Differences

This shows you the differences between two versions of the page.

--- session:12 [2017/07/02 11:15]
Laura-Cristina RUSE (23439) created
+++ session:12 [2020/07/20 17:34] (current)
Liza-Elena BABU (78556) [1. Challenge: Using ROP to Leak and Call system()]
@@ Line 1: / Line 1: @@
-= 0x0B. Return Oriented Programming (part 2)
+====== 0x0B. Return Oriented Programming (advanced) ======
-== Slides
+===== Slides =====
-[[https://security.cs.pub.ro/summer-school/res/slides/12-return-oriented-programming-advanced.pdf|Session slides]]
+[[https://security.cs.pub.ro/summer-school/res/slides/12-return-oriented-programming-advanced.pdf|Session 12 slides]]
-== Setup
+[[https://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-skel.zip|Session's tutorials and challenges archive]]
-The ROPgadget version installed in the [[|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as ''root'') before starting this session and using ROPgadget:
+[[https://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-full.zip|Session's solutions]]
+===== Setup =====
+The ROPgadget version installed in the [[start|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as ''root'') before starting this session and using ROPgadget:
 <code>
 pip install --upgrade ropgadget
@@ Line 17: / Line 21: @@
 </code>
-== Tutorials
+===== Tutorials =====
 In this lab we are going to dive deeper into ROP (//Return Oriented Programming//) and setbacks that appear in modern exploitation. Topics covered:
@@ Line 27: / Line 31: @@
   * ROP for syscalls and 64 bits
-As the basis of the lab we will use a CTF task called **ropasaurusrex** and gradually make exploitation harder.
+As the basis of the lab we will use a CTF challenge called **ropasaurusrex** and gradually make exploitation harder.
-First download the [[https://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-skel.zip|session archive]].
-=== Calling Conventions in the ROP Context
+==== Calling Conventions in the ROP Context ====
 As you know, the [[:session:02#function-calls|calling convention for 32 bits]] uses the stack. This means that setting up parameters is as easy as just writing them in the payload.
@@ Line 88: / Line 90: @@
-=== Intro to pwntools
+==== Intro to pwntools ====
 Writing exploits in command line using expressions such as the following is prone to errors:
@@ Line 102: / Line 104: @@
 </code>
-However, exploitation rarely requires only a static payload. ASLR usually makes the exploit developer work harder and first obtain an info leak and then readjust the payload for that specific memory layout instance. To this end, some frameworks come to your aid to make life simpler. We shall focus on [[http://pwntools.com/|pwntools]] which features:
+However, exploitation rarely requires only a static payload. ASLR usually makes the exploit developer work harder and first obtain an info leak and then readjust the payload for that specific memory layout instance. To this end, some frameworks come to your aid to make life simpler. As seen in the previous sessions, [[http://pwntools.com/|pwntools]] is intended to make exploit writing as simple as possible and today we will focus on the following features:
   * local exploitation / remote exploitation: https://github.com/binjitsu/tutorial/blob/master/tubes.md
-  * auto gdb attach: http://pwntools.readthedocs.io/en/latest/gdb.html
+  * auto gdb attach: http://docs.pwntools.com/en/stable/gdb.html
   * rop gadget search / rop chain assembly
-  * shellcode generation: http://pwntools.readthedocs.io/en/latest/shellcraft.html
+  * shellcode generation: http://docs.pwntools.com/en/stable/shellcraft.html
   * plenty other
@@ Line 145: / Line 147: @@
   - interact with the process using ''recvuntil'' and ''sendline'' functions
-=== Task 0 walkthrough
+==== Challenge 0 walkthrough ====
-Let's do a walkthrough/tutorial to work with the basic functionality of pwntools. We will use the first task and identify the vulnerability and write an exploit. For that change to the ''task-01/'' subfolder, and exploit the ''ropasaurusrex1'' executable in order to overflow the saved EBP, EIP and write the string //ELF// to standard output.
+Let's do a walkthrough/tutorial to work with the basic functionality of pwntools. We will use the first task and identify the vulnerability and write an exploit. For that change to the ''challenge-01/'' subfolder, and exploit the ''ropasaurusrex1'' executable in order to overflow the saved EBP, EIP and write the string //ELF// to standard output.
 First we need to look in the binary and observe the stack buffer overflow:
@@ Line 273: / Line 275: @@
-== Tasks
+===== Challenges =====
-=== Task 1: Using ROP to Leak and Call system()
+==== 1. Challenge: Using ROP to Leak and Call system() ====
 Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''task-01/ropasaurusrex1'' executable file and update the script above in order to spawn a shell.
@@ Line 312: / Line 314: @@
 <note tip>
-Fire up GDB on the libc library and save the offset of the function you want to leak and ''system()'':
+To find out the address of the ''system()'' call when you know the address of the ''puts()'' call, use [[https://github.com/razvand/snippets/blob/master/pwntools/exploit.py|this pwntools snippet]]. Check the last lines that compute the address of ''system()''
+</note>
+/*
+<note tip>
+As an alternative, more cumbersom method, fire up GDB on the libc library and save the offset of the function you want to leak and ''system()'':
 <code>
 root@kali:~/12-rop/skel/task-01# ldd ropasaurusrex1
@@ Line 332: / Line 340: @@
 After the leak subtract the saved offset from it. You now have the libc base address (which should be aligned to a multiple of 0x1000). Use that address and add the other offset to compute the address of the ''system()'' call for the current run.
 </note>
+*/
 Call ''system()''.
@@ Line 342: / Line 352: @@
 For the actual parameter use the ''%%"sh"%%'' string already present in the vulnerable binary. Use ''searchmem'' in GDB to find the ''%%"sh"%%'' string in the executable.
 </note>
+==== 2. Challenge: Handling Low Stack Space ====
-=== Task 2: Handling Low Stack Space
 The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that.
@@ Line 380: / Line 389: @@
 Use a new ropchain to call ''%%system("sh")%%''. Use ''searchmem'' in GDB to locate the address of an ''sh'' string, same as the task above.
 </note>
-=== Task 3: Stack Pivoting
+==== 3. Challenge: Stack Pivoting ====
 Let's assume that ''main()'' function had additional constraints that made it impossible to repeat the overflow. How can we still solve it? The method is called stack pivoting. In short, this means making the stack pointer refer another (writable) memory area that has enough space, a memory area that we will populate with the actual ROP chain.
@@ Line 418: / Line 427: @@
 </note>
-=== Task 4 [Hard]: Change Memory Protection and Write Shellcode
+/*==== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode ====
 We want to exploit a more constrained environment. The constraint is to remove the ''system()'' call and use a statically linked executable with no connection to the standard C library or the ''system()'' call.
-Go the ''task-4/'' subfolder and first do a static and dynamic analysis of the ''ropasaurusrex4'' executable.
+Go the ''challenge-04/'' subfolder and first do a static and dynamic analysis of the ''ropasaurusrex4'' executable.
 <note important>
@@ Line 437: / Line 446: @@
 You can use a "fake" call to setup the ''ebx'', ''ecx'' and ''edx'' registers. Check the executable.
-You need a proper gadget to fill the value of ''eax'' to the ''mprotect'' system call number. Use the [[http://pwntools.readthedocs.io/en/latest/constants.html|constants module in pwnlib]] to extract the ''mprotect'' system call number.
+You need a proper gadget to fill the value of ''eax'' to the ''mprotect'' system call number. Use the [[http://docs.pwntools.com/en/stable/constants.html|constants module in pwnlib]] to extract the ''mprotect'' system call number.
 </note>
@@ Line 449: / Line 458: @@
 <note tip>
-Use the [[http://pwntools.readthedocs.io/en/latest/shellcraft.html|shellcraft module in pwnlib]] to create a shellcode and use the [[http://pwntools.readthedocs.io/en/latest/asm.html|asm() function in pwnlib]] to assemble the shellcode.
+Use the [[http://docs.pwntools.com/en/stable/shellcraft.html|shellcraft module in pwnlib]] to create a shellcode and use the [[http://docs.pwntools.com/en/stable/asm.html|asm() function in pwnlib]] to assemble the shellcode.
 </note>
+*/
-=== Task 5 [Bonus]
+==== 4. Challenge [Bonus] ====
-Switch to task5. You have a 64 bit binary that you need to exploit to execute /bin/date:
+Switch to ''task-04''. You have a 64 bit binary that you need to exploit to execute /bin/date:
   * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention.
   * Then overflow the second buffer and issue a syscall for **execve("/bin/sh", ["/bin/sh", "-c", "/bin/date"], NULL)**. You will need to prepare registers for the 64 bit syscall convention.
   * Extra: Pop a shell.
+==== Resources: ====
+  * https://syscalls.kernelgrok.com/
+  * http://articles.manugarg.com/systemcallinlinux2_6.html
+  * https://eli.thegreenplace.net/2011/11/03/position-independent-code-pic-in-shared-libraries#the-procedure-linkage-table-plt
+  * https://github.com/Gallopsled/pwntools-tutorial/tree/master/walkthrough

Security Summer School

User Tools

Site Tools

Differences

Page Tools