This shows you the differences between two versions of the page.
session:08 [2018/07/03 16:54] Razvan Deaconescu |
session:08 [2020/07/19 12:49] (current) |
Line 1: | Line 1: | ||
- | ====== | + | ====== |
===== Resources ===== | ===== Resources ===== | ||
- | [[http:// | + | /*[[http:// |
- | [[http://shell-storm.org/shellcode/|Shellcode repository]] | + | [[https://github.com/hexcellents/sss-exploit|Activities repo]] |
+ | [[http:// | ||
===== Reminder: Shellcode ===== | ===== Reminder: Shellcode ===== | ||
Line 56: | Line 57: | ||
+++ exited with 42 +++ | +++ exited with 42 +++ | ||
</ | </ | ||
+ | |||
+ | ===== 2. Challenge: exec Shellcode ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Find a proper shellcode in the [[http:// | ||
+ | |||
+ | ===== 3. Challenge: exec Shellcode (x86_64) ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Find a proper shellcode in the [[http:// | ||
+ | |||
+ | ===== 4. Challenge: Shellcode as Argument ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Feed the '' | ||
+ | |||
+ | ===== 5. Challenge: Shellcode at Standard Input ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Feed the '' | ||
+ | < | ||
+ | cat <(python -c 'print " | ||
+ | </ | ||
+ | |||
+ | ===== 6. Tutorial: Buffer Overflow ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | The '' | ||
+ | <code c> | ||
+ | char input[64]; | ||
+ | fgets(input, | ||
+ | </ | ||
+ | |||
+ | We want to call the function '' | ||
+ | - Find the address of the '' | ||
+ | - Determine the offset from the start of the buffer to the place storing the function return address. | ||
+ | - Create a payload that overwrites the return address with the address of the win function. | ||
+ | |||
+ | We find the address of the '' | ||
+ | < | ||
+ | $ nm vuln | grep win | ||
+ | 00000000004005b7 t win | ||
+ | </ | ||
+ | |||
+ | We determine the offset from the start of the buffer to the place storing the function return address by using GDB PEDA doing the following steps: | ||
+ | - Run the program under GDB with '' | ||
+ | - Create a cyclic pattern using '' | ||
+ | - Run the program using '' | ||
+ | - Feed the cyclic pattern to it (copy-paste). | ||
+ | - Extract the substring value from '' | ||
+ | - Get the offset from the start of the buffer to the saved RBP using '' | ||
+ | - Add 8 to the offset (the size of saved RBP) to determine the offset from the start of the buffer to the place storing the function return address. | ||
+ | |||
+ | We create the payload by using Python: | ||
+ | < | ||
+ | python -c 'print " | ||
+ | </ | ||
+ | where: | ||
+ | - '' | ||
+ | - '' | ||
+ | |||
+ | We exploit the program by feeding the input to the '' | ||
+ | < | ||
+ | python -c 'print " | ||
+ | </ | ||
+ | |||
+ | The exploit script is in '' | ||
+ | < | ||
+ | $ ./ | ||
+ | Have a number: 50 | ||
+ | Hello! Gimme input: Glad to meet you! | ||
+ | Congrats! | ||
+ | ./ | ||
+ | 11653 Segmentation fault | ../src/vuln | ||
+ | </ | ||
+ | The printing of the '' | ||
+ | |||
+ | ===== 7. Challenge: Buffer Overflow ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Similarly to the tutorial in '' | ||
+ | |||
+ | ===== 8. Challenge: Buffer Overflow ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Similarly to the tutorial in '' | ||
+ | |||
+ | ===== 9. Challenge: Buffer Overflow and Shellcode ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Exploit the buffer overflow in the '' | ||
+ | |||
+ | ===== 10. Tutorial: Buffer Overflow in pwntools ===== | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | We use [[https:// | ||
+ | |||
+ | The '' | ||
+ | |||
+ | Check the [[http:// | ||
+ | |||
+ | ===== 11. Challenge: Buffer Overflow in pwntools ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Create a '' | ||
+ | |||
+ | ===== 12. Challenge: Buffer Overflow and No Code in pwntools ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Create a '' | ||
+ | |||
+ | ===== 13. Tutorial: Buffer Overflow and Shellcode in pwntools ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | This tutorial uses pwntools to craft a shellcode and then feed it to the program while also creating a buffer overflow payload. Go through it, see what it does. | ||
+ | |||
+ | Check the [[http:// | ||
+ | |||
+ | ===== 14. Challenge: Your Turn ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Create a simple C program using a buffer overflow and able to store a shellcode into a global (data) variable. Compile it both for 32 and 64 bits. Then create exploits for them using '' | ||
+ | |||
+ | Create your simple C program in '' | ||
+ | |||
+ | The '' | ||
+ | |||
+ | ===== 15. Tutorial: Shellcode on Stack ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | We often use the stack to store the shellcode. That's what we use now. | ||
+ | |||
+ | For that to happen easily we need to disable ASLR using '' | ||
+ | < | ||
+ | $ setarch x86_64 -R /bin/bash | ||
+ | |||
+ | $ ldd vuln | ||
+ | linux-vdso.so.1 (0x00007ffff7ffb000) | ||
+ | libc.so.6 => / | ||
+ | / | ||
+ | $ ldd vuln | ||
+ | linux-vdso.so.1 (0x00007ffff7ffb000) | ||
+ | libc.so.6 => / | ||
+ | / | ||
+ | </ | ||
+ | |||
+ | Then we go into GDB and determine the offset and at the same time find the buffer address: | ||
+ | < | ||
+ | $ gdb ./vuln | ||
+ | </ | ||
+ | Use '' | ||
+ | |||
+ | In the '' | ||
+ | |||
+ | <note important> | ||
+ | To reenable ASLR, simply exit the shell you created using '' | ||
+ | </ | ||
+ | |||
+ | ===== 16. Challenge: io.netgarage.io level05 ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | It's a buffer overflow that may end up calling a shellcode placed on the stack buffer. | ||
+ | |||
+ | Create a '' | ||
+ | |||
+ | <note tip> | ||
+ | Use the '' | ||
+ | </ | ||
+ | |||
+ | <note important> | ||
+ | Disable ASLR using '' | ||
+ | </ | ||
+ | |||
+ | ===== 17. Challenge: Shellcode on Stack ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | Update the '' | ||
+ | |||
+ | ===== 18. Challenge: Shellcode on Stack (32 bit) ===== | ||
+ | |||
+ | Go to the '' | ||
+ | |||
+ | It's similar to the challenge above, except that it runs on 32 bits. Copy and update the '' | ||
/* | /* |
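Review bot: the payload one-liners in challenge 5 and tutorial 6 (`python -c 'print "...`) rely on the Python 2 print statement; under Python 3 the same line is a syntax error, and `print(...)` would write text rather than raw bytes, so name `python2` explicitly or show the Python 3 form with `sys.stdout.buffer.write(...)`. Two smaller points: step 7 of the offset procedure ("Add 8 to the offset (the size of saved RBP)") is x86_64-specific, and since challenge 14 asks for a 32-bit build and challenge 18 "runs on 32 bits", one sentence saying the saved frame pointer is 4 bytes there would save readers a wrong offset; and the "Shellcode on Stack" listing runs `ldd vuln` twice after `setarch x86_64 -R /bin/bash` to show that the library load addresses no longer change, but the text never says that this is what the repeated output demonstrates, so a sentence before the listing would make the check explicit.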