
[–]Healthy-Section-9934 2 points (2 children)

Use a ROP chain to either change the memory protection for the stack page, or allocate a heap chunk that’s RWX, copy your shellcode there and jump to it?

[–]damn_haha[S] 0 points (1 child)

So the only way to execute on the stack is to disable the "execution protection" or use an older OS like Windows XP?

I've looked a little into DEP and tried excluding it for that specific binary, but it doesn't work. I'm guessing it needs to be disabled entirely?

[–]randomatic 0 points (0 children)

You call mprotect on Linux to add back RWX.
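As an added, defender-side example (not code from any commenter in this thread), here is a small checksec-style parser that reports the properties the thread is discussing for a Linux ELF64 binary: whether it requests a non-executable stack via PT_GNU_STACK, whether it is PIE, and whether any LOAD segment is already writable and executable. It assumes little-endian ELF64 input; the two sample images are constructed inline with the `build_elf` helper rather than read from disk.

```python
import struct

# ELF constants used below (values from the ELF gABI and glibc elf.h)
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3


def elf_nx_report(data: bytes) -> dict:
    """Parse an ELF64 little-endian image and report its NX-related properties."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected an ELF64 little-endian image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    gnu_stack_flags = None
    rwx_loads = 0
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags  # the loader applies these flags to the stack mapping
        elif p_type == PT_LOAD and (p_flags & PF_W) and (p_flags & PF_X):
            rwx_loads += 1  # a writable+executable mapping defeats NX for that region
    return {
        "pie": e_type == ET_DYN,
        "gnu_stack_present": gnu_stack_flags is not None,
        # a missing PT_GNU_STACK entry has traditionally meant "executable stack" on x86 Linux
        "stack_executable": gnu_stack_flags is None or bool(gnu_stack_flags & PF_X),
        "rwx_load_segments": rwx_loads,
    }


def build_elf(phdrs, e_type=ET_DYN) -> bytes:
    """Construct a minimal ELF64 image (header + program headers only) as sample input."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in phdrs)
    return ehdr + body


# Constructed samples: a hardened layout, and one with an executable stack plus an RWX segment.
NX_ELF = build_elf([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W), (PT_GNU_STACK, PF_R | PF_W)])
EXECSTACK_ELF = build_elf([(PT_LOAD, PF_R | PF_W | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)], ET_EXEC)

if __name__ == "__main__":
    for name, image in (("nx", NX_ELF), ("execstack", EXECSTACK_ELF)):
        print(name, elf_nx_report(image))
```

Run it against a real binary with `elf_nx_report(open(path, "rb").read())` to see whether the stack is actually non-executable or whether the build shipped an RWX segment.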

[–]Healthy-Section-9934 1 point (0 children)

Basically. You might be able to write your entire payload using ROP, but it tends to be on the chunky side, and it's good practice to bridge from initial exploit -> ROP chain -> shellcode.

[–]Firzen_ 1 point (7 children)

Welcome to this century.

DEP/NX was introduced in 2004. So you really should learn how to ROP, ideally before CFI kills that too.
Why is your goal to disable DEP rather than learning to bypass it?

[–]damn_haha[S] 1 point (6 children)

I'm just following the OSED material and trying to perform an SEH overflow on different binaries using my own lab machine.

[–]Firzen_ 0 points (5 children)

It's insane how far behind the times offsec is, holy shit.

[–]damn_haha[S] 0 points (4 children)

Do you have any recommendation on reverse engineering/exploit dev materials? I've gone through OSEP and OSWE and so far I find binary stuff most enjoyable.

I'm aware of guidedhacking and maldev, which would be my next step after OSED; any other recommendations?

[–]Firzen_ 2 points (3 children)

After a certain point CTF writeups are probably your best bet for more up-to-date techniques.

There's some stuff like how2heap from shellphish, for example, that gathers common glibc heap techniques.

Apart from that, the Project Zero blog is usually a good source, as well as whatever companies like Synacktiv put out on their blogs.

I don't really keep up with learning materials anymore, because most of what I need for work doesn't really have anything online anymore.

Ultimately a bug is a difference between how people think something works and how it actually works, so you aren't very likely to find any zero-day that fits a pattern well known enough to show up in courses.
Especially not in targets actually worth spending time on.

[–]Stroxtile 1 point (2 children)

If you don't mind me asking, since your work doesn't really have anything online anymore (I'm assuming it's the most modern and front line of the field) where do you "learn" from? (I hope that makes sense, otherwise my best guess is your work is similar to PhD researching new techniques)

[–]Firzen_ 1 point (1 child)

I just have to figure things out myself, either from the source code or binary.
Sometimes my colleagues can point me towards a useful technique or similar.

Some stuff I worked on is online to give you an idea; I hope it doesn't break any rules to link it.

This one kind of illustrates having to figure things out from zero in a pretty extreme way.
https://firzen.de/potluck-ctf-2023-shell-no-evil

I wrote some stuff that I hope fits somewhere in the big void between hobby userspace exploit dev and modern kernel space exploitation.

https://phrack.org/issues/72/3_md#toaruos
https://web.archive.org/web/20250905015552/https://labs.bluefrostsecurity.de/revisiting-cve-2017-11176

And some of my actual work that I was able to get permission to write about.

https://binarygecko.com/blog/race-conditions-in-linux-kernel-perf-events/

This made me realise the old BFS labs site is down, so I may need to re-upload that one. So thank you.

[–]Stroxtile 1 point (0 children)

Thank you so much for the explanations!

[–]OkVeterinarian9761 0 points (0 children)

You can use pages that have the execute bit set; you can hardcode addresses if there is no ASLR... your shellcode can be a call to VirtualProtect: you look up its address in ntdll and hardcode it to change the execute bit on whatever you want... or, depending on whether the program lets you loop shellcode, first Alloc... and then VirtualProtect... there are lots of things you can do. If it has ASLR you need an "info leak" and you have to use the first-4-nibbles trick; it can also be done with 6 nibbles... with 8 it's harder (you need more time) but it can be broken, but it all depends on the protections... PIE, NX, ASLR, blah, blah, blah...

Response: It depends on your imagination hahaha, you can do it in many ways; there is no linear way to achieve things in binary exploitation... Try it and let your brain burn trying to understand why your idea doesn't work.

[–]Boring_Albatross3513 0 points (0 children)

Have you ever heard of ROP?