Leet Sheet
  • Leet Sheet
  • TODO
  • Reconnaissance
    • Automated Reconnaissance
    • Domains
    • Scour the Web
    • Metadata
  • Web App Hacking
    • Enumeration
      • Webserver Virtualhost Subdomains
      • Common Identifiers
      • Web Fuzzing
      • Directory Enumeration
        • Automated Directory Enumeration
        • Manual Directory Enumeration
      • Automated Web Technology Detection
    • User Attacks
      • CORS Misconfigurations
      • DNS Rebinding
      • Open Redirect
      • Clickjacking
      • Cross Site Request Forgery (CSRF)
      • Session Fixation
      • XSS/Cross Site Scripting
      • CSS Injection
      • HTML Injection
      • Phishing
    • Database Attacks
      • SQL Injection
      • Get a Shell From DB Connection
    • Server Attacks
      • Collisions
      • Server Side Request Forgery
        • Redis SSRF
      • Insecure Direct Object Reference
      • Timing-Based Side-Channel Attacks
      • Attacking Authentication Methods
        • JWT Attacks
        • Brute Forcing Web Forms
      • Loose Comparisons
      • Unrestricted File Upload
      • Insecure Deserialization
      • Command Injection
      • Path Traversal
      • File Inclusion
      • Server-Side Template Injection
      • XML External Entities Injection (XXE)
      • Server Misconfigurations
      • Parser Inconsistencies
      • Bypassing WAFs
    • DNS Attacks
    • Cloud Attacks
      • Amazon Web Services
    • Interesting Outdated Attacks
      • SQL Truncation
  • Network Hacking
    • General Enumeration
    • RPC
    • LDAP
    • SMB
    • SNMP
    • WMI
    • SSH
    • Kerberos
    • NTLM
    • Man-In-the-Middle (MITM)
    • WinRM
  • Post Exploitation
    • Windows
      • CLI Tips
      • Shells
      • Windows Script Host
      • Windows Privilege Escalation
        • Enumeration
        • JuicyPotato/RottenPotato
        • Kernel Exploits
        • Unquoted Service Paths
      • Active Directory
      • Dumping Passwords
      • NTLM Hash Theft
    • Linux
      • Port Forwarding
      • Shells
      • Linux Privilege Escalation
        • Enumeration
        • SUID Bit
        • Dot (.) In PATH
        • Escape From Restricted Shell
        • Symlink Trickery
        • Wildcard Injection
        • Docker group/LXD group
        • Password Reuse
      • Backdoors
    • Docker Container
    • General
  • Various
    • CVEs
    • SSH Agent Hijacking
    • Password Cracking
    • Cryptography
    • Non-Hacking
    • Malware
    • Forensics
      • Reading Keystrokes from USB PCAP Data
  • Binary Exploitation
    • Resources
    • Base Knowledge
    • Format String Exploits
    • Stack Smashing
    • Heap Exploits
    • Time-of-Check to Time-of-Use (TOCTOU)
    • Shellcode
    • Decompilation
    • Debugging
    • Exploit Mitigations and Protections
    • Exploit Protection Bypassing
    • Passing Input
    • Fuzzing
    • Automatic Exploitation
  • Physical Security
    • Mechanical Locks
    • Electronic Locks
    • Other Attacks
    • Destructive Entry
    • Elevator Attacks
  • Social Engineering
    • Phishing
Powered by GitBook
On this page
  • ASLR
  • Stack Canaries/Stack cookies
  • Non-Executable Memory/DEP
  • PIE/Position Independent Executable
  • RELRO
  • Partial RELRO
  • Full RELRO

Was this helpful?

  1. Binary Exploitation

Exploit Mitigations and Protections

PreviousDebuggingNextExploit Protection Bypassing

Last updated 2 years ago

Was this helpful?

ASLR

Randomizes memory addresses (but not the addresses of instructions).

Stack Canaries/Stack cookies

In a function, a stack canary is an 8-byte (or 64-bit, and 4-byte on 32-bit) value that is placed at the end of the stack. Then, at the end of the function, before the return, a check is made to determine if the canary still has the same value. If not, it’s determined that stack smashing has occurred.

It stops the function from returning, but might not protect from other side effects of the stack being overwritten.

However, note that compiler developers know about buffer overflows, so usually buffers are placed below local variables, and as close to the stack canary as possible, to prevent the variables from being overwritten.

Also note that the canary starts with a NULL byte. This is because functions like strcpy can’t write NULL bytes, and so you cannot overwrite the canary with those functions.

However, on 32 bit it’s a NULL byte and 3 more bytes, which is able to produce 16 million total random values. Depending on how the program is run, you can try to exploit it 16 million times, and on one of those tries, you might be able to get the correct stack canary by chance.

Non-Executable Memory/DEP

It’s when CPUs make memory regions, such as the stack and the heap nonexecutable. This is done by either the NX bit, or if the cpu doesn’t support it, then it’s emulated via memory segmentation.

PIE/Position Independent Executable

PIE/PIC makes it so that the addresses of the bytecode is not the same between executions. If it’s not enabled, then the location of main() is always the same, for example.

RELRO

There is a mitigation for this. Enter relocations read-only, or RELRO. It in fact has two levels of protection: partial and full RELRO.

Partial RELRO

During compilation, enabled with -Wl,-z,relro

  • Maps the .got section as read-only, but not .got.plt

  • Rearranges sections to reduce the likelihood of global variables overflowing into control structures.

Full RELRO

During compilation, enabled with -Wl,-z,relro,-z,now

Does the steps of Partial RELRO, plus:

  • Causes the linker to resolve all symbols at link time (before starting execution) and then remove write permissions from .got.

  • .got.plt is merged into .got with full RELRO, so you won’t see this section name.

Only full RELRO protects against overwriting function pointers in .got.plt. It works by causing the linker to immediately look up every symbol in the PLT and update the addresses, then mprotect the page to no longer be writable.

Since the Global Offset Table and Process Linkage Table contain function pointers, which are dereferenced to call those functions, then

being able to write to it will lead to arbitrary code execution.