canary enabled? │ │ ├── fork server? → byte-by-byte brute-force │ │ ├── Format string? → leak canary via %p │ │ ├── Heap vuln? → canary doesn't protect heap │ │ └── Partial RELRO? → overwrite __stack_chk_fail@GOT │ │ │ ├── PIE enabled? │ │ ├── Format string? → leak .text address → PIE base │ │ ├── Partial overwrite → last 12 bits fixed (1/16 brute-force) │ │ └── OOB read? → leak code pointer │ │ │ ├── ASLR enabled? │ │ ├── Info leak available → leak libc base │ │ ├── No leak → ret2dlresolve or SROP │ │ ├── 32-bit? → brute-force feasible (~4096 attempts) │ │ └── Return-to-PLT (no libc base needed for PLT calls) │ │ │ ├── RELRO level? │ │ ├── None/Partial → GOT overwrite │ │ └── Full → alternative targets: │ │ ├── glibc < 2.34 → __malloc_hook / __free_hook │ │ ├── glibc ≥ 2.34 → _IO_FILE / exit_funcs / TLS_dtor_list │ │ ├── .fini_array (if writable) │ │ └── Stack return address │ │ │ └── FORTIFY_SOURCE? │ ├── Blocks positional %n → use sequential %n or heap exploit │ └── Blocks buffer overflows in fortified functions → use unfortified paths │ ├── CET (shadow stack)? │ ├── ROP blocked → data-only attack or JOP │ └── ENDBR-gadget chaining │ └── MTE (ARM)? ├── 1/16 brute-force └── Stay in-bounds for relative corruption

返回排行榜