We have hit an interesting point in HTAE. We can continue on as we have been going through the book or we can do something a little different.
I’m electing to do something a little different. The reasoning behind this is as follows. To continue with Hacking the Art of Exploitation under the assumption that you are following along to learn things I would have to go over a great deal of material just to explain what is happening. That isn’t a reason in and of itself to skip to a different path. We are going to end up covering a lot of that material regardless. But there are more reasons.
As I’ve stated several times in the posts here we would have to have root access to the victim machine to get these exploits to work. That is just not realistic, because if you have root access anyway you can just run whatever you want to run without the hassle of using buffer overflows and shellcode. None of what we have done is a waste though, because we now see how these attacks function in theory.
Lets get real.
We are going to start taking a look at how to overcome modern protections on program execution. Since HTAE is almost 10 years old now we want to update it for the modern situation. That will include modifying our attacks, using new techniques, and gaining a better understanding of the differences between 32 and 64 bit architectures. We will start with the 32-bit situation where I will be continuing on Debian. Then I will move to a 64-bit install of Mint.
Why switch to Mint? because Mint is one of the most popular Linux distro’s out there, right up there with Ubunu if not more popular. I’m not sure how representative as a whole it is but you can check out Distro Watch to see how many page hits each distro gets, though I’m not sure if its just from Distro Watch or if it’s in general. While Debian is right up there as well I feel that using different distro’s and seeing how they operate similarly and dissimilarly is a worthwhile experience.
Modern Protections Review.
- ASLR – Address Space Layout Randomization.
- DEP – Data Execution Prevention.
- Canaries – Checking bits of data to make sure they haven’t been overwritten.
We have learned some basic theory and some very special cases for executing attacks on Linux environments. Those include: stack smashing, heap overflows, format string exploits, and injecting shellcode into a running program. For the next few posts I’m going to go over how we translate those theories and special cases in execution on 32 and 64 bit Linux machines without going in and disabling the protections. I am going to do this now because its a good time to go over it with the previous material still fresh in our minds.
The fun is only just beginning.