This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
session:07 [2018/07/02 09:06] Dennis-Adrian PLOSCEANU (25612) [10.a. Challenge: Use stack buffer for storing the shellcode on another program] |
session:07 [2020/07/19 12:49] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== | + | ====== |
===== Resources ===== | ===== Resources ===== | ||
- | {{:public: | + | To work this session, first clone/ |
- | [[http:// | + | Other resources: |
- | + | | |
- | [[http:// | + | |
===== Initial info ===== | ===== Initial info ===== | ||
Line 15: | Line 14: | ||
An attacker will typically employ information leak attacks to extract address and values, would use buffer overflow attacks to overwrite sensible data, inject shellcodes and execute them by modifying the program control flow and others. The way these steps are woven together depends on the vulnerability and the program specifics. The attacker is the one that needs to find the best way to tie these steps together to exploit the vulnerability. | An attacker will typically employ information leak attacks to extract address and values, would use buffer overflow attacks to overwrite sensible data, inject shellcodes and execute them by modifying the program control flow and others. The way these steps are woven together depends on the vulnerability and the program specifics. The attacker is the one that needs to find the best way to tie these steps together to exploit the vulnerability. | ||
- | When doing a shellcode-based attack, the attacker needs to execute code from that shellcode into memory. For that to happen, the attacker needs to run three steps: | ||
- | - The attacker needs to create the shellcode. This is typically done by writing assembly code and then assembling that code into binary code. | ||
- | - The attacker places the shellcode inside the vulnerable process address space. This is done by feeding the binary shellcode as input: standard input, program arguments, reading from sockets, environment variables. | ||
- | - The attacker needs to trigger the execution of the shellcode. This means altering the program control flow by typically altering a function return address or a function pointer to point to the start of the shellcode. | ||
- | |||
- | While the above three steps are not necessarily chronological, | ||
===== Shellcode ===== | ===== Shellcode ===== | ||
Line 328: | Line 321: | ||
The '' | The '' | ||
- | All of the above steps are incorporated in the '' | + | All of the above steps are incorporated in the '' |
$ make | $ make | ||
nasm -o shellcode.bin shellcode.S | nasm -o shellcode.bin shellcode.S | ||
Line 352: | Line 345: | ||
Let's do the first one. A rather simple approach would be to add the '' | Let's do the first one. A rather simple approach would be to add the '' | ||
- | by adding a '' | + | by adding a '' |
$ cat shellcode.S | $ cat shellcode.S | ||
BITS 32 | BITS 32 | ||
Line 368: | Line 361: | ||
In the above listing we can see the addition of the '' | In the above listing we can see the addition of the '' | ||
- | We now need to extract the shellcode byte string and replace in the vulnerable program ('' | + | We now need to extract the shellcode byte string and replace in the vulnerable program ('' |
$ make print | $ make print | ||
nasm -o shellcode.bin shellcode.S | nasm -o shellcode.bin shellcode.S | ||
\x68\x21\x0a\x00\x00\x68\x6f\x72\x6c\x64\x68\x6f\x2c\x20\x57\x68\x48\x65\x6c\x6c\xba\x0e\x00\x00\x00\x89\xe1\xbb\x01\x00\x00\x00\xb8\x04\x00\x00\x00\xcd\x80\xc3 | \x68\x21\x0a\x00\x00\x68\x6f\x72\x6c\x64\x68\x6f\x2c\x20\x57\x68\x48\x65\x6c\x6c\xba\x0e\x00\x00\x00\x89\xe1\xbb\x01\x00\x00\x00\xb8\x04\x00\x00\x00\xcd\x80\xc3 | ||
</ | </ | ||
- | We now replace the above byte string shellcode in the '' | + | We now replace the above byte string shellcode in the '' |
$ cat vuln.c | $ cat vuln.c | ||
[...] | [...] | ||
Line 477: | Line 470: | ||
Our goal is to properly set the stack pointer before executing '' | Our goal is to properly set the stack pointer before executing '' | ||
- | |||
==== 04.b. Challenge: Fix ret instruction in shellcode ==== | ==== 04.b. Challenge: Fix ret instruction in shellcode ==== | ||
Line 565: | Line 557: | ||
The shellcode was successful and we managed to obtain a new shell. | The shellcode was successful and we managed to obtain a new shell. | ||
- | ==== 07.a. Challenge: Update the execve shellcode to work properly ==== | + | ==== 05.a. Challenge: Update the execve shellcode to work properly ==== |
- | In the '' | + | In the '' |
$ make | $ make | ||
cc -m32 -Wall -g -c -o vuln.o vuln.c | cc -m32 -Wall -g -c -o vuln.o vuln.c | ||
Line 588: | Line 580: | ||
In the '' | In the '' | ||
- | In the '' | + | In the '' |
Our goal is to provide the proper command line argument in order to overflow the '' | Our goal is to provide the proper command line argument in order to overflow the '' | ||
Line 836: | Line 828: | ||
Let's now get to the next step towards making the attack more realistic. We would rarely have the benefit of a function pointer (such as '' | Let's now get to the next step towards making the attack more realistic. We would rarely have the benefit of a function pointer (such as '' | ||
- | Inside the '' | + | Inside the '' |
Exploit this vulnerability by causing a buffer overflow of the '' | Exploit this vulnerability by causing a buffer overflow of the '' | ||
Line 851: | Line 843: | ||
Passing information as a program argument is one of the way to provide input to the vulnerable program. Another way is through standard input. Let's use standard input to cause a buffer overflow and run the shellcode (again inside the '' | Passing information as a program argument is one of the way to provide input to the vulnerable program. Another way is through standard input. Let's use standard input to cause a buffer overflow and run the shellcode (again inside the '' | ||
- | Inside the '' | + | Inside the '' |
- | * the initial data is now read from standard input using '' | + | * the initial data is now read from standard input using '' |
- | * the buffer we are going to overwrite is now 70 characters long | + | * the buffer we are going to overwrite is now 70 characters long |
- | * we've added an extra local variable before the buffer to make it a bit more challenging to determine the return address | + | * we've added an extra local variable before the buffer to make it a bit more challenging to determine the return address |
Similarly to the task above, exploit the vulnerability by causing a buffer overflow of the '' | Similarly to the task above, exploit the vulnerability by causing a buffer overflow of the '' | ||
Line 883: | Line 875: | ||
Now that we know how to cause a buffer overflow and trigger the execution of the shellcode, let's make another step into making things more realistic by injecting the shellcode into the program. Up until now the shellcode was conveniently stored in the '' | Now that we know how to cause a buffer overflow and trigger the execution of the shellcode, let's make another step into making things more realistic by injecting the shellcode into the program. Up until now the shellcode was conveniently stored in the '' | ||
- | Inside the '' | + | Inside the '' |
Similarly to the task above, exploit the vulnerability by injecting the '' | Similarly to the task above, exploit the vulnerability by injecting the '' | ||
Line 902: | Line 894: | ||
In the above task we were in luck that we had two buffers and both were filled by feeding input to the vulnerable program (in our case, through standard input). But that's not usually the case. Let's consider the situation where the '' | In the above task we were in luck that we had two buffers and both were filled by feeding input to the vulnerable program (in our case, through standard input). But that's not usually the case. Let's consider the situation where the '' | ||
- | In the '' | + | In the '' |
In short, we'll have to get to a situation where we overwrite the return address of '' | In short, we'll have to get to a situation where we overwrite the return address of '' | ||
Line 1165: | Line 1157: | ||
Run the attack on the **same** terminal you used to generate the segmentation fault and find out the '' | Run the attack on the **same** terminal you used to generate the segmentation fault and find out the '' | ||
</ | </ | ||
- | ==== 08.a. Challenge: Use stack buffer for storing the shellcode on another | + | ==== 08.a. Challenge: Use stack buffer for storing the shellcode on a new program ==== |
- | Let's to a similar task as the one above. In the '' | + | Let's to a similar task as the one above. In the '' |
- | ===== Tasks ===== | + | ===== Bonus ===== |
- | + | ||
- | {{ : | + | |
<note warning> | <note warning> | ||
Line 1181: | Line 1171: | ||
- | ==== Call trampoline ==== | + | ==== 09. Challenge: |
Another way of working with strings is to declare them as data inside the shellcode. However, if you do this, you won't know their address at compile-time. You have to obtain the address at runtime by abusing the call instruction, | Another way of working with strings is to declare them as data inside the shellcode. However, if you do this, you won't know their address at compile-time. You have to obtain the address at runtime by abusing the call instruction, | ||
Line 1198: | Line 1188: | ||
Write the shellcode that prints " | Write the shellcode that prints " | ||
- | ==== Exploit with known buffer address ==== | + | ==== 10. Challenge: |
<note important> | <note important> | ||
Line 1204: | Line 1194: | ||
</ | </ | ||
- | Switch to the //1-exact// directory. | + | Switch to the //10-challenge-known-buffer// directory. |
You'll have to exploit the vulnerable binary found there and get a shell. | You'll have to exploit the vulnerable binary found there and get a shell. | ||
Line 1219: | Line 1209: | ||
* you run the program with an empty environment, | * you run the program with an empty environment, | ||
* when running under gdb you also run with an empty environment, | * when running under gdb you also run with an empty environment, | ||
- | |||