session:12

Differences

session:12 [2018/07/16 13:03]
Adriana COGEAN (25140)
session:12 [2020/07/20 17:34] (current)
Liza-Elena BABU (78556) [1. Challenge: Using ROP to Leak and Call system()]
Line 1: Line 1:
-0x0C. Return Oriented Programming (advanced)+====== 0x0B. Return Oriented Programming (advanced) ======
  
-== Slides+===== Slides =====
  
-[[https://security.cs.pub.ro/summer-school/res/slides/12-return-oriented-programming-advanced.pdf|Session slides]]+[[https://security.cs.pub.ro/summer-school/res/slides/12-return-oriented-programming-advanced.pdf|Session 12 slides]]
  
-== Setup+[[https://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-skel.zip|Session's tutorials and challenges archive]] 
 + 
 +[[https://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-full.zip|Session's solutions]] 
 + 
 +===== Setup =====
  
 The ROPgadget version installed in the [[start|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as ''root'') before starting this session and using ROPgadget: The ROPgadget version installed in the [[start|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as ''root'') before starting this session and using ROPgadget:
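Review bot: the title in line 1 is renumbered from 0x0C (12) to 0x0B (11), yet the page id is session:12 and every resource added in this hunk keeps the "12-return-oriented-programming-advanced" file prefix; confirm the intended session number and either keep 0x0C or rename the linked files consistently.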
Line 17: Line 21:
 </code> </code>
  
-== Tutorials+===== Tutorials =====
  
 In this lab we are going to dive deeper into ROP (//Return Oriented Programming//) and setbacks that appear in modern exploitation. Topics covered: In this lab we are going to dive deeper into ROP (//Return Oriented Programming//) and setbacks that appear in modern exploitation. Topics covered:
Line 29: Line 33:
 As the basis of the lab we will use a CTF challenge called **ropasaurusrex** and gradually make exploitation harder. As the basis of the lab we will use a CTF challenge called **ropasaurusrex** and gradually make exploitation harder.
  
-First download the [[https://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-skel.zip|session archive]]. +==== Calling Conventions in the ROP Context ====
- +
-=== Calling Conventions in the ROP Context+
  
 As you know, the [[:session:02#function-calls|calling convention for 32 bits]] uses the stack. This means that setting up parameters is as easy as just writing them in the payload. As you know, the [[:session:02#function-calls|calling convention for 32 bits]] uses the stack. This means that setting up parameters is as easy as just writing them in the payload.
Line 88: Line 90:
  
  
-=== Intro to pwntools+==== Intro to pwntools ====
  
 Writing exploits in command line using expressions such as the following is prone to errors: Writing exploits in command line using expressions such as the following is prone to errors:
Line 145: Line 147:
   - interact with the process using ''recvuntil'' and ''sendline'' functions   - interact with the process using ''recvuntil'' and ''sendline'' functions
  
-=== Challenge 0 walkthrough+==== Challenge 0 walkthrough ====
  
 Let's do a walkthrough/tutorial to work with the basic functionality of pwntools. We will use the first task and identify the vulnerability and write an exploit. For that change to the ''challenge-01/'' subfolder, and exploit the ''ropasaurusrex1'' executable in order to overflow the saved EBP, EIP and write the string //ELF// to standard output. Let's do a walkthrough/tutorial to work with the basic functionality of pwntools. We will use the first task and identify the vulnerability and write an exploit. For that change to the ''challenge-01/'' subfolder, and exploit the ''ropasaurusrex1'' executable in order to overflow the saved EBP, EIP and write the string //ELF// to standard output.
Line 273: Line 275:
  
  
-== Challenges+===== Challenges =====
  
-=== 1. Challenge: Using ROP to Leak and Call system()+==== 1. Challenge: Using ROP to Leak and Call system() ====
  
-Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''challenge-01/ropasaurusrex1'' executable file and update the script above in order to spawn a shell.+Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''task-01/ropasaurusrex1'' executable file and update the script above in order to spawn a shell.
  
 You can now call the functions in the binary but ''system()'' or any other appropriate function is missing and ASLR is enabled. How do you get past this? You need an information leak! To leak information we want to print it to standard output and process it. We use calls to ''printf()'', ''puts()'' or ''write()'' for this. In our case we can use the ''write()'' function call. You can now call the functions in the binary but ''system()'' or any other appropriate function is missing and ASLR is enabled. How do you get past this? You need an information leak! To leak information we want to print it to standard output and process it. We use calls to ''printf()'', ''puts()'' or ''write()'' for this. In our case we can use the ''write()'' function call.
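Review bot: the directory is renamed from "challenge-01/" to "task-01/" here, but the unchanged Challenge 0 walkthrough above still tells the reader to change to the "challenge-01/" subfolder; update that sentence as well so both sections name the same directory (the shell prompt shown later on the page already reads "skel/task-01").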
Line 312: Line 314:
  
 <note tip> <note tip>
-Fire up GDB on the libc library and save the offset of the function you want to leak and ''system()'':+To find out the address of the ''system()'' call when you know the address of the ''puts()'' call, use [[https://github.com/razvand/snippets/blob/master/pwntools/exploit.py|this pwntools snippet]]. Check the last lines that compute the address of ''system()'' 
 +</note> 
 + 
 +/* 
 + 
 +<note tip> 
 +As an alternative, more cumbersom method, fire up GDB on the libc library and save the offset of the function you want to leak and ''system()'':
 <code> <code>
 root@kali:~/12-rop/skel/task-01# ldd ropasaurusrex1  root@kali:~/12-rop/skel/task-01# ldd ropasaurusrex1 
Line 332: Line 340:
 After the leak subtract the saved offset from it. You now have the libc base address (which should be aligned to a multiple of 0x1000). Use that address and add the other offset to compute the address of the ''system()'' call for the current run. After the leak subtract the saved offset from it. You now have the libc base address (which should be aligned to a multiple of 0x1000). Use that address and add the other offset to compute the address of the ''system()'' call for the current run.
 </note> </note>
 +
 +*/
  
 Call ''system()''. Call ''system()''.
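Review bot: the GDB-based alternative is wrapped in "/* ... */", but those delimiters are not core DokuWiki syntax; they hide the text only if the comment plugin is installed, otherwise the stray "/*" and "*/" and the whole old tip render literally (the same applies to the commented-out Challenge 4 further down). If the plugin is not available, delete the old text or move it out of the page. Also, "cumbersom" in the new tip should read "cumbersome", and the sentence ending "compute the address of ''system()''" is missing its full stop.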
Line 342: Line 352:
 For the actual parameter use the ''%%"sh"%%'' string already present in the vulnerable binary. Use ''searchmem'' in GDB to find the ''%%"sh"%%'' string in the executable. For the actual parameter use the ''%%"sh"%%'' string already present in the vulnerable binary. Use ''searchmem'' in GDB to find the ''%%"sh"%%'' string in the executable.
 </note> </note>
- +==== 2. Challenge: Handling Low Stack Space ====
-=== 2. Challenge: Handling Low Stack Space+
  
 The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that. The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that.
  
-For the current task, switch to the ''challenge-23/'' sub-folder. The extra constraint here is that huge ropchains are no longer an option.+For the current task, switch to the ''task-23/'' sub-folder. The extra constraint here is that huge ropchains are no longer an option.
  
 Find out how much space you have in the overflow and assess the situation. Find out how much space you have in the overflow and assess the situation.
Line 380: Line 389:
 Use a new ropchain to call ''%%system("sh")%%''. Use ''searchmem'' in GDB to locate the address of an ''sh'' string, same as the task above. Use a new ropchain to call ''%%system("sh")%%''. Use ''searchmem'' in GDB to locate the address of an ''sh'' string, same as the task above.
 </note> </note>
-=== 3. Challenge: Stack Pivoting+==== 3. Challenge: Stack Pivoting ====
  
 Let's assume that ''main()'' function had additional constraints that made it impossible to repeat the overflow. How can we still solve it? The method is called stack pivoting. In short, this means making the stack pointer refer another (writable) memory area that has enough space, a memory area that we will populate with the actual ROP chain. Let's assume that ''main()'' function had additional constraints that made it impossible to repeat the overflow. How can we still solve it? The method is called stack pivoting. In short, this means making the stack pointer refer another (writable) memory area that has enough space, a memory area that we will populate with the actual ROP chain.
Line 418: Line 427:
 </note> </note>
  
-=== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode+/*==== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode ====
  
 We want to exploit a more constrained environment. The constraint is to remove the ''system()'' call and use a statically linked executable with no connection to the standard C library or the ''system()'' call. We want to exploit a more constrained environment. The constraint is to remove the ''system()'' call and use a statically linked executable with no connection to the standard C library or the ''system()'' call.
Line 451: Line 460:
 Use the [[http://docs.pwntools.com/en/stable/shellcraft.html|shellcraft module in pwnlib]] to create a shellcode and use the [[http://docs.pwntools.com/en/stable/asm.html|asm() function in pwnlib]] to assemble the shellcode. Use the [[http://docs.pwntools.com/en/stable/shellcraft.html|shellcraft module in pwnlib]] to create a shellcode and use the [[http://docs.pwntools.com/en/stable/asm.html|asm() function in pwnlib]] to assemble the shellcode.
 </note> </note>
 +*/
  
-=== 5. Challenge [Bonus]+==== 4. Challenge [Bonus] ====
  
-Switch to ''challenge-05''. You have a 64 bit binary that you need to exploit to execute /bin/date:+Switch to ''task-04''. You have a 64 bit binary that you need to exploit to execute /bin/date:
   * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention.   * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention.
   * Then overflow the second buffer and issue a syscall for **execve("/bin/sh", ["/bin/sh", "-c", "/bin/date"], NULL)**. You will need to prepare registers for the 64 bit syscall convention.   * Then overflow the second buffer and issue a syscall for **execve("/bin/sh", ["/bin/sh", "-c", "/bin/date"], NULL)**. You will need to prepare registers for the 64 bit syscall convention.
   * Extra: Pop a shell.   * Extra: Pop a shell.
  
-=== Resources:+==== Resources: ====
  
   * https://syscalls.kernelgrok.com/   * https://syscalls.kernelgrok.com/
session/12.1531735413.txt.gz · Last modified: 2018/07/16 13:03 by Adriana COGEAN (25140)