Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-02 [2020/10/18 19:30] dennis.plosceanu [7. GDB] |
cns:labs:lab-02 [2022/10/17 19:18] (current) mihai.dumitru2201 [2. Shellcode] |
||
|---|---|---|---|
| Line 244: | Line 244: | ||
| <note>What is the difference between ''-d'' and ''-D''? What does ''-M'' do? In general we encourage you to check out the manpages to find out.</note> | <note>What is the difference between ''-d'' and ''-D''? What does ''-M'' do? In general we encourage you to check out the manpages to find out.</note> | ||
| - | Sometimes however it is possible that the code we are dealing with doesn't have any useful metadata associated with it, e.g. it comes in a raw (flat) binary form, the executable format is not recognized or the ELF header is corrupted. Let's take for example the ''hello2'' binary generated from ''hello2.S'' in the [[http://elf.cs.pub.ro/oss/res/labs/lab-02.tar.gz|lab archive]]: | + | Sometimes however it is possible that the code we are dealing with doesn't have any useful metadata associated with it, e.g. it comes in a raw (flat) binary form, the executable format is not recognized or the ELF header is corrupted. Let's take for example the ''hello2'' binary generated from ''hello2.S'' in the ''01-hello'' dorectory: |
| <code text> | <code text> | ||
| Line 465: | Line 465: | ||
| <note important> | <note important> | ||
| Note that we have removed Address Space Layout Randomization for these examples. We'll explain this later. | Note that we have removed Address Space Layout Randomization for these examples. We'll explain this later. | ||
| + | |||
| + | Disable: ''echo 0 | sudo tee /proc/sys/kernel/randomize_va_space'' | ||
| + | |||
| + | Enable again: ''echo 2 | sudo tee /proc/sys/kernel/randomize_va_space'' | ||
| </note> | </note> | ||
| <code c> | <code c> | ||
| Line 776: | Line 780: | ||
| All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
| + | |||
| + | Submit your flags to [[https://cns-lab-ctf21.cyberedu.ro/|the CNS CyberEDU Platform]]. | ||
| ===== 1. Position independent executables ==== | ===== 1. Position independent executables ==== | ||
| Line 858: | Line 864: | ||
| - How do we actually use the data from this .o file? What symbols are exported? | - How do we actually use the data from this .o file? What symbols are exported? | ||
| * <code> | * <code> | ||
| - | $ readelf -s ./mycode.bin.o | + | $ nm ./mycode.bin.o |
| 0000000000000035 D _binary___mycode_bin_end | 0000000000000035 D _binary___mycode_bin_end | ||
| 0000000000000035 A _binary___mycode_bin_size | 0000000000000035 A _binary___mycode_bin_size | ||
| Line 877: | Line 883: | ||
| - The stack is still executable, remove this flag! | - The stack is still executable, remove this flag! | ||
| * ''execstack -c ./my'' | * ''execstack -c ./my'' | ||
| + | |||
| + | <note> | ||
| + | If you're missing the ''execstack'' binary on the Kali VM (or on any Debian-based distribution), manually download and install it: | ||
| + | |||
| + | <code> | ||
| + | # curl -LO http://ftp.de.debian.org/debian/pool/main/p/prelink/execstack_0.0.20131005-1+b10_amd64.deb | ||
| + | # dpkg -i execstack_0.0.20131005-1+b10_amd64.deb | ||
| + | </code> | ||
| + | |||
| + | If installation freezes, cancel it then try again. | ||
| + | |||
| + | </note> | ||
| + | |||
| - Why does ''execstack -c ./*.o'' throw an error? | - Why does ''execstack -c ./*.o'' throw an error? | ||
| * ''execstack'' has to have information about the segments, information which is only available after the linking process | * ''execstack'' has to have information about the segments, information which is only available after the linking process | ||
| Line 901: | Line 920: | ||
| * What other control-flow altering instructions are executed besides ''call'' and ''ret''? | * What other control-flow altering instructions are executed besides ''call'' and ''ret''? | ||
| - | <note tip>Normally we use tools such as IDA or Radare2 to reverse engineer binaries. In this case however, we challenge you to use only your brain, a pen and a piece of paper. It's a bit tedious, but the end result should be fun.</note> | + | <note tip>Normally we use tools such as IDA, Ghidra or Radare2 to reverse engineer binaries. In this case however, we challenge you to use only your brain, a pen and a piece of paper. It's a bit tedious, but the end result should be fun.</note> |
| <note important>You can dump data from within ''objdump'' using the ''-s'' flag. Use this to figure out what pointers to contents from ''.data'' are put into registers.</note> | <note important>You can dump data from within ''objdump'' using the ''-s'' flag. Use this to figure out what pointers to contents from ''.data'' are put into registers.</note> | ||
| Line 1013: | Line 1032: | ||
| ==== 5. Memory Dump Analysis ==== | ==== 5. Memory Dump Analysis ==== | ||
| - | Using your newfound voodoo skills you are now able to tackle the following task. In the middle of two programs I added the following lines: | + | Let's consider the way programs run. |
| + | Consider the length of addresses for a given system and note that: | ||
| + | * there is a 3GB / 1GB user-mode / kernel-mode split for an i386 system | ||
| + | * that split is not the case for a 32bit program running on 64bits, it uses the entire 4GB of required virtual page | ||
| + | |||
| + | In the middle of two programs I added the following lines: | ||
| <code c> | <code c> | ||
| Line 1081: | Line 1105: | ||
| * Which of the values point to the library/mmap zone? | * Which of the values point to the library/mmap zone? | ||
| - | ==== 6. Smash the Stack ==== | + | ==== 6. IO Netgarage ==== |
| - | * Download level01 from Smash the stack and solve it using peda. Break on ''*main'', step through the execution and figure out what it does and how to crack it. | + | |
| + | Download `level01` from [[https://io.netgarage.org/|IO Netgarage]] and solve it using GDB / PEDA. Break on ''*main'', step through the execution and figure out what it does and how to crack it. | ||
| + | |||
| + | Use the command below to copy the ''level01'' executable locally. Use the ''.'' (dot) mark at the end of the command to refer to the current directory. Provide ''level1'' as the password. | ||
| <code> | <code> | ||
| - | $ scp level1@io.netgarage.org:/levels/level01 . # Password is level1 | + | $ scp level1@io.netgarage.org:/levels/level01 . |
| </code> | </code> | ||
| ==== 7. GDB ==== | ==== 7. GDB ==== | ||
| - | * Use GDB and PEDA to run the code provided at {{cns:labs:s5_pp_bash.tar.gz|}}. The executable gets input from the user and evaluates it against a static condition. If it succeeds it then calls a ''password_accepted'' function that prints out a success message and spawns a shell. Try to not use a decompiler. | + | |
| + | Use GDB and PEDA to run the code provided from ''07-bash-login/''. The executable gets input from the user and evaluates it against a static condition. If it succeeds it then calls a ''password_accepted'' function that prints out a success message and spawns a shell. Try to not use a decompiler. | ||
| Your task is to use GDB and PEDA to force the executable to call the ''password_accepted'' function. | Your task is to use GDB and PEDA to force the executable to call the ''password_accepted'' function. | ||
| Line 1096: | Line 1124: | ||
| Think of modifying registers for forcing the executable to call the function (there is more than one way of doing this). | Think of modifying registers for forcing the executable to call the function (there is more than one way of doing this). | ||
| + | |||
| + | Hints: | ||
| + | * https://stackoverflow.com/questions/41183935/why-does-gcc-use-multiplication-by-a-strange-number-in-implementing-integer-divi | ||
| + | * https://ridiculousfish.com/blog/posts/labor-of-division-episode-i.html | ||
| </note> | </note> | ||
| Line 1115: | Line 1147: | ||
| * Modify the binary entry point such that it will call this symbol! | * Modify the binary entry point such that it will call this symbol! | ||
| * The output of this exercise should be three binaries: ''main.ok.main'', ''main.ok.call_me'', ''main.ok.real_main''. ''readelf -h main.ok*'' should not complain. | * The output of this exercise should be three binaries: ''main.ok.main'', ''main.ok.call_me'', ''main.ok.real_main''. ''readelf -h main.ok*'' should not complain. | ||
| + | |||
| + | <note tip> You can find an [[http://i.imgur.com/m6kL4Lv.png | i386 ELF structure]] diagram here. </note> | ||
| ===== Resources ===== | ===== Resources ===== | ||
| Line 1134: | Line 1168: | ||
| * [[http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html | Smallest elf file]] | * [[http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html | Smallest elf file]] | ||
| * [[https://code.google.com/p/corkami/wiki/ELF101 | Elf Header exploded view]], [[http://i.imgur.com/i6wlE5h.png | direct link (ARM)]], [[http://i.imgur.com/m6kL4Lv.png | direct link i386]] | * [[https://code.google.com/p/corkami/wiki/ELF101 | Elf Header exploded view]], [[http://i.imgur.com/i6wlE5h.png | direct link (ARM)]], [[http://i.imgur.com/m6kL4Lv.png | direct link i386]] | ||
| - | * | ||
