session:12

Differences

session:12 [2020/06/17 23:27]
Rareş-Mihail VISALOM (67101)
session:12 [2020/07/20 17:34] (current)
Liza-Elena BABU (78556) [1. Challenge: Using ROP to Leak and Call system()]
Line 1: Line 1:
-= 0x0B. Return Oriented Programming (advanced)+====== 0x0B. Return Oriented Programming (advanced) ======
  
-== Slides+===== Slides =====
  
 [[https://security.cs.pub.ro/summer-school/res/slides/12-return-oriented-programming-advanced.pdf|Session 12 slides]] [[https://security.cs.pub.ro/summer-school/res/slides/12-return-oriented-programming-advanced.pdf|Session 12 slides]]
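Review bot: the old markup `= 0x0B. Return Oriented Programming (advanced)` with a single `=` is not a heading in DokuWiki syntax (a heading needs at least two `=` on each side), so the page title was rendering as plain text; the six-`=` form is the correct top-level heading, and the later hunks keep the level ordering consistent (five for sections, four for subsections). One thing still worth doing in the same revision: the pdf link on the context line is the only resource named under Slides, so a one-line description of what the slides cover would help readers who arrive here from the comparison view.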
Line 9: Line 9:
 [[https://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-full.zip|Session's solutions]] [[https://security.cs.pub.ro/summer-school/res/arc/12-return-oriented-programming-advanced-full.zip|Session's solutions]]
  
-== Setup+===== Setup =====
  
 The ROPgadget version installed in the [[start|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as ''root'') before starting this session and using ROPgadget: The ROPgadget version installed in the [[start|Kali virtual machine]] needs to be upgraded to work properly. Please use the command below (as ''root'') before starting this session and using ROPgadget:
Line 21: Line 21:
 </code> </code>
  
-== Tutorials+===== Tutorials =====
  
 In this lab we are going to dive deeper into ROP (//Return Oriented Programming//) and setbacks that appear in modern exploitation. Topics covered: In this lab we are going to dive deeper into ROP (//Return Oriented Programming//) and setbacks that appear in modern exploitation. Topics covered:
Line 33: Line 33:
 As the basis of the lab we will use a CTF challenge called **ropasaurusrex** and gradually make exploitation harder. As the basis of the lab we will use a CTF challenge called **ropasaurusrex** and gradually make exploitation harder.
  
-=== Calling Conventions in the ROP Context+==== Calling Conventions in the ROP Context ====
  
 As you know, the [[:session:02#function-calls|calling convention for 32 bits]] uses the stack. This means that setting up parameters is as easy as just writing them in the payload. As you know, the [[:session:02#function-calls|calling convention for 32 bits]] uses the stack. This means that setting up parameters is as easy as just writing them in the payload.
Line 90: Line 90:
  
  
-=== Intro to pwntools+==== Intro to pwntools ====
  
 Writing exploits in command line using expressions such as the following is prone to errors: Writing exploits in command line using expressions such as the following is prone to errors:
Line 147: Line 147:
   - interact with the process using ''recvuntil'' and ''sendline'' functions   - interact with the process using ''recvuntil'' and ''sendline'' functions
  
-=== Challenge 0 walkthrough+==== Challenge 0 walkthrough ====
  
 Let's do a walkthrough/tutorial to work with the basic functionality of pwntools. We will use the first task and identify the vulnerability and write an exploit. For that change to the ''challenge-01/'' subfolder, and exploit the ''ropasaurusrex1'' executable in order to overflow the saved EBP, EIP and write the string //ELF// to standard output. Let's do a walkthrough/tutorial to work with the basic functionality of pwntools. We will use the first task and identify the vulnerability and write an exploit. For that change to the ''challenge-01/'' subfolder, and exploit the ''ropasaurusrex1'' executable in order to overflow the saved EBP, EIP and write the string //ELF// to standard output.
Line 275: Line 275:
  
  
-== Challenges+===== Challenges =====
  
-=== 1. Challenge: Using ROP to Leak and Call system()+==== 1. Challenge: Using ROP to Leak and Call system() ====
  
-Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''challenge-01/ropasaurusrex1'' executable file and update the script above in order to spawn a shell.+Having completed the recap in the walkthrough above let's proceed to more advanced things. Use the ''task-01/ropasaurusrex1'' executable file and update the script above in order to spawn a shell.
  
 You can now call the functions in the binary but ''system()'' or any other appropriate function is missing and ASLR is enabled. How do you get past this? You need an information leak! To leak information we want to print it to standard output and process it. We use calls to ''printf()'', ''puts()'' or ''write()'' for this. In our case we can use the ''write()'' function call. You can now call the functions in the binary but ''system()'' or any other appropriate function is missing and ASLR is enabled. How do you get past this? You need an information leak! To leak information we want to print it to standard output and process it. We use calls to ''printf()'', ''puts()'' or ''write()'' for this. In our case we can use the ''write()'' function call.
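Review bot: the rename of ''challenge-01/ropasaurusrex1'' to ''task-01/ropasaurusrex1'' leaves the Challenge 0 walkthrough above (unchanged in this revision) still telling readers to change to the ''challenge-01/'' subfolder, so the two sections now disagree about the directory name; either rename the walkthrough's path in the same revision or state here that Challenge 1 reuses the walkthrough's folder.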
Line 352: Line 352:
 For the actual parameter use the ''%%"sh"%%'' string already present in the vulnerable binary. Use ''searchmem'' in GDB to find the ''%%"sh"%%'' string in the executable. For the actual parameter use the ''%%"sh"%%'' string already present in the vulnerable binary. Use ''searchmem'' in GDB to find the ''%%"sh"%%'' string in the executable.
 </note> </note>
-=== 2. Challenge: Handling Low Stack Space+==== 2. Challenge: Handling Low Stack Space ====
  
 The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that. The previous binary had the luxury of plenty of stack space to be overflown. It is often the case that we don't have enough space for a long ROP chain. Let's handle that.
  
-For the current task, switch to the ''challenge-23/'' sub-folder. The extra constraint here is that huge ropchains are no longer an option.+For the current task, switch to the ''task-23/'' sub-folder. The extra constraint here is that huge ropchains are no longer an option.
  
 Find out how much space you have in the overflow and assess the situation. Find out how much space you have in the overflow and assess the situation.
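Review bot: the folder becomes ''task-23/'' while the heading numbers this challenge 2, and the visible Challenge 3 text does not name a folder; if one folder serves both challenges 2 and 3, as the name suggests, say so in this paragraph so the reader does not go looking for a ''task-02/''.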
Line 389: Line 389:
 Use a new ropchain to call ''%%system("sh")%%''. Use ''searchmem'' in GDB to locate the address of an ''sh'' string, same as the task above. Use a new ropchain to call ''%%system("sh")%%''. Use ''searchmem'' in GDB to locate the address of an ''sh'' string, same as the task above.
 </note> </note>
-=== 3. Challenge: Stack Pivoting+==== 3. Challenge: Stack Pivoting ====
  
 Let's assume that ''main()'' function had additional constraints that made it impossible to repeat the overflow. How can we still solve it? The method is called stack pivoting. In short, this means making the stack pointer refer another (writable) memory area that has enough space, a memory area that we will populate with the actual ROP chain. Let's assume that ''main()'' function had additional constraints that made it impossible to repeat the overflow. How can we still solve it? The method is called stack pivoting. In short, this means making the stack pointer refer another (writable) memory area that has enough space, a memory area that we will populate with the actual ROP chain.
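Review bot: the context paragraph reads "making the stack pointer refer another (writable) memory area", which is missing a preposition; "making the stack pointer point to another writable memory area" is clearer, and "Let's assume that the ''main()'' function had" needs the article. Since the heading line is already being touched, fixing the sentence in the same revision would be cheap.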
Line 427: Line 427:
 </note> </note>
  
-=== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode+/*==== 4. Challenge [Hard]: Change Memory Protection and Write Shellcode ====
  
 We want to exploit a more constrained environment. The constraint is to remove the ''system()'' call and use a statically linked executable with no connection to the standard C library or the ''system()'' call. We want to exploit a more constrained environment. The constraint is to remove the ''system()'' call and use a statically linked executable with no connection to the standard C library or the ''system()'' call.
Line 460: Line 460:
 Use the [[http://docs.pwntools.com/en/stable/shellcraft.html|shellcraft module in pwnlib]] to create a shellcode and use the [[http://docs.pwntools.com/en/stable/asm.html|asm() function in pwnlib]] to assemble the shellcode. Use the [[http://docs.pwntools.com/en/stable/shellcraft.html|shellcraft module in pwnlib]] to create a shellcode and use the [[http://docs.pwntools.com/en/stable/asm.html|asm() function in pwnlib]] to assemble the shellcode.
 </note> </note>
 +*/
  
-=== 5. Challenge [Bonus]+==== 4. Challenge [Bonus] ====
  
-Switch to ''challenge-05''. You have a 64 bit binary that you need to exploit to execute /bin/date:+Switch to ''task-04''. You have a 64 bit binary that you need to exploit to execute /bin/date:
   * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention.   * First overflow the buffer and call vuln_gate. You will need to prepare registers for the 64 bit calling convention.
   * Then overflow the second buffer and issue a syscall for **execve("/bin/sh", ["/bin/sh", "-c", "/bin/date"], NULL)**. You will need to prepare registers for the 64 bit syscall convention.   * Then overflow the second buffer and issue a syscall for **execve("/bin/sh", ["/bin/sh", "-c", "/bin/date"], NULL)**. You will need to prepare registers for the 64 bit syscall convention.
   * Extra: Pop a shell.   * Extra: Pop a shell.
  
-=== Resources:+==== Resources: ====
  
   * https://syscalls.kernelgrok.com/   * https://syscalls.kernelgrok.com/
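Review bot: hiding the Hard challenge with `/*` ... `*/` only works if the DokuWiki comment plugin is installed; core DokuWiki has no comment syntax, so on a plain install the markers render as literal text and the section still appears, now as a second "4." right before the Bonus that this same hunk renumbers from 5 to 4. Either confirm the plugin is present or move the section out of the page; the heading `==== Resources: ====` also carries a trailing colon that no other heading on the page uses.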
session/12.1592425624.txt.gz · Last modified: 2020/06/17 23:27 by Rareş-Mihail VISALOM (67101)