This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
session:07 [2018/07/02 09:39] Dennis-Adrian PLOSCEANU (25612) [04.a. Tutorial: Graceful return/exit from shellcode] |
session:07 [2020/07/19 12:49] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== | + | ====== |
===== Resources ===== | ===== Resources ===== | ||
- | {{:public: | + | To work this session, first clone/ |
- | [[http:// | + | Other resources: |
- | + | | |
- | [[http:// | + | |
===== Initial info ===== | ===== Initial info ===== | ||
Line 15: | Line 14: | ||
An attacker will typically employ information leak attacks to extract address and values, would use buffer overflow attacks to overwrite sensible data, inject shellcodes and execute them by modifying the program control flow and others. The way these steps are woven together depends on the vulnerability and the program specifics. The attacker is the one that needs to find the best way to tie these steps together to exploit the vulnerability. | An attacker will typically employ information leak attacks to extract address and values, would use buffer overflow attacks to overwrite sensible data, inject shellcodes and execute them by modifying the program control flow and others. The way these steps are woven together depends on the vulnerability and the program specifics. The attacker is the one that needs to find the best way to tie these steps together to exploit the vulnerability. | ||
- | When doing a shellcode-based attack, the attacker needs to execute code from that shellcode into memory. For that to happen, the attacker needs to run three steps: | ||
- | - The attacker needs to create the shellcode. This is typically done by writing assembly code and then assembling that code into binary code. | ||
- | - The attacker places the shellcode inside the vulnerable process address space. This is done by feeding the binary shellcode as input: standard input, program arguments, reading from sockets, environment variables. | ||
- | - The attacker needs to trigger the execution of the shellcode. This means altering the program control flow by typically altering a function return address or a function pointer to point to the start of the shellcode. | ||
- | |||
- | While the above three steps are not necessarily chronological, | ||
===== Shellcode ===== | ===== Shellcode ===== | ||
Line 566: | Line 559: | ||
==== 05.a. Challenge: Update the execve shellcode to work properly ==== | ==== 05.a. Challenge: Update the execve shellcode to work properly ==== | ||
- | In the '' | + | In the '' |
$ make | $ make | ||
cc -m32 -Wall -g -c -o vuln.o vuln.c | cc -m32 -Wall -g -c -o vuln.o vuln.c | ||
Line 587: | Line 580: | ||
In the '' | In the '' | ||
- | In the '' | + | In the '' |
Our goal is to provide the proper command line argument in order to overflow the '' | Our goal is to provide the proper command line argument in order to overflow the '' | ||
Line 835: | Line 828: | ||
Let's now get to the next step towards making the attack more realistic. We would rarely have the benefit of a function pointer (such as '' | Let's now get to the next step towards making the attack more realistic. We would rarely have the benefit of a function pointer (such as '' | ||
- | Inside the '' | + | Inside the '' |
Exploit this vulnerability by causing a buffer overflow of the '' | Exploit this vulnerability by causing a buffer overflow of the '' | ||
Line 850: | Line 843: | ||
Passing information as a program argument is one of the way to provide input to the vulnerable program. Another way is through standard input. Let's use standard input to cause a buffer overflow and run the shellcode (again inside the '' | Passing information as a program argument is one of the way to provide input to the vulnerable program. Another way is through standard input. Let's use standard input to cause a buffer overflow and run the shellcode (again inside the '' | ||
- | Inside the '' | + | Inside the '' |
- | * the initial data is now read from standard input using '' | + | * the initial data is now read from standard input using '' |
- | * the buffer we are going to overwrite is now 70 characters long | + | * the buffer we are going to overwrite is now 70 characters long |
- | * we've added an extra local variable before the buffer to make it a bit more challenging to determine the return address | + | * we've added an extra local variable before the buffer to make it a bit more challenging to determine the return address |
Similarly to the task above, exploit the vulnerability by causing a buffer overflow of the '' | Similarly to the task above, exploit the vulnerability by causing a buffer overflow of the '' | ||
Line 882: | Line 875: | ||
Now that we know how to cause a buffer overflow and trigger the execution of the shellcode, let's make another step into making things more realistic by injecting the shellcode into the program. Up until now the shellcode was conveniently stored in the '' | Now that we know how to cause a buffer overflow and trigger the execution of the shellcode, let's make another step into making things more realistic by injecting the shellcode into the program. Up until now the shellcode was conveniently stored in the '' | ||
- | Inside the '' | + | Inside the '' |
Similarly to the task above, exploit the vulnerability by injecting the '' | Similarly to the task above, exploit the vulnerability by injecting the '' | ||
Line 901: | Line 894: | ||
In the above task we were in luck that we had two buffers and both were filled by feeding input to the vulnerable program (in our case, through standard input). But that's not usually the case. Let's consider the situation where the '' | In the above task we were in luck that we had two buffers and both were filled by feeding input to the vulnerable program (in our case, through standard input). But that's not usually the case. Let's consider the situation where the '' | ||
- | In the '' | + | In the '' |
In short, we'll have to get to a situation where we overwrite the return address of '' | In short, we'll have to get to a situation where we overwrite the return address of '' | ||
Line 1164: | Line 1157: | ||
Run the attack on the **same** terminal you used to generate the segmentation fault and find out the '' | Run the attack on the **same** terminal you used to generate the segmentation fault and find out the '' | ||
</ | </ | ||
- | ==== 08.a. Challenge: Use stack buffer for storing the shellcode on another | + | ==== 08.a. Challenge: Use stack buffer for storing the shellcode on a new program ==== |
- | Let's to a similar task as the one above. In the '' | + | Let's to a similar task as the one above. In the '' |
===== Bonus ===== | ===== Bonus ===== | ||
Line 1216: | Line 1209: | ||
* you run the program with an empty environment, | * you run the program with an empty environment, | ||
* when running under gdb you also run with an empty environment, | * when running under gdb you also run with an empty environment, | ||
- | |||