Linux Exploit Countermeasures & Bypasses

Question 1

This tool can be used to examine an executable and display what mitigation it uses.

Answer 1

gitsec

https://github.com/slimm609/checksec.sh

Question 2

This tool/script can be use to examine an executable and display what exploit mitigation it uses

Answer 2

checksec

https://github.com/slimm609/checksec.sh

Question 3

This is the most popular countermeasures that can be found in most modern software pieces. The idea is that data on the stack is not executable. Often referred as DEP - Data Execution Prevention

Answer 3

No eXecute

Question 4

If AMD make use of the No eXecute (NX) bit. What does Intel uses?

Answer 4

Execute Disable Bit (XD) both 32/64 arch

Question 5

If you try to execute any data that lies on the stack, for example after moving the execution flow back to the stack after buffer overflow, the program will crash with a??

Answer 5

SIGSEGV

Question 6

True / False

NX disallows the execution of data on the stack but having the function argument on the stack is perfectly fine

Answer 6

True

Question 7

This command can be use to check if the target binary uses the Libc( standard C library in linux)

Answer 7

ldd

Question 8

Using this command you can issue all functions provided by your system’s libc.

Answer 8

nm -D /lib/$(uname -m)-linux-gnu/libc-*.so | grep -vw U | grep -v “_” | cut -d “ “ -f3

Question 9

Using this command you can issue all functions provided by your system’s libc.

Answer 9

nm -D /lib/$(uname -m)-linux-gnu/libc-*.so | grep -vw U | grep -v “_” | cut -d “ “ -f3

Question 10

This is the distance between the library’s base address and the target function address

Answer 10

offset

Question 11

In order to execute a function that is in libc, we needed to do this 3 step (specified on XDS)

Answer 11

• Find an interesting function that will provide us with a shell
• Set up the stack properly
• Overwrite the EIP with the abovementioned function’s address

Question 12

This is an exploit countermeasure introduced on the Operating System Level. When ASLR is turned on, upon launching a new process, its core memory areas will be loaded at different address each time.

Answer 12

ASLR (Address Space Layout Randomization)

Question 13

What file is the ASLR setting is held.

Answer 13

randomize_va_space

/proc/sys/kernel/randomize_va_space

Question 14

If the value of ASLR is 0, what does it means?

Answer 14

It means that ASLR if OFF

Question 15

If the value of ASLR is 1, what does it mean?

Answer 15

It means that the ASLR is ON and the stack, virtual dynamic shared object page, shared memory regions are randomized

Question 16

If the value of ASLR is 2, what does it mean?

Answer 16

ASLR is ON and in addition to 1, the data segments are randomize too.

Question 17

To permanently set the value of ASLR which file and value you needed to append on it.

Answer 17

/etc/sysctl.conf

kernel.randomize_va_space=0

Question 18

This is another exploit mitigation that is employed on Linux systems. This is also known as stack canary, stack protector, stack guard or SSP

Answer 18

Stack Cookie

Question 19

This is a 4-byte value that is pushed onto the stack when a function is entered.

Answer 19

Stack Canary

Question 20

When the function ends its task, and the stack frame is cleared, the stack cookie value is checked against the previously pushed value. If it’s different, the program is terminated by calling this function. What is this function?

Answer 20

__stack_chk_fail function

Question 21

This one is a type of stack cookie. It is a 4-byte value generated by e.g. /dev/random

Answer 21

Random Canary

Question 22

This one is a type of stack cookie. The random canary is additionally XOR’ed with stored control data

Answer 22

Random XOR Canary

Question 23

This one is a type of stack cookie. The canary has value of 0x00000000; supposedly, it will be impossible to deliver zeroes to the stack as it’s a null terminator string

Answer 23

Null Canary

Question 24

This one is a type of stack cookie. The canary is set to a combination of string terminators like 0x00, 0xff, 0x0a and 0x0d

Answer 24

Terminator Canary

Question 25

What are the two signs to detect that stack canary is being used?

Answer 25

• “Stack Smashing Detected”

- Call to __stack_chk_fail or similar function in the disassembly

Question 26

To compile a binary with a Stack Guard in GCC what flag should you use?

Answer 26

-fstack-protector-all

Question 27

Is a collection of python modules that commonly used in the CTF binary exploitation challenges.

Answer 27

Python Pwntools

Question 28

This flag in GCC instruct the compiler to create a 32-bit executable

Answer 28

-m32

**If you encounter an error make sure you install the gcc-multilib

Question 29

This flag in GCC turns off the Position Independent Executable mitigation.

Answer 29

-no-pie

Question 30

It’s an exploit mitigation that protects data section of a process from overwriting during an exploitation process

Answer 30

RELRO or RELocation Read Only

Question 31

There are two stages of RELRO, on this stage exploitation of arbitrary write is still possible. This can be forced during compilation using the below gcc arguments

-Wl, -z, relro

Answer 31

Partial RELRO

Question 32

In order to force full RELRO, what are the additional arguments to be supplied to gcc

Answer 32

-Wl, -z, -relro, -z, now

Question 33

If this protection is set, then it can specify a path from which a library can be included. The path is harcoded, and the libraries included do not drop the potential SUID privileges.

Answer 33

RPATH

Question 34

This protection is a stronger version of ASLR. Despite what ASLR does, this protection randomizes Code and GOT/PLT elements.

Answer 34

PIE (Position Independent Executable) also known as Position Independent Code.

Question 35

This protection utilizes the fact that shipping zero’s within an attacker buffer is often a problem

Answer 35

ASCII Armor