Binary Exploitation Series (1): Environment Setup
Foreword
This series will cover some basic exploitation techniques on Linux systems (x64) which are getting more advanced during the series. The main focus will be on bypassing protection mechanisms of modern systems like ASLR, non-executable stack, Stack Cookies and position-independent code. Each technical topic will be hands-on and I will provide an example to try it yourself and follow along.
Overview
The following table shows some topics I will write about and it might be updated over time.
Chapter | Topic | Active Protections |
---|---|---|
1 | Environment Setup | - |
2 | Bug Classes | - |
3 | Your first Exploit | ASLR |
4 | Return 2 Libc | ASLR, NX |
5 | How to leak data? | Mixed |
6 | Defeating Stack Cookies | ASLR, NX, Stack Cookies |
7 | Full RelRO Bypass | ASLR, NX, Stack Cookies, Full RelRO |
Introduction
Today’s post will cover a basic setup for a virtual environment to do some pwnable challenges. This is not the only setup and a lot of people will have better or other tools in their collection. But for me, it is a good base for most of the pwnables I do.
Disclaimer: I’m not a professional and therefore, some things could be wrong or could be done better. But let’s hope it is good enough! ;-)
Base System
As a host system, you can use whatever you want. Windows, Linux, MacOS or something else will do the work.
Virtual Machines
Virtual machines are the best way to have a running system that can be compromised and later be restored to an earlier state. Therefore, I would recommend to not run the vulnerable code on your main systems and build your virtual environment where you can safely run vulnerable code. Moreover, it is very convenient to roll back your system in case of a bad behavior of some of the executables or if the system is damaged in a way.
Virtualization Software:
- VMWare Workstation (Pro), most students get a free copy
- VirtualBox, free and open-source
- Hyper-V, comes with Win10-Pro
- …
OS Choice
Since most of the challenges are for Linux based systems, I would recommend to set up your custom virtual environment with a vanilla Linux like Ubuntu.
Tools
Tools are an essential part of your pwn-environment because you will need some! In the following, I will describe some useful tools which I often use.
ipython
A good interactive python shell with tab completion and highlighting.
gdb
Debugging in Linux is done with gdb
and I will not cover each command here because there are many tutorials available.
gdb-Plugin: GEF
GEF is a great plugin for gdb
which extends the debugging functionalities. Other plugins almost do the same as pwndbg and PEDA.
I’ve decided that GEF
is the right choice for me but feel free to try each one yourself.
Some important commands we’ll use quite often:
-
Print memory
eXamine memory: x/FMT ADDRESS.
Example:x/10gx $rsp
This command will print 10 times a 8 byte value (g = giant word - 8 byte, w = word - 4 byte), starting from the address inrsp
.
More information at gdb Manuals -
set follow-fork-mode child
gdb
follows a fork to debug the child process. It is essential for debugging a socket server which forks its process on each connection.
Command:set follow-fork-mode child
-
search-pattern
Easily find strings or your payload in the programs memory.
Command:search-pattern 'AAAAAAA'
` -
vmmap
Display a comprehensive layout of the virtual memory mapping.
More information at GEF-Docs.
strace / ltrace
For a basic overview of the binary, you can use strace
and ltrace
. strace
is a program to trace system calls and show all received signals of a given binary. ltrace
does the same just with library calls. (e.g. read(..), fgets(…))
Both tools are also great for reversing challenges because sometimes you might see some plaintext strings in function calls.
Pwntools
Pwntools is a great collection of tools/functions packed into a library for python. It is designed for rapid prototyping (which I can confirm) and it makes your exploit development for different tasks a lot easier.
A basic script could look like this:
from pwntools import *
r = process("./challenge")
r.sendline("Hello")
print r.recvline()
r.interactive()
A big advantage of this plugin is that the communication with processes, network sockets or other protocols like ssh
uses the same interface. Therefore, you can easily develop your exploit against a local target with r = process("challenge")
and later change one line to exploit the remote service r = remote("192.168.1.42", 1337)
.
Binary Ninja
Binary Ninja is a really great and especially affordable reverse engineering tool. It comes with a good disassembler, medium level and low-level intermediate languages and a great python API interface to develop your plugins for binary ninja.
Further, you have some useful plugins already available at Binary Ninja Community Plugins.
Radare2
Radare2 is also a great tool for reversing but it is kind of hard to begin with since it is a command-line tool. radare2
IDA Free
Another possible disassembler would be IDA free. Since this is a demo version the functionalities are a little bit restricted. But for a beginner, it is enough. IDA Free.
ROPgadget / Ropper
ROPgagdet looks for gadgets in a binary to build a ROP chain and it supports different architectures and file formats.
Ropper does almost the same.
One Gadget
One Gagdet allows you to spawn a shell with execve('/bin/sh', NULL, NULL)
via libc in one shot! Therefore, you only need to leak the libc base address in the target’s memory and redirect code execution to the gadget.
Libc Database
Libc Database builds a database of libc offsets to identify used libc on the target machine. You have to be able to leak some libc pointers (e.g. via read primitive and GOT
(Global Offset Table) addresses). A web-based variant is available at blukat.me.
That’s all for the first post.
See you soon.