The Last Class

I've had a lot of fun trying to make sure you all come along for this journey. My subversive goal is nurturing a sense of creative autonomy via tech. To tackle something seemingly impossible is to chunk it into parts, master the concepts, and just roll up your sleeves to work through the pieces.

It's very hard to measure success in this, if someone comes in with no experience then that next step is a sort of confidence to overcome that sense of static noise when a topic seems too hard.

If you've got some previous experience then that next step feels more like your ability to pick up something beyond the course content just to serve you in accomplishing a new goal.

I really hope that the spirit of, "if someone can do it that so can I", will carry with you into future projects no matter what fields your career ends up in. The process is more important that the outcome and you just have to accumulate 1000 losses as quickly as possible.

Heap Exploitation re-theme

So I attempted to shift around the second half of the class in order to bring more of you to the cutting edge with me.

I covered less pure content but tried to get the story consistent and progressive rather than shotgun.

From that perspective, the foray into fastbin dup was a mistake, forgive me.

I'm curious to see if it worked. So I made a new set of mastery tasks to capture this different model of learning the cutting edge:

• 0) Debugging and inspecting the heap with pwndbg/gdb and pwntools
• 1) Pulling off tcache-poisoning (without decryption e.g. <= glibc 2.31) to do a Write-What-Where (PCP 22)
• 2) Leaking a glibc address and calculating the location of free_hook and system
• 3) Doing a Mom's Spaghetti exploit: tcache-poison WWW, glibc leak, and popping a shell with free_hook (PCP 24/27)
• 4) Adapting that exploit to glibc 2.32 by leaking a heap address and encrypting your tcache poisoning target (PCP 28)
• 5) Adapting your exploit to not need Use-After-Free simple a Double-Free (PCP 29)
• 6) Moving to the cutting edge by targeting something other than free-hook in glibc 2.34+ (PCP 30)
• 7) Moving beyond ProfNinja by learning an out-of-class exploit to do cutting edge without double-free (e.g. off by one poison null byte) (PCP 31)

Green means you could probably deploy the skill in a live scenario.

Yellow means you think you get it intellectually but need to practice.

Red means you've got no idea what I'm talking about.

Head to the discord and update your green-yellow-red emojis for these new heap tasks. I also added green-yellow-red hearts to the pre-heap tasks, if you take a moment to let me know how you self-assess on those that would be great.

OK so what sort of stuff did we cover:

• How to just use C, the language of languages
• The basics of x86
• How to reverse engineer a binary and see the intention behind it
• The reason for and mechanics of calling conventions
• The essence of the stack and use of rsp and rbp
• The nature of memory segments and their permissions
• The concept and execution of shellcode
• Stack smashing/buffer overflow exploits for overwriting local variables
• Controlling the stack at a ret to change the RIP
• How to debug via r2, pwntools, and connecting to a process
• ROP gadgets and ROP chaining
• Address space randomization via PIE and ASLR
• ret to glibc (go to walmart)
• Lazy-linking and the GOT and PLT
• How printf vulnerabilities can be used for leaks
• How printf vulnerabilities can be used to make a write-what-where
• How a write-what-where can be used to control the RIP via the GOT
• How syscalls control access to the OS
• The syscall calling conventions
• How SROP can be used to control ALL registers at once
• The goals of the heap for dynamic memory allocation (performance and defragmentation)
• The tcache struct format
• The structure of the main_arena
• pwndbg for heap visualization
• Use-after-free for finding a heap leak (leaking singly linked list pointers)
• Use-after-free for finding a glibc leak (leaking a main_arena address)
• The __free_hook as a target for RIP control
• Finding glibc one_gadgets
• Overcoming the 2.32 encryption of fd pointers
• Using a double-free to make a pseudo use-after-free (House of Botcake)
• Walking to the cutting edge (2.34+) by targeting __exit_funcs and the thread control block

Pretty deep.

What's missing?

We took an interesting path through this topic.

So what would I have liked to cover with you that we didn't?

• kernel exploitation, less protections, different malloc
• writing our own reverse engineering display for some esoteric architecture
• static analysis tools
• symbolic execution engines (z3 and angr)
• a case-study on a piece of malware
• an ARM exploit
• an example of these exploits being used via a higher-level language (e.g. exploiting Chrome malloc via javascript )
• exploring Just-In-Time compilation vulnerabilities
• WASM, Java Byte Code, Python Byte Code vulnerabilities with the same principles (i.e. virtual machine exploitation)

Secure Software Design?

So for the CISC students who came in with different expectations I do want to confirm that the topic is in-fact one and the same. I encourage you to learn the CERT guidelines real quick:

Let's go through them real quick: CERT Coding Standards

memset your junk and delete your pointers.

Help make the world secure and not just the one project.

There is a whole world of secure software processes: almost like a project management class. Something like this:

Take a look at the SDL: SDL from microsoft

I also find it helps to contextualize all of this by looking at the MITRE ATTACK framework:

Use the charts: https://attack.mitre.org/matrices/enterprise/

Sure, but what about a PWN career?

OK so suppose you love PWNing like me and want to make a career of it?

So being a top CTFer is a great job door-opener, we learned about them because a large company uses CTFs as their cyber interview process (top score gets the job).

But also bug bounties, CVE hunting, malware detection, forensics.

OK so what about more practice?

Here are a ton of problem sets:

CTF flowcharts

Also compete every weekend with us!

OK OK, but what about those other heap tricks?

So here's a "stack leak" in our cutting edge world:

How about the FSOP stuff?

Well here are some links to old lectures on that:

Intro to FSOP

FSOP struggles

FSOP success

OK Go Forth

Thanks again, I wish you nothing but the best. Any way I can help let me know.