This series will cover some basic exploitation techniques on Linux systems (x64) which are getting more advanced during the series. The main focus will be on bypassing protection mechanisms of modern systems like ASLR, non-executable stack, Stack Cookies and position-independent code. Each technical topic will be hands-on and I will provide an example to try it yourself and follow along.
The following table shows some topics I will write about and it might be updated over time.
|3||Your first Exploit||ASLR|
|4||Return 2 Libc||ASLR, NX|
|5||How to leak data?||Mixed|
|6||Defeating Stack Cookies||ASLR, NX, Stack Cookies|
|7||Full RelRO Bypass||ASLR, NX, Stack Cookies, Full RelRO|
Today’s post will cover a basic setup for a virtual environment to do some pwnable challenges. This is not the only setup and a lot of people will have better or other tools in their collection. But for me, it is a good base for most of the pwnables I do.
Disclaimer: I’m not a professional and therefore, some things could be wrong or could be done better. But let’s hope it is good enough! ;-)
As a host system, you can use whatever you want. Windows, Linux, MacOS or something else will do the work.
Virtual machines are the best way to have a running system that can be compromised and later be restored to an earlier state. Therefore, I would recommend to not run the vulnerable code on your main systems and build your virtual environment where you can safely run vulnerable code. Moreover, it is very convenient to roll back your system in case of a bad behavior of some of the executables or if the system is damaged in a way.
- VMWare Workstation (Pro), most students get a free copy
- VirtualBox, free and open-source
- Hyper-V, comes with Win10-Pro
Since most of the challenges are for Linux based systems, I would recommend to set up your custom virtual environment with a vanilla Linux like Ubuntu.
Tools are an essential part of your pwn-environment because you will need some! In the following, I will describe some useful tools which I often use.
A good interactive python shell with tab completion and highlighting.
Debugging in Linux is done with
gdb and I will not cover each command here because there are many tutorials available.
GEF is a great plugin for
gdb which extends the debugging functionalities. Other plugins almost do the same as pwndbg and PEDA.
I’ve decided that
GEF is the right choice for me but feel free to try each one yourself.
Some important commands we’ll use quite often:
eXamine memory: x/FMT ADDRESS.
This command will print 10 times a 8 byte value (g = giant word - 8 byte, w = word - 4 byte), starting from the address in
More information at gdb Manuals
set follow-fork-mode child
gdbfollows a fork to debug the child process. It is essential for debugging a socket server which forks its process on each connection.
set follow-fork-mode child
Easily find strings or your payload in the programs memory.
Display a comprehensive layout of the virtual memory mapping.
More information at GEF-Docs.
strace / ltrace
For a basic overview of the binary, you can use
strace is a program to trace system calls and show all received signals of a given binary.
ltrace does the same just with library calls. (e.g. read(..), fgets(…))
Both tools are also great for reversing challenges because sometimes you might see some plaintext strings in function calls.
Pwntools is a great collection of tools/functions packed into a library for python. It is designed for rapid prototyping (which I can confirm) and it makes your exploit development for different tasks a lot easier.
A basic script could look like this:
from pwntools import * r = process("./challenge") r.sendline("Hello") print r.recvline() r.interactive()
A big advantage of this plugin is that the communication with processes, network sockets or other protocols like
ssh uses the same interface. Therefore, you can easily develop your exploit against a local target with
r = process("challenge") and later change one line to exploit the remote service
r = remote("192.168.1.42", 1337).
Binary Ninja is a really great and especially affordable reverse engineering tool. It comes with a good disassembler, medium level and low-level intermediate languages and a great python API interface to develop your plugins for binary ninja.
Further, you have some useful plugins already available at Binary Ninja Community Plugins.
Radare2 is also a great tool for reversing but it is kind of hard to begin with since it is a command-line tool. radare2
Another possible disassembler would be IDA free. Since this is a demo version the functionalities are a little bit restricted. But for a beginner, it is enough. IDA Free.
ROPgadget / Ropper
One Gagdet allows you to spawn a shell with
execve('/bin/sh', NULL, NULL) via libc in one shot! Therefore, you only need to leak the libc base address in the target’s memory and redirect code execution to the gadget.
Libc Database builds a database of libc offsets to identify used libc on the target machine. You have to be able to leak some libc pointers (e.g. via read primitive and
GOT (Global Offset Table) addresses). A web-based variant is available at blukat.me.
That’s all for the first post.
See you soon.