CTF-practice-evening:2014-08-04: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| (24 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{Event | {{Event | ||
|Date=2014/ | |Date=2014/08/04 | ||
|Location=ACTA | |Location=ACTA | ||
|EventType=Workshop | |EventType=Workshop | ||
| Line 7: | Line 7: | ||
= Capture The Flag evening - Part 23 = | = Capture The Flag evening - Part 23 = | ||
* | * 4 August, 2014 - 7 PM | ||
* Please bring along a laptop with you!!! | * Please bring along a laptop with you!!! | ||
| Line 14: | Line 14: | ||
* See the page for the [[Ctf-evenings]] | * See the page for the [[Ctf-evenings]] | ||
* Link to the Tech Inc [[TechInc-CTF-Scoreboard | Challenge Website Scoreboard]] | * Link to the Tech Inc [[TechInc-CTF-Scoreboard | Challenge Website Scoreboard]] | ||
= Binary Exploitation = | |||
* Brainsmoke is talking about binary exploitation today | |||
== Examining the challenge == | |||
* objdump -d: see the disassembly, sometimes you can see symbols | |||
** This example has mangled C++ symbols | |||
* From running it, the program appears to be a daemon of some kind - a Socks proxy | |||
** This is a proxy for TCP - we can look at the protocol details w/ Google | |||
** netstat -uplanet (we can see which ports are used) | |||
* What was added between Socks4 and Socks5? (there might be a bug) | |||
** Authentication and connecting directly to a domain | |||
** Most of the fields are fixed length | |||
** But the domain name is a string - it could have a buffer overflow | |||
** There's a 1 byte name length - if you use a 1 byte length, you might end up w/ a negative number | |||
** If you try to read a negative number, you will try to read a lot of bytes | |||
* We want to find out what happens when you tell the program to read and send 255 bytes | |||
** We want to establish a connection | |||
** We need to specify Socks5 | |||
== Verifying the buffer overflow == | |||
* Use xxd to construct the command (converts hex code to binary, and vice-versa) | |||
** Example: xxd -r -p <<< 41414141410a = AAA | |||
** xxd -r -p <<< 050100 | nc localhost 1080 | dd bs=1 > file (authentication) | |||
** hexdump -C file | |||
** xxd -r -p <<< 05010005010003ff:python<<<'print "A"*2000') | nc localhost 1080 | dd bs=1 > file (connection request) | |||
** We're following along w/ the protocol here | |||
** It crashed - a child exited with Signal 6 (SIGABT) | |||
** You can use gdb to find the segfault | |||
** Now we send the payload - nothing crashed, so the stopped child must have the connection | |||
** We continue it, and we see the segfault | |||
** You can use 'info reg' to see the register contents | |||
** eax now has the value of 0x41414141! | |||
** Also the instruction point (eip), we can look at what it's pointing at | |||
** You can use: x/i $eip = call *0x8(%eax) | |||
** We have control over eax. So we can get it to call code that we enter! | |||
** x/1000i Starting from the right instruction thread | |||
** x/32x 0x8058b80-32 (you can see 16 bytes of crap, and then our data, and then the address that we need) | |||
** (You can also oftentimes see the input you provide in the dmesg output that happens during the segfault) | |||
** xxd -r -p <<< 05010005010003ff:python<<<'print "A"*16 + "ABCD" + "A"*2000 ') | nc localhost 1080 | dd bs=1 > file (connection request) | |||
** We can use Metasploit cyclic patterns for this | |||
* He also used his own emulator w/ an elf loader | |||
** mimenu | |||
** It produces a taint tracking dump | |||
** We can see that there's a second area where the tainted data is stored | |||
** We have data at a known location - that's where we are going to want to put out code | |||
** We should note down the address | |||
** ebx is a heap pointer - if you use ASLR, then this will wind up in a different place every time | |||
== Crafting the exploit == | |||
* He's changing the commandline script into a proper python program | |||
* He's reusing socket routines from an old exploit | |||
* He's also finding old previously used shellcode - the sample he's using works on lots of architectures - everything afterwards will be executed as a command | |||
* He's opening a shell - he's trying to reuse a variety of file descriptors w/ bash | |||
Latest revision as of 20:43, 4 August 2014
| CTF-practice-evening:2014-08-04 | |
|---|---|
| Date | 2014/08/04 |
| Time | |
| Location | ACTA |
| Type | Workshop |
| Contact | Melanie |
| iCalendar | Add to calendar |
Capture The Flag evening - Part 23
- 4 August, 2014 - 7 PM
- Please bring along a laptop with you!!!
General CTF Info
- See the page for the Ctf-evenings
- Link to the Tech Inc Challenge Website Scoreboard
Binary Exploitation
- Brainsmoke is talking about binary exploitation today
Examining the challenge
- objdump -d: see the disassembly, sometimes you can see symbols
- This example has mangled C++ symbols
- From running it, the program appears to be a daemon of some kind - a Socks proxy
- This is a proxy for TCP - we can look at the protocol details w/ Google
- netstat -uplanet (we can see which ports are used)
- What was added between Socks4 and Socks5? (there might be a bug)
- Authentication and connecting directly to a domain
- Most of the fields are fixed length
- But the domain name is a string - it could have a buffer overflow
- There's a 1 byte name length - if you use a 1 byte length, you might end up w/ a negative number
- If you try to read a negative number, you will try to read a lot of bytes
- We want to find out what happens when you tell the program to read and send 255 bytes
- We want to establish a connection
- We need to specify Socks5
Verifying the buffer overflow
- Use xxd to construct the command (converts hex code to binary, and vice-versa)
- Example: xxd -r -p <<< 41414141410a = AAA
- xxd -r -p <<< 050100 | nc localhost 1080 | dd bs=1 > file (authentication)
- hexdump -C file
- xxd -r -p <<< 05010005010003ff:python<<<'print "A"*2000') | nc localhost 1080 | dd bs=1 > file (connection request)
- We're following along w/ the protocol here
- It crashed - a child exited with Signal 6 (SIGABT)
- You can use gdb to find the segfault
- Now we send the payload - nothing crashed, so the stopped child must have the connection
- We continue it, and we see the segfault
- You can use 'info reg' to see the register contents
- eax now has the value of 0x41414141!
- Also the instruction point (eip), we can look at what it's pointing at
- You can use: x/i $eip = call *0x8(%eax)
- We have control over eax. So we can get it to call code that we enter!
- x/1000i Starting from the right instruction thread
- x/32x 0x8058b80-32 (you can see 16 bytes of crap, and then our data, and then the address that we need)
- (You can also oftentimes see the input you provide in the dmesg output that happens during the segfault)
- xxd -r -p <<< 05010005010003ff:python<<<'print "A"*16 + "ABCD" + "A"*2000 ') | nc localhost 1080 | dd bs=1 > file (connection request)
- We can use Metasploit cyclic patterns for this
- He also used his own emulator w/ an elf loader
- mimenu
- It produces a taint tracking dump
- We can see that there's a second area where the tainted data is stored
- We have data at a known location - that's where we are going to want to put out code
- We should note down the address
- ebx is a heap pointer - if you use ASLR, then this will wind up in a different place every time
Crafting the exploit
- He's changing the commandline script into a proper python program
- He's reusing socket routines from an old exploit
- He's also finding old previously used shellcode - the sample he's using works on lots of architectures - everything afterwards will be executed as a command
- He's opening a shell - he's trying to reuse a variety of file descriptors w/ bash