Fedora Core, CentOS, Whitebox Linux (Exec-shield) exploit documents

These documents describe exploitation of Fedora Core, CentOS and Whitebox Linux systems protected by Exec-shield.
Results from research that is still in progress are not yet public.

Writing period: 2005.12.10 ~ 2006.01.20, 2006.11 ~ 2007.01.20.



- Conference article and code:

* Linux Memory Protection Mechanism [PDF]

* POC 2008 Conference PDF:
Title: New Local & Remote Exploit to Get Over Exec-shield Protection [Pictures] [Video] (English)


* PADOCON 2007 Conference PDF:
Title: Advanced exploitation in exec-shield (Fedora Core case study) [Pictures] [Video] (English)


* POC 2006 Conference PDF:
Title: New Ways to Attack Applications of Operating System Under Execshield [Pictures] [Video] (English)


* English article Text:
Title: Advanced exploitation in exec-shield (Fedora Core case study) (English)

* Fedora Core Proof-of-Concept exploit codes: [Here]
Testbed information: [Here]



- Detailed knowledge (Korean):

* Fedora Core 5, 6 based remote random-library breaker [PDF] (Korean)

- Type: Local & Remote. (all)
- Exploit method: Stack overflow. (Return-to-Library)
- Environment condition: Nonexec-stack, Random-stack, Random-library.
- Brute-Force use: No.
- Testbed: Fedora Core Linux 5, 6.
- Exploitable function list: random_library_break.txt
- POC exploit: pr0ftpd_modctrls.tgz
P.S.: Written in Korean in 2007.

* Fedora Core 3 based local random-stack brute-force breaker [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Stack overflow, Format string attack. (Return-to-Library)
- Environment condition: Nonexec-stack, Random-stack, Random-library.
- Brute-Force use: Yes.
- Runtime library virtual address calculation method: get_library_virtual_address.txt
- Testbed: Fedora Core Linux 3, 5, 6.
P.S.: Written in Korean in 2005.

* Fedora Core 3 based GOT, PLT overwrite exploit method [PDF] (Korean)

- Type: Remote (mostly), Local. (some)
- Exploit method: Format string attack. (Return-to-Library)
- Environment condition: Nonexec-stack, Random-stack, Random-library.
- Brute-Force use: No.
- Testbed: Fedora Core Linux 3; also older Linux distributions (mostly).
P.S.: Written in Korean in 2005.

* Fedora Core 3 based shellcode local & remote format string exploit method (Part #1) [PDF] (Korean)

- Type: Local & Remote. (all)
- Exploit method: Format string attack. (shellcode-exec)
- Environment condition: Nonexec-stack, Random-stack, Random-library.
- Brute-Force use: No.
- Testbed: Fedora Core Linux 3 (VMware).
- POC exploit: 0x82-shoverwrite.tgz
P.S.: Written in Korean in 2005.

* Fedora Core 4,5,6 based shellcode local format string exploit method (Part #2) [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Format string attack. (shellcode-exec)
- Environment condition: Nonexec-stack, Random-stack, Random-library.
- Brute-Force use: Yes.
- Testbed: Fedora Core Linux 4, 5, 6.
- POC exploit: 0x82-library_terror.tgz
P.S.: Written in Korean in 2006.

* Fedora Core 3,4,5,6 based remote format string exploit method [PDF] (Korean)

- Type: Remote. (only)
- Exploit method: Format string attack. (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack, Random-library.
- Brute-Force use: No.
- Testbed: Fedora Core Linux 3, 4, 5, 6, CentOS 4.2, Whitebox Linux 4.
P.S.: Written in Korean in 2005.

* Fedora Core 3,4 based local format string exploit method (Part #1) [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Format string attack. (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack, Random-library.
- Brute-Force use: No.
- Testbed: Fedora Core Linux 3, 4, CentOS 4.2, Whitebox Linux 4.
P.S.: Written in Korean in 2005.

* Fedora Core 3,4,5,6 based local format string exploit method (Part #2) [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Format string attack. (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack, Random-library.
- Brute-Force use: No.
- Testbed: Fedora Core Linux 3, 4, 5, 6, CentOS 4.2, Whitebox Linux 4.
- POC exploit: 0x82-p_section_overwrite.tgz
P.S.: Written in Korean in 2006.

* Fedora Core 3,4,5,6 based local format string exploit method (Part #3) [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Format string attack. (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack, Random-library.
- Brute-Force use: No.
- Testbed: Fedora Core Linux 3, 4, 5, 6, CentOS 4.2, Whitebox Linux 4.
- POC exploit: 0x82-dtors_execv_ex.tgz
P.S.: Written in Korean in 2006.

* Fedora Core 3 based remote buffer overflow method [PDF] (Korean)

- Type: Remote. (only)
- Exploit method: Stack overflow attack (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack, Random-library.
- Testbed: Fedora Core Linux 3.
P.S.: Written in Korean in 2005.

* Fedora Core 4,5,6 based local stack overflow exploit method (Part #1) [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Stack overflow. (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack, Random-library; also compiled with -fomit-frame-pointer.
- Brute-Force use: some. (Random Library address)
- Testbed: Fedora Core Linux 3, 4, 5, 6, CentOS 4.2, Whitebox Linux 4.
- POC exploit: 0x82-break_FC4.tgz
P.S.: Written in Korean in 2006.

* Fedora Core 4,5,6 based local environment stack overflow exploit method (Part #2) [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Stack overflow. (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack, Random-library.
- Brute-Force use: some. (Random Library address)
- Testbed: Fedora Core Linux 3, 4, 5, 6, CentOS 4.2, Whitebox Linux 4.
- POC exploit: 0x82-local_environ_bof.tgz
P.S.: Written in Korean in 2006.

* Fedora Core 4 based -pie compile binary local stack overflow exploit [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Stack overflow. (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack, Random-library, Position Independent Executables (-pie compile).
- Brute-Force use: some. (Random Library address)
- Testbed: Fedora Core Linux 3, 4, CentOS 4.2.
- POC exploit: 0x82-breakeat-pie.tgz
- POC exploit result: 0x82-breakeat-pie_README
P.S.: Written in Korean in 2006.

* CentOS 4.2 based local stack overflow exploit (also, Whitebox Linux 4) [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Stack overflow. (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack; also compiled with -fomit-frame-pointer.
- Brute-Force use: No.
- Testbed: Fedora Core Linux 3, 4, 5, 6, CentOS 4.2, Whitebox Linux 4.
- POC exploit: 0x82-overCentOS4.2.tgz
P.S.: Written in Korean in 2006.

* Fedora Core 5,6 based main() function stack overflow exploit method [PDF] (Korean)

- Type: Local. (only)
- Exploit method: Stack overflow. (Return-to-Library)
- Environment condition: Nonexec-user-memory, Random-stack, StackGuard(?) + StackShield(?).
- Brute-Force use: some. (Random Library address)
- Testbed: Fedora Core Linux 5, 6.
P.S.: Written in Korean in 2006.



- Background knowledge (Korean):

* glibc-2.5/elf/dl-runtime.c src code research analysis [PDF] (Korean)

- Analysis of dl-runtime.c.
P.S.: Written in Korean in 2006.
(Testbed: Fedora Core Linux 6)

* gcc-4.1.1/gcc/crtstuff.c src code research analysis [PDF] (Korean)

- Analysis of constructors (ctors) and destructors (dtors).
P.S.: Written in Korean in 2006.
(Testbed: Fedora Core Linux 6)


P.S.: My insufficient English ability is very regrettable.
Therefore, I am going to write lectures hereafter.



By "dong-hoon yoU" (Xpl017Elz), in INetCop(c).
MSN & E-mail: szoahc(at)hotmail(dot)com
Home: http://x82.inetcop.org

GnuPG Public Key