It’s time for Degenerate Fat Bear Week, the week where we degenerately gamble and talk shit on the results of an anonymous online poll! (for charity)
Katmai National Park in Alaska has a lot of bears in it. Every year they put a bunch of bears into a bracket, and everyone on the internet can vote for who they think is the fattest. We gamble on the results of this anonymous online voting, because we are degenerates. This year you can see the bracket here:
| #unlifted instructions | |
| # | |
| from collections import defaultdict | |
| from binaryninja.enums import LowLevelILOperation | |
| unlifted = defaultdict(list) | |
| print('unlifted instructions in bndb') | |
| for ll in bv.llil_instructions: |
I have no idea if this is the best way to do this (is it really required to compile QT?) but it works for me. This is also reconstructed from the history of a few terminal windows, so it's entirely possible I'm forgetting something.
Start by following the install_linux.txt instructions. You'll need to copy
libida.dylib and libida64.dylib into bin in the SDK root. Additionally,
that bin directory should be in you PATH. Finally make bin/idamake.pl
executable. All of these is covered in the SDK docs.
Starting in clang 3.7 they've introduced a new argument -fsanitize=cfi which aims to protect indirect calls from overwrites.
All the code and binaries I used can be downloaded here
First, I thought I would look at how CFI applied to simple C structs with function pointers. After fighting with the compiler to get it to stop optimizing my code, (i.e. call <puts> instead of call rcx because clang realized that rcx was always going to be puts(3)) I got it calling things from memory. However, there was no CFI protection on the call. I played around with this a bit (interestingly, clang will optimize use of un-initialized memory to the ud2 instruction) but was unable to get any CFI protection in place.
Reading a bit of the clang manual, it talked a lot about C++ virtual methods, so I thought I would look at those. I also played around with non virtual calls, those were replaced with static cal
Note: I've only briefly read the related CPI paper (PDF), this is just initial impressions after playing around with it a bit.
All the code and binaries I used can be downloaded here. Note that I removed -DFORTIFY_SOURCE=2 to make the examples a bit simpler.
-fsanitize=safe-stack basically seems to move stack based buffers off the actual stack, onto another segment of memory (I'll call it the fake stack). The actual stack then stores references to this segment. For example:
char buf[20];
printf("%p\n", buf);
| Kreading klist: | |
| Attack the Core - http://www.amazon.com/Guide-Kernel-Exploitation-Attacking-Core/dp/1597494860 | |
| Kernel Exploitation Notes - http://phrack.org/issues/64/6.html#article | |
| Stack Jacking - https://jon.oberheide.org/blog/2011/04/20/stackjacking-your-way-to-grsec-pax-bypass/ | |
| Smashing the Kernel Stack for Fun and Profit- http://phrack.org/issues/60/6.html | |
| A XNU Hope - http://phrack.org/issues/64/11.html | |
| Core Security OpenBSD IPv6 Remote Kernel Exploit - http://www.coresecurity.com/content/open-bsd-advisorie | |
| 802.11 Wireless Vulnerabilities on Windows - http://www.uninformed.org/?v=6&a=2&t=sumry | |
| Abusing Mach on OS X - http://www.uninformed.org/?v=4&a=3&t=sumry |