Pwn

I placed pwn in with programming, because it relies heavily on programming concepts and knowledge

ELF Analysis

Take a quick look at the file before jumping into analysis

readelf -h ./binary                # Analyze the ELF headers
readelf -sW ./binary | grep FUNC   # List all functions in binary
objdump -M intel -d ./binary | awk -v RS= '/^[[:xdigit:]]+ <main>/'    # Display disassembly for main() only
ltrace ./binary                    # Watch library calls as program executes
strings ./binary                   # The classic
printf $(python -c 'print("A"*15)') | ./int-overflow      # Easy way to change amount of bytes passed to program
echo -n -e ' \x41\x41\x41\x41\x41\x41\x42' > bytes        # Put bytes directly into a file
(cat ./exploit; cat) | ./program    # Pass the exploit to the program, leaves stdin open 
./checksec.sh ./program    # Runs the checksec.sh script to determine binary mitigations in place

# Use MSF to create the pattern and identify offsets
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 200
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 200 -q 6641396541386541

# Similar to MSF, PEDA can support patterns too. Inside GDB
pattern_create 700
pattern_offset $ASCII_VALS

# Disable ASLR
echo 0 > /proc/sys/kernel/randomize_va_space
# Check if ASLR is enabled or not
cat /proc/sys/kernel/randomize_va_space

# Compile a program to be vulnerable
gcc -no-pie -m32 -fno-stack-protector -z execstack binary.c -o binary

# Strip internal symbols from a program
strip binary

# GDB-PEDA check security of a binary
checksec

GDB

Program used to help debug activities as they occur. Use set disassembly-flavor intel to get rid of nasty AT&T syntax. Can analyze core dumps to help identify vulnerable locations in memory for binaries as well.

Generally, we want to set a break AFTER a vulnerable function to see what the stack looks like.

Change the libc used in GDB with the command

# Execute inside GDB to get correct libc offsets
set exec-wrapper env 'LD_PRELOAD=/home/chris/libc.so.6'

# Execute outside of GDB with command:
LD_PRELOAD=./libc.so.6 | python -c 'print("1\n"+"A"*40)' | ./vuln_elf

# Find /bin/sh in memory while using GDB
find "/bin/sh"

# Find "system" function in memory (has to be started first to link libs)
p system

# View env vars at a break after starting execution
x/100s **(char***)&environ

# Start a program with values passed as input (not argv)
run < <(python -c 'print("A"*64 + "BBBB")')

Command

Explanation

disass main

disassemble the main function.

break main

break *main+53

break *0x8040564

Break on the main() function, or an offset, or a specific memory address. Specific addresses require a *

print $eip

Print the contents of a register, variables, or even a memory address

x/20i

x/5i *0x8040564 x/20wx $esp

x/s *0x8040564

Examine 20 Instructions from current EIP

Examine 5 instructions from a specific address Examine 20 DWORDs from the stack pointer

Examine ASCII strings in an address

info

info registers

info function

Lots of interesting info about the current program

Prints all register contents

Prints out all functions

list

Show the source code (if available)

continue

Continues execution after a breakpoint is hit

si

ni

Step Instruction (into library calls!)

Next Instruction (skips library calls!)

bt

Backtrace, shows return pointers on the stack. SUPER useful to identify the call chain to gather return pointers

info breakpoints

del breakpoints

del break 3

Show all breakpoints

Delete all breakpoints

Delete breakpoint 3

# Read the disassembly from main()
disas main

# Print the value of hexadecimal to ASCII
print (char []) 0x24424142

# Pass Args to a program when starting in GDB
run `python -c 'print("A"*50)'`

# Pass input to a program when starting in GDB
run < <(python -c 'print("A"*50)')

# Enable core dumps
ulimit -c unlimited
sudo chmod -s ./binary

# With core dumps enabled, crash the binary and load the dump
gdb --core=core

Some Vulnerable Functions

If we find a program which calls some of these functions, we may be able to take control with a buffer overflow based attack.

calloc, malloc, realloc, fscanf, gets, scanf, sprintf, sscanf, strcat, strcpy, strncat, strncmp, strncpy, memchr, memcmp, memcpy, memmove, memset, scanf, gets, fwscan, sscanf

Stripped Binaries

Stripped programs have their symbol tables removed, which makes identifying user created functions difficult to find compared with non-stripped binaries. If we search for functions, we will only see functions called in linked libraries.

What we can do, is set a break on some of the functions that are called. Once that break is hit, we can inspect the backtrace with bt to identify where the return pointer will hit a call.

# Inspect in GDB for functions
i fun

# Set break on a linked function
break gets

# View backtrace on break to see where entry point into function
bt

ret2libc

This is a technique where we use stack overflows to reach linked functions in libc and gain execution.

We can find locations and offsets in linked libraries with this neat command below. Taken from https://blog.artis3nal.com/2020-08-14-htb-october-msf/

# strings to find offset for /bin/sh, this will be 0x00131a7a
strings -atx /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
   131a7a /bin/sh

Stack Canaries

In the case of a terminator canary, keep in mind that many functions such as gets() will place a null byte at the end for us! If we overrun the buffer, we can strategically reconstruct a canary value.

ASLR

ASLR makes exploitation more difficult, however there are some nifty tricks we can use to still get around it. Trampoline calls can be used to call the stack, we just need to search for opcodes which are either a JMP ESP or CALL ESP. By calling the stack pointer, we can execute our data on the stack (as long as DEP is not present!!).

PEDA makes this easy with the command jmpcall esp.

Additionally, we can check if the libraries loaded by a program are staticly loaded or not. This can be done using the ldd program.

Pwntools

>>> import pwn
>>> pwn.p64(0x7fffffffe380)
b'\x80\xe3\xff\xff\xff\x7f\x00\x00'
>>> pwn.p32(0x0804853b)
b';\x85\x04\x08'

Create Shellcode

One of the easiest ways to create shellcode is using msfvenom. We can always list out the options with --list-options as a switch.

PreviousPowerShellNextWindows Pwn

Last updated