Pwn
I placed pwn in with programming, because it relies heavily on programming concepts and knowledge
ELF Analysis
Take a quick look at the file before jumping into analysis
GDB
Program used to help debug activities as they occur. Use set disassembly-flavor intel
to get rid of nasty AT&T syntax. Can analyze core dumps to help identify vulnerable locations in memory for binaries as well.
Generally, we want to set a break AFTER a vulnerable function to see what the stack looks like.
Change the libc used in GDB with the command
Command
Explanation
disass main
disassemble the main function.
break main
break *main+53
break *0x8040564
Break on the main()
function, or an offset, or a specific memory address. Specific addresses require a *
print $eip
Print the contents of a register, variables, or even a memory address
x/20i
x/5i *0x8040564
x/20wx $esp
x/s *0x8040564
Examine 20 Instructions from current EIP
Examine 5 instructions from a specific address Examine 20 DWORDs from the stack pointer
Examine ASCII strings in an address
info
info registers
info function
Lots of interesting info about the current program
Prints all register contents
Prints out all functions
list
Show the source code (if available)
continue
Continues execution after a breakpoint is hit
si
ni
Step Instruction (into library calls!)
Next Instruction (skips library calls!)
bt
Backtrace, shows return pointers on the stack. SUPER useful to identify the call chain to gather return pointers
info breakpoints
del breakpoints
del break 3
Show all breakpoints
Delete all breakpoints
Delete breakpoint 3
Some Vulnerable Functions
If we find a program which calls some of these functions, we may be able to take control with a buffer overflow based attack.
calloc, malloc, realloc, fscanf, gets, scanf, sprintf, sscanf, strcat, strcpy, strncat, strncmp, strncpy, memchr, memcmp, memcpy, memmove, memset, scanf, gets, fwscan, sscanf
Stripped Binaries
Stripped programs have their symbol tables removed, which makes identifying user created functions difficult to find compared with non-stripped binaries. If we search for functions, we will only see functions called in linked libraries.
What we can do, is set a break on some of the functions that are called. Once that break is hit, we can inspect the backtrace
with bt
to identify where the return pointer will hit a call.
ret2libc
This is a technique where we use stack overflows to reach linked functions in libc and gain execution.
We can find locations and offsets in linked libraries with this neat command below. Taken from https://blog.artis3nal.com/2020-08-14-htb-october-msf/
Stack Canaries
In the case of a terminator canary, keep in mind that many functions such as gets() will place a null byte at the end for us! If we overrun the buffer, we can strategically reconstruct a canary value.
ASLR
ASLR makes exploitation more difficult, however there are some nifty tricks we can use to still get around it. Trampoline calls can be used to call the stack, we just need to search for opcodes which are either a JMP ESP
or CALL ESP
. By calling the stack pointer, we can execute our data on the stack (as long as DEP is not present!!).
PEDA makes this easy with the command jmpcall esp
.
Additionally, we can check if the libraries loaded by a program are staticly loaded or not. This can be done using the ldd
program.
Pwntools
Create Shellcode
One of the easiest ways to create shellcode is using msfvenom. We can always list out the options with --list-options as a switch.
Last updated