session:06

session:06 [2018/06/28 17:05]
Maria-Elena MIHĂILESCU (25616) [Diverting code execution] Add code snippet
session:06 [2020/07/19 12:49] (current)
Line 1: Line 1:
-0x06. Buffer Management+====== 0x05. Buffer Exploitation ======
  
-== Slides+===== Resources =====
  
-Slides are available [[http://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|here]].+[[https://security.cs.pub.ro/summer-school/res/slides/06-buffer-management.pdf|Session 5 slides]]
  
-[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]].+[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|Session's tutorials and challenges archive]]
  
 [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]]. [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|Session's code snippets]].
-== Tutorials 
  
-== Buffers+/*[[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-full.zip|Session's solutions]]*/ 
 + 
 +===== Tutorials ===== 
 + 
 +===== Buffers =====
  
 A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes. A buffer is an area of contiguous data in memory, determined by a starting address, contents and length. Understanding how buffers are used (or misused) is vital for both offensive and defensive purposes.
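Review bot: the retitling from `0x06. Buffer Management` to `0x05. Buffer Exploitation` and `Session 5 slides` leaves the session's identifiers inconsistent within this hunk: the slide, archive and snippet URLs still end in `06-buffer-management-*` and the page id is still `session:06`. If the files were not renamed on the server, the URLs are correct and only the displayed title changed, but then say so in the edit summary; otherwise update the three links together with the heading so readers do not go looking for a `05-` archive. Commenting the solutions link out with `/* ... */` keeps it readable to anyone who opens the wiki source, which is fine if it is only meant to be hidden from the rendered page until after the session.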
Line 215: Line 218:
 Can you guess how the resulting code will look like, disassembled? Where are we writing to? Can you guess how the resulting code will look like, disassembled? Where are we writing to?
  
-=== Stack buffer overflows+==== Stack buffer overflows ====
  
 As we have seen in previous sessions, the stack serves multiple purposes: As we have seen in previous sessions, the stack serves multiple purposes:
Line 405: Line 408:
 </note> </note>
  
-=== Diverting code execution+==== Diverting code execution ====
  
 We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says: We attempted to use the wonderful ''gets'' function, but the compiler does not generate it and the man page explicitly says:
Line 548: Line 551:
 </note> </note>
  
-=== Overwriting the stored return address+==== Overwriting the stored return address ====
  
 Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack. Let's wrap up our stack smashing adventure by changing the code flow through overwriting the return address stored on the stack.
  
-<code c>+You can find the following code snippet [[https://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-snippets.zip|here]] (''buffer_overflow_ret/buffer_overflow_ret.c''). 
 + 
 +<code c buffer_overflow_ret.c>
 #include <stdio.h> #include <stdio.h>
  
Line 586: Line 591:
  
 <code bash> <code bash>
-$ ./overret +$ ./buffer_overflow_ret 
 Please leave a message: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Please leave a message: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Nothing to see here Nothing to see here
Line 595: Line 600:
  
 <code bash> <code bash>
-$ gdb ./overret +$ gdb ./buffer_overflow_ret 
 gdb-peda$ pattc 100 gdb-peda$ pattc 100
 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL' 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AAL'
 gdb-peda$ r gdb-peda$ r
-Starting program: /tasks/overret/overret+Starting program: ./buffer_overflow_ret
 Please leave a message: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALL Please leave a message: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALL
 Nothing to see here Nothing to see here
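Review bot: `Starting program: ./buffer_overflow_ret` (and the same line in the later `r < payload` hunk, as well as the `argv[0]` string in the stack dump hunk) was edited by hand rather than re-captured. GDB prints the absolute path of the executable after `Starting program:`, so a student who reproduces the session sees a different line than the tutorial and may suspect something went wrong; re-run the session and paste the real transcript, or say explicitly that the path has been shortened. Unrelated but visible in the same hunk: the typed input on the `Please leave a message:` line ends in `AALL` while `pattc 100` produced a pattern ending in `AAL`, so the transcript is internally inconsistent and worth re-capturing in the same pass.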
Line 650: Line 655:
 <code bash> <code bash>
 gdb-peda$ r < payload gdb-peda$ r < payload
-Starting program: /tasks/overret/overret < payload+Starting program: ./buffer_overflow_ret < payload
 Please leave a message: Nothing to see here Please leave a message: Nothing to see here
  
Line 670: Line 675:
 [------------------------------------stack-------------------------------------] [------------------------------------stack-------------------------------------]
 0000| 0xffffd620 --> 0x0  0000| 0xffffd620 --> 0x0 
-0004| 0xffffd624 --> 0xffffd6b4 --> 0xffffd859 ("/tasks/overret/overret")+0004| 0xffffd624 --> 0xffffd6b4 --> 0xffffd859 ("./buffer_overflow_ret")
 0008| 0xffffd628 --> 0xffffd6bc --> 0xffffd8cb ("XDG_CONFIG_DIRS=/etc/xdg/xdg-ubuntu:/etc/xdg") 0008| 0xffffd628 --> 0xffffd6bc --> 0xffffd8cb ("XDG_CONFIG_DIRS=/etc/xdg/xdg-ubuntu:/etc/xdg")
 0012| 0xffffd62c --> 0xffffd644 --> 0x0  0012| 0xffffd62c --> 0xffffd644 --> 0x0 
Line 692: Line 697:
  
 <code> <code>
-$ cat payload | ./overret +$ cat payload | ./buffer_overflow_ret 
 Please leave a message: Nothing to see here Please leave a message: Nothing to see here
 Well done! Well done!
Line 704: Line 709:
 </note> </note>
  
-== Challenges+===== Challenges =====
  
 <note important> <note important>
Line 723: Line 728:
 Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]]. Use the following [[http://security.cs.pub.ro/summer-school/res/arc/06-buffer-management-skel.zip|archive]].
  
-=== 01. Parrot+==== 01. Parrot ====
  
 Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function. Some programs feature a "stack smashing protection" in the form of stack canaries, that is, values kept on the stack which are checked before returning from a function. If the value has changed, then the "canary" can conclude that stack data has been corrupted throughout the execution of the current function.
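Review bot: the archive link in the unchanged context of this hunk is `http://security.cs.pub.ro/.../06-buffer-management-skel.zip`, while the Resources section in this same revision links the identical file over `https://`; update it to `https://` so the challenge binaries are not fetched over plain HTTP.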
Line 729: Line 734:
 We have implemented our very own ''parrot''. Can you avoid it somehow? We have implemented our very own ''parrot''. Can you avoid it somehow?
  
-=== 02. Indexing+<note tip> 
 +Values are little endian. So if you want to send ''0xabcd'' you would send it as ''\xcd\xab\x00\x00''
 +</note> 
 + 
 +<note tip> 
 +When providing input to a program and wanting to maintain connection to its standard input, run: 
 +<code> 
 +cat payload - | ./program 
 +</code> 
 + 
 +Or, if you have a payload generator program such as ''payload.py'', run: 
 +<code> 
 +cat <(python payload.py) - | ./program 
 +</code> 
 +</note> 
 + 
 +==== 02. Indexing ====
  
 More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in. More complex programs require some form of protocol or user interaction. This is where the great [[https://github.com/Gallopsled/pwntools|pwntools]] come in.
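Review bot: the little-endian tip should state the width of the value: `\xcd\xab\x00\x00` is `0xabcd` encoded as a 32-bit value, but as written ("you would send it as") it reads as if every value is padded to four bytes, which is wrong for a 16-bit field or a 64-bit target. Suggest: `Values are little endian. So to send 0xabcd as a 32-bit value you send \xcd\xab\x00\x00 (least significant byte first).` In the second tip, `cat <(python payload.py) - | ./program` relies on process substitution, which bash and zsh support but `sh`/`dash` do not; add "in bash" so students whose default shell is dash do not get a syntax error. One clause explaining why the trailing `-` matters (cat sends the payload, then keeps forwarding the terminal to the program's stdin) would make the tip self-explanatory.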
Line 735: Line 756:
 Here's an interactive script to get you started: Here's an interactive script to get you started:
  
-<code python>+<code python exploit.py>
 #!/usr/bin/env python #!/usr/bin/env python
 from pwn import * from pwn import *
Line 750: Line 771:
 </code> </code>
  
-=== 03. Smashthestack Level7+<note tip> 
 +Go through GDB when aiming to solve this challenge. As all input values are strings, you can input them at the keyboard and follow their effect in GDB. 
 +</note> 
 + 
 +<note tip> 
 +You can inspect the behavior of a program for a given input by doing: 
 +<code> 
 +cat payload | strace ./program 
 +</code> 
 +That is, you will trace the program being exploited and see ''read()'' or other calls and how they fare for a given input. 
 +</note> 
 +==== 03. Smashthestack Level7 ====
  
 Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one. Now you can tackle a real challenge. See if you can figure out how you can get a shell from this one.
  
-=== 04Neighbourly+<note tip> 
 +There's an integer overflow + buffer overflow in the program. 
 +</note>
  
-Let's overwrite a structure'function pointer using a buffer overflow in its vicinity. The principle is the same.+<note tip> 
 +What are the four 32 bit values that multiplied by ''4'' give you, let'say, ''256''? 
 +</note>
  
-=== 05. BonusBirds+<note tip> 
 +In order to run a program that receives command line arguments under gdb, you can do the following:
  
-Time for more complex challengeBe patient and don't speed through it.+<code gdb> 
 +$ gdb ./main 
 +gdb$ set args arg1 arg2 arg3 
 +gdb$ start 
 +</code>  
 +</note> 
 +==== 04. Neighbourly ==== 
 + 
 +Let's overwrite structure's function pointer using a buffer overflow in its vicinityThe principle is the same. 
 + 
 +<note tip> 
 +The ''ptext'' field of the structure is a function pointer. Overwrite it with the address of the ''win()'' function. 
 +</note>
  
-=== 06. Uninitialized+==== 05. Uninitialized ====
  
 There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell. There's something faulty in the program, and it's **not** an buffer overflow. Provide the proper input to the executable and get a shell.
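Review bot: the new `==== 03. Smashthestack Level7 ====` and `==== 04. Neighbourly ====` headings are glued directly to the preceding `</note>` with no blank line in between, whereas every other heading in this revision is preceded by a blank line; add the blank lines for consistency. The gdb snippet in the third tip for 03 uses a `gdb$` prompt inside a `<code gdb>` fence, while the transcripts earlier on the page use `gdb-peda$` inside `<code bash>`; pick one convention (the peda prompt matches the rest of the tutorial). The `03.` tip that gives the integer-overflow hint and the arithmetic question effectively answer the challenge; if the intent is a nudge rather than a spoiler, consider wrapping them in a `<hidden>` block or moving them below the `04.` section.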
Line 769: Line 818:
 Do **not** use pwntools for this task. Do **not** use pwntools for this task.
 </note> </note>
-=== 07: Bonus: Uninitialized 2+==== 06: Bonus: Uninitialized 2 ====
  
 There's a small update to the ''uninitialized'' executable and you need to update your solution. There's a small update to the ''uninitialized'' executable and you need to update your solution.
  
 <note tip> <note tip>
-Use ''strace'' to understand what's happening differently.+Use ''ltrace'' to understand what's happening differently.
 </note> </note>
  
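Review bot: switching the hint from `strace` to `ltrace` changes what the student will see: `ltrace` reports calls into shared libraries (libc functions), `strace` reports system calls. If the updated `uninitialized` binary differs at the libc-call level this is the right tool, but `ltrace` shows nothing useful for a statically linked executable, so either state that the build is dynamically linked or phrase the hint as "compare `ltrace` (library calls) and `strace` (system calls) output between the two versions" so it holds either way.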
Line 780: Line 829:
 Create a pwntools-based script to solve both the initial executable and the bonus one. Create a pwntools-based script to solve both the initial executable and the bonus one.
 </note> </note>
 +
 +==== 05. Bonus: Birds ====
 +
 +Time for a more complex challenge. Be patient and don't speed through it.
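Review bot: the new heading `==== 05. Bonus: Birds ====` reuses number 05, which this revision already assigned to `05. Uninitialized` (followed by `06: Bonus: Uninitialized 2`); since Birds is appended at the end of the page it should be `07. Bonus: Birds`, or the previous order (Birds as 05 before Uninitialized) should be restored. While renumbering, `06: Bonus: Uninitialized 2` uses a colon after the number where every other heading uses a full stop.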
session/06.1530194733.txt.gz · Last modified: 2018/06/28 17:05 by Maria-Elena MIHĂILESCU (25616)