rpisec - rensselaer polytechnic institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · –...

50
Setup YOU NEED AN SSH CLIENT – DO THIS NOW If on Windows Download PuTTY (google it) If on Linux You probably already have an SSH client, so chill RPISEC - 10/17/2014 Intro to Binary Exploitation 1

Upload: others

Post on 20-Jul-2020

7 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Setup

• YOU NEED AN SSH CLIENT – DO THIS NOW

• If on Windows– Download PuTTY (google it)

• If on Linux– You probably already have an SSH client, so chill

RPISEC - 10/17/2014 Intro to Binary Exploitation 1

Page 2: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

RPISEC

Intro to Binary Exploitation

Fall 2014

RPISEC - 10/17/2014 Intro to Binary Exploitation 2

Page 3: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Binary Exploitation

• The simplest definition – To change data theprogram uses in ways that were not intendedby the programmer

• In CTFs - Pwn(ables)/Exp(loitation)

• Very technical, insanely gratifying– Intimate knowledge of language/machine

RPISEC - 10/17/2014 Intro to Binary Exploitation 3

Page 4: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

WELCOME TO THE WARZONElet’s pwn some stuff

RPISEC - 10/17/2014 Intro to Binary Exploitation 4

Page 5: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

warzone.rpis.ec

ssh username/password

intro01:intro01

RPISEC - 10/17/2014 Intro to Binary Exploitation 5

Page 6: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Tips to get started

• cd /levels

• ./intro01– AAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

• python –c ‘print “A”*20’

• gdb ./intro01– run

• In GDB:– Info functions

– Info registers• i r

– disassemble <function>• disas main

– breakpoint <function>• b main

– breakpoint * <address>• b * 0x08048455

RPISEC - 10/17/2014 Intro to Binary Exploitation 6

Page 7: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Stack Overview

• The stack is a region of memory for a program to maintain function variables and stuff during execution

• This is main()’s stack ------->

RPISEC - 10/17/2014 Intro to Binary Exploitation 7

Page 8: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Understanding the Stack

RPISEC - 10/17/2014 Intro to Binary Exploitation 8

Page 9: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Understanding the Stack

RPISEC - 10/17/2014 Intro to Binary Exploitation 9

Page 10: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Corrupting the Stack

RPISEC - 10/17/2014 Intro to Binary Exploitation 10

Page 11: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

PWNING the Stack

RPISEC - 10/17/2014 Intro to Binary Exploitation 11

Page 12: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Endianess – How data is stored in memory

• Endianess – How data is stored in memory

• Modern computers are generally little endian– ‘little end in’

• Endianess can be confusing, and I don’t want to get into the details– 0x41424344 stored as 0x44, 0x43, 0x42, 0x41– 0xdeadbeef stored as 0xef, 0xbe, 0xad, 0xde

RPISEC - 10/17/2014 Intro to Binary Exploitation 12

Page 13: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Intro01 Exploit

(python -c 'print "A"*64 + "\xef\xbe\xad\xde"'; cat) | ./intro01

RPISEC - 10/17/2014 Intro to Binary Exploitation 13

Page 14: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

UNDERSTANDING CONTROL FLOWBend it like Beckham

RPISEC - 10/17/2014 Intro to Binary Exploitation 14

Page 15: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 15

Runtime Memory

Stack

ELF Executable

.text segment

.data segment

Heap

0x00000000 – Start of memory

0xFFFFFFFF – End of memory

0x08048000 – Start of .text Segment

0xbfff0000 – Top of stack

Libraries (libc)

Page 16: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 16

Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment

Page 17: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 17

Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

Page 18: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 18

Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segmentEIP

Page 19: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 19

Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment EIP

Page 20: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 20

Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment EIP

Page 21: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 21

Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segmentEIP

Page 22: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 22

Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

Page 23: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 23

Runtime Memory

Stack

Heap

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

Page 24: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 24

Runtime Memory

Stack

Heap

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

Page 25: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 25

Runtime Memory

Stack

Heap

Executable code

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

Page 26: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

.text segment

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 26

Runtime Memory

Stack

Heap

Libraries (libc)

ELF Executable

.text segment

.data segment

EIP

Page 27: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

How Calling Works

RPISEC - 10/17/2014 Intro to Binary Exploitation 27

EIP

Page 28: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

How Calling Works

RPISEC - 10/17/2014 Intro to Binary Exploitation 28

EIP

Page 29: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

How Calling Works

RPISEC - 10/17/2014 Intro to Binary Exploitation 29

EIP

Page 30: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

How Calling Works

RPISEC - 10/17/2014 Intro to Binary Exploitation 30

EIP

Page 31: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

How Calling Works

RPISEC - 10/17/2014 Intro to Binary Exploitation 31

EIP

Page 32: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

How Calling Works

RPISEC - 10/17/2014 Intro to Binary Exploitation 32

EIP …

Page 33: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Returning

RPISEC - 10/17/2014 Intro to Binary Exploitation 33

EIP

Page 34: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Returning

RPISEC - 10/17/2014 Intro to Binary Exploitation 34

EIP

Page 35: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Returning

RPISEC - 10/17/2014 Intro to Binary Exploitation 35

EIP

Page 36: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Returning

RPISEC - 10/17/2014 Intro to Binary Exploitation 36

EIP

Page 37: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Returning

RPISEC - 10/17/2014 Intro to Binary Exploitation 37

EIP

Page 38: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

OWNING CONTROL FLOWNow that you know how it works …

RPISEC - 10/17/2014 Intro to Binary Exploitation 38

Page 39: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Stack Smashing

RPISEC - 10/17/2014 Intro to Binary Exploitation 39

…EIP

Page 40: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Stack Smashing

RPISEC - 10/17/2014 Intro to Binary Exploitation 40

…EIP

Page 41: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Stack Smashing

RPISEC - 10/17/2014 Intro to Binary Exploitation 41

EIP

Page 42: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Returning

RPISEC - 10/17/2014 Intro to Binary Exploitation 42

EIP

Page 43: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Returning home

RPISEC - 10/17/2014 Intro to Binary Exploitation 43

EIP SEGFAULT0x41414141

Page 44: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

“If your program simply segfaulted, consider yourself lucky.”

-Chuck Stewart

RPISEC - 10/17/2014 Intro to Binary Exploitation 44

Page 45: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Redirecting Control Flow

RPISEC - 10/17/2014 Intro to Binary Exploitation 45

EIP

Overwrite witha code address

Page 46: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

warzone.rpis.ec

SSH in as intro02use the password you got from solving intro01

RPISEC - 10/17/2014 Intro to Binary Exploitation 46

Page 47: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Example ELF / EXE in Memory

RPISEC - 10/17/2014 Intro to Binary Exploitation 47

Runtime Memory

Stack

Heap

Libraries (libc)

ELF Executable

.text segment

.data segment

• What if there’s no easy function to pop a shell like intro02?– No easy ‘win’ function

• Make our own exec() function in a buffer on the stack, and redirect control flow to it!

Page 48: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

INJECTING CODEShellcode and other antics

RPISEC - 10/17/2014 Intro to Binary Exploitation 48

Page 49: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

PWNING the Stack

RPISEC - 10/17/2014 Intro to Binary Exploitation 49

Put x86 in buffer on the stack

Overwrite Return

Page 50: RPISEC - Rensselaer Polytechnic Institutesecurity.cs.rpi.edu/courses/binexp-spring2015/... · – AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA AAAAAAAA • python –c ‘print

Intro03 & Additional Reading

• There are multiple ways to solve intro03, we would like to see you use shellcode to solve it

• http://insecure.org/stf/smashstack.html

• We’ll cover writing shellcode & more advanced forms of exploitation later this year

RPISEC - 10/17/2014 Intro to Binary Exploitation 50