This shows you the differences between two versions of the page.
session:12 [2017/07/02 11:15] Laura-Cristina RUSE (23439) created |
session:12 [2020/07/20 17:34] (current) Liza-Elena BABU (78556) [1. Challenge: Using ROP to Leak and Call system()] |
Line 1: | Line 1: | ||
- | = 0x0B. Return Oriented Programming (part 2) | + | ====== 0x0B. Return Oriented Programming (advanced) ====== |
- | == Slides | + | ===== Slides |
- | [[https:// | + | [[https:// |
- | == Setup | + | [[https:// |
- | The ROPgadget version installed in the [[|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as '' | + | [[https:// |
+ | |||
+ | ===== Setup ===== | ||
+ | |||
+ | The ROPgadget version installed in the [[start|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as '' | ||
< | < | ||
pip install --upgrade ropgadget | pip install --upgrade ropgadget | ||
Line 17: | Line 21: | ||
</ | </ | ||
- | == Tutorials | + | ===== Tutorials |
In this lab we are going to dive deeper into ROP (//Return Oriented Programming// | In this lab we are going to dive deeper into ROP (//Return Oriented Programming// | ||
Line 27: | Line 31: | ||
* ROP for syscalls and 64 bits | * ROP for syscalls and 64 bits | ||
- | As the basis of the lab we will use a CTF task called **ropasaurusrex** and gradually make exploitation harder. | + | As the basis of the lab we will use a CTF challenge |
- | + | ||
- | First download the [[https:// | + | |
- | === Calling Conventions in the ROP Context | + | ==== Calling Conventions in the ROP Context |
As you know, the [[: | As you know, the [[: | ||
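Review bot: the line "First download the [[https://..." that pointed students to the challenge binary is dropped in this hunk with nothing put in its place; unless the new "CTF challenge" sentence (cut off here) now carries that link, the Tutorials intro no longer says where to get ropasaurusrex, so either keep the download line or confirm the link was moved into the Setup or Challenges section.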
Line 88: | Line 90: | ||
- | === Intro to pwntools | + | ==== Intro to pwntools |
Writing exploits in command line using expressions such as the following is prone to errors: | Writing exploits in command line using expressions such as the following is prone to errors: | ||
Line 102: | Line 104: | ||
</ | </ | ||
- | However, exploitation rarely requires only a static payload. ASLR usually makes the exploit developer work harder and first obtain an info leak and then readjust the payload for that specific memory layout instance. To this end, some frameworks come to your aid to make life simpler. | + | However, exploitation rarely requires only a static payload. ASLR usually makes the exploit developer work harder and first obtain an info leak and then readjust the payload for that specific memory layout instance. To this end, some frameworks come to your aid to make life simpler. |
* local exploitation / remote exploitation: | * local exploitation / remote exploitation: | ||
- | * auto gdb attach: http://pwntools.readthedocs.io/en/latest/gdb.html | + | * auto gdb attach: http://docs.pwntools.com/en/stable/gdb.html |
* rop gadget search / rop chain assembly | * rop gadget search / rop chain assembly | ||
- | * shellcode generation: http://pwntools.readthedocs.io/en/latest/ | + | * shellcode generation: http://docs.pwntools.com/en/stable/ |
* plenty other | * plenty other | ||
Line 145: | Line 147: | ||
- interact with the process using '' | - interact with the process using '' | ||
- | === Task 0 walkthrough | + | ==== Challenge |
- | Let's do a walkthrough/ | + | Let's do a walkthrough/ |
First we need to look in the binary and observe the stack buffer overflow: | First we need to look in the binary and observe the stack buffer overflow: | ||
Line 273: | Line 275: | ||
- | == Tasks | + | ===== Challenges ===== |
- | === Task 1: Using ROP to Leak and Call system() | + | ==== 1. Challenge: Using ROP to Leak and Call system() |
Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the '' | Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the '' | ||
Line 312: | Line 314: | ||
<note tip> | <note tip> | ||
- | Fire up GDB on the libc library and save the offset of the function you want to leak and '' | + | To find out the address of the '' |
+ | </ | ||
+ | |||
+ | /* | ||
+ | |||
+ | <note tip> | ||
+ | As an alternative, | ||
< | < | ||
root@kali: | root@kali: | ||
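Review bot: the old GDB-based tip is not deleted but wrapped in a `/*` comment opened here (its `*/` closes in the next hunk), which leaves a second `<note tip>` and the `root@kali:` terminal listing as dead text in the page source; either remove the block outright or drop the comment markers if the GDB alternative is still meant to be shown next to the new "To find out the address of the ..." instruction.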
Line 332: | Line 340: | ||
After the leak subtract the saved offset from it. You now have the libc base address (which should be aligned to a multiple of 0x1000). Use that address and add the other offset to compute the address of the '' | After the leak subtract the saved offset from it. You now have the libc base address (which should be aligned to a multiple of 0x1000). Use that address and add the other offset to compute the address of the '' | ||
</ | </ | ||
+ | |||
+ | */ | ||
Call '' | Call '' | ||
Line 342: | Line 352: | ||
For the actual parameter use the '' | For the actual parameter use the '' | ||
</ | </ | ||
- | + | ==== 2. Challenge: Handling Low Stack Space ==== | |
- | === Task 2: Handling Low Stack Space | + | |
The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that. | The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that. | ||
Line 380: | Line 389: | ||
Use a new ropchain to call '' | Use a new ropchain to call '' | ||
</ | </ | ||
- | === Task 3: Stack Pivoting | + | ==== 3. Challenge: Stack Pivoting |
Let's assume that '' | Let's assume that '' | ||
Line 418: | Line 427: | ||
</ | </ | ||
- | === Task 4 [Hard]: Change Memory Protection and Write Shellcode | + | /*==== 4. Challenge |
We want to exploit a more constrained environment. The constraint is to remove the '' | We want to exploit a more constrained environment. The constraint is to remove the '' | ||
- | Go the '' | + | Go the '' |
<note important> | <note important> | ||
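Review bot: the comment opener is fused onto the heading line (`/*==== 4. Challenge`), so the former "Task 4 [Hard]: Change Memory Protection and Write Shellcode" section is disabled rather than removed; put `/*` on its own line so the heading stays intact if the mprotect task is re-enabled, and say somewhere on the page why the task was withdrawn.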
Line 437: | Line 446: | ||
You can use a " | You can use a " | ||
- | You need a proper gadget to fill the value of '' | + | You need a proper gadget to fill the value of '' |
</ | </ | ||
Line 449: | Line 458: | ||
<note tip> | <note tip> | ||
- | Use the [[http://pwntools.readthedocs.io/en/latest/ | + | Use the [[http://docs.pwntools.com/en/stable/ |
</ | </ | ||
+ | */ | ||
- | === Task 5 [Bonus] | + | ==== 4. Challenge |
- | Switch to task5. You have a 64 bit binary that you need to exploit to execute /bin/date: | + | Switch to '' |
* First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention. | * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention. | ||
* Then overflow the second buffer and issue a syscall for **execve("/ | * Then overflow the second buffer and issue a syscall for **execve("/ | ||
* Extra: Pop a shell. | * Extra: Pop a shell. | ||
+ | ==== Resources: ==== | ||
+ | |||
+ | * https:// | ||
+ | * http:// | ||
+ | * https:// | ||
+ | * https:// |
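Review bot: renumbering "Task 5 [Bonus]" to "4. Challenge" while the commented-out mprotect task still carries a "4. Challenge" heading means re-enabling that block would yield two sections numbered 4, so pick the final numbering now; in addition the new "Resources:" heading keeps a trailing colon unlike "Slides", "Setup", "Tutorials" and "Challenges", so drop the colon for consistency.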