= Capture The Flag evening - Part 23 =
* 4 August, 2014 - 7 PM
* Please bring along a laptop with you!!!

= General CTF Info =
* See the page for the [[Ctf-evenings]]
* Link to the Tech Inc [[TechInc-CTF-Scoreboard | Challenge Website Scoreboard]]

= Binary Exploitation =
* Brainsmoke is talking about binary exploitation today

== Examining the challenge ==
* objdump -d: see the disassembly; sometimes you can see symbols
** This example has mangled C++ symbols
* From running it, the program appears to be a daemon of some kind - a SOCKS proxy
** This is a proxy for TCP - we can look at the protocol details with Google
** netstat -uplanet (we can see which ports are used)
* What was added between SOCKS4 and SOCKS5? (there might be a bug)
** Authentication and connecting directly to a domain name
** Most of the fields are fixed length
** But the domain name is a string - it could have a buffer overflow
** There's a 1-byte name length - if you read it into a signed 1-byte type, you might end up with a negative number
** If you try to read a negative number of bytes, you will try to read a lot of bytes
* We want to find out what happens when you tell the program to read and send 255 bytes
** We want to establish a connection
** We need to specify SOCKS5

== Verifying the buffer overflow ==
* Use xxd to construct the command (converts hex code to binary, and vice versa)
** Example: xxd -r -p <<< 41414141410a prints AAAAA
** xxd -r -p <<< 050100 | nc localhost 1080 | dd bs=1 > file (authentication)
** hexdump -C file
** (xxd -r -p <<< 05010005010003ff; python <<< 'print "A"*2000') | nc localhost 1080 | dd bs=1 > file (connection request)
** We're following along with the protocol here
** It crashed - a child exited with signal 6 (SIGABRT)
** You can use gdb to find the segfault
** Now we send the payload - nothing crashed, so the stopped child must have the connection
** We continue it, and we see the segfault
** You can use 'info reg' to see the register contents
** eax now has the value 0x41414141!
** Also the instruction pointer (eip) - we can look at what it's pointing at
** You can use: x/i $eip, which shows call *0x8(%eax)
** We have control over eax, so we can get it to call code that we enter!
** x/1000i (disassemble, starting from the right instruction thread)
** x/32x 0x8058b80-32 (you can see 16 bytes of crap, then our data, and then the address that we need)
** (You can also often see the input you provided in the dmesg output that is logged during the segfault)
** (xxd -r -p <<< 05010005010003ff; python <<< 'print "A"*16 + "ABCD" + "A"*2000') | nc localhost 1080 | dd bs=1 > file (connection request)
** We can use Metasploit cyclic patterns for this
* He also used his own emulator with an ELF loader
** minemu
** It produces a taint tracking dump
** We can see that there's a second area where the tainted data is stored
** We have data at a known location - that's where we are going to want to put our code
** We should note down the address
** ebx is a heap pointer - if you use ASLR, then this will wind up in a different place every time

== Crafting the exploit ==
* He's changing the command-line script into a proper Python program
* He's reusing socket routines from an old exploit
* He's also finding old, previously used shellcode - the sample he's using works on lots of architectures - everything afterwards will be executed as a command
* He's opening a shell - he's trying to reuse a variety of file descriptors with bash
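As an added illustration of the signed 1-byte length bug discussed under "Examining the challenge" (this is not code from the challenge binary or from the session), the vulnerable length handling sits beside a bounds-checked SOCKS5 domain parser; the function names, constants and the sample request are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 CONNECT request header: VER CMD RSV ATYP, then for ATYP=3 one
 * length byte followed by the domain name (field layout per RFC 1928). */
#define SOCKS5_VER         0x05
#define SOCKS5_CMD_CONNECT 0x01
#define SOCKS5_ATYP_DOMAIN 0x03
#define SOCKS5_HDR_LEN     5   /* bytes up to and including the length byte */

/* Buggy pattern from the notes: the length byte lands in a signed type, so
 * 0xff is -1, and -1 converted to size_t is the largest possible value,
 * which is what a following read() or memcpy() would then be asked for. */
size_t domain_len_buggy(uint8_t lenbyte) {
    signed char n = (signed char)lenbyte;   /* 0x80..0xff become negative */
    return (size_t)n;                       /* 0xff -> SIZE_MAX */
}

/* Fixed: read the byte as unsigned, then check it against both the bytes
 * actually received and the destination buffer (leaving room for a NUL).
 * Returns the name length, or -1 if the request is malformed or too long.
 * Hypothetical helper, not the challenge's own parser. */
int parse_domain_fixed(const uint8_t *req, size_t reqlen,
                       char *dst, size_t dstlen) {
    if (reqlen < SOCKS5_HDR_LEN) return -1;
    if (req[0] != SOCKS5_VER || req[1] != SOCKS5_CMD_CONNECT ||
        req[3] != SOCKS5_ATYP_DOMAIN) return -1;
    uint8_t n = req[4];                              /* 0..255, never negative */
    if (n == 0 || n > reqlen - SOCKS5_HDR_LEN) return -1;  /* truncated request */
    if ((size_t)n + 1 > dstlen) return -1;           /* would overflow dst */
    memcpy(dst, req + SOCKS5_HDR_LEN, n);
    dst[n] = '\0';
    return n;
}

/* Constructed request: CONNECT to example.com, port 80 (the two port bytes
 * after the name are ignored by parse_domain_fixed). */
static const uint8_t sample_req[] = {
    0x05, 0x01, 0x00, 0x03, 0x0b,
    'e','x','a','m','p','l','e','.','c','o','m', 0x00, 0x50 };

int main(void) {
    char name[64];
    printf("buggy length for 0xff: %zu\n", domain_len_buggy(0xff));
    int n = parse_domain_fixed(sample_req, sizeof sample_req, name, sizeof name);
    printf("fixed parse: %d bytes, name=%s\n", n, n > 0 ? name : "(rejected)");
    return 0;
}
```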