session:07

session:07 [2018/07/02 09:43]
Dennis-Adrian PLOSCEANU (25612)
session:07 [2020/07/19 12:49] (current)
Line 1: Line 1:
-====== 0x07. Shellcodes ======+====== 0x06. Shellcodes ======
  
 ===== Resources ===== ===== Resources =====
  
-{{:public:sess-09_2015.pdf|Slides}}+To work this session, first clone/update [[https://github.com/hexcellents/sss-exploit|the repository]] and navigate to the ''07-shellcodes'' folder.
  
-[[http://security.cs.pub.ro/summer-school/res/arc/07-shellcodes-skel.zip|Tasks archive]] +Other resources
- +  [[http://shell-storm.org/shellcode/|Shellcode repository]]
-[[http://shell-storm.org/shellcode/|Shellcode repository]]+
  
 ===== Initial info ===== ===== Initial info =====
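Review bot: the new resources line `  [[http://shell-storm.org/shellcode/|Shellcode repository]]` is missing the `*` bullet marker; in DokuWiki two leading spaces followed by plain text render as a preformatted block, not a list item, so it should read `  * [[http://shell-storm.org/shellcode/|Shellcode repository]]` (and "Other resources" wants a trailing colon to match the page's style). The same hunk renumbers the heading from `0x07. Shellcodes` to `0x06. Shellcodes` while pointing readers at the `07-shellcodes` folder, and it drops the "Tasks archive" link even though later task descriptions on this page still say "in the tasks archive"; keep the numbering consistent and update those references in the same revision.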
Line 15: Line 14:
 An attacker will typically employ information leak attacks to extract address and values, would use buffer overflow attacks to overwrite sensible data, inject shellcodes and execute them by modifying the program control flow and others. The way these steps are woven together depends on the vulnerability and the program specifics. The attacker is the one that needs to find the best way to tie these steps together to exploit the vulnerability. An attacker will typically employ information leak attacks to extract address and values, would use buffer overflow attacks to overwrite sensible data, inject shellcodes and execute them by modifying the program control flow and others. The way these steps are woven together depends on the vulnerability and the program specifics. The attacker is the one that needs to find the best way to tie these steps together to exploit the vulnerability.
  
-When doing a shellcode-based attack, the attacker needs to execute code from that shellcode into memory. For that to happen, the attacker needs to run three steps: 
-  - The attacker needs to create the shellcode. This is typically done by writing assembly code and then assembling that code into binary code. 
-  - The attacker places the shellcode inside the vulnerable process address space. This is done by feeding the binary shellcode as input: standard input, program arguments, reading from sockets, environment variables. 
-  - The attacker needs to trigger the execution of the shellcode. This means altering the program control flow by typically altering a function return address or a function pointer to point to the start of the shellcode. 
- 
-While the above three steps are not necessarily chronological, one can identify each of them as parts of a shellcode-based attack. 
 ===== Shellcode ===== ===== Shellcode =====
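Review bot: this hunk deletes the three-step breakdown of a shellcode-based attack (create the shellcode, place it in the vulnerable process's address space, trigger its execution by redirecting control flow) without a visible replacement, yet the paragraph kept just above still tells the reader the attacker must "tie these steps together", so "these steps" now has no referent; either keep the list or reword that paragraph. While here, "to extract address and values" and "overwrite sensible data" in the retained paragraph read as typos for "addresses" and "sensitive data" and are left unfixed on both sides.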
  
Line 851: Line 844:
  
 Inside the ''07-challenge-use-standard-input/'' subfolder in the tasks archive you will find a vulnerable source code file (''vuln.c'') with a similar vulnerability to the one above: the use of ''strcpy()'' to cause a buffer overflow inside the ''do_nothing_successfully()'' function. There are several differences: Inside the ''07-challenge-use-standard-input/'' subfolder in the tasks archive you will find a vulnerable source code file (''vuln.c'') with a similar vulnerability to the one above: the use of ''strcpy()'' to cause a buffer overflow inside the ''do_nothing_successfully()'' function. There are several differences:
-* the initial data is now read from standard input using ''fgets()'' +  * the initial data is now read from standard input using ''fgets()'' 
-* the buffer we are going to overwrite is now 70 characters long +  * the buffer we are going to overwrite is now 70 characters long 
-* we've added an extra local variable before the buffer to make it a bit more challenging to determine the return address+  * we've added an extra local variable before the buffer to make it a bit more challenging to determine the return address
  
 Similarly to the task above, exploit the vulnerability by causing a buffer overflow of the ''buffer'' variable and overwriting the return address of the ''do_nothing_successfully()'' function to point to the shellcode (i.e. the address of the ''shellcode'' variable). Similarly to the task above, exploit the vulnerability by causing a buffer overflow of the ''buffer'' variable and overwriting the return address of the ''do_nothing_successfully()'' function to point to the shellcode (i.e. the address of the ''shellcode'' variable).
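Review bot: the change to the DokuWiki two-space `  * ` list indentation is correct (the bare `* ` lines would not have rendered as a list), but the unchanged context on both sides still locates the `07-challenge-use-standard-input/` subfolder "in the tasks archive", which this same revision replaced with the cloned repository and its `07-shellcodes` folder; that wording should be updated here so the task can actually be found.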
Line 1164: Line 1157:
 Run the attack on the **same** terminal you used to generate the segmentation fault and find out the ''esp'' address. It's generally a very good idea to run the vulnerable program under ''env -i''. Run the attack on the **same** terminal you used to generate the segmentation fault and find out the ''esp'' address. It's generally a very good idea to run the vulnerable program under ''env -i''.
 </note> </note>
-==== 08.a. Challenge: Use stack buffer for storing the shellcode on another program ====+==== 08.a. Challenge: Use stack buffer for storing the shellcode on a new program ====
  
 Let's to a similar task as the one above. In the ''08-challenge-shellcode-in-stack-buffer-2/'' subfolder from the tasks archive there is a slightly updated vulnerable file. Use the same vulnerability as in the task above to obtain a shell. Let's to a similar task as the one above. In the ''08-challenge-shellcode-in-stack-buffer-2/'' subfolder from the tasks archive there is a slightly updated vulnerable file. Use the same vulnerability as in the task above to obtain a shell.
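Review bot: the heading rename from "on another program" to "on a new program" is fine, but the body line "Let's to a similar task as the one above" carries the same typo on both sides ("Let's do"), and "from the tasks archive" again refers to the archive link removed earlier in this revision; fix the typo and point to the `08-challenge-shellcode-in-stack-buffer-2/` subfolder of the repository instead.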
session/07.1530513785.txt.gz · Last modified: 2018/07/02 09:43 by Dennis-Adrian PLOSCEANU (25612)