📔
Cyber Security Notes
  • Introduction
  • CVEs
    • CVE-2022-33106
  • Paper Reviews
    • Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
  • Security Basics Notes
    • Identification, Authentication and Authorization
  • Enumeration and Initial Compromise
    • Methodology
    • Footprinting
    • Network Protocols
      • FTP
      • SMB
      • DNS
      • NFS
      • SMTP
      • IMAP/POP3
      • SNMP
      • MySQL
      • MSSQL
      • Oracle TNS
      • IPMI
    • Nifty One Liners
    • Brute-Force Web Pages
      • Hydra
    • Network Pentest
      • Quick SMB cheatsheet
      • SSH keypair basics
      • Compromise using SSH Key
      • Networking fundamentals Interview topics
      • nmap quick cheatsheet
      • Metasploit Quick Reference
    • Web Pentest
      • Web Pentest Interview top topics
      • Wordpress Exploitation
      • Joomla Exploitation
      • Login Bypass using Cookie Tampering/Poisoning
      • Subdomain Enumeration
      • CSRF mitigation
      • XSS mitigation
      • CSP bypass with JSONP
      • PHP Vulnerabilities
      • Python Serialization Vulnerabilities - Pickle
      • SQL Injections
        • SQLmap
      • SSTI
      • XSS
    • Buffer Overflow Prep
      • Understanding CPUs
      • Virtual Memory and Paging
      • Syscalls
      • Theorem Proving
      • Stripping readable function names
      • Insecure C functions
      • Stack Canaries
      • Linking - GOT,PLT
      • Return Oriented Programming
    • Active Directory - Basics
      • AD DS
      • Managing OUs
      • Group Policies
      • Authentications
      • Trees, Forests and Trusts
      • Kerberos
      • Attacking Kerberos
      • Priv Esc (Post Exploitation)
    • DNS/Domain Enum Masterguide
  • Post Exploitation
    • Shell Escape Techniques
    • Getting stable shell after compromise
    • Linux Privilege Escalation
      • Sudoers file
      • Sudoers entry - Yum
      • Wildcards - Basics
      • Wildcards - Chown
      • Wildcards - Tar
      • Linux Permissions & SUID/SGID/Sticky Bit
      • SUID - nmap
      • SUID - bash
      • SUID - man
      • NFS no_root_squash
      • SUID - pkexec
      • Bad permissions
    • Windows Privilege Escalation
      • SeImpersonatePrivilege Token Impersonation
      • Firefox Creds
      • Potatoes
      • Print Spooler Basics
      • Print Spooler CVE 2020-1030
      • SpoolFool
    • Data Exfiltration Post Exploitation
  • Port Forwarding Cheatsheet
  • Powershell Essentials
    • Powershell Basics
    • Powershell Enumeration
    • Powershell Port Scanner
    • Powershell One Liner Port Scanning
    • Powershell Port Scan in a given CIDR
  • Application Security
    • System Calls in Linux
    • Buffer Overflow Defenses
    • Format string vulnerabilities
    • Sample Github Actions
    • Basic Bugs in Demo Application
    • Using AFL++
  • Linux 64-bit Assembly
    • GDB Basics
      • My relevant GDB cheatsheet
      • Task 1 - Tamper strcmp logic
      • Breakpoints
      • Always starting with intel flavor
      • GDB TUI Mode
    • Basic Hello World Program
    • Registers in 64-bit
    • global directive
    • Reducing instructions and Removing NULL-> Optimizing memory in Assembly
    • Data Types
    • Endianness
    • Moving Data
    • push, pop, and the stack
    • Analysis - Writing data on memory location and referencing
    • Arithmetic Operations
    • Bitwise Logical Operations
    • Bit-Shifting Operations
    • Control Instructions
    • Loops
    • Procedures
    • Stack-Frames and Procedures
    • String Operations
    • Shellcoding basics
      • Introduction and Common Rules
      • Basic Shellcodes->Exit
      • Testing shellcode->Skeleton Code
      • Techniques-> JMP,CALL,POP
      • Techniques-> Stack
      • Techniques-> (64-bit only) RIP Relative Addressing
      • Shellcode 1 -> execve(/bin/sh) STACK PUSH
      • Shellcode 1 -> execve(/bin/sh) JMP CALL POP
      • Techniques-> XOR-Encoder
  • Cloud Security
    • Foundational Technology
    • Learning Through Project Omega
    • IAM Essentials
      • Deep dive into IAM - Part 1
    • Amazon S3
    • Risk Management & Data Controls
    • Enumeration
      • S3 - Enum Basics - PwnedLabs
      • S3 - Identify the AWS Account ID from a Public S3 Bucket
      • EBS - Loot Public EBS Volumes
      • S3- Exploit Weak Bucket Policies for Privileged Access
  • API Security
    • WSDL
  • Reverse Engineering
    • Some string Operations
    • Numbers and Inputs
    • Address inputs
    • Recursive Function
    • Crackme: level1
    • Crackme: level2
    • CTF: Memory Dereferencing
    • CTF: Monty Python
  • CTF Challenge Learnings
    • vsCTF 2024
      • Sanity Check
      • not-quite-caesar
      • Intro to reversing
    • NCL Individual 2024
      • Web Challenges
        • PiratePals
        • Pierre's Store
    • Pico CTF 2024
      • Web Exploitation
        • Bookmarklet
        • WebDecode
        • Unminify
        • Trickster
      • General Skills
        • Commitment Issues
        • Time Machine
        • Blame Game
        • Collaborative Development
        • Binary Search
        • Dont-you-love-banners
    • Sunshine CTF
      • Knowledge Repository
    • Amazon WiCys CTF
      • I am Lazy
      • Password Locker on the Web
      • Happy Birthday Card Generator
      • Bloggergate
      • simple offer
      • Bad Actor
      • Secret Server
      • Simple PCAP
      • Hidden Message
    • C code using getenv()
    • Command Injection with filter
    • Pwning
      • Shoddy_CMP
      • PLT_PlayIT
  • Applied Cryptography
    • Linear Congruential Generator
  • Tools for everything
Powered by GitBook
On this page
  • Theorem Proveer
  • Symbolic Execution
  • Automated symbolic execution on binaries

Was this helpful?

  1. Enumeration and Initial Compromise
  2. Buffer Overflow Prep

Theorem Proving

PreviousSyscallsNextStripping readable function names

Last updated 1 year ago

Was this helpful?

Some programs are easy to bruteforce and get an answer to something(like in CTF challenges). But some programs are more complicated in nature and they often won't make it easy to bruteforce them like that. For example, a program sleeps for 5 seconds after supplying input. So bruteforcing becomes hard.

One way out is to open ghidra, copy the decompiled code in a file, compile it and bruteforce it that way.

Other way is by using a theorem prover!

Theorem Proveer

Theorem proving can help solve complex problems with "simple" input. General concept is that given a set of contraints, a theorem prover will find a solution to satisfy all of them or tell you if it's not satisfiable.

Most common and robust theorem prover is z3:

z3 supports many types. Most commonly:

  • Ints (arbitrary length integer)

  • BitVecs (integers of a specific bit length)

  • Bools (T/F)

  • Solver (how we check for output from the engine)

pip3 install z3-solver

In [1]: from z3 import Ints, Solver

In [2]: a, b = Ints("a b")

In [3]: a
Out[3]: a

In [4]: b
Out[4]: b

In [5]: s=Solver()

In [6]: s.add((a+b)*2==100)

In [7]: s.add((a-b)*10 == 0)

In [8]: s.check()
Out[8]: sat

In [9]: s.model
Out[9]: <bound method Solver.model of [(a + b)*2 == 100, (a - b)*10 == 0]>

In [10]: s.model()
Out[10]: [b = 25, a = 25]

Solver.add() => Adds conditions to the model

Solver.sat() => Checks if the conditions added satisfy a solution or not. sat=satisfiable or unsat=unsatisfiable

Solver.model() => Outputs the solution

Another example for the same equations we provided:

Now, here is a simple fibonacci recursive function in C. Find the value of a and b which would return 1 upon satisfying the first if condition:

int recurse(int a, int b, int c) {
  int sum = a + b;
  if (c == 16 && sum == 116369) {
    return 1;
  } else if (c < 16) {
    return recurse(b, sum, c + 1);
  } else {
    return 0;
  }
}=

As we can see here:

when c=1, sum = a+b

Then recursive function is faced and then:

a becomes b

b becomes sum(a+b)

So, lets say at c=1, a=1, b=1; sum=2

c=2: a=b;b=a+b => a=1;b=2; sum=3

c=3: a=a;b=a+b => a=2;b=3;sum=5

...and so on

The general transformation for a and b is: a=b, b=a+b

This goes on until c becomes 16.

So, python function becomes:

def recurse(a,b):
    for i in range(1,17):
        a=b
        b=a+b
    return b

Using z3 this can be solved like:

So, at a=13 and b=37, we'll have c=16 and sum=116369

Symbolic Execution

Rather than treating input as a concrete value, a symbolic execution refers to putting in a symbolic value (variable) and running through a program keeping track of what operations were done on the symbolic variable and trying to explore all possible paths on the program.

In the screenshot above, when z==12, fail() is called and when z!=12, OK is printed. So, a variable lambda (λ) is read and assigned to y.

λ could take any value, and symbolic execution forks two paths, as it can proceed along both branches.

So, the constraint solver would determine that in order to reach fail(), λ would be equal to 6.

But as conditionals increase, each conditional creates two new branches of possibility. So for a large program, exponential paths will be created. This is not feasible. Its recommended to restrict symbolic execution to only a small part of the program which is relevant.

Automated symbolic execution on binaries

When doing this on binaries, models like z3 don't work as well as expected because for these, we need to take symbolic data and run it through assembly code.

We can use angr here!

https://github.com/Z3Prover/z3