Crafting an Infoleak exploit - A Hands On tutorial — Saumil Shah

Venue: hack.lu 2025

Duration: 120 min

Type: Training

Speakers: Saumil Shah

Abstract

“You do not find infoleaks, you create them” - Halvar Flake

In this hands-on 2-hour workshop we will learn how a memory corruption bug can be turned into both an RCE and an infoleak bug to bypass ASLR. Students will work with a memory corruption vulnerability in a popular web server and turn it into an infoleak bug.

Description

Memory corruption bugs don’t always have to result in arbitrary code execution. Sometimes a memory corruption bug can be put to an entirely different purpose, in this case turning it into an infoleak bug to bypass ASLR.

This workshop demonstrates how to make infoleak bugs happen seemingly from thin air. Students will work with a 12-year-old vulnerability in a popular web server and turn it into a brand new infoleak bug.

Outline

  • Case study of an integer overflow bug in a popular web server.
  • Understanding the chain of function calls and frames on the stack.
  • Understanding the basis of an infoleak.
  • Using GDB to hit-trace black-box binaries to analyse the sequence of function calls.
  • Diverting the flow of functions after memory corruption to produce meaningful output.
  • Populating the output with arbitrary values.
  • Leaking the stack pointer address.
  • Leaking libc base address.
  • Putting the infoleak exploit together.

The case study will be presented for x86 as well as ARM32 binaries.

Theory - 1 hour
Exercise - 1 hour

Students will be provided with a Docker container containing the necessary debugging and exploit development tools. Students are expected to bring a laptop with a working Docker installation.