Security Summer School

User Tools

Site Tools

session:08

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
session:08 [2018/07/03 19:16]
Razvan Deaconescu 		session:08 [2020/07/19 12:49] (current)
Line 1: Line 1:
-====== 0x08. Shellcodes (advanced) ======+====== 0x07. Shellcodes (advanced) ======
  
 ===== Resources ===== ===== Resources =====
  
-[[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|Activities archive]]+/*[[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|Activities archive]]*/ 
 + 
 +[[https://github.com/hexcellents/sss-exploit|Activities repo]]
  
 [[http://shell-storm.org/shellcode/|Shellcode repository]] [[http://shell-storm.org/shellcode/|Shellcode repository]]
Line 70: Line 72:
 ===== 4. Challenge: Shellcode as Argument ===== ===== 4. Challenge: Shellcode as Argument =====
  
-Go to ''02-challenge-shellcode-argv/'' in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].+Go to ''04-challenge-shellcode-argv/'' in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].
  
 Feed the ''vuln'' executable a proper ''x86_64'' shellcode as a program argument. Make sure it works by running it by itself and then run it under ''strace''. Feed the ''vuln'' executable a proper ''x86_64'' shellcode as a program argument. Make sure it works by running it by itself and then run it under ''strace''.
Line 191: Line 193:
 Create a simple C program using a buffer overflow and able to store a shellcode into a global (data) variable. Compile it both for 32 and 64 bits. Then create exploits for them using ''pwntools''. Do something similar to the challenge 9, but vary buffer sizes. Do a pwntools-based exploit for 32 bits and one for 64 bits. Create a simple C program using a buffer overflow and able to store a shellcode into a global (data) variable. Compile it both for 32 and 64 bits. Then create exploits for them using ''pwntools''. Do something similar to the challenge 9, but vary buffer sizes. Do a pwntools-based exploit for 32 bits and one for 64 bits.
  
 +Create your simple C program in ''src/vuln.c'' altering the provided skeleton.
 +
 +The ''Makefile'' in ''src/'' builds the ''vuln.c'' file two executables ''vuln32'' and ''vuln64'' for 32 and 64 bits. Create your exploits starting from the ''sol/exploit32_template.py'' and ''sol/exploit64_template.py'' scripts.
 +
 +===== 15. Tutorial: Shellcode on Stack =====
 +
 +Go to the ''15-tutorial-shellcode-on-stack/'' folder in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].
 +
 +We often use the stack to store the shellcode. That's what we use now.
 +
 +For that to happen easily we need to disable ASLR using ''setarch'' and then check it does work by using ''ldd'' and making sure no library address change:
 +<code>
 +$ setarch x86_64 -R /bin/bash
 +
 +$ ldd vuln
 +        linux-vdso.so.1 (0x00007ffff7ffb000)
 +        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7c16000)
 +        /lib64/ld-linux-x86-64.so.2 (0x0000555555554000)
 +$ ldd vuln
 +        linux-vdso.so.1 (0x00007ffff7ffb000)
 +        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7c16000)
 +        /lib64/ld-linux-x86-64.so.2 (0x0000555555554000)
 +</code>
 +
 +Then we go into GDB and determine the offset and at the same time find the buffer address:
 +<code>
 +$ gdb ./vuln
 +</code>
 +Use ''pattc'' and ''patto'' for that and determine the offset and, during the crash, find the buffer address in ''RAX''.
 +
 +In the ''sol/exploit.py'' script, we fill the ''approximate_buffer_address'' variable with the address from GDB and then we run along that. We run the program multiple times, until we find the proper address that is able to get us the shellcode to run.
 +
 +<note important>
 +To reenable ASLR, simply exit the shell you created using ''setarch''.
 +</note>
 +
 +===== 16. Challenge: io.netgarage.io level05 =====
 +
 +Go to the ''16-challenge-io.netgarage.io-level05/'' folder in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].
 +
 +It's a buffer overflow that may end up calling a shellcode placed on the stack buffer.
 +
 +Create a ''sol/exploit.py'' script that exploits the ''vuln'' executable. Use the ''sol/exploit.py'' script from the tutorial above as a starting point.
 +
 +<note tip>
 +Use the ''argv'' parameter to the ''process()'' call in pwntools to pass an argument to the program. Read more [[http://docs.pwntools.com/en/stable/tubes/processes.html|here]].
 +</note>
 +
 +<note important>
 +Disable ASLR using ''setarch'' before running the exploit.
 +</note>
 +
 +===== 17. Challenge: Shellcode on Stack =====
 +
 +Go to the ''17-challenge-shellcode-on-stack/'' folder in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].
 +
 +Update the ''sol/exploit.py'' script that exploits the ''vuln'' executable. It's similar to challenge 15.
 +
 +===== 18. Challenge: Shellcode on Stack (32 bit) =====
 +
 +Go to the ''18-challenge-shellcode-on-stack-32/'' folder in the [[http://security.cs.pub.ro/summer-school/res/arc/08-shellcodes-advanced-skel.zip|activities archive]].
 +
 +It's similar to the challenge above, except that it runs on 32 bits. Copy and update the ''exploit.py'' script from the solution above and update it to make it work on 32 bits.
  
 /* /*
session/08.1530634618.txt.gz · Last modified: 2018/07/03 19:16 by Razvan Deaconescu

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki