別PWN那裡 DoubleSigma Terrynini

ancient pwn basic

Before learning the ancient pwn, Make sure that you understand the concept of stack frame. If your answer is negative, there is an ancient material for you from 2018/12/14. All the example code are at the end of this material.

ancient pwn buffer overflow

ancient pwn $ gcc -fno-stack-protector pwn_01.c -o pwn_01
 $ ./pwn_01
 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 [1] 19730 segmentation fault (core dumped) ./pwn_01 These are some ancient tricks, so we have to turn off some modern feature.

ancient pwn Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] name[16]~name[23]

ancient pwn Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] aaaaaaaa aaaaaaaa

ancient pwn Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] aaaaaaaa aaaaaaaa STACK Overflow ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

ancient pwn gets() is deprecated, because it’s dangerous.

ancient pwn $ gcc -fno-stack-protector pwn_02.c -o pwn_02

ancient pwn 0 Previous RBP Return Address \00\00\00\00\00\00\00\00 low address high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value

ancient pwn 0 Previous RBP Return Address aaaaaaaa low address high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value

ancient pwn 0 Previous RBP Return Address aaaaaaaa low address high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value 0x6161616161616161

ancient pwn 0 Previous RBP Return Address aaaaaaaa low address high address visitor.name[0]~visitor.name[7] visitor.Taiwan_value Buffer Overflow! 0x6161616161616161 /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

ancient pwn ret2text

ancient pwn $ gcc -fno-stack-protector -no-pie pwn_03.c -o pwn_03 Let’s pwn with pwntool this time.

ancient pwn Return Address aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] Previous RBP

ancient pwn Return Address aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] Previous RBP aaaaaaaa 0x0400577 0000000000400577 : 400577: push rbp 400578: mov rbp,rsp 40057b: lea rdi,[rip+0xd6] 400582: call 400460 400587: nop 400588: pop rbp 400589: ret .--------------------------------------. | | | | | | | | | | | | | | | | '--------------------------------------'

.--------------------------------------. | | | | | | | | | | | | | | | | '--------------------------------------' ancient pwn Return Address aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] Previous RBP aaaaaaaa 0x0400577 Control Flow Hijack ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 0000000000400577 : 400577: push rbp 400578: mov rbp,rsp 40057b: lea rdi,[rip+0xd6] 400582: call 400460 400587: nop 400588: pop rbp 400589: ret

ancient pwn Controlling the return address, and jump to a piece of code. It was named ret2text.

ancient pwn ret2sc

Shellcode $ gcc -fno-stack-protector -z execstack pwn_04.c -o pwn_04

Return Address shellcode shellcode note[0x90]~note[0x97] Previous RBP Shellcode push 0x68 mov rax, 0x732f2f2f6e69622f push rax mov rdi, rsp push 0x1010101 ^ 0x6873 xor dword ptr [rsp], 0x1010101 xor esi, esi push rsi push 8 pop rsi add rsi, rsp push rsi mov rsi, rsp xor edx, edx push SYS_execve pop rax syscall note[0x97]~note[0x9e] .------------------------------------. | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | '------------------------------------' | | | asm() '---------------------------->

Return Address shellcode shellcode 0x7ffcbe83d7c0 high address note[0x90]~note[0x97] Previous RBP Shellcode note[0x97]~note[0x9e]

Return Address shellcode shellcode 0x7ffcbe83d7c0 high address Previous RBP Shellcode Garbage 0x7ffcbe83d7c0 note[0x90]~note[0x97] note[0x97]~note[0x9e]

Return Address shellcode shellcode 0x7ffcbe83d7c0 high address Previous RBP Shellcode Garbage 0x7ffcbe83d7c0 note[0x90]~note[0x97] note[0x97]~note[0x9e] retturn to shellcode! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

ancient pwn Practice time

ancient pwn How ancient humans deal with these kind of attack?

Stack Guard Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] canary

Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] canary aaaaaaaa aaaaaaaa aaaaaaaa Stack Guard

Previous RBP Return Address aaaaaaaa aaaaaaaa aaaaaaaa low address high address name[0]~name[7] name[8]~name[15] name[16]~name[23] canary aaaaaaaa aaaaaaaa aaaaaaaa stack smashing detected /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// Stack Guard

ASLR Address Space Layout Randomization It’s a feature of kernel, Linux kernel enable it by default. To randomize the .text, a binary have to be compiled with PIE.

ASLR Address Space Layout Randomization $ gcc -fno-stack-protector pwn_03.c -o pwn_03

ASLR Address Space Layout Randomization 0000000000400577 : 400577: push rbp 400578: mov rbp,rsp 40057b: lea rdi,[rip+0xd6] 400582: call 400460 400587: nop 400588: pop rbp 400589: ret 00000000000006ca : 6ca: push rbp 6cb: mov rbp,rsp 6ce: lea rdi,[rip+0xd3] 6d5: call 580 6da: nop 6db: pop rbp 6dc: ret .---------------------------------------. .----------------------------------. | | | | | | | | | | | | | | PIE | | | |>>>>>>>>>>>>>>>>>>>>>>| | | | | | | | | |
 | | | | | | | |
 | | | | '---------------------------------------' '----------------------------------'

DEP Data execution prevention Need hardware support which called CPU NX bit. NX bit, no execute bit, marks certain areas of memory as non-executable.

$ gcc -fno-stack-protector pwn_04.c -o pwn_04 DEP Data execution prevention The shellcode on stack and heap would become unexecutable.

ancient pwn ret2plt

PLT&GOT Procedure Linkage Table & Global offset Table A dynamic link binary has to relocate library function calls during execution. $ gcc -c pwn_05.c -o pwn_05.o

PLT&GOT Procedure Linkage Table & Global offset Table A dynamic link binary has to relocate library function calls during execution. $ gcc -c pwn_04.c -o pwn_04.o

PLT&GOT Procedure Linkage Table & Global offset Table External functions are unknown during the link stage, and we shouldn’t modify the instruction after compilation. 0000000000000000 : ... 30: e8 00 00 00 00 call 35 35: 48 8d 85 f0 fe ff ff lea rax,[rbp-0x110]

PLT&GOT Procedure Linkage Table & Global offset Table To solve that, we have GOT, global offset table. ld is response to resolve xxxx@GLIBC during loading. : call printf@GOT GOT 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------.
 | scanf@GLIBC | '---------------' .---------------.
 | printf@GLIBC | '---------------' .---------------.
 | read@GLIBC | '---------------' .---------------.
 | exit@GLIBC | '---------------' .------------> ---' .-------> | ---'

PLT&GOT Procedure Linkage Table & Global offset Table When a binary is too big, it takes lots of time to fill out GOT. Sometimes, some functions won’t be called during execution, we don’t need to resolve them each time.

PLT&GOT Procedure Linkage Table & Global offset Table To solve that, we have PLT, procedure linkage table, and a mechanism named Lazy binding. : call printf@plt GOT .---------------.
 | printf@GLIBC | '---------------' .-------> ---' .-----------------------------------. |: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------' .----------> | | first call | -----------' ------------. second call | | | | '----> .----. | ld | '----' | | | | resolve | | | v

ret2plt Return Address aaaaaaaa aaaaaaaa low address high address Previous RBP .-----------------------------------. |: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------'

ret2plt Return Address aaaaaaaa aaaaaaaa low address high address Previous RBP Garbage printf@plt .-----------------------------------. |: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------'

Return Address aaaaaaaa aaaaaaaa low address high address Previous RBP Garbage printf@plt .-----------------------------------. |: | | jmp QWORD PTR [rip+0x200aba] | | push 0x0 | | jmp 500 <.plt> | '-----------------------------------' Return to plt ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ret2plt

ancient pwn GOT hijack

$ gcc -zlazy pwn_04.c -o pwn_04 GOT Hijack If the Lazy Binding is applied, GOT must be writable.

.---------------.
 | call puts | '---------------' GOT+0x20 .------------.
 | puts@GLIBC | '------------' ---> -------> 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------------------. | | | | | | | | | | | | | | '---------------------------' .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> GOT Hijack

.---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' .---------------.
 | call puts | '---------------' GOT+0x20 .------------.
 | puts@GLIBC | '------------' ---> -------> 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------------------. | | | | | | | | | | | | | | '---------------------------' .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> GOT Hijack

.---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' | .--------------------------' | | | v Over Write .---------------.
 | call puts | '---------------' GOT+0x20 .------------.
 | puts@GLIBC | '------------' ---> -------> 0x12345678 <_IO_puts@@GLIBC_2.2.5>: push r13 push r12 mov r12,rdi push rbp push rbx .---------------------------. | | | | | | | | | | | | | | '---------------------------' .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> GOT Hijack

.------------.
 | call puts | '------------' GOT+0x20 .-------------------------------.
 | __libc_system@@GLIBC_PRIVATE | '-------------------------------' ---> .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' | .--------------------------' | | | v Over Write ---> .-------------------.
 | system(“/bin/sh”) | '-------------------' GOT Hijack

GOT Hijack .------------.
 | call puts | '------------' GOT+0x20 .-------------------------------.
 | __libc_system@@GLIBC_PRIVATE | '-------------------------------' ---> .-----------------.
 | puts(“/bin/sh”) | '-----------------' ---> .---------------------------------------------.
 | GOT+0x20 = __libc_system@@GLIBC_PRIVATE | '---------------------------------------------' | .--------------------------' | | | v Over Write ---> .-------------------.
 | system(“/bin/sh”) | '-------------------' GOT Hijack ! /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

But you have to leak libc base address first. GOT Hijack

ancient pwn Practice time

ancient pwn ROP

ROP Return Oriented Programming What if we can’t reach our goal by jumping on a piece of code?

.------------. | | | | | | | | '------------' ROP Return Oriented Programming xor rax, rax ret inc rax ret mov rcx, rax ret .------------. | | | | | | | | '------------' .--------------. | | | | | | | | '--------------' 0x8010AB0 0x8010CD0 0x8010EF0 + +

.----------------------------------------------------------------------------. | | | | | | | | | | | | | | | | ‘----------------------------------------------------------------------------' .------------. | | | | | | | | '------------' ROP Return Oriented Programming xor rax, rax ret inc rax ret mov rcx, rax ret .------------. | | | | | | | | '------------' .--------------. | | | | | | | | '--------------' 0x8010AB0 0x8010CD0 0x8010EF0 + + .------------. | | | | | | | | '------------' xor rax, rax inc rax mov rcx, rax .------------. | | | | | | | | '------------' rcx = 1 = =

.------------. | | | | | | | | '------------' .--------------. | | | | | | | | '--------------' Return Address aaaaaaaa aaaaaaaa low address high address Previous RBP .------------. | | | | | | | | '------------' xor rax, rax ret inc rax ret mov rcx, rax ret 0x8010AB0 0x8010CD0 0x8010EF0 0x8010CD0 0x8010AB0 0x8010EF0 ROP aaaaaaaa

ancient pwn ret2libc

ancient pwn Practice time

ancient pwn codes

Example pwn_01.c #include int main(){ char name[24]; gets(name); printf(" Your namename is %s.", name); return 0; }

Example pwn_02.c #include #include typedef struct{ char name[8]; long int Taiwan_value; }passport; int main(){ passport visitor; visitor.Taiwan_value = 0; read(0, visitor.name, 18); if( visitor.Taiwan_value > 0){ printf(" %s !? welcome, Taiwanese.", visitor.name); printf("Value : %d",visitor.Taiwan_value); }else{ printf(" %s ?? Get off, outlander.",visitor.name); } return 0; }

Example pwn_03.c #include #include void cheat(){ puts("My grandpa taught me this in Hawaii "); } int main(){ char name[0x10]; read(0, name, 0x20); printf("%s", name); return 0; }

Example pwn_04.c #include #include int main(){ char note[0x100]; printf("the address is : %p \n",note); read(0, note, 0x120); return 0; }

Example pwn_05.c #include #include int main(){ char note[0x100]; puts("So... where is the system ?"); system("echo 'here'"); printf("printf is at %p\nsystem is at %p\noffset = %d\n", printf, system, (int) (system)-(int)(printf)); return 0; }