This shows you the differences between two versions of the page.
session:08 [2018/07/03 16:17] Razvan Deaconescu [Resources] |
session:08 [2020/07/19 12:49] (current) |
Line 1: | Line 1: | ||
- | ====== | + | ====== |
===== Resources ===== | ===== Resources ===== | ||
- | [[http:// | + | /*[[http:// |
+ | |||
+ | [[https:// | ||
[[http:// | [[http:// | ||
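Review bot: the old resource link at the top of the Resources list is commented out with `/*[[http://` rather than deleted; since the page history already keeps the previous link, remove the line outright or add a short comment on why it is retained, so the page source does not accumulate dead markup.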
Line 17: | Line 19: | ||
- Inject the shellcode into the memory address space of the vulnerable process. This is fed through some form of input to the process (standard input, program arguments, sockets, I/O, environment variables etc.). | - Inject the shellcode into the memory address space of the vulnerable process. This is fed through some form of input to the process (standard input, program arguments, sockets, I/O, environment variables etc.). | ||
- Trigger the running of the shellcode by jumping to the shellcode address, usually done through a buffer overflow. | - Trigger the running of the shellcode by jumping to the shellcode address, usually done through a buffer overflow. | ||
+ | |||
+ | ===== 1. Tutorial: Shellcode Running ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | '' | ||
+ | < | ||
+ | $ make print | ||
+ | \xbb\x2a\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80 | ||
+ | </ | ||
+ | |||
+ | The shellcode is already part of '' | ||
+ | <code c> | ||
+ | void (*func_ptr)(void) = (void (*)(void)) shellcode; | ||
+ | func_ptr(); | ||
+ | </ | ||
+ | |||
+ | This is possible due to making the data section executable when linking the '' | ||
+ | |||
+ | You can check it works properly by running it and checking the return code: | ||
+ | < | ||
+ | $ ./vuln | ||
+ | Nice function at 0x8048510 | ||
+ | $ echo $? | ||
+ | 42 | ||
+ | </ | ||
+ | |||
+ | You can also check that by running the '' | ||
+ | < | ||
+ | $ strace ./vuln | ||
+ | execve(" | ||
+ | strace: [ Process PID=11063 runs in 32 bit mode. ] | ||
+ | [...] | ||
+ | write(1, "Nice function at 0x8048510\n", | ||
+ | ) = 27 | ||
+ | exit(42) | ||
+ | +++ exited with 42 +++ | ||
+ | </ | ||
+ | |||
+ | ===== 2. Challenge: exec Shellcode ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Find a proper shellcode in the [[http:// | ||
+ | |||
+ | ===== 3. Challenge: exec Shellcode (x86_64) ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Find a proper shellcode in the [[http:// | ||
+ | |||
+ | ===== 4. Challenge: Shellcode as Argument ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Feed the '' | ||
+ | |||
+ | ===== 5. Challenge: Shellcode at Standard Input ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Feed the '' | ||
+ | < | ||
+ | cat <(python -c 'print " | ||
+ | </ | ||
+ | |||
+ | ===== 6. Tutorial: Buffer Overflow ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | The '' | ||
+ | <code c> | ||
+ | char input[64]; | ||
+ | fgets(input, | ||
+ | </ | ||
+ | |||
+ | We want to call the function '' | ||
+ | - Find the address of the '' | ||
+ | - Determine the offset from the start of the buffer to the place storing the function return address. | ||
+ | - Create a payload that overwrites the return address with the address of the win function. | ||
+ | |||
+ | We find the address of the '' | ||
+ | < | ||
+ | $ nm vuln | grep win | ||
+ | 00000000004005b7 t win | ||
+ | </ | ||
+ | |||
+ | We determine the offset from the start of the buffer to the place storing the function return address by using GDB PEDA doing the following steps: | ||
+ | - Run the program under GDB with '' | ||
+ | - Create a cyclic pattern using '' | ||
+ | - Run the program using '' | ||
+ | - Feed the cyclic pattern to it (copy-paste). | ||
+ | - Extract the substring value from '' | ||
+ | - Get the offset from the start of the buffer to the saved RBP using '' | ||
+ | - Add 8 to the offset (the size of saved RBP) to determine the offset from the start of the buffer to the place storing the function return address. | ||
+ | |||
+ | We create the payload by using Python: | ||
+ | < | ||
+ | python -c 'print " | ||
+ | </ | ||
+ | where: | ||
+ | - '' | ||
+ | - '' | ||
+ | |||
+ | We exploit the program by feeding the input to the '' | ||
+ | < | ||
+ | python -c 'print " | ||
+ | </ | ||
+ | |||
+ | The exploit script is in '' | ||
+ | < | ||
+ | $ ./ | ||
+ | Have a number: 50 | ||
+ | Hello! Gimme input: Glad to meet you! | ||
+ | Congrats! | ||
+ | ./ | ||
+ | 11653 Segmentation fault | ../src/vuln | ||
+ | </ | ||
+ | The printing of the '' | ||
+ | |||
+ | ===== 7. Challenge: Buffer Overflow ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Similarly to the tutorial in '' | ||
+ | |||
+ | ===== 8. Challenge: Buffer Overflow ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Similarly to the tutorial in '' | ||
+ | |||
+ | ===== 9. Challenge: Buffer Overflow and Shellcode ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Exploit the buffer overflow in the '' | ||
+ | |||
+ | ===== 10. Tutorial: Buffer Overflow in pwntools ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | We use [[https:// | ||
+ | |||
+ | The '' | ||
+ | |||
+ | Check the [[http:// | ||
+ | |||
+ | ===== 11. Challenge: Buffer Overflow in pwntools ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Create a '' | ||
+ | |||
+ | ===== 12. Challenge: Buffer Overflow and No Code in pwntools ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Create a '' | ||
+ | |||
+ | ===== 13. Tutorial: Buffer Overflow and Shellcode in pwntools ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | This tutorial uses pwntools to craft a shellcode and then feed it to the program while also creating a buffer overflow payload. Go through it, see what it does. | ||
+ | |||
+ | Check the [[http:// | ||
+ | |||
+ | ===== 14. Challenge: Your Turn ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Create a simple C program using a buffer overflow and able to store a shellcode into a global (data) variable. Compile it both for 32 and 64 bits. Then create exploits for them using '' | ||
+ | |||
+ | Create your simple C program in '' | ||
+ | |||
+ | The '' | ||
+ | |||
+ | ===== 15. Tutorial: Shellcode on Stack ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | We often use the stack to store the shellcode. That's what we use now. | ||
+ | |||
+ | For that to happen easily we need to disable ASLR using '' | ||
+ | < | ||
+ | $ setarch x86_64 -R /bin/bash | ||
+ | |||
+ | $ ldd vuln | ||
+ | linux-vdso.so.1 (0x00007ffff7ffb000) | ||
+ | libc.so.6 => / | ||
+ | / | ||
+ | $ ldd vuln | ||
+ | linux-vdso.so.1 (0x00007ffff7ffb000) | ||
+ | libc.so.6 => / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | Then we go into GDB and determine the offset and at the same time find the buffer address: | ||
+ | < | ||
+ | $ gdb ./vuln | ||
+ | </ | ||
+ | Use '' | ||
+ | |||
+ | In the '' | ||
+ | |||
+ | <note important> | ||
+ | To reenable ASLR, simply exit the shell you created using '' | ||
+ | </ | ||
+ | |||
+ | ===== 16. Challenge: io.netgarage.io level05 ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | It's a buffer overflow that may end up calling a shellcode placed on the stack buffer. | ||
+ | |||
+ | Create a '' | ||
+ | |||
+ | <note tip> | ||
+ | Use the '' | ||
+ | </ | ||
+ | |||
+ | <note important> | ||
+ | Disable ASLR using '' | ||
+ | </ | ||
+ | |||
+ | ===== 17. Challenge: Shellcode on Stack ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Update the '' | ||
+ | |||
+ | ===== 18. Challenge: Shellcode on Stack (32 bit) ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | It's similar to the challenge above, except that it runs on 32 bits. Copy and update the '' | ||
+ | |||
+ | /* | ||
==== 10.b. Challenge: Buffer is too small: Use another buffer for storing the shellcode ==== | ==== 10.b. Challenge: Buffer is too small: Use another buffer for storing the shellcode ==== | ||
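Review bot: the payload one-liners in sections 5 and 6 (`python -c 'print "`) use the Python 2 print statement, which fails wherever `python` resolves to Python 3; either spell out `python2` or move them into the pwntools scripts that sections 10 to 13 introduce. Two smaller documentation points in the same hunk: sections 7 and 8 carry the identical heading `Challenge: Buffer Overflow` and should be told apart (for example by architecture), and the two identical `ldd vuln` listings in section 15 are shown without saying what they prove; one sentence noting that identical library load addresses across runs confirm ASLR is off would make the check self-explanatory.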
Line 135: | Line 376: | ||
You still have to know what value to overwrite the return address with, that is, the address of the environment variable. To do this, you can write a small program that searches the variable in the environment and prints its address. Then you use the same address (or something around it) in your exploit, assuming that the environment is roughly the same when passed from the shell to its child processes. | You still have to know what value to overwrite the return address with, that is, the address of the environment variable. To do this, you can write a small program that searches the variable in the environment and prints its address. Then you use the same address (or something around it) in your exploit, assuming that the environment is roughly the same when passed from the shell to its child processes. | ||
+ | */ |
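Review bot: the closing `*/` here pairs with the `/*` opened at the end of section 18, so the whole 10.b challenge, including the environment-variable technique described in the unchanged line above, is commented out rather than removed. If the material is obsolete, delete it so the source stays readable; if it is meant to be reinstated later, add a short comment saying so.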