I have some questions for you wizard shellcode-flinging hackers out there.
with modern mitigations like ASLR and beyond, how are exploits like this even possible?
I took a course in college which provided us with a dozen binaries, to be run on a specific Ubuntu version. Each binary had a different bug, use-after-free, buffer overflow, both, or more, and our task was to exploit it.[0]
It was HARD. Finding the flaw was hard. Then, writing the exact correct shellcode to do something useful with the flaw was even harder. Especially when you only have the compiled binary and GDB to work with.
In harder levels, we had to do this with mitigations enabled like ASLR, stack canaries, etc.
And my takeaway was, this is nearly impossible, because you need to 1. discover an exploitable flaw (or multiple, and chain them together!!) 2. find the exact binary shellcode payload that will do something useful without simply crashing the executable. And this was in a controlled environment as students, not the real world which is even more difficult.
So my question is, with all these mitigations, how is it possible?!
You were a inexperienced beginner finding and exploiting tens of bugs over a 10-15 week course. In between other courses and learning you only had hours to maybe a few days per bug. On Zerodium [1], a generic Linux LPE pays 50 K$. At normal experienced exploit developer costs that buys you ~200 person-hours. That is professionals spending 10-100x as much time as you spent.
Just think of the gap between the first time in the woodworking shop and a carpenter, first time pottery versus a master, a new painter and a professional artist. Think of how many things the master can do that it is literally impossible for the new person to do. Then add another 10-100x as much time on that. That is the gap.
I don't work in that space, so i don't know what is normal, but that sounds reasonable to me. Its a niche field that requires quite a bit of low level skill. I'd expect it to pay significantly more than web dev jobs
Costs, not salary. Overhead is usually 1.5x-3x salary and I was throwing in some profit for good measure. So the number I threw out is more in the 150 k$-300 k$ range, not the 500 k$ range like you are thinking.
I went from having previously written 0 exploits (aside from IoT fails with command injection), to my first Chrome exploit in about 15 weeks. I did probably put in about 1,000 hours though.
modern mitigations have made exploits much more difficult, however researchers continue to find bypasses to these mitigations.
there are "classic" techniques to bypass most of the modern protections and if there isn't then researchers often come up with novel attacks / bypasses. for example for heap protections you can see how2heap to bypass heap protections[0]. another example is an exploit which allows bypass of KASLR (which has since been patched)[1]. it looks like this exploit comes up with a "dirty pagetable" technique[2].
it's always a game of cat and mouse with more mitigations always being added while researchers constantly look to bypass them.
short answer: some people are good, some people are lucky, and some people are good and lucky. It only takes one from the latter category to find these things
longer answer: It is definitely really damn hard these days. Even disabling the mitigations, it's still pretty hard to find and a vuln and write an exploit. But many people who find these (not all though) work as part of a team, where they can parallelize fuzzing efforts and combine/chain knowledge and other exploits much better than an individual could. The level of expertise and talent that some of these people have is absolutely incredible, and experience is worth a pound of gold for these types of things, and some people have years or decades of experience.
I've wondered this myself. I've tried a class similar to yours, where you were provided with binaries and tried to find the bugs in them. And it was hard.
But when you consider that major bugs found now are being found by well funded teams or state actors trying to exploit them, it makes more sense that they would be able to work around existing mitigations due to the sheer manpower and resources they have to throw at the problem.
with modern mitigations like ASLR and beyond, how are exploits like this even possible?
I took a course in college which provided us with a dozen binaries, to be run on a specific Ubuntu version. Each binary had a different bug, use-after-free, buffer overflow, both, or more, and our task was to exploit it.[0]
It was HARD. Finding the flaw was hard. Then, writing the exact correct shellcode to do something useful with the flaw was even harder. Especially when you only have the compiled binary and GDB to work with.
In harder levels, we had to do this with mitigations enabled like ASLR, stack canaries, etc.
And my takeaway was, this is nearly impossible, because you need to 1. discover an exploitable flaw (or multiple, and chain them together!!) 2. find the exact binary shellcode payload that will do something useful without simply crashing the executable. And this was in a controlled environment as students, not the real world which is even more difficult.
So my question is, with all these mitigations, how is it possible?!
[0] I googled for the exact project but could not find it, though it was very very similar to this: https://web.stanford.edu/class/archive/cs/cs107/cs107.1194/a...