IT Security Consultant

4 minute read

Foreword

This series will cover some basic exploitation techniques on Linux systems (x64) which are getting more advanced during the series. The main focus will be on bypassing protection mechanisms of modern systems like ASLR, non-executable stack, Stack Cookies and position-independent code. Each technical topic will be hands-on and I will provide an example to try it yourself and follow along.

Overview

The following table shows some topics I will write about and it might be updated over time.

Chapter Topic Active Protections
1 Environment Setup -
2 Bug Classes -
3 Your first Exploit ASLR
4 Return 2 Libc ASLR, NX
5 How to leak data? Mixed
6 Defeating Stack Cookies ASLR, NX, Stack Cookies
7 Full RelRO Bypass ASLR, NX, Stack Cookies, Full RelRO

Introduction

Today’s post will cover a basic setup for a virtual environment to do some pwnable challenges. This is not the only setup and a lot of people will have better or other tools in their collection. But for me, it is a good base for most of the pwnables I do.

Disclaimer: I’m not a professional and therefore, some things could be wrong or could be done better. But let’s hope it is good enough! ;-)

Base System

As a host system, you can use whatever you want. Windows, Linux, MacOS or something else will do the work.

Virtual Machines

Virtual machines are the best way to have a running system that can be compromised and later be restored to an earlier state. Therefore, I would recommend to not run the vulnerable code on your main systems and build your virtual environment where you can safely run vulnerable code. Moreover, it is very convenient to roll back your system in case of a bad behavior of some of the executables or if the system is damaged in a way.

Virtualization Software:

  • VMWare Workstation (Pro), most students get a free copy
  • VirtualBox, free and open-source
  • Hyper-V, comes with Win10-Pro

OS Choice

Since most of the challenges are for Linux based systems, I would recommend to set up your custom virtual environment with a vanilla Linux like Ubuntu.

Tools

Tools are an essential part of your pwn-environment because you will need some! In the following, I will describe some useful tools which I often use.

ipython

A good interactive python shell with tab completion and highlighting.

gdb

Debugging in Linux is done with gdb and I will not cover each command here because there are many tutorials available.

gdb-Plugin: GEF

GEF is a great plugin for gdb which extends the debugging functionalities. Other plugins almost do the same as pwndbg and PEDA. I’ve decided that GEF is the right choice for me but feel free to try each one yourself.
Some important commands we’ll use quite often:

  • Print memory
    eXamine memory: x/FMT ADDRESS.
    Example: x/10gx $rsp
    This command will print 10 times a 8 byte value (g = giant word - 8 byte, w = word - 4 byte), starting from the address in rsp.
    More information at gdb Manuals

  • set follow-fork-mode child
    gdb follows a fork to debug the child process. It is essential for debugging a socket server which forks its process on each connection.
    Command: set follow-fork-mode child

  • search-pattern
    Easily find strings or your payload in the programs memory.
    Command: search-pattern 'AAAAAAA'`

  • vmmap
    Display a comprehensive layout of the virtual memory mapping.

More information at GEF-Docs.

strace / ltrace

For a basic overview of the binary, you can use strace and ltrace. strace is a program to trace system calls and show all received signals of a given binary. ltrace does the same just with library calls. (e.g. read(..), fgets(…))

Both tools are also great for reversing challenges because sometimes you might see some plaintext strings in function calls.

Pwntools

Pwntools is a great collection of tools/functions packed into a library for python. It is designed for rapid prototyping (which I can confirm) and it makes your exploit development for different tasks a lot easier.
A basic script could look like this:

from pwntools import *

r = process("./challenge")
r.sendline("Hello")
print r.recvline()
r.interactive()

A big advantage of this plugin is that the communication with processes, network sockets or other protocols like ssh uses the same interface. Therefore, you can easily develop your exploit against a local target with r = process("challenge") and later change one line to exploit the remote service r = remote("192.168.1.42", 1337).

Binary Ninja

Binary Ninja is a really great and especially affordable reverse engineering tool. It comes with a good disassembler, medium level and low-level intermediate languages and a great python API interface to develop your plugins for binary ninja.
Further, you have some useful plugins already available at Binary Ninja Community Plugins.

Radare2

Radare2 is also a great tool for reversing but it is kind of hard to begin with since it is a command-line tool. radare2

IDA Free

Another possible disassembler would be IDA free. Since this is a demo version the functionalities are a little bit restricted. But for a beginner, it is enough. IDA Free.

ROPgadget / Ropper

ROPgagdet looks for gadgets in a binary to build a ROP chain and it supports different architectures and file formats.
Ropper does almost the same.

One Gadget

One Gagdet allows you to spawn a shell with execve('/bin/sh', NULL, NULL) via libc in one shot! Therefore, you only need to leak the libc base address in the target’s memory and redirect code execution to the gadget.

Libc Database

Libc Database builds a database of libc offsets to identify used libc on the target machine. You have to be able to leak some libc pointers (e.g. via read primitive and GOT (Global Offset Table) addresses). A web-based variant is available at blukat.me.

That’s all for the first post.

See you soon.

You May Also Enjoy

Facebook CTF 2019: overfloat

5 minute read

overfloat was an entry challenge of the pwnable category of the Facebook CTF 2019. A binary and a libc were provided (Original tar). You can find the full ex...